This document describes the ongoing program of establishing and maintaining
security of personally identifiable information (PII, as defined by
Massachusetts 201 CMR 17.00) at Mount Holyoke College. It is expected
this document will become transformed as policies and procedures are changed
in response to new factors. This is not a policy document, but it will refer
to existing policies and procedures.
The information security program (subsequently called "the Program")
describes the administrative, technical, and physical safeguards that
are in place and the mechanisms for the review, improvement, monitoring, and
education of personnel in this program.
Maintaining the program
At Mount Holyoke College, the functions of a chief security officer are met by
the Privacy and Security Task Force. Individuals designated by this Task Force
are responsible for the review, improvement, monitoring, and
education of personnel in this program.
The Task Force develops policies, reviews compliance, and oversees the
training of employees in those policies, and oversees the information
Administrative and Educational Safeguards:
The College has enacted policies for employees dealing with confidential information
in general and PII specifically. This information is contained in the
collectively known as "The Privacy and Security Policy and Educational Documents"
(see Policy and
Education pages for the following documents).
The first document ("Responsible Use") is the
primary policy document that governs working with electronic
information. The other policies provide more detail about
elements of the "Responsible Use" policy.
- Policy on Responsible Use of Computing Resources at Mount Holyoke College
Working with Confidential Information for Employees, including Student Employees
This document does not properly define PII.
The document needs to talk about encrypting removable media,
Encryption requirements for sending PII across public networks
Encryption requirements for using wireless.
- Mount Holyoke College Employee Confidentiality Statement
This document does not define PII but uses term "personal information"
in a wider way than PII specifically.
This document is more of an umbrella statement
for the other two.
Summaries of Privacy Regulations and Implications for Mount Holyoke College
- This document does not have PII specifically mentioned.
- Email should not be used to send PII unless the message is encrypted.
Complying with Privacy and Security Regulations Overview
Complying with Privacy and Security Regulations Frequently Asked Questions
Complying with Privacy and Security Regulations Glossary of Terms
Storage and handling of paper records including PII are consistent with the policies
set forth in the Privacy and Security Policy and Educational Documents.
Physical access to the Data Centers in Kendade and Williston Library is
protected and monitored by the campus card system. Access includes designated
members of Information Technology and, for emergency purposes, designated
trade supervisors and Life/Safety personnel (Public Safety, Fire).
The access list is reviewed at least annually by the Director of Networking
and the Director of Auxiliary Services (campus card).
The technical safeguards relate to the storage and access to electronic
information. See also the document, "Policy on Responsible Use of
Computing Resources at Mount Holyoke College" at
the Policy and
User authentication and authorization
Authentication is based on 8-32 character passwords that meet specific
Passwords must be changed at least twice per year and cannot be reused.
Login failures to the UNIX ERP systems use the standard UNIX method of
blocking subsequent logins with an increasing time value for every
failed login attempt.
User access is restricted based on profiles assigned to specific users.
Daily reports from Human Resources provide employee departure information
by which computer account access is terminated or modified. Supervisors
may, for special circumstances, request that a former employee be
granted continuing access for a specific period of time.
Network access control
Individual computers need to be registered for use on campus.
There is a mechanism for guest registrations.
At the campus border, traffic to specific IP ports and specific campus
computers is blocked.
A more restrictive firewall is in front of the primary ERP systems.
Individual computers are set up to run up-to-date versions of
anti-virus software. The College maintains a license to provide
standard anti-virus software for students, faculty, and staff
on both College and personally owned computers.
Storage of PII
The primary storage for PII are the main ERP systems. However,
reports, documents, and spreadsheets containing PII may also be found
on local computers.
Portable devices (flash drives, removable disks, laptops) that are
identified as storing PII must have the storage area encrypted.
Currently the program TrueCrypt is used, but Macintosh encryption
or Windows 7 encryption may also be used.
Monitoring is done at several levels:
Network IP source/destination traffic information is maintained for
a period of time (currently 3 days). In the event of a suspected
security breach, traffic on a particular computer may be checked.
An intrusion detection system monitors traffic at the campus border
and blocks or notifies the Networking Department of suspicious
Systems and application level
Host computer systems are monitored for repeated login failures.
The email system detects suspicious patterns of email that may
indicate a particular computer account is sending spam, indicating
that it has been compromised.
Individual computer systems have anti-virus and anti-spyware installed.
Employees who use their own computers use the College anti-virus
software. The anti-virus software not only protects the system but
also notifies users of problems.
Individual users are responsible for identifying and reporting
suspicious behavior of their computers which might indicate
an infection or other compromise.
A program of identifying the scope and distribution of PII on campus
is being developed in order to:
Identify who has access to PII
Identify where PII is being stored and in what form
Provide targeted education for those employees regarding storage,
handling, and transmission of PII.
Provide user-level support to ensure that any storage
of the data is properly encrypted, if required.
Response to suspected computer compromise
The procedures describing the response to a suspected computer
compromise are found in