| Objective | Implementation and Program Components | Roles and Responsibilities |
The objective of Tufts University, in developing and implementing this Information Security Program (“Program”), is to create effective administrative, technical and physical safeguards to protect personal information, and to comply with the University’s obligations under M.G.L. 93 H, 93 I and 201 CMR 17.00 (the “Data Regulations”). This Plan explains the elements of the Program Tufts intends to establish, including the requirements for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information. The Program covers all forms of personal information, whether it is maintained on paper, digital, or other media.
For purposes of this Program, “personal information” shall have the meaning set forth in the Data Regulations. In general, “personal information” includes an individual’s first name and last name or first initial and last name, in combination with that person’s: (a) Social Security number; (b) driver’s license or other state-issued identification card number; or (c) credit or debit card number or other financial account number, in each case with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. “Personal information” does not include publicly available information.
II. PurposeThe purpose of the Program is to affect compliance with applicable laws (including the Data Regulations) by:
- identifying reasonably foreseeable internal and external risks to the confidentiality and/or integrity of any electronic, paper, or other records containing personal information;
- assessing the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
- evaluating the sufficiency of existing policies, procedures, information systems, internal controls and security practices, in addition to other safeguards in place to control risks;
- designing and implementing a plan that puts safeguards in place to minimize those risks, consistent with the requirements of Massachusetts laws; and
- periodically monitoring the effectiveness of those safeguards.
Patricia Campbell, Executive Vice President
IV. Approval DateFebruary 26, 2010
V. Effective DateMarch 1, 2010
VI. Executive SponsorDavid Kahle, Vice President for Information Technology and Chief Information Officer
VII. Policy ManagersUniversity Information Technology
Office of University Counsel
Digital Collections and Archives
|page 2 | page 3 |