Comprehensive Written Information Security Plan ("WISP")

This document draws on the text of 201 CMR 17.00 and a guide developed by the Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation.
(Version 1.0.2.1)


I. Definitions

  1. WISP: The term “WISP” refers to Emerson College’s Comprehensive Written Information Security Plan.
  2. PIRN: The term “PIRN” shall mean “Personal Information Requiring Notification.” PIRN encompasses any and all data regarding Massachusetts residents held by Emerson College, written or electronic, the improper disclosure of which would trigger written notification to both the Massachusetts Attorney General and the affected Massachusetts residents.

    Emerson College follows the statutory definition of “personal information” as it is used in 201 CMR 17.00. As such, PIRN means a Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements which relate to such resident: (a) Social Security number, or truncated Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number (“PIN”) or password that would permit access to a resident’s financial account.  PIRN does not include information which is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
  3. Breach: A “breach” shall mean the unauthorized acquisition or unauthorized use of either unencrypted PIRN, or encrypted electronic PIRN together with the confidential decryption process or key, that is capable of compromising the security, confidentiality, or integrity of PIRN maintained by the College, creating a substantial risk of identity theft or fraud against a resident of the Commonwealth.

    A good faith but unauthorized acquisition of PIRN by a person, for the lawful purposes of such person, is not a breach unless the PIRN is used in an unauthorized manner or subject to further unauthorized disclosure.

    A “breach” shall not include disclosure of PIRN which is legally accessible from an outside legitimate source, or where disclosure is required by court order or where necessary to comply with state or federal regulations.
  4. Data Custodian: A “Data Custodian” is a person or persons, in high-level management or their permitted and documented designee, who have been officially identified as responsible for the operation of a department within the College that requires access to PIRN.  Assignment of a designee by a high-level manager, who is expressly or inherently entrusted with PIRN, does not relieve that manager of responsibilities regarding the PIRN.
  5. Data Security Coordination Team: Emerson College has designated a team, led by the Vice President for Information Technology and consisting of the Director of Networking and Telecommunications, Director of Information Systems, Information Security Administrator, and the Data Custodians.  This Data Security Coordination Team shall be responsible for:
    1. Initial implementation of the WISP;
    2. Ensuring that training of employees is taking place in a manner consistent with the requirements of the WISP;
    3. Appropriate testing and annual review of the WISP;
    4. Evaluating the ability of third-party vendors, contractors and service providers to protect the PIRN to which they have been granted access by Emerson College in a manner consistent with 201 CMR 17.00; and taking the steps reasonably necessary to ensure that such third-parties are applying protective security measures at least as stringent as those required to be applied to PIRN under 201 CMR 17.00.

II. Objective

Emerson College’s objective in the development and implementation of this Written Information Security Plan is to ensure effective procedural, administrative, technological and physical safeguards for protecting the personal information of the residents of the Commonwealth of Massachusetts, and to ensure compliance with 201 CMR 17.00.

This WISP sets forth Emerson College’s procedures for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PIRN.

Emerson College has made the affirmative decision to identify what is and is not PIRN, and has declined the invitation to treat all records it maintains as PIRN.

III. Purposes

The purpose of the WISP is to:

  1. Safeguard the security and confidentiality of PIRN.
  2. Protect against any reasonably foreseeable threats or hazards to the security of PIRN.
  3. Protect against unauthorized access to, or use of PIRN in a manner that creates a substantial risk of identity theft or fraud.

Emerson College shall complete annual reviews of the WISP, and make adjustments, where necessary, to maintain compliance with 201 CMR 17.00.
 

IV. Scope

In formulating and implementing the WISP, Emerson College seeks to (1) identify reasonably foreseeable internal and external risks to the security and confidentiality of any electronic, paper, or other records containing PIRN; (2) assess the likelihood and potential damage from these threats; (3) evaluate the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks consistent with the requirements of 201 CMR 17.00; and (4) regularly monitor the effectiveness of those safeguards.

A copy of the WISP shall be distributed to each employee.

V. Commitment to Limited Collection of, and Access to, PIRN

Emerson College will collect, maintain and store only that PIRN which is reasonably necessary to accomplish the legitimate business purpose for which it is collected; limiting the time PIRN is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to have access to PIRN in order to accomplish such purpose or to comply with state or federal record retention requirements.  All persons granted access to PIRN shall be informed of Emerson College’s PIRN security plans, and shall be provided basic training for compliance with its requirements.

VI. Identified Locations of PIRN

Emerson College has identified specific electronic databases and servers, along with physical locations, where PIRN is known to exist.  These locations, while not an exhaustive list, are enumerated in Appendix A.  It is incumbent upon the Data Custodians in each department to make known to their staff who have PIRN access every identified location of PIRN to which those staff have access, and the importance of preserving its confidential nature.

VII. Identified Potential Risks to PIRN Security

  1. Internal
    1. Weak passwords used with accounts that have access to PIRN.
    2. Computers in publicly accessible areas that are not locked when an assigned employee with access to PIRN has temporarily stepped away from them.
    3. Insufficient physical security and controls which compromise access to workspaces and permit use of terminals, theft of equipment or access to paper files.
    4. Termination procedures that are not followed, resulting in continued access by former employees to PIRN.
    5. Employees transporting data on laptops, or on USB “thumb drives” and other types of removable media.
    6. Unencrypted connections to Emerson College data systems over which PIRN could be carried.
    7. Incomplete or ineffective training programs explaining to employees what PIRN is, and what the College’s responsibilities are in its handling.
    8. Insufficient physical controls, resulting in access to PIRN by unauthorized persons.
    9. Malware (including, but not limited to spyware, viruses, worms and trojans), which could compromise the security and integrity of PIRN.
    10. Hacking, spoofing and other activities intended to compromise data security and access data and data systems without authorization.
    11. Social engineering and improper sharing of PIRN by employees with those not granted permissions to it.
    12. Lack of audit procedures.
    13. Insufficient separation of systems into particular subnets.
    14. Sending/Forwarding PIRN to non-Emerson email addresses, or off-campus data systems.
    15. Sending paper-based PIRN through campus mail.
       
  2. External
    1. Vendors of the College who have been granted access to PIRN.
    2. Data accessed through the improper disposal of electronic media (including hard drives from disposed computers) and paper files.
    3. Off-site storage of electronic and paper media.
    4. Hacking and other activities intended to compromise data security and access data and data systems without authorization.
    5. Consultants and contractors who are not properly vetted.
    6. Weak physical security at off-site locations.
  3. Electronic Data Safeguards
    1. Identity Management: Emerson College will maintain a mechanism for managing computer accounts for active employees, and will have in place a mechanism for promptly disabling accounts of those individuals who are no longer employed and/or entrusted by the College.
    2. Passwords: Emerson College requires passwords for accessing any system that may contain PIRN.  Passwords must be at least eight characters in length, and contain at least three of the following: a numeric character; a special character; a lower case alpha character; and an upper case alpha character.  Passwords must be changed at least once every 120 days.  Emerson College’s password history is four years, and passwords cannot be reused during this duration.  Accounts shall be locked after excessive unsuccessful login attempts. Enforcement of the password policy shall be maintained through electronic means.

      Vendor assigned and default passwords shall be changed reasonably promptly, but must be changed before the system accessed through said password contains any PIRN.

      Access to PIRN shall be electronically limited to those employees with unique usernames.  Usernames and passwords with access to PIRN shall not be shared amongst individuals.
    3. Timeouts: On a data system where a significant quantity of PIRN is stored, where it is practical, electronic timeouts shall be employed to screen-lock or timeout the user’s session.
    4. Access to Computers: Access to computers shall be restricted to those for whom the access is necessary.  Persons entrusted with access to PIRN from their accounts shall ensure that they lock their computer screens, their office doors, or both, so that unauthorized access to PIRN does not occur.
    5. Data Security and Access Control Lists: Emerson College makes ongoing, self-audited efforts to ensure that only those persons, whose job descriptions and/or College-assigned objectives necessitate access to electronically stored PIRN will be granted such access.  A Data Custodian must authorize, in writing, any permissions that grant electronic access to shared files and folders that are designated to contain PIRN.

      For the purposes of this section, a job description, approved by the appropriate Data Custodian, that necessitates electronic access to share locations which are designated to contain PIRN, shall constitute written permission.
    6. Network Design Considerations: Emerson College shall maintain its firewall and Intrusion Prevention Systems so that networks which contain data servers are segregated from end-user systems.
      • Firewall: A commercial-grade firewall shall be maintained at Emerson College protecting systems containing PIRN from both external and internal unauthorized access.  The software running on the firewall shall be reasonably current.
      • IPS: a commercial-grade Intrusion Prevention System (“IPS”) shall be employed to detect and prevent known attack signatures from traversing to portions of Emerson College’s network.  The IPS must have an available subscription service to keep its signatures current, and the College must maintain that subscription.

        At a minimum, the IPS must have the capacity to monitor traffic between the major sections of the Emerson College data network including, but not limited to, Internal, Public, Students and DMZ.
    7. Data Encryption: Where electronic files containing PIRN must unavoidably be taken from a network drive and placed on portable media (including, but not limited to, a computer’s internal hard drives, USB “thumb drives,” externally connected drives and other removable media such as floppy disks), where it is practical, the files containing PIRN shall be encrypted in their entirety using encryption schemes that are commercially-accepted industry standards.
    8. Encrypted Network Transmission: Where feasible, when PIRN is transmitted over a data network where data interception is reasonably foreseeable, PIRN will be encrypted using industry standard encryption algorithms.

      Emerson College shall maintain SSL/TLS certificates, issued by a trusted certificate authority, which shall be used on web pages served by the College over which there exists the reasonably foreseeable possibility that PIRN may be accessed.
    9. VPN: Emerson College shall maintain a Virtual Private Network (“VPN”), which shall be used to encrypt data connections to the College where there is a reasonably foreseeable possibility that PIRN will be carried over the connection and an HTTPS (SSL/TLS) connection is not feasible.
    10. Malware Protection and Security Patches: There shall be reasonably up-to-date versions of virus/malware protective agents running on College-owned computers, which report back to a central server that is reviewed regularly for compliance with policy.

      Reasonable means and methods shall be taken to ensure that security-related critical patches are applied to operating systems and application software.
    11. Central File Storage: The College shall maintain a file server of sufficient speed and storage capacity to hold any and all electronic documents that may contain PIRN.  No PIRN should be stored on individual desktop computers, and PIRN shall not be placed on laptops or removable media absent notification to, and prior written consent from, the appropriate Data Custodian.
    12. Encrypted Backups: Wherever feasible, server backups shall be encrypted using an industry-accepted data encryption standard.
    13. Employee Orientation, Ongoing Data Security Training and Acceptable Use: The College shall maintain a data security employee training program.  A training program will be part of employee orientation, and employees whose positions at the College necessarily place them in contact with PIRN shall be provided additional training, within their departments, commensurate with the potential exposure.

      The College will maintain an acceptable use policy with which all persons granted access to Emerson College’s network will be required to comply.
  4. Data Retention and Destruction
    1. Destruction of records will be done in a commercially acceptable manner so that PIRN cannot be practically read or reconstructed.
    2. Where the College contracts with a third-party data destruction company, the College shall obtain written assurances from the third-party that its disposal practices are in compliance with M.G.L. ch. 93I.
  5. Paper Based Data Safeguards
    1. File Cabinets: Where filing cabinets are to be used for the storage of PIRN, the filing cabinets are to remain locked unless the need to access the files within is imminent or current.  Should removal of files containing PIRN from a filing cabinet be necessary, the files themselves must be protected against unauthorized access, and if the files will not be returned to the filing cabinet promptly, the filing cabinet shall be locked.  Files must be returned to filing cabinets, which are then to be locked, no later than the end of the workday of the employee which removed them, unless their overnight storage outside their designated filing cabinet is approved, in writing, by the appropriate Data Custodian.
    2. Transport: All efforts will be made to minimize the physical transport of printed PIRN, substituting encrypted electronic data transport instead.  Where printed PIRN must be transported, the carrier shall either be commercial and bonded, or a trained member of the Emerson College community.
  6. Third Party Entrustment
    1. Emerson College shall take all reasonable steps to verify that any third-party vendor, contractor or service provider with access to PIRN maintained by the College has the capacity to protect such PIRN in the manner required by 201 CMR 17.00.
    2. Emerson College desires that all third-party vendors, contractors or service providers entrusted with PIRN complete, and submit to the College, a written manifestation of their current and ongoing compliance with the requirements of 201 CMR 17.00.  Should the third-party not provide such documentation, or later withdraw their assent to the requirements, the College shall no longer provide any PIRN to said third-party and will take affirmative steps to ensure that previously entrusted PIRN is destroyed in a manner in-line with that which the College would use.
  7. Termination of the Relationship that Requires Entrustment of PIRN

    Employees may leave, be terminated, or switch roles within Emerson College.  The relationship between Emerson College and third parties may change.  Where the employee or third-party had access to specific PIRN and the changed relationship negates the need for access, Emerson College shall take specific affirmative steps to ensure that access to PIRN is withdrawn.
    1. All records containing PIRN, in any form, must be returned at the time of termination of the relationship.  If return is not feasible, destruction in accordance with industry standards, along with proof of such destruction, is acceptable.
    2. At the time of termination of the relationship, all electronic and physical access to PIRN must immediately cease and be blocked.  Former employees and third parties must return keys, IDs (if not required for other legitimate purposes), access control tokens and cards.  Electronic lock access shall be disabled.
    3. Continued access to PIRN by former employees and third parties with whom the business relationship has been terminated must be expressly authorized, in writing, by the appropriate Data Custodian.
  8. Disciplinary Actions for Violations of the WISP

    Employees must comply with the requirements of the WISP. Use of PIRN in a manner not expressly or impliedly granted by the College is prohibited during, and subsequent to, employment at Emerson College. Disciplinary action for infractions of the WISP shall be mandatory, the severity of which shall be commensurate to the infraction and may depend on a number of factors, including but not limited to, the nature of the violation, the nature of the PIRN, and the extent of the unauthorized use, exposure, or disclosure.
  9. Breach Procedures

    Whenever there is a breach that requires notification under M.G.L. c. 93H § 3, the College shall take, at a minimum, the following steps:
    1. A letter shall be sent to the Massachusetts Attorney General, minimally putting forth the information in Appendix B. The letter shall include as an attachment a copy of Emerson College’s WISP, but not including the WISP’s appendices.
    2. A letter shall be sent to the affected Massachusetts residents notifying them of the breach and minimally including the information in Appendix C.
    3. An immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in the security practices are required to improve the security of PIRN.
    4. Disciplinary action shall be taken against the individual, or individuals, who caused, or contributed to, the breach.
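The password controls in section VII.3.2 above (at least eight characters, three of four character classes, rotation every 120 days, no reuse within the four-year history, lockout after excessive failed logins) are concrete enough to be checked mechanically. The following is an added illustration of those checks, not Emerson College's own implementation. The numeric rules for length, character classes, maximum age and history window are taken from the WISP text; the lockout threshold of five failures and the fifteen-minute lock are assumptions, since the WISP says only "excessive unsuccessful login attempts" and sets no figure.

```python
"""Password policy and lockout checks modelled on the WISP (illustration only)."""
import hashlib
import hmac
import os
import time
from datetime import date, timedelta

MIN_LENGTH = 8            # from the WISP
MIN_CLASSES = 3           # from the WISP: 3 of digit / special / lower / upper
MAX_AGE_DAYS = 120        # from the WISP
HISTORY_YEARS = 4         # from the WISP
LOCKOUT_THRESHOLD = 5     # assumption: the WISP says only "excessive"
LOCKOUT_SECONDS = 15 * 60 # assumption: the WISP sets no lock duration
PBKDF2_ROUNDS = 100_000   # assumption: any slow, salted hash would do


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("special")   # anything else: punctuation, space, symbols
    return classes


def check_complexity(password):
    """Return the list of violated complexity rules; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("needs 3 of: digit, special, lower, upper")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are kept in history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_within_history(password, history, today_iso):
    """history is a list of (set_date_iso, salt, digest) for earlier passwords.

    Only entries set within the last HISTORY_YEARS count, matching the
    four-year history window in the WISP. Comparison is constant-time.
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=365 * HISTORY_YEARS)
    for set_on_iso, salt, digest in history:
        if date.fromisoformat(set_on_iso) < cutoff:
            continue
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def password_expired(set_on_iso, today_iso):
    """True when the password is older than the 120-day maximum."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(set_on_iso)
    return age.days > MAX_AGE_DAYS


class LoginThrottle:
    """Locks an account after LOCKOUT_THRESHOLD failures inside LOCKOUT_SECONDS."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the lock can be tested offline
        self.failures = {}          # username -> recent failure timestamps
        self.locked_until = {}      # username -> monotonic time the lock ends

    def is_locked(self, user):
        return self.locked_until.get(user, 0.0) > self.clock()

    def record_failure(self, user):
        """Record a failed login; return True if the account is now locked."""
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
        return self.is_locked(user)

    def record_success(self, user):
        """A successful login clears the failure counter (but not an active lock)."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_complexity("Abcdefgh1"), check_complexity("abcdefgh"))
    salt, digest = hash_password("OldPass1!")
    print(reused_within_history("OldPass1!", [("2022-06-01", salt, digest)], "2024-01-01"))
```

The history check compares against stored salted digests rather than plaintext, so enforcing "no reuse" does not require keeping old passwords readable; the throttle takes an injectable clock so the lock can be exercised without waiting fifteen minutes.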

Appendix A: Identified Locations of Personal Information Requiring Notification (“PIRN”)

--Information available to authorized persons only.--

Appendix B: Minimal Text to be Included in Letter to Attorney General

Pursuant to M.G.L. c. 93H, we are writing to notify you of [a breach of security/an unauthorized access or use of personal information] involving [number] Massachusetts residents.

NATURE OF THE SECURITY BREACH OR UNAUTHORIZED USE OR ACCESS

[This paragraph should provide the date of the incident, a summary of the nature of the incident, a description of the categories of personal information involved in the incident, and whether the personal information that was the subject of the incident was in electronic or paper form].

NUMBER OF MASSACHUSETTS RESIDENTS AFFECTED

[This paragraph should specify the number of affected individuals residing in Massachusetts whose personal information was the subject of the incident. This paragraph should also indicate that these Massachusetts residents have received or will shortly receive notice pursuant to M.G.L. c. 93H, s. 3(b) and should specify the manner in which Massachusetts residents have or will receive such notice. We should also include a copy of the notice to affected Massachusetts residents in our notification to the Attorney General].

STEPS TAKEN OR PLAN TO TAKE RELATING TO THE INCIDENT

[This paragraph should outline all the steps we have taken or plan to take relating to the incident including, without limitation, what we did when we discovered the incident; whether we have reported the incident to law enforcement; whether we have any evidence that the personal information has been used for fraudulent purposes; whether we intend to offer credit monitoring services to consumers; and what measures we have taken to ensure that similar incidents do not occur in the future.]

OTHER NOTIFICATION AND CONTACT INFORMATION

[Finally, our letter should indicate whether we have provided similar notification to the Director of Consumer Affairs and Business Regulation. We should also include the name and contact information for the person whom the Office of the Attorney General may contact if they have any questions or need further information.]


Appendix C: Minimal Text to be included in Letter to Affected Massachusetts Residents

Date
Resident’s Name
Address
City, MA, Zip
Dear___________________:

We are writing to notify you that a [breach of security/unauthorized acquisition or use] of your personal information occurred on [date(s)].

OUR NOTICE MUST INCLUDE THE FOLLOWING INFORMATION:

Under Massachusetts law, you have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

Massachusetts law also allows consumers to place a security freeze on their credit reports. A security freeze prohibits a credit reporting agency from releasing any information from a consumer's credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing or other services.

If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze.

To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies: Equifax; Experian; and TransUnion by regular, certified or overnight mail at the addresses below:

  • Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348
  • Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
  • Trans Union Security Freeze, Fraud Victim Assistance Department, P.O. Box 6790, Fullerton, CA 92834

In order to request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
  2. Social Security Number
  3. Date of birth
  4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years
  5. Proof of current address such as a current utility bill or telephone bill
  6. A legible photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.)
  7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft
  8. If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.

The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to authorize the removal or lifting of the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number), the PIN or password provided to you when you placed the security freeze, and the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.

If you should have any further questions, please contact [provide contact information].