Written Information Security Policy (WISP)

Introduction

The objective of Brandeis University (“University”) in the development and implementation of this comprehensive written information security policy (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of Regulated, Restricted, and Confidential data. The WISP sets forth the University’s procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Regulated, Restricted, and Confidential data.

The purpose of the WISP is to comply with regulations issued by the Commonwealth of Massachusetts entitled “Standards For The Protection Of Personal Information Of Residents Of The Commonwealth” [201 Code Mass. Regs. 17.00], and by the Federal Trade Commission [16 CFR Part 314], and with our obligations under the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (“GLB”) [15 USC 6801(b) and 6805(b)(2)].

In accordance with these federal and state laws and regulations, Brandeis University is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the University to affected individuals and appropriate state and federal agencies.

Brandeis University is committed to protecting the confidentiality of all sensitive data, as defined below, that it maintains, including information about individuals who work or study at the University.

Applicability

This Policy applies to all Brandeis University faculty, staff, hired consultants, interns, and student employees.

Definitions

Data

For the purposes of this document, data (classifications defined below) refers to Regulated, Restricted, and Confidential information collected, stored, archived, or maintained in any way under the management of Brandeis University, whether stored on or off campus or within a third-party service.

Personal Information

Personal Information (“PI”), as defined by Massachusetts law (201 CMR 17.00), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:

For the purposes of this Policy, PI also includes passport number, alien registration number or other government-issued identification number.

Nonpublic Financial Information

The GLB Act (FTC 16 CFR Part 313) requires the protection of “customer information”, which applies to any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with Brandeis University, whether in paper, electronic or other form, which is handled or maintained by or on behalf of Brandeis University. For these purposes, NFI shall include any information:

Protected Health Information

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the:

Past, present, or future physical or mental health or condition of an individual.

“PI”, “NFI” or “PHI” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public (the policy requirements).

Data Classification

All Regulated, Restricted, and Confidential data covered by this policy will be classified into one of the three categories outlined below, based on the level of security required for each, starting with the highest level.

Regulated Data

Information that, if disclosed or modified without authorization, would have a severe adverse effect on the operations, assets, or reputation of the University, or on the University's obligations concerning information privacy. In general, information in the Regulated Data class is subject to extensive, specific security and privacy regulations.

Regulated Data includes data that is protected by the following federal or state laws or regulations: 201 CMR 17.00 (Massachusetts Regulations), 16 CFR 313 (Privacy of Consumer Financial Information), the Federal Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the FTC’s Red Flag Rules. Information protected by these laws includes, but is not limited to, PI, NFI and PHI.

Restricted Data

Information that, if disclosed or modified without authorization, would have a serious adverse effect on the operations, assets, or reputation of the University, or on the University's obligations concerning information privacy.

Restricted data includes data protected by the Family Educational Rights and Privacy Act (FERPA), referred to as student education records. This data also includes, but is not limited to, research data on human subjects, University financial and investment records, or information related to legal or disciplinary matters. Credentials such as passwords or passphrases are included in this class.

Confidential Data

Information that, if disclosed or modified without authorization, would have a moderate adverse effect on the operations, assets, or reputation of the University, or on the University's obligations concerning information privacy. This class also includes data the University has chosen to treat confidentially for University business.

Responsibilities

Information Technology Services (ITS) staff shall be responsible for all data stored centrally on the University’s servers and administrative systems, and for the security of such data. For distributed data stored on departmental servers, the department head or their designee shall be responsible, and ITS and the department share joint responsibility for securing the data under the direction of the University’s Data Security Coordinator.

Department heads will alert ITS at the conclusion of a contract for individuals who are not considered Brandeis University employees, so that access to their Brandeis University accounts can be terminated.

All members of the Community are responsible for maintaining the privacy and integrity of all Regulated, Restricted, or Confidential data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing Regulated, Restricted, or Confidential data in compliance with this Policy.

Data Security Coordinator

Brandeis University has designated the Chief Information Security Officer to implement, supervise and maintain the WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:

  1. Initial implementation of the WISP;

  2. Training employees;

  3. Regular testing of the WISP’s safeguards;

  4. Evaluating the ability of each of Brandeis University’s third party service providers to implement and maintain appropriate security measures for Regulated, Restricted, or Confidential data to which Brandeis University has permitted them access, consistent with the regulations; and requiring such third party service providers by contract to implement and maintain appropriate security measures;

  5. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in Brandeis University’s business practices that may implicate the security or integrity of records containing Regulated, Restricted, or Confidential data; and

  6. Conducting training sessions for all owners, managers, employees, and independent contractors, including temporary and contract employees, who have access to Regulated, Restricted, or Confidential data, on the elements of the WISP.

Internal Risks

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Regulated, Restricted, or Confidential data, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

Internal Threats

External Risks

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Regulated, Restricted, or Confidential data, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

External Threats

Contact In Case Of Loss/Theft or Suspected Loss/Theft

If you have reason to believe that any Regulated, Restricted, or Confidential data has been lost or stolen or may have been compromised, or that there is the potential for identity theft, regardless of the media or method, report the incident immediately by contacting the Information Security Office at 781-736-4592.

This policy does not create an employment contract or any right to continued employment at Brandeis University. Brandeis University reserves the right to modify, revoke, suspend, terminate and/or change any and all policies and procedures at any time, with or without notice.

Policy Owner

Information Technology Services
Approved: December 9, 2019