CHECKLIST OF CONCEPTS in Training and Managing Employees Who Deal with Legally Protected Information
The following checklist guides University of Mary Washington supervisors in the training and management of employees who deal with legally protected information. Legally protected information is information
- to which the University restricts access as required by law (including but not limited to such statutes as the Family Educational Rights and Privacy Act (FERPA) dealing with student records and the Gramm-Leach-Bliley Act (GLBA) dealing with personal financial information), or
- to which the University decides to restrict access in accord with the provisions of the Virginia Freedom of Information Act or other applicable law.
CHECKLIST
- Check references prior to hiring employees who will have access to such information.
- Ensure that every employee formally records his or her agreement to follow confidentiality and security standards for handling such information (this is commonly done by annual signature on the confidentiality statement attached to the Employee Work Profile for classified employees).
- Inform employees how to take basic steps to maintain the security, confidentiality and integrity of such information. Such steps include:
  - Do not disclose to any other person, or allow any other person access to, any information related to the University of Mary Washington that is proprietary or confidential and/or pertains to employees, students, faculty, alumni, or other populations that the University serves or from whom it gathers information, unless the individuals involved have been informed in advance that the information may be disclosed or the disclosure is required by law. [Disclosure of information includes, but is not limited to, verbal discussions, facsimile transmissions, electronic mail messages, voice mail communication, written documentation, "loaning" computer access codes, and/or other transmission or sharing of data.]
  - Lock rooms and file cabinets where paper records are kept.
  - Use password-protected screensavers on computing devices.
  - Use strong passwords (see http://www.umw.edu/policies/network/devices for a current description of the characteristics of strong passwords).
  - Change passwords periodically, and do not post them near your computer.
  - Ensure that any personal computer you use in dealing with such information is configured and maintained to current security standards (again, see http://www.umw.edu/policies/network/devices for a current description of the steps related to operating systems, virus protection and adware protection).
  - Ensure that such information is encrypted when it is transmitted electronically over networks (look for a closed-lock icon indicating a Secure Sockets Layer -- SSL -- connection on web pages used to communicate such information, or use such tools as SecureFTP).
  - Refer any calls you receive seeking such information to designated staff who are trained in what can be disclosed and under what conditions.
  - Learn to recognize improper or fraudulent attempts to obtain such information and report them to the University Police.
- Provide a listing to employees of examples of the types of information to which these procedures apply in their areas of responsibility.
- Regularly remind employees of these policies and procedures, in part by means of on-line notices in relevant systems and with cards or signs in work locations.
- Limit employees' access to information to what is necessary for them to do their jobs and, in doing so, to contribute effectively to the pursuit of the University's mission.
- Impose disciplinary measures for any breaches.
See related MATERIALS at:
- Administrative Data Access Policy (http://www.umw.edu/policies/admin_data)
- Computing Devices Connected to the Network (http://www.umw.edu/policies/network/devices)
- Financial-Customer Information Policy (http://www.umw.edu/policies/customerinfo)
- Internet Privacy Policy (http://www.umw.edu/policies/web/privacy)
- State Personnel Records Disclosure Policy (http://www.dhrm.state.va.us/hrpolicy/policy/recdiscl.htm)
- Student Handbook (details about the Family Educational Rights and Privacy Act can be found there -- printed version only for undergraduate Fredericksburg campus students; Stafford campus student handbook at http://cgps.umw.edu/publications/s_handbook/index.htm)
- Virginia Freedom of Information Act (http://dls.state.va.us/GROUPS/foiacouncil/04law.pdf)
Checklist adapted by the Department of Information Technologies from similar FTC materials.

