Brandeis University Information Security Plan

I. Overview

This Information Security Plan (the "Plan") describes Brandeis University's safeguards to protect confidential personal information.

Confidential Personal Information ("CPI"), for purposes of this Plan, includes the following categories of information:

  • Customer Information as defined in the Gramm-Leach-Bliley Act (GLBA) to include any nonpublic personal information that the University obtains from a customer in the process of offering a financial product or service. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent or guardian when offering a financial aid package, and providing other financial services. Nonpublic personal information includes but is not limited to bank and credit card account numbers and income and credit histories, whether in paper or electronic format.
  • Personal Information as defined in Massachusetts General Law 93H, to include any data record (electronic or hard copy) that contains an individual's first name and last name or first initial and last name in combination with any of the following data elements that relate to the individual: (a) Social Security number; (b) driver's license number or government-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual's financial account; provided, however, that personal information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
  • Human Subject Information defined as information obtained through all research conducted at Brandeis that includes human subjects. Personally identifiable data collected for, used in, or produced by research involving human subjects. Such data may also be subject to the security requirements defined in the Federal Information Security Management Act of 2002 (FISMA).
  • Protected Health Information defined by the Health Insurance Portability and Accountability Act (HIPAA) as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" is information, including demographic data, that relates to: 1) the individual's past, present or future physical or mental health or condition, 2) the provision of health care to the individual, or 3) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

These safeguards are provided in order to:

  • Protect the security and confidentiality of CPI;
  • Protect against anticipated threats or hazards to the security or integrity of CPI; and
  • Protect against unauthorized access to or use of CPI that could result in substantial harm or inconvenience to any customer.

This Plan also provides for mechanisms to:

  • Identify and assess the risks that may threaten CPI maintained by Brandeis;
  • Develop written policies and procedures to manage and control these risks;
  • Implement and review the Plan; and
  • Adjust the Plan to reflect changes in technology, the sensitivity of CPI and internal or external threats to information security.

II. CPI Risk Management

Brandeis recognizes that both internal and external risks may potentially exist. These risks include, but are not limited to:

  • Unauthorized access of CPI by someone other than its owner
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of CPI by employees
  • Unauthorized requests for CPI
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of CPI through third parties

Brandeis recognizes that this may not be a complete list of the risks associated with the protection of CPI. Since technology growth is not static, new risks are created regularly. Accordingly, the LTS Department will actively participate and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS for identification of new risks.

A. Information Security Plan Coordinators

Dennis Devlin, the LTS Chief Information Security Officer, and Peter Giumette, Dean of Student Financial Services, serve as the coordinators of this Plan. They are responsible for assessing the risks associated with unauthorized transfers of CPI and implementing procedures to minimize those risks to Brandeis.

B. Design and Implementation of Safeguards Program

1. Employee Management and Training

Employees in departments that handle CPI, including certain confidential financial information, receive ongoing training on the importance of confidentiality of CPI. Employees are also trained in the proper use of computer information and passwords. Training further includes controls and procedures to prevent employees from providing confidential information to unauthorized individuals, including "pretext calling." ("Pretext calling" occurs when an individual attempts to improperly obtain personal information so as to be able to commit identity theft.) Employees are trained on how to properly dispose of documents that contain CPI. Each department responsible for maintaining CPI is instructed to take steps to protect CPI from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. These training efforts should help minimize risk and safeguard CPI security.

2. Physical Security

Brandeis has addressed the physical security of CPI by limiting access to only those employees who have a business reason to know such information. CPI is available only to Brandeis employees with an appropriate business need for such information.

Student loan files, account information and other paper documents containing CPI are kept in file cabinets, rooms or vaults that are locked each night. Only authorized employees know combinations and the location of keys. Unmonitored storage areas holding paper documents containing CPI are kept secure at all times. No paper documents containing CPI may be removed from campus without the express authorization of a department manager. Paper documents that contain CPI are shredded at the time of disposal.

3. Information Systems

Access to CPI via the University's computer information system is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and password. Databases containing CPI, including but not limited to accounts, balances and transactional information, are available only to Brandeis employees in appropriate departments and positions.

Brandeis takes reasonable and appropriate steps consistent with current technological developments to make sure that all CPI in electronic form is secure and to safeguard the integrity of records in storage and transmission. All systems connected to the Brandeis network are scanned for known vulnerabilities, allowing LTS to identify systems where patches and updates are not applied in a timely fashion and to take appropriate steps to mitigate the risk. Passwords for central UNet systems are required to comply with complexity rules and must be changed as described in the UNet Account Policy. When technically feasible, encryption technology is utilized for both storage and transmission. Legacy systems unable to support password policies or encryption will not be used. With regard to personal computers containing CPI, all memory components will be completely reformatted or otherwise erased for any new use. All CPI stored on laptops or other portable devices must be encrypted.

4. Responding to System Failures

Brandeis maintains systems to prevent, detect, and respond to attacks, intrusions, and other system failures. The Information Security Plan Coordinators regularly review network access and security policies and procedures, as well as protocols for responding to network attacks and intrusions. Any security breaches or other system failures must be reported immediately to the Information Security Plan Coordinators. Information Security Plan Coordinators shall be responsible for documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of CPI.

C. Service Provider Oversight

If the University chooses to retain a service provider that will maintain, process or regularly access CPI, Brandeis will carefully review the service provider's information security programs or other measures used by the service provider to protect CPI. Brandeis will assess the adequacy of the service provider's system of safeguarding information based upon CPI to which the service provider has access, the nature of services provided by the service provider, and the level of risk. The service provider will be required to have in place controls to assure that any subservicer (or subcontractor) used by the service provider will also be able to protect the University's CPI.

A clause will normally be included in all contracts with service providers having access to CPI related to Brandeis that will require them to implement security measures consistent with 201 CMR 17.00 et seq. to safeguard such CPI and to assure that such CPI is used only for the purposes set forth in the contract.

D. Computer System Security Infrastructure

Brandeis maintains a computer security system that provides at a minimum to the extent technically feasible:

  1. Secure user authentication protocols including:
    1. control of user IDs and other identifiers;
    2. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    3. control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    4. restricting access to active users and active user accounts only; and
    5. blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
  2. Secure access control measures that:
    1. restrict access to records and files containing CPI to those who need such information to perform their job duties; and
    2. assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
  3. Encryption of all transmitted records and files containing CPI that will travel across public networks, and encryption of all data containing CPI to be transmitted wirelessly.
  4. Reasonable monitoring of systems, for unauthorized use of or access to CPI;
  5. Encryption of all CPI stored on laptops or other portable devices;
  6. For files containing CPI on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the CPI.
  7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
  8. Education and training of employees on the proper use of the computer security system and the importance of CPI security.

The Information Security Plan Coordinators work with the appropriate University departments to ensure that this security system infrastructure is appropriately maintained.

E. Retention Time

CPI will only be retained for as long as needed for the University's reasonable business purposes, including for the purpose of complying with any state or federal law. Each department that stores CPI will annually review the CPI it has retained for the purpose of determining which information may be purged.

F. Violations of this Policy

Any employee who violates this policy shall be subject to discipline pursuant to the University's Corrective Action Policy or other relevant disciplinary policy.

G. Discontinuing Access upon Termination

Once an employee who has access to CPI concludes his/her employment, either voluntarily or involuntarily, such employee's access to CPI shall be terminated.

H. Continuing Evaluation and Adjustment

This Plan is subject to periodic review and adjustment. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the Information Security Plan Coordinators, who may designate specific responsibility for implementation and administration as appropriate.

This page was last modified on: Aug 31, 2009