- Policy Objective and Scope
- Simmons Information Security Officer
- Storage and Access of Sensitive Information
- Retention and Destruction of Sensitive Information
- Policy Compliance and Incident Response
Policy Objective and Scope
The objective of the Simmons Sensitive Information Policy is to advise and govern faculty, staff, and students on the storage and release of sensitive information at Simmons and to ensure that such storage and release is in compliance with Massachusetts General Laws as codified in 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth.
(back to top)
For the purposes of this policy, sensitive information is an individual's name, address, or telephone number combined with any of the following:
- Social security number or taxpayer ID number
- Financial account, credit or debit card number
- Financial/salary data
- Driver's license number
- Date of birth
- Medical or health information protected under state or federal law (e.g. HIPAA)
- Student data protected under state or federal law (e.g. FERPA)
- Access codes, security codes or passwords that would permit access to sensitive information
In addition, the security of other types of sensitive or confidential information is provided for in this policy. This includes, but is not limited to, information relating to any of the following:
- Current or future fundraising campaign strategies
- Donor information such as wealth, asset holdings, and giving history, internal and external to Simmons
- Planning and construction of facilities
- Information regarding Simmons current or projected financial matters, including its schools and programs
- Vendor proprietary information (e.g. information from a third-party held confidential by agreement)
- Information explicitly marked as confidential (e.g. documents prepared for the Board of Trustees)
Simmons Information Security Officer
In conformance with state law, Simmons has designated an Information Security Officer to maintain and monitor a comprehensive information security program.
(back to top)
Storage and Access of Sensitive Information
All remote access to sensitive information contained in applications and servers must be managed and secured exclusively by Technology. Technology provides encrypted remote access to applications and servers for this purpose. In all cases, data security can more easily be maintained and verified within the confines of Simmons, than on personally owned laptops and computers. Transporting unencrypted sensitive information on portable devices, such as laptops, CD media, or USB keys, which are subject to loss or theft, is not allowed.
Often times, gaining physical access to or observing the use of a computer can result in impermissible disclosure of sensitive information. Simmons requires steps to reduce the possibility of accidental disclosure in this manner including:
- Using an automatically activated screensaver password to secure the computer when it is unattended.
- Positioning monitors to prevent inadvertent disclosure of sensitive information on screens, or if repositioning is not possible, using physical "screen guards".
- Securing computer and portable media physically from theft or tampering by locking them within a secure area or securing them with a cable lock or audible alarm.
- Implementing software/hardware solutions that aid in recovery of lost or stolen computers.
- Implementing tools that aid in the identification of persons who unlawfully gain access to sensitive information to facilitate disciplinary action and/or prosecution by law enforcement agencies.
- Storing documents and data in a coded or encrypted form.
Virus and malware constitute a significant threat to sensitive information and may allow unwanted disclosure. All Simmons computers are equipped with virus and malware protection. Faculty and staff with Administrative Rights to Simmons computers shall not alter or disable this protection. Virus and malware protection is available free to students, faculty, and staff of the college for their personally owned computers from the Simmons Technology website. All computers, including those personally owned and attached to the campus network or used for the processing or storage of sensitive information, must have virus protection installed and up-to-date. Additionally, all computers must have their operating system and software security patches up-to-date.
Permissions and Passwords
Remote access to applications and systems is granted by authentication and authorization systems managed by Technology. In most cases, access is allowed via username and password. Faculty, staff and students must take precautions to safeguard usernames and passwords including:
- Not writing usernames and passwords down or keeping them where others could gain access.
- Never sharing or divulging to anyone usernames or passwords, including others at Simmons.
- Choosing strong passwords, including both letters and numbers, and at least one non-alphanumeric character (e.g. "$MmonsC011eg3").
- Not entering passwords on computers that have potential to be compromised, such as public computers in Internet cafés or airports.
- Refraining from saving or caching passwords in browsers or other applications.
Frequently, sensitive information in documents is sent between people and stored in email for later retrieval. This may result in sensitive information being vulnerable while stored on email servers, local computers both at work or home, and during transition. Users should avoid transmission or storage of sensitive information in email unless absolutely necessary, and only after the data is adequately encrypted. Technology is available to advise users on alternatives to storing sensitive information in email.
Any sensitive information downloaded from secure applications or servers to a non-college owned computer, laptop, or portable device or media shall not be stored unencrypted beyond the session of computer use in which it was downloaded. Such sensitive information must be either encrypted or deleted immediately after use.
(back to top)
Retention and Destruction of Sensitive Information
In some cases, the retention of data may be mandated by government and/or other regulations. In such cases, retention of data shall comply with these rules. Otherwise, copies of sensitive information that are made for a specific purpose must be deleted after that purpose has been fulfilled. In the case of paper or other disposable media, such as CDs, floppies, or magnetic tape, destruction should be complete and permanent. For assistance or advice, please contact the Simmons Help Desk.
If you have access to or copies of sensitive information in your possession or under your control, you are responsible for surrendering that information upon termination of your employment. Your manager, Dean, Vice President, or a member of Human Resources will work with you to assist you in this critical task prior to your last day of work. No Simmons employee - faculty or staff - should delete information at the conclusion of employment without consulting his/her supervisor.
Note: If your position gives you access to sensitive information as defined in this policy, your Simmons e-mail, computer, and network access shall be terminated immediately upon the conclusion of your employment.
(back to top)
Policy Compliance and Incident Response
All persons with access to sensitive information at Simmons College are responsible for compliance with this policy. Violations of this policy are serious and may result in disciplinary action up to and including termination of employment. Any disclosures of sensitive information that are not for Simmons College business purposes, shall be reported expeditiously to the Information Security Officer, the Office of the Senior Vice President of Finance & Administration, or the college Vice President and General Counsel. Such report shall include:
- The type and scope of information disclosed (who, what, when)
- Circumstances under which the disclosure occurred (where, how)
Contractors with whom the College shares sensitive information or who have incidental access to sensitive information within the scope of their work shall either sign an agreement acknowledging this policy and assuring to keep such information protected and confidential, or submit a copy of their company policy on confidentiality and protection of sensitive information for review and approval by the Information Security Officer and Vice President and General Counsel.
(back to top)
Approved by President's Council, February 10, 2009