OBJECTIVE
Massasoit Community College’s objective in the development and implementation of this comprehensive Written Information Security Program (WISP) is to create effective administrative, technical, and physical safeguards for the protection of Confidential Information. Massasoit Community College will comply with applicable obligations to safeguard Confidential Information to prevent data breaches. The WISP sets forth Massasoit Community College’s procedures for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Confidential Information.
Massasoit Community College will:
1) Identify reasonably foreseeable internal and external risks to the security, availability, confidentiality, and/or integrity of any electronic, paper, or other records containing Confidential Information.
2) Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Confidential Information and risks to other college assets, whether physical or digital.
3) Evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks.
4) Design and implement a WISP that puts safeguards in place to minimize those risks, consistent with Confidentiality Obligations which require Massasoit Community College to safeguard Confidential Information to prevent data breaches; and
5) Regularly monitor the effectiveness of those safeguards.
PURPOSE
The purpose of the WISP is to:
a) Ensure the security and confidentiality of Confidential Information.
b) Protect against any anticipated threats or hazards to the security or integrity of such information.
c) Protect against any unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
d) Ensure compliance with all “Confidentiality Obligations” which are defined as:
· Any state or federal laws in effect or hereinafter enacted
· Applicable industry standards such as the Payment Card Industry Data Security Standard (PCI DSS)
· Contractual obligations
· Massasoit Community College defined Confidential Information
SCOPE
This WISP and associated policies, standards, guidelines, and procedures apply to all full and part-time employees and those employed by other entities to perform work on behalf of Massasoit Community College at hosted or outsourced sites, or who have been granted access to Massasoit Community College information or systems.
The WISP is designed to encompass the security of Confidential Information in electronic or written format and in data transmission. For the purposes of this WISP, “Confidential Information” means any personal and business information that Massasoit Community College must keep confidential, including
a) the first name and last name or first initial and last name of an individual with which Massasoit Community College conducts business in combination with any one or more of the following data elements that relate to such an individual:
· Social Security Number (US); Social Insurance Number (Canada);
· Driver’s License, State or Federal Issued Identification Card Number or Passport; or
· Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, personal identification number or password, which would permit access to an individual’s financial account.
b) Human Resource Information.
c) Medical Records, Health Insurance Information, and other Personal Health Information.
d) Personally identifiable student record information.
e) Business information that is classified as confidential, or proprietary, or information from Massasoit Community College clients that is contractually agreed to as confidential, including but not limited to: Strategic Plans, Legal Documents, Intellectual Property, Client Information, Vendor Information, Partner Information.
The term “Confidential Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the public.
INFORMATION SECURITY OFFICER
The College’s Information Security Officer is:
William Morrison, CIO
Phone: 508-588-9100 x1155
Email: wmorrison@massasoit.mass.edu
The Information Security Officer will be responsible for:
a) Initial Implementation of the WISP.
b) Regularly evaluating and testing of the WISP’s safeguards.
c) Evaluating the ability of each of Massasoit Community College’s third-party service providers to implement and maintain appropriate security measures for Confidential Information to which the College has permitted access, consistent with Confidentiality Obligations which require Massasoit Community College to safeguard Confidential Information to prevent data breaches; and requiring such third-party service providers by contract to implement and maintain appropriate security measures and to notify Massasoit Community College of any security breach or suspected breach involving Confidential Information of which they become aware. Third-party service providers include any non-College entity that is provided access to Confidential Information in order to provide goods and/or services to the College, including, but not limited to: consultants, contractors, collaboration partners, Software-as-a-Service vendors, recycling companies, and other third parties who may store or handle Confidential Information protected under this WISP.
d) Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a breach or attempted breach of the WISP, or there is a material change in the College's business practices that may impact the security or integrity of records containing Confidential Information. The Information Security Officer shall fully apprise management of the results of that review and any recommendations for improved security arising out of that review.
e) Providing training upon hire for all new employees and making training available for continuing employees, via electronic means or in person for all employees, including temporary and contract employees who have access to Confidential Information on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training and their familiarity with Massasoit Community College’s requirements for ensuring the protection of Confidential Information.
f) Executing the Incident Response Policy and corresponding procedures as required for Information Security breaches or attempted breaches.
g) Maintaining highly secured lists of all lock combinations, passwords, and keys.
INTERNAL RISKS
To combat internal risks to the security, availability, confidentiality, and/or integrity of any electronic, paper, or other records containing Confidential Information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately.
Protecting Against Internal Threats
1. Confidential Information Collection & Use, Access, Transmission, Storage & Disposal
Massasoit Community College maintains and uses Confidential Information in personnel files, payment card transactions, benefits records, legal documents, student educational files and other areas that process, transmit and/or store the information in electronic and/or hard copy records. It is vital that the collection, use, access to, transmission, storage and disposal of Confidential Information is appropriately safeguarded and restricted to avoid any data breach and/or unauthorized access.
a. Collection & Access to Confidential Information
The amount of Confidential Information collected by Massasoit Community College should be limited to that amount reasonably necessary to accomplish Massasoit Community College’s legitimate business purposes, or necessary for Massasoit Community College to comply with Confidentiality Obligations.
Access to Confidential Information shall be limited to those persons who are reasonably required to know such information in order to perform their official job functions and/or accomplish Massasoit Community College’s legitimate business purpose or to enable Massasoit Community College to comply with state or federal laws or regulations.
The College reserves the right to require any employee to return all records containing Confidential Information in the employee’s possession, custody, or control (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.) and to block an employee’s physical and electronic access to Confidential Information. Where an employee has been terminated or placed on paid administrative leave, said employee shall be required to surrender all keys, access cards, or badges that permit access to Massasoit Community College’s premises or Confidential Information. Visitors shall not be permitted unescorted access to any area within Massasoit Community College’s premises that contains Confidential Information.
b. Electronic Access and Transmission
Electronic access includes accessing Confidential Information through use of computers and laptops generally by way of email or file sharing and electronic document storage and possession, and access via mobile devices such as smartphones, tablets, thumb drives and similar storage devices. Employees may not copy or download electronic records containing Confidential Information onto any unencrypted College laptop or mobile device. Further, no employee may copy or download electronic records containing Confidential Information onto any personal computer or device.
Electronic access to Confidential Information shall be restricted to active users and active user accounts only. Where a user is unsuccessful after three (3) attempts to electronically access Confidential Information, the user’s access will be blocked until reinstated by the Information Security Officer. Current employees’ user IDs and passwords must be changed periodically as outlined by IT system requirements and must never consist of vendor-supplied default values. Access to electronically stored Confidential Information shall be electronically limited to those employees having a unique log-in ID, and re-authentication shall be required when a computer has been inactive for a period as defined by IT system configuration requirements.
Confidential Information may be included in electronic communication only under the following circumstances:
(a) It is encrypted when transmitted over an open public network, for example the Internet;
(b) It is transmitted over Massasoit Community College’s private network, for example an MPLS network;
(c) It is transmitted over a secure VPN for remote access; or
(d) It is faxed over a private direct fax line, and the faxed documents are safeguarded and treated as hard copy Confidential Information by the receiver.
Confidential Information may be emailed externally if it is encrypted using Massasoit Community College provided encryption tools. If there is no capability to send Confidential Information as encrypted data, a secure alternate means of delivery must be used. To the extent reasonable, any Confidential Information emailed should not be printed. If it is printed, this data should be safeguarded as hard copy Confidential Information.
c. Hard Copy Access and Transmission and Transport
To the extent employees must access Confidential Information to accomplish a legitimate business purpose, such access must be limited to necessary Massasoit Community College personnel only. Each department accessing such Confidential Information must develop internal controls to ensure that disclosure of Confidential Information is safeguarded in accordance with this policy.
Employees are prohibited from keeping open files containing Confidential Information on their desks when they are not at their desks during the day. All Confidential Information in hard copy form or on electronic media must be secured in a locked office, cabinet, or storage facility during non-business hours.
To the extent any electronic or hard copy records must be shared with any internal or external party, and such information includes in part, Confidential Information that the internal or external party does not have authorization to access, such Confidential Information must be redacted prior to sharing.
d. Storage of Confidential Information
Each department shall develop rules (in consideration of the business needs of that department) that ensure that reasonable restrictions for accessing electronic or hard copy records containing Confidential Information are in place, including a written procedure that sets forth the manner in which access to such records is to be restricted; and each department must store such records and data in locked facilities, secure storage areas, or locked containers. In any event, no Confidential Information should ever be kept in any unlocked or unsecure storage facility, including unlocked cabinets or unlocked offices. Confidential Information should also never be left at unsecured copy machines or fax machine locations where unauthorized individuals could gain access.
Hard copy or electronic media with Confidential Information should never be taken out of its secure storage to an off-site location unless there is a legitimate Massasoit Community College business purpose, and the data is appropriately safeguarded at all times. For example, it is not acceptable for anyone who has access to Confidential Information to leave Confidential Information in files in an insecure, unoccupied car, or store Confidential Information at a private residence. Should the need arise to remove electronic Confidential Information from its secure location an encrypted laptop or appropriate media must be used. For hard copy Confidential Information, a record must be kept of who has the information, when it was taken and when it was returned.
e. Disposal of Confidential Information
The destruction of all College records and materials, both hardcopy and electronic, shall be performed in compliance with the Commonwealth of Massachusetts’ Record Retention Schedule. Any hardcopy Confidential Information that no longer has a legitimate Massasoit Community College business purpose shall be destroyed by use of an office-grade cross-cut shredder or by disposal of such documents in marked document shredding receptacles in the office as provided by a document shredding service provider. No Confidential Information should ever be disposed of in normal trash or in recycling bins or by any other public means of disposal.
Paper or electronic records (including records stored on hard drives or other electronic media) containing Confidential Information shall be disposed of only in a manner that complies with all Confidentiality Obligations. IT will manage the disposal of Confidential Information in electronic format including network equipment, servers, workstations, laptops, mobile devices, and removable media.
EXTERNAL RISKS
In addition to monitoring its internal risks, it is necessary for Massasoit Community College to ensure it is protected from external threats to access Confidential Information in its possession.
1. Electronic Safeguards
Massasoit Community College employees who must transmit Confidential Information via laptops and desktop computers shall not transmit such data on non-College computers or devices, as such devices increase the risk of an external threat to data security. Further, no such Confidential Information may be transmitted using electronic messaging (such as email or instant messaging), social media sites, or any other Internet channel unless that channel has been specifically approved by IT as an encrypted means of transmitting Confidential Information.
When remote-access transmission of Confidential Information is necessary to complete a legitimate business purpose, it shall be conducted only over the official Massasoit Community College provided private network, VPN connections, or encrypted Internet protocols.
Massasoit Community College maintains up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the Confidential Information, installed on all systems processing Confidential Information. Massasoit Community College maintains up-to-date versions of system security agent software which includes malware protection and reasonably up-to-date patches and virus definitions, installed on all systems processing Confidential Information. No employee with college-issued laptops, desktops or other devices shall disable any of these security measures or the automatic updating functions on such devices. All computer systems are to be monitored for unauthorized use of or access to Confidential Information.
Massasoit Community College also requires each employee who uses College-issued desktop, laptop, or mobile device to set up a unique password for entry into the business systems (if applicable) and onto the computer system itself (i.e. Windows password). These passwords shall not be shared with anyone. In addition, Massasoit Community College’s system periodically notifies users that they must modify their passwords. All employees must abide by these requirements and ensure they appropriately update their passwords as required.
COMPLIANCE AND ENFORCEMENT
1. Distribution of the Written Information Security Program
A copy of the WISP shall be distributed to each existing employee and all new hires by the appropriate hiring manager. Each hiring manager should discuss the policy with their staff and certify their compliance with the WISP.
2. Training Regarding the Written Information Security Program
As noted above, employees must complete mandatory information security training upon hire. Additionally, annual retraining is strongly encouraged.
3. Discipline for Violations of the Written Information Security Program
Any violation of the WISP shall result in immediate disciplinary action, up to and including termination, in accordance with and subject to all applicable collective bargaining agreements or non-unit policies. Employees are required to report any potential violation of the WISP and/or any suspected unauthorized use of Confidential Information to the Information Security Officer. Any manager receiving information regarding a potential violation of the WISP must immediately take the following steps:
i. Report the alleged violation to the Information Security Officer.
ii. Report the alleged violation to Human Resources if personnel records are involved or the Registrar if student records are involved; and
iii. Make all external reports that may be required in accordance with state or federal laws.
Whenever there is an incident that requires notification under any Confidentiality Obligations, there shall be an immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in Massasoit Community College’s security practices are required to improve the security of Confidential Information for which Massasoit Community College is responsible.
All management and supervisory employees shall be responsible for the enforcement of, and compliance with, the WISP including necessary distribution to ensure employee knowledge, acceptance, and compliance. All employees are under an obligation to comply with Massasoit Community College policies, including all Information Security policies and procedures, and any related instructions issued by the Information Security Officer.
Any lost or stolen Massasoit Community College equipment or documents containing Confidential Information must be immediately reported to the Information Security Officer, the Inventory Control Officer, Campus Police, and the Comptroller.
COMPLIANCE WITH LAWS
It is the policy of Massasoit Community College to comply fully with all state and federal laws and regulations that govern the maintenance and security of Confidential Information.
REFERENCES
Framework: COBIT 4.1
Regulations and Requirements: PCI DSS, MA 201, HIPAA
Supporting Policies and Procedures
COBIT 4.1:
· PO7 Manage IT human resources
· AI4 Enable operations and use
· DS7 Educate and train users
PCI DSS:
· Requirement 6: Build and maintain secure applications and systems
· Requirement 12: Maintain a policy that addresses information security for all personnel
REVISION HISTORY
This section contains comments on any revisions that were made to this document and the date they were made.
Version Number | Issued Date | Approval | Description of Changes
1.0 | 11/23/2015 | Compass IT Compliance | Initial Draft
2.0 | 5/15/2018 | Senior Team | Localizations from initial draft
3.0 | 7/21/2019 | CIO | Language clarifications received per college counsel