Child pages
  • 1.0 Written Information Security Program - WISP

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Objectives

The objectives in the development and implementation of this comprehensive written information security program (“WISP” or “Program”) are:

...

  • To comply with our obligations under law including the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (“GLB”), 15 USC 6801(b) and 6805(b)(2), and implementing regulations of the Federal Trade Commission codified at 16 CFR Part 314 and the Massachusetts personal information safeguards law M.G.L.c 93H, s. 2, and implementing regulations of the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) codified at 201 CMR 17.00 entitled “Standards for the Protection of  Personal Information of Residents of the Commonwealth”.

Scope of the WISP & Key Program Design and Implementation Features

The WISP provides for, and was designed and developed, and will be implemented, to include the following key features, requirements and components:
 

  • Identification of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records, or other University Information, containing Confidential Information;
     
  • Assessment of the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Confidential Information;
     
  • Evaluation of the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;
     
  • Design and implementation of safeguards to minimize those risks; and
     
  • Regular monitoring of the effectiveness of those safeguards.


Applicability

This Program applies to all University faculty and staff, whether full-time or part-time, paid or unpaid, temporary or permanent, as well as all agents and representatives of the University, including any Third Party Provider providing services to the University (“University Users”), who create, use or otherwise access or interact with any University Information or University Information Resource.

This Program applies to all University Information, including all information collected, stored or used by or on behalf of any operational unit, department and person within the University community in connection with University operations. In the event that any particular information at Suffolk University is governed by more specific requirements under other University policies or procedures, the more specific requirements shall take precedence over this Program to the extent there is any conflict.

 

Definitions

The following words as used herein shall, unless the context requires otherwise, have the following meanings:

...

University Users
All University faculty or staff members, whether full-time or part-time, paid or unpaid, temporary or permanent, as well as all agents and representatives of the University, including any Third Party Service Provider providing services to the University who create, use or otherwise access or interact with any University Information and/or University Information Resource.

 

Administrative Oversight & Roles Responsibilities

Chief Information Officer

...

    1. Conducting and documenting initial and periodic assessments to identify Records and University Information Resources that are maintained, accessed or used by the DISC’s department;
       
    2. Develops written procedures (in consultation with the CIO and ISO when necessary), concerning physical access to departmental Records, and the security and appropriate storage and maintenance of such Records;
       
    3. Meets periodically upon request with the CIO and ISO to share information, coordinate implementation of the WISP and related University policies, and plan for and help deliver training to departmental faculty and staff.

 

Assessment of Internal and External Risks


The internal and external risks to the confidentiality, security and/or integrity of Records containing Confidential Information were assessed through a thorough, careful process which was led by the CIO, ISO, Assistant Provost for Regulatory Affairs, representatives from the various University departments that maintain or have access to Confidential Information, and numerous outside consultants. This assessment involved:

...

Looking forward, the University, led primarily by the CIO and ISO, will continue to assess external and internal risks periodically, and as changes to technology occur which may represent or introduce new kinds or degrees of risk.

Data Classification

Suffolk University Information is classified into the following types of information:

Confidential Information Standards & Procedures

 

General Program Standards
    1. Confidential Information must generally be protected to prevent unauthorized access, use, modification, transmission, storage or disclosure, and/or loss, or theft.
       
    2. A copy of the WISP will be made available, and provided physically or electronically, to each University User with access to Confidential Information (CI).
       
    3. Initial and periodic future training and retraining of employees (and other University Users as appropriate) with access to CI will be required by the University. All participants in such training sessions are required to certify their completion of the training.
       
    4. All security measures shall be reviewed at least annually, or whenever there is a material change in the University’s business practices that may reasonably implicate the security or integrity of Records containing PI or FCI. The CIO shall be responsible for overseeing this review and shall consider for implementation recommendations for improved security arising out of that review.
       
    5. The ability of Third Party Service Providers to comply with the MA Regulations and the GLB Regulations (and the requirements of this WISP) in the handling of PI and FCI will be evaluated regularly and the University will ensure that contracts with those services providers will include provisions obligating them to comply with the MA Regulations and the GLB Regulations (and the requirements of this WISP) in providing the contracted-for services.
       
Information Collection, Access and Use of Confidential Information 
    1. The amount of Confidential Information collected must be limited to that amount reasonably necessary to accomplish the University’s legitimate educational and business purposes, or necessary to comply with other state or federal regulations.
       
    2. Access to records containing Confidential Information shall, to the full extent feasible, be limited to those persons who are reasonably required to know such information in order to accomplish the University’s legitimate educational and business purpose or to enable the University to comply with other state or federal regulations.
       
    3. Electronic access to databases and files with Confidential Information will be blocked after multiple unsuccessful attempts to gain access have been attempted by the user when such access-blocking technologies are feasible and reasonably available.
       
    4. Physical and electronic access to Confidential Information of a terminated or former University User shall be immediately blocked. Such terminated person shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the University’s premises or information. Moreover, such terminated person’s remote electronic access to Confidential Information shall be disabled and his/her voicemail access, email access, Internet access, and passwords shall be invalidated. The CIO and ISO shall maintain a highly secured master list of all passwords and encryption keys.
       
    5. All terminated or former University Users who have (or had) access to Confidential Information shall be required to return all records containing Confidential Information, in any form, which may at the time of such termination be in the person’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.)
       
    6. Access to electronically stored MA PI and FCI shall be electronically limited to those employees and other authorized University Users having a unique logon; and re-logon shall be required when a computer has been inactive for more than a few minutes.
       
    7. There must be secure user authentication protocols in place, including: 
      1. Protocols for control of user IDs and other identifiers;
      2. A reasonably secure method of assigning unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access to PI or FCI
      3. Restricting access to records and files containing personal information to those who need such information to perform their job duties.
      4. Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
      5. Blocking of access to users after multiple unsuccessful attempts by those users to gain access.
      6. Access to Confidential Information shall be restricted to active users and active user accounts only.
      7. Passwords for current University Users shall be changed periodically in accordance with the "Password Policy".
      8. All University-issued computers, including laptops, will be password protected and require a user name and password that complies with University policy.
         
    8. All computer systems will be reasonably monitored for unauthorized use of or access to MA PI or FCI.
       
Storage and Maintenance of Confidential Information 
    1. University Users must maintain Records containing MA PI and FCI in locked facilities, secure storage areas or locked containers. Users are encouraged to store other Confidential Information in the same manner, although a somewhat lesser degree of physical security (e.g. storage in a filing cabinet in a limited access office which is locked during evenings and extended periods of non-attendance) shall normally suffice for Confidential Information that does not include MA PI or FCI.
       
    2. University Users are prohibited from leaving open files (both electronic and paper) containing MA PI and FCI unattended. Records containing MA PI and FCI must be secured in locked file cabinets or locked drawers. and computers that have access to MA PI and FCI.
       
    3. University Users with computer with access to PI and FCI shall be configured with automatic locking (requiring re-entry of a password) after a certain time of no activity, as specified in the "Password Policy".
       
    4. At the direction of the DISC, each department shall conduct, and appropriately document, initial and periodic/subsequent assessments, to identify all of the Records and University Information Resources maintained, or accessed and used, by the department and to determine which contain Confidential Information. Each department shall also develop rules (bearing in mind the business needs of that department) that ensure that reasonable restrictions upon physical access to records containing Confidential Information are in place, including a written procedure that sets forth the manner in which physical access to such records in that department is to be restricted.
       
    5. Confidential Information shall not be stored on any unencrypted laptops, handheld computers (e.g. IPads) or personal digital assistant (“PDA”) devices (e.g. Blackberry, I-Phone, Droid) or similar device, and shall not be stored on any unencrypted portable or removable storage media (e.g. CDs, flash drives, USB drives, external hard discs, etc.).
       
    6. When stored in an electronic or other digital format, Confidential Information must be protected with Strong Passwords (See "Password Policy").
       
    7. In those instances in which Records or media need to be temporarily transported, carried or stored outside of the workplace in connection with an employee’s University duties, they shall be held and stored in a secure fashion. For example, paper records shall be stored in a locked briefcase or file drawer whenever possible and/or shall be kept at all times within the physical custody of the responsible employee.
       
    8. There must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the Confidential Information installed on all systems connected to the internet which process Confidential Information.
       
    9. There must be reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to- date patches and virus definitions, installed on all systems processing Confidential Information.
       
Transmission and Disclosure of Confidential Information 
    1. Any disclosure of Confidential Information outside of the University must be in accordance with law.
       
    2. University Users are prohibited from sending any Records containing MA PI or FCI via email through the Suffolk Network, across public networks or wirelessly (whether to internal or external recipients) unless such Records, messages or files are encrypted. University Users are also encouraged to refrain from sending any unencrypted records, messages or files containing Confidential Information other than MA PI or FCI via email through the Suffolk Network, across public networks or wirelessly (whether to internal or external recipients). In such instances, University Users are encouraged to find other more secure means of communicating such information (e.g., by providing a link to a confidential document stored on a secure University server, rather than an attach the document to the email message) whenever possible, especially in cases where the information in the document is particularly sensitive (e.g. where its unauthorized disclosure to external parties could foreseeably result in harm to an individual’s reputation or other personal interests, could readily be used to perpetrate identity theft or financial fraud, or could foreseeably result in the loss of significant rights by, or financial damage to, the University or a third party doing business with the University).
       
    3. Whenever performing University-related work involving Confidential Information, University Users should always use the University Computer Network and the University Virtual Private Network.
       
Information Retention and Disposal 
    1. Paper records containing MA PI or FCI shall be burned or shredded, and electronic records (including records stored on hard drives or other electronic media) shall be destroyed or erased, so that personal data cannot practicably be read or reconstructed. Other Confidential Information should be similarly shredded, destroyed or erased.
       
    2. Record retention and disposal shall also be in accordance with the provisions of the Suffolk University Records Management Policy and related Record Retention Schedule.
       
    3. It is expected that Records will be disposed of at the end of the applicable retention period(s) specified in the Suffolk University Records Retention Schedule. If a custodian of a Record, or group of Records, believes there is a legitimate business reason for retaining such Record(s) beyond the stated retention period, that custodian is expected to consult with CIO, who shall determine whether the Record(s) may or may not be retained for a longer period, and if so, for how much longer.

Internal Use Information Standards & Procedures

The following standards and procedures shall apply to Internal Use Information
 
Information Collection, Access and Use of Internal Use Information
    1. Internal Use Information should be generally protected from any unauthorized access, modification, transmission or storage.
       
    2. Internal Use Information is restricted to members of the University community who have a legitimate purpose for accessing such information. 
Storage and Maintenance of Internal Use Information 
    1. Internal Use Information should be generally protected from any unauthorized storage.
       
    2. When stored in any physical form (i.e., paper), Internal Use Information should be stored in a closed container to protect disclosure such as; filing cabinet, closed office, or desk drawer.
       
Transmission and Disclosure of Internal Use Information 
    1. Internal Use Information should be generally protected from any unauthorized transmission and disclosure.
       
    2. Documents containing Internal Use Information should not be posted publicly.
       
Information Retention and Disposal 
    1. Documents containing Internal Use Information should be destroyed by shredding or an alternative process that destroys information beyond recognition or reconstruction (if in hard copy form), or should be sanitized or securely deleted by the Information Security Officer or his or her designee (if in electronic form) in accordance with the University’s Record and Information Management Policy and Records Retention Schedule. (See Record Retention Policy)

Responses to Incidents and Breaches

 

  • Employees and Third Party Service Providers with access to Confidential Information will be encouraged to report any suspicious or unauthorized use of Confidential Information in accordance with procedures described in the "Incident Response Policy" section of the Suffolk University Information Security Policy Manual
  • Whenever there is an information security related incident that constitutes a Security Breach involving MA PI and requires notification under M.G.L. c. 93H, §3, there shall be an immediate mandatory post-incident review of events and actions taken in accordance with the "Incident Response Policy". if any, with a view to determining whether any changes in security practices are required to improve the security of MA PI in accordance with the MA Regulations.

Incorporation of Other University Information Security Policies

This WISP includes, and incorporates by reference, the information security standards, polices, and procedures set forth in the Suffolk University Information Security Policy Manual, which includes the following:

Waivers and Exceptions


Individuals subject to the mandatory requirements or standards set forth in this WISP, or the Information Security Policy Manual, may request that the CIO grant a waiver or exception from a particular requirement or standard that cannot practicably be followed without substantial operational hardship or excessive cost, and the CIO may in his/her discretion grant such waiver or exception provided that

    1. the waiver or exception would not result in a violation of applicable law or regulation; and 
       
    2. that the CIO imposes, wherever possible, other alternative requirements or standards that serve the purposes of the WISP and/or Information Security Policy Manual but are less burdensome on the particular individual or his/her department or unit.

Enforcement and Disciplinary Action


The University reserves the right to monitor network traffic, perform random audits, and to take other steps to insure the integrity of its information and compliance with the WISP. Violations of the WISP will result in appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks, or other employment related discipline up to and including suspension or termination of employment, depending on the circumstances and relevant factors such as the nature and severity of the violation and whether the violation was knowing, intentional or repeated.

Revision History

 

 

Version

Date

Responsible University Office

Approved By

1.0

09/14/10

Provost Office

Provost Barry Brown

1.1

02/12/13

Senior VP of Finance and Administration and Treasurer Office

Senior VP Danielle Manning

...