Business Office – Dr. Baz Abouelenein, Chief Financial Officer
Information Technology Services – Fred Miller, Chief Information Officer
Last Revised: 06/11/2019
Title: Information Security Program for Financial Records
Applicable: Wofford Students, Faculty and Staff
Contacts: IT Help Center x4357
Background: Wofford College must comply with the information security requirements of the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”).
Policy: Wofford College will (i) ensure the security and confidentiality of records covered by the GLBA, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers. This policy incorporates by reference the College’s policies and procedures, and is in addition to any policies and procedures required for other federal and state laws and regulations, including, without limitation, FERPA.
- Designation of Representatives: The College’s Chief Information Officer is designated as the Security Officer who is responsible for coordinating and overseeing this policy. The Security Officer may designate other representatives to oversee and coordinate particular elements of the policy. Any questions regarding the implementation of the policy or the interpretation of this document should be directed to the Security Officer or his or her designees.
- Scope: This policy applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the College, whether paper, electronic or other form, handled or maintained by or on behalf of the College or its affiliates. For these purposes, the term nonpublic financial information means information (i) a student or other third party provides to obtain a financial service from the College, (ii) about a student or other third party resulting from transactions with the College involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
- Risk Identification and Assessment: The College will make reasonable efforts to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The Security Officer will establish procedures for identifying and assessing such risks in each relevant area of the College’s operations, including:
  - Employee Training and Management: The Security Officer will coordinate with Human Resources and the Financial Aid Office to evaluate the effectiveness of the College’s procedures and practices for access and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of the College’s current policies and procedures, including the Wofford Non-Faculty Employee Handbook and the Wofford Student Handbook.
  - Information Systems and Information Processing and Disposal: The Security Officer will coordinate Information Technology Services (ITS) assessment of the risks to nonpublic financial information in the College’s information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. This evaluation will include assessing the College’s current policies and procedures, including policies for Acceptable Use, IT Security, Identity Management, Network Access, and Electronic Data Retention and Preservation. The Security Officer will coordinate ITS assessment of procedures for monitoring potential information security threats to software systems and for updating systems by implementing patches or other software fixes designed to deal with known security flaws.
  - Detecting, Preventing and Responding to Attacks: The Security Officer will coordinate ITS efforts to evaluate procedures and methods for detecting, preventing and responding to attacks or other system failures, existing network access and security policies and procedures, as well as incident response teams and policies. The Security Officer may elect to delegate an ITS representative to monitor and communicate information related to the reporting of known security attacks and other threats to the integrity of networks used by the College.
- Designing and Implementing Safeguards: The risk assessment and analysis will apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The Security Officer will, on a regular basis, implement safeguards to control the risks identified through such assessments and will regularly test or otherwise monitor the effectiveness of such safeguards. Testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
- Overseeing Service Providers: The Security Officer will coordinate with the Director of Business Services and Risk Management to raise awareness of, and to develop methods for, selecting and retaining service providers that maintain appropriate safeguards for nonpublic financial information of students. In addition, the Security Officer will work with the Director of Business Services and Risk Management to develop and incorporate standard contract terms which require third-party providers to implement and maintain appropriate safeguards. Any deviation from these standard terms requires the approval of the Director of Business Services and Risk Management. These standards will apply to existing and future contracts.
- Adjustments: The Security Officer is responsible for evaluating and adjusting the policy based on the risk identification and assessment, as well as any material changes to the College’s operations or other circumstances that may have a material impact on security.