Business and Financial Services
Clark University Financial Information Security Plan
1) Purpose:
- In accordance with the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, and to protect the financial information of our students, faculty, and staff, Clark University has adopted this Financial Information Security Plan. The goal of this document is to outline the measures we will take to comply with this Act, and to assure an ongoing review mechanism to address requests to meet future privacy needs. The Executive Vice President shall serve as the Coordinator of the Plan, and will be assisted by the Vice President for Information Technology, the Controller, and the Registrar, as well as other University Officers as needed.
2) Objectives:
- We will strive to ensure the security and confidentiality of all student and other customer financial records and information. This information will be safeguarded so as to protect, to the extent possible, against any unauthorized access to, or use of, such records in a manner which could cause substantial harm or inconvenience to any customer. We will also protect against any anticipated threats to the security or integrity of this financial information.
3) Risk Assessment: The University will assess the risk to customer financial information from each of the following:
- Unauthorized access to data through software applications
- Unauthorized use of other users’ accounts and passwords
- Unauthorized viewing of printed data or computer displayed financial data
- Improper storage of printed financial data
- Unprotected documentation usable by intruders to access data
- Improper destruction of printed financial material
4) Specific Information Security Plans:
- No financial information will be collected by any department of the university which is not necessary for the effective functioning of that Department.
- Printed copies of customer financial information will be shredded when their use is completed.
- No printed financial information is to be kept in unlocked storage areas. The Physical Plant Department has been instructed to install needed locks and other security devices on a priority basis.
- Printed copies of customer financial information are not to be left on desks when such work areas are unattended.
- Key control of all locked areas will be maintained by the Physical Plant staff, with the cooperation of the University Police and all user departments. All keys must be turned in to the Director of Human Resources upon separation from the University.
- Computer work stations used to display customer financial information are not to be left unattended with that information displayed. Users of such information are to log off when they are away from their workstation for any significant period of time.
- Passwords are to be utilized, and kept confidential, at all times. These will be controlled by the Department of Information Technology Services.
- Disciplinary measures, up to and including termination, may be imposed for breaches of customer information security.
- Information Technology Services has determined that moving away from the use of Social Security numbers as student identifiers will assist in the protection of customer financial information, and will be doing so.
- All staff utilizing customer financial information (both existing and new hires) will be given a copy of this plan, and asked to signify their acceptance of its provisions.
- All service providers to the University with access to student financial information will be required to implement and maintain safeguards for these data. All existing contracts with such providers shall be modified to include safeguarding requirements no later than May 24, 2004. All new contracts will include these requirements.
- The University will remain in full compliance with the Family Educational Rights and Privacy Act (“FERPA”).
- The University will continually evaluate and, where necessary, amend this Plan to ensure that customer financial information is protected. This testing will include regular evaluation of the effectiveness of the safeguards put into place, and the key controls, systems, and procedures.