Skip to main content.
Safeguarding Financial-Customer Information
Safeguarding Financial Customer Information Home > Safeguarding Financial-Customer Information Home Page > Information Systems and Safeguarding Information

Designing and Operating Information Systems to Safeguard Information

The following checklist guides University of Mary Washington functional and technical managers in the design and operation of information systems (paper-based or computer-based) that deal with legally protected information.  Legally protected information is information

  • to which the University restricts access as required by law (including but not limited to such statutes as the Family Educational Rights and Privacy Act (FERPA) dealing with student records and the Gramm-Leach-Bliley Act (GLBA) dealing with personal financial information), or
  • to which the University decides to restrict access in accord with the provisions of the Virginia Freedom of Information Act or other applicable law.

Checklist

  • Store legally protected information in a secure area and ensure that only authorized persons have access to it.
    • Store paper-based information in a room, cabinet or other physical location that is locked when unattended.
    • Ensure that storage areas are protected against destruction or potential damage from physical hazards to either paper-based information or computer-based information or both, including fire or floods.
    • Store computer-based information on servers to which digital access is limited by passwords or other security measures and to which physical security protections have been applied (i.e., housed in a locked room).
    • In general, do not store information on a server that is accessible directly via the Internet (except when appropriate technical safeguards are in place).
    • Maintain backup copies of information on dependable media that are protected in accord with the above and are stored offsite, if possible.
  • Provide for secure data transmission when collecting legally protected information.
    • If collecting paper-based information, design a collection mechanism to be sure that the information is not visible in transit (i.e., don't gather such information on a postcard).
    • If collecting information on-line, use a Secure Sockets Layer (SSL) or other secure connection that is automatically established to ensure that the data is encrypted in transit.
    • If e-mail is used to collect such information, ensure that it is encrypted in transit and password protect it to ensure that only authorized persons have access to it.
  • Dispose of legally protected information with a close focus on security.
    • Designated data stewards (for major categories of information, such as student information or financial information) establish the process for disposal of records containing legally protected information in accord with applicable laws, policies and regulations (federal, state and university).
    • Shred paper information or securely recycle it, maintaining its security throughout the process until it is no longer readable.
    • Remove data before transfer or disposal of computing devices of any kind in accord with state regulations (see http://www.vita.virginia.gov/docs/psg/SMS_COV_ITRM_Std_SEC2003-02-1-f-eff-030804.pdf).
    • Promptly dispose of outdated information.
  • Use appropriate control procedures to detect improper disclosure or theft of legally protected information

Adapted by the Department of Information Technologies from related FTC materials