Saint Joseph’s College Written Information Security Policy
Saint Joseph’s College has established this WISP (Written Information Security Policy) for the protection of data related to all the college’s business. This WISP sets forth guidelines for methods of accessing, collecting, storing, using, transmitting and protecting Personally Identifiable Information. It also outlines the need for compliance with both state and federal regulations.
In formulating this WISP, Saint Joseph’s College seeks to:
- Document and formalize the written policies surrounding security risks.
- Define the compliance standards for the stated policy.
- Identify the separate supporting standards, documents, procedures and guidelines which help ensure the security of the college’s data.
- Identify reasonably foreseeable internal and external risks to the security and confidentiality of any electronic, paper, or other records containing Personally Identifiable Information (PII).
This policy applies to all Saint Joseph’s College employees, full-time or part-time, including faculty, administrative staff, contract and temporary workers, hired consultants, interns and student employees, as well as all other members of the Saint Joseph’s College community. This policy also applies to certain contracted 3rd party vendors. The data covered by this policy includes any information created, stored, accessed or collected at the College or for College operations. The WISP is not intended to supersede any policy, document or procedure that contains more specific requirements, or exceptionally secured procedures that safeguard data.
WISP – The term WISP refers to Saint Joseph’s College Written Information Security Policy.
PII – The term PII refers to Personally Identifiable Information. PII encompasses any and all data held by Saint Joseph’s College, either written or electronic. Maine State law defines PII by Title 33: Property, Chapter 11: Register of Deeds, subchapter 2: Records and Record Keeping, 651-B. Privacy Protection:
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the data elements described in this paragraph:
(1) Social security number;
(2) Driver’s license number or state identification card number;
(3) Account number, credit card number or debit card number if circumstances exist such that the number could be used without additional identifying information, access codes or passwords;
(4) Account passwords or personal identification numbers or other access codes; or
(5) Any of the data elements contained in subparagraphs (1) to (4) when not in connection with the individual’s first name, or first initial, and last name if the information included would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was included.
Data – For the purposes of this document, data refers to information stored, accessed or collected at the College about members of the College community.
Data Custodian (President and VPs) – A data custodian is responsible for maintaining the technology infrastructure that supports access to the data, for the safe custody, transport and storage of the data, and for providing technical support for its use. A data custodian is also responsible for implementation of the business rules established by the data steward.
Data Steward – A data steward is responsible for the data content and development of associated business rules, including authorizing access to the data. The steward will be responsible for these assigned groups:
Faculty – Vice President and Chief Learning Officer;
Staff – Vice President and Chief Financial Officer;
Student – Registrar, and Senior Director for Student Success Initiatives;
Alumnae – Vice President & Chief Advancement Officer
Data Security Coordination Team – SJC IT personnel charged with managing the written security policy, ensuring the training of employees for WISP compliance, and appropriate testing and annual review of the WISP. Led by the Associate VP and Chief Information Officer and consisting of the Information Security Officer and the Director of IT Infrastructure.
Personal Information – Described in United States legal fields as either personally identifiable information (PII) or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Breach – A “breach” shall mean the unauthorized acquisition or unauthorized use of either unencrypted PII, or encrypted electronic PII along with the confidential decryption process or key, that is capable of compromising the security, confidentiality, or integrity of PII maintained by the College, creating a substantial risk of identity theft or fraud.
A good faith but unauthorized acquisition of PII by a person, for the lawful purposes of such person, is not a breach unless the PII is used in an unauthorized manner or subject to further unauthorized disclosure.
A “breach” shall not include disclosure of PII which is legally accessible from an outside legitimate source, or where disclosure is required by court order or where necessary to comply with state or federal regulations.
Commitment to Limited Collection of, and Access to, PII
Saint Joseph’s College will collect, maintain and store only that PII which is reasonably necessary to accomplish the legitimate business purpose for which it is collected; will limit the time PII is retained to what is reasonably necessary to accomplish such purpose; and will limit access to those persons who are reasonably required to have access to PII in order to accomplish such purpose or to comply with state or federal record retention requirements. All persons granted access to PII shall be informed of Saint Joseph’s College’s Written Information Security Policy and shall be provided basic training for compliance with its requirements.
Identified Locations of PII
Saint Joseph’s College will identify specific electronic databases and servers, along with physical locations, where PII is known to exist. These locations, while not an exhaustive list, are kept by the Data Custodians and are audited by the Information Security Officer. It is incumbent upon the Data Stewards in each department to promulgate, amongst their staff with PII access, any and all identified locations of PII they have access to, and the importance of preserving its confidential nature.
Identified Potential Risks to PII Security
- Weak passwords used with accounts that have access to PII.
- Computers in publicly accessible areas that are not locked when an assigned employee with access to PII has temporarily stepped away from them.
- Insufficient physical security and controls which compromise access to workspaces and permit use of terminals, theft of equipment or access to paper files.
- Termination procedures that are not followed, resulting in continued access by former employees to PII.
- Employees transporting data on laptops, or on USB “thumb drives” and other types of removable media.
- Unencrypted connections to Saint Joseph’s College data systems over which PII could be carried.
- Incomplete or ineffective training programs explaining to employees what PII is, and what the College’s responsibilities are in its handling.
- Insufficient physical controls, resulting in access to PII by unauthorized persons.
- Malicious software which could compromise the security and integrity of PII.
- Hacking, spoofing and other activities intended to compromise data security and access data and data systems without authorization.
- Social engineering and improper sharing of PII by employees with those not granted permissions to it.
- Lack of audit procedures.
- Insufficient separation of systems into particular subnets.
- Sending/Forwarding PII to non-SJC email addresses, or off-campus data systems.
- Sending paper-based PII through campus mail.
- Vendors of the College who have been granted access to PII.
- Data accessed through the improper disposal of electronic media (including hard drives from disposed computers) and paper files.
- Improper off-site storage of electronic and paper media.
- Hacking and other activities intended to compromise data security and access data and data systems without authorization.
- Consultants and contractors who are not properly vetted.
3) Electronic Data Safeguards
- Identity Management: Saint Joseph’s College will maintain a procedure for managing computer accounts for active employees, and will have in place procedures for promptly disabling accounts of those individuals who are no longer employed and/or entrusted by the College.
- Passwords: Saint Joseph’s College requires passwords for accessing any system that may contain PII. Passwords must meet the minimum complexity requirements set by the Director of Networking. Accounts shall be locked after excessive unsuccessful login attempts. Enforcement of the password policy shall be maintained through electronic means.
Vendor assigned and default passwords shall be changed reasonably promptly, but must be changed before the system accessed through said password contains any PII.
Access to PII shall be electronically limited to those employees with unique usernames. Usernames and passwords with access to PII shall not be shared amongst individuals.
- Timeouts: On a data system where a significant quantity of PII is stored, where it is practical, electronic timeouts shall be employed to screen-lock or timeout the user’s session.
- Access to Computers: Access to computers shall be restricted to those for whom the access is necessary. Persons entrusted with access to PII from their accounts shall ensure that they lock their computer screens, their office doors, or both, so that unauthorized access to PII does not occur.
- Data Security and Access Control Lists: Saint Joseph’s College makes ongoing, self-audited efforts to ensure that only those persons whose job descriptions and/or College-assigned objectives necessitate access to electronically stored PII will be granted such access. A Data Custodian has authority to request permission, in writing or through the helpdesk ticketing system, to grant access to files and folders containing PII.
For the purposes of this section, a job description, approved by the appropriate Data Custodian, that necessitates electronic access to share locations which are designated to contain PII, shall constitute written permission.
- Network Design Considerations: Saint Joseph’s College shall maintain its firewall so that networks which contain data servers can be discrete from end-user systems.
- Firewall: A commercial-grade firewall shall be maintained at Saint Joseph’s College protecting systems containing PII from both external and internal unauthorized access. The software running on the firewall shall be reasonably current.
- Data Encryption: Where electronic files containing PII must unavoidably be taken from an approved storage location and placed on portable media (including, but not limited to, a computer’s internal hard drives, USB “thumb drives,” externally connected drives and other removable media such as CD-ROM), the files containing PII must comply with the standards set in the Saint Joseph’s College Data Classification Guideline.
- Encrypted Network Transmission: Where feasible, when PII is transmitted over a data network where data interception is reasonably foreseeable, PII will be encrypted using Saint Joseph’s College approved encryption.
Saint Joseph’s College shall maintain SSL Certificates, managed by a trusted root host, which shall be used on web pages served by the College over which there exists the reasonably foreseeable possibility that PII may be accessed.
- VPN: Saint Joseph’s College shall maintain a Virtual Private Network (“VPN”), which will necessarily be used to encrypt data connections to the College where there is a reasonably foreseeable possibility that PII will be carried over the connection and an SSL HTTP connection is not feasible.
- Security Patches: There shall be reasonably up-to-date versions of virus/malware protective agents running on College-owned computers, which report back to a central server that is reviewed regularly for compliance with policy. Reasonable means and methods shall be taken to ensure that security-related critical patches are applied to operating systems and application software.
- Electronic File Storage: The College shall maintain a file server or other secure means of data storage of sufficient speed and storage capacity to hold any and all electronic documents that may contain PII. No PII should be stored on individual desktop/laptop computers. All data must comply with Saint Joseph’s College Data Classification Guideline.
- Encrypted Backups: Wherever feasible, server backups shall be encrypted using an industry-accepted data encryption standard.
- Ongoing Data Security Training and Acceptable Use: The College shall develop and maintain a data security employee training program. Employees whose positions at the College require contact with PII shall be provided additional training, within their departments, commensurate with the potential exposure.
The College will maintain an acceptable use policy with which all persons granted access to Saint Joseph’s College’s network will be required to comply.
4) Data Retention and Destruction
- Destruction of records will be done in a commercially acceptable manner so that PII cannot be practically read or reconstructed.
- All hard drives from servers or sensitive computer systems designated for replacement or retirement must be securely destroyed to render any PII data unreadable or unable to be reconstructed.
- Where the College contracts with a third-party data destruction company, the College shall obtain written assurances from the third-party that its disposal practices are in compliance with Federal and State regulations.
- All data retention must comply with the Saint Joseph’s College Records Management Policy.
5) Paper Based Data Safeguards
- File Cabinets: Where filing cabinets are to be used for the storage of PII, the filing cabinets are to remain locked unless the need to access the files within is imminent or current. Should removal of files containing PII from a filing cabinet be necessary, the files themselves must be protected against unauthorized access and, if the files will not be returned to the filing cabinet promptly, the filing cabinet shall be locked. Files must be returned to filing cabinets, which are then to be locked, no later than the end of the workday of the employee who removed them, unless their overnight storage outside their designated filing cabinet is approved, in writing, by the appropriate Data Steward.
- Transport: All efforts will be made to minimize the physical transport of printed PII, substituting encrypted electronic data transport instead. Where printed PII must be transported, the carrier shall either be commercial and bonded, or a trained member of the Saint Joseph’s College community.
6) Third Party Entrustment
- Saint Joseph’s College shall take all reasonable steps to verify that any third-party vendor, contractor or service provider with access to PII maintained by the College has the capacity to protect such PII in the manner required by Maine Law, Title 33, 651-B.
- Saint Joseph’s College requires that all third-party vendors, contractors or service providers entrusted with PII complete, and submit to the College, a written manifestation of their current and ongoing compliance with the requirements of Maine Law, Title 33, 651-B. Should the third-party not provide such documentation, or later withdraw their assent to the requirements, the College shall no longer provide any PII to said third-party and will take affirmative steps to ensure that previously entrusted PII is destroyed in a manner in line with that which the College would use.
- All vendor contracts that will have access to PII must include standard Saint Joseph’s College contract language for PII.
7) Termination of the Relationship that Requires Entrustment of PII
Employees may leave, be terminated, or switch roles within Saint Joseph’s College. The relationship between Saint Joseph’s College and third parties may change. Where the employee or third-party had access to specific PII and the changed relationship negates the need for access, Saint Joseph’s College shall take specific affirmative steps to ensure that access to PII is withdrawn.
- All records containing PII, in any form, must be returned at the time of termination of the relationship. If return is not feasible, destruction in accordance with industry standards, along with proof of such destruction, is acceptable.
- At the time of termination of the relationship, all electronic and physical access to PII must immediately cease and be blocked. Former employees and third parties must return keys, IDs (if not required for other legitimate purposes), access control tokens and cards. Electronic lock access shall be disabled.
- Continued access to PII by former employees and third parties with whom the business relationship has been terminated must be expressly authorized, in writing, by the appropriate Data Custodian.
8) Disciplinary Actions for Violations of the WISP
Employees must comply with the requirements of the WISP. Use of PII in a manner not expressly or impliedly granted by the College is prohibited during, and subsequent to, employment at Saint Joseph’s College. Disciplinary action for infractions of the WISP shall be mandatory, the severity of which shall be commensurate to the infraction and may depend on a number of factors, including but not limited to, the nature of the violation, the nature of the PII, and the extent of the unauthorized use, exposure, or disclosure.
9) Breach Procedures
Whenever there is a breach that requires notification under Maine Law, Title 10, 1347-A, the College shall take, at a minimum, the following steps:
- Notify the appropriate state regulators within the Department of Professionalism and Finance Regulation, or the Attorney General of the State of Maine.
- Notification to the consumer reporting agencies if the breach affects more than 1000 persons at a single time.
- Notification to affected persons with information about the breach and steps to take to secure their PII, including but not limited to, contacting the consumer reporting agencies to request a credit security freeze.
- A letter of notification of breach shall be sent to the College’s insurance carrier by the Vice President and Chief Financial Officer.
- An immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in the security practices are required to improve the security of PII.
- Disciplinary action may be taken against the individual, or individuals, who caused, or contributed to, the breach.