The College complies with Massachusetts General Law Chapter 93H, which went into effect in 2010 and requires notification of the affected individuals and two government agencies in the event of a data breach. 201 CMR 17 is the regulation that governs how such data must be secured; it also went into effect in 2010.
Data Classifications
To meet the requirements of Massachusetts law, and to make it easier to apply the right security controls to specific types of data, College data is classified into three categories. For the official policy, see the Data Classification policy in the policies section of the website. In summary, the categories and the data they contain are:
- Protected Data
  - Bank account numbers
  - Credit card numbers
  - Driver's license numbers
  - Financial account numbers
  - Social Security numbers
- Sensitive Data
  - Academic advising records
  - Student education records
  - Admission files, including test scores and transcripts
  - Student account data and Perkins loan information
  - Financial assistance application files, student federal work-study information, scholarships and Stafford loan information
  - Directory information for those students requesting FERPA data privacy protection as indicated in STAR
- Alumni Information
Data classified as "Protected" requires very specific safeguards per College policy, law and industry regulation. The required protections are largely detailed in the College's Written Information Security Plan (WISP), also found in the policies section of the website.
See the malware protection, software updates, training, and remote access sections for details on the implementation of these requirements, and how the implementation may affect you.
Data Security Practices
Information Security maintains data loss prevention tools and practices to prevent the loss of Protected and Sensitive Data.
Email Scanning for Protected Data
Automated systems scan outbound email for Protected data and quarantine flagged messages for administrator review. False positives are released; email that does contain Protected data is not. The sender is notified, and repeated attempts to email Protected data can lead to a policy violation notice.
Endpoint and Network Drive Scanning for Protected Data
College-owned machines and network drives are periodically scanned for Protected data. Hits are reviewed for false positives, and reports are then generated and delivered to department heads for remediation. Protected data may not be stored on College computers (laptops or desktops), nor on shared network drives (M:, P:). Safe alternatives exist; please contact us for assistance in finding one if necessary.
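Both scanning controls described above, the outbound email check and the endpoint/network drive scan, come down to the same two pieces: a detector for the formats of Protected data and a filter that keeps obvious false positives out of the review queue. The block below is an added illustration, not the College's own tooling. It covers the two Protected categories that have a checkable format (Social Security numbers and payment card numbers, the latter verified with the Luhn mod-10 check); bank account and driver's license numbers are assumed to need institution-specific patterns and are left out. The sample message and its numbers are constructed specimen values, not real data.

```python
import re
from pathlib import Path

# Added example: a minimal pattern scanner for two of the page's "Protected Data"
# categories that have a checkable format. Bank/financial account and driver's
# license numbers vary by issuer and state and are assumed to be out of scope here.

# SSN: 3-2-4 digits with optional dash or space separators. The lookaheads exclude
# area 000, 666 and 900-999, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

# Candidate card number: 13 to 19 digits with optional single separators.
# This deliberately over-matches; the Luhn check below removes most of the noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, kind: str) -> str:
    """Keep only the last four digits so the review report does not itself leak the value."""
    last4 = digits[-4:]
    if kind == "ssn":
        return f"***-**-{last4}"
    return "*" * (len(digits) - 4) + last4


def scan_text(text: str) -> list[dict]:
    """Return findings {type, value (masked), offset} for Protected data found in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        findings.append({"type": "ssn", "value": mask(digits, "ssn"), "offset": m.start()})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Length window plus Luhn check: a 13-digit order number that fails mod-10
        # is dropped here instead of landing in the administrator's review queue.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"type": "card", "value": mask(digits, "card"), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def should_quarantine(message_text: str) -> bool:
    """Email-gateway decision: hold the message for review if any Protected data is found."""
    return bool(scan_text(message_text))


def scan_files(root: Path) -> dict[str, list[dict]]:
    """Endpoint/network-drive style scan: findings keyed by file path for text-like files."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file():
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample message (not real data): 078-05-1120 is the well-known
# specimen SSN and 4111 1111 1111 1111 is a standard test card number.
SAMPLE_EMAIL = (
    "Hi, attaching the form. SSN is 078-05-1120 and the card on file is "
    "4111 1111 1111 1111. Call me at 617-555-0123."
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_EMAIL):
        print(finding)
    print("quarantine:", should_quarantine(SAMPLE_EMAIL))
```

Run on the sample, the scanner reports one masked SSN and one masked card number and flags the message for quarantine; the phone number is ignored because it is too short for either pattern. The same `scan_text` function serves the file scan, which is why the page's two controls can share one detector and one false-positive policy.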
Best Practices
Here are some quick guidelines:
- Store paper with Protected data in a locked container, in a locked office.
- Lock your office when you leave it unattended.
- Lock your screen when you're away from it.
  - On Windows, hit CTRL+L.
  - On a Mac, read these instructions. We prefer the fast user switching and keychain lock options.
- Choose strong passwords.
- Keep your software up-to-date.
- Take the data security awareness training.