Information Security Program
This policy serves to identify relevant individual policies and programs in a single policy document that addresses information security at Washington and Lee University.
This policy applies to all students, faculty, staff, volunteers, and - as applicable - certain agents or third-party contractors.
This policy is intended to be a comprehensive document that identifies and references all of the university's information security related policies in a single document. The policies, practices, and programs constituting the Information Security Program include:
Financial Information Security - Required by the Gramm-Leach-Bliley Act of 2003 ("GLBA"), this policy served as the sole basis for the Information Security Program Committee until Spring 2009 and establishes certain practices related to safeguarding certain financial information.
Student Education Records (a.k.a. FERPA or Buckley Amendment) Policy - Informs students and employees/contractors/agents of the university of their respective rights and responsibilities under the Family Education Rights and Privacy Act of 1974 ("FERPA", a.k.a. the Buckley Amendment), as amended, including the circumstances under which the university may disclose student education records.
Identity Theft Program - Required by the Federal Trade Commission's Red Flag Rules under the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), this Board-adopted policy codifies the university's procedures for identifying and responding to suspicious activity associated with accounts in which the university is acting as a creditor.
eCommerce Policy - Developed in consultation with consultants from the firm of Berry, Dunn, McNeil, & Parker, this policy is designed to facilitate the university's acceptance of credit cards in a manner consistent with the requirements of the Payment Card Industry Data Security Standards ("PCI DSS") and other best practices.
Confidentiality Policy - Informs all faculty, staff, student employees, and volunteers of their duty to protect and safeguard all confidential information acquired during the course of employment or service to the university.
HIPAA Notice of Privacy Practices and Procedures - Governs the handling - by covered group health plans - of protected health information of covered employees and their dependents.
The Information Security Program Committee
The University's Information Security Program Committee is charged with overseeing the security of the University's non-public information (including information that is designated as confidential and/or sensitive either by applicable law or by the Committee) through development and implementation of an overall Information Security Program ("Program") that includes the policies, practices, and programs listed in Section III above. In accordance with the GLBA, the Program will be subject to periodic review and adjustment by the Committee to assure ongoing compliance with the GLBA and the Federal Trade Commission Safeguards Rule, and other existing and future laws and regulations, as well as to evaluate consistency with other University practices.
The Committee reports to the Provost and includes an administrator from each of the following offices and departments whose operations are likely to be most significantly affected by the Program: Business, Financial Aid, Human Resources, Information Technology Services, Law School Advancement, Law School Records, Law School Technology, Student Affairs, University Development, University Registrar, and University Treasurer. The Provost may add representatives from other offices and departments as s/he deems appropriate.
The Provost designates the Information Security Program Coordinator, who serves as the chair of the Committee. The Office of General Counsel works closely with the Coordinator and the Committee and serves as a resource on all elements of the Information Security Program.
The eCommerce Subcommittee
The eCommerce Subcommittee of the Information Security Program Committee was created in February 2009 to help the University address issues - including compliance with PCI DSS - arising from acceptance of credit cards by various departments across campus.
This policy has not yet been revised.