Issued: March 1st, 2010
Related Policies: Hampshire College Information Security Policy
The Data Security Policy is intended to help employees determine the sensitivity and confidentiality level of information. Massachusetts State law 201 CMR 17 requires sensitive data to be handled in such a manner as to limit the risk of data loss, theft, or leakage of sensitive information.
This policy applies to information that is stored or shared in any way. This includes, but is not limited to: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
These guidelines explain the different levels of information sensitivity and illustrate common sense steps that you can take to protect Hampshire College's confidential information (e.g., confidential information should not be left unattended in conference rooms).
Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the division of finance and administration.
All Hampshire College data will be assigned to one of the following categories:
Public information is information that has been declared public knowledge by the College, and can freely be given to anyone without any possible damage to Hampshire College.
Non-public or internal information is information available only to Hampshire College employees and students. This includes any information that requires a HampNet login to view. Examples of such information are: online directory, intranet content, and electronic mail (email). For non-electronic documents this includes business plans or projects.
Confidential information comprises all other information. Included is information that should be protected very closely, such as student records, employee records, financial records, social security numbers, driver's license numbers and any other personal information classified as such under applicable state and federal laws. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact his/her manager.
The sensitivity guidelines below provide details on how to protect information at varying sensitivity levels.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Approved Electronic File Transmission Methods
Includes supported SCP clients (secure, encrypted file transfer) and HTTPS (secure, encrypted web pages).
Approved Electronic Mail
Includes all mail systems supported by Information Technology. These include, but are not necessarily limited to, Thunderbird and Hampshire Webmail.
To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data. The PC or Mac's normal erasure routine keeps the data intact until overwritten.
Individual Access Controls
Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner. On Macs and PCs, this includes using passwords to log in and on resuming from screensavers, sleep, standby or hibernation.
Physical security means either having actual possession of an item at all times, or locking it in an unusable state to an object that is immovable. If it is a laptop or other portable computer or storage device, never leave it alone in a conference room, hotel room, or on an airplane seat, etc. In the office, always lock your door or secure the device with a lock cable when not in use. When leaving the office for the day, secure laptops and any other sensitive material in a locked drawer or cabinet. Paper materials of this nature should be kept in a locked cabinet.