Contact Info

Vice President for Finance & Administration:
Brad Baca
(970) 943-2186
bbaca@western.edu

Associate Vice President for Finance & Administration:
Julie Feier
(970) 943-2186
jfeier@western.edu

Executive Assistant:
Desolee Pennartz - Taylor Hall 328
(970) 943-2018
dpennartz@western.edu

Address:
Finance & Administration
Taylor Hall 328
Western State College
600 N. Adams St. 
Gunnison, CO 81231

Fax:
(970) 943-2277

 

Information Security

HRCI Committee

High Risk Confidential Information Committee

Charge

This ad hoc committee is charged to conduct a review of policies, procedures and internal controls as they relate to the collection and handling of high-risk confidential information (HRCI) of employees, dependents, and students.  For the purposes of this work, HRCI is defined as any combination of full name, SSN, date of birth, permanent address, driver’s license number/passport/other government-issued identification, credit/debit card number, bank information and personal medical information.  The review should address, but not necessarily be limited to:

  • What information is collected as a part of employment or admission into the institution and whether such information is necessary for purposes of employment or the admissions process.
  • How such information is stored, secured and accessed.
  • Who has access to such information and whether this access is pertinent to the functions of the job position.
  • When and how high-risk confidential information is entered or purged from the College’s databases (i.e., pre/post employment or enrollment).

Due to the comprehensive nature of the task, the committee is expected to prioritize its work in order to promptly and efficiently mitigate risks.  As a part of its work, the committee should consider the cost and benefits associated with hiring a third party to conduct a risk assessment and to review and recommend changes to Western’s current policies and practices.

Throughout the review, the committee, as necessary, should consult with departments or campus units to become aware of potential risks and, for those affected by changes in policies or procedures, to gain an understanding of the impact on College functions.

Based on this review, the committee is expected to formulate policies and procedures that strengthen the security of HRCI.  The draft policies and procedures will be presented to the President’s Cabinet for review and approval prior to communication to the campus community and implementation. 

Committee Members

Brad Baca, Chair, Vice President for Finance and Administration, 943-2186
Chad Robinson, Director of IT Services, 943-3123
Kim Gailey, Director of Human Resources, 943-3142
Rod Russell, Director of Accounting, 943-7027

Initiatives

Risk and Controls Assessment: Completed April 2011.

The Committee engaged a firm with expertise in information security to assist in assessing the risks and controls we have in place as they relate to the use and storage of HRCI in our campus business practices. As part of this review, the committee and the consultants worked with various departments across campus. These departments included Human Resources, Accounting, Purchasing, Admissions, Financial Aid, Computer Services, Registration Services and areas within Student Affairs.

In April 2011 we received the final report for the information security risk assessment from Coalfire. The report included a review of the College’s various business procedures, categorization of information risks associated with those procedures, assessment of current controls against those risks, identification of residual risks and development of a prioritized mitigation plan to address these risks.  The results of that report have helped guide further initiatives.

Policy Deployment: Completed January 2011.

With input from the campus, the HRCI Committee developed the High Risk Information Confidentiality and Disclosure Policy and the Data Protection and Security Policy to address use and storage of HRCI data on campus. These policies were adopted into the Board of Trustees Employee Handbook in late 2011. In conjunction with this policy deployment, college employees and faculty were required to sign a Confidentiality Agreement that affirmed their knowledge and understanding of the new policies.

Data Retention/Destruction Guidelines: Under development.

With assistance from several parties, the HRCI Committee is developing data retention and destruction guidelines and schedules that will be used to help manage the retention and timely removal of the substantial volume of data and documents that are generated by the institution.

Enterprise Information Security Audit (EISA): In progress.

The HRCI has instructed IT Services to conduct an audit of our enterprise information systems (primarily Banner and Department network shares) to make sure that access to information is aligned with work requirements.  The focus is on limiting access to HRCI data, but all permissions will be reviewed in this process.

Information Security Awareness Training: Under Investigation.

The HRCI is investigating options for security awareness training for employees.
