
Written Information Security Program (WISP)

WRITTEN INFORMATION SECURITY PROGRAM (WISP) FOR PROTECTION OF PERSONAL INFORMATION

I. GENERAL

A. Objective of WISP

The objective of Marymount Manhattan College (“the College”), in the development and implementation of this comprehensive Written Information Security Program (“WISP”), is to create effective administrative, technical and physical safeguards for the protection of Personal Information and to comply with the College’s obligations under applicable regulations.

The WISP sets forth procedures for evaluating the College’s electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Personal Information.

For purposes of this WISP, “Personal Information” means the following, whether in paper, electronic or other form:

1. an individual’s first name and last name, or first initial and last name;

2. in combination with any one or more of the following data elements that relate to that individual:

a. Social Security number;

b. driver’s license number or state-issued identification card number; or

c. financial account number, or credit or debit card number (with or without any required security code, access code, personal identification number or password that would permit access to the individual’s financial account).

B. Purpose of WISP

The purpose of the College’s WISP is to:

1. ensure the security and confidentiality of Personal Information;

2. protect against threats or hazards to the security or integrity of such information; and

3. protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

C. Scope of WISP

In formulating and implementing the College’s WISP, the intended scope is to do the following:

1. identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Personal Information;

2. assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Personal Information;

3. evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks to Personal Information;

4. design and implement a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.03; and

5. regularly monitor the effectiveness of those safeguards.

D. Data Security Coordinator

The College has designated the Assistant Vice President for Information Technology (IT) to be the College’s Data Security Coordinator. He or she will be responsible for implementing, supervising and maintaining the College’s WISP, including:

1. initial implementation of the College’s WISP;

2. training of the following persons regarding the College’s WISP and Personal Information security:

(a) all employees;

(b) independent contractors with access to Personal Information; and

(c) any other person involved with the College who has or will have access to Personal Information;

3. regular testing of the WISP’s safeguards;

4. evaluating the ability of each of the College’s third-party service providers to implement and maintain appropriate Personal Information security measures for the Personal Information to which the College has permitted them access, consistent with 201 CMR 17.03, and requiring such third-party service providers by contract to implement and maintain appropriate Personal Information security measures; and

5. reviewing the scope of the Personal Information security measures in the WISP at least annually, or whenever there is a material change in the College’s business practices that may implicate the security or integrity of records containing Personal Information.

E. Limits on Collection and Storage of Personal Information at Marymount Manhattan College

1. The College is in possession of Personal Information as a non-profit provider of educational services.

2. As part of its legitimate organizational purpose, the College possesses Personal Information obtained during the course of the College’s activities. The Personal Information that is collected and stored shall be limited to that information which is reasonably necessary to accomplish the College’s legitimate organizational purpose.

F. Review of WISP and Procedures

The College’s WISP and all security measures and procedures shall be reviewed at least annually and, in addition, whenever there is a material change in the College’s business practices that may reasonably implicate the security or integrity of records containing Personal Information. The Assistant Vice President for IT shall be responsible for this review and shall fully apprise the College’s management of the results of that review and any recommendations for improved security arising out of that review.

II. PROTECTIONS AGAINST INTERNAL DATA SECURITY BREACH

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Personal Information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

A. Information and Access

1. The amount of Personal Information collected shall be limited to that amount reasonably necessary to accomplish the College’s legitimate business purposes, or necessary for the College to comply with other state or federal regulations.

2. Access to records containing Personal Information shall be limited to those persons who are reasonably required to know such information in order to accomplish the College’s legitimate business purpose or to enable the College to comply with other state or federal regulations.

3. Access to electronic Personal Information shall be restricted to active users and active user accounts only.

4. Access to electronically stored Personal Information shall be electronically limited to those employees having a unique log-in ID, and re-log-in shall be required when a computer has been inactive for more than 15 minutes.

5. Paper or electronic records (including records stored on hard drives or other electronic media) containing Personal Information shall be disposed of only in the following manner, in compliance with M.G.L. c. 93I:

a. paper documents containing Personal Information shall be either redacted, burned, pulverized or shredded so that Personal Information cannot practicably be read or reconstructed; and

b. electronic media or other non-paper media containing Personal Information shall be destroyed or erased so that Personal Information cannot practicably be read or reconstructed.

B. Employees

1. A copy of the WISP must be distributed to each employee, including part-time, temporary and contract employees, or be made readily accessible on the College’s website for each employee to access, and the College expects all employees to comply with the provisions of the WISP.

2. There must be regular training of employees on the detailed provisions of the WISP. The Assistant Vice President for IT and the Associate Vice President for HR shall organize such training.

3. Employees are prohibited from keeping unsecured files containing Personal Information in their work area when they are not present, or otherwise failing to take reasonable measures to protect the security of Personal Information.

4. At the end of the work day, all files and other records containing Personal Information must be secured in a manner that protects the security of Personal Information.

5. All employees are required to comply with the provisions of the WISP, and if the security provisions of the WISP are violated by an employee, the Associate Vice President for Human Resources shall implement disciplinary procedures in accordance with the College’s employee handbook and disciplinary procedures.

6. Resigned or terminated employees must return all records containing Personal Information, in any form, that may be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).

7. A resigned or terminated employee’s physical and electronic access to Personal Information must be immediately blocked. Such resigned or terminated employee shall be required to surrender all keys, IDs, access codes or badges, business cards, and the like, that permit access to the College’s premises or information. Moreover, such terminated employee’s remote access to Personal Information (such as internet access, e-mail access, voice-mail access) must be disabled. The Executive Director of Infrastructure and Operations shall maintain a secured or password-protected master list of all lock combinations, passwords and keys.

8. Employees are encouraged to report any suspicious or unauthorized use of Personal Information to the Assistant Vice President for IT.

III. PROTECTIONS AGAINST EXTERNAL DATA SECURITY BREACH

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Personal Information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are effective immediately:

A. Marymount Manhattan College’s Office

1. The College’s office is intended to be a secure facility, due to the Personal Information contained in the College’s files. All paper records containing Personal Information shall be maintained in locked storage when the office is unoccupied.

2. Visitors shall not be permitted to visit unescorted any area within the College’s office that contains Personal Information.

3. The College’s office shall be locked at all times when unoccupied.

B. Third Party Service Providers

1. “Third Party Service Providers” are defined as any non-employee to whom the College grants partial or full access to the College’s paper or electronic data that contains Personal Information, or to areas within the College’s office in which Personal Information is stored.

2. All Third Party Service Providers must acknowledge in writing that they have instituted Personal Information security measures and that their business operations are in compliance with the requirements of 201 CMR 17.03 as it relates to Personal Information to which the College has granted them access.

3. The Director of IT Operations or the Procurement Manager shall maintain all Third Party Service Provider acknowledgments.

C. Marymount Manhattan College’s Computers and Electronic Information Systems

1. The wireless network at the College shall always be encrypted.

2. All laptops used by College personnel must be password protected.

3. All portable devices used by employees of the College to send and receive their College e-mail shall be password protected, and shall be locked when not in use.

4. The College’s computers and computer system, including any wireless system, shall, at a minimum, and to the extent technically feasible, have the following elements:

a. Secure user authentication protocols including:

i. control of user IDs and other identifiers;

ii. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

iii. control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

iv. restricting access to active users and active user accounts only; and

v. blocking access to a user identification after multiple unsuccessful attempts to gain access, or applying the limitation placed on access for the particular system;

b. Secure access control measures that:

i. restrict access to records and files containing Personal Information to those who need such information to perform their job duties; and

ii. assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

c. Encryption of all transmitted records and files containing Personal Information that will travel across public networks, and encryption of all data containing Personal Information to be transmitted wirelessly;

d. Reasonable monitoring of systems for unauthorized use of or access to Personal Information;

e. Encryption of all Personal Information stored on laptops or other portable devices;

f. For files containing Personal Information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the Personal Information; and

g. Reasonably up-to-date versions of system security agent software, installed and active at all times, which must include end-point protection, anti-virus, anti-spyware and anti-malware protection with reasonably up-to-date patches and virus definitions (or a version of such software that can still be supported with up-to-date patches and virus definitions), set to receive the most current security updates on a regular basis.
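The authentication elements in section III.C (blocking a user ID after repeated failed log-in attempts, restricting access to active accounts, and refusing vendor-supplied default passwords) and the 15-minute re-log-in rule in section II.A.4 are stated as requirements, not as an implementation. The Python module below is an added example, not part of the College’s WISP or of any College system, showing one way those controls fit together in an application log-in gate. The lockout threshold (five consecutive failures), the lockout duration (15 minutes) and the list of rejected default passwords are illustrative assumptions; the 15-minute idle limit is the one value the WISP itself states. The clock is injectable so that lockout expiry and idle timeout can be exercised without waiting.

```python
"""Log-in gate implementing WISP-style authentication controls.
Added example; not part of Marymount Manhattan College's WISP or systems.
Thresholds and the default-password list are assumptions; the 15-minute
idle limit is the one value the WISP states."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5          # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60        # assumption: how long a locked account stays locked
IDLE_TIMEOUT_SECONDS = 15 * 60   # WISP II.A.4: re-log-in after 15 minutes of inactivity
# Constructed sample of vendor-default / trivial passwords to refuse.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456", "welcome1"}


class ManualClock:
    """Clock that only moves when advanced, so expiry can be tested without sleeping."""
    def __init__(self, start=1_000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class AuthGate:
    def __init__(self, clock=time.monotonic):
        self._clock = clock    # injectable; time.monotonic in production
        self._users = {}       # username -> record dict
        self._sessions = {}    # session token -> {"user", "last_seen"}

    @staticmethod
    def _derive(password, salt):
        # Salted PBKDF2 so the stored value does not reveal the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, username, password):
        # Unique ID plus a password that is not a vendor-supplied default.
        if username in self._users:
            raise ValueError("user IDs must be unique")
        if password.lower() in DEFAULT_PASSWORDS:
            raise ValueError("vendor-default or trivial password rejected")
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt),
                                 "failures": 0, "locked_until": 0.0, "active": True}

    def deactivate_user(self, username):
        # Access is for active accounts only: flag the record and end live sessions.
        self._users[username]["active"] = False
        self._sessions = {t: s for t, s in self._sessions.items() if s["user"] != username}

    def login(self, username, password):
        """Return a session token, or None for an unknown user, inactive or locked
        account, or wrong password (one answer for all, so the response does not
        reveal which check failed)."""
        rec = self._users.get(username)
        now = self._clock()
        if rec is None or not rec["active"] or now < rec["locked_until"]:
            return None
        if not hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                rec["locked_until"] = now + LOCKOUT_SECONDS   # lock after repeated failures
                rec["failures"] = 0                           # counter restarts after lockout
            return None
        rec["failures"] = 0                                   # a success resets the counter
        token = os.urandom(16).hex()
        self._sessions[token] = {"user": username, "last_seen": now}
        return token

    def touch(self, token):
        """Call on every request: the username if the session is still valid,
        else None once it has sat idle past the limit (the session is ended)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]                         # force re-log-in
            return None
        sess["last_seen"] = now
        return sess["user"]

    def is_locked(self, username):
        rec = self._users.get(username)
        return rec is not None and self._clock() < rec["locked_until"]


if __name__ == "__main__":
    clock = ManualClock()
    gate = AuthGate(clock=clock)
    gate.add_user("registrar", "Correct-Horse-Battery-Staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        gate.login("registrar", "wrong")
    print("locked after repeated failures:", gate.is_locked("registrar"))
```

Two design points are worth noting. A correct password presented while the account is locked is still refused, and the failure counter is reset only on a successful log-in or when the lockout is applied, so an attacker cannot keep the counter just below the threshold indefinitely by interleaving guesses with lockout waits. The idle check runs on every request rather than only at log-in, which is what the 15-minute re-log-in rule actually requires of a system.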

D. Personal Information Removed from Marymount Manhattan College

1. Employees shall only remove paper or electronic Personal Information from the College when they have a legitimate and authorized business purpose for removing such information, and only with the prior authorization of the President.

2. Any employee of the College removing electronic Personal Information from the College’s office shall only do so on a secure device, such as an encrypted laptop or encrypted USB drive.

3. Any employee who removes Personal Information from the College must keep the Personal Information secured. The measures taken to secure such Personal Information shall include whatever is necessary to secure the information from unauthorized use or access in the environment in which the employee must use the information for their legitimate business purpose.

4. Any employee who experiences a data security breach relating to Personal Information removed from the College shall immediately inform the Managing Director of Operations.

IV. PERSONAL INFORMATION SECURITY BREACH

A. Employees must notify the Assistant Vice President for IT in the event of a known or suspected Personal Information security breach or unauthorized use of Personal Information.

B. The College shall provide notice as soon as practicable and without unreasonable delay when the College (a) knows or has reason to know of a Personal Information security breach, or (b) knows or has reason to know that Personal Information was acquired or used by an unauthorized person or used for an unauthorized purpose. The following notices shall be issued:

1. Notice shall be provided to the individual(s) whose information was acquired or otherwise affected by an unauthorized person.

2. To the extent required by applicable regulations, notice shall be provided to the state Attorney General and other required regulatory bodies. Such notice shall include the nature of the breach of security or unauthorized acquisition or use, the number of individuals affected by such incident at the time of notification, and any steps the College has taken or plans to take relating to the incident.

C. Whenever there is a Personal Information security breach or unauthorized use of Personal Information, there shall be an immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in the College’s security practices are required to improve the security of Personal Information for which the College is responsible.
