Written Information Security Program (WISP)


Authority

This policy is approved by the Chief Information Officer.

Purpose

This policy was implemented to identify and protect against potential information security risks at the institution and to comply with regulations issued by various states. This program has been developed in accordance with the following security best practices and regulations:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

  • State of Maine Title 10, §1348. Security breach notice requirements

  • Payment Card Industry Data Security Standards (PCI-DSS)

  • Gramm-Leach-Bliley Act (GLBA or GLB Act)

  • Family Educational Rights and Privacy Act (FERPA)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • 201 CMR 17: Standards for the Protection of Personal Information of MA Residents

  • Massachusetts General Laws Chapter 93H

The purpose of this policy is to:

  • Establish a comprehensive information security program for Bowdoin College with policies designed to safeguard sensitive data that is maintained by the College, in compliance with federal and state laws and regulations.

  • Establish administrative, technical and physical safeguards to ensure the security of sensitive data that aligns with current best practices.

  • Ensure clear communication of information security policies and standards.

Bowdoin is committed to protecting the confidentiality of all sensitive data that it maintains. Bowdoin has implemented policies to protect such information, and the WISP should be read in conjunction with these policies that are cross-referenced at the end of this document.

1. Scope

This Program applies to all Bowdoin employees, whether full- or part-time, including faculty, administrative staff, union staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the Bowdoin community (hereafter referred to as the “Community”). This Program also applies to contracted third-party vendors. The systems and data covered by this Program include any information stored, accessed, or collected at the College or for College operations. The WISP is not intended to supersede any existing Bowdoin College policy that contains more specific requirements for safeguarding certain types of data, except in the case of Personally Identifiable Information as defined below. If such a policy exists and it conflicts with the requirements of the WISP, the other policy takes precedence.

2. Definitions

NIST CSF - The National Institute of Standards and Technology publishes the Cybersecurity Framework as a guide to help organizations with the security of critical infrastructure. See: https://www.nist.gov/cyberframework

Data - For the purposes of this Program, data refers to any information collected, accessed and stored about members of the College community.

Personally Identifiable Information (“PII”) - the first name and last name, or first initial and last name, of a person in combination with any one or more of the following:

  • Social Security number.

  • Driver’s license number or state-issued identification card number.

  • Financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password.

For the purposes of this Program, PII also includes passport number, alien registration number or other government-issued identification number.

Nonpublic Financial Information - The GLBA (FTC 16 CFR Part 313) requires the protection of “customer information”, which applies to any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with the College, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the College. For these purposes, NFI shall include any information:

  • A student or other third party provides in order to obtain a financial product or service from the College.

  • About a student or other third party resulting from any transaction with the College involving a financial product or service.

  • Otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.

Examples of NFI include:

  • Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service.

  • Account balance information, payment history, overdraft history, and credit or debit card purchase information.

  • The fact that an individual is or has been one of your customers or has obtained a financial product or service from you.

  • Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer.

  • Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account.

  • Any information you collect through an Internet “cookie” (an information collecting device from a web server).

  • Information from a consumer report.

Breach - the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information maintained by a person or agency, and that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or an employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

3.0 Roles and Responsibilities

Senior Officers - Responsible for making a final review and approval of this policy.

IT Governance - Responsible for reviewing and providing feedback prior to final approval by Senior Officers.

Chief Information Officer - Responsible for reviewing and approving this policy prior to Executive Leadership. The CIO must report all compliance-related activities pertaining to this policy to the Executive Leadership team.

Chief Information Security Officer - Responsible for creating policies, procedures and standards to meet the requirements outlined in this policy. The CISO must report all matters pertaining to compliance with this policy to IT Governance.

Data Governance - Partnership in reviewing, developing and disseminating critical information security policies and standards.

4.0 Information Security Operations

4.1 Data Classification Policy

All data covered by this policy is subject to the College’s Data Classification Policy. The purpose of that policy is to protect the information resources of the College from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions on its access. By default, all institutional data will be designated as "Sensitive".

All data at the College is assigned a data trustee according to the constituency it represents. Data Trustees are senior college officials or their designees who have planning, policy-level and management responsibility for data within their functional areas. Data Stewards are college officials having direct operational-level responsibility for the management of one or more types of data. Data Stewards are assigned by the Data Trustee and are generally associate deans, associate vice presidents, directors, or managers. One of the responsibilities of the Data Governance Committee is to maintain a data inventory of the College’s data assets, which lists the Data Steward(s) for each data set. Please see the Data Governance Committee website to find the current information on the various roles.

4.1.1 Personally Identifiable Information

Additional security controls and safeguards will be implemented to ensure the security and confidentiality of PII. Safeguarded PII includes community, student and employee information. Bowdoin will assess the security controls in place to safeguard PII data on an annual basis to ensure the following:

  • The implemented security controls are appropriate based on the type of the business and the need to safeguard the PII.

  • The implemented security controls are operating effectively to prevent the unauthorized use and access of personal information.

  • Adequate resources and staff are available to ensure the security of PII.

  • The appropriate controls are in place based on the amount of stored data.

  • Information safeguards are upgraded as necessary to limit security risks.

Please refer to section 4.7 for further details on security monitoring and assessment.

4.2 Information Security Standards and Policies

The Information Security Policies are guiding documents to ensure that Bowdoin keeps the information that it creates or processes secure during regular operations.

The Information Security Standards are to be used when implementing operational security at the College. These standards should be used when deploying technology for the college or protecting information.

All security policies and standards shall be reviewed and approved annually by the CIO and CISO. Security policies and standards will also be reviewed to address any sizable business change and/or to incorporate lessons from incident response.

4.3 Acceptable Use Policy

The College has several policies relating to the acceptable use of technology. Users of Bowdoin College network and computer resources have a responsibility to properly use and protect those information resources and to respect the rights of others. Please see the following policies:

All Bowdoin information systems will be monitored for unauthorized uses or access to personal information. Please refer to section 4.7 for additional details on security monitoring and assessment.

4.4 Encryption Standards

  • Please see the IT Security Standard: Encryption for the complete encryption standard.

  • Encryption of data at rest: all Bowdoin employee laptops and desktops are encrypted. Any removable storage media, such as external hard drives or USB storage devices, must be encrypted if it stores sensitive data.

  • Encryption of data in transit: the transmission of all sensitive data will be encrypted in transit using secure encryption algorithms and methodologies. Transmitted data includes data traveling across public networks and wirelessly. Bowdoin employees accessing the College’s internal network resources remotely will only use encrypted VPN connections per the Virtual Private Network (VPN) Policy.

4.5 Incident Response

If there is a breach that requires notification under state or federal law, Bowdoin shall follow the appropriate incident response process outlined in our Incident Response Plan. The Bowdoin Incident Response Plan is maintained by the Chief Information Security Officer and includes coordination with the other IT groups.

Incident Reporting:

If a breach or incident is suspected, please contact the security team for further support and guidance at IT Security at itsecurity@bowdoin.edu or by phone at 207-798-4248. If the security team is unreachable, please contact the Service Desk at servicedesk@bowdoin.edu or 207-725-3030.

Post Incident Review: The Bowdoin Incident Response Team will document any responsive actions taken if a security incident involves a data breach. The review will include assessment of the effectiveness of the current security controls and will identify potential technical and business changes to prevent and mitigate security incidents in the future.

4.6 Physical Security

Bowdoin shall implement physical security controls to protect sensitive information such as PII and NFI. Physical security safeguards include, but are not limited to, the secure storage of records, facilities or containers containing PII.

4.7 Security Monitoring

Access to Bowdoin systems is monitored regularly and the process is outlined in the IT Security Standard: Log Management and Security Monitoring.

The Bowdoin information security program will be monitored to ensure the appropriate security measures and controls are implemented and operating effectively to protect sensitive data from unauthorized access and use. An internal assessment is performed annually to assess controls against the NIST CSF. Annually, external partners are brought in to further validate and assess the appropriateness of the controls that have been implemented.

4.8 Risk Management

To successfully manage risk across Bowdoin College, senior leadership must be committed to making information security an underlying principle of operating the College to protect the institution and its community. This top-level commitment ensures that sufficient resources are available to develop and implement an effective, institution-wide security program. Effectively managing information security risk requires the following key elements:

  • Assignment of risk management responsibilities to appropriate senior leadership.

  • Ongoing recognition and understanding by senior leadership and IT Governance of the information security risks to Bowdoin information assets, operations, and personnel.

  • Establishment of the tolerance for risk and communication of the risk tolerance throughout the organization, including guidance on how risk tolerance impacts ongoing decision-making activities.

  • Accountability of senior leadership for their risk management decisions.

  • Ongoing assessments of internal and external risks.

4.8.1 Risk Assessments

Bowdoin recognizes that it has both internal and external risks to the security, integrity and confidentiality of College information. These risks include, but are not limited to:

  • Unauthorized access of confidential data

  • Compromised system security as a result of unauthorized access

  • Interception of data during transmission

  • Loss of data integrity

  • Physical loss of data in a disaster

  • Errors introduced into the system

  • Corruption of data or systems

  • Unauthorized access of confidential data by employees

  • Unauthorized requests for confidential data

  • Unauthorized access through hard copy files or reports

  • Unauthorized transfer of confidential data through third parties

  • Employee compliance with security training and security policies and standards

This is not a complete list of risks, and the threat landscape will evolve during the life of the WISP. This list of risks will be updated and reassessed at least annually. The Information Technology team must implement reasonable and sufficient safeguards to provide security and confidentiality for confidential data maintained by the College.

4.8.2 Third Party Risk

All third-party service providers shall be subject to a security risk review prior to entering into an agreement and on a regular basis thereafter. The security team will review the security controls that the third party has in place to ensure they are consistent with applicable state and federal regulations and Bowdoin College’s security policies. Compliance with security controls will be mandated through contractual requirements.

This review is performed using the Higher Education Community Vendor Assessment Toolkit (HECVAT) developed by EDUCAUSE. Any vendor that handles Restricted data under our Data Classification Policy will be required to fill out the full assessment; vendors that handle less sensitive data may use the shorter versions of the assessment.

4.9 Employee Training

All administrative employees are required to complete annual information security awareness training. This is achieved through completion of a formal awareness training course and may also be accompanied by additional awareness materials as a part of National Cybersecurity Awareness Month. This course must be completed annually, or access to information resources may be revoked. In the event of a successful phishing attack, remedial training may be required regardless of whether the annual training has already been completed.

4.11 Identification, Authentication and Authorization

User authentication and authorization protocols and passwords are secured using encryption. All information system identifiers are unique, and one identifier is used per individual. Only approved, secure authentication mechanisms are allowed. Management of system accounts and authentication mechanisms follow the Identification, Authentication, and Authorization Policy.

All system account passwords must use a strong, encrypted password in accordance with the Bowdoin Passwords Security Standard.

4.11.1 Remote Access

All employees must abide by Bowdoin’s security policies and standards when accessing Bowdoin’s information systems remotely. Encrypted connections must be used to access information systems containing PII or other types of sensitive data. Employees are forbidden to use personal devices to access or store PII or Restricted data from Bowdoin’s information systems.

4.12 System Maintenance

All information systems, operating systems and software will be patched on a regular basis in accordance with the IT Security Standard: System Maintenance. In addition to patching, virus definitions will be updated on a regular basis for all anti-malware solutions.

5.0 Enforcement

A user of College information resources who is found to have purposely or recklessly violated any of these policies, or who fails to comply with this Program in any other respect, will be subject to disciplinary action according to the policies of Human Resources or the Dean of Student Affairs office, up to and including discharge, dismissal, expulsion and/or legal action.

6.0 Related Policies

Bowdoin has adopted these policies and standards to support this program:

7.0 Implementation

Effective Date: March 15, 2023
Review Frequency: Annual
Responsible Officer: Chief Information Officer

Details

Article ID: 154310
Created: Mon 3/13/23 10:23 AM
Modified: Wed 3/15/23 11:50 AM