Written Information Security Program

I. OBJECTIVE

The objective of Connecticut College in the development and implementation of this comprehensive written information security program (“WISP”) is to create and guide the implementation of effective administrative, technical and physical safeguards for the protection of Personally Identifiable Information (“PII”). The WISP sets forth Connecticut College’s procedures for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PII. This WISP does not replace or in any way supersede any of Connecticut College’s existing or future policies or procedures with respect to the safeguarding and/or handling of student education records data protected under the Family Educational Rights and Privacy Act (FERPA).

For purposes of this WISP, “PII” means an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such individual:

  • Social Security number;
  • Driver’s license number or government-issued identification number;
  • Tribal identification card;
  • Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account;
  • Passwords, personal identification numbers, or other access codes;
  • Any other numbers or information that can be used to access a person’s financial resources;
  • Digital signatures;
  • Passport number;
  • Student number;
  • Date of birth;
  • A birth or marriage certificate;
  • The maiden name of the individual’s mother;
  • A private key that is unique to an individual and that is used to authenticate or sign an electronic record;
  • An individual’s taxpayer identification number or an identity protection personal identification number issued by the IRS;
  • Medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional or health insurance information;
  • Biometric data, including fingerprints;
  • DNA profile;
  • Health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual, or any information in an individual’s application and claims history, including any appeals records;
  • Username or email address coupled with a password or security question and answer that would permit access to an online account;
  • Information or data collected through the use or operation of an automated license plate recognition system (a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data); and
  • Shared secrets or security tokens that are known to be used for data-based authentication.

It also includes the following information regardless of whether it is in combination with an individual’s first and last name or first initial and last name:

  • Username or email address coupled with a password or security question and answer that would permit access to an online account;
  • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to that account; or
  • Any of the above data elements if the information compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.

“PII” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

II. PURPOSE

The purpose of the WISP is to better:

  • Ensure the security and confidentiality of PII;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

III. SCOPE

In formulating and implementing the WISP, Connecticut College has addressed and incorporated the following protocols:

(1) identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PII;

(2) assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the PII;

(3) evaluated the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;

(4) designed and implemented a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of the regulations; and

(5) implemented regular monitoring of the effectiveness of those safeguards.

IV. DATA SECURITY COORDINATOR

Connecticut College has designated John Schaeffer (Director of NSS/CISO) to implement, supervise and maintain the WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:

a. Initial implementation of the WISP;

b. Training employees;

c. Regular testing of the WISP’s safeguards;

d. Evaluating the ability of each of Connecticut College’s third party service providers to implement and maintain appropriate security measures for the PII to which Connecticut College has permitted them access, consistent with the regulations; and requiring such third party service providers by contract to implement and maintain appropriate security measures;

e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in Connecticut College’s practices that may implicate the security or integrity of records containing PII; and

f. Conducting training sessions for all owners, managers, employees, and independent contractors, including temporary and contract employees, who have access to PII on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with Connecticut College’s requirements for ensuring the protection of PII.

V. INTERNAL RISKS

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PII, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately.

Internal Threats

  • Connecticut College shall collect the PII of students, alumni, affiliates, contractors, or employees only to the extent necessary to accomplish a legitimate business or educational purpose, for a legitimate job-related purpose, or to comply with state or federal regulations.
  • Access to records containing PII shall be limited to those persons who are reasonably required to know such information in order to accomplish Connecticut College’s legitimate business/educational purpose or to enable Connecticut College to comply with state or federal regulations.
  • Access to PII shall be restricted to active users and active user accounts only.
  • Off-campus storage of documents containing PII shall be held in a secure location with appropriate physical safeguards, such as locking mechanisms and access limitation. Any attempts to access PII stored in a secure, off-campus location shall be rejected absent a properly documented and approved access request that has been confirmed with the department/records originator.
  • Paper or electronic records (including records stored on hard drives or other electronic media) containing PII shall be disposed of only in a manner that complies with the regulations and as follows:
    • Paper documents containing PII shall be shredded upon disposal so that PII cannot be practicably read or reconstructed; and
    • Electronic media and other non-paper media containing PII shall be destroyed or erased upon disposal so that PII cannot be practicably read or reconstructed.
  • Connecticut College employees shall protect all PII by safeguarding it when in use, protecting it properly when not in use, and sharing it appropriately. PII relating to students will only be shared per FERPA guidelines. Information relative to other members of Connecticut College, including employees, affiliates, and developers, will only be shared as allowed by state and federal legislation or Connecticut College policy.
  • A copy of this WISP must be distributed to each current Connecticut College employee with access to PII and to each new Connecticut College employee with access to PII at the commencement of their employment.
  • All Connecticut College employees with access to PII shall participate in Connecticut College’s training program on the detailed provisions of the WISP. Immediate retraining of Connecticut College employees shall occur to the extent the Data Security Coordinator determines a need.
  • Procedures for Terminated Employees
    • Terminated employees must return all records containing PII, in any form, which may at the time of such termination be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.)
    • An involuntarily terminated employee’s physical and electronic access to PII must be immediately blocked.
  • All persons who fail to comply with this WISP shall be subject to disciplinary measures, irrespective of whether PII was actually accessed or used without authorization.
  • All security measures shall be reviewed at least annually, or whenever there is a material change in Connecticut College’s organizational practices that may reasonably implicate the security or integrity of records containing PII. The Data Security Coordinator shall be responsible for this review and shall fully apprise management of the results of that review and any recommendations for improved security arising out of that review.
  • Physical Assets Protocol
    • All assets must be secured from theft by locking up and maintaining a secure workplace.
    • Laptops left in a vehicle must be placed in the trunk whenever the vehicle is parked. If no secure trunk or other storage is available, employees must keep their laptops in their possession.
    • Laptops and other portable devices left in the office or at home overnight should be kept in a locked and secure location.
    • Employees must have assets secured or within their physical possession while on public or private transportation, including air travel. Laptops, tablets, etc. must not be checked in luggage.
    • An employee’s failure to adhere to this and other security policies of Connecticut College may result in disciplinary action and, in case of preventable loss or theft, employee’s replacing all assigned equipment at their own expense.
    • PII should not be stored on the local drive; it should be stored on the Connecticut College network.
  • Access Control Protocol
    • Access to electronically stored PII shall be electronically limited to those Connecticut College employees having a unique login ID.
    • All system access must be from a pre-registered device, using multifactor authentication and the VPN.
    • Employees must ensure that all computer systems under their control are locked when leaving their respective workspaces. Employees must not disable any logon access.
    • Employees must log off the Connecticut College network when they are not directly using those resources.
    • Any computer that has been inactive for 30 or more minutes shall lock and require re-login.
    • After 5 unsuccessful log-in attempts by any user ID, that user ID will be blocked from accessing any computer or file stored on any computer until access privileges are reestablished by the Data Security Coordinator.
    • Employees must maintain the confidentiality of passwords and access controls:
      • All passwords used for Connecticut College systems and laptops are required to adhere to strong password rules.
      • A Connecticut College password may not be reused as the password for any account not affiliated with Connecticut College.
      • All passwords used for Connecticut College systems and laptops are required to be changed every 365 days.
      • None of the three previously used passwords for an account may be reused as its new password.
      • Employees must not share their individual accounts or passwords with anyone.
      • Employees must not record passwords on paper or in a document. A password management tool is provided by the College to securely store all passwords.
    • Where practical, all visitors who are expected to access areas other than common public space, or who are granted access to office space containing PII, should be required to sign in at a designated reception area, where they will be assigned a visitor ID or guest badge unless escorted at all times. Visitors are required to wear the visitor ID in a plainly visible location unless escorted at all times.
    • Where practical, all visitors are restricted from areas where files containing PII are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing PII are stored.
  • Connecticut College employees are required to report suspicious or unauthorized use of PII to the Data Security Coordinator immediately, by emailing help@conncoll.edu or opening an IT service ticket.
  • Whenever there is an incident that requires notification under any state breach notification statute or regulation, there shall be an immediate mandatory post-incident review of the events and of any action taken, with a view to determining whether any changes in Connecticut College’s security practices are required to improve the security of the PII for which Connecticut College is responsible.
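As an added illustration (not part of the College’s WISP and not code from any College system), the Python below shows how the numeric controls in the Access Control Protocol above become enforcement logic: a user ID is blocked on the fifth unsuccessful attempt and stays blocked until an administrator resets it, an idle session is invalid after 30 minutes, a new password is rejected if it matches the current one or any of the three before it, and a correct password older than 365 days is refused. The account structure, the PBKDF2 parameters, the user “jdoe” and the sample passwords and timestamps are all assumptions constructed for the example.

```python
"""Added illustration: enforcing the WISP's Access Control Protocol numbers
(5 failed logins -> lockout, 30-minute inactivity lock, no reuse of the last
three passwords, 365-day maximum password age). Hypothetical code, not the
College's; the user, passwords and timestamps below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                   # block the user ID after 5 failures
INACTIVITY_LIMIT = timedelta(minutes=30)  # require re-login after 30 idle minutes
PASSWORD_HISTORY = 3                      # the three previous passwords are barred
PASSWORD_MAX_AGE = timedelta(days=365)    # passwords change at least every 365 days
PBKDF2_ROUNDS = 50_000                    # assumption; tune to your hardware


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, so stored hashes are not comparable across accounts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # retired (salt, hash)
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None


def create_account(user_id: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, _hash(password, salt), now)


def login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'bad_password', 'locked' or 'password_expired'."""
    if acct.locked:
        return "locked"                      # stays blocked until an admin resets it
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True               # the 5th failure blocks the user ID
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0                 # a success clears the counter
    if now - acct.pw_set_at > PASSWORD_MAX_AGE:
        return "password_expired"            # correct, but past the 365-day limit
    acct.last_activity = now
    return "ok"


def reset_lockout(acct: Account) -> None:
    """Only the Data Security Coordinator (or a delegate) should call this."""
    acct.locked = False
    acct.failed_attempts = 0


def session_active(acct: Account, now: datetime) -> bool:
    """False once the 30-minute idle limit is reached; the caller must re-login."""
    if acct.last_activity is None:
        return False
    return now - acct.last_activity < INACTIVITY_LIMIT


def change_password(acct: Account, new_password: str, now: datetime) -> bool:
    """Reject the current password and the three before it; True on success."""
    barred = [(acct.salt, acct.pw_hash)] + acct.history[-PASSWORD_HISTORY:]
    for salt, old_hash in barred:            # each old hash keeps its own salt
        if hmac.compare_digest(_hash(new_password, salt), old_hash):
            return False
    acct.history.append((acct.salt, acct.pw_hash))
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.pw_set_at = now
    return True


if __name__ == "__main__":
    t0 = datetime(2024, 9, 2, 9, 0)                     # constructed timestamp
    acct = create_account("jdoe", "Correct-Horse-Battery-1", t0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = login(acct, "wrong-guess", t0)
    print("after 5 failures:", result)
    reset_lockout(acct)
    print("after reset:", login(acct, "Correct-Horse-Battery-1", t0))
    print("idle 31 min, session active:", session_active(acct, t0 + timedelta(minutes=31)))
    print("reuse current password:", change_password(acct, "Correct-Horse-Battery-1", t0))
```

The lockout counter deliberately never decays on its own and never resets on a further failed attempt: that matches the WISP’s wording that a blocked ID stays blocked until the Data Security Coordinator re-establishes access. Note also that the history check hashes the candidate password under each retired salt, which is what makes it possible to keep only hashes, never plaintext, of the barred passwords.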

VI. EXTERNAL RISKS

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PII, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately.

External Threats

  • Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes PII.
  • All system security software including, anti-virus, anti-malware, and internet security shall be reasonably up-to-date and installed on any computer that stores or processes PII.
  • To the extent technically feasible, all laptops or other portable devices storing PII shall be encrypted, as shall all records and files containing PII that are transmitted across public networks or wirelessly. Encryption here means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
  • There shall be secure user authentication protocols in place that:
    • Control user IDs and other identifiers;
    • Assign passwords in a manner that conforms to accepted security standards, or apply unique identifier technologies; and
    • Control passwords to ensure that password information is secure.
  • PII shall not be removed from Connecticut College’s premises in electronic or written form absent a legitimate need and use of reasonable security measures, as described in this WISP.
  • All computer systems shall be monitored for unauthorized use or access to PII.

VII. CONTACT IN CASE OF LOSS/THEFT OR SUSPECTED LOSS/THEFT

If you have reason to believe that any PII has been lost or stolen, may have been compromised, or could be used for identity theft, regardless of the media or method, report the incident immediately by contacting the IT Service Desk during normal working hours.