Information Technology Services

Written Information Security Policy (WISP)

Introduction

The objective of Brandeis University in the development and implementation of this comprehensive written information security policy (WISP) is to create effective administrative, technical and physical safeguards for the protection of regulated, restricted and confidential data. The WISP sets forth the university's procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting regulated, restricted and confidential data.

The purpose of the WISP is to comply with regulations issued by the Commonwealth of Massachusetts entitled "Standards for the Protection of Personal Information of Residents of the Commonwealth" [201 Code Mass. Regs. 17.00], and by the Federal Trade Commission [16 CFR Part 314], and with our obligations under the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (GLB) [15 USC 6801(b) and 6805(b)(2)].

In accordance with these federal and state laws and regulations, Brandeis University is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the University to affected individuals and appropriate state and federal agencies.

Brandeis University is committed to protecting the confidentiality of all sensitive data, as defined below, that it maintains, including information about individuals who work or study at the University.

Applicability

This policy applies to all Brandeis University faculty, staff, hired consultants, interns and student employees.

Definitions

  • Data: For the purposes of this document, data (classifications defined below) refers to regulated, restricted and confidential information collected, stored, archived or maintained in any way under the management of Brandeis University, whether stored on or off campus or within a third-party service.
  • Personal Information: Personal Information (PI), as defined by Massachusetts law (201 CMR 17.00), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:
    • Social Security number;
    • Driver's license number or state-issued identification card number; or
    • Financial account number (e.g., bank account) or credit or debit card number that would permit access to a person's financial account, with or without any required security code, access code, personal identification number or password.
    • For the purposes of this policy, PI also includes passport number, alien registration number or other government-issued identification number.
  • Nonpublic Financial Information: The GLB Act (FTC 16 CFR Part 313) requires the protection of "customer information," which applies to any record containing nonpublic financial information (NFI) about a student or other third party who has a relationship with Brandeis University, whether in paper, electronic or other form, which is handled or maintained by or on behalf of Brandeis University. For these purposes, NFI shall include any information:
    • A student or other third party provides to obtain a financial product or service from Brandeis University;
    • About a student or other third party resulting from any transaction with Brandeis University involving a financial product or service; or
    • Otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.
  • Protected Health Information: Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the:
    • Past, present or future physical or mental health or condition of an individual.
    • Provision of health care to the individual by a covered entity (for example, hospital or doctor).
    • Past, present or future payment for the provision of health care to the individual.
  • PI, NFI or PHI shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public; such information is not subject to the policy requirements.

Data Classification

Refer to the Brandeis Data Classification Standard.

Responsibilities

Information Technology Services (ITS) staff shall be responsible for all data stored centrally on the university's servers and administrative systems, and are responsible for the security of such data. For distributed data stored on departmental servers, the department head or their designee shall be responsible, and ITS and the department share joint responsibility for securing the data under the direction of the university's data security coordinator.

Department heads will alert ITS at the conclusion of a contract for individuals who are not Brandeis University employees so that access to their Brandeis University accounts can be terminated.

All members of the Brandeis community are responsible for maintaining the privacy and integrity of all regulated, restricted or confidential data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members are required to access, store and maintain records containing regulated, restricted or confidential data in compliance with this policy.

Data Security Coordinator

Brandeis University has designated the Chief Information Security Officer to implement, supervise and maintain the WISP. That designated employee (the "Data Security Coordinator") will be responsible for:

  • Initial implementation of the WISP;
  • Training employees;
  • Regular testing of the WISP's safeguards;
  • Evaluating the ability of each of Brandeis University's third-party service providers to implement and maintain appropriate security measures for regulated, restricted or confidential data to which Brandeis University has permitted them access, consistent with the regulations; and requiring such third-party service providers by contract to implement and maintain appropriate security measures;
  • Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in Brandeis University's business practices that may implicate the security or integrity of records containing regulated, restricted or confidential data; and
  • Conducting training sessions for all owners, managers, employees and independent contractors, including temporary and contract employees, who have access to regulated, restricted or confidential data, on the elements of the WISP.

Internal Risks

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing regulated, restricted or confidential data, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

Internal Threats

  • Brandeis University shall collect data about students, their parents, alumni, donors, suppliers, vendors, staff or employees only where necessary to accomplish a legitimate business need or legitimate job-related purpose, or where necessary for Brandeis University to comply with state or federal regulations.
  • Access to records containing regulated, restricted or confidential data shall be limited to those persons who are reasonably required to know such information in order to accomplish Brandeis University's legitimate business purpose or to enable Brandeis University to comply with state or federal regulations.
  • Access to regulated, restricted or confidential data shall be restricted to active users and active user accounts only.
  • Any regulated, restricted or confidential data stored shall be disposed of when no longer needed for business purposes or required by law for storage. Paper or electronic records (including records stored on hard drives or other electronic media) containing confidential and restricted data shall be disposed of only in a manner that complies with the regulations and as follows:
    • Paper documents containing regulated, restricted or confidential data shall be either redacted, burned, pulverized or shredded upon disposal so that regulated, restricted or confidential data cannot be practicably read or reconstructed; and
    • Electronic media and other non-paper media containing regulated, restricted or confidential data shall be destroyed or erased upon disposal so that regulated, restricted or confidential data cannot be practicably read or reconstructed.
  • A copy of this WISP must be distributed to each current Brandeis University employee with access to regulated, restricted or confidential data and to each new Brandeis University employee with access to regulated, restricted or confidential data at the commencement of their employment.
  • All university employees with access to regulated, restricted or confidential data shall participate in Brandeis University's training program on the detailed provisions of the WISP. Immediate retraining of Brandeis University's employees shall occur to the extent the Data Security Coordinator determines a need.
  • Procedures for terminated employees (whether voluntary or involuntary)
    • Terminated employees must return all records containing regulated, restricted or confidential data, in any form, that may at the time of such termination be in the former employee's possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).
    • A terminated employee's physical and electronic access to regulated, restricted or confidential data must be immediately blocked. Such terminated employee shall be required to surrender all keys, IDs, access codes or badges, business cards and the like, which permit access to the university's premises or information. Moreover, such terminated employee's remote electronic access to personal information must be disabled; their voicemail access, email access, internet access and passwords must be invalidated.
    • An employee's network login ID will be suspended immediately upon termination. If the employee is an alumnus of Brandeis University, they may formally request a separate network login ID from the Data Security Coordinator to access alumni-eligible resources. All requests will be individually evaluated.
  • All persons who fail to comply with this WISP shall be subject to disciplinary measures, up to and including termination, irrespective of whether regulated, restricted or confidential data was actually accessed or used without authorization.
  • All security measures shall be reviewed at least annually, or whenever there is a material change in Brandeis University's business practices that may reasonably implicate the security or integrity of records containing regulated, restricted or confidential data. The Data Security Coordinator shall be responsible for this review and shall fully apprise management of the results of that review and any recommendations for improved security arising out of that review.
  • Physical assets protocol
    • All assets must be secured from theft by locking up and maintaining a secure workplace, whether that work takes place in Brandeis University's offices, vendor site, a car, hotel, home or other alternate work site.
      • All laptops should be placed in the trunk of the vehicle when and wherever it is parked. If no secure trunk or other storage is available, employees must keep their laptops in their possession.
      • Laptops and other portable devices left in the office or at home overnight should be kept in a secure location.
      • Employees must have assets secured or within their physical possession while on public or private transportation, including air travel.
      • An employee's failure to adhere to this and other security policies of Brandeis University may result in disciplinary action up to and including termination.
  • Access control protocol
    • Access to electronically stored regulated, restricted or confidential data shall be limited to those university employees having a unique login ID.
    • Where technically feasible, employees must ensure that all computer systems under their control are locked when leaving their respective workspaces. Employees must not disable any logon access.
    • Where technically feasible, all computers that have been inactive for 60 or more minutes shall require the user to log in again.
    • After 10 unsuccessful log-in attempts by any user ID, that user ID will be blocked from accessing any computer or file stored on any computer until access privileges are reestablished by the Data Security Coordinator or their designee.
    • Employees must maintain the confidentiality of passwords and access controls:
      • All passwords used for Brandeis University's systems and laptops are required to adhere to strong password rules.
      • All passwords used for Brandeis University's systems and laptops are required to be changed every 12 months.
      • Employees must not record passwords on paper or in a document in an insecure way.
    • Where practical, all visitors are restricted from areas where files containing regulated, restricted or confidential data are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing regulated, restricted or confidential data are stored.
  • Brandeis University's employees are required to immediately report suspicious or unauthorized use of regulated, restricted or confidential data to the Data Security Coordinator.
  • Pursuant to Brandeis University's policies, whenever there is an incident that requires notification under any state or federal breach notification statute or regulation, there shall be an immediate mandatory post-incident review of events and action taken, if any, with a view to determining whether any changes in Brandeis University's security practices are required to improve the security of regulated, restricted or confidential data for which Brandeis University is responsible.

External Risks

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing regulated, restricted or confidential data, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

External Threats

  • To the extent technically feasible, firewall protection, operating system security patches and all software products shall be reasonably up-to-date and installed on all Brandeis University computers.
  • To the extent technically feasible, all system security software including, but not limited to, anti-virus, anti-malware, internet security, device management and backup shall be reasonably up-to-date and installed on all Brandeis University computers.
  • To the extent technically feasible, all regulated, restricted or confidential data stored on workstations or other portable devices shall be encrypted, as must all records and files transmitted across public networks or wirelessly. Encryption here means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
  • Employees must not email information or documents containing regulated data about students, parents, alumni, donors, suppliers, vendors, staff or employees without encryption.
  • There shall be secure user authentication protocols in place that:
    • Control user IDs and other identifiers;
    • Require passwords in a manner that conforms to accepted security standards, or apply the use of unique identifier technologies; and
    • Control passwords to ensure that password information is secure.
  • Regulated, restricted or confidential data shall not be removed from the business premises in electronic or written form absent a legitimate business need and use of reasonable security measures, as described in this WISP.
  • All Brandeis University computers, systems and infrastructure shall be monitored for unauthorized use or access to regulated, restricted or confidential data.
  • ITS staff provides computer, systems, infrastructure and application support for services under their management. To perform these activities and provide support for these services, ITS staff may have administrative access to the operating system, databases, applications or infrastructure being supported as part of their job responsibilities. This access may only be used in support of Brandeis University business and consistent with the roles and responsibilities of the staff member as prescribed by Brandeis University management. ITS periodically reviews administrator access to the systems it is responsible for managing, and administrative access is also reviewed and updated upon a change in the staff member's role or responsibility.

Contact in Case of Loss/Theft or Suspected Loss/Theft

If you have reason to believe that any regulated, restricted or confidential data has been lost or stolen or may have been compromised or there is the potential for identity theft, regardless of the media or method, report the incident immediately by contacting the Information Security Office at 781-736-4592.

This policy does not create an employment contract or any right to continued employment at Brandeis University. Brandeis University reserves the right to modify, revoke, suspend, terminate and/or change any and all policies and procedures at any time, with or without notice.

Policy Owner

Information Technology Services

December 2019