In order to protect critical information and data, and to comply with Federal Law, specifically the Gramm-Leach-Bliley Act, William Woods proposes certain practices in the WWU information environment and institutional information security procedures. The goal of this document is to define WWU's Information Security Program, to provide an outline to assure ongoing compliance with federal regulations related to the.
Guidelines:
II. Gramm-Leach-Bliley (GLB) Requirements
GLB mandates that WWU appoint an Information Security Plan Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically. The Vice President of Financial Services has been appointed the Information Security Plan Coordinator. He has appointed the Director of Human Resources and Benefit Services and the Web Administrator to implement the GLB requirements.
III. Information Security Plan Coordinator
The Coordinator and his designees will assist WWU's relevant offices in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluating the effectiveness of the current safeguards for controlling these risks; designing and implementing a safeguards program; and regularly monitoring and testing the program.
IV. Risk Assessment and Safeguards
The Coordinator and his designees must work with all relevant areas of the university to regularly assess and identify potential and actual risks to security and privacy of information. Each Division or Department head, or her designee, will conduct an annual data security review, with guidance from the Coordinator. Vice Presidents will be asked to identify any employees in their respective areas that work with covered data and information. University Information Technologies will conduct an annual security audit and develop electronic information security best practices and an incident response policy.
While the university has discontinued the use of social security numbers as student identifiers, one of the largest security risks may be possible non-standard practices concerning social security numbers, e.g., continued reliance by some university employees on the use of social security numbers. Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA). By necessity, student social security numbers still remain in the University student information system.
The university will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are still used, and in what instances students are inappropriately being asked to provide a social security number. This assessment will cover university employees as well as subcontractors such as security and food services, and consortiums such as MOBIUS.
University Information Technologies will develop written plans and procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.
V. Employee Training and Education
While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, the Director of Human Resources and Benefit Services and the Web Administrator will develop training and education programs for all employees who have access to covered data.
VI. Oversight of Service Providers and Contracts
GLB requires the university to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Business Services, in cooperation with the Office of General Counsel, will develop and send form letters to all covered contractors requesting assurances of GLB compliance. While contracts entered into prior to June 24, 2002 are grandfathered until May 2004, the Vice President of Financial Services will take steps to ensure that all relevant future contracts include a privacy clause and that all existing contracts are in compliance with GLB.
VII. Evaluation and Revision of the Information Security Plan
GLB mandates that this Information Security Plan be subject to periodic review and adjustment. The most frequent of these reviews will occur within University Information Technologies where constantly changing technology and constantly evolving risks indicate the wisdom of quarterly reviews. The plan itself should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.
VIII. Definitions
Covered data and information for the purpose of this policy includes student financial information required to be protected under the Gramm-Leach-Bliley Act (GLB). WWU chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by the university, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.
Student financial information is information the university has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers, in both paper and electronic format.