Tufts Security and Privacy Program
This Security and Privacy Program supports compliance with Massachusetts laws for safeguarding personal information and the requirement for a Written Information Security Program (WISP).
The objective of Tufts University, in developing and implementing this Security and Privacy Program (“Program”), is to create effective administrative, technical and physical safeguards to protect sensitive and personal information, and to comply with the University’s obligations under M.G.L. 93 H, 93 I and 201 CMR 17.00 (the “Data Laws and Regulations”) and other applicable laws, regulations, and contractual obligations. This plan explains the elements of the Program, including the requirements for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information. The Program covers all forms of personal information, whether it is maintained on paper, digital, or other media.
For purposes of this Program, “personal information” shall have the meaning set forth in the Data Laws and Regulations, as applicable and as amended from time to time. In general, “personal information” includes an individual’s first name and last name or first initial and last name, in combination with that person’s: (a) Social Security number; (b) driver’s license or other state-issued identification card number; or (c) credit or debit card number or other financial account number, in each case with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. “Personal information” does not include publicly available information. The University, from time to time, may elect to include additional types of personally identifiable information in some or all of the Program’s elements.
In addition to the requirements of this Program, University units that are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are also subject to the HIPAA Privacy Rule.
The purpose of the Program is to effect compliance with applicable laws (including the Data Laws and Regulations) by:
- identifying reasonably foreseeable internal and external risks to the confidentiality and/or integrity of any electronic, paper, or other records containing personal information;
- assessing the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
- evaluating the sufficiency of existing policies, procedures, information systems, internal controls and security practices, in addition to other safeguards in place to control risks;
- designing and implementing a plan that puts safeguards in place to minimize those risks, consistent with the requirements of Massachusetts laws; and
- periodically monitoring the effectiveness of those safeguards.
III. Program Components
The Program will include the following components:
1. Information Stewards
Information Stewards are appointed within each division or school of the University. The Information Stewards will assist their managers in implementing and maintaining the Program, using resources provided by the Program as well as local resources.
2. Information Stewardship Subcommittee (ISS)
The ISS is a subcommittee of the IT Steering Committee. Members of the ISS will provide guidance on information security policy and on the development of resources for compliance with the Program and the law.
3. The Office of University Counsel (OUC)
The OUC coordinates the delivery of all legal services on behalf of Tufts University. This office provides advice and support to the University's administrative and academic departments on legal matters and the development of related policy and Program oversight.
4. Tufts Technology Services (TTS) / Information Security
TTS delivers information technologies to the Tufts community in support of teaching, learning, research, administration, and outreach. TTS’s Directorate of Information Security provides University-wide IT security services.
The University will provide personnel training on how to handle personal information appropriately as part of their job responsibilities.
Information - such as new tools, policies, or best practices for personal information - will be disseminated to organizational units in a timely manner.
7. Policies and Procedures
The University will create policies and procedures to protect the confidentiality of personal information and to comply with the requirements of the Data Laws and Regulations.
8. Tools & Resources
The University will make appropriate software, hardware, guidelines, and other resources available to business units to help protect the confidentiality of personal information.
The buildings, networks, and appliances that comprise the work environment of the business units at Tufts and help support secure management of personal information.
10. Vendor Management
The process for ensuring that vendors contractually comply with applicable law concerning the secure handling and disposition of personal information and meet Tufts’ legal requirements.
11. Monitor & Audit
The process for checking compliance with the Program.
12. Security Breach Response
The controlled process for investigating a potential security breach, mitigating the impact of a breach, and taking appropriate notification and corrective action as necessary.
IV. Roles and Responsibilities
1. Office of University Counsel & Tufts Technology Services
TTS, in consultation with OUC, shall be responsible for establishing, operating, and monitoring the Program, including managing and coordinating the following with respect to personal information:
- Developing and implementing a documented data privacy program.
- Planning and facilitating a University-wide outreach and awareness program.
- Advising business units on security measures, acceptable practices, breach notification, and data destruction procedures.
- Planning and facilitating the development and implementation of information policies and procedures.
- Developing best practices for ensuring that third party vendors comply with applicable laws and regulations concerning the secure handling and destruction of personal information.
- Monitoring changes to applicable laws, regulations, standards, and best practices.
The Director, Information Security, TTS, and the Director’s designees shall be responsible for maintaining this Program.
2. Information Stewards
Each business unit or group shall appoint one or more representatives as designated Information Stewards. Information Stewards are responsible for organizing and supporting the proper handling of personal information in their unit or group. Information Stewards carry out their responsibilities by coordinating and collaborating with their unit or group’s manager, who shares with the Information Steward responsibility for the proper management and protection of personal information.
An Information Steward:
- Knows about protecting personal information:
  - Regularly attends training and reviews information provided by Information Security, especially through the Information Steward Portal
  - Is familiar with the laws and regulations and the university policies that apply to personal information
  - Is familiar with best practices for protecting personal information
- Knows and learns about their group:
  - Knows and learns about what type of personal information their group uses or stores
  - Is able to describe the activities that use or store personal information in their group
  - Using supporting tools, documents what personal information is used and how it is used
- Consults with Information Security to evaluate and develop their group’s practices to protect personal information:
  - Develops local policies and procedures for their group for collecting, accessing, transporting, storing, and disposing of records containing personal information
  - Coordinates and supports implementing university and local policies and procedures to safeguard the handling of personal information by their group
- For the staff, faculty, students and others that are part of their group, raises their awareness of the importance of protecting personal information:
  - Educates and provides training, using supplied materials
  - Acts as a resource as staff and others implement practices to protect personal information
- Understands what to do if there is a possible breach of personal information
3. Information Stewardship Subcommittee
The Information Stewardship Subcommittee shall provide advice and guidance on matters concerning the proper stewardship and protection of information, information policy, and resource development for compliance with the Program and the law.
V. Response to Internal & External Risks
To address both internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve the effectiveness of the current safeguards for limiting such risks, Tufts shall implement the following measures:
- The University shall make available a description of the Program to persons with access to personal information within their business unit and such persons must comply with the processes and procedures of the Program that are generally applicable or specifically applicable to a business unit.
- The University shall provide ongoing training to all persons who access personal information as part of their job or contracted process and employees who use the University’s computer security systems.
- Employee training shall include information on the importance of personal information security.
2. Employee Compliance & Disciplinary Action
- Per Tufts’ Business Conduct Policy, all employees must operate in compliance with applicable laws and regulations.
- Tufts shall take appropriate disciplinary action against employees and others for violating security provisions of the Program.
3. Limiting Collection of Personal Information
- The amount of personal information collected shall be limited to that amount reasonably necessary to accomplish Tufts’ legitimate business purposes, or necessary for Tufts to comply with state or federal laws and regulations.
- Access to records containing personal information shall be limited to those persons who reasonably require such access to such information in order to accomplish Tufts’ legitimate business purposes, or as necessary to comply with state or federal laws and regulations.
- The retention period for personal information shall be limited to the period that is reasonably necessary to accomplish Tufts’ legitimate business purposes, or necessary for Tufts to comply with state or federal laws and regulations.
- The head of each business unit, working with Digital Collections and Archives, shall define retention periods for records and data with personal information in accordance with University policies and procedures.
4. Monitoring Upgrades
- The University shall perform regular monitoring to ensure that the Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information. The University shall upgrade its information safeguards based upon its assessment of risk.
- The University shall reasonably monitor computer systems that maintain or process personal information for excessive access to personal information or unauthorized use.
5. Security Scope Review
- The University shall review security measures at least annually, or whenever there is a material change in Tufts’ business practices that may reasonably implicate the confidentiality or integrity of records containing personal information.
6. Separated Employees
- Any separated employee shall return all records containing personal information, in any form, that may be in his or her possession at the time of such separation (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).
- A separated employee’s physical and electronic access to personal information shall be blocked as soon as reasonably possible. The separated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the University’s premises or information. A separated employee’s remote electronic access to all forms of personal information shall be promptly disabled.
7. System and Application Passwords
- Passwords shall be robust and changed periodically in a manner consistent with password standards adopted by TTS.
8. Access Control
- Access to personal information shall be restricted to active users and active user accounts only.
- Access to electronically stored personal information shall be limited to those employees having a unique log-in ID; this means users shall not share a common login token or use a generic account.
- The secure access control measures in place shall include assigning unique identification tokens and passwords, which are not vendor-supplied default passwords, to each person with authorized access to personal information.
9. Secure Authentication
There shall be secure user authentication protocols in place, including:
- Documented protocols for control of user IDs and other tokens or identifiers;
- A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies;
- Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; and
- Blocking of access to user identification after multiple unsuccessful attempts to gain access where technically feasible and in accordance with TTS policies on authentication. When not feasible, exceptions must be formally documented and require approval from the appropriate manager(s) and IT unit(s).
10. Physical Security
- Each business unit shall ensure that reasonable restrictions for physical access to and secure storage of records containing personal information are in place.
- Employees shall be prohibited from leaving files containing personal information unattended in an unsecure area.
- At the end of the workday, all files and other records containing personal information shall be secured in a manner that is consistent with the Program’s rules for protecting the security of personal information.
11. Secure Data Destruction (Physical & Electronic)
- All personal information stored electronically, on paper, or on other media that requires destruction at the end of its life cycle shall be destroyed in a manner such that the information cannot practicably be read or reconstructed, as required by M.G.L. 93 I. For purposes of this paragraph, personal information shall include biometric indicators, as provided in M.G.L. 93 I.
12. Firewall & Security Software
- The University shall maintain reasonably up-to-date firewall protection and operating system security patches, designed to reasonably maintain the integrity of the personal information, installed on all systems processing and containing personal information connected to the internet.
- The University shall make available reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions. The most current security updates shall be applied on a regular basis.
13. Data Encryption
- All personal information when stored on laptops or other portable devices, and all records and files containing personal information transmitted across public networks or wirelessly, shall be encrypted to the extent technically feasible*.
- Portable devices include all media for backups of devices storing PI.
*Encryption here means the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which there is a low probability of meaning being assigned without the use of a confidential process or key, unless further defined by applicable laws or regulations.
14. Suspicious Activities & Breach Reporting
- Employees shall be instructed to report any suspicious or unauthorized use of personal information in accordance with the University’s policies and procedures. See Reporting Information Security Incidents.
- Whenever there is an incident that requires notification under M.G.L. c. 93H, §3, per the decision of OUC, all responsive actions shall be documented and a post-incident review of events and actions taken shall be conducted.
15. Third-Party Service Providers
- For services that will include personal information, the University shall take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the Data Laws and Regulations.
- The University shall require such third-party service providers by contract to implement and maintain such appropriate security measures.
Patricia Campbell, Executive Vice President
February 26, 2010
September 6, 2016
March 1, 2010
David Kahle, Vice President for Information Technology and Chief Information Officer
Tufts University places a priority on protecting combinations of personal information, the unauthorized disclosure of which is most likely to cause substantial harm such as identity theft and major financial fraud. High-risk personal information combinations include the use of names in combination with financial account numbers, Social Security Numbers and/or state issued ID numbers.