Introduction

Worcester Polytechnic University maintains computing resources, including data and information that are essential to performing University business. These are University assets over which the University has both rights and obligations to manage, protect, and utilize to fulfill its mission.

Wherever possible, this policy attempts to establish a balance between the risk of loss of information resources, including data misuse, and the effort and cost of the security measures. It includes provisions to reduce, as far as feasible, the risk of theft, fraud, destruction or other misuses of the University's information technology resources.

Intellectual property is protected for the benefit of the faculty and the integrity of the University.

Relevant Standards, Procedures, and Guidelines are defined on http://www.wpi.edu/Academics/CCC/Policies/datasecurity.html in reference to this policy, and receive their authority from this policy.

Purpose

The purpose of this policy is as follows:

  • To assure employees access to relevant data they need to conduct University business.
  • To prevent unauthorized access to systems, data, facilities, and networks.
  • To protect the personal information and intellectual property of faculty, students, staff, and the University.
  • To prevent any misuse of, or damage to, computer assets or data.
  • To assist the University and employees in complying with deferral and state legislation regarding information security, privacy, disclosure, computer crime, and other information and computer legislation.

Scope

This policy applies to administrative computing resources and administrative and academic confidential or critical data regardless of where they reside, be it in electronic, paper, or verbal form. This policy includes centralized and decentralized administration, audit, and control of access and security. An audit trail of the updates made to data is recorded for periodic review by security administrators and/or Internal Audit.

The scope includes systems in one or more of the following categories:

  • Systems storing and/or processing any of the following information:
    • Information protected by US federal or state privacy or other legislation
    • Information protected by a non-disclosure agreement
    • Classified for non-disclosure by federal or state government
    • WPI confidential business information
    • Confidential employee information
    • Confidential information that is maintained by WPI about individuals
    • WPI intellectual property
  • IT supported administrative and academic computers
  • Computers in WPI laboratories
  • Systems connected to the WPI network

Policy

Data Access

University employees are granted access to those data and information resources required to carry out the responsibilities of their position. No University employee will knowingly damage or misuse computing resources or data.

Access capabilities/restrictions apply to all computing and information resources owned by the University. Safeguards are taken to ensure the security of the resources and to maximize the integrity of the information.

Access privileges are determined by the administrative or academic departments, based on the duties and responsibilities of each position. Users with access privileges are assigned an access WPI user name. Use of another person's user name is prohibited. Users are responsible for adhering to the Password Standard.

The University employs various measures to protect the security of its computing resources and of users' accounts. Users should engage in "safe computing" practices by establishing appropriate access restrictions for their accounts, guarding their passwords and changing them regularly, backing up files and using virus protection. Because university computing resources are university property, uses of those resources are not private and may be monitored. The normal operation and maintenance of the university's resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the provision of service.

Data Security

While recognizing the University's responsibility toward data security, the procedures established to protect those data must not unduly interfere with the efficient conduct of University business or be unduly expensive to implement.

All University employees with an access ID have inquiry access to core data (i.e., data used by multiple University departments or by a single department across multiple business functions) on a need to know basis, without restriction or prior authorization, for use in conducting University business, except in those instances where legal, ethical, internally-imposed, or externally-imposed constraints require restricting access to certain specific data. Employees requiring access to restricted data are assigned specific access codes which they are responsible for protecting from misuse.

The employee's need to access data does not equate to casual viewing. It is the employee's obligation, and his/her supervisor's responsibility, to ensure that access to data is only to complete assigned functions. Data may be shared only for appropriate business purposes. Information sharing is governed also by other university polices, which include but is not limited to Acceptable Use Policy (AUP), Network Security Policy, Confidentiality Policy, FERPA Policy and HIPAA Policies for employee health-related information and student health information.

Some University employees have update access to certain core data based on their duties and responsibilities. These privileges are granted by those stewards responsible for the data.

Physical Security

Centralized computer facilities that house core data are protected via a physically secure location with controlled access. Computer facilities that process departmental or scholarly data may require physical security depending on the value and sensitivity of the data they process, the resources they access, and their cost.

Information residing in offices in paper and electronic format are located in a secure environment. Information removed from the office is stored securely.

Every individual in the WPI community is responsible for safeguarding the security of information and resources.

Standards

The Data Security Policy is administered through a collection of standards that were developed from known best practices.

Incident Reporting

Report all security incidents to the Office of Information Security, at itsecurity@wpi.edu. Refer security policy questions and issues to Office of Information Security, at itsecurity@wpi.edu.

Questions and Assistance

The ITS Service Desk is available to answer non-policy related questions and provide technical assistance. The ITS Service Desk may be reached by email at its@wpi.edu or by (508) 831-5888.

Revision:

  • The Information Technology Division endorsed the policy in January 2008.
  • After minor revisions, the faculty Committee on IT Policy endorsed the policy on May 8, 2008.