This policy is applicable to all College students, faculty and staff and to all others granted use of Emerson College’s information resources. Every user of any of Emerson's information resources has some responsibility toward the protection of those assets; some offices and individuals have very specific responsibilities. This policy refers to all College information resources whether individually-controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the College. This includes networking devices, personal digital assistants, telephones, wireless devices, personal computers, workstations, tablets and any associated peripherals and software, regardless of whether used for administration, research, teaching or other purposes.
Reason for Policy
The purpose of this policy is to ensure the protection of Emerson's information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture. This policy states requirements for the protection of Emerson's information assets in accordance with Emerson College’s Written Information Security Policy.
Statement of Policy
1. Principles of Data Security
The purpose of data security is to protect the information resources of the College from unauthorized access or damage in accordance with Emerson College’s Written Information Security Policy. The underlying principles followed to achieve that objective are:
a. Information Resource Availability
The information resources of the College, including the network, the hardware, the software, the facilities, the infrastructure, and any other such resources, are available to support the teaching, learning, research, or administrative roles for which they are designated.
b. Information Integrity
The information used in the pursuit of teaching, learning, research, or administration is unadulterated.
c. Information Confidentiality
The ability to access or modify information is provided only to authorized users for authorized purposes.
d. Support of Academic Pursuits
The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives.
e. Access to Information
The value of information as an institutional resource increases through its appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.
2. Security Controls
Emerson College bases its security controls on the standards and framework published by the National Institute of Standards and Technology (NIST) in NIST 800-53. This set of recognized standards addresses various security requirements, including risk assessment and mitigation, asset management, organization of information security, physical and environmental security, access control, human resources security, development and maintenance, and incident management.
The Office of Information Technology develops and publishes security controls to ensure College information is properly protected. The Office of Information Technology reviews and updates these controls as necessary to ensure compliance with industry best practices and regulatory requirements. The security controls apply to all departments, data processing platforms and systems owned, managed, or leased by Emerson College or by any third-party providers.
3. Classification of Data
All College data is classified into one of three levels based on sensitivity and risk. These classifications take into account legal protections, contractual agreements, ethical considerations, privacy issues, and strategic or proprietary worth. The classification level determines the security protections and access authorization mechanisms that must be used for the information. Security guidelines can be found in the Data Classification, Access, Transmittal and Storage Guideline. Any questions about data and its classification should be directed to the Information Security Officer (ISO). The data classifications are as follows:
a. High Risk Data
Data is classified as "High Risk" if protection of the information is required by law or government regulation, or if Emerson College is required to provide notice to the individual if information is inappropriately accessed and to report unauthorized access to the appropriate government agencies.
b. Moderate Risk Data
Data is classified as "Moderate Risk" if it does not qualify as "High Risk" and any of the following applies: unauthorized access would impair the academic, research, or business activities of the College; it is made confidential pursuant to a legal contract; it is not generally shared, as determined by the Information Security Officer and the Data Custodians; or it is listed as Moderate Risk in the Data Classification, Access, Transmittal and Storage Guideline.
c. Low Risk Data
All information which does not fall into one of these categories is considered to be "Low Risk". Please see the Data Classification, Access, Transmittal and Storage Guideline for a listing of examples.
a. Information Security Officer (ISO)
The Information Security Officer is responsible for developing and implementing policies and procedures governing the privacy of data that the College is required or elects to protect and for disseminating policy related information.
b. Data Custodians
Data Custodians, who are responsible for granting access to their data, are responsible for the application of this and related policies to the systems, data, and other information resources under their care or control. Data Custodians are also responsible for compliance with the College’s Records Management Policy.
c. System Developers/Integrators/Network Administrators
System Developers/Integrators/Network Administrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care at the direction of the Data Custodians.
Every user of Emerson's information resources is responsible for understanding the classifications that apply to his or her data, for safeguarding the data in accordance with the standards set for that classification, and for the application of this and related policies to the systems, information, and other information resources which they use, access, transmit or store.
e. Third-party Affiliates
Emerson expects all partners, consultants and vendors to abide by Emerson's information security and privacy policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Emerson's information security and privacy policies. The Office of the General Counsel can assist users in drafting contract language that incorporates this requirement to abide by Emerson policies into third-party legal contracts.
5. Violations of Policy and Misuse of Information
Violations of this policy include, but are not limited to: accessing information to which the individual has no legitimate right; enabling unauthorized individuals to access information; disclosing information in a way that violates applicable policy, procedure, or other relevant regulations or laws; inappropriately modifying or destroying information; inadequately protecting information; or ignoring the explicit requirements of Data Custodians for the proper management, use, and protection of information resources.
Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the College.
a. Any School or Department using the services of an individual who is found to have violated this policy may be held accountable for the costs associated with a resulting information security incident.
b. Users must include, in third party legal contracts, provisions stating that third party vendors found to have violated this policy may incur financial liabilities, in addition to termination of the contract. The Office of the General Counsel can assist users in drafting contract language that incorporates this provision into third-party legal contracts.
6. Emerson’s Rights to Data on Enterprise Systems
Emerson College reserves the right to inspect, review, deny access to, modify, or remove any data that does not comply with College policies, guidelines, or state or federal law if that data is stored, transmitted, or redirected across its network or any enterprise storage/data transmission system. Emerson also reserves the right to deny access to its network or any enterprise storage/data transmission systems.