High Risk Confidential Information Committee
This ad hoc committee is charged to conduct a review of policies, procedures and internal controls as they relate to the collection and handling of high-risk confidential information (HRCI) of employees, dependents, and students. For the purposes of this work, HRCI is defined as any combination of full name, SSN, date of birth, permanent address, driver’s license number/passport/other government-issued identification, credit/debit card number, bank information and personal medical information. The review should address, but not necessarily be limited to:
- What information is collected as a part of employment or admission into the institution and whether such information is necessary for purposes of employment or the admissions process.
- How such information is stored, secured and accessed.
- Who has access to such information and whether this access is pertinent to the functions of the job position.
- When and how high risk confidential information is entered or purged from the College’s databases (i.e., pre/post employment or enrollment).
Due to the comprehensive nature of the task, the committee is expected to prioritize its work in order to promptly and efficiently mitigate risks. As a part of its work, the committee should consider the cost and benefits associated with hiring a third party to conduct a risk assessment and to review and recommend changes to Western’s current policies and practices.
Throughout the review, the committee, as necessary, should consult with departments or campus units to become aware of potential risks and, for those affected by changes in policies or procedures, to gain an understanding of the impact on College functions.
Based on this review, the committee is expected to formulate policies and procedures that strengthen the security of HRCI. The draft policies and procedures will be presented to the President’s Cabinet for review and approval prior to communication to the campus community and implementation.
Brad Baca, Chair, Vice President for Finance and Administration, 943-2186
Chad Robinson, Director of IT Services, 943-3123
Kim Gailey, Director of Human Resources, 943-3142
Rod Russell, Director of Accounting, 943-7027
Risk and Controls Assessment: Completed April 2011.
The Committee engaged a firm with expertise in information security to assist in assessing the risks and controls we have in place as they relate to the use and storage of HRCI in our campus business practices. As part of this review, the committee and the consultants worked with various departments across campus. These departments included Human Resources, Accounting, Purchasing, Admissions, Financial Aid, Computer Services, Registration Services and areas within Student Affairs.
Policy Deployment: Completed February 2012.
Expanded use of Online Payment.
Data Retention/Destruction Guidelines: Under development.
Enterprise Information Security Audit (EISA): In progress.
The HRCI has instructed IT Services to conduct an audit of our enterprise information systems (primarily Banner and Department network shares) to make sure that access to information is aligned with work requirements. The focus is on limiting access to HRCI data, but all permissions will be reviewed in this process.
Information Security Awareness Training: Under Investigation.
The HRCI is investigating options for information security awareness training for employees.