...
Internal Use Information Standards & Procedures
Information Collection, Access and Use of Internal Use Information
- Internal Use Information should be generally protected from any unauthorized access, modification, transmission or storage.
- Internal Use Information is restricted to members of the University community who have a legitimate purpose for accessing such information.
- Internal Use Information should be generally protected from any unauthorized access, modification, transmission or storage.
Storage and Maintenance of Internal Use Information
- Internal Use Information should be generally protected from any unauthorized storage.
- When stored in any physical form (i.e., paper), Internal Use Information should be stored in a closed container to protect disclosure such as; filing cabinet, closed office, or desk drawer.
Transmission and Disclosure of Internal Use Information
- Internal Use Information should be generally protected from any unauthorized transmission and disclosure.
- Documents containing Internal Use Information should not be posted publicly.
- Internal Use Information should be generally protected from any unauthorized transmission and disclosure.
Information Retention and Disposal
- Documents containing Internal Use Information should be destroyed by shredding or an alternative process that destroys information beyond recognition or reconstruction (if in hard copy form), or should be sanitized or securely deleted by the Information Security Officer or his or her designee (if in electronic form) in accordance with the University’s Record and Information Management Policy and Records Retention Schedule. (See Record Retention Policy)
Responses to Incidents and Breaches
- Employees and Third Party Service Providers with access to Confidential Information will be encouraged to report any suspicious or unauthorized use of Confidential Information in accordance with procedures described in the "Incident Response Policy" section of the Suffolk University Information Security Policy Manual.
- Whenever there is an information security related incident that constitutes a Security Breach involving MA PI and requires notification under M.G.L. c. 93H, §3, there shall be an immediate mandatory post-incident review of events and actions taken in accordance with the "Incident Response Policy". if any, with a view to determining whether any changes in security practices are required to improve the security of MA PI in accordance with the MA Regulations.
Incorporation of Other University Information Security Policies
This WISP includes, and incorporates by reference, the information security standards, polices, and procedures set forth in the Suffolk University Information Security Policy Manual, which includes the following:
- Acceptable Use PolicyvPolicy
- Anti-Virus Policy
- Encryption Policy
- Incident Response Policy
- Password Policy
- Portable Device Policy
- System Administrator Account Policy
- User Account Policy
- Vendor Policy
Waivers and Exceptions
Individuals subject to the mandatory requirements or standards set forth in this WISP, or the Information Security Policy Manual, may request that the CIO grant a waiver or exception from a particular requirement or standard that cannot practicably be followed without substantial operational hardship or excessive cost, and the CIO may in his/her discretion grant such waiver or exception provided that
- the waiver or exception would not result in a violation of applicable law or regulation; and
- that the CIO imposes, wherever possible, other alternative requirements or standards that serve the purposes of the WISP and/or Information Security Policy Manual but are less burdensome on the particular individual or his/her department or unit.
Enforcement and Disciplinary Action
The University reserves the right to monitor network traffic, perform random audits, and to take other steps to insure the integrity of its information and compliance with the WISP. Violations of the WISP will result in appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks, or other employment related discipline up to and including suspension or termination of employment, depending on the circumstances and relevant factors such as the nature and severity of the violation and whether the violation was knowing, intentional or repeated.
Revision History
...