Written Information Security Policy (WISP)

1. Purpose of this Policy

1.1. NEC recognizes its need to maintain the confidentiality of Personal Identity Information (PII) and understands that such information is unique to each individual. The PII covered by this policy may come from various types of individuals performing tasks on behalf of the Conservatory and includes employees, faculty, students, independent contractors and any PII maintained on its customer base. The scope of this policy is intended to be comprehensive and will include Conservatory requirements for the security and protection of such information throughout the Conservatory and its approved vendors both on and off work premises.

1.2. Departments named in this policy have delegated authority for developing and implementing procedural guidance for ensuring that their departmental responsibilities under this policy are communicated and enforced.

2. Definitions:

2.1. Personal Identity Information (PII): Unique personal identification numbers or data, including:

2.1.1. Social Security Numbers (or their equivalent issued by governmental entities outside the United States).

2.1.2. Taxpayer Identification Numbers (or their equivalent issued by governmental revenue entities outside the United States).

2.1.3. State or foreign driver's license numbers.

2.1.4. Bank account numbers.

2.1.5. Corporate or individually held credit or debit transaction card numbers (including PIN or access numbers) maintained in organizational or approved vendor records.

2.2. For context, the definition of Personal Information according to Massachusetts regulations is: a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

2.3. PII may reside in hard copy or electronic records; both forms of PII fall within the scope of this policy.

2.4. NEC representative: employee, staff, faculty, student, contract/temporary employee or anyone working on behalf of New England Conservatory.

2.5. Portable Storage Device: a device designed to store any kind of electronic data. This may include, but is not limited to, portable computers, tablets, phones, hard or USB/SD drives or cards.

3. Data Security, Access, Transmission, Transport and Retention

3.1. Conservatory Network Security:

3.1.1. Physical security of Conservatory servers--servers are kept in a locked computer room with access limited to the Conservatory IT, Security/Public Safety and Building Operations staff.

3.1.2. The Conservatory network is secured by up-to-date and robust virus protection.

3.1.3. The Conservatory internal network is secured behind a robust firewall.

3.1.4. Remote access is available using a secure encryption protocol. This service is made available only to select and approved administrative positions.

3.2.1. Conservatory Premises Electronic Access to PII: Finance, Human Resources and IT have defined responsibilities for on-site access of data that may include access to PII; IT has the responsibility for all electronic records and data access capabilities. Finance and Human Resources have the operational responsibility for designating initial access and termination of access for individual users within their organizations and providing timely notice to IT.  The security controls include but are not limited to password protected accounts, network folders/files and services. Termination of an employee, vendor or independent contractor with access will immediately result in the termination of the user’s access to all systems where the PII may reside.

3.2.2. NEC representatives must never transmit PII through any type of messaging system (e.g. email, instant messaging, text messages, etc.).

3.2.3. Portable Storage Devices: NEC reserves the right to restrict PII data it maintains in the workplace. In the normal course of doing business, NEC does not allow the downloading of PII data to portable computing storage devices.  In the event of an approved need to download PII to a portable computing storage device, such data shall be encrypted and/or utilize acceptable security protection software while such devices are in use on or off Conservatory premises. The IT department has responsibility for maintaining data encryption and data protection standards to protect PII data that resides on these portable storage devices.

3.2.4. Off-Site Access to PII: NEC understands that employees may need to access PII while off site and access to such data shall not be prohibited, subject to the provision that the data to be accessed is minimized to the degree possible to meet business needs and that such data shall be accessed only via secured and encrypted access methods and reside only on assigned laptops/approved storage devices that have been secured in advance by the IT department. Any approved remote access to PII shall be through a secured and encrypted method.

3.3.1. Conservatory Premises Physical Access to PII: All PII will be maintained in designated locations as determined by the Finance department. Such locations shall in all cases be within a locked room with limited access. The Finance department shall be responsible for control of any keys.

3.3.2. Physical hardcopies containing PII – Any transfer of PII to any type of physical media (i.e. saving information to a portable device or hardcopy printing) must be explicitly approved by the Department Head.  In the event a Department Head approved event requires the printing of PII information, the approving Department Head is responsible for ensuring the information is used solely for institutional business, for the physical security of the information at all times and for the secure destruction/shredding of all hardcopies.  

3.4.1. Vendors: Individual(s) or companies that have been approved by the Finance department as a recipient of organizational PII and from which the Finance department has received certification of the conformance of their data protection practices with the requirements of this policy. Vendors include all external providers of services to the Conservatory and include proposed vendors. No PII information can be transmitted to any vendor by any method unless the vendor has been certified for the receipt of such information.

3.4.2. Vendors must use secure encryption to transmit files containing PII to/from the Conservatory network.

3.5.1. Transport: When it is necessary for physical hardcopies to be transported from one area of the institution to another, the transmitting Department Head is responsible for ensuring the information is used for institutional business, for the physical security of the information at all times and for the secure destruction/shredding of all hardcopies.

3.6.1. PII Retention: NEC understands the importance of minimizing the amount of PII data it maintains and retains such PII only as long as necessary. PII data shall be retained by NEC only in accordance with Conservatory record retention policies [currently under development] and applicable laws.

4. Data Breaches/Notification:

4.1. Upon becoming aware of a PII data breach, the Conservatory will notify all affected individuals whose data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible.

4.2. NEC legal counsel will handle breach notification(s) to all governmental agencies and to those to whom such notice must be provided in accordance with time frames specified under these laws. Notices to affected individuals will be communicated by the Human Resources department after consultation with the legal counsel and within the time frame specified under the appropriate law(s).

5. Training and Annual Compliance Review

5.1. PII Training: All new hires entering the Conservatory who may have access to PII are provided with training by the Human Resources department regarding the provisions of this policy.  Employees in positions with regular ongoing access to PII or those transferred into such positions are provided with training reinforcing this policy and procedures for the maintenance of PII data and shall receive annual training regarding the security and protection of PII data and Conservatory proprietary data.

5.2. PII Compliance Reviews: NEC will conduct periodic reviews of PII information maintained by the Conservatory to ensure that this policy remains strictly enforced and to ascertain the necessity for the continued retention of PII information.

5.3. Regulatory Requirements: It is the policy of the Conservatory to comply with any applicable federal or state statute and reporting regulations. NEC has delegated the responsibility for maintaining PII security provisions to the departments noted in this policy. Legal shall oversee all regulatory reporting compliance issues. If any provision of this policy conflicts with an applicable statutory requirement of federal or state law governing PII, the policy provision(s) that conflict shall be superseded.

5.4. Confirmation of Confidentiality: All Conservatory representatives must maintain the confidentiality of PII as well as Conservatory proprietary data to which they may have access and understand that such PII is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this Conservatory requirement.

5.5. Violations of PII Policies and Procedures: NEC views the protection of PII data to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under the Conservatory’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PII violations and disciplinary actions are incorporated in the Conservatory’s PII on-boarding process and annual refresher training to reinforce the Conservatory’s continuing commitment to ensuring that this data is protected by the high standards contained herein.