1.0 Policy Statement
The Nyack College Written Information Security Program (WISP) is intended as a set of comprehensive guidelines and policies designed to safeguard all sensitive data maintained at the College, and to comply with applicable laws and regulations on the protection of Personal Information, as found on records and in systems owned by the College.
The WISP was implemented to comply with all regulations. In accordance with federal and state laws and regulations, Nyack College is required to take measures to safeguard personally identifiable information, and to provide notice about security breaches of protected information at the college to affected individuals and appropriate state agencies.
In addition, Nyack College is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the College. Nyack College has implemented a number of policies to protect such information, and the WISP should be read in conjunction with these policies that are cross-referenced at the end of this document.
The purposes of this document are to:
- Establish a comprehensive information security program for Nyack College with policies designed to safeguard sensitive data that is maintained by the College, in compliance with federal and state laws and regulations;
- Establish employee responsibilities in safeguarding data according to its classification level; and
- Establish administrative, technical and physical safeguards to ensure the security of sensitive data.
This Program applies to all Nyack College employees, whether full- or part-time, including faculty, administrative staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the Nyack College community (hereafter referred to as the “Community”). The data covered by this Program includes any information stored, accessed or collected at the College or for College operations. The WISP is not intended to supersede any existing Nyack College policy that contains more specific requirements for safeguarding certain types of data, except in the case of Personal Information, as defined below. If such policy exists and is in conflict with the requirements of the WISP, the other policy takes precedence.
Personal Information (PI), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:
- Social Security number;
- Driver’s license number or state-issued identification card number; or
- Financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password.
For the purposes of this Program, PI also includes passport number, alien registration number or other government-issued identification number.
4.2 Data Classification
All data covered by this policy will be classified into one of three categories outlined below, based on the level of security required for each, starting with the highest level.
Confidential data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a significant level of risk to Nyack College or the Community. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration or disclosure.
Confidential data includes any data that is protected by federal or state laws or regulations, including, but not limited to, data protected under the following privacy laws: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Family Educational Rights and Privacy Act (FERPA). Information protected by these laws includes, but is not limited to, PI, Protected Health Information (PHI), student education records and financial aid information.
Confidential data also includes other sensitive personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations or reputation of Nyack College. This data includes, but is not limited to, donor information, college financial records, employee salary information, or information related to legal or disciplinary matters.
Internal Use Only
Internal Use Only data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a moderate level of risk to Nyack College. This data should be limited to access by the office of Institutional Research or individuals who are employed by Nyack College and who have legitimate reasons for accessing such data. Any non-public data that is not explicitly designated as Confidential should be treated as Internal Use Only data. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.
Public (or Unrestricted)
Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to Nyack College or members of the Nyack College community. Any data that is not classified as Confidential or Internal Use Only should be considered Public data.
All data at the College is assigned a data owner according to the constituency it represents. Data owners are responsible for approval of all requests for access to such data. The data owners for each constituency group are designated as follows:
- Faculty data - the Provost (or his or her designees) serve as the data owners
- Staff data - the Vice President for Finance and Treasurer (or his or her designee) serves as data owner
- Student data - ownership is distributed across many departments. A Nyack College security policy regarding student data ownership has been developed and every faculty/staff/administration’s security role determines what student data is hidden, what student data they can see, and what student data they have rights to edit or run reports on.
Nyack’s Information Technology department serves as the data stewards for all data stored centrally on the College’s servers and administrative systems. They are also responsible for the security of such data. For distributed data stored on departmental servers, the department head or their designee serves as the data steward, and the IT department (does not share/ shares) joint responsibility for securing this data.
Human Resources will inform the IT Department staff about an employee’s change of status or termination as soon as is practicable, but before an employee’s departure date from the College. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s amount of access to College data. The IT Department staff will terminate all of the employee’s account access upon the employee’s termination date from the College, as specified by Human Resources.
Department heads will alert Human Resources at the conclusion of a contract for individuals that are not considered Nyack College employees in order to terminate access to their Nyack College accounts.
The Director of Information Technology and Executive Vice President/VP of Finance are in charge of maintaining, updating, and implementing this Program.
All members of the Community are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing sensitive data in compliance with this Program.
5.2 Identification and Assessment of Risks to College Information
Nyack College recognizes that it has both internal and external risks to the privacy and integrity of College information. These risks include, but are not limited to:
- Unauthorized access of Confidential data by someone other than the owner of such data
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of Confidential data by employees
- Unauthorized requests for Confidential data
- Unauthorized access through hard copy files or reports
- Unauthorized transfer of Confidential data through third parties
Nyack College recognizes that this may not be a complete list of the risks associated with the protection of Confidential data. Since technology growth is not static, new risks are created regularly. Accordingly, our IT Dept will monitor advisory groups such as the Educause Security Institute and SANS for identification of new risks.
Nyack College believes the College’s current safeguards are reasonable and sufficient to provide security and confidentiality to Confidential data maintained by the College. Additionally, these safeguards also protect against currently anticipated threats or hazards to the integrity of such information.
5.3 Policies for Safeguarding Confidential Data
To protect Confidential data, the following policies and procedures have been developed that relate to protection, access, storage, transportation, and destruction of records, computer system safeguards, and training.
- Only those employees or authorized third parties requiring access to Confidential data in the regular course of their duties are granted access to Confidential data, including both physical and electronic records.
- Computer and network access passwords are disabled upon termination of employment or relationship with Nyack College.
- Upon termination of employment or relationship with Nyack College, physical access to documents or other resources containing Confidential data is immediately prevented.
- Members of the Community will not store Confidential data on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives). In rare cases where it is necessary to transport Confidential data electronically, the mobile device containing the data must be encrypted.
- To the extent possible, making sure that all Confidential data is stored only on secure servers maintained by the College and not on local machines, unsecure servers, or portable devices.
- Paper records containing Confidential data must be kept in locked files or other secured areas when not in use. Once they are no longer needed, they should be shredded using the approved mechanisms.
- Electronic records containing Confidential data must be stored on secure servers, and, when stored on authorized desktop computers, must be password protected.
Removing Records from Campus
- Members of the Community are strongly discouraged from removing records containing Confidential data off campus. In rare cases where it is necessary to do so, the user must take all reasonable precautions to safeguard the data. Under no circumstances are documents, electronic devices, or digital media containing Confidential data to be left unattended in any insecure location.
- When there is a legitimate need to provide records containing Confidential data to a third party, electronic records shall be password-protected and/or encrypted, and paper records shall be marked confidential and securely sealed.
Traveling Abroad with Students’ Personal Information
- In the event that transmission of student passport information is required by the hotel or program abroad in advance of the travel, only the relevant information requested (e.g., Name, Passport Number, Date of Expiry, and Date of Birth) will be provided, not complete copies of the passport images. This information should first be transmitted via Fax, provided that the Nyack College department arranging the travel confirms the accuracy of the Fax number by sending an initial confirmation message before the actual data. If Faxing is unavailable, the data may be sent securely via email (using SSL version of Google Mail), provided that the same confirmation of transmission takes place.
- Faculty/staff who need to retain these passport numbers for arranging travel will store this data in spreadsheets that are saved on the College’s secure Vault server. Any spreadsheets containing student passport information will be routinely deleted when not needed.
- Faculty/staff who are traveling with the students abroad that need student passport and visa information for hotel check-in will keep a paper record on their person that contains relevant information (such as the passport and visa numbers and their expiry dates) and the last names of the students only. Faculty/staff must not retain or travel with copies of student passports.
Destruction of Confidential Data
- Paper and electronic records containing Confidential data must be destroyed in a manner that prevents recovery of the data.
Third-Party Vendor Agreements Concerning Protection of Personal Information
Nyack College exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for Personal Information provided by the College to them. The primary budget holder for each department is responsible for identifying those third parties providing services to the College who have access to PI. It is the responsibility of the primary budget holders to confirm that the third parties maintain appropriate security measures to protect PI consistent with this Program and all other laws and regulations.
5.4 Computer system safeguards
The IT Department monitors and assesses information safeguards on an ongoing basis to determine when enhancements are required. The College has implemented the following to combat external risk and secure the College network and data containing PI:
- Secure user authentication protocols
- Unique passwords are required for all user accounts; each employee receives an individual user account.
- Server accounts are locked after multiple unsuccessful password attempts.
- Computer access passwords are disabled upon an employee’s termination.
- User passwords are stored in an encrypted format; root passwords are only accessible by system administrators.
- Access to specific files or databases containing PI is limited to those employees who require such access in the normal course of their duties.
- Files containing PI transmitted outside of the Nyack College network are to be encrypted.
- All College-owned computers and servers are firewall protected and regularly monitored.
- Operating system patches and security updates are installed to all servers.
- Antivirus and anti-malware software is installed and kept updated on all servers and workstations. Virus definition updates are installed on a regular basis.
Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the Director of Information Technology. The Director of Information Technology will document all breaches and subsequent responsive actions taken.
Any employee who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises data classified as Confidential or Internal Use Only without authorization, or who fails to comply with this Program in any other respect, will be subject to disciplinary action, which may include termination in the case of employees.
7.0 Policies cross-referenced
The following Nyack College policies provide advice and guidance that relates to this Program:
8.0 Annual Review
The College will review this Program at least annually and reserves the right to change, modify, or otherwise alter this Program at its sole discretion and at any time as it deems circumstances warrant.