Data Security Policy

Summary

The information security plan at Saint Michael's College is designed to protect non-public and financial information about our students, applicants, alumni, donors, employees and other constituents by developing reasonable physical, administrative and technical safeguards that:
• Ensure the security and confidentiality of this information, whether electronic or hard copy,
• Protect against threats to the security and/or integrity of such records, and
• Protect against unauthorized access

Body

Purpose

The information security plan at Saint Michael's College is designed to protect non-public and financial information about our students, applicants, alumni, donors, employees and other constituents by developing reasonable physical, administrative and technical safeguards that:

  • Ensure the security and confidentiality of this information, whether electronic or hard copy, 

  • Protect against threats to the security and/or integrity of such records, and

  • Protect against unauthorized access to or use of such data that could result in substantial harm or inconvenience to any constituent. 

The Vice President for Finance, Vice President for Human Resources and Administrative Services, and the Chief Information Officer collectively form the Cabinet’s Compliance Committee.  Any questions about this policy should be directed to this committee.

This policy is designed in accordance with state and federal compliance regulations, including, but not limited to:

  • Family Educational Rights and Privacy Act Regulation - FERPA

  • Gramm Leach Bliley Act - GLBA

  • Massachusetts Privacy Protection Act

  • Vermont Data Breach Notification Requirements

  • FTC Red Flags Rule

Scope

This policy applies to all users of all information systems that are the property of Saint Michael’s College. Specifically, it includes:

  • All employees, whether employed on a full-time or part-time basis by Saint Michael’s College.

  • All contractors and third parties that work on behalf of and are paid directly by Saint Michael’s College.

  • All contractors and third parties that work on behalf of Saint Michael’s College but are paid directly by an alternate employer.

  • All employees of partners and clients of Saint Michael’s College that access Saint Michael’s College’s non-public information systems.

  • All students, graduate and undergraduate, whether enrolled full time or part-time at Saint Michael’s College.

Definitions

Data:  Data is a discrete body of information created, collected and stored in connection with the operation and management of the College and used by members of the College having authorized access as a primary source.  Data includes electronic databases as well as physical files.

Personally Identifiable Information (PII):  “Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information,” as defined by the National Institute of Standards and Technology (NIST).

Security Breach:  A Security Breach is any event that causes or is likely to cause Classified Information to be accessed or used by an unauthorized person and shall include any incident in which the College is required to make a notification under the Vermont Security Breach Notification Act.

Strong Passwords:  A Strong Password means a password with at least 8 characters, of which at least 3 characters must be a combination of uppercase letter, lowercase letter, numeric character or special character.

Users:  Users includes all members of the Saint Michael’s College community to the extent they have authorized access to College data, and may include students, faculty, staff, contractors, consultants and temporary employees and volunteers.

Policy

Risk Assessment

  • The process of risk assessment will be updated by the CIO or designated information security officer on a regular basis.  Any risks or control weaknesses identified in this process shall be noted, and procedures developed to mitigate any material risks.   

  • Identified risks include:

    1. Unauthorized access of information by someone other than authorized faculty, staff and agents of the College via

      1. Telephone requests for information

      2. Third party transfer of data

      3. Access to hard copy files

    2. Compromised system security as a result of unauthorized computer system access via

      1. Interception of data during electronic transmission

      2. Loss of data integrity due to corruption

      3. Physical loss of data due to theft

      4. Hacking, phishing, key logging or other means of prohibited access to protected information.

    3. Physical loss of data due to accident, fire, flood, or other disaster.

Data Classifications

  • All data covered by this policy is to be classified among one of three categories, according to the level of security required. In descending order of sensitivity, these categories are “Confidential”, “Internal Use,” and “Public.”  All information, whether contained in physical documents, electronic databases, or other collections of information, is to be assigned to a security classification level according to the most sensitive content contained therein.

    1. Confidential data includes personally identifiable information (PII) and sensitive institutional information, and must be given the highest level of protection against unauthorized access, modification or destruction. Unauthorized access to confidential data may result in a significant invasion of privacy, or may expose members of the College community to significant financial risk. 

    2. Internal Use data includes information that is less sensitive than confidential data, but that, if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal interests, or on the finances, operations, or reputation of Saint Michael's College.  Internal use data must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal use data is information that is restricted to members of the college community who have a legitimate purpose for accessing such data.

    3. Public data is information that is generally available to the public, or that, if it  were to become available to the public, would have no material adverse effect on individual members of the College community or upon the finances, operations, or reputation of Saint Michael’s College.  It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to disclosure rules, is available to all members of the College community and to all individuals and entities external to the College community.  Public data is not subject to the protections or limitations on disclosure imposed by this Policy. 

    4. Classified Information:  Classified Information means Confidential Data and Internal Use Data.  Classified Information does not include Public Data.

  • In the event information is not explicitly classified, it is to be treated as follows:   Any data which includes social security number, bank and credit card account numbers, financial information such as copies of income tax returns and FAFSA forms, and other income and credit histories shall be treated as Confidential.   All other information is to be treated as Internal Use, unless such information is Public data because it appears in form accessible to the public (i.e., on a public website or a widely distributed publication) or is created for a public purpose.

Data Security

  • The College recognizes that many departments on campus have legitimate business needs for certain Classified Information about our constituents.  However, access to physical copies of such information should be physically restricted within the department having the immediate need for hard copy information, and access to electronic copies should be limited by appropriate system login and access security methods as established and maintained by the Department of Information Technology.

  • When stored in an electronic format, confidential data must be protected with strong passwords and stored on servers that have protection and encryption measures provided by the Department of Information Technology in order to protect against loss, theft, unauthorized access and unauthorized disclosure.  Classified Information should not be stored on desktop computers, mobile devices or external drives (College-owned or personal) except in accordance with a separate policy on mobile devices or as specifically authorized by the CIO or designated information security officer.

  • Classified Information may be disclosed to persons who have a legitimate need to access the data. The Colleague Access Application Form will be used to authorize users’ scope of access to Confidential data. 

  • Classified information in hard copy print format, as defined in section 2, shall be maintained in locked filing cabinets or in a locked file room with limited overnight access when not in use.  Office doors shall be locked when offices containing this information are vacant or otherwise unattended during office hours.  Classified Information should be adequately controlled during processing, and should be reasonably secured while not in use.   Classified Information sent in hard copy print format to other departments on campus should be hand-delivered or sent via campus mail in a sealed envelope marked “confidential.” 

  • Classified Information sent via fax must be sent only to a fax number that has been verified as using a secured location.

  • College personnel should shred any hard copy Classified Information in accordance with applicable records retention procedures, and such information should be stored securely until such time as it is shredded. If an outside vendor is used for destruction of such records, the vendor should be contractually obligated to maintain the confidentiality of this information, and precautions should be taken to ensure the protection of this information.  Refer to section 4.6 regarding contracts with vendors and service providers.

  • Electronic storage media shall be sanitized according to Department of Defense (DOD) standards prior to disposal or re-allocation.

Managing System Failures and Security Breach Incidents

  • Managers of departments that maintain custody of confidential information shall contact the Office of Public Safety should a breach of security be discovered in their office; Public Safety shall undertake an investigation and coordinate or recommend the appropriate response given the circumstances. The Vice President of Finance, Chief Information Officer and the Vice President of Human Resources and Administrative Services must be notified in a timely manner if Classified Information is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the College’s information systems has taken place or is suspected of taking place.

  • In the event of a security breach, the College shall notify constituents affected by the safeguarding violation as required by applicable law.  Responses shall be initiated by the Compliance Committee, and coordinated with the Vice President of Enrollment and Marketing (if applicable), and the President.  The College’s Information Security Incident Response Plan is incorporated herein by reference.

Disaster recovery and business continuation

The Department of Information Technology shall develop written disaster recovery and business continuation plans for all Classified Information, and shall make these plans available to the Compliance Committee upon request.  These contingency plans should be reviewed regularly and updated as business conditions change.  Individual departments shall be responsible for disaster recovery and business continuation plans for hard copy information and any electronic information that is not stored in a centralized database.

Service Providers

  • Due Diligence and Monitoring:  The College shall exercise due diligence by ensuring that all outside service providers that have access to Classified Information take appropriate steps to ensure the safeguarding of such information in accordance with this policy and applicable legal requirements.  

  • Contracts

    1. The Director of Financial Planning and Business Services shall review and/or negotiate all relevant contracts prior to execution, and shall ensure that all relevant contract terms are provided to address safeguarding of Classified Information related to the services to be provided.  These terms might include some or all of the following:

      1. A statement of compliance with the Saint Michael’s College Information Security Plan & Data Security Policy.

      2. An explicit acknowledgement that the College allows the service provider access to Classified Information

      3. A specific definition of Classified Information as related to the services being provided

      4. A stipulation that the Classified Information will be held in strict confidence and used only for the business purposes as outlined by the contract

      5. A guarantee from the service provider that it will ensure compliance with the safeguarding provisions contained in the contract

      6. A provision addressing return or destruction of all such Classified Information upon termination of the contract, subject to records retention requirements

      7. A provision defining remedy for breach of safeguarding provisions under the contract, including termination without penalty to the College and that the vendor shall bear the cost of informing and otherwise protecting those whose information has been compromised.

      8. A provision allowing or requiring audit of the service provider’s safeguarding provisions, as applicable (independent assessment, internal audit review, or SSAE 16 report).

      9. A provision ensuring that the contract’s protective requirements survive any termination of the agreement.

Ongoing review

  • Testing:  The Compliance Committee will perform or initiate appropriate testing of controls in high-risk areas, which may include internal audit by relevant staff members or independent examination by external auditors.

  • Reporting:  A risk assessment will be performed by the CIO or designated information security officer and updated periodically to identify and assess relevant risks.  Relevant department heads will submit risk assessment reports to the compliance officers upon request. Interim reviews will occur during each fiscal year to identify emergent risks and changes that may be necessary due to changes in the internal and external business environment, changes in the sensitivity of information, changes in technology or business arrangements.  The Vice President of Finance shall report annually to the Operations Committee of the Board of Trustees on behalf of the Compliance Committee.

Employee management and training

  • Employee hiring procedures:  The Office of Human Resources will perform or coordinate background checks and other such due diligence for all new employees whose positions require a background check.  In addition, certain employees may be required to sign confidentiality agreements.

  • Office procedures:  Offices that maintain Classified Information shall develop and maintain relevant written procedures to comply with this policy, such as locking filing cabinets and office doors, maintaining security of computer user accounts through password-protected screensavers, strong passwords, and periodic password changes andother procedures as applicable to the department and as outlined in the Acceptable Use and Access Control policies.

  • Training:  The College will provide policies, appropriate training, and periodic updates to all employees and volunteers of departments that have access to confidential information.

Related Policies Procedures and Forms

  1. Information Technology Appropriate Use Policy

  2. Information Technology Access Control Policy

  3. Colleague Account Application

  4. Third-Party Mikenet Application

Standards and Guidelines

  1. Data Classification Standard

  2. Password Standard

Enforcement

Violation of this policy may be subject to discipline as outlined in the employee and student handbooks, or a termination of the contract in the case of contractors or consultants.  Additionally, individuals may be subject to loss of Saint Michael’s College information resource access privileges, may be subject to legal action, and may also be held financially liable.

Notification of possible violations should be made to a member, or members, of the Cabinet’s Compliance Committee or to abuse@smcvt.edu.

Controls

The Director for Information Technology Operations will maintain a list of Saint Michael's College employees who have been granted access to confidential data.

Conduct periodic reviews of departmental disaster recovery and business continuation plans.

Conduct periodic penetration tests of the security defenses to identify and seal any possible technological gaps through which cyber criminals could get in to search for any information.

COBIT Standards

COBIT 5:  APO01.06 Define information (data) and system ownership

COBIT 5:  APO13.01 Establish and maintain an ISMS

COBIT 5:  APO13.03 Monitor and review the ISMS

COBIT 5:  DSS06.03 Manage roles, responsibilities, access privileges and levels of authority

References

COBIT 5: Enabling Processes, ©2012 ISACA

SMC Legacy Policy:  Information Security Plan

Info-Tech: Data Protection Policy Template

Beazley: 

Data Security and Reporting Policy

Breach News

EDUCAUSE Campus Policies

Details

Details

Article ID: 544
Created
Fri 1/6/23 4:09 PM
Modified
Wed 2/15/23 11:27 AM