Williams College Information Security Plan

I. Overview

This Information Security Plan (the “Plan”) describes Williams College’s safeguards to protect confidential personal information.

Confidential Personal Information (“CPI”), for purposes of this Plan, includes the following categories of information:

• Customer Information is defined in the Gramm-Leach-Bliley Act (GLBA) to include any nonpublic personal information that the College obtains from a customer in the process of offering a financial product or service. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent or guardian when offering a financial aid package, entering into mortgage loans with faculty or staff, and providing other financial services. Nonpublic personal information includes but is not limited to bank and credit card account numbers and income and credit histories, whether in paper or electronic format.
• Personal Information is defined in Massachusetts General Law 93H, to include any data record (electronic or hard copy) that contains an individual’s first name and last name or first initial and last name in combination with any of the following data elements that relate to the individual: (a) Social Security number; (b) driver’s license number or government-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; provided, however, that personal information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

These safeguards are provided in order to:

• Protect the security and confidentiality of CPI
• Protect against threats or hazards to the security or integrity of CPI
• Protect against unauthorized access to or use of CPI that could result in harm or inconvenience to any person.

This Plan also provides for mechanisms to:

• Identify and assess the risks to CPI maintained by Williams
• Develop policies and procedures to manage and control these risks
• Implement and review the Plan
• Adjust the Plan to reflect changes in technology, the sensitivity of CPI and internal or external threats to information security.

II. CPI Risk Management

Williams recognizes the existence of both internal and external risks to the security of CPI. These risks include, but are not limited to:

• Unauthorized access of CPI by someone other than its owner
• Compromised system security as a result of system access by an unauthorized person
• Interception of data during transmission
• Loss of data integrity
• Physical loss of data in a disaster or otherwise
• Errors introduced into systems
• Corruption of data or systems
• Unauthorized access of CPI by employees
• Unauthorized requests for CPI
• Unauthorized access through hard copy files or reports
• Unauthorized transfer of CPI through third parties

Williams recognizes that this may not be a complete list of the risks associated with the protection of CPI. Since technology is not static, new risks are created regularly. Accordingly, the Office for Information Technology (OIT) will actively participate in and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS for identification of new risks.

A. Information Security Plan Coordinators

Barron Koralesky, Chief Information Officer and Information Security Officer, Criss Laidlaw, Director of Administrative Information Systems, Matt Sheehy, Associate Vice President for Finance, and James Art, College Counsel serve as the coordinators of this Plan. They are responsible for assessing the risks associated with maintaining and transmitting CPI and implementing procedures to minimize those risks to Williams.

B. Design and Implementation of Safeguards Program

1. Employee Management and Training
   Employees in departments that use or have access to CPI in the course of their work for the College receive training on the importance of the confidentiality of CPI, including a review of the requirements of laws such as FERPA, HIPAA, GLBA, and the Massachusetts Identity Theft law. Employees are trained in how to avoid risks such as laptop theft, wireless snooping, phishing attacks, virus infections, and spyware. Employees are also trained in the importance of keeping passwords secure. Departments which routinely handle CPI are responsible for training their employees in controls and procedures to prevent employees from providing confidential information to unauthorized individuals. Employees are also trained how to properly dispose of documents that contain CPI. Each department responsible for maintaining CPI is instructed to take steps to protect CPI from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. These training efforts should help minimize risk and safeguard CPI security.
2. Physical Security
   Williams has addressed the physical security of CPI by limiting access to only those employees who have a business reason to know such information. CPI is available only to Williams employees with an appropriate business need for such information.
   Paper documents containing CPI are kept in office file cabinets or rooms that are locked each night. Only authorized employees have access to those spaces. Storage areas holding paper documents containing CPI are kept secure at all times. No paper documents containing CPI may be removed from campus without the approval of a department manager. Paper documents that contain CPI are shredded or securely destroyed at the time of disposal.
3. Information Systems
   Access to CPI via the College’s computer information system is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and password. Databases containing CPI, including but not limited to accounts, balances and transactional information, are available only to Williams employees in appropriate departments and positions.
   Williams takes reasonable and appropriate steps consistent with current technological developments to make sure that all CPI in electronic form is secure and to safeguard the integrity of records in storage and during transmission. OIT runs threat detection software to identify systems that are compromised and/or infected so they can take appropriate steps to mitigate the risk. Passwords for central software systems are required to comply with complexity rules and must be changed regularly. When technically feasible, encryption technology is utilized for transmission of CPI. All CPI stored on laptops or other portable devices must be encrypted. When personal computers are redeployed, all memory components are completely reformatted or otherwise erased for any new use.
4. Responding to System Failures
   Williams maintains systems to prevent, detect, and respond to attacks, intrusions, and other system failures. OIT regularly reviews network access and security policies and procedures, as well as protocols for responding to network attacks and intrusions. Any security breaches or other system failures must be reported immediately to the Information Security Officer. Information Security Plan Coordinators shall be responsible for documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of CPI.

C. Service Provider Oversight

Whenever the College retains a service provider that will maintain, process or have access to CPI, the College will ensure that the provider has in place an information security program sufficient to protect CPI. The College will include in the contracts with service providers having access to CPI a provision requiring the providers to have in place security measures consistent with the requirements of Massachusetts General Law c. 93H and regulations thereto and to assure that such CPI is used only for the purposes set forth in the contract.

D. Computer System Security Infrastructure

Williams maintains a computer security system that provides at a minimum to the extent technically feasible:

1. Secure user authentication protocols including:
   • control of user IDs and other identifiers
   • a reasonably secure method of assigning and selecting passwords
   • control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
   • restricting access to active users and active user accounts only
   • blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system
2. Secure access control measures that:
   • restrict access to records and files containing CPI to those who need such information to perform their job duties
   • assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls
3. Encryption of all transmitted records and files containing CPI that will travel across public networks, and encryption of all data containing CPI to be transmitted wirelessly
4. Reasonable monitoring of systems, for unauthorized use of or access to CPI
5. Encryption of all CPI stored on laptops or other portable devices
6. For files containing CPI on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the CPI
7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis
8. Education and training of employees on the proper use of the computer security system and the importance of CPI security.

The Information Security Plan Coordinators work with the appropriate College departments to ensure that this security system infrastructure is appropriately maintained.

E. Retention of CPI

CPI will only be retained for as long as needed for the College’s reasonable business purposes, including for the purpose of complying with any state or federal law. Each department that stores CPI will annually review the CPI it has retained for the purpose of determining which information may be purged.

F. Violations of this Policy

Any employee who violates this policy shall be subject to discipline pursuant to the College’s Code of Conduct or other relevant disciplinary policy.

G. Termination of Access to CPI

Once an employee who has access to CPI concludes his/her employment, either voluntarily or involuntarily, such employee’s access to CPI shall be terminated.

H. Continuing Evaluation and Adjustment

This Plan is subject to periodic review and adjustment. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the Information Security Plan Coordinators, who may assign specific responsibility for implementation and administration as appropriate.