Protection of Confidential Information on Workstations and Laptops
This policy defines a set of security controls (software and hardware measures) that represent contemporary best practices for securing staff laptops and workstations. These measures also help bring Brandeis University into compliance with Massachusetts law on the protection of personal information (201 CMR 17.00).
This policy applies to all members of the Brandeis community and to all workstations and laptops owned by Brandeis University. It also applies to any personally owned workstation or laptop that stores University information that is Personally Identifiable Information (PII) or that meets the broader definition of confidential information, e.g. salary information.
This policy does not apply to servers, laboratory equipment and appliances, or dedicated research computing equipment, unless required by the IRB. However, when such equipment stores or processes Personally Identifiable Information, the Information Security Office must be consulted so that adequate security protections can be identified and implemented.
This policy is guided by the following principles:
- Adhere to the legal obligations incumbent on Brandeis University
- Tie security requirements to risk
- Respect our community: all members of the Brandeis community who have access to confidential information have a community obligation to protect that information and the privacy of the individuals it represents
This policy was written with the understanding that, because of hardware and software limitations, some devices will require unique tactics to achieve compliance. If you believe there are technical barriers to following these best practices with your equipment, please complete an exemption request form (https://goo.gl/SKfjQj).
Standard for the Protection of Confidential Information
- All University-owned workstations and laptops that store Personally Identifiable Information (PII) will have their storage media fully encrypted.
- In addition, any encrypted device must require a strong password or passphrase before it can be accessed. Full-disk encryption protects data only while the device is powered off, and only as well as the passphrase that unlocks it, so a weak or shared passphrase defeats the control.
- Any University-owned workstation or laptop that falls under the foregoing encryption requirement must have all PII backed up remotely, either on encrypted media or to a University-licensed cloud service, so that a lost, stolen or failed device does not also mean lost data.
- All University-owned workstations and laptops must have one or more approved antivirus/anti-malware software programs installed.
- The University Information Security Office is charged with both providing and approving the programs used to meet this requirement. Anyone who does not wish to use the provided software should request an exemption in order to use a different program.
Personally Identifiable Information Protection
All systems that house certain types of restricted PII are subject to the Massachusetts Protection of Personal Information regulations (201 CMR 17.00) and/or other applicable data breach notification laws. University workstations and laptops, regardless of the category of data maintained, must be scanned to identify PII, using University-approved scanning procedures. Users of University systems must review the results of required scans so that any PII identified is handled properly. The University Information Security Office is charged with maintaining and approving PII identification tools.
Incident Response and Management
To ensure compliance with University policy and with state and federal data breach regulations, any lost or stolen workstation or laptop must be reported to the Information Security Office immediately upon discovery of the theft or loss, so that recovery can be attempted and a data breach analysis performed.
Individuals are personally responsible for the consequences of a data breach resulting from non-compliance with this policy, and such cases will be handled in accordance with the University's corrective action procedures.
201 CMR 17.00: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf. See specifically 17.04(5), which requires encryption of personal information stored on laptops and other portable devices.
Note that by default, University-owned laptops and workstations provided by ITS will be encrypted.