You are here

Information Security Policy

A harsh reality of the modern age is that all community members -- staff, faculty, and students alike -- must be very conscious, and share in the responsibility, of safeguarding private personal and institutional data. Though IT strives to keep firewalls, virus protection, and other mechanical security devices in place, you, the user, are often unwittingly a critical attack vector in a data breach.

Do NOT give anyone your password (IT will never ask for it), DO change your passwords at least every few months, and never answer, nor click on links or attachments, of any even vaguely suspicious looking email. Likewise, never give anyone information, or follow the directions of, someone calling on the phone unless you recognize the caller and expected the call. Contact IT when in doubt.

Because electronic data can be accessed remotely without the owner's knowledge, you need to be careful how files and information are handled.

Types of Information

Security Level Risk Description Examples
Secure High
  • Identity Theft
  • Financial Fraud
  • Illegal Info Disclosure
Legally protected data and other data where disclosure would pose a significant legal risk to individuals and/or the college. Typically contains personally identifying information.
  • Social Security numbers
  • Birthdates
  • Passports (scans, numbers, etc.)
  • Drivers' licenses (scans, number, etc.)
  • Credit card numbers
  • Bank information and account numbers
  • Medical information (HIPPA)
  • Login passwords
Confidential Medium
  • Academic fraud
  • Privacy violation
  • Inappropriate PR issue
Data that should be carefully protected, but poses less financial or legal risk to the individual or college if exposed.
  • Student advising reports
  • Final grades
  • Classwork
  • Intellectual property
  • College ID numbers
  • Human resources Data
  • Software licenses
  • Trustee reports
Public Low to none Publically available data Anything you'd on a public page of the college's website, including names, email addresses, etc.

 

Ideally, all secure and confidential data should be stored and accessed only via the system that houses it. For example, if a staff member needs a list of students on academic probation, or health insurance information, or students with financial needs, she should be granted access in the authoritative systems (e.g. Sonis, Education Edge, PowerFaids, et cetera) to view that data directly, avoiding creating and email external spreadsheets. When that's not feasible, there are several solutions for storing and sharing information.

Storage or Transport Mechanism Secure Confidential Public
Google Drive/Docs DO NOT USE OK, with caution OK
Email/Gmail DO NOT USE OK, with caution OK
Marlboro laptop DO NOT USE OK, with caution OK (Google Drive Recommended)
Your own computer DO NOT USE DO NOT USE OK (Google Drive Recommended)
Your phone or tablet DO NOT USE DO NOT USE OK (Google Drive Recommended)
Thumb drive DO NOT USE DO NOT USE OK (Google Drive Recommended)
Marlboro encrypted drive or file OK, with caution OK, with caution OK (Google Drive Recommended)

Echo Common (K Drive)

OK OK OK

Nook secure file upload

OK OK OK (Email reccomended)
Website (main site, public area of Nook) DO NOT USE DO NOT USE OK
Social media (Facebook, Twitter, YouTube, Instagram, et cetera) DO NOT USE DO NOT USE OK, with caution

 

Google Apps for Education

Google Apps for Education consists of a set of applications including Gmail, Calendar, Google Drive, Google Docs, Google Sheets, Google Slides, and Google+. Marlboro users should consider the following general issues when using Google Apps For Education.

  • Google Apps logins are pervasive across all Google content and remain in effect until you Sign Out: When you sign into YouTube, you are also logged in to Google’s mail, calendar, map, and news applications. Google’s search engine will tie your searches to your identity -- that’s great if you’re trying to remember arcane search criteria, but not helpful if you’ve forgotten to sign off from a publicly accessible computer. You need to sign out after using apps in order to be ensure that a password is requested next time. As such you should not use Apps from any computer or device not owned by Marlboro College and password protected if you work with confidential data.
  • You can work with multiple Apps accounts in the same browser, but if you do, caution should be used to avoid data mismanagement.
  • If you sign into one App on your browser or device you sign into all apps.
  • Google Apps is FERPA compliant as long as you are.
  • Marlboro has worked with Google to insure letter-of-the-law HIPPA compliance. However, due to general security issues SHOULD NOT be used for health information without arrangements with IT to insure security. (For example, though a Google calendar is technically "HIPPA Compliant," nothing stops you from adding private information to it, or sharing that calendar with someone who shouldn't see it.)
  • Google Apps should not be used for secure data in general.

Gmail Specific Issues

Email in general is not considered to be a secure medium and should never be used for secure data with the possible exception of encrypted files. Email sent to another @marlboro.edu address stays on Google and Marlboro servers and can be considered confidential as long as both you and the other users are following best practices (e.g. not auto-forwarding Marlboro mail to another account). However, confidential data should not be sent to an address in another domain as confidentiality cannot be assured.

Google Drive/Docs Specific Issues

The biggest pitfall with Google Drive is that it’s easy to accidently share documents with the wrong people. Documents stored on Google Drive cannot be given the same fine grained permissions that IT can assign to documents saved on Marlboro servers. Thus extreme care needs to be taken with confidential data; secure data should not be stored on Google Drive at all. When you share documents, unless they are public data, be very careful with whom you share them -- particularly when sharing with addresses out of the marlboro.edu domain. If you are simultaneously logged into your personal Gmail account and your Marlboro account be sure to double check the current logged-in address in the upper right corner before starting a new document with Marlboro information or uploading something to your drive.