- Objective
Our objective, in the development and implementation of this comprehensive written information security plan (“Plan”), is to create effective administrative, technical and physical safeguards for the protection of “personal information” of recruits, applicants, students, employees, alumni and friends of Bentley University, and to comply with our obligations under Massachusetts regulation 201 CMR 17.00. The Plan sets forth our procedures for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting “personal information” of residents of the Commonwealth of Massachusetts.
For purposes of this Plan, “personal information” is defined as a Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account where Bentley is the custodian of that data; provided however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
- Purpose
The purpose of this Plan is to:
- Ensure the security and confidentiality of “personal information”;
- Protect against any potential threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to, or use of, such information in a manner that creates a substantial risk of identity theft or fraud.
- Scope
In formulating and implementing the Plan, we will (1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information; (3) evaluate the sufficiency of existing policies, practices, procedures, information systems, and other safeguards in place to control risks; (4) design and implement a plan that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5) regularly monitor the Plan.
- Data Security
Bentley has designated the Chief Information Security Officer to implement, supervise and maintain the Plan. The Information Security and Privacy Administrator will be responsible for:
- Initial implementation of the Plan;
- Oversight of ongoing employee training for all owners, managers, employees and independent contractors that have access to “personal information” on the elements of the Plan;
- Monitoring the Plan’s safeguards;
- Assessing third-party service providers that have access to and/or host, transmit, back up or maintain “personal information”, and requiring those service providers by contract to implement and maintain appropriate security measures for “personal information”;
- Reviewing the scope of the security measures whenever there is a material change in our business practices that may implicate the security or integrity of records containing “personal information”;
- Reviewing legislation and laws and updating policies and procedures as required.
- Internal Risks
To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective as of 11/20/2015:
Administrative measures:
- The amount of “personal information” collected must be limited to the amount reasonably necessary to accomplish our legitimate business purposes. This risk is being addressed through privacy audits in various areas.
- All data security measures shall be reviewed whenever there is a material change in our business practice that may reasonably implicate the security or integrity of records containing personal information. The Chief Information Security Officer shall be responsible for this review and shall fully apprise management of the results of that review and any recommendations for improved security arising from that review.
- Through Confidentiality Agreements, staff members are required to report any suspicious or unauthorized use of “personal information” to Bentley’s Chief Information Security Officer.
- Whenever there is an incident that requires notification under M.G.L. c. 93H, there shall be an immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in our security practices are required to improve the security of “personal information” for which we are responsible.
Physical measures:
- Access to records containing “personal information” shall be limited to those persons who are reasonably required to know such information in order to accomplish our legitimate business purpose. This risk is being addressed through redaction of sensitive information, storing paper records in locked facilities and implementing data security controls for electronic records.
- At the end of the work day, all files and other records containing “personal information” must be stored in locked rooms, offices or cabinets.
- Paper records containing “personal information” shall be disposed of in a manner that complies with M.G.L. c. 93I.
Technical measures:
- When employees who have access to “personal information” are terminated, Bentley terminates their access to network resources and physical devices that contain “personal information”. This includes termination or surrender of network accounts, database accounts, keys, badges, phones, and laptops or desktops.
- Employees are required to change their passwords, at a minimum, annually for systems that contain “personal information”.
- Access to “personal information” shall be restricted to active users and active user accounts only.
- Where technically possible, all Bentley-maintained systems that store “personal information” will employ automatic locking features that lock the account after multiple unsuccessful login attempts.
- Electronic records (including records stored on hard drives and other electronic media) containing “personal information” shall be disposed of in a manner that complies with M.G.L. c. 93I. This requires that the information be destroyed or erased so that personal information cannot practicably be read or reconstructed.
- External Risks
To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective as of 11/20/2015:
- Systems that store “personal information” have reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of that information.
- Systems that process “personal information” run reasonably up-to-date system security agent software that includes malware protection, with reasonably up-to-date patches and virus definitions.
This policy was approved by the Bentley University IT Steering and Privacy Committee on 11/20/2015.