Policy Statement
Users of Electronic Resources connected to the Emerson College network, as well as all users of College Data, must promptly report all actual and suspected Cyber Security Incidents. Emerson IT is responsible for evaluating incidents for a breach of College Data, including Personal Information held by the College, and when necessary to initiate the Cyber Security Incident Response Plan
Reason for Policy
Prompt and consistent reporting of Cyber Security Incidents protects and preserves electronic resources and institutional data and aids the College's compliance with applicable law.
Scope
This policy applies to Electronic Resources, regardless of ownership or location, used to store, process, transmit or access College Data, as well as all Users of College Data.
Definitions
For purposes of this policy, the following definitions apply:
Cyber Security Incident Response Plan: Internal protocol for a team(s) of College staff responsible for response to cyber security incidents.
Cyber Security Events, Incidents, and/or Breaches:
- Event — An exception to the normal operation of IT services, such as outages. Not all events are incidents or breaches.
- Incident — Electronic activities that result in unauthorized access or exposure to College Data, or significant impairment of College IT systems. All incidents start as events.
- Breach — The unauthorized acquisition or unauthorized use of either (a) unencrypted data or (b) encrypted electronic data along with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth. A good faith but unauthorized acquisition of personal information by Emerson College or its employees or agents for the lawful purposes of Emerson College is not a breach unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure. The term “breach” does not include disclosure of personal information when the disclosure is required by court order or necessary to comply with state or federal regulations.
Data Breach Notification: The College’s notification requirements in response to a Cyber Security Incident.
Electronic Resources: Any electronic asset (including devices and data) owned or handled by Emerson College.
Encryption: Security method that renders data elements unreadable by unauthorized parties.
The Information Security Officer (ISO) is the IT professional responsible for:
- Ensuring the prompt investigation of an incident
- Ensuring the preservation of evidence relating to an incident
- Determining what College Data may have been exposed
- Securing any compromised systems to prevent further damage
- Providing guidance to institutional stakeholders
- Developing and distributing an after-action analysis
- Working with external law enforcement when necessary
Personal Information: Per the Massachusetts regulation for Personal Information and Breach of Security, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number (“PIN”), or password that would permit access to a resident’s financial account. The term “personal information” does not include that information which is lawfully obtained from publicly available information (such as addresses or birthdays), or from federal, state, or local government records lawfully made available to the general public.
Regulated Data: Data that requires the College to implement specific privacy and security safeguards as mandated by federal, state, and/or local law, or College policy or agreement.
Users of College Data: Any person extended access and use privileges to College Data. Includes students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform work for the College, and any other person extended access and use privileges by the College under contractual agreements or otherwise.
Responsibilities of Users
Users are required to immediately report actual or suspected Cyber Security Incidents to Emerson IT at helpdesk [at] emerson.edu (helpdesk[at]emerson[dot]edu) or 617-824-8080. Examples include but are not limited to:
- Confirmed or suspected malware impacting Electronic Resources or with the potential to infect College Data
- Malicious email targeting College Data
- College Data discovered to have been unsecured or accessible by unauthorized parties
- Impairment of Emerson’s Electronic Resources
Users are required to follow the instructions provided by Emerson IT after reporting an incident, and to cooperate in any investigation of the incident by the College.
To the extent that the incident is occurring with a user’s assigned electronic resources, if directed by Emerson IT, the user will cease use of the actual or suspected resource immediately, understanding that continued use may inadvertently damage potential evidence if the incident becomes part of a criminal case or insurance claim.
Users who encounter a suspected or actual incident are required to take all possible measures to preserve evidence, as directed by Emerson IT. For instance, if a user suspects their device has been compromised, they may be directed to power off the machine and deliver it unchanged to the IT Help Desk for investigation.
Users will not refer to a Cyber Security Incident as a “breach” unless they have been approved to do so by the ISO.
Incident Notification
- All departments, units, and offices must include provisions in any third-party contracts requiring that the third party and third-party subcontractors provide immediate notification to the College of incidents involving College Data or Electronic Resources and to report findings of investigations of such incidents.
- The College will investigate incident reports and will comply with any legal obligations to notify affected individuals.
- Notification may be delayed in cases where law enforcement determines and advises that notice would impede an ongoing investigation.
Compliance with this Policy
The CIO shall ensure compliance with this policy. The ISO will ensure regular reviews, updates, and distribution of this policy. Violations of this policy may result in disciplinary action, in accordance with Emerson College's Human Resources and/or student conduct policies and any additional collective bargaining agreements. Please review HR's Service Center for details regarding Emerson College's disciplinary process, and the Code of Community Standards.