Information Security Policy
Information Security Policy and Program
1. Overview and Guiding Principles
Whitman College has legal, contractual, and ethical obligations to protect the confidentiality, integrity, and availability of its systems and data. This policy strikes a balance between protecting university systems and data, maintaining the open environment that enables faculty, staff, and students to excel, innovate, and collaborate across the world, and ensuring that Whitman Colleges core missions and institutional priorities remain paramount.
The College promotes and supports an institutional culture that elevates its overall information security posture by following these principles:
- Protection of Data and Information Assets. The College will work to protect institutional data, systems, resources, and services from unauthorized access and other threats or attacks that could potentially result in harm to the College or to members of the community.
- Shared Responsibility. Members of the College community have individual and shared responsibilities to protect the College's information assets and comply with applicable laws, regulations, and policies.
- Regulatory Compliance. Whitman College will comply with federal, state, and local law, College policies, and contracts and agreements that require the College to implement security safeguards in as cost-effective manner as possible.
- Secure Whitman College IT Services. Whitman College will maximize the use of secure and compliant College-provided services that are readily and affordably accessible to students, faculty, and staff.
- Education and Awareness. The College has an obligation to educate, inform, and enable Whitman community members to use information in a secure and compliant manner.
This Program is platform and technology neutral. It applies to both on- and off-campus operations as well as all faculty, staff, workforce members, and students. It also encompasses:
- All institutional data, including administrative and academic data. Institutional data is defined as any data that is owned, licensed by, or under the direct control of the College, whether stored locally or with a cloud provider.
- Third-party vendors who collect, process, share, or maintain College institutional data, whether managed or hosted internally or externally.
- Personally owned devices of members of the Whitman community that access or maintain sensitive institutional data classified as Sensitive or Restricted.
All institutional data must be protected in accordance with the provisions below, which take into consideration the level of sensitivity and criticality that the data has to the College.
- Sensitive Data Classification: All university information is classified into one of three levels based on its sensitivity and risk of harm to individuals and the university if the information is subject to a breach or unauthorized disclosure. Harm may encompass negative psychological, reputational, financial, personal safety, legal, or other ramifications to individuals or the College, or otherwise result in an adverse impact on the College's mission or operations.
- Data Security: The College establishes minimum security controls appropriate for safeguarding data based on the data's classification level.
- Risk Management: The College performs periodic and on-going risk assessments of systems and applications that maintain sensitive institutional data.
- Risk Acceptance: College executive officers exercise authority to accept information security and privacy related risks to the College's information assets. College units and individuals may not unilaterally accept information security, privacy, and compliance risks that have the potential to increase the College's vulnerability to cyber risks.
- Privacy Review: The College Privacy Officer will coordinate any review of the privacy or civil liberties implications and risks of the College's information security program and its information security technologies or activities to minimize or mitigate such risks.
4. Supplemental IT Standards
This information security policy is supported and supplemented by specific operational, procedural, and technical standards. These Standards are mandatory and are enforced in the same manner as this policy.
This policy recognizes the need to accommodate unique administrative, academic, and operational needs that may not be practical to accomplish through the use of College-managed IT services. In those cases, it is the the responsibility of the department or user to adhere to the appropriate information security requirements as outlined in this policy and the supplemental Standards.
5. Oversight and Enforcement
The Information Security Officer (ISO) is responsible for the development, implementation, monitoring, and enforcement of the College's information security program. Other College staff perform essential information security and cybersecurity risk management functions contributing to program implementation and regulatory compliance.
The ISO will periodically present an update on the status of the university information assurance program to College governance bodies, executive officers, and the Board of Trustees.
Violations of this policy may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, dismissal, and/or legal action. The connectivity of machines and servers to the Whitman network that do not comply with this policy may be limited or disconnected.
Disciplinary action for faculty and staff, if any, for violation of this policy shall be consistent with the Whitman College Human Resource policies and procedures. Disciplinary action for students, if any, for violation of this policy shall be consistent with the Whitman College Dean of Students' policies and procedures.