Information Security Plan
Revised May 02, 2012
This Information Security Plan (the “Plan”) describes the Bard College at Simon’s Rock ("Simon's Rock") process for protecting confidential personal information.
Confidential Personal Information (“CPI”), for purposes of this Plan, includes the following categories of information:
Customer Information, as defined in the Gramm-Leach-Bliley Act (GLBA), is any nonpublic personal information that the College obtains from a customer in the process of offering a financial product or service. In the Simon's Rock context, a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent or guardian when offering a financial aid package, and offering financial account payment plans. Nonpublic personal information includes, but is not limited to, bank and credit card account numbers and income and credit histories, whether in paper or electronic format.
Personal Information, as defined in Massachusetts General Law 93H and Mass regulations 201 CMR 17.00 ("Massachusetts Privacy Law"), is any data record (electronic or paper) that contains an individual’s first name or initial and last name, in combination with any of the following data elements that relate to the individual: (a) Social Security number; (b) driver’s license number or government-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account. Personal information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Protected Health Information (PHI), as defined by the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), includes all information related to health care that identifies an individual and that involves the individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or any payments for the provision of health care. This information must be protected when it is held or transmitted in any form or media, whether electronic, paper, or oral. Simon's Rock's Health Services department, as a health care provider, is a HIPAA covered entity. However, the College, as an employer, is not covered, and employee health insurance information handled by our Human Resources department is excluded.
Protected Educational Records are information about Simon's Rock students as described by the Family Educational Rights and Privacy Act (FERPA). Under FERPA, the College designates specific categories of "directory information" which may be shared publicly with third parties. Simon’s Rock's FERPA directory information is defined in our current Student Handbook and will be reviewed and updated as necessary. Student educational records that are not designated as directory information can only be used by college staff and officials who have a legitimate need to know and an educational interest in the student's information. Otherwise, such information can only be released with the student's permission, or as allowed by FERPA.
All of the above are considered CPI for the purposes of this plan. These safeguards are provided in order to:
- Protect the security and confidentiality of CPI
- Protect against threats or hazards to the security or integrity of CPI
- Protect against unauthorized access to or use of CPI that could result in harm or inconvenience to any person.
This Plan also provides for mechanisms to:
- Identify and assess the risks to CPI collected, stored and maintained by Simon’s Rock
- Develop policies and procedures to manage and control these risks
- Implement and review the Plan
- Adjust the Plan to reflect changes in technology, the sensitivity of CPI and internal or external threats to information security.
II. CPI Risk Management
Simon’s Rock recognizes the existence of both internal and external risks to the security of CPI. These risks include, but are not limited to:
- Unauthorized access of CPI by someone other than its owner
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster or otherwise
- Errors introduced into systems
- Corruption of data or systems
- Unauthorized access of CPI by employees
- Unauthorized requests for CPI
- Unauthorized access through hard-copy (paper) files or reports
- Unauthorized transfer of CPI through third parties
Simon’s Rock recognizes that this may not be a complete list of the risks associated with the protection of CPI. Since technology is not static, new risks are created regularly. Accordingly, the Information Technology Services department (ITS) will monitor security advisory information, such as that provided by the Educause Security Listserve, REN-ISAC (Research and Education Networking Information Sharing and Analysis Center), and the SANS Institute (System Administration, Networking, and Security), to identify new risks.
A. Information Security Plan Coordinator
The Director of Information Technology Services, Janice Gildawie, serves as the coordinator of this Plan. Compliance and monitoring are shared by all Simon's Rock department heads and the College's Provost Leadership Council. Together, they are responsible for assessing the risks associated with maintaining and transmitting CPI and for implementing procedures to minimize those risks to Simon’s Rock.
B. Design and Implementation of Safeguards Program
Employee Management and Training
Employees in departments that use or have access to CPI in the course of their work for the College receive training on the importance of the confidentiality of CPI, including a review of the requirements of laws such as FERPA, HIPAA, GLBA, and the Massachusetts Privacy Law. Employees are trained in how to avoid risks such as laptop theft, wireless snooping, phishing attacks, virus infections, and spyware. Employees are also trained in the importance of keeping passwords secure. Departments which routinely handle CPI are responsible for training their employees in controls and procedures that prevent employees from providing confidential information to unauthorized individuals. Employees are also trained in how to properly dispose of documents that contain CPI. Each department responsible for maintaining CPI is instructed to take steps to protect CPI from destruction, loss or damage due to environmental hazards, such as fire and water damage, or technical failures. These training efforts should help minimize risk and safeguard CPI security.
Simon’s Rock has addressed the physical security of CPI by limiting access to only those employees who have a business reason to know such information; CPI is available only to Simon’s Rock employees with an appropriate business need for it.
Paper documents containing CPI are kept in office file cabinets or rooms that are locked each night. Only authorized employees have access to those spaces. Storage areas holding paper documents containing CPI are kept secure at all times. No paper documents containing CPI may be removed from campus without the approval of a department manager. Paper documents that contain CPI are shredded or securely destroyed at the time of disposal.
Access to CPI via the College’s computer information system is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and password for access to Simon’s Rock servers, and, where required, for access to the Banner database hosted at the main Bard campus. Databases containing CPI, including but not limited to accounts, balances and transactional information, are available only to Simon’s Rock employees in appropriate departments and positions.
Simon’s Rock takes reasonable and appropriate steps, consistent with current technological developments, to make sure that all CPI in electronic form is secure and to safeguard the integrity of records in storage and during transmission. ITS runs Identity Finder software on staff machines to locate potential instances of CPI. ITS also runs threat detection software to identify systems that are compromised and/or infected with malware so that it can take appropriate steps to mitigate the risk. Passwords for central software systems are required to comply with complexity rules and must be changed regularly. When technically feasible, encryption technology is utilized for transmission of CPI. All CPI stored on laptops or other portable devices must be encrypted. When personal computers are redeployed, all storage components are completely reformatted or otherwise erased before any new use.
Responding to System Failures
Simon’s Rock maintains systems to prevent, detect, and respond to attacks, intrusions, and other system failures. ITS regularly reviews network access and security policies and procedures, as well as protocols for responding to network attacks and intrusions. Any loss or theft of a college computer, and all instances of computer malware or other security breaches, must be reported immediately to ITS. The Information Security Plan Coordinator shall be responsible for documenting responsive actions taken in connection with any incident involving a breach of security, and for conducting a mandatory post-incident review of events and actions taken, in order to determine whether changes in business practices relating to the protection of CPI are needed.
C. Service Provider Oversight
Whenever the College retains a service provider that will maintain, process or have access to CPI, the College will ensure that the provider has in place an information security program sufficient to protect CPI. The College will include in its contracts with service providers having access to CPI a provision requiring the providers to have in place security measures consistent with the requirements of the Massachusetts Privacy Law, and to assure that such CPI is used only for the purposes set forth in the contract.
D. Computer System Security Infrastructure
Simon’s Rock maintains a computer security system that provides, at a minimum, to the extent technically feasible:
- Secure user authentication protocols including:
  - control of user IDs and other identifiers
  - a reasonably secure method of assigning and selecting passwords
  - control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
  - restricting access to active users and active user accounts only
  - blocking access to a user identification after multiple unsuccessful attempts to gain access, or after the limitation placed on access for the particular system is reached
- Secure access control measures that:
  - restrict access to records and files containing CPI to those who need such information to perform their job duties
  - assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, and which are reasonably designed to maintain the integrity of the security of the access controls
- Encryption of all transmitted records and files containing CPI that will travel across public networks, such as any files with CPI sent via email.
- Reasonable monitoring of systems, for unauthorized use of or access to CPI
- Encryption of all CPI stored on laptops or other portable devices, including but not limited to email received on smart phones.
- For CPI access or storage on a system that is connected to the Internet, the system must have: reasonably up-to-date operating system security patches; firewall protection; and, for laptop and desktop computers, reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions (or a version of such software that can still be supported with up-to-date patches and virus definitions), and which is set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system and the importance of CPI security.
The Information Security Plan Coordinator will work with the Provost Council and the leadership of other College departments to ensure that this security system infrastructure is appropriately maintained and properly complied with.
E. Retention of CPI
CPI will only be retained for as long as needed for the College’s reasonable business purposes, including for the purpose of complying with any state or federal law. Each department that stores CPI will regularly review the CPI it has retained for the purpose of determining which information may be purged.
F. Violations of this Policy
Any employee who violates this policy shall be subject to discipline pursuant to the relevant disciplinary policy, including possible termination of employment.
G. Termination of Access to CPI
Once an employee concludes his/her employment, either voluntarily or involuntarily, that employee’s access to college data systems and to physical paper storage locations containing CPI shall be terminated.
H. Continuing Evaluation and Adjustment
This Plan is subject to periodic review and adjustment. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the Information Security Plan Coordinator, who may assign specific responsibility to others for implementation and administration, as appropriate.
Credit is given to our colleagues at Williams College and Wellesley College for their generosity in sharing their expertise and knowledge to facilitate Simon's Rock's development of this plan.