Written Information Security Policy (WISP)

Introduction

The objective of Brandeis University (“University”) in the development and implementation of this comprehensive written information security policy (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of Regulated, Restricted, and Confidential data. The WISP sets forth the University’s procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Regulated, Restricted, and Confidential data.

The purpose of the WISP is to comply with regulations issued by the Commonwealth of Massachusetts entitled “Standards For The Protection Of Personal Information Of Residents Of The Commonwealth” [201 Code Mass. Regs. 17.00], and by the Federal Trade Commission [16 CFR Part 314], and with our obligations under the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (“GLB”) [15 USC 6801(b) and 6805(b)(2)].

In accordance with these federal and state laws and regulations, Brandeis University is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the University to affected individuals and appropriate state and federal agencies.

Brandeis University is committed to protecting the confidentiality of all sensitive data, as defined below, that it maintains, including information about individuals who work or study at the University.

Applicability

This Policy applies to all Brandeis University faculty, staff, hired consultants, interns, and student employees.

Definitions

Data

For the purposes of this document, data (classifications defined below) refers to Regulated, Restricted, and Confidential information collected, stored, archived, or maintained, in any way under the management of Brandeis University, whether stored on or off campus, or within a third-party service.

Personal Information

Personal Information (“PI”), as defined by Massachusetts law (201 CMR 17.00), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:

For the purposes of this Policy, PI also includes passport number, alien registration number or other government-issued identification number.

Nonpublic Financial Information

The GLB Act Safeguards Rule (FTC 16 CFR Part 314) requires the protection of “customer information”, which applies to any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with Brandeis University, whether in paper, electronic or other form, that is handled or maintained by or on behalf of Brandeis University. For these purposes, NFI shall include any information:

Protected Health Information

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the:

Past, present, or future physical or mental health or condition of an individual.

“PI”, “NFI” or “PHI” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Data Classification: Refer to the Brandeis Data Classification Standard.

Responsibilities

Information Technology Services (ITS) staff are responsible for all data stored centrally on the University’s servers and administrative systems, and for the security of such data. For distributed data stored on departmental servers, the department head or their designee is responsible, and ITS and the department share joint responsibility for securing the data under the direction of the University’s Data Security Coordinator.

Department heads will alert ITS at the conclusion of a contract for any individual who is not considered a Brandeis University employee, so that ITS can terminate access to that individual’s Brandeis University accounts.

All members of the Community are responsible for maintaining the privacy and integrity of all Regulated, Restricted, or Confidential data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing Regulated, Restricted, or Confidential data in compliance with this Policy.

Data Security Coordinator

Brandeis University has designated the Chief Information Security Officer to implement, supervise and maintain the WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:

  1. Initial implementation of the WISP;

  2. Training employees;

  3. Regular testing of the WISP’s safeguards;

  4. Evaluating the ability of each of Brandeis University’s third party service providers to implement and maintain appropriate security measures for Regulated, Restricted, or Confidential data to which Brandeis University has permitted them access, consistent with the regulations; and requiring such third party service providers by contract to implement and maintain appropriate security measures;

  5. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in Brandeis University’s business practices that may implicate the security or integrity of records containing Regulated, Restricted, or Confidential data; and

  6. Conducting training sessions for all owners, managers, employees, and independent contractors, including temporary and contract employees, who have access to Regulated, Restricted, or Confidential data, on the elements of the WISP.

Internal Risks

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Regulated, Restricted, or Confidential data, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

Internal Threats

External Risks

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Regulated, Restricted, or Confidential data, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

External Threats

Contact In Case Of Loss/Theft or Suspected Loss/Theft

If you have reason to believe that any Regulated, Restricted, or Confidential data has been lost or stolen, may have been compromised, or could be used for identity theft, regardless of the media or method, report the incident immediately by contacting the Information Security Office at 781-736-4592.

This policy does not create an employment contract or any right to continued employment at Brandeis University. Brandeis University reserves the right to modify, revoke, suspend, terminate and/or change any and all policies and procedures at any time, with or without notice.

Policy Owner

Information Technology Services
December 2019