{"id":2579,"date":"2015-06-23T12:43:16","date_gmt":"2015-06-23T16:43:16","guid":{"rendered":"http:\/\/id-andrea.cms-devl.bu.edu\/policies\/?page_id=2579"},"modified":"2023-04-21T15:31:56","modified_gmt":"2023-04-21T19:31:56","slug":"information-security-policy","status":"publish","type":"r_policies_policy","link":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/information-security-policy\/","title":{"rendered":"Information Security Policy"},"content":{"rendered":"<p><a id=\"top\"><\/a>Reviewed: April 2023 (BY CSIS GOVERNANCE)<\/p>\n<h1><strong>Policy Statement<\/strong><\/h1>\n<p>Boston University recognizes that in certain instances it must collect, store and use Sensitive Information relating to its students, employees and individuals associated with the University as well as certain types of research data. The University is dedicated to collecting, handling, storing and using Sensitive Information properly and securely.<\/p>\n<h1><strong>Reason for Policy \/ Implication Statement<\/strong><\/h1>\n<p>Boston University is committed to collecting, handling, storing and using\u00a0Sensitive Information properly and securely. 
This Policy establishes an\u00a0Information Security Program to create administrative, technical and physical\u00a0safeguards for the protection of Sensitive Information throughout the University.\u00a0The purpose of this Program is to comply with applicable laws and to:<\/p>\n<ol>\n<li>Provide a framework for comprehensive stewardship of Sensitive\u00a0Information;<\/li>\n<li>Increase awareness of the confidential nature of Sensitive Information;<\/li>\n<li>Eliminate unnecessary collection and use of Sensitive Information;<\/li>\n<li>Protect against anticipated threats or hazards to the security or\u00a0integrity of Sensitive Information; and<\/li>\n<li>Protect against unauthorized access to or use of Sensitive\u00a0Information in a manner that creates a substantial risk of identity\u00a0theft, fraud or other misuse of the data.<\/li>\n<\/ol>\n<h1><strong>University Roles Affected By Policy<\/strong><\/h1>\n<p>Any member of the University community, including all faculty, staff and students, who has access to University records that contain Sensitive Information covered by this Policy must comply with this Policy.<\/p>\n<h1><strong>Definitions<\/strong><\/h1>\n<p><strong>Breach of Security<\/strong>: the unauthorized acquisition or use of Sensitive Information\u00a0that creates a substantial risk of identity theft or other harm. 
This definition includes the unauthorized acquisition or use of encrypted electronic Sensitive Information where the confidential process or key has been compromised.<\/p>\n<p><strong>Electronic<\/strong>: relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.<\/p>\n<p><strong>Employee<\/strong>: includes all Boston University faculty, staff and students, volunteers, trainees, visiting researchers, and any other individual who provides services to Boston University, whether compensated or not, and who, in connection with such services, has access to University records that contain Sensitive Information.<\/p>\n<p><strong>Encryption<\/strong>: transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.<\/p>\n<p><strong>Record<\/strong>: any material, regardless of physical form or characteristics, upon which written, drawn, spoken, visual or electromagnetic information or images containing Sensitive Information are recorded or preserved. The term Record includes both paper and electronic material.<\/p>\n<p><strong>Sensitive Information<\/strong>: Information that is designated as Restricted Use, Confidential or Internal Data under the Data Protection Standards.<\/p>\n<h1><strong>Responsibilities<\/strong><\/h1>\n<p>The University\u2019s Chief Information Security Officer is responsible for the administration of this Policy and the Information Security Program across departments and units that maintain Records in any format. 
The University\u2019s Chief Information Security Officer shall oversee, with the assistance of the Common Services and Information Security Committee (the \u201cCommittee\u201d), the administration of this Policy, including developing procedures for the review, oversight and governance of this Policy and any necessary training. University Employees may request, collect, store or use Sensitive Information only as permitted by this Policy, the Data Protection Standards and the practices required by their unit or department.<\/p>\n<p>Every member of the University community should minimize or eliminate the collection, handling, storage and use of Sensitive Information whenever and wherever possible. Only those who have a legitimate business need to access Sensitive Information should do so, and for as limited a time as possible.<\/p>\n<h2>Procedures<\/h2>\n<p><strong>I. Chief Information Security Officer and Committee<\/strong><br \/>\nA. University Chief Information Security Officer<br \/>\nThe University\u2019s Chief Information Security Officer shall, in consultation with the Committee, maintain a list of categories of information that will be included within the definition of Sensitive Information and prescribe appropriate levels of protection in a series of procedures collectively known as the Data Protection Standards. The Chief Information Security Officer may consult with the Committee and charge the Committee with responsibilities concerning the administration and review of this Policy.<\/p>\n<p>The Chief Information Security Officer may assign responsibility for developing more specific Information Security Guidelines to appropriate central University offices with responsibility for and expertise concerning the collection, use, storage and disposal of particular types of Sensitive Information. 
The Chief Information Security Officer shall provide a mechanism for reporting any suspected Breach of Security and shall respond to any reported Breach of Security as outlined below.<\/p>\n<p>B. University Common Services and Information Security Committee<br \/>\nThe Chief Information Security Officer shall convene a Common Services and Information Security Committee to assist with the administration of this Policy and to help ensure compliance. In addition, the Committee may advise University offices charged with the development of Information Security Guidelines and may review those Guidelines.<\/p>\n<p>C. Data Protection Standards<br \/>\nThe Chief Information Security Officer, in consultation with the Committee, shall identify categories of Sensitive Information and the appropriate safeguards required to protect each category. The Data Protection Standards shall specify administrative, technical and physical safeguards for the protection of Sensitive Information. The Committee may review, and the Chief Information Security Officer shall approve, the Data Protection Standards.<\/p>\n<p>D. Training<br \/>\nThe Chief Information Security Officer or the Chief Information Security Officer\u2019s designee, together with the Committee, shall develop a training program for Employees who will have access to Sensitive Information.<\/p>\n<p>E. Vendors and Service Providers<br \/>\nThe Chief Information Security Officer or the Chief Information Security Officer\u2019s designee, together with the Committee, may recommend that University vendors, service providers or any other third party to whom the University provides Sensitive Information be required to meet appropriate criteria or agree to appropriate contract terms before being granted access to Sensitive Information.<\/p>\n<p>F. 
Program Review<br \/>\nAt least annually, the Chief Information Security Officer, together with the Committee, shall review the Information Security Program and the Data Protection Standards. As part of that review, the Chief Information Security Officer and the Committee shall review any Breach of Security that was reported to outside authorities, including the results of any investigation and the University\u2019s response to the Breach.<\/p>\n<p><strong>II. Security Breach Response Team<br \/>\n<\/strong>The Chief Information Security Officer shall review any suspected Breach of Security involving Sensitive Information as specified in the Data Breach Response and Management Plan.<\/p>\n<h1>Related Documents &amp; Policies:<\/h1>\n<p style=\"padding-left: 30px;\"><a title=\"Data Protection Standards\" href=\"http:\/\/id-andrea.cms-devl.bu.edu\/policies\/information-security-home\/data-protection-standards\/\">Data Protection Standards<\/a><br \/>\n<a href=\"https:\/\/www.bu.edu\/tech\/services\/security\/cyber-security\/sensitive-data\/\" target=\"_blank\" rel=\"noopener noreferrer\">Data Breach Response and Management Plan<\/a> (maintained by Information Security)<br \/>\n<a title=\"FERPA\" href=\"http:\/\/www.bu.edu\/reg\/academics\/ferpa\/\" target=\"_blank\" rel=\"noopener noreferrer\">FERPA Policy<\/a><br \/>\n<a title=\"HIPAA\" href=\"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/hipaa-policies-for-health-care-providers\/\" target=\"_blank\" rel=\"noopener noreferrer\">HIPAA 
Policy<\/a><\/p>\n","protected":false},"parent":0,"template":"","responsible-office":[504],"policy-category":[539,583],"policy-type":[544],"keyword":[36,567,204,1125,1123,1124],"_links":{"self":[{"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/policies\/2579"}],"collection":[{"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/policies"}],"about":[{"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/types\/r_policies_policy"}],"wp:attachment":[{"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/media?parent=2579"}],"wp:term":[{"taxonomy":"r_policies_office","embeddable":true,"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/responsible-office?post=2579"},{"taxonomy":"r_policies_category","embeddable":true,"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/policy-category?post=2579"},{"taxonomy":"r_policies_type","embeddable":true,"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/policy-type?post=2579"},{"taxonomy":"r_policies_keyword","embeddable":true,"href":"https:\/\/id-andrea.cms-devl.bu.edu\/policies\/wp-json\/wp\/v2\/keyword?post=2579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}