This Information Security Plan (the “Plan”) describes the Bard College at Simon’s
Rock ("Simon's Rock") process for protecting confidential personal information.
Confidential Personal Information (“CPI”), for purposes of this Plan, includes the
following categories of information:
Customer Information, as defined in the Gramm-Leach-Bliley Act (GLBA), is any nonpublic
personal information that the College obtains from a customer in the process of offering
a financial product or service. In the Simon's Rock context, a financial product or
service includes offering student loans to students, receiving income tax information
from a student’s parent or guardian when offering a financial aid package, and offering
financial account payment plans. Nonpublic personal information includes, but is not
limited to, bank and credit card account numbers and income and credit histories,
whether in paper or electronic format.
Personal Information, as defined in Massachusetts General Law 93H and Mass regulations
201 CMR 17.00 ("Massachusetts Privacy Law"), is any data record (electronic or paper)
that contains an individual’s first name or initial and last name, in combination
with any of the following data elements that relate to the individual: (a) Social
Security number; (b) driver’s license number or government-issued identification card
number; or (c) financial account number, or credit or debit card number, with or without
any required security code, access code, personal identification number or password,
that would permit access to an individual’s financial account. Personal information
shall not include information that is lawfully obtained from publicly available information,
or from federal, state or local government records lawfully made available to the
Protected Health Information (PHI), as defined by the Privacy Rule of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), includes all information related
to health care that identifies an individual and that involves the individual’s
past, present, or future physical or mental health condition, or the provision of
health care to the individual, or any payments for the provision of health care. This
information must be protected when it is held or transmitted in any form or media,
whether electronic, paper, or oral. Simon's Rock's Wellness Center, as a health care
provider, is a HIPAA covered entity. However, the College, as an employer, is not
covered, and employee health insurance information handled by our Human Resources
department is excluded.
Protected Educational Records are information about Simon's Rock students as described
by the Family Educational Rights and Privacy Act (FERPA). Under FERPA, the College
designates specific categories of "directory information" which may be shared publicly
with third parties. Simon’s Rock's FERPA directory information is defined in our current
Student Handbook and will be reviewed and updated as necessary. Student educational records that are
not designated as directory information can only be used by college staff and officials
who have a legitimate need to know and educational interest in the student's information.
Otherwise, such information can only be released with the student's permission, or
as allowed by FERPA.
All of the above are considered CPI for the purposes of this Plan. These safeguards
are provided in order to:
Protect the security and confidentiality of CPI
Protect against threats or hazards to the security or integrity of CPI
Protect against unauthorized access to or use of CPI that could result in harm or
inconvenience to any person.
This Plan also provides for mechanisms to:
Identify and assess the risks to CPI collected, stored and maintained by Simon’s Rock
Develop policies and procedures to manage and control these risks
Implement and review the Plan
Adjust the Plan to reflect changes in technology, the sensitivity of CPI and internal
or external threats to information security.
II. CPI Risk Management
Simon’s Rock recognizes the existence of both internal and external risks to the security
of CPI. These risks include, but are not limited to:
Unauthorized access of CPI by someone other than its owner
Compromised system security as a result of system access by an unauthorized person
Interception of data during transmission
Loss of data integrity
Physical loss of data in a disaster or otherwise
Errors introduced into systems
Corruption of data or systems
Unauthorized access of CPI by employees
Unauthorized requests for CPI
Unauthorized access through hard-copy (paper) files or reports
Unauthorized transfer of CPI through third parties
Simon’s Rock recognizes that this may not be a complete list of the risks associated
with the protection of CPI. Since technology is not static, new risks are created
regularly. Accordingly, the Information Technology Services department (ITS) will
monitor security advisory information, such as that provided by the Educause Security Listserve,
REN-ISAC (Research and Education Networking Information Sharing and Analysis Center),
and the SANS Institute (System Administration, Networking, and Security), for identification
of new risks.
A. Information Security Plan Coordinator
The Director of Information Technology Services, Janice Gildawie, serves as the coordinator
of this Plan. Compliance and monitoring are shared by all Simon's Rock department heads
and the College's Provost Leadership Council. Together, they are responsible for assessing
the risks associated with maintaining and transmitting CPI and implementing procedures
to minimize those risks to Simon’s Rock.
B. Design and Implementation of Safeguards Program
Employee Management and Training
Employees in departments that use or have access to CPI in the course of their work
for the College receive training on the importance of the confidentiality of CPI,
including a review of the requirements of laws such as FERPA, HIPAA, GLBA, and the
Massachusetts Privacy Law. Employees are trained in how to avoid risks such as laptop
theft, wireless snooping, phishing attacks, virus infections, and spyware. Employees
are also trained in the importance of keeping passwords secure. Departments which
routinely handle CPI are responsible for training their employees in controls and
procedures to prevent employees from providing confidential information to unauthorized
individuals. Employees are also trained in how to properly dispose of documents that
contain CPI. Each department responsible for maintaining CPI is instructed to take
steps to protect CPI from destruction, loss or damage due to environmental hazards,
such as fire and water damage or technical failures. These training efforts should
help minimize risk and safeguard CPI security.
Simon’s Rock has addressed the physical security of CPI by limiting access to only
those employees who have a business reason to know such information. CPI is available
only to Simon’s Rock employees with an appropriate business need for such information.
Paper documents containing CPI are kept in office file cabinets or rooms that are
locked each night. Only authorized employees have access to those spaces. Storage
areas holding paper documents containing CPI are kept secure at all times. No paper
documents containing CPI may be removed from campus without the approval of a department
manager. Paper documents that contain CPI are shredded or securely destroyed at the
time of disposal.
Access to CPI via the College’s computer information system is limited to those employees
who have a business reason to know such information. Each employee is assigned a user
name and password for access to Simon’s Rock servers, and, where required, for access
to the Banner database hosted at the main Bard campus. Databases containing CPI, including
but not limited to accounts, balances and transactional information, are available
only to Simon’s Rock employees in appropriate departments and positions.
Simon’s Rock takes reasonable and appropriate steps consistent with current technological
developments to make sure that all CPI in electronic form is secure and to safeguard
the integrity of records in storage and during transmission. ITS runs Identity Finder
software on staff machines to locate potential instances of CPI. ITS also runs threat
detection software to identify systems that are compromised and/or infected with malware
so that ITS can take appropriate steps to mitigate the risk. Passwords for central software
systems are required to comply with complexity rules and must be changed regularly.
When technically feasible, encryption technology is utilized for transmission of CPI.
All CPI stored on laptops or other portable devices must be encrypted. When personal
computers are redeployed, all memory components are completely reformatted or otherwise
erased for any new use.
Responding to System Failures
Simon’s Rock maintains systems to prevent, detect, and respond to attacks, intrusions,
and other system failures. ITS regularly reviews network access and security policies
and procedures, as well as protocols for responding to network attacks and intrusions.
Any loss or theft of a college computer, and all instances of computer malware or
other security breaches, must be reported immediately to ITS. The Information Security
Plan Coordinator shall be responsible for documenting responsive actions taken in
connection with any incident involving a breach of security, and mandatory post-incident
review of events and actions taken, if any, to make changes in business practices
relating to protection of CPI.
C. Service Provider Oversight
Whenever the College retains a service provider that will maintain, process or have
access to CPI, the College will ensure that the provider has in place an information
security program sufficient to protect CPI. The College will include in the contracts
with service providers having access to CPI a provision requiring the providers to
have in place security measures consistent with the requirements of the Massachusetts
Privacy Law, and to assure that such CPI is used only for the purposes set forth in
D. Computer System Security Infrastructure
Simon’s Rock maintains a computer security system that provides, at a minimum, to
the extent technically feasible:
Secure user authentication protocols including:
control of user IDs and other identifiers
a reasonably secure method of assigning and selecting passwords
control of data security passwords to ensure that such passwords are kept in a location
and/or format that does not compromise the security of the data they protect
restricting access to active users and active user accounts only
blocking access to user identification after multiple unsuccessful attempts to gain
access or the limitation placed on access for the particular system
Secure access control measures that:
restrict access to records and files containing CPI to those who need such information
to perform their job duties
assign unique identifications plus passwords, which are not vendor supplied default
passwords, to each person with computer access, that are reasonably designed to maintain
the integrity of the security of the access controls
Encryption of all transmitted records and files containing CPI that will travel across
public networks, such as any files with CPI sent via email.
Reasonable monitoring of systems, for unauthorized use of or access to CPI
Encryption of all CPI stored on laptops or other portable devices including but not
limited to email received on smart phones.
For CPI access or storage on a system that is connected to the Internet, the system
must have: reasonably up-to-date operating system security patches; firewall protection;
and, for laptop and desktop computers, reasonably up-to-date versions of system security
agent software, which must include malware protection and reasonably up-to-date patches
and virus definitions, or a version of such software that can still be supported with
up-to-date patches and virus definitions, and is set to receive the most current security
updates on a regular basis.
Education and training of employees on the proper use of the computer security system
and the importance of CPI security.
The Information Security Plan Coordinator will work with the Provost Council and the
leadership of other College departments to ensure that this security system infrastructure
is appropriately maintained and properly complied with.
E. Retention of CPI
CPI will only be retained for as long as needed for the College’s reasonable business
purposes, including for the purpose of complying with any state or federal law. Each
department that stores CPI will regularly review the CPI it has retained for the purpose
of determining which information may be purged.
F. Violations of this Policy
Any employee who violates this policy shall be subject to discipline pursuant to the
relevant disciplinary policy, including possible termination of employment.
G. Termination of Access to CPI
Once an employee concludes his/her employment, either voluntarily or involuntarily,
such employee’s access to college data systems and physical paper storage locations
including CPI shall be terminated.
H. Continuing Evaluation and Adjustment
This Plan is subject to periodic review and adjustment. Adjustments might be necessary
or advisable due to changes in technology, increases or decreases in the sensitivity
of the information that is covered by this Plan, and the assessment of internal or
external threats to the security and integrity of the covered information, among other
reasons. Continued administration of the development, implementation and maintenance
of the Plan will be the responsibility of the Information Security Plan Coordinator,
who may assign specific responsibility to others for implementation and administration,
Credit is given to our colleagues at Williams College and Wellesley College for their
generosity in sharing their expertise and knowledge to facilitate Simon's Rock's development
of this Plan.