v.1.2, May 2010
1. Statement of Purpose
This is an umbrella document intended to bring together a panoply of information and data security processes and policies in an effort to enhance the overall security of the information that touches all aspects of the college’s workings, and ensure compliance with all applicable laws and regulations.
Security is an ongoing process, and accordingly, this document is a living document. It is not, in itself, a policy or procedure; it is intended rather to allow for policies, procedures, and best practices to be effectively defined, utilized, and updated toward the general purpose of enhancing the overall information security of the institution.
This document addresses all data regardless of form or media.
2. Information Security Overview
Information technology (IT) security goals are often distilled into the three core concepts of confidentiality, integrity, and availability. Very simply, confidentiality refers to ensuring that only authorized users are allowed access to data or services. Integrity refers to the trust that the information and services provided and received are accurate, valid, and come from a known or authorized source. Availability seeks to ensure that IT information and services remain available and useful for all who need them.
In practice, IT security is about processes designed to balance risk mitigation with pragmatic utility, and the vigilance to dynamically alter processes and practices as those risks and utilization needs change. Smith College has incorporated many components and processes designed to work toward these goals and provide our community with both security and usability.
3.1. Data Classification
"Classified" data refers to data that has been identified as either "Confidential" or "Sensitive". Institutional data shall be identified as to its classification regardless of its medium or form.
Classified data shall be secured and protected commensurate with its classification and value. It shall be safeguarded by appropriate security systems and procedures and it shall be disseminated by officially designated offices only.
3.1.1. Confidential Information
Confidential information is data whose loss, corruption or unauthorized disclosure would be a violation of federal or state laws and regulations or institutional contracts (i.e., protected data); Personal Information data; data that involves issues of personal privacy; or data whose loss, corruption or unauthorized disclosure may impair the academic, research or business functions of the college, or result in any business, financial, or legal loss.
Examples: Any data explicitly identified as protected under law; data protected by contract or grant authority, such as grant funded research data; copyrighted information; medical information; personnel information; donor information; account and financial information of the college.
3.1.2. Personal Information
Personal Information (PI) is a specific subset of confidential information; PI is defined by MA General Law 93H as a person’s first name and last name or first initial and last name in combination with any one of the following: Social Security number, or driver’s license number, or state-issued identification card number, or financial account number, or credit card number, or debit card number.
Personal Information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
3.1.3. Sensitive Information
Sensitive information is data whose unauthorized disclosure is not a violation of law and does not impair business or result in a financial loss, but may be damaging to our students, employees, or alumnae or to the college’s reputation, and thus requires a higher degree of security than other information.
Examples: a list of donors’ names and contributions, a list of employees’ names and salaries, detailed building plans for buildings that contain secure locations, data network maps, or Board of Trustees notebooks.
3.2. Data Breach or Data Security Incident
3.2.1. Data Security Incident
Generally, a Data Security Incident is any unexpected or unauthorized change, disclosure of or interruption to Smith College’s information resources that could be damaging to our students, staff, faculty, alumnae, donors, parents, prospective students and/or reputation.
3.2.2. Data Breach
A Data Breach as defined by MA 201 CMR 17.00: the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
3.3. Records Handlers
In order to properly recognize and codify information and records handling and management, it is important to define roles for those who are required to work with classified data as part of their responsibilities. In its simplest form, there are two classifications:
3.3.1. Data Custodians
The individual(s) responsible for making decisions about the sensitivity and criticality of specific college systems and data stored in these systems; determining the classification of data under their control; documenting the use of the specific system(s) and data; and determining which college staff have authorized access to that system and its data.
3.3.2. Authorized Users
All students, employees (including student, non-student, faculty, professional, classified, temporary, part-time, and full-time), volunteers, and contracted consultants of Smith College who are required to have access to data to perform their job function, academic assignment, or contractual obligations.
4. Legal Compliance
Smith College must comply with applicable federal and state policies, regulations and legal procedures and seeks to comply in principle with such policies even when they may not formally apply. Relevant regulatory law and policy and the college’s efforts to comply as appropriate include:
The Federal Family Educational Rights and Privacy Act (FERPA) seeks to assure each student that her/his personal records and information will be made available only to those authorized by the student. Although the act does not specify IT security or compliance guidelines, diligent security practices have been implemented at Smith that work to ensure data access authorization and privacy restrictions. These measures put Smith in compliance with FERPA regulations.
Under the aegis of the Federal Trade Commission (FTC), the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect the privacy and security of customer personal information. Higher education institutions, as loan-granting institutions, must comply with the FTC regulations. Compliance with FERPA satisfies compliance with the privacy component of the GLBA. Institutions must also comply with the FTC Safeguards provisions of the act, which require the institution to develop, implement, and maintain a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards. For compliance, Smith has developed and completed a written comprehensive plan under the coordination of the Dean of Enrollment.
This document is not currently published on the Web.
The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to take reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of individual health information and to protect against any reasonably anticipated threats, unauthorized use or disclosure of that information. Although the college’s health services department is not technically required to comply with this regulation, the college has taken steps to safeguard the integrity of personal health information and to protect it against unauthorized access, in compliance with the spirit of the HIPAA regulations.
The Digital Millennium Copyright Act (DMCA) and its sister act, the Technology, Education and Copyright Harmonization Act (TEACH), seek to address circumvention of copyright protections, address issues of fair use in a digital environment, and provide methods for correction and redress. Smith has developed an extensive Web site explaining copyright laws and policies in order to promote appropriate use of intellectual property. Copyright violations typically involve either peer-to-peer file sharing or placing protected content on open Web sites. Possible violations are reported to the Vice President for Information Technology, the college’s DMCA agent, who reviews the report and takes appropriate corrective action.
See http://www.smith.edu/global_copyright.php for additional information.
The Communications Assistance for Law Enforcement Act (CALEA) requires covered entities to assist law enforcement agents with lawful monitoring of electronic communications (electronic wiretapping). Two factors effectively determine compliance obligation: if an institution manages a private network and does not manage its gateway to the Internet, it is exempt from compliance obligations. After research and discussions with both peer institutions and legal counsel, Smith feels that it qualifies as an exempt institution.
In the absence of directly applicable law, the Payment Card Industry Data Security Standards (PCI DSS) were developed to create a collective contractual compliance security standard for use of payment cards to conduct business transactions. Currently, Smith policy prohibits the local online processing of credit card information for payments. Smith outsources online use of payment cards for business transactions, and compliance with the PCI standards falls to that contracted entity.
The Federal Rules of Civil Procedure were amended effective December 2006. The changes, known as eDiscovery, govern the preservation of electronically stored information in the event of a lawsuit. As with notification laws, there are no standing provisions requiring compliance. However, ITS staff, working with Smith’s General Counsel, have developed internal procedures to appropriately respond to eDiscovery or litigation hold requests when they are made.
4.8. MGL 93H and MA 201 CMR 17
Massachusetts General Law 93H and the associated MA 201 CMR 17 regulations, developed by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), have been implemented to protect residents of the Commonwealth from fraudulent activity due to identity theft. These regulations provide definitions for protected data types, data breach incidents, and notification procedure requirements. They also require implementation of a variety of information security policies and requirements that vary with the type of business and resources of the individual institution, with the intent of requiring businesses to develop and maintain relevant information security best practices. Smith College has several security, policy and compliance initiatives in process that endeavor to comply with these regulations both in spirit and by the letter. This document is the college’s Comprehensive Information Security Program.
The effective start date for MA 201 CMR 17: 1-March-2010.
4.9. Red Flags Rule
The FTC, working to protect consumers from fraudulent and unfair business practices, has issued the Identity Theft “Red Flags Rule” to help spot and prevent identity theft. Most higher education institutions engage in financial activities that compel them to be in compliance with this regulation. Covered institutions must develop a written program, periodically updated, that identifies and detects relevant warning signs (“red flags”) of possible identity theft, and provides alerting and responses that will prevent or mitigate the risk of identity theft related activity. The regulations do not provide a specific checklist for compliance, but do provide a list of likely red flags, detection options, possible prevention and mitigation responses, and recommendations for administering and updating the written program. Employee education is a necessary component for effective implementation of the red flags program. The Student Financial Services department has developed a “Policy on Identity Theft” pursuant to the specific requirements of the Red Flags Rule.
The effective start date for Red Flags Rule: 1-June-2010.
The Higher Education Opportunity Act (HEOA) includes specific requirements concerning copyright protection, and more specifically peer-to-peer electronic file sharing of protected material. The regulation has three general components: 1) an annual disclosure to students regarding copyright and penalties for violations, 2) a written plan to combat distribution of copyrighted material using “technology-based deterrents,” and 3) providing students with legal alternatives to acquiring copyrighted material. Smith currently provides students with an annual notice regarding copyright policy and enforcement, and with legal options for on-line downloading of protected material. Smith also employs technology-based deterrents to attempt to identify, control and reduce the amount of unauthorized transfer of protected material.
The effective start date for the HEOA: 1-July-2010.
4.11. Other Regulations
Compliance needs for other regulations should also be considered. This would include federal grant agency regulations, such as those required by NSF or NIH grants; any relevant foreign laws and regulations, as they apply to our community members; and breach notification or PI data regulations of other states.
5. Smith College Policies and Procedures
The Smith College community maintains general community policies and procedures as well as department specific internal policies and procedures that are designed to enhance IT security. General policy goals are vetted through the IT oversight committee, the Information Technology Coordinating Committee, and are posted on the Smith Web site.
This section briefly describes many of the policies and procedures relevant to information security and provides a link to the official policy or procedure where possible.
5.1. Official Smith College Policies
5.1.1. Acceptable Use of Computer Resources
Smith College provides computer resources to students, faculty, and staff for academic purposes and for their use on college business. This document describes the college's standards and policies for the acceptable use of these resources, which include individual computer accounts, access to electronic mail (email), and space for Web pages.
5.1.2. Account Password Security Guidelines
The Information Technology Services department uses the user account security parameter settings described in this document as a default minimum guideline for all systems on which they can be implemented.
5.1.3. Account Retention Policy
This document presents the college’s computer account retention and email forwarding policy.
5.1.4. Banner Data Entry Standards Manual
This document describes data contained in Smith College’s Banner system, and includes policies and procedures for data handling and data custodian responsibilities.
5.1.5. Code of Conduct
The Code of Conduct outlines principles, policies and some of the laws that govern the activities of the college and to which our employees (faculty, staff and students) and others who represent the college must adhere.
5.1.6. Copyright Policy
This document describes Smith College's policies on the use of copyrighted works for education and research, lists the people to contact about specific copyright questions, and provides links to many other useful copyright resources on the Web.
5.1.7. Data Security Incident Response Plan
A detailed procedure outlining the processes for handling an information security incident or data breach event, including notification requirements and procedures, if needed.
Plan approved by Senior Staff, not yet published on the Web.
5.1.8. Electronic Commerce Procedures
If a Smith department, office, or group wishes to allow users to purchase a product, service, or event registration on-line, and pay for that item using a credit card, they must follow the process described in this document. This will ensure that the privacy and security of users' financial data is protected, and the security of the Smith network is maintained.
5.1.9. Electronic Mail Policy
This document sets forth Smith College's policy with regard to access to and disclosure of electronic mail messages sent or received by Smith students, faculty, and staff with the use of the college's electronic mail system. It also sets forth policies on the proper use of the electronic mail systems.
5.1.10. Employee Information Security Policy
This policy outlines general procedures and policies for the proper handling of classified data by all members of the Smith College community.
5.1.11. GLBA Compliance Program
The official document written to comply specifically with the Gramm-Leach-Bliley Act requirements summarizes the Smith College information security program. (See GLBA in section 4.2 above.)
Document not yet published on the Web.
5.1.12. Records Management Policy
The records management policy outlines responsibilities related to records management, preservation, retention and disposal. This policy is a comprehensive approach for managing and preserving college records; it applies to all records of the college and its related entities and is managed and implemented by the Smith College Archives.
5.1.13. Remote Access Policy for Administrative Information Systems
Smith College provides selected persons with remote access to Smith's administrative information systems and databases for the purpose of doing work on behalf of the college from off campus. This document explains the remote user's responsibility to ensure the same level of security for college data and intellectual property as he/she would if working on campus.
5.1.14. Staff Handbook
The staff handbook is designed to acquaint staff with the employment policies and benefits for exempt/administrative and non-exempt/administrative support staff of Smith College.
5.1.15. Student Records Access and Privacy
The Office of the Registrar maintains an official statement issued in accordance with the United States Family Educational Rights and Privacy Act of 1974 (FERPA).
5.1.16. Web Server Policy
This policy specifies requirements intended to maintain the credibility, integrity, availability and security of Smith's primary Web server, as well as the vitality of its content, at the highest level reasonably possible.
5.1.17. Wireless Network Policy
Smith College currently provides the convenience of wireless data network access in select locations to the campus community. Wireless networking is provided as an added supplement to the college’s wired LAN network. This document describes the college's policy on the deployment and use of wireless networking.
5.1.18. Written Comprehensive Information Security Program
Initiated in compliance with MA 201 CMR 17, this program documents the Information Security policies, procedures and initiatives across departments and in response to all legal compliance initiatives.
5.2. Departmental Policies and Procedures
Policies and procedures that are internal to a department may have an information security component. These policies should be reviewed and updated on a regular basis, in accordance with the Comprehensive Information Security Program and with general Smith College information security policies.
6. Security Safeguards
Smith College maintains policies, procedures, services and appliances related to information security. These are managed primarily by the Systems and Network Services staff in ITS, and the Computer and Technical Support staff in the Science Center.
Major infrastructure components are the data network, servers, and physical security. The data network has been logically redesigned to use Virtual Local Area Networks (VLANs) for better traffic control, performance, and isolation, particularly with respect to residential network traffic. ITS uses Access Control Lists (ACLs) in its routers and switches to block or contain certain services or types of traffic that are inappropriate or present high risk to our systems and users. At our Internet gateway, we incorporate gateway ACLs in concert with a dynamic traffic shaping appliance and an Intrusion Prevention System to best provide service availability, to monitor and manage inappropriate network use, and to enhance Quality of Service (QoS) for institutionally high-priority services. ITS actively monitors network and gateway services and availability. Core and satellite data closets are physically isolated with keyed lock access wherever possible and with Uninterruptible Power Supply (UPS) units in core locations to provide service continuity over brief electrical interruptions.
ITS maintains a limited-access data center for its core server and network equipment. Servers are equipped with redundant components and UPS-protected power for maximum availability. Servers, services, and environmental conditions are monitored for availability, and automated alerts are sent to appropriate staff whenever monitoring systems detect an event. Users can contact Public Safety 24/7 to report possible service interruptions; Public Safety contacts ITS on-call staff for problem analysis and resolution. Business continuity/disaster recovery plans have been created and tested to ensure continuity of key services in the event of unanticipated prolonged service interruptions.
Several security steps have been taken to protect Smith College servers. Key Banner, Oracle and related administrative services and systems are protected by redundant firewall appliances. Host-based firewalls are implemented on other servers. ITS servers also incorporate host-based intrusion detection and protection services with alerting. Non-essential services on ITS servers are disabled and network connections to select servers are limited to on-campus access only. Vendor security patch releases are actively monitored and installed as soon as feasible. Application-layer secure communications have been implemented and used whenever possible, both for authentication and authorization verification and for data transfer.
Authorization is required to access both the wireless and residential networks. Smith has implemented a site license for client-based anti-virus and malware protection for all community members. ITS is engaged in active user security awareness initiatives and makes access to virus, malware and spyware protection software readily available.
Identity management is a core component of any IT security implementation. Smith uses Novell Directory Services (NDS) and Lightweight Directory Access Protocol (LDAP) services to provide most of its authorization and authentication needs. This includes enhanced account password restrictions, authorization for use of licensed or restricted services and data, and network access controls. ITS maintains strict, auditable user account creation, retention and expiration procedures to ensure that appropriate authorization is maintained. Smith has replaced the use of Social Security numbers with personal identification numbers for identity management. Access to personal identity data is restricted to authorized users only.
Smith College currently provides education on information security for all members of the Smith College community. Educational opportunities are provided as part of regularly scheduled events and procedures, at ad hoc events, and in response to specific needs. They utilize a variety of dissemination methods, including Web and email notices and alerts, seminars, Web-based information and documentation, physical postings, and group meetings. Regularly scheduled training opportunities include training for new staff and faculty at time of hire and targeted email communications to incoming first-year students. News and alerts of specific threats or events may be distributed through a posting on the main Smith Web site, a notice in the College’s eDigest newsletter, a targeted email distribution, or other methods as appropriate. Email communications and alerts are generally short and direct, with links to the Web for more detailed information. The Information Technology department maintains several online resources that provide information security material, including alerts, policies, and best practices. These include the ITS Technology and Resource Advisor site (http://www.smith.edu/its/tara) and the TechNotes blog (http://sophia.smith.edu/blog/technotes).