IT 080 - Information Privacy And Data Security
Number: IT 080
Effective: December 1, 2016
Department: Information Technology
Last Revision: December 19, 2016

Purpose

To classify data and establish minimum standards and guidelines to protect against accidental or intentional damage or loss of data, interruption of CWI business, or the compromise of confidential information.

Scope

Applies to all users with access to (a) confidential information through CWI or its affiliates or (b) college information resources, including those used by CWI under license, contract, or other affiliation agreement.

Definition

Access: Any personal inspection or review of the confidential information or a copy of the confidential information, or an oral or written account of such information.

Confidential Information: Information identified by applicable laws, regulations, or policies as personal information, individually identifiable health information, education records, personally identifiable information, non-public personal data, confidential personal information, or sensitive scientific or sponsored project information. Confidential information includes but is not limited to any information that identifies or describes an individual such as a social security number, physical description, home address, non-business telephone numbers, ethnicity, gender, signature, passport number, bank account or credit card numbers, expiration dates, security codes, passwords, educational information, medical or employment history, driver’s license number, or date of birth. It also includes electronic data that includes an individual’s first name or first initial and last name in combination with one or more of the following data elements, when either the name or data elements are not encrypted: 1) social security number; 2) driver’s license or state identification card number; 3) student or employee identification number; or 4) credit card number in combination with any required security code, access code, password, or expiration number that would permit access to an individual’s financial account.

Confidential information does not include any information knowingly and voluntarily made publicly available by the owner of such information, such as information voluntarily listed in college or other public directories. Custodian: Member of the CWI community having primary responsibility for gathering, inputting, storing, managing, or disposing of confidential information. One becomes a custodian either by designation or by virtue of having acquired, developed, or created information resources for which no other party has stewardship. For example, for purposes of this policy, librarians have custody of library catalogs and related records, faculty have custody of their research and course materials, students have custody of their own work, and any individual who accepts a credit card number in the course of conducting CWI business is the custodian of that information. The term does not necessarily imply legal ownership.

Data: Information generated in the course of official CWI business. Information that is personal to the operator of a system and stored on a college IT resource as a result of incidental personal use is not considered CWI data.

Disclosure: To permit access to or release, transfer, disseminate, or otherwise communicate any part of information by any means, including but not limited to orally, in writing, or by electronic means to any person or entity.

Incident: A potentially reportable incident that may include, but is not limited to, the following:

  • Attempts to gain unauthorized access to systems or data;
  • Unwanted disruptions or denial of services;
  • A virus outbreak;
  • Theft, misuse or loss of electronic equipment containing confidential information;
  • Unauthorized use of systems for processing or data storage;
  • Circumstances where a department or unit cannot account for or fails to properly dispose of paper records containing confidential information; or
  • Unauthorized changes to system hardware, firmware and software.

Individually Identifiable Health Information: Any information, including demographics, collected from an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse relating to the past, present or future physical or mental health or condition of an individual and identifies the individual, or information which can reasonably be expected to identify the individual.

Information Resources: Includes information in any form and recorded on any media, and all computer and communications equipment and software.

Information Security Officer (ISO) – The individual or individuals responsible for protecting confidential information in the custody of CWI; the security of the equipment and/or repository where this information is processed and/or maintained and the related privacy rights of college students, faculty and staff concerning this information. An ISO has primary responsibility for oversight of information security, networks and systems, and working in cooperation with IT and Human Resource (HR) to educate the CWI community about security responsibilities.

Information Service Provider (Service Providers): A person or entity, including CWI departments, individuals, and ancillary organizations, that receives, maintains, processes or otherwise is permitted to access confidential information through its provision of services directly to CWI who manages significant information resources and systems for the purpose of making those resources available to others. This includes the Office of Information Technology, the Alumni Association, Registrar, and Financial Aid, as well as other entities that operate at a division, department, or sub-department level.

Information Technology (IT) Resources: An array of products and services that collect, transform, transmit, display, present, and otherwise make data into usable, meaningful and accessible information. IT Resources include but are not limited to: desktop computers, laptops, and tablet PC’s; handheld devices including but not limited to, cell phones; e-mail, voicemail, servers, central computers, and networks; cloud storage systems; network access systems including wireless systems; portable hard drives and databases; computer software; printers and FAX machines and lines; campus, classroom and office audio and visual display devices and switching, camcorders, televisions, physical media; telephone equipment and switches including local and long-distance services; satellite equipment and any other current or future IT resource adopted by CWI as new technologies are developed.

Level One Data: Private information that must be protected by law or industry regulation. This information is considered highly sensitive (“HS”).

Level Two Data: Information that should be protected. This information is considered moderately sensitive (“MS”).

Level Three Data: Publicly available information. This information is considered non-sensitive (“NS”).

Managers: Members of the CWI community who have management or supervisory responsibilities, including deans, department chairs, directors, department heads, group leaders, supervisors and faculty who supervise teaching or research assistants.

Minimum Security Standards (“MSS”): Required configuration standards, maintained by the Office of Information Technology, that increase the security of systems (servers, workstations, mobile devices) and help safeguard CWI’s information technology resources and data.

Protected Health Information (“PHI”): Individually identifiable health information that is maintained in any medium or transmitted or maintained in any other form. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), and records held by a covered entity in its role as an employer.

User: Anyone who uses CWI’s information resources, even if they have no responsibility for managing the resources. This includes students, faculty, staff, contractors, consultants, and temporary employees.

Policy

This policy creates an environment that will help protect all members of the CWI community from information security threats that could compromise privacy, productivity, reputation, or intellectual property rights. CWI recognizes the vital role data and information plays in its educational and research missions, and the importance of taking the necessary steps to protect information in all forms.

Given the large amounts of data and information generated by CWI employees and students, it is important everyone is familiar with the provisions of this policy. As more information is used and shared by students, faculty and staff, both within and outside CWI, an associated effort must be made to protect information resources from threats by establishing responsibilities, guidelines, and practices that will help CWI prevent, deter, detect, respond to and recover from compromises to these resources. All CWI data must be subject to some protective measures. This policy classifies CWI data into categories in order to apply appropriate protective security measures.

Users are responsible for protecting the information resources to which they have access. Their responsibilities cover both computerized and non-computerized information and information technology devices they use or possess, including but not limited to paper, reports, books, film, microfiche, microfilms, recordings, computers, PDAs, disks, jump drives/memory sticks, printers, phones, and fax machines. Users must follow the information security practices set by the ISO, as well as any additional departmental or other applicable information security practices.

Guidelines

I. Data Classifications

  1. CWI data is classified among three levels: One, Two, and Three. All data, regardless of classification, must be protected as per CWI’s MSS.
    1. Level One (HS) Data: This is the most sensitive data and it must never be left unattended without being properly secured. This includes CWI data protected by:
      1. Federal or State law (for example, HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; and HHS 45 CFR § 46 Protection of Human Subjects Subparts A-E);
      2. Industry Regulation (for example, PCI-DSS);
      3. CWI rules and regulations;
      4. Contractual agreements requiring confidentiality, integrity, or availability considerations (for example, Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements).
    2. Level Two (MS) Data: This data includes internal data used for official CWI business. While there might not be a specific statute or regulation requiring its protection, this data should be safeguarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use.
    3. Level Three (NS) Data: This data includes information that may or must be open to the public and has no existing local, national, or international legal restrictions on access or usage.

II. Security Protection Measures

  1. Detailed security measures for protecting data can be found at Minimum Security Standard for Systems on the Information Technology Resources homepage. Additionally:
    1. Questions about this standard should be addressed to the Information Security Office.
    2. Questions about properly classifying specific pieces of information should be addressed to department managers.
    3. CWI data stored on non-college IT resources must still be verifiably protected according to the MSS.

III. Group Responsibilities

  1. All users share in the responsibility for protecting information resources for which they have access or of which they have custody. Responsibilities set forth in this section are assigned to four groups: custodians, users, managers (of users), and information service providers. Individuals may have responsibilities in more than one area and should be familiar with the requirements of each group.
    1. Custodians are responsible for:
      1. Establishing information security procedures;
      2. Determining Authorizations;
      3. Recordkeeping; and
      4. Incident Handling and Reporting.
    2. Users are responsible for:
      1. Being familiar with and adhering to CWI policies;
      2. Physical security;
      3. Information storage;
      4. Distribution and transmission of information;
      5. Destruction and disposal of information and devices;
      6. Passwords;
      7. Computer security;
      8. Remote access;
      9. Logging off;
      10. Virus and malicious code protection;
      11. Backups; and
      12. Incident handling and reporting.
    3. Managers must fulfill the responsibilities of Custodians and Users set forth above, plus Managers are responsible for:
      1. Sharing responsibility for information security with the employees they supervise;
      2. Establishing information security procedures;
      3. Managing authorizations;
      4. User training and awareness;
      5. Physical security; and
      6. Incident handling and reporting.
    4. Information Service Providers are responsible for:
      1. More extensive information security requirements than individuals;
      2. Establishing information security procedures;
      3. Physical security;
      4. Computer security;
      5. Network security;
      6. Access controls;
      7. Passwords;
      8. Contingency planning; and
      9. Incident handling and reporting.

IV. Administrative Responsibilities

  1. The ISO continually monitors the college information security threat landscape and proposes tools or mitigation strategies to reduce the CWI’s exposure. Oversight and responsibilities include:
    1. Policy, procedures and standards review, enhancement and revision;
    2. User security training and awareness;
    3. Oversight authority for college networks and systems security;
    4. Incident handling, remediation, and reporting; and
    5. Collaborating with college departments as needed to ensure policy conformance.
  2. Legal counsel for CWI is responsible for interpreting the laws that apply to this policy and ensuring that the policy is consistent with those laws and other CWI policies. Any inadequacies in this policy should be brought to the attention of the ISO. CWI’s legal counsel will work in concert with the ISO and other parties deemed necessary to report any criminal offenses when necessary.
  3. The Office of Information Technology (IT) is responsible for working with the ISO to develop standards consistent with this policy, other CWI policies, and state and federal law. IT will also work with the ISO to assist with training and compliance issues

V. Enforcement

  1. Violations of this policy will be handled consistent with CWI disciplinary procedures applicable to the relevant individuals or departments, up to and including termination or dismissal. Failure to comply with this policy may also result in the suspension of access to network resources until policy standards have been met. Should CWI incur monetary fines or other incidental expenses from security breaches, CWI may recoup these costs from the non-compliant department, school or auxiliary organization.