Purpose
The purpose of this written information security policy (“WISP”) is to comply with regulations issued by the Commonwealth of Massachusetts entitled “Standards For The Protection Of Personal Information Of Residents Of The Commonwealth” [201 Code Mass. Regs. 17.00], and by the Federal Trade Commission [16 CFR Part 314], and with our obligations under the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (“GLB”) [15 USC 6801(b) and 6805(b)(2)].
The objectives of this WISP are to:
- ensure the security and confidentiality of personal information that Emerson College collects, creates, uses, and maintains;
- protect against any anticipated threats or hazards to the security or integrity of such information;
- protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to a resident of Massachusetts; and
- define an information security program that is appropriate to Emerson College’s size, scope, and type of operations, its available resources, and the amount of personal information that Emerson College owns or maintains, while recognizing the goal of protecting personal information.
Scope
This policy is applicable to all individuals accessing College Data (“Users of College Data”).
Definitions
Please see the Cyber Security Incident Reporting Policy for the following definitions:
- Cyber Security Incident (or “incident”)
- Data Breach (or “breach”)
- Data Breach Notification
- Encryption
- Event
- Regulated Data
Please see the Data Governance Policy for the following definitions:
- Access
- College Data
- Users of College Data (or “users”)
- Data Custodians
- Data Stewards
- Personal Information
Policies
All Users of College Data must comply with:
- The Data Governance Policy, which outlines roles and requirements for managing College Data.
- The Cyber Security Incident Reporting Policy, which outlines requirements for users to report potential security incidents.
- The Electronic Resources Acceptable Use Policy, which defines prohibited practices such as password sharing and the subversion of security controls.
Data Security Coordinator
Emerson College has designated the Information Security Officer (ISO) to implement, supervise and maintain the WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:
- Implementation of the WISP and maintenance of all Information Security policies.
- Providing Information Security training to employees.
- Regular testing of the WISP’s safeguards.
- Conducting annual information security risk assessments.
- Evaluating the ability of Emerson’s third party service providers to implement and maintain appropriate security measures for the different classifications of data to which the College has permitted them access, consistent with the regulations and requiring such third party service providers by contract to implement and maintain appropriate security measures.
- Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in the College’s business practices that may implicate the security or integrity of records containing Moderate and High Risk data.
Risk Assessment
As part of developing, implementing, and maintaining this WISP, Emerson College will conduct a periodic, documented risk assessment at least annually or whenever there is a material change in Emerson College’s business practices that may implicate the security, confidentiality, integrity, or availability of records containing personal information.
The risk assessment shall:
- identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, integrity, and/or availability of any electronic, paper, or other records containing personal information;
- evaluate the effectiveness of relevant policies, procedures, systems, and safeguards in place to control such risks, including but not limited to:
- ongoing faculty, staff, contractor, and (as applicable) stakeholder training;
- faculty, staff, contractor, and (as applicable) stakeholder compliance with policies and procedures; and
- means for detecting and preventing security system failures.
Following each risk assessment, Emerson College will:
- design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks;
- reasonably and appropriately address any identified gaps; and
- regularly monitor the effectiveness of Emerson College’s safeguards.
Administrative Safeguards
At a minimum and to the extent feasible, Emerson College will employ and maintain the following administrative safeguards:
- The WISP must be made available to all Users of College Data.
- Employees will be provided education and training on the proper use of the computer security system and the importance of personal information security.
- Emerson IT and Data Custodians and Stewards will self-audit to ensure that only those persons, whose job descriptions and/or College-assigned objectives necessitate access to Moderate and High Risk data.
- All employees and third parties granted access to College Data are required to comply with the Employee and Third-Party Account Termination Policy.
Technical Safeguards
At a minimum and to the extent feasible, Emerson College will employ and maintain the following technical safeguards:
- Secure user authentication protocols including:
- control of user IDs and other identifiers;
- a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- restricting access to active users and active user accounts only; and
- blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
- Secure access control measures that:
- restrict access to records and files containing personal information to those who need such information to perform their job duties; and
- assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
- Reasonable monitoring of systems, for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices;
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Emerson College will oversee each of its third-party service providers that may have access to or otherwise create, collect, use, or maintain personal information on its behalf by:
- evaluating the service provider’s ability to implement and maintain appropriate security measures to protect personal information consistent with this WISP and all applicable laws and regulations; and
- requiring the service provider by contract to implement and maintain such appropriate security measures for personal information.
Physical Safeguards
At a minimum and to the extent feasible, Emerson College will employ and maintain the following physical safeguards:
- Emerson College’s physical safeguards shall, at a minimum, include reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
- All physical assets containing College Data must be secured from theft by locking and maintaining a secure workplace and/or keeping it within the employee's possession.
Compliance
The CIO shall ensure compliance with this policy. The ISO will ensure regular reviews, updates, and distribution of this policy. Violations of this policy may result in disciplinary action, in accordance with Emerson College's Human Resources and/or Student Conduct policies and any additional collective bargaining agreements. Please review HR's Service Center for details regarding Emerson College's disciplinary process, and the Code of Community Standards.