This Gramm-Leach-Bliley Security Program (“Program”) was adopted by Washington University pursuant to the Gramm-Leach-Bliley Act (“Act”) and, specifically, the Standards for Safeguarding Customer Information (“Safeguards Rule”) codified in 16 CFR 314. The purpose of the Safeguards Rule is to ensure the security, confidentiality and integrity of personally identifiable financial information of University students, faculty and staff. This Program sets forth the University’s standards, policies and procedures to (1) ensure the security and confidentiality of financial information, (2) protect against anticipated threats or hazards to the security or integrity of such information, and (3) prevent the unauthorized access to or use of such information.
Designated Program Coordinators
The University’s Program Designee responsible for coordinating the Program is the Director of Computing and Information Systems. This individual is also responsible for the security of all computing facilities and the transmission of data.
Information Safeguards
To avoid reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of information protected by the Act, the University has in place the standards, policies and procedures outlined below. The University monitors and, when necessary, adjusts such standards, policies and procedures to maintain compliance with state and federal law.
Information Security Policy
Most of the University’s financial and administrative systems are accessible through the campus network. The Information Security Policy (www.wustl.edu/policies/infosecurity.html) identifies key concerns and issues faced by the University community at the application, host, and network levels, and addresses the need for security of critical information and systems. The Policy specifies various categories of required information technology security, describes technology security roles and responsibilities, and outlines security standards and guidelines regarding access, accountability, authentication, availability, maintenance and reporting.
Computer Use Policy
The integrity of the University’s computer network housing financial information is also protected from inappropriate use by those with access to the computing facilities and services of Washington University. These protections and procedures are outlined in the Computer Use Policy (www.wustl.edu/policies/compolcy.html). Violations of the Computer Use Policy are actionable under the University Judicial Code (www.wustl.edu/policies/judicial.html).
Family Educational Rights and Privacy Act Notice
The University acknowledges the privacy rights of its students, including the privacy of financial information, as expressed in its Family Educational Rights and Privacy Act (FERPA) Notice (http://aisweb.wustl.edu/studentrecords/home.nsf/pages/ferpa).
Health Insurance Portability and Accountability Act
The University acknowledges the privacy rights of its students and others as required by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA policies adopted by the University are designed to protect personal information related to health care, including financial information. The security safeguards are outlined in Security Measures Required to Comply with Privacy Policies (http://hipaa.wustl.edu/Policies/Security.htm).
Employee Training
The University requires employees to maintain the confidentiality of University records, including financial records, of students, faculty and staff. Employees are expected to protect all confidential and proprietary information by safeguarding it when in use, filing it properly when not in use, and discussing it only with those who have a legitimate business need to know. Violations of this duty of confidentiality can lead to disciplinary action up to and including termination. The obligation to maintain the confidentiality of these records is documented in the Employee Handbook (http://hr.wustl.edu/). The University also provides ongoing training which includes instruction regarding the protection and proper use of confidential information.
Oversight of Service Providers
The University takes reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for information protected by the Act. These steps include the assessment of a service provider’s ability to safeguard confidential and private information. Service providers retained by the University are required by contract to implement and maintain the security, confidentiality and integrity of confidential, proprietary and protected information. Specifically, such providers are required to (1) limit use of the protected information to the business purpose of the contract, (2) access protected information by commercially acceptable standards only, (3) return or destroy protected information received in connection with the contract, and (4) maintain the confidentiality of protected information after termination of the contract.
Evaluation and Monitoring
This Information Security Program shall be evaluated and adjusted in light of relevant circumstances, including, but not limited to, changes in University operations or the results of testing and monitoring of University computer networks. Risk assessment will be done through the University’s Department of Internal Audit.