Data Security Policy
Issued: March 1st, 2010
Related Policies: Hampshire College Information Security Policy
The Data Security Policy is intended to help employees determine the sensitivity and confidentiality level of information. Massachusetts State law 201 CMR 17 requires sensitive data to be handled in such a manner as to limit the risk of data loss, theft, or leakage of sensitive information.
This policy applies to information that is stored or shared in any way. This includes, but is not limited to: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
These guidelines explain the different levels of information sensitivity and illustrate common sense steps that you can take to protect Hampshire College's confidential information (e.g., confidential information should not be left unattended in conference rooms).
Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the division of finance and administration.
All Hampshire College data will be assigned to one of the following categories:
- LEVEL I: Public: Low Sensitivity
- LEVEL II: Non-Public/Internal: Moderate Sensitivity
- LEVEL III: Confidential: High Sensitivity
Public information is information that has been declared public knowledge by the College, and can freely be given to anyone without any possible damage to Hampshire College.
Non-public or internal information is information available only to Hampshire College employees and students. This includes any information that requires a HampNet login to view. Examples of such information are: online directory, intranet content, and electronic mail (email). For non-electronic documents this includes business plans or projects.
Confidential information contains all other information. Included is information that should be protected very closely, such as student records, employee records, financial records, social security numbers, drivers license numbers and any other personal information classified as such under applicable state and federal laws. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact his/her manager.
The sensitivity guidelines below provide details on how to protect information at varying sensitivity levels.
- Examples: Any public data that is associated with the College in an official manner. This may include and is not limited to websites, publications, white papers etc, as well as paper records or files.
- Access: Public.
- Storage Requirements: May be stored on local devices.
- Distribution within Hampshire College: Standard interoffice mail, electronic mail, and electronic file transmission methods.
- Distribution outside of Hampshire College internal mail: U.S. mail and other public or private carriers, electronic mail, and electronic file transmission methods.
- Electronic distribution: No restrictions.
- Disposal/Destruction: No restrictions.
- Examples: Project data, electronic mail (email), business transactions that do not include Level III data, internal directory information. This may include and is not limited to physical and or electronic media and paper records or files.
- Access: Hampshire College employees and non-employees who have a business need to know. Protecting this data will prevent potential liability, data tampering, and/or negative publicity for the college.
- Storage Requirements: May be stored on local devices, but storage on a Hampshire College file server is strongly encouraged.
- Distribution within Hampshire College: Standard interoffice mail, electronic mail and electronic file transmission methods.
- Distribution outside of Hampshire College internal mail: Sent via U.S. mail or approved private carriers.
- Electronic distribution: No restrictions to approved recipients within Hampshire College, but should be securely transmitted when sent to recipients outside of Hampshire College premises. Examples: SCP (secure file transfer) and HTTPS (secured web pages).
- Disposal/Destruction: Electronic data should be expunged/cleared. Reliably erase or physically destroy media (CD, DVD, USB drives etc.).
- Examples: Drivers license numbers; personal information ( DOB, maiden names ,etc ); financial data ( bank account numbers, W-2's-1099's); credit card numbers; social security numbers; official transcripts; and human resource records. This may include and is not limited to physical and or electronic media and paper records or files.
- Access: Only those individuals (Hampshire College employees and non-employees) with a business need to access. Protection of data is required by law (e.g. HIPAA, FERPA, Massachusetts state law 201 CMR 17). Protecting this data prevents potential liability, severe negative publicity, and long-term loss of critical campus or department services, data tampering, and/or legal action against the college. Non Hampshire College employees and third parties must provide written assurance, to the director of information technology ,of compliance with Mass 201 CMR 17. Exceptions may be made for State and Federal agencies
- Storage: Individual access controls (strong passwords) are required for electronic information. Physical security (see definition below) is required. Storage on desktops, laptops, and portable devices is strongly discouraged.and should be avoided if possible. Encryption required. This includes but is not limited to USB sticks, portable hard drives, CD ROM, DVD or by other means of electronic data storage . Paper records and or files must be kept in an area designated as secure with appropriate physical access controls such as card readers or locks. Access to secure areas must be logged by the department responsible for the materials in question.
- Distribution within Hampshire College: Delivered direct; signature required; envelopes stamped confidential; or approved electronic file transmission methods.
- Distribution outside of Hampshire College internal mail: Delivered direct; signature required; approved private carriers.
- Electronic distribution: It is required that all information be strongly encrypted.
- Disposal/Destruction: Electronic data should be expunged/cleared. Reliably erase or physically destroy media. Paper materials should be shredded in accordance with the College's Record Retention and Destruction Policy.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Terms and Definitions
Approved Electronic File Transmission Methods
Includes supported SCP (Secure encrypted file transfer clients) and HTTPS (secure encrypted web pages).
Approved Electronic Mail
Includes all mail systems supported by Information Technology. These include, but are not necessarily limited to, Thunderbird and Hampshire Webmail.
To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data. The PC or Mac's normal erasure routine keeps the data intact until overwritten.
Individual Access Controls
Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner. On Macs and PCs, this includes using passwords to login and on resuming from screensavers, sleep, standby or hibernation.
Physical security means either having actual possession of an item at all times, or locking it in an unusable state to an object that is immovable. If it is a laptop or other portable computer or storage device, never leave it alone in a conference room, hotel room, or on an airplane seat, etc. In the office, always lock your door or secure via a lock cable when not in use. When leaving the office for the day, secure laptops, and any other sensitive material in a locked drawer or cabinet. Paper materials of this nature should be kept in a locked cabinet.