Program for complying with the standards for the protection of personal information

Revised 2011-01-20 (Minor revision 2013-02-20)

This document references Massachusetts 201 CMR 17.00 which can be found at:

  1. Purpose

    This document describes the ongoing program of establishing and maintaining security of personally identifiable information (PII, as defined by Massachusetts 201 CMR 17.00) at Mount Holyoke College. It is expected this document will become transformed as policies and procedures are changed in response to new factors. This is not a policy document, but it will refer to existing policies and procedures.

    The information security program (subsequently called "the Program") describes the administrative, technical, and physical safeguards that are in place and the mechanisms for the review, improvement, monitoring, and education of personnel in this program.

  2. Maintaining the program

    At Mount Holyoke College, the functions of a chief security officer are met by the Privacy and Security Task Force. Individuals designated by this Task Force are responsible for the review, improvement, monitoring, and education of personnel in this program.

    The Task Force develops policies, reviews compliance, and oversees the training of employees in those policies, and oversees the information security program.

  3. Administrative and Educational Safeguards:

    The College has enacted policies for employees dealing with confidential information in general and PII specifically. This information is contained in the following documents, collectively known as "The Privacy and Security Policy and Educational Documents" (see Policy and Education pages for the following documents).

    1. Policy documents:

      The first document ("Responsible Use") is the primary policy document that governs working with electronic information. The other policies provide more detail about elements of the "Responsible Use" policy.

      • Policy on Responsible Use of Computing Resources at Mount Holyoke College
      • Working with Confidential Information for Employees, including Student Employees
        • This document does not properly define PII.
        • The document needs to talk about encrypting removable media, including laptops
        • Encryption requirements for sending PII across public networks
        • Encryption requirements for using wireless.
      • Mount Holyoke College Employee Confidentiality Statement
        • This document does not define PII but uses term "personal information" in a wider way than PII specifically.
        • This document is more of an umbrella statement for the other two.
      • Summaries of Privacy Regulations and Implications for Mount Holyoke College
        • This document does not have PII specifically mentioned.
        • Email should not be used to send PII unless the message is encrypted.
    2. Training materials:
      • Complying with Privacy and Security Regulations — Overview
      • Complying with Privacy and Security Regulations — Frequently Asked Questions
      • Complying with Privacy and Security Regulations — Glossary of Terms
  4. Physical Safeguards:

    Storage and handling of paper records including PII are consistent with the policies set forth in the Privacy and Security Policy and Educational Documents.

    Physical access to the Data Centers in Kendade and Williston Library is protected and monitored by the campus card system. Access includes designated members of Information Technology and, for emergency purposes, designated trade supervisors and Life/Safety personnel (Public Safety, Fire). The access list is reviewed at least annually by the Director of Networking and the Director of Auxiliary Services (campus card).

  5. Technical Safeguards:

    The technical safeguards relate to the storage and access to electronic information. See also the document, "Policy on Responsible Use of Computing Resources at Mount Holyoke College" at the Policy and Education pages.

    1. User authentication and authorization
      • Authentication is based on 8-32 character passwords that meet specific strength standards.
      • Passwords must be changed at least twice per year and cannot be reused.
      • Login failures to the UNIX ERP systems use the standard UNIX method of blocking subsequent logins with an increasing time value for every failed login attempt.
      • User access is restricted based on profiles assigned to specific users.
      • Daily reports from Human Resources provide employee departure information by which computer account access is terminated or modified. Supervisors may, for special circumstances, request that a former employee be granted continuing access for a specific period of time.
    2. Network access control Individual computers need to be registered for use on campus. There is a mechanism for guest registrations.
    3. Firewalling At the campus border, traffic to specific IP ports and specific campus computers is blocked. A more restrictive firewall is in front of the primary ERP systems.
    4. Anti-virus Individual computers are set up to run up-to-date versions of anti-virus software. The College maintains a license to provide standard anti-virus software for students, faculty, and staff on both College and personally owned computers.
    5. Storage of PII

      The primary storage for PII are the main ERP systems. However, reports, documents, and spreadsheets containing PII may also be found on local computers.

      Portable devices (flash drives, removable disks, laptops) that are identified as storing PII must have the storage area encrypted. Currently the program TrueCrypt is used, but Macintosh encryption or Windows 7 encryption may also be used.

  6. Monitoring

    Monitoring is done at several levels:

    1. Network level
      • Network IP source/destination traffic information is maintained for a period of time (currently 3 days). In the event of a suspected security breach, traffic on a particular computer may be checked.
      • An intrusion detection system monitors traffic at the campus border and blocks or notifies the Networking Department of suspicious traffic.
    2. Systems and application level
      • Host computer systems are monitored for repeated login failures. The email system detects suspicious patterns of email that may indicate a particular computer account is sending spam, indicating that it has been compromised.
      • Individual computer systems have anti-virus and anti-spyware installed. Employees who use their own computers use the College anti-virus software. The anti-virus software not only protects the system but also notifies users of problems.
    3. User level
      • Individual users are responsible for identifying and reporting suspicious behavior of their computers which might indicate an infection or other compromise.
      • A program of identifying the scope and distribution of PII on campus is being developed in order to:
        1. Identify who has access to PII
        2. Identify where PII is being stored and in what form
        3. Provide targeted education for those employees regarding storage, handling, and transmission of PII.
        4. Provide user-level support to ensure that any storage of the data is properly encrypted, if required.
  7. Response to suspected computer compromise

    The procedures describing the response to a suspected computer compromise are found in this document.