Purpose
The purpose of the College Incident Response Policy is to establish the responsibilities for reporting, investigating, and responding to Security Incidents.
Definitions
Confidential Information:
This information consists of College Information which falls into one of the following categories:
- Massachusetts Personal Information
- Financial Customer Information
- Records and information the College, or any of its employees or units, is required by law to keep confidential, including but not limited to the following:
- Personally identifiable information about students of the College, other than “directory information,” contained in “Education Records,” i.e. records “directly related to a student”, to the extent protected by the federal law known as the Family Educational Rights and Privacy Act or “FERPA”
- Information considered privileged under Massachusetts law, including but not limited to information consisting of or relating to communications between an individual and an employee of the College acting in their professional capacity as a licensed psychotherapist, psychologist, mental health counselor, or sexual assault counselor.
- Information the College is required by contract, or by College policy, to keep confidential
- Other highly sensitive personal information about an individual, the disclosure of which could foreseeably result in identity theft, financial fraud, damage to reputation, or acute embarrassment, or other significant harm to the individual. Examples of such information include: information about a person’s medical condition or physical or mental health; or personnel or employee payroll records.
Information Security Incident:
Any event that is known or suspected to cause Confidential Information to be accessed or used by an unauthorized person, and shall include any incident in which the College is required to make a notification under applicable law.
College Information:
Any information in any form whether electronic, hardcopy, audial, or otherwise which is created, collected, stored, accessed or used in connection with the operation and/or management of the College, or which is created, collected, stored, accessed or used by a party authorized by the College.
College Information Resource:
Any tool, device, equipment, or system used to create, collect, record, process, store, retrieve, display, and transmit College Information, including but not limited to email, servers, computers, laptops, personal digital assistants (PDA), telecommunication resources, fax machines, printers, file cabinets, software, and embedded technology.
Policy
All College Users are responsible for promptly reporting known or suspected Information Security Incidents (such as theft, loss of equipment or documents, or unauthorized access to or acquisition of Confidential Information) to the Director of Information Technology.
By way of illustration only, Information Security Incidents may include:
1. The theft or physical loss of computer equipment containing, or suspected to contain, Confidential Information
2. An unencrypted list of student names and social security numbers emailed to an unauthorized recipient
3. A firewall accessed by an unauthorized entity
4. Printed copies of student loan applications discovered in a publicly accessible dumpster
The College has established procedures to coordinate response to and resolution of Information Security Incidents (see Procedure section below). The Director of Information Technology will manage the incident response procedure and document all responsive actions taken in connection with any Information Security Incident. The Director will also work with College Leadership to conduct a mandatory post-incident review of the events and of any actions taken, so that the College can undertake any change in business practices relating to the protection of Confidential Information.
Whenever necessary (e.g. in the event of a “Security Breach” as defined by M.G.L. c. 93H, § 1), external notification (e.g. notification to affected individuals, government agencies, and/or the media) shall be made as required by law, and appropriate remedial or preventative action shall be taken to protect individuals potentially affected by the Information Security Incident.
Applicability
The Incident Response Policy applies to all College students, faculty and staff members, whether full-time or part-time, paid or unpaid, temporary or permanent, as well as all agents and representatives of the College, including any third-party service provider providing services to the College who create, use or otherwise access or interact with any College Information or College Information Resource (“College Users”).
Procedure
In the event of an actual or suspected Information Security Incident, procedures for responding will include the following steps:
Discovery & Internal Reporting
Any College User who identifies an actual or potential Information Security Incident should report it promptly to the Chief Information Security Officer (CISO) and secure the Confidential Information if he or she still has access to it.
Assessment
The CISO will determine the likelihood that an actual Information Security Incident has occurred. If an Information Security Incident has occurred, the CISO will notify College Leadership.
Containment
College Information Technology department staff and, if necessary, external vendor resources, will work with the applicable department to contain the Information Security Incident as soon as possible.
Investigation
Under direction from College Leadership, College staff will work with the applicable department to investigate the Information Security Incident and document all findings.
Resolution and Review
College Leadership shall conduct a post-Information Security Incident review of events and determine if changes should be made to mitigate risks and help prevent similar incidents.
External Notification & Remedial and Preventative Actions
Whenever necessary (e.g. in the event of a “Security Breach” as defined by M.G.L. c. 93H, § 1), external notification (e.g. notification to affected individuals, government agencies, and/or the media) shall be made as required by law, and appropriate remedial or preventative action shall be taken to protect individuals potentially affected by the Security Incident.
Documentation
The Director of Information Technology will document all Security Incidents, as well as all subsequent actions taken to assess, notify, contain, investigate and resolve the Security Incident (as applicable).
Documentation will include:
1. How the incident was detected
2. Relevant dates (including the suspected date of compromise, the date the compromise was detected, the date the incident was contained, and the date the incident was resolved)
3. Names of any party responsible for compromising the College Information Resource, if known
4. Investigation and scope (including the cause of the compromise, the impact and severity of the Security Incident, and the nature of the resolution)
5. Proposed improvements to ensure future Information Security Incidents may be avoided or minimized
Violation of Policy
The College reserves the right to monitor network traffic, perform random audits, and to take other steps to ensure the integrity of its information and compliance with this Policy. Violations of this Policy may lead to appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks. Willful or repeated violations of this Policy may result in dismissal from the College.