Written Information Security Plan (WISP)
SECTION 1: OBJECTIVE
The objective of Saint Vincent College in the development and implementation of this comprehensive written information security plan (“WISP”), is to create effective administrative, technical, and physical safeguards to ensure the protection and integrity of all information received, maintained, and created by Saint Vincent College and Seminary. The WISP sets forth our procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting all information received, maintained, and created by Saint Vincent College and Seminary.
SECTION 2: PURPOSE
The WISP was implemented to comply with various federal and state regulations, including but not limited to: the Federal Trade Commission Safeguards Rule [16 CFR Part 314], our obligations under the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (“GLB”) [15 USC 6801(b) and 6805(b)(2)], and the FTC’s Red Flag Rules.
As such, the purpose of this Plan is to:
- Ensure the security and confidentiality of “personal information”;
- Protect against any potential threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to, or use of, such information in a manner that creates a substantial risk of identity theft or fraud.
This Plan applies to all Saint Vincent College and Seminary employees, whether full- or part-time, including faculty, administrative staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the Saint Vincent Community (hereafter referred to as “Saint Vincent”). It is to be considered a plan setting a minimum standard for the securing of data. Each department is free to adopt more stringent restrictions for its employees. Any request by a department for adoption of standards or practices below the minimum set in this document must be approved in writing by the President and/or Vice-President of Saint Vincent. The department must renew its request annually. This Plan also applies to certain contracted third-party vendors (see Section 9 for further information). The data covered by this Plan includes any information stored, accessed, or collected at the College or for College operations.
SECTION 4: DEFINITIONS
Confidentiality
Data or information is not made available or disclosed to unauthorized persons or processes.
Integrity
Data or information has not been altered or destroyed in an unauthorized manner.
Availability
Data or information is accessible and usable upon demand by an authorized person.
Risk
The probability of a loss of confidentiality, integrity, or availability of information resources.
Data
For the purposes of this document, data refers to information stored, accessed, or collected at the Saint Vincent about members of the College Community.
Personal Information or Personally Identifiable Information (PI/PII)
As defined by Pennsylvania law (73 P.S. Chapter 43), the first name and last name or first initial and last name of a person in combination with any one or more of the following:
- Social Security number;
- Driver's license number or a State identification card number issued in lieu of a driver's license; or
- Financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
For the purposes of this Plan, PI/PII also includes passport number, alien registration number or other government-issued identification number.
Controlled Unclassified Information (CUI)
Unclassified information (data) that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is:
- Pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and
- Under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.
Federal financial aid data is considered CUI and, as such, the Federal Government strongly recommends protecting it according to the National Institute of Standards and Technology (NIST) SP 800-171 framework.
Nonpublic Financial Information
The Gramm-Leach-Bliley Act (FTC 16 CFR Part 313) requires the protection of “customer information”, which applies to any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with the College, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the College. For these purposes, NFI shall include any information:
- A student or other third party provides in order to obtain a financial product or service from the College;
- About a student or other third party resulting from any transaction with the College involving a financial product or service; or
- Otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.
SECTION 5: DATA CLASSIFICATION
All data covered by this policy will be classified into one of three categories outlined below, based on the level of security required for each, starting with the highest level.
Confidential
Confidential data refers to any data where unauthorized access, use, alteration, or disclosure of this data could present a significant level of risk to Saint Vincent. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration, or disclosure.
Confidential data includes data that is protected by the following federal or state laws or regulations: 16 CFR 313 (Privacy of Consumer Financial Information), the Federal Gramm-Leach-Bliley Act, and the FTC’s Red Flag Rules. Information protected by these laws includes, but is not limited to, PI/PII, NFI and CUI.
Restricted
Restricted data refers to all other personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations, or reputation of Saint Vincent. Any non-public data that is not explicitly designated as Confidential should be treated as Restricted data.
Restricted data includes data protected by the Family Educational Rights and Privacy Act (FERPA), referred to as student education records. This data also includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), College financial and investment records, employee salary information, or information related to legal or disciplinary matters.
Access to Restricted data should be limited to individuals who are employed by or matriculate at Saint Vincent and who have legitimate reasons for accessing such data, as governed by FERPA or other applicable law or College policy. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.
Public (or Unrestricted)
Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to Saint Vincent or members of the Saint Vincent Community. Any data that is not classified as Confidential or Restricted should be considered Public data.
SECTION 6: DATA SECURITY COORDINATOR
Saint Vincent College has designated the Chief Information Officer, and the Network and Cyber Security Services Manager, to implement, supervise and maintain the WISP. These designated employees (the “Data Security Coordinators”) will be responsible for:
- Initial implementation of the WISP.
- Oversight of ongoing employee information security awareness training for all owners, managers, employees, and independent contractors that have access to “personal information” on the elements of the Plan.
- Monitoring the Plan’s safeguards.
- Assessing Third Party Service providers that have access to and/or host/transmit/backup/maintain “personal information” and requiring those service providers by contract to implement and maintain such appropriate security measures for “personal information”.
- Reviewing the scope of the security measures whenever there is a material change in our business practices that may implicate the security or integrity of records containing “personal information”.
- Identifying and utilizing resources to stay informed about information security threats and emerging vulnerabilities.
- Reviewing legislation and laws and updating policies and procedures as required.
- Reporting regularly to Executive Management and the Technology Board of Directors Committee on the College’s status regarding information security and risk posture.
SECTION 7: INTERNAL RISKS
To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective as of June 22, 2021:
Administrative Measures:
- A copy of this WISP must be distributed to each current Saint Vincent employee at the commencement of their employment.
- Conducting an annual training session for all data stewards, managers, employees, and independent contractors who have access to confidential or personal information on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with our requirements for ensuring the protection of confidential or personal information.
- When it is not feasible to train part-time or contractual workers annually, training shall be provided when their network access is reactivated.
- The amount of “personal information” collected must be limited to the amount reasonably necessary to accomplish our legitimate business purposes.
- All data security measures shall be reviewed whenever there is a material change in our business practice that may reasonably implicate the security or integrity of records containing personal information. The Data Security Coordinators or a designee shall be responsible for this review and shall fully apprise Senior Cabinet and Departmental Management of the results of that review and any recommendations for improved security arising from that review.
- Confidential or personal information shall not be removed from the College premises in electronic or written form without legitimate business need and without the use of reasonable security measures including redaction or encryption of said confidential information.
- Written and electronic records containing confidential or personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements. Our retention and secure destruction periods are included in the Saint Vincent College’s Retention and Destruction Policy. The document link can be found in this WISP’s Appendices.
- Employees are required to report suspicious or unauthorized use of confidential or personal information to a supervisor or the Data Security Coordinators.
- Whenever there is an incident that requires notification, there shall be an immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in our security practices are required to improve the security of “personal information” for which we are responsible.
Physical Measures:
- Access to records containing “personal information” shall be limited to those persons who are reasonably required to know such information in order to accomplish our legitimate business purpose.
- At the end of the workday, all files and other records containing “personal information” must be stored in locked rooms, offices, or cabinets. All data security measures shall be reviewed whenever there is a material change in our business practice that may reasonably implicate the security or integrity of records containing personal information. The Data Security Coordinators or a designee shall be responsible for this review and shall fully apprise management of the results of that review and any recommendations for improved security arising from that review.
Technical Measures:
- When employees who have access to “personal information” are terminated (voluntary or involuntary), Saint Vincent College terminates their access to network resources and physical devices that contain “personal information”. This includes termination or surrender of network accounts, database accounts, keys, badges, phones, and laptops or desktops.
- Employees’ user IDs and passwords shall conform to accepted security standards. All accounts with multi-factor authentication shall follow the NIST Digital Identity Guidelines (SP 800-63-3) for password strength, security, two-factor authentication, and expiration.
- Where technically possible, all Saint Vincent maintained systems that store “personal information” will employ automatic locking features which lock access after multiple unsuccessful login attempts.
- Electronic records (including records stored on hard drives and other electronic media) containing “personal information” shall be disposed of in a manner that complies with the Guidelines for Media Sanitization (NIST SP 800-88). This requires that information be destroyed or erased so that personal information cannot practicably be read or reconstructed.
SECTION 8: EXTERNAL RISKS
To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective as of June 22, 2021:
- Employees must not email any student, parent, alumni, donor, supplier, vendor, staff, or employee information or documents containing Confidential data without encryption.
- Reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of personal information, must be installed on systems containing “personal information”.
- Reasonably up-to-date system security agent software that includes malware protection, with reasonably up-to-date patches and virus definitions, must be installed on systems processing “personal information”.
- Vulnerability scanning and access monitoring must be in place on systems processing “personal information”.
SECTION 9: THIRD-PARTY VENDOR AGREEMENTS
Saint Vincent exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PI/PII. The primary budget holder for each department is responsible for identifying those third parties providing services to the College that have access to PI/PII. All relevant contracts with these third parties are reviewed and approved by the Data Security Coordinators to ensure the contracts contain the necessary safeguards for PI/PII. It is a collaborative responsibility of the primary budget holders and the Data Security Coordinators to confirm annually that the third parties are maintaining appropriate security measures to protect PI/PII consistent with this WISP.
SECTION 10: REPORTING DATA BREACHES
If you have reason to believe that any Regulated, Restricted, or Confidential data has been lost or stolen or may have been compromised or there is the potential for identity theft, regardless of the media or method, report the incident immediately by contacting InfoSec@stvincent.edu.
SECTION 11: DEPARTMENTAL REQUIREMENTS
The Information Technology Department (Data Custodian) is responsible for maintaining the technology infrastructure that supports access to the data; for the safe custody, transport, and storage of the data; and for providing technical support for its use.
Each College department (Data Steward) is responsible for the implementation of this WISP in each office or business unit within its department, and shall develop associated written processes and rules, consistent with the WISP, that address how the WISP will be followed. A copy of the departmental rules shall be provided to the Information Technology Department.
SECTION 12: ENFORCEMENT
Violations of this WISP or of related departmental rules may result in the suspension or loss of user privileges, and/or discipline up to and including termination of employment. If warranted, at Saint Vincent College’s sole discretion, additional civil, criminal, and equitable remedies may be pursued.
SECTION 13: POLICY APPROVAL
Fr. Paul Taylor
President
6/23/2021
Justin Fabin
CIO
6/23/2021
Anthony Concannon
Network and Security Services Manager
6/23/2021
SECTION 14: REVISION HISTORY
| Revision | Date | Created By |
| --- | --- | --- |
| Draft | 6/15/2021 | Justin N. Fabin (CIO) |
| Policy Approved | 5/15/2021 | Justin N. Fabin (CIO) |
SECTION 15: APPENDICES
Policies Cross-referenced:
Acceptable Use Policy:
https://mysv.stvincent.edu/CampusServices/InformationTechnology/Documents/Acceptable%20Use%20Policy.pdf
Information Risk Management Policy:
https://mysv.stvincent.edu/CampusServices/InformationTechnology/Documents/IT.POL.01.003%20InfoSec%20Risk%20Management.pdf
Retention and Destruction Policy: