The objective of Amherst College in developing and implementing this Information Security Policy (“Policy”), is to create effective administrative, technical and physical safeguards to protect personal information, and to comply with the College’s obligations under M.G.L. 93 H, 93 I and 201 CMR 17.00. The Policy covers all forms of personal information, whether it is maintained on paper, digital, or other media.
For the purposes of this Policy, “personal information” means an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such individual: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
The purpose of the Policy is to effect compliance with Massachusetts laws by:
(a) Ensuring the confidentiality of personal information;
(b) Protecting against any anticipated threats or hazards to the security or integrity of such information;
(c) Protecting against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
In formulating and implementing the Policy, the College’s objective is to (1) identify reasonably foreseeable internal and external risks to the confidentiality and/or integrity of any electronic, paper, or other records containing personal information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information; (3) evaluate the sufficiency of existing policies, procedures, information systems, internal controls and security practices, in addition to other safeguards in place to control risks; (4) design and implement a plan that puts safeguards in place to minimize those risks, consistent with the requirements of Massachusetts laws; and (5) periodically monitor the effectiveness of those safeguards.
IV. Effective Date
This policy will become effective on February 26, 2010.
V. Contact Information
Questions regarding this policy should be directed to David Hamilton, Chief Information Officer.
VI. Implementation Priority
Amherst College places priority on protecting the combinations of personal information the unauthorized disclosure of which is most likely to cause substantial harm, such as identity theft and major financial fraud. High-risk personal information combinations include the use of names in combination with Social Security Numbers and/or state issued ID numbers.
VII. Policy Components
The Policy defines and implements the following components:
- Information Stewardship Committee
These employees develop resources and provide guidance for compliance with the Policy and the law, with the responsibilities outlined below.
- Information Stewards
An Information Steward exists within each College department which handles personal information. An Information Steward facilitates Policy compliance within his or her department.
Implementing processes for ensuring that College personnel have the appropriate knowledge and skills to handle personal information appropriately.
The process for the dissemination of information—such as new tools, policies, or best practices—to departments in a timely manner.
- Policies and Procedures
The set of documents that state what the College requires and does to ensure the confidentiality of personal information.
- Tools & Resources
The software, hardware, guidelines, and other resources that departments deploy to help ensure the confidentiality of personal information.
The buildings, networks, and appliances that comprise the work environment of the departments at the College and help support secure management of personal information.
- Vendor Management
The process for ensuring that vendors contractually comply with applicable law concerning the secure handling and disposition of personal information and meet the College’s legal requirements.
- Monitor & Audit
The process for checking compliance with the Policy.
- Security Breach Response
The controlled process for investigating a potential security breach, mitigating the impact of a breach, and taking appropriate notification and corrective action.
The process for disposal of personal information stored electronically, on paper, or on other media.
VIII. Roles and Responsibilities
1. Information Stewardship Committee
The Information Stewardship Committee (ISC) shall be responsible for establishing, operating, and monitoring the Policy. The group will be comprised of 5 to 10 employees from across the College. The initial members of the Information Stewardship Committee are identified in an Appendix to this Policy.
The ISC is responsible for managing and coordinating the following:
- Developing and implementing a documented information security Policy.
- Planning a College-wide outreach and awareness Policy. The Policy includes training and other materials to facilitate management’s operation of all departments in a compliant manner.
- Advising departments on security measures, acceptable practices, guiding the internal process of breach notification, and data destruction procedures.
- Developing best practices for requiring third party vendors to comply with applicable laws and regulations concerning the secure handling and destruction of personal information.
- Periodic testing of the Policy’s safeguards.
- In the event of a legally declared data breach, conducting a post-incident review of the events and actions taken in order to determine and implement improvements to the Policy and/or take corrective action.
- Documenting non-compliance exceptions and compensating controls.
- Monitoring applicable laws, regulations, standards, and best practices.
2. Information Stewards
Amherst College shall recognize a representative from each area of operation which handles personal information as a designated Information Steward (IS). An IS is accountable and responsible for distribution, implementation and maintenance of the safeguards outlined in the Policy within the IS’ specific department. Security responsibilities and operational requirements of this individual may be delegated to appropriate managers.
The designated Information Steward shall be responsible for:
- Implementing the Policy within his or her area of operation.
- Ensuring employees and others with access to personal information have been trained on their responsibilities to protect personal information. Training shall consist of materials provided by the ISC in addition to training addenda that may be specific to the department’s operating environment and use of personal information.
- Ensuring that third party vendors comply with applicable laws and regulations concerning the secure handling and destruction of personal information which is maintained by the IS’ department or for which the IS’ department is otherwise responsible.
- Reviewing the department’s implementation of security measures at least annually, or whenever there is a material change in practices that may affect the security or integrity of records containing personal information and informing the ISC of any relevant changes.
- Periodic review of the department’s compliance with Policy requirements.
- In the event of a data breach, participating with the ISC in the post-incident review of the events and actions taken in order to determine and implement improvements and/or corrective action.
- Maintaining a list of authorized users of personal information.
- Advise the ISC of changes and developments to relevant laws, regulations, standards, and best practices specific to his or her department.
IX. Response to Internal & External Risks
To address both internal and external risks to the confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving the effectiveness of the current safeguards for limiting such risks, the College shall implement the following measures:
- The IS shall distribute a description of the Policy to persons with access to personal information within their department and such persons must comply with the Policy’s processes and procedures and those established by the department.
- The IS shall provide ongoing training to all persons who access personal information as part of their job or contracted process.
- New hire training shall include information on applicable laws relating to personal information and the employee’s obligation to comply with them.
2. Compliance & Disciplinary Action
- All employees must operate in compliance with the Policy and applicable laws and regulations.
- The College shall take appropriate disciplinary action against employees and others for violating security provisions of the Policy.
- Users suspected of violating the Policy may be denied access to the data as well as College information technology resources during the investigation of alleged abuse.
3. Limiting Collection of Personal Information
- The amount of personal information collected shall be limited to that amount reasonably necessary to accomplish the College’s legitimate educational or business purposes, or necessary for the College to comply with state or federal laws and regulations.
- The time period personal information is retained shall be limited to the period that is reasonably necessary to accomplish the College’s legitimate educational or business purposes, or necessary for the College to comply with state or federal laws and regulations.
- Access to records containing personal information shall be limited to those persons who reasonably need to access such information in order to accomplish the College’s legitimate educational or business purposes, or as necessary for the College to comply with state or federal laws and regulations.
- The Information Technology Department shall reasonably monitor computer systems that maintain or process personal information for unauthorized use.
5. Security Review
- The IS shall review security measures at least annually, or whenever there is a material change in the College’s practices that may reasonably implicate the confidentiality or integrity of records containing personal information. Information Stewards shall fully apprise the ISC of the results of reviews and recommendations for improved security arising out of those reviews.
6. Separated and Transferred Employees
- Separated employees and employees who transfer to other departments within the College shall return all records containing personal information, in any form, that may at the time of such separation or transfer be in his or her possession.
- A separated or transferred employee’s physical and electronic access to personal information shall be blocked as soon as possible. Moreover, the separated employee’s remote electronic access to all forms of personal information shall be disabled.
7. System and Application Passwords
- Passwords shall be robust and changed periodically in a manner consistent with standards established by the Information Technology Department.
8. Access Control
- Access to personal information shall be restricted to active users and active user accounts only.
- Access to electronically stored personal information shall be limited to those employees having a unique log-in ID; this means users shall not share a common login token or use a generic account.
- The secure access control measures in place shall include assigning unique identification tokens and passwords, which are not vendor-supplied default passwords, to each person with authorized access to personal information.
9. Secure Authentication
- There shall be secure user authentication protocols in place, including:
- Documented protocols for control of user IDs and other tokens or identifiers;
- A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- Restriction of access to active users and active user accounts; and
- Blocking of access to user identification after no more than twenty unsuccessful attempts to gain access within 60 minutes.
10. Physical Security
- Each department shall develop standards which ensure that reasonable restrictions for physical access to records containing personal information are in place and each department must store such records and data in locked facilities, secure storage areas or locked containers.
- Employees shall be prohibited from leaving files containing personal information unattended in an unsecure area.
- At the end of the workday, all files and other records containing personal information shall be secured in a manner that is consistent with the Policy’s rules for protecting the security of personal information.
11. Secure Data Destruction (Physical & Electronic)
- All personal information stored electronically, on paper, or on other media that requires destruction at the end of its life cycle shall be destroyed in a manner such that the information cannot practically be read or reconstructed, as required by M.G.L. 93-I.
- Paper records containing personal information must be destroyed by shredding so that personal information cannot practically be read or reconstructed or disposal in one of the secure bins maintained by the College. Contact the Facilities Department’s Service Center (ext. 2254) for the location of the nearest secure bin or to request a secure bin.
- Electronic records typically can be destroyed by overwriting the media on which the record is stored. Contact the Information Technology Department for additional information on secure disposal methods for electronic data or for help in disposing of such data.
12. Firewall & Security Software
- There shall be reasonably up-to-date firewall or similar protection and operating system security patches, designed to reasonably maintain the integrity of the personal information, installed on all systems processing personal information.
- There shall be reasonably up-to-date versions of system security agent software, which must include malware (e.g. virus) protection and reasonably up-to-date patches and virus definitions, installed, when feasible, on all systems processing personal information.
13. Laptop & Mobile Device Encryption
- No personal information shall be stored on laptops or other portable devices.
- The transmission of all records and files across public networks or wirelessly shall be encrypted to the extent technically feasible.*
14. Suspicious Activities & Breach Reporting
- Employees and others (e.g. vendors) shall report any suspicious or unauthorized use of personal information directly to the designated Information Steward within their department.
- Information Stewards shall report suspicious activities directly to the College’s Chief Information Officer.
- Whenever there is an incident that requires notification under M.G.L. c. 93H, §3, per the decision of the College’s Legal and Administrative Counsel, all responsive actions shall be documented. The ISC and affected IS shall perform a mandatory post-incident review of events and actions taken to determine whether any changes in the College’s security practices are required to improve the security of personal information.
- Massachusetts 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth
Appendix: Initial Members of the Information Stewardship Committee
- John Carter, Chief of Campus Police
- Kathleen Goff, Registrar
- Patricia Long, Associate Director of Human Resources
- Paul Murphy, Legal and Administrative Counsel
- Stephen Nigro, Comptroller
- Peter Schilling, Director of Information Technology
*Encryption here means the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by applicable laws or regulations.