This IT policy will be approved by the President, Chief Financial Officer and Chief Information Officer.
The purpose of this policy is to ensure the protection of Bowdoin’s information resources from accidental or intentional access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture.
This policy is applicable to all College students, faculty and staff and to all others granted use of Bowdoin College information resources. Every user of Bowdoin’s information resources has responsibility toward the protection of those assets; some offices and individuals have very specific responsibilities.
This policy refers to all College information resources whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the College. This includes networking devices, personal digital assistants, telephones, wireless devices, personal computers, workstations, minicomputers and any associated peripherals and software, regardless of whether used for administration, research, teaching or other purposes.
Today, information & technology (IT) permeates all aspects of teaching, learning, research, outreach and the business and facilities functions of the college. Safeguarding information and information systems is essential to preserving the ability of the college to perform its missions and meet its responsibilities to students, faculty, staff, and the citizens whom it serves. State and federal statutes, rules, and regulations, College policies and other explicit agreements also mandate the security of information and information systems. Failure to protect the college’s information & technology assets could have financial, legal and ethical ramifications.
Bowdoin College acknowledges its obligation to ensure appropriate security for information and IT systems in its domain of ownership and control. Furthermore, the college recognizes its responsibility to promote security awareness among the members of the Bowdoin College community. This policy establishes the general principles of IT security that will be applied throughout the college, and specifically:
Information & Technology security is critical to the interests of the college and the many constituencies it serves. The following list provides insight into some of the reasons for IT security and show the depth and breadth or information resources that need protection. This list is representative and is not meant to suggest the full range of information and resources that must be protected.
Security can be defined as the state of being free from unacceptable risk. Thus, IT security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, modified or disclosed inappropriately either by intent or accident.
The four primary objectives of IT security are to protect:
Information security necessarily encompasses a broad range of college activities and assets. Within the domain of security this policy incorporates:
Risk assessment in information technology security is a systematic process used to determine the potential for any given information system to be subject to loss and to assess the impact of that loss. In general, risk is a composite of three factors:
Three levels of risk have been defined for the college:
Factors used to determine the level of risk include the effect of the loss on the colleges strategic missions; the extent of loss to major information systems; the potential for injury or damage to individual(s); the inconvenience or loss of productivity for subsets of the college community; the potential for damage to the college’s reputation; the level of administrative involvement required; and the level at which the security problem can be resolved.
|Confidentiality||Disclosure of course offerings before the Registrar publishes the information on the web.||Disclosure of emails detailing a negotiation strategy during a land purchase.||Disclosure of student medical records or payroll.|
|Data Integrity||Malicious modification of a student’s personal webpage.||Malicious modification of classroom schedules, leading to overbooking or confusion for a period of time.||Malicious modification of an administrative report, leading to embarrassment for the college.|
|Availability||Attack on servers holding personal web pages or attack on networked environmental controllers.||Attack on the course registration servers during the student registration weeks.||Attack on network routers, rendering many systems inoperable.|
|Authorized Use||A Bowdoin student shares their password with a high-school friend, thereby granting unauthorized access to computing services for their friend.||Gaining access to a computer with publicly available hacking tools, and then using the computer to capture passwords on the network.||Gaining access to a computer with publicly available hacking tools, and then using the computer as a platform to launch a debilitating attack on the campus network.|
Risk mitigation is that action taken to reduce the risk to an acceptable level. An analysis evaluating the cost versus the benefits along with the impact to the college will become factors in deciding if any action should be taken and if so, what. Some options to reduce risk include risk avoidance, limitation, transfer, and assumption.
Approval of the IT Security Policy is vested with the President. Development and implementation of the policy is the responsibility of the Office of the Chief Information Officer.
The Office of the Chief Information Officer (CIO) has overall responsibility for the security of the college’s information technologies. Implementation of security policies is delegated throughout the college to various college services, departments and other units; and to individual users of campus IT resources.
The Chief Information Security Officer is responsible for providing interpretation of this and other related policies and disseminating related information.
Various offices within the college have the primary responsibility and authority to ensure the Bowdoin College meets external in internal requirements for privacy and security of specific types of confidential and business information. Other departments are responsible for general security issues (i.e. legal issues, security compliance, physical security, communications, and IT infrastructure security). These college services are responsible for assisting in the development of college IT security policies, standards and best practices in their areas of responsibility. They are also responsible for advising departments and individuals in security practices relating to these areas:
Departments and other units are responsible for the security of any information they create, manage, or store, and for any information they acquire or access from other college systems (i.e. student records, personnel records, business information).
Protecting the security of college information and information systems is the responsibility of every member of the college community. Each student, faculty and staff is responsible for knowing and complying with published IT policies and practices including the IT Security Policy. Failure to comply with these policies may result in loss of computing privileges and/or disciplinary action.
Students, faculty and staff who use personally-owned systems to access college resources are responsible for the security of their personally-owned computers or other network devices and are subject to the following:
Reporting incidents is an ethical responsibility of all members of the Bowdoin College community. A critical component of security is to address security breaches promptly and with the appropriate level of action. The IT Security Incident Reporting Policy outlines the responsibilities of departments and individuals in reporting as well as defining procedures for handling security incidents.
Creating a heightened awareness of the importance of information technology security is an important component in establishing an environment in which each individual feels both responsible and empowered to act in their own and the community’s best interests. All departments will provide opportunities for individuals to learn about their roles in creating a secure IT environment.