Policy on Information Security

Policy Category: Division of Technology Services

Effective Date: 9/13/2023

Responsible Officer: Vice President of Technology & Chief Information Officer

History: Information Security Policy, 2022; Review 6/7/22; Gramm-Leach Bliley Act Compliance Policy; Red Flag Policy; Updated 8/5/2024

Responsible Office: Division of Technology Services

Purpose

This policy provides the foundation for the management of information security at the University and is the master policy document of the information security program.

Scope/Availability

This policy applies to all University departments and all faculty, staff, students, contractors, student employees, and anyone with access to university information technology resources.

Legal

Gramm-Leach Bliley Act 

Red Flag Rule 

Policy

A structured Information Security Program shall be sanctioned by the Chief Information Officer and maintained by the Associate Vice President for Technology Services to sufficiently mitigate risks to the confidentiality, integrity, and availability of university systems and data in electronic form. This policy and the university’s supporting policies, operational plans, written information security program (WISP), guidelines, standards, and procedures are the documented elements of the program that facilitate its execution and maintenance. Policies in scope for the program will be reviewed on a recurring basis by the policy owner.

All systems shall be secured in a manner that reasonably and appropriately mitigates risk, taking into account a) the highest data classification level of the information stored, processed, or transmitted on the system and b) the system’s overall business criticality. Similarly, all information in electronic form shall be handled in a manner appropriate for its data classification level as determined by the associated university data custodian.

Definitions

  1. Third-Party: Any third-party hired or contracted by the university to provide services and who also stores, processes or transmits institutional data or uses systems as part of their duties or service delivery.
  2. Data: Any data in the custody of the university, regardless of whether it is owned, licensed, or only managed by the university. 
  3. Information Security Program: The design, execution, and maintenance of the processes, plans, policies, and procedures involved in lowering risks to data and systems by the AVP and other delegates of the CIO.
  4. Information Technology Resource: Information technology resources (“ITRs”) are Wentworth owned, leased, and/or managed information, technology, or IT services, which include but are not limited to computer accounts (email, network, system, application, et al.), computers (desktops, laptops, workstations, servers, classroom A/V, and all mobile devices), printers and other peripherals, telephones and facsimile machines, electronic technology (e.g., computer programs, folders, and files), local and wide area networks, Internet access, digital storage media, and any information that resides on or traverses these resources.
  5. System: Any electronic technology that stores, processes, or transmits information on behalf of the university. Examples are servers, workstations, computer networks, mobile computers, and enterprise applications.
  6. Written Information Security Program (WISP): A document that describes in detail the elements of the information security program, such as governance aspects, risk management methodology, and the policies, plans, and procedures that support the program objectives. 

Procedure(s)

Compliance

  1. Individual offices are responsible for following all university policies and procedures regarding information security as referenced in the Additional Information section below.

Exceptions 

  1. Exceptions to this policy must receive written approval from the Associate Vice President for Technology Services, under the guidance of the CIO, and must be formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness.

Enforcement

Failure to comply with this policy may result in one or more of the following: 

  1. Temporary suspension or permanent loss of the violator's privileges with respect to access to institutional data and/or university-owned information systems. 
  2. Disciplinary action up to and/or including termination of employment. 
  3. Civil or criminal penalties as provided by law. 

Additional Information & Related Documents

Interpretation & Revision

Any questions of interpretation regarding this policy shall be referred to the Vice President of Technology & Chief Information Officer, who will be the final authority regarding the interpretation of this policy.

This policy shall be reviewed every year; however, minor changes and updates can be made at any time.

Wentworth will typically apply the policy in place at the time it receives a report concerning the respective policy.

Additionally, in instances where two or more policies are implicated (for example, the Gramm-Leach Bliley Act Compliance Policy and the Red Flag Policy), a case-by-case determination will be made as to which policy will be applied.

Review and Revision History

This policy was drafted by representatives from the Division of Technology Services. It was reviewed by Cabinet and approved by the President on 9/12/2023.

This policy updates the Information Security Policy, 2022 and related procedures. It replaces the following policies: 

Gramm-Leach Bliley Act Compliance Policy, January 2018 

Red Flag Policy, effective May 1, 2009, and updated January 2018 

Date       Name & Title
8/5/2024   James McFarland, Associate Vice President for Technology Services (Annual Review)