Information Technology Division
Computing & Communications Center

Written Information Security Plan

Purpose

The purpose of the plan is to:

Discussion

The University’s objective, in the development and implementation of this comprehensive Written Information Security Plan (“WISP” or “Plan”), is to create effective administrative, technical and physical safeguards for the protection of personal information of Faculty, Staff, Students, Alumni and customers and residents of the Commonwealth of Massachusetts, and to comply with our obligations under 201 CMR 17.00. The Plan sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information of residents of the Commonwealth of Massachusetts. For purposes of this Plan, “personal information” means a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Written Information Security Plan

In formulating and implementing the Plan, we will

1.0 Data Security Manager

The University has identified the combined efforts of the Risk and Compliance Office, along with the Data Access Working Group, as the Data Security Managers with the following responsibilities:

2.0 Data Security Coordinators

The Data Access Working Group and the Data Stewards are designated as the Data Security Coordinators and are responsible for:

3.0 Internal Risks

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately.

4.0 External Risks

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately.


Please visit the Data Security site for references and information on other Data Security standards.

Maintained by itweb
Last modified: May 14, 2010, 11:08 EDT
[WPI] [CCC] [Top]