Policy on Stewardship of Information
Effective Date: 07/01/2020; Updated 9/13/2023
Responsible Officer: General Counsel
History: Updating a Current Policy
Responsible Office: Compliance and Risk Management
This policy is intended to provide guidance to Wentworth Institute of Technology (henceforth known as “the university” or “Wentworth”) related to the protection of all information owned, managed, or in the custody of Wentworth.
This policy applies to all members of the Wentworth community, students, faculty, staff, affiliates, and anyone with access to institutional information.
All information owned, managed, or in the custody of Wentworth (“information”) shall be consistently and appropriately protected from its time of origin or receipt until the time of its destruction according to its classification. Information is classified into three categories, based on its sensitivity, criticality, and applicable regulations and statutes: Restricted, Private, and Public.
Individuals with access to institutional information are obligated to know the classification of information they access and create and to follow the corresponding standard for protecting, handling, disseminating, and destroying information as required and specified by this policy and related Wentworth procedures and standards.
Restricted - Data should be classified as Restricted when:
- unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the university or its affiliates
- protected by state or federal privacy regulations, or
- protected by confidentiality agreements.
The highest level of security controls should be applied to Restricted data.
Personally identifiable information (PII)* as defined by any state, federal, or other applicable privacy law. Non-personally identifiable information covered by FERPA (such as application/admissions information, grades, transcripts, disciplinary actions, financial application/award information, directory information that a student has elected to not have disclosed); non-personally identifiable information covered by GLBA (such as financial transaction information); employment information (such as salary, benefits, and performance evaluations); and sensitive non-personally identifiable information regarding applicants, alumni, donors, parents, or business associates of the Institute; information that is subject to a confidentiality agreement; sensitive infrastructure data; legally privileged information, trade secrets and intellectual property; details about Wentworth’s security (cyber or physical) controls, plans, or vulnerabilities.
*Broadly, PII is the combination of the full personal name of an individual plus one or more other elements of uniquely identifying information, such as, but not limited to, date of birth, home address, student or employee ID number, financial account number, bank account number, credit card number, social security number, credit history, CORI record, medical record number, personal email address, or driver’s license number. Privacy laws may differ in what is in scope for PII. The Mass. Privacy Law (MGL c. 93H and 201 CMR) defines PII as a Massachusetts resident’s full personal name plus one or more of the following: SSN, financial account number, driver’s license number.
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the university or its affiliates. By default, all institutional data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.
Examples: Course materials, internal-use only policies and procedures, research and assessment data, inventory data (library, technical, infrastructure entities), marketing plans, meeting minutes or agendas with potentially non-public information, non-public strategic plan information, departmental budgets, and unpublished writing or research.
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the university and its affiliates. While enhanced controls are not required, careful forethought should be given to the release of data deemed Public.
Examples: Campus maps and directory information, IPEDS, Common Data Set, Institute of International Education, open doors, promotional material, redacted departmental meeting minutes, program and course descriptions, student/campus activities, athletics information, hosted conference information, event schedules, public-facing internet content, approved press releases, publication-oriented personnel biographies and photos, publication archives, and published materials.
Low Risk - Data is classified as Low Risk if either of the following conditions apply:
- The data is generally available to the public, or
- The unauthorized use, access, or alteration of the data would not have an adverse impact on the university or an individual community member.
Moderate Risk - Data is classified as Moderate Risk if any of the following conditions apply:
- The data is governed by laws or regulations that restrict the use or disclosure of such data, or
- The data is subject to contractual restrictions that restrict the use or disclosure of such data, or
- The unauthorized use, access, or alteration of the data could have an adverse impact on the university or an individual community member.
High Risk - Data is classified as High Risk if either of the following conditions apply:
- The data is governed by laws or regulations that require the university to report to the government and/or provide notice to individuals if the data is breached, or
- The unauthorized use, access, or alteration of the data could have a significant adverse impact on the university or an individual community member.
Roles and Responsibilities
- Data Trustee: Vice Presidents who have overall responsibility for all the data sets maintained by units reporting to them. Data Trustees are responsible for ensuring that Wentworth institutional data resources are used in ways consistent with the mission of the university. The Data Trustees have the responsibility for the appointment and accountability of Data Owners. Data Trustees are also responsible for ensuring that institutional data and information systems used with such data are adequate to meet the business and regulatory compliance requirements set for these data.
- Data Steward: Generally, those authorized, by Data Trustees and/or Data Owners, with operational responsibilities over the systems that are used to collect, access, store, transmit, and destroy data. Data Stewards are responsible for effectuating the policies, procedures, and guidelines concerning the accuracy, privacy, security, and integrity of the data subsets for which they are responsible. Data Stewards are also responsible for enacting and maintaining the technical, administrative, and physical controls used to ensure the confidentiality, integrity, and availability of data. In addition, Data Stewards may be responsible for providing the mechanism(s) to also ensure the resiliency of the data and information systems used with these data. Requirements, including policies and standards, are set by Data Trustees and Data Owners. Data Stewards ensure that mechanisms and functions are in place to enable and enforce those requirements. Examples of Data Stewards could include coordinators, managers, assistant/associate directors, database and application administrators, etc. who meet the above definition.
- Data User: Employees, independent contractors, or students (e.g., interns, work study, co-op) who have been granted authorization by a Data Steward to access institutional data. Authorization is granted for a specific level of access to a specific set of data, as defined by the data management policies, solely for the conduct of institutional business. Data Users are responsible for adhering to all policies, standards, and best practices as established by Data Trustees and Data Owners.
Personally Identifiable Information (PII): PII is the combination of the full name (first and last) of an individual person plus one or more other elements of uniquely identifying information, such as, but not limited to, date of birth, home address, student or employee ID number, financial account number, bank account number, credit card number, social security number (SSN), credit history, CORI record, medical record number, personal email address, and driver’s license number. Various domestic and foreign laws stipulate special handling and protection of various PII, particularly SSNs, financial account numbers, driver’s license number, and date of birth.
|Rule||Rule Statement||Applicable Role||Digital||Paper|
|3.1||Always Transmit Restricted Information Securely||All employees||Restricted information must be transmitted using industry-standard encryption protocols, such as HTTPS or SSL2|
|3.2||Always Destroy Private and Restricted Information Using an Approved Method.||IT Administrators||Storage devices that may have contained Restricted or Private at any time must be sanitized using a method approved by the ISO3 before disposal, reassignment, or re-use.|
|Shred paper documents containing Restricted or Private information using a crosscut shredder. If shredding cannot be done immediately, store the document in a locked drawer, cabinet, or container within a locked office when unattended until it can be shredded.|
|3.3||Never Disclose Private or Restricted Information to Unauthorized Parties||All employees||Restricted and Private information must only be disclosed to individuals who have previously been approved to see that information and have a valid business justification for each particular instance. Records, files, documents, or databases unnecessarily containing Restricted or Private must have the personally identifiable elements de-identified before being disseminated or shared.|
|3.4||Never Leave Private or Restricted Information Openly Accessible and Unattended||All employees||If viewing Private or Restricted information on a computer screen, lock the screen before leaving. Consider using a privacy screen if regularly viewing Restricted or Private.||Observe the ‘Clean Desk’ security principle and never leave documents with Private or Restricted information unattended in unsecured areas (e.g. shared printers, workstations in open spaces, meeting rooms, etc.); store documents in a locked drawer, cabinet, or container within a locked office.|
|3.5||Never Retain Restricted or Private Information Longer than Required||All employees||Delete files containing Restricted or Private data using a secure file deletion method as soon as the information is no longer needed.||Securely shred all paper documents containing Restricted or Private using a cross-cut shredder once the document is no longer needed.|
|3.6||Never Store or Capture more Restricted or Private Information than Required||All employees||When receiving Restricted or Private data, only record the minimal information needed to perform the business function. For example, for credit card transactions, do not store the full contents of any track, the card verification code or value, personal identification number (PIN) or the encrypted PIN block after authorization. If Restricted or Private within the data set or document is not required, then de-identify the personally identifiable elements.|
|3.7||Never Display more Restricted or Private Information than Required||All employees||When designing screens, dashboards, or reports which show Restricted or Private, only display the minimum amount of information necessary to accomplish the business purpose. For example, if a credit card or SSN must be shown, only reveal the last four digits.|
|3.8||Never Create Unsecured Copies of Restricted or Private Information.||All employees||Only copy a file containing Restricted or Private to an approved and encrypted storage location.||Never write down or print Restricted or Private in a document that could be easily seen by an unauthorized party, such as writing it down in a shared notebook or on a sticky note.|
|3.9||Always Retain Information According to Legal Requirements|
|Be informed about how information in your stewardship is classified and your responsibilities for retaining under applicable Federal, State, and other laws and regulations.|
|3.10||Always Grant Access to Private and Restricted Information on a Need-to-know Basis||Administrators||Before granting any type of access to Private or Restricted information, establish that the employee has a valid business justification for that access.|
- Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following:
- Termination, without notice, of access privileges to information and technology resources.
- Disciplinary action, up to and/or termination of employment.
- Civil or criminal penalties as provided by law.
Additional Information & Related Documents
Interpretation & Revision
Any questions of interpretation regarding this policy shall be referred to the Chief Information Officer. They will be the final authority regarding the interpretation of this policy.
This policy shall be annually; however, minor changes and updates can be made at any time.
Wentworth will typically apply the policy in place at the time it receives a report concerning the respected policy.
Review and Revision History
This policy was drafted by representatives from the Division of Technology Services. This policy was reviewed by Cabinet and approved by the President on 9/13/2023.
This policy updates the existing Policy on Stewardship of Information. Below provides more information regarding the history of the policy.
|Date||Name and Title||Annual Review or Revision Summary|
|6/7/22||Bryce Cunningham, Information Security Officer||Annual Review|
|8/11/23||James McFarland, Associate Vice President for Technology Services||Annual Review|