Security Plan for Confidential Information
This security plan describes Westmont’s safeguards to protect confidential information belonging to students, staff and donors. In accordance with the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Gramm Leach Bliley Act (GLB), Westmont implements the following policies and procedural safeguards to ensure the security and privacy of confidential information:

The Family Educational Rights and Privacy Act

Pursuant to the Family Educational Rights and Privacy Act (“FERPA”), students are vested with certain rights, and the college with certain responsibilities, regarding educational records.[1] These rights and responsibilities are as follows:

Complaints

Students may complain of privacy rights violations under FERPA by filing a complaint with the Office of the Secretary of State, Department of Education, Washington, D.C.

Disclosure

The College will not, without the student’s written consent, disclose information from a student’s educational record except to those authorized by FERPA to obtain access to student records without consent. Those so authorized include, but are not limited to, college personnel with legitimate educational interests; schools of intended enrollment; specified state and federal educational administrators; providers of financial aid; and emergency health care providers. The College may contact students’ parents regarding certain matters of concern, including, but not limited to, urgent matters related to student safety and violations of state or local law. Access to student records may also be obtained by court order or lawfully issued subpoena. The College may disclose certain directory information about a student unless he or she submits a written directive to the contrary requesting that directory information be withheld. The “Withhold Directory Information” form can be obtained from the Registrar’s Office.
“Directory information” includes the student’s name; address; telephone number; date and place of birth; major; participation in officially recognized activities and sports; dates of attendance at the college; degrees and awards received; and the most recent previous educational institution attended. It also includes the height and weight of members of athletic teams. The College will keep a record of all individuals or entities, other than college personnel, who have requested or obtained access to student records.

Gramm Leach Bliley Act

This Information Security Plan (“Plan”) describes Westmont College’s (the “College”) safeguards to protect covered data and information[2] as defined under the Gramm Leach Bliley Act. These safeguards are provided to:
This Information Security Plan also provides mechanisms to:
Identification and Assessment of Risks to Confidential Information

Westmont recognizes that it has both internal and external risks. These risks include, but are not limited to:
The College recognizes that this may not be a complete list of the risks associated with the protection of covered data and information. Since technology growth is not static, new risks are created regularly. Accordingly, the Director of Information Technology (“IT”), in consultation with College Counsel and the Vice President for Administration, will actively monitor advisory groups such as the Educause Security Institute for identification of new risks. The College believes that IT’s current safeguards are reasonable and, in light of current risk assessments and the College’s compliance with procedural safeguards under the Family Educational Rights and Privacy Act and applicable state privacy laws, are sufficient to provide security and confidentiality to covered data and information maintained by the College. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.

Design and Implementation of Safeguards Program

Security Plan Coordinators

The Vice President for Administration, in consultation with the Director for Information Technology and College Counsel, will serve as the coordinator of this Plan. Together, they will assess the risks associated with unauthorized transfers of covered data and information and educational records and implement procedures to minimize those risks to the College.

Employee Management and Training

The College checks references of new employees working in areas that regularly work with covered data and information and educational records (e.g. Business Office, Dean of Students’ Office, Development Office, Financial Aid Office, and Registrar’s Office). During employee orientation, each new employee in these departments will receive proper training on the importance of confidentiality of student records, student financial information, and other types of covered data and information.
In addition, each new employee will be trained in the proper use of computer information and passwords. Training also will include controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including “pretext calling”[3], and how to properly dispose of documents that contain covered data and information. Each department responsible for maintaining covered data and information will be instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage, or technical failures. Further, each department responsible for maintaining covered data and information will work with the Vice President for Administration and College Counsel on an annual basis to coordinate and review additional privacy training appropriate to the department. These training efforts should help minimize risk and safeguard covered data and information security.

Physical Security

The College has addressed the physical security of educational records and covered data and information by limiting access to only those employees who have a business reason to know such information or a legitimate educational interest in the information as defined by the Family Educational Rights and Privacy Act. Loan files, account information and other paper documents are kept in file cabinets, rooms or vaults that are locked each night. Only authorized employees know combinations and the location of keys. Paper documents that contain covered data and information are shredded at time of disposal.

Information Systems

Access to educational records and covered data and information via the College’s computer information system is limited to those employees who have a business reason to know or a legitimate educational interest in the information. Each employee is assigned a user name and password.
Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, are available only to College employees in appropriate departments and positions. All computers on campus can access the network. Connections to the College network from the modem pool are validated before network access is granted. Anyone gaining access from the Internet passes through a firewall that limits the resources they can reach. Users without a Westmont email account are restricted to the public information available on the web site. Requiring a potential user to provide a valid user identification and password protects services such as email. If a user does not have a valid combination of user identification and password, they are not given access. This method is used for services and information that are not considered public, including all data stored on the administrative server where financial data is kept. In addition, administrative data is further protected in that once a user provides a valid user identification and password combination, they are shown only data that is relevant to their current function. When it becomes economically reasonable, encryption technology will be utilized for both storage and transmission. All covered data and information will be maintained on servers that are behind the College’s firewall. All firewall software and hardware maintained by IT will be kept current.

Selection of Appropriate Service Providers

Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that the College determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard confidential financial information.
Contracts with service providers will include one or more of the following provisions:
Notification

Pursuant to California Civil Code §1798.82, Westmont shall notify the owner or licensee of confidential information of any breach of the security of covered data and information immediately following discovery, if the information was, or is reasonably believed to have been, acquired by an unauthorized person.

Continuing Evaluation and Adjustment

This Information Security Plan will be subject to periodic review and adjustment. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the Vice President for Administration, in consultation with College Counsel, who will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology or law, the sensitivity of student/customer data and internal or external threats to information security.

Approved by President Gaede, 11/11/03

[1] Educational records are those records, files, documents, and other materials that contain information directly related to a student; and are maintained by an educational institution or its agent or by a person acting for such an educational institution or its agent. 20 U.S.C. § 1232(g)(a)(4)(A).

[2] Covered data and information for the purpose of this policy includes student financial information (defined below) required to be protected under the Gramm Leach Bliley Act (GLB). In addition to this coverage, which is required under federal law, the College chooses as a matter of policy to also include in this definition any credit card information received in the course of business by the College, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.
Student financial information is that information that the College has obtained from a customer in the process of offering a financial product or service, or such information provided to the College by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

[3] “Pretext calling” occurs when an individual improperly obtains personal information of college personnel or students so as to be able to commit identity theft. It is accomplished by contacting the College, posing as someone authorized to have information, and through the use of trickery and deceit, convincing an employee of the College to release identifying information.
© 2002 Westmont College