Information Security Policy
A harsh reality of the modern age is that all community members -- staff, faculty, and students alike -- must be very conscious of, and share in the responsibility for, safeguarding private personal and institutional data. Though IT strives to keep firewalls, virus protection, and other technical security controls in place, you, the user, are often unwittingly the critical attack vector in a data breach. Confidentiality, integrity, and accessibility of all data are of the utmost importance in protecting the quality and validity of stored information. Any inspection of electronic data, emails, and data stored on Marlboro College servers and computers will be governed by Marlboro College Operating Procedures and by any applicable State and Federal data regulations.
The Information Security Policy is designed to protect data maintained by Marlboro College while providing education on safe computing practices, covering e-mail handling, data retention, and cyber security.
- DO NOT ever give anyone your password. IT will never ask for it and any request should be treated as a phishing attempt and security incident.
- Passwords must be changed every 180 days.
- Computer equipment and sensitive data must be secured at all times.
- Doors to offices are to be locked when the office is not in use.
- Log out of all secure websites and/or databases before leaving the computer.
- Computers in public spaces are to be locked to a desk and/or other permanent fixture in the office using a "Computer Cable Security Lock."
- Users are to lock their devices when not in use by pressing "Ctrl+Alt+Delete" and then selecting Lock.
- No software may be downloaded without the knowledge and consent of the IT department.
- No plug and play USB storage devices are to be used on ITS without prior IT approval.
- No personal devices are to be connected to the "Admin" network. A "Marlboro College" wireless network is provided for personal devices.
- E-mail is a primary vehicle for spear phishing and malware attacks, and most reconnaissance for such attacks is performed by e-mail. Therefore, the following provisions have been adopted:
  - Do not open email attachments or embedded links from unknown senders.
  - Do not follow suspicious web links in email. If you are unsure whether a link is suspicious, contact firstname.lastname@example.org for guidance.
  - No files are to be downloaded from untrusted sources. When in doubt, send an email to "email@example.com" for further guidance.
  - Do not send secure information through email. See the charts below for more guidance.
Types of Information

| Type | Risk | Description | Examples |
|---|---|---|---|
| Secure | | Legally protected data and other data where disclosure would pose a significant legal risk to individuals and/or the college. | Typically contains personally identifying information. |
| Confidential | | Data that should be carefully protected, but poses less financial or legal risk to the individual or college if exposed. | |
| Public | Low to none | Publicly available data | Anything you'd find on a public page of the college's website, including names, email addresses, etc. |
Ideally, all secure and confidential data should be stored and accessed only via the system that houses it. For example, if a staff member needs a list of students on academic probation, health insurance information, or students with financial need, she should be granted access in the authoritative systems (e.g. Sonis, Education Edge, PowerFaids, et cetera) to view that data directly, rather than creating and emailing external spreadsheets. When that is not feasible, there are several approved options for storing and sharing information.
| Storage or Transport Mechanism | Secure | Confidential | Public |
|---|---|---|---|
| Google Drive/Docs | DO NOT USE | OK, with caution | OK |
| Email/Gmail | DO NOT USE | OK, with caution | OK |
| Marlboro laptop | DO NOT USE | OK, with caution | OK (Google Drive recommended) |
| Your own computer | DO NOT USE | DO NOT USE | OK (Google Drive recommended) |
| Your phone or tablet | DO NOT USE | DO NOT USE | OK (Google Drive recommended) |
| Thumb drive | DO NOT USE | DO NOT USE | OK (Google Drive recommended) |
| Marlboro encrypted drive or file | OK, with caution | OK, with caution | OK (Google Drive recommended) |
| Echo Common (K Drive) / Nook secure file upload | OK | OK | OK (Email recommended) |
| Website (main site, public area of Nook) | DO NOT USE | DO NOT USE | OK |
| Social media (Facebook, Twitter, YouTube, Instagram, et cetera) | DO NOT USE | DO NOT USE | OK, with caution |
Phone and Tablet Policy
Content under revision.
Google Apps for Education
Google Apps for Education consists of a set of applications including Gmail, Calendar, Google Drive, Google Docs, Google Sheets, Google Slides, and Google+. Marlboro users should consider the following general issues when using Google Apps For Education.
- Google Apps logins are pervasive across all Google content and remain in effect until you sign out: when you sign in to YouTube, you are also logged in to Google's mail, calendar, map, and news applications. Google's search engine will tie your searches to your identity -- that's great if you're trying to remember arcane search criteria, but not helpful if you've forgotten to sign off from a publicly accessible computer. You need to sign out after using Apps to ensure that a password is requested next time. As such, if you work with confidential data, do not use Apps from any computer or device that is not owned by Marlboro College and password protected.
- You can work with multiple Apps accounts in the same browser, but if you do, use caution to avoid putting data in the wrong account.
- If you sign in to one App on your browser or device, you are signed in to all Apps.
- Google Apps is FERPA compliant. However, you must still follow FERPA guidelines and best practices.
- Marlboro has worked with Google to ensure letter-of-the-law HIPAA compliance. However, due to general security issues, Google Apps SHOULD NOT be used for health information without arrangements with IT to ensure security. (For example, though a Google calendar is technically "HIPAA compliant," nothing stops you from adding private information to it, or sharing that calendar with someone who shouldn't see it.)
- Google Apps should not be used for secure data.
Gmail Specific Issues
Email in general is not considered a secure medium and should never be used for secure data, with the possible exception of encrypted files. Email sent to another @marlboro.edu address stays on Google and Marlboro servers and can be considered confidential as long as both you and the other users are following best practices (e.g. not auto-forwarding Marlboro mail to another account). However, confidential data should not be sent to an address in another domain, as confidentiality cannot be assured there.
Google Drive/Docs Specific Issues
The biggest pitfall with Google Drive is that it's easy to accidentally share documents with the wrong people. Documents stored on Google Drive cannot be given the same fine-grained permissions that IT can assign to documents saved on Marlboro servers. Thus extreme care needs to be taken with confidential data, and secure data should not be stored on Google Drive at all. When you share documents, unless they contain only public data, be very careful with whom you share them -- particularly when sharing with addresses outside the marlboro.edu domain. If you are simultaneously logged in to your personal Gmail account and your Marlboro account, be sure to double-check the currently logged-in address in the upper right corner before starting a new document with Marlboro information or uploading something to your Drive.