Wellesley College

Wellesley College Written Information Security Program

(Note: Italicized text represents significant changes from the most recent revision)

1.0 Policy Statement

The Wellesley College Written Information Security Program (“WISP”) is intended as a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data maintained at the College, and to comply with applicable laws and regulations on the protection of Personal Information and Nonpublic Financial Information, as those terms are defined below, found in records and in systems owned by the College.

2.0 Overview & Purpose

The WISP was implemented to comply with regulations issued by the Commonwealth of Massachusetts entitled “Standards For The Protection Of Personal Information Of Residents Of The Commonwealth” [201 Code Mass. Regs. 17.00], and by the Federal Trade Commission [16 CFR Part 314], and with our obligations under the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (“GLB”) [15 USC 6801(b) and 6805(b)(2)].

In accordance with these federal and state laws and regulations, Wellesley College is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the college to affected individuals and appropriate state agencies.

Wellesley College is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the College. Wellesley College has implemented a number of policies to protect such information, and the WISP should be read in conjunction with these policies that are cross-referenced at the end of this document.

The purposes of this document are to:

Establish a comprehensive information security program for Wellesley College with policies designed to safeguard sensitive data that is maintained by the College, in compliance with federal and state laws and regulations;
Establish employee responsibilities in safeguarding data according to its classification level; and
Establish administrative, technical and physical safeguards to ensure the security of sensitive data.

3.0 Scope

This Program applies to all Wellesley College employees, whether full- or part-time, including faculty, administrative staff, union staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the Wellesley College community (hereafter referred to as the “Community”). This program also applies to certain contracted third-party vendors (see section 4.6 for further information). The data covered by this Program includes any information stored, accessed or collected at the College or for College operations. The WISP is not intended to supercede any existing Wellesley College policy that contains more specific requirements for safeguarding certain types of data, except in the case of Personal Information and Nonpublic Financial Information, as defined below. If such policy exists and is in conflict with the requirements of the WISP, the other policy takes precedence.

3.1 Definitions

Data

For the purposes of this document, data refers to information stored, accessed or collected at the College about members of the College community.

Data Custodian

A data custodian is responsible for maintaining the technology infrastructure that supports access to the data, safe custody, transport and storage of the data and provide technical support for its use. A data custodian is also responsible for implementation of the business rules established by the data steward.

Data Steward

A data steward is responsible for the data content and development of associated business rules, including authorizing access to the data.

Personal Information

Personal Information (“PI”), as defined by Massachusetts law (201 CMR 17.00), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:

Social Security number;
Driver’s license number or state-issued identification card number; or
Financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password.

For the purposes of this Program, PI also includes passport number, alien registration number or other government-issued identification number.

Nonpublic Financial Information

The GLB Act (FTC 16 CFR Part 313) requires the protection of “customer information”, that applies to any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with the College, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the College. For these purposes, NFI shall include any information:

A student or other third party provides in order to obtain a financial product or service from the College;
About a student or other third party resulting from any transaction with the College involving a financial product or service; or
Otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.

Examples of NFI include:

Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
Account balance information, payment history, overdraft history, and credit or debit card purchase information;
The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account;
Any information you collect through an Internet “cookie” (an information collecting device from a web server); and
Information from a consumer report.

3.2 Data Classification

All data covered by this policy will be classified into one of three categories outlined below, based on the level of security required for each, starting with the highest level.

Confidential

Confidential data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a significant level of risk to Wellesley College or the Community. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration or disclosure.

Confidential data includes data that is protected by the following federal or state laws or regulations: 201CMR17.00 (Mass Security Regs), 16 CFR 313 (Privacy of Consumer Financial Information), the Federal Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the FTC’s Red Flag Rules. Information protected by these laws includes, but is not limited to, PI, NFI and Protected Health Information (PHI).

Restricted

Restricted data refers to all other personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations or reputation of Wellesley College. Any non-public data that is not explicitly designated as Confidential should be treated as Restricted data.

Restricted data includes data protected by the Family Educational Rights and Privacy Act (FERPA), referred to as student education records. This data also includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), College financial and investment records, employee salary information, or information related to legal or disciplinary matters.

Restricted data should be limited to access by individuals who are employed by or matriculate at Wellesley College and who have legitimate reasons for accessing such data, as governed by FERPA, or other applicable law or College policy. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.

Public (or Unrestricted)

Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to Wellesley College or members of the Wellesley College community. Any data that is not classified as Confidential or Restricted should be considered Public data.

4.0 Policy

4.1 Responsibilities

All data at the College is assigned a data steward according to the constituency it represents. Data stewards are responsible for approval of all requests for access to such data. The data steward for each constituency group are designated as follows:

Type of Data	Data Steward*
Faculty	Provost
Staff	Vice President for Finance and Administration
Student	Shared between the Registrar, Director of Admission and Dean of Admission and Financial Aid
Alumnae	Executive Director of the Alumnae Association

*The data steward may appoint a designee to serve in their place.

Library and Technology Services (LTS) staff serve as the data custodians for all data stored centrally on the College’s servers and administrative systems, and are responsible for the security of such data. For distributed data stored on departmental servers, the department head or their designee serves as the data custodian, and LTS and the department share joint responsibility for securing the data.

Human Resources will inform LTS staff about an employee’s change of status or termination as soon as is practicable but before an employee’s departure date from the College. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s access to College data. For detailed information regarding account terminations, see the Electronic Content Stewardship Policy.

Department heads will alert LTS at the conclusion of a contract for individuals that are not considered Wellesley College employees in order to terminate access to their Wellesley College accounts.

The LTS Security Team is in charge of maintaining, updating, and implementing this Program. The College’s Chief Information Officer (CIO) has overall responsibility for this Program.

All members of the Community are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing sensitive data in compliance with this Program.

4.2 Identification and Assessment of Risks to College Information

Wellesley College recognizes that it has both internal and external risks to the privacy and integrity of College information. These risks include, but are not limited to:

Unauthorized access of Confidential data by someone other than the owner of such data
Compromised system security as a result of system access by an unauthorized person
Interception of data during transmission
Loss of data integrity
Physical loss of data in a disaster
Errors introduced into the system
Corruption of data or systems
Unauthorized access of Confidential data by employees
Unauthorized requests for Confidential data
Unauthorized access through hard copy files or reports
Unauthorized transfer of Confidential data through third parties

Wellesley College recognizes that this may not be a complete list of the risks associated with the protection of Confidential data. Since technology growth is not static, new risks are created regularly. Accordingly, LTS will actively participate and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS for identification of new risks.

Wellesley College believes the College’s current safeguards are reasonable and, in light of current risk assessments made by LTS, are sufficient to provide security and confidentiality to Confidential data maintained by the College. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.

4.3 Policies for Safeguarding Confidential Data

To protect College data classified as Confidential, the following policies and procedures have been developed that relate to access, storage, transportation and destruction of records. For an overview of storage guidelines, see the Data Storage Guide.

Access & Storage

Only those employees or authorized third parties requiring access to Confidential data in the regular course of their duties are granted access to this data, including both physical and electronic records.
To the extent possible, all electronic records containing Confidential data should only be stored on Vault (the College’s on-campus secure network storage) and not on local machines or unsecured servers.
PHI may be stored or accessed through the Google Apps core suite (including Mail, Drive, Groups, Sites, Chat) as these apps are certified HIPAA compliant, provided that access to the PHI is appropriately restricted. This does not apply to Google consumer apps such as Google+, Hangouts, etc.
Massachusetts PI and NFI must not be stored on any Google app.
Confidential data must not be stored on cloud-based storage solutions that are unsupported by the College (including DropBox, Microsoft OneDrive, Apple iCloud, etc.).
Members of the Community are strongly discouraged from storing Confidential data on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives). However, if it is necessary to transport Confidential data electronically, the mobile device containing the data must be encrypted.
Paper records containing Confidential data must be kept in locked files or other secured areas when not in use.
Upon termination of employment or relationship with Wellesley College, electronic and physical access to documents, systems or other network resources containing Confidential data is immediately terminated. (See the Stewardship of Electronic Content Policy for more information.)

Transporting Confidential Data

Members of the Community are strongly discouraged from removing records containing Confidential data off campus. In rare cases where it is necessary to do so, the user must take all reasonable precautions to safeguard the data. Under no circumstances are documents, electronic devices, or digital media containing Confidential data to be left unattended in any unsecure location.
When there is a legitimate need to provide records containing Confidential data to a third party outside Wellesley College, electronic records shall be password-protected and/or encrypted, and paper records shall be marked confidential and securely sealed.

Destruction of Confidential Data

Records containing Confidential data must be destroyed once they are no longer needed for business purposes, unless state or federal regulations require maintaining these records for a prescribed period of time.
Paper and electronic records containing Confidential data must be destroyed in a manner that prevents recovery of the data. Massachusetts General Law 93I specifies the manner in which records containing PI must be destroyed.

Traveling Abroad with Students’ Personal Information

In the event that transmission of student passport information is required by the hotel or program abroad in advance of the travel, only the relevant information requested (e.g., Name, Passport Number, Date of Expiry, and Date of Birth) will be provided, not complete copies of the passport images. This information should first be transmitted via fax or through eFax Secure website (SSL), provided that the Wellesley College department arranging the travel confirms the accuracy of the fax number by sending an initial confirmation message before the actual data. If faxing is unavailable, the data may be sent via Wellesley email, provided that the same confirmation of transmission takes place.
Faculty/staff who need to retain these passport numbers for arranging travel will store this data in spreadsheets that are saved on the College’s secure Vault server. Any spreadsheets containing student passport information should be routinely deleted by the spreadsheet owner when no longer needed.
Faculty/staff who are traveling with the students abroad that need student passport and visa information for hotel check-in will keep a paper record on their person that contains relevant information (such as the passport and visa numbers and their expiry dates) and the last names of the students only. Faculty/staff must not retain or travel with copies of student passports.
In extreme circumstances involving travel to a remote location where access to technology would be limited and would prohibit retrieval of a lost passport, a program director may request an exemption to this policy allowing for him or her to retain copies of the students passports during travel. This request will be made to the Chief Information Officer for approval. If the request is approved, the program director will sign the “Faculty/Staff Agreement for Traveling with Secure Data” to acknowledge their understanding of the WISP and their responsibilities in protecting the passports. The program director also agrees to alert LTS immediately if the copies of passport are lost.

4.4 Policies for Safeguarding Restricted Data

Access to Restricted Data should be limited to members of the Community who have a legitimate business need for the data.
Restricted Data can be stored on Google Apps, Sakai, NTM and Vault.
Restricted data may be stored on cloud-based storage solutions that are unsupported by the College as long as they are in compliance with the requirements of any laws governing the protection of such data (e.g., FERPA).
Documents containing Restricted Data should not be posted publicly.

4.5 Password Requirements

In order to protect College data, all members of the Community must select unique passwords following these guidelines:

Has at least 8 characters
Contains a combination of at least three of the four character types: uppercase and lowercase letters, numbers, and special characters (e.g., @ $ # !)
Does not contain words in any language, slang, dialect, jargon, etc., even if they are separated by numbers or special character (e.g., be87gin)
Does not contain repeated characters or a sequence of keyboard letters (e.g., qwerty, 12345, or yyy99)
Does not contain any part of the user’s name, username, birthday, or social security or those of friends and family (e.g., Jill1030)

Members of the community must protect the privacy of their passwords. Passwords must not be shared with others. If an account or password is suspected to have been compromised, all passwords should be changed immediately and the incident reported to the Wellesley College Help Desk.

4.6 Third-Party Vendor Agreements Concerning Protection of Personal Information

Wellesley College exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PI provided by the College to them. The primary budget holder for each department is responsible for identifying those third parties providing services to the College that have access to PI. All relevant contracts with these third parties are reviewed and approved by the Wellesley College Purchasing Department to ensure the contracts contain the necessary language regarding safeguarding PI. It is the responsibility of the primary budget holders to confirm that the third parties are required to maintain appropriate security measures to protect PI consistent with this Program and Massachusetts laws and regulations.

4.7 Computer system safeguards

Technology Support Services staff monitor and assess safeguards on an ongoing basis to determine when enhancements are required. The College has implemented the following to combat external risk and secure the College network and systems containing Confidential Data:

Secure user authentication protocols:
- Unique passwords are required for all user accounts; each employee receives an individual user account.
- Server accounts are locked after multiple unsuccessful password attempts.
- Computer access passwords are disabled upon an employee’s termination.
- User passwords are stored in an encrypted format; root passwords are only accessible by system administrators.
Secure access control measures:
- Access to specific files or databases containing Confidential Data is limited to those employees who require such access in the normal course of their duties.
Technology Support Services staff perform regular internal network security audits to all server and computer system logs to discover to the extent reasonably feasible possible electronic security breaches, and to monitor the system for possible unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of College data.
Operating system patches and security updates are installed to all servers on a regular basis.
Antivirus and anti-malware software is installed and kept updated on all workstations.

4.8 Employee Training

All administrative employees are required to complete the online security training “Securing the Human” on an annual basis. Any faculty, union, student or contract employee that has access to PI is also required to complete this yearly training. The training is also strongly recommended for all employees.

Additionally, users who are the victims of a phishing attack will be required to complete this course within 2 weeks after LTS identifies the issue, regardless of whether or not they have already completed the training. If a user fails to complete the training within 2 weeks, his or her remote access to College resources will be disabled. The LTS Security Team maintains records of all such training.

4.9 Reporting Attempted or Actual Breaches of Security

Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the CIO. The CIO will contact the Chair of the Data Incident Team - the Risk and Compliance Manager - who will convene the team. The Chair is responsible for coordinating the Data Incident Team and determining appropriate actions in their response to the breach. The Incident Team will document all breaches and subsequent responsive actions taken. All related documentation will be stored in the Finance Office.

For more information about incident response, including specific procedures for responding to a breach, see the Wellesley College Data Incident Response Plan.

5.0 Enforcement

Any employee or student who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises Confidential or Restricted data without authorization, or who fails to comply with this Program in any other respect, will be subject to disciplinary action, which may include termination in the case of employees and expulsion in the case of students.

6.0 Policies cross-referenced

The following Wellesley College policies provide advice and guidance that relates to this Program:

7.0 Effective date

This Written Information Security Program was implemented February 1, 2010. Revisions: May 2012, July 2014, June 2015.

The College will review this Program at least annually and reserves the right to change, modify, or otherwise alter this Program at its sole discretion and at any time as it deems circumstances warrant.