INFORMATION SECURITY PROGRAM PURPOSE & OBJECTIVES
Labouré College is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the College. Labouré's Written Information Security Program ("WISP" or "Program") aims to protect all information assets through their entire lifecycle: creation, collection, processing, dissemination, use, storage, and secure disposal when no longer required.
The Labouré College WISP is a set of comprehensive guidelines and policies designed to safeguard the confidentiality, integrity, and availability of all sensitive and restricted data collected and maintained by and at the College. Equally important, it is regularly reviewed and updated to comply with applicable laws and regulations on the protection of Personal Information (PI), as that term is defined below, found in records and systems owned by the College.
Data - For the purposes of this Program, “data” refers to all information stored, accessed, or collected at the College about members of the College community.
Personal Information - Personal Information (PI), as defined by Massachusetts law (201 CMR 17.00), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:
• Social Security number;
• Driver’s license number or state-issued identification card number; or
• Financial account number (e.g., bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password.
• For this Program, PI also includes passport number, alien registration number, or other government-issued identification numbers.
OVERVIEW AND PURPOSE
The WISP is implemented to comply with federal regulations as well as those issued by the Commonwealth of Massachusetts including but not limited to:
• Standards for The Protection of Personal Information of Residents of The Commonwealth [201 Code Mass. Regs. 17.00].
• Massachusetts security breach law and regulations to safeguard personal information [M.G.L. c. 93H et seq. and 940 CMR 27.00]
• Federal Trade Commission, Privacy of Consumer Financial Information & Standards for Safeguarding Customer Information [16 CFR Parts 313 & 314]
• Financial customer information security provisions of the federal Gramm-Leach-Bliley Act (GLBA) [15 USC 6801(b) and 6805(b)(2)]
• Health Insurance Portability and Accountability Act (HIPAA) [Pub. Law 104-191 and related regulations]
• Family Educational Rights and Privacy Act (FERPA) [20 USC 1232g and related regulations]
• Fair Credit Reporting Act (FCRA) [15 USC 1681 and related regulations]
• Payment Card Industry Data Security Standard (PCI DSS), issued by the PCI Security Standards Council
• General Data Protection Regulation (GDPR)
Labouré College is required to take measures to safeguard personally identifiable information and to provide notice about security breaches of protected information at the College to affected individuals and appropriate state agencies.
In support of this commitment, Labouré College has implemented several policies to protect such information. This Program is designed in conjunction with the policies cross-referenced at the end of this document.
Labouré ensures the security and privacy of all personal information by following the program’s objectives outlined below:
• Establish a comprehensive information security program for Labouré College with policies designed to safeguard sensitive data that is maintained by the College, in compliance with federal and state laws and regulations;
• Establish employee responsibilities in safeguarding data according to its classification level; and
• Establish administrative, technical, and physical safeguards to ensure the security of sensitive data.
The Program applies to all Labouré College employees, whether full- or part-time, including faculty, administrative staff, contract, and temporary workers, interns, and student employees, as well as to all other members of the Labouré College community (hereafter referred to as the "Community"). The Program is also applied to certain contracted third-party vendors and hired consultants. The data covered by this Program includes any information stored, accessed, or collected at the College or for College operations.
GENERAL PROGRAM CONTROLS
Labouré employs multiple controls in the protection of information and information system assets. The controls are based on NIST Special Publication 800-53, which in turn maps to the ISO/IEC 27001 control set. The controls represent a mix of protections, of different types and at different levels, applied using the principle of defense in depth. The fundamental focus is preventing improper disclosure, alteration, and destruction of information assets, and ensuring that transactions are genuine and cannot be repudiated. Labouré classifies all information assets as specified in the Labouré Information Classification Standard. The standard defines each type of information, the impact of its disclosure, and how it should be labeled and handled. Labouré information assets are classified as follows:
Confidential - Confidential data refers to any data where unauthorized access, use, alteration, or disclosure of this data could present a significant level of risk to Labouré College or the Community. All PI, as defined above, is designated as Confidential. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration, or disclosure.
Restricted - Restricted data refers to all other personal and institutional data where the loss of such data could harm an individual's right to privacy or negatively impact the finances, operations, or reputation of Labouré College. Any non-public data not explicitly designated as Confidential should be treated as Restricted Data. Restricted data includes data protected by the Family Educational Rights and Privacy Act (FERPA), referred to as student education records. This data also includes, but is not limited to, donor information, research data on human subjects, intellectual property, College financial and investment records, employee salary information, or information related to legal or disciplinary matters.
Restricted data should be limited to access by individuals who are employed by or matriculate at Labouré College and who have legitimate reasons for accessing such data, as governed by FERPA, or other applicable law or College policy. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.
Public (or Unrestricted) - Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to Labouré College or members of the Labouré College community. Any data that is not classified as Confidential or Restricted should be considered Public data.
Labouré's executive management actively and visibly supports an information security culture. Labouré's Information Security Team is responsible for the oversight of institution-wide information risks, which includes all information security and privacy related affairs. All controls are governed by policies approved by Labouré's executive management team. Standards and procedures set the conventions and steps for implementing those controls. The status of the Information Security Program is reported regularly to Labouré's Board and executive management. Specific security roles and responsibilities have been established to oversee and manage information security and privacy risks.
ROLES & RESPONSIBILITIES
Labouré Board of Trustees
• Oversee Information Security and Privacy Program activities
• Monitor execution of the program’s strategic objectives
Labouré Executive Management
• Provide Executive Sponsorship/Tone at the top for Information Security and Privacy program and activities
• Accountable to Board of Trustees for Labouré’s security profile
• Inform program of current and future strategy and vision
• Ensure alignment of Labouré strategy and Information Security & Privacy goals
• Stay informed of, and provide direction in response to, Labouré's most significant risks
• Provide management oversight of all aspects of the Information Security & Privacy program
• Provide authorization to operate information systems at an acceptable level of risk
• Approve investments and resource allocation to Information Security & Privacy program
Information Security Advisory Board (Subset of Executive Management)
• Guide Information Security in maintaining alignment between business goals and the Information Security Program principles and objectives
• Guide Information Security related to capital investments
• Guide Information Security related to long term strategic initiatives, execution tactics, and operational impacts
Director of Information Technology
• Implement and direct a defined Information Security & Privacy program
• Provide ongoing guidance and support for the refinement of the overall program ensuring best practices are incorporated
• Define the Information Security Strategy
• Communicate status of Information Security program to the Board of Trustees and Executive Management
• Synthesize and communicate the latest security & privacy related trends and issues for corporate relevance
• Present relevant Security & Privacy information and trends during Cabinet meetings
• Communicate with auditors and regulators on Information Security management topics as appropriate
• Assist Executive Management with security requirements
• Implement, manage and continuously assess the Information Security and Privacy Program
• Establish, manage and maintain Labouré’s Security profile
• Ensure the maintenance of appropriate operational security posture for information systems
• Manage Security Incident Response processes
• Manage the annual Security and Privacy training of all Labouré employees
• Manage Security Controls Monitoring
• Perform periodic Security and Privacy Awareness Communications
• Ensure the development and maintenance of the security plan
• Ensure systems are deployed and operated following the agreed-upon security controls
• Provide oversight of System Access Management processes
• Evaluate the ability of service providers to comply with 201 CMR 17.00 when handling personal information for which the College is responsible; ensure that contracts with those service providers include provisions obligating them to comply with 201 CMR 17.00 in providing the contracted services; and obtain from such service providers written certification that they have a written, comprehensive information security program that complies with the provisions of 201 CMR 17.00
• Review the scope of the security measures in the Program at least annually, or whenever there is a material change in College business practices that may affect the security or integrity of records containing personal information
• Implement the business rules established by the Data Security Coordinator
• Oversee the procurement, development, integration, modification, operation, maintenance, and disposal of all information systems and data
• Operate and maintain centralized reporting of appropriate information security-related activities for formal incident management
• Manage Business Continuity Management processes and Disaster Recovery processes
Data Security Coordinator
• Responsible for the data content and development of associated business rules, including authorizing access to the data
• The Data Security Coordinators for each constituency group are designated as follows:
• Handle information and information assets in compliance with this Program and as defined in Labouré’s policies/standards/procedures
• Consult information Security and Privacy on solution(s) implementations
• Escalate suspected incidents to the Helpdesk or Information Security
• Participate in Security and Privacy Awareness Training
A multi-layer security architecture supports Labouré's business infrastructure. The security architecture enables technical decisions in support of Labouré's business goals and the management of its information assets. The security architecture enables the effective deployment of security resources that include policy, standards, and risk-based decisions.
Labouré employs active network perimeter and monitoring controls. Encryption is enforced at rest (in all application databases, on portable media, backup media, desktops, and laptops) and in transit for data transmissions. The College also enforces endpoint protection.
Addresses: 201 CMR 17.03(2)(b)
Labouré College recognizes it has both internal and external risks to the privacy and integrity of College information. These risks include, but are not limited to:
• Unauthorized access of Confidential/Restricted data by someone other than the owner of such data
• Compromised system security as a result of system access by an unauthorized person
• Interception of data during transmission
• Loss of data integrity
• Physical loss of data in a disaster
• Errors introduced into the system
• Corruption of data or systems
• Unauthorized access of Confidential/Restricted data by employees
• Unauthorized requests for Confidential/Restricted data
• Unauthorized access through hard copy files or reports
• Unauthorized transfer of Confidential/Restricted data through third parties
This may not be a complete list of the risks associated with the protection of Confidential and Restricted data. Because technology does not stand still, new risks emerge regularly. Accordingly, Labouré's Director of Information Technology will actively participate in and monitor advisory groups such as the EDUCAUSE Security Institute and the SANS Internet Storm Center to identify new risks.
VENDOR MANAGEMENT AND CONTROL
Addresses: 201 CMR 17.03(2)(f)(1, 2)
Labouré College exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PI provided by the College to them. The College Comptroller is responsible for identifying those third parties providing services to the College that have access to PI. All relevant contracts with these third parties are reviewed and approved to ensure the contracts contain the necessary language regarding safeguarding PI. It is the responsibility of the Data Security Coordinators to confirm that the third parties are required to maintain appropriate security measures to protect PI consistent with this Program and all federal and state laws and regulations.
PERSONNEL AND TRAINING
Addresses: 201 CMR 17.03(2)(b)(1, 2), 201 CMR 17.04(8)
Labouré promotes security awareness through email messages, formal instruction, and newsletters. All employees are required to complete ongoing information security training. Training consists of a core security curriculum plus additional materials based on the employee's role.
Training is provided monthly via an online training platform, with each module covering a different topic related to information security. Employees must also read and re-sign Labouré's Information Systems Acceptable Use Policy (IT 1.11) annually. The training goals are to ensure that Employees:
• Understand and utilize techniques to minimize security threats
• Know how to respond to security incidents diligently
• Are aware of the policies, standards, and procedures that protect Labouré information assets
Labouré reviews and updates all training content annually to ensure that it reflects changes to Labouré's regulatory and legal environment and policies.
TECHNICAL AND OPERATIONAL CONTROLS
INFORMATION PROTECTION, CLASSIFICATION, HANDLING, AND MARKING
Addresses: 201 CMR 17.03(2)(c), 201 CMR 17.03(2)(g), 201 CMR 17.04(2)(a), 201 CMR 17.04(3), 201 CMR 17.04(5)
Access & Storage of Confidential Data
• Only employees and authorized third parties that require access to Confidential data in the regular course of their duties are granted access to this data, including both physical and electronic records.
• To the extent possible, all electronic records containing Confidential data should only be stored within approved, secured information systems such as those provided by Jenzabar or ADP.
• Confidential data must not be stored on cloud-based storage solutions that are unsupported by the College (including DropBox, Microsoft OneDrive, Apple iCloud, among others).
• Paper records containing Confidential data must be kept in locked files or other secured areas when not in use. While storage in a locked office is minimally acceptable, employees should work with their supervisors to find solutions that offer greater long-term security, since many individuals have access to offices that are not their own.
• Upon termination of employment or relationship with Labouré College, electronic and physical access to documents, systems, and other network resources containing Confidential and Restricted data is immediately terminated.
Transporting Confidential Data
• Members of the Community are strongly discouraged from storing Confidential data on laptops or other mobile devices (e.g., flash drives, smartphones, external hard drives). However, if it is necessary to transport Confidential Data electronically, Labouré will provide an encrypted and authorized asset owned by the college for transporting data. Personal devices are not permitted to store or transport Confidential Data.
• Under no circumstances are documents, electronic devices, or digital media containing Confidential data to be left unattended in an unsecured location.
• When there is a legitimate need to provide records containing Confidential data to a third party outside Labouré College, electronic records shall be password-protected or encrypted, and paper records shall be marked confidential and securely sealed.
Destruction of Confidential Data
• Records containing confidential data must be destroyed once they are no longer needed for business purposes unless state or federal regulations require maintaining these records for a prescribed time.
• Paper and electronic records containing Confidential data must be destroyed in a manner that prevents the recovery of the data. Certified destruction is used for all media that require disposal. Massachusetts General Law 93I specifies how records containing PI must be destroyed.
Access and Storage of Restricted Data
• Access to Restricted Data is limited to members of the community who have a legitimate business need for the data.
• Restricted Data can be stored on the College’s eLearning learning management system since this is a primary point of academic interaction between students and instructors.
• Documents containing Restricted Data should not be posted publicly.
College Email Policy
• Labouré College has adopted an Email Policy (IT 1.3) regarding the appropriate use of email, including the limits of sending Confidential or Restricted data through unencrypted email communication. It should be understood as a complementary policy to the guidelines contained in this Program.
Addresses: 201 CMR 17.03(2)(3), 201 CMR 17.03(2)(f)(1,2)
Labouré manages access control, identification, and authorization through established policies and procedures that grant access using the principle of least privilege as the guiding tenet, require strong passwords, and require approval of access by the information owners. Login banners further reinforce the permitted use of information systems and the information they hold. Access to Labouré assets is audited at the user and application level at defined frequencies determined by criticality. See User Account Review Policy – IT 1.7.
Upon termination, the employee is required to surrender all College assets, keys, IDs, access codes, badges, business cards, and the like that permit access to the College's premises or information. The terminated employee's remote electronic access to personal information will be disabled, and his or her voicemail access, e-mail access, internet access, and passwords will be disabled or invalidated. If necessary, a departing employee's access to College e-mail and to academic systems such as the College's eLearning Learning Management System may be extended for up to 30 days to facilitate the orderly conclusion of instructional responsibilities.
Labouré College has adopted a Remote Access Policy (IT 1.4), guiding remote access to the College networks and data. It should be understood as a complementary policy to the guidelines contained in this Program.
Labouré College provides wireless access so that students, staff, and faculty can reach information assets while on campus. Access to both wireless networks, Laboure_Students and Laboure_Staff, requires assigned Active Directory credentials (username and password). For faculty, access from non-College assets is permitted only through remote access; see Remote Access Policy – IT 1.4. Only Labouré College assets are permitted to connect to the College network directly.
USER AUTHENTICATION AND PASSWORD CONTROL
Addresses: 201 CMR 17.04(1)(a) through (e), 201 CMR 17.04(2)(b)
Labouré College has adopted a User Authentication and Password Control Policy (IT 1.5), which establishes policies and procedures covering user authentication, password control, and network access. It should be understood as a complementary policy to the guidelines contained in this Program.
CHANGE CONTROL AND CONFIGURATION MANAGEMENT
Labouré College has adopted a Change Control Policy (IT 1.9) regarding the change controls and documentation associated with changes to IT services. It should be understood as a complementary policy to the guidelines contained in this Program.
Addresses: 201 CMR 17.03(2)(g)
Labouré's work areas are secured to protect its information assets and ensure privacy. Documents and media are stored in a prescribed manner based on the policies and procedures governing information protection. The College strictly enforces a clean-desk policy. The College will ensure that all data centers and network distribution facilities are equipped with automatic door closers and locking hardware. Keys that provide access to these facilities are restricted to Information Technology Department (IT) staff members, along with individuals whose College roles require access to all College facilities, including administrators, maintenance staff, and security officers. The College Security Office maintains a record of all individuals holding keys to data centers and network distribution facilities. Employees, guests, and vendors who are not authorized for unescorted access will be accompanied by a member of the IT Department staff while in these facilities.
Labouré's work environment is equipped with industry-standard environmental controls: temperature and humidity controls, smoke detectors, and fire suppression systems. Labouré reviews the appropriateness of the physical and environmental controls annually. Screen and laptop locks are required and in use. The College shall ensure all computer hardware is secured, either in locked rooms or with other security systems, to prevent loss from theft, and shall maintain a hardware inventory for identification and retrieval purposes. Filing cabinets and drawers are locked when not in use. Security guards control building entry. Cameras are in operation and monitored.
SYSTEMS AND COMMUNICATION PROTECTION
Addresses: 201 CMR 17.04(6), 201 CMR 17.04(7)
Labouré has implemented essential controls to assure secure information transmission, applying the security principle of defense in depth. Labouré's system and communications protection strategy focuses on perimeter and boundary protections; network, gateway, and application-level malware and virus protection; public access protection; and the encryption of information. These protections are governed by strict rules-based standards and administrative processes. Audit trails are reviewed proactively and regularly to alert on anomalies.
To combat external risks to the security, confidentiality, and integrity of any electronic records containing PI, the College has implemented, and will maintain, the following technical systems and processes:
• Redundant network firewall systems that are regularly updated with malware protection and operating system security patches.
• Antivirus and anti-malware software installed on all College servers and workstations. These systems refresh their signature databases daily.
• Encryption software for College desktops, laptops, and other portable devices, to prevent any loss of Confidential or Restricted data that might be inappropriately stored locally on these devices. Encryption here means the transformation of data using an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.
• Virtual Private Networks (VPNs) established between the College and the vendors providing critical hosting services for the College's Student Information Management System. These VPNs are encrypted to prevent external interception of Confidential or Restricted data.
• Operating system patches and security updates installed on all servers on a regular schedule.
INCIDENT REPORTING AND RESPONSE PLANNING
Addresses: 201 CMR 17.03(2)(j)
Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the ISM, who will coordinate the College's response. Labouré ensures that all employees, contractors, and temporary workers are trained to report suspected incidents promptly.
Labouré College has adopted an Information Security Incident Response Policy (IT 1.6) regarding the response and reporting to any Information Security Incident. It should be understood as a complementary policy to the guidelines contained in this Program.
REGULAR MONITORING AND DETECTION OF SECURITY FAILURES
Addresses: 201 CMR 17.03(2)(b)(3), 201 CMR 17.04(4)
The College's Information Technology staff will oversee regular internal network security audits performed on all server and computer system logs to discover, to the extent reasonably feasible, possible electronic security breaches, and to monitor the system for possible unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of College data. Additionally, centralized logging systems are configured to look for anomalous behavior or unauthorized access to Confidential or Restricted data and provide alerts and regular reports to the ISM.
Labouré actively maintains a Business Continuity & Disaster Recovery Plan (IT 1.10) and an incident management process. The plans prioritize critical business applications and the infrastructure required to recover the business environment in the event of a disaster. The prioritization is determined using a Business Impact Assessment (BIA), which identifies the overall recovery objectives: recovery time objective (RTO), recovery point objective (RPO), and maximum tolerable outage (MTO). Tabletop exercises are conducted once a year. Lessons Learned sessions are conducted after every activity, and corrective action is taken to close any gaps uncovered. Labouré maintains both co-location and recovery sites to ensure availability. Labouré College has also adopted a Network Backup Policy (IT 1.8) regarding planning for information backups and network disaster recovery. It should be understood as a complementary policy to the guidelines contained in this Program.
Addresses: 201 CMR 17.03(2)(d)
Any employee or student who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises Confidential or Restricted data without authorization will be subject to disciplinary action, which may include termination in the case of employees and expulsion in the case of students.
The following Labouré College policies provide advice and guidance that relates to this Program:
• Email Policy – IT 1.3
• Remote Access Policy – IT 1.4
• User Authentication and Password Control Policy – IT 1.5
• Information Security Incident Response Policy – IT 1.6
• User Account Review Policy – IT 1.7
• Network Backup Policy – IT 1.8
• Change Control Policy – IT 1.9
• Business Continuity & Disaster Recovery Plan – IT 1.10
• Information Systems Acceptable Use Policy – IT 1.11