Data Security Policy

1.0 Overview

Champlain College takes seriously its commitment to respect and protect the privacy of its students, alumni, applicants, faculty and staff, as well as to protect the confidentiality of information important to the College's academic mission. This policy and associated controls are designed to protect the confidentiality and integrity of Champlain College data in accordance with the levels defined in the Data Classification Policy. In addition to complying with regulatory requirements and industry-accepted standards, they serve to advance the educational mission of the College while also minimizing damage that could result from unauthorized disclosure, mishandling, or corruption of College data.

2.0 Scope

Protecting Champlain College's information assets is the responsibility of every member of the Champlain community. This document applies to, and must be read by, all members of the Champlain College community.
Specific users bound by this policy include:

  • Faculty, including full-time, part-time and retired faculty members
  • Staff, including full-time, part-time and temporary workers
  • Student workers that have access to any of the sensitive data listed in the policy
  • Members of 3rd-party organizations given access to Champlain systems, such as vendors, contractors or consultants

3.0 Data Security Controls

Each control lists the requirement for Restricted (Level 3), Confidential (Level 2) and Unrestricted (Level 1) data, followed by the NIST-800-171 and Requirements references.

Electronic Storage

  • Restricted (Level 3): Stored only in designated secure areas of Champlain's file servers in an encrypted format or in applications designed for holding such data and approved by the Chief Information Officer. Storage of Restricted data on home computers or personal cloud storage services like Google Drive and Dropbox is strictly prohibited.
  • Confidential (Level 2): Cloud storage of Confidential data is permitted in approved accounts provided by the College, though access to this data must be carefully controlled and reviewed regularly. Storage of Confidential data on personal computing devices is allowed if devices fully comply with Champlain College Data Security Policy.
  • Unrestricted (Level 1): No restrictions on storage.
  • NIST-800-171: 3.1.2, 3.1.20
  • Requirements: HIPAA: 164.312(a)(1); PCI: 1.4

Access

  • Restricted (Level 3): Access must be strictly limited to only those school officials or authorized companies required to use data as part of their job function. Access requires authorization by the Restricted Data Stewards (see section 5.1 of Data Classification Policy). Access requirements for Personally Identifiable Information are detailed in the Personally Identifiable Information Policy.
  • Confidential (Level 2): Access to Confidential data is limited to a "need to know" basis. Access must be approved by the appropriate Confidential Data Steward (see section 5.2 of Data Classification Policy). Persons disclosing Confidential data have the responsibility to determine whether the recipient is a school official with a legitimate educational interest in the information in order to perform his/her job function or whether the outside vendor has a legitimate reason to receive this information.
  • Unrestricted (Level 1): Anyone may access Unrestricted information. However, care must be taken to use all College information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder.
  • NIST-800-171: 3.1.1
  • Requirements: HIPAA: 164.308(a)(4)(ii); PCI: 7.1

Access by 3rd Parties

  • Restricted (Level 3): Access by 3rd parties must be secured by a contractual agreement approved by the Risk Officer that mandates the 3rd party adhere to all relevant compliance requirements (PCI, FERPA, HIPAA, etc). Access must also be authorized by the Restricted Data Stewards (President, the SVP of Institutional Advancement & Finance, or the Provost).
  • Confidential (Level 2): Access by 3rd parties must be approved by the Confidential Data Steward (see section 5.2 of Data Classification Policy).
  • Unrestricted (Level 1): Unrestricted data may be shared with 3rd parties; however, care must be taken to attribute works and respect all copyrights.
  • NIST-800-171: 3.1.3
  • Requirements: HIPAA: 164.308(a)(4); MA 210: 17.03(2); PCI: 12.8

Physical Storage of Paper Records

  • Restricted (Level 3): Must be stored in a locked facility (file cabinet or storage room) with access limited only to required personnel. Champlain Restricted documents must be clearly labeled as such.
  • Confidential (Level 2): Must be stored in a locked facility (file cabinet or storage room) with access limited only to required personnel.
  • Unrestricted (Level 1): No restrictions.
  • NIST-800-171: 3.8
  • Requirements: HIPAA: 164.310(a)(1)

Transmission

  • Restricted (Level 3): Approved encryption required to prevent unauthorized disclosure of Restricted data during transmission.
  • Confidential (Level 2): Approved encryption required to prevent unauthorized disclosure of Confidential data during transmission.
  • Unrestricted (Level 1): No restrictions.
  • NIST-800-171: 3.13.8
  • Requirements: HIPAA: 164.312(e)(2)(ii); MA 201: 17.04(3); PCI: 4.1

Disposal

  • Restricted (Level 3): Restricted data must be destroyed as soon as it is no longer needed, consistent with the College's record retention policy. Physical data must be shredded in an approved manner. Currently, Champlain has a relationship with SecureShred that provides locked containers around campus that are periodically retrieved by SecureShred personnel. Electronic data must be deleted, not just recycled. Prior to disposal, any storage media that contained Restricted data must be wiped with a process that renders the data unreadable. Records of the wiping process are required for both internal and third-party disposal procedures.
  • Confidential (Level 2): Confidential data must be destroyed as soon as it is no longer needed, consistent with the College's record retention policy. Physical data must be shredded in an approved manner using a departmental shredder or placed in a SecureShred container. Electronic data must be deleted, not just recycled. Prior to disposal, any storage media that contained Confidential data must be wiped with a process that renders the data unreadable.
  • Unrestricted (Level 1): No restrictions.
  • NIST-800-171: 3.8.3
  • Requirements: HIPAA: 164.310(d)(2)(i)

Authentication

  • Restricted (Level 3): Access to systems housing or processing Restricted data requires College-approved multi-factor authentication.
  • Confidential (Level 2): Over-the-network access to systems housing or processing Confidential data requires multi-factor authentication.
  • NIST-800-171: 3.5.3
  • Requirements: HIPAA: 164.312(d); MA 201: 17.04(1); PCI: 8.2, 8.3

4.0 Endpoint Data Protection Controls

Each control lists the requirement for Restricted (Level 3), Confidential (Level 2) and Unrestricted (Level 1) data, followed by the NIST-800-171 and Requirements references.

Device Authentication

  • Restricted (Level 3): Access to device must be restricted by password meeting Champlain College password policy and/or approved alternative factor of authentication.
  • Confidential (Level 2): Access to device must be restricted by password meeting Champlain College password policy and/or approved alternative factor of authentication.
  • Unrestricted (Level 1): Strongly recommended that access to device be restricted by password meeting Champlain College password policy and/or approved alternative factor of authentication.
  • NIST-800-171: 3.1.1
  • Requirements: HIPAA: 164.312(a)(1); MA 201: 17.04(a); PCI: 8.5

Screen Lockout

  • Restricted (Level 3): Use session lock with pattern-hiding screen-savers to prevent access/viewing of data immediately on unattended systems or after 15 minutes of inactivity.
  • Confidential (Level 2): Use session lock with pattern-hiding screen-savers to prevent access/viewing of data immediately on unattended systems or after 15 minutes of inactivity.
  • Unrestricted (Level 1): Password-protected screen-saver recommended.
  • NIST-800-171: 3.1.10
  • Requirements: HIPAA: 164.308(a)(4)(ii) & 164.310(b); MA 201: 17.04(1)(d); PCI: 8.5

Unsuccessful Login Attempts

  • After more than 6 unsuccessful login attempts, the account must be automatically locked for at least 30 minutes or until identity is confirmed. Mobile devices using PIN passcodes must restrict 10 failed attempts within 24 hours.
  • Unrestricted (Level 1): No restrictions.
  • NIST-800-171: 3.1.8
  • Requirements: HIPAA: 164.308(a)(5); MA 201: 17.04(1)(e); PCI: 8.5

Device Encryption

  • Restricted (Level 3): All mobile computing devices, including but not limited to laptops, tablets, smartphones, containing Restricted data must be encrypted using Champlain College approved encryption mechanisms.
  • Confidential (Level 2): All mobile computing devices, including but not limited to laptops, tablets, smartphones, containing Confidential data must be encrypted.
  • Unrestricted (Level 1): Device encryption recommended.
  • NIST-800-171: 3.1.19, 3.8.6
  • Requirements: HIPAA: 164.312(a)(2)(iv); MA 201: 17.04(5); PCI: 21.3

Portable Media

  • Restricted (Level 3): Removable media (CDs, DVDs, thumb drives, etc) containing Restricted data must be password protected and encrypted using Champlain College approved methods.
  • Confidential (Level 2): Removable media (CDs, DVDs, thumb drives, etc) containing Confidential data must be password protected and encrypted.
  • Unrestricted (Level 1): No restrictions.
  • NIST-800-171: 3.1.19, 3.8.6
  • Requirements: HIPAA: 164.312(a)(2)(iv); MA 201: 17.04(5); PCI: 12.3

Anti-Malware

  • Restricted (Level 3): All systems processing or storing Restricted data must utilize and regularly update College-approved anti-malware protection.
  • Confidential (Level 2): All systems processing or storing Confidential data must utilize and regularly update anti-malware protection.
  • Unrestricted (Level 1): Anti-malware protection strongly recommended.
  • NIST-800-171: 3.14.2, 3.14.4
  • Requirements: HIPAA: 164.308(a)(5)(ii); MA 201: 17.04(7); PCI: 5

Security Patching

  • Restricted (Level 3): Ensure that all system components and software are protected from known vulnerabilities by automatic installation of applicable vendor supplied security patches.
  • Confidential (Level 2): Ensure that all system components and software are protected from known vulnerabilities by automatic installation of applicable vendor supplied security patches.
  • Unrestricted (Level 1): Auto-updates for vendor supplied security patches strongly recommended.
  • NIST-800-171: 3.4.2
  • Requirements: HIPAA: 164.308(a)(8); 164.310(b); MA 201: 17.04(6); PCI: 6.2

Firewall Protection

  • Restricted (Level 3): Implement College-approved host-based firewall that denies inbound network communication traffic by default.
  • Confidential (Level 2): Implement host-based firewall that denies inbound network communication traffic by default.
  • Unrestricted (Level 1): Host-based firewall strongly recommended.
  • NIST-800-171: 3.13.6
  • Requirements: MA 201: 17.04(6); PCI: 1

Device Disposal

  • Restricted (Level 3): All devices containing Restricted data must be securely overwritten using College-approved methods prior to disposal.
  • Confidential (Level 2): All devices containing Confidential data must be securely overwritten using College-approved methods prior to disposal.
  • Unrestricted (Level 1): Secure overwrite recommended prior to disposal.
  • NIST-800-171: 3.8.3
  • Requirements: HIPAA: 164.310(d)(2)(i)

5.0 Disclosure of Student Work Submissions

Student work maintained by faculty or the college must be kept private unless:

  • Syllabus and/or assignment guidelines clearly indicate it is intended for public display or disclosure; or
  • Student signs a waiver allowing for public display or disclosure

NOTE: Faculty may use personal devices that are protected by passwords, anti-malware software, and other recommended security measures for storing and processing ungraded student work submissions. Due care should be exercised in handling work of a sensitive nature.

6.0 Privacy Statement

Members of the Champlain College community have reasonable expectations of privacy in their use of information resources. In accordance with Section 6 of the Acceptable Use Policy, systems operators, supervisors, and other College officials may access information resources to locate business information, maintain the system and network, comply with legal requirements, or administer this or other College policies and procedures.

7.0 Violations

Any individual found to be in violation of this policy shall be subject to the relevant Champlain College disciplinary procedure. Individuals are also subject to federal, state and local laws governing many interactions that occur on the Internet. These policies and laws are subject to change as state and federal laws develop and change.

7.1 Policy Subject to Change

This policy is subject to change. You will be notified of any changes to the policy. You agree to abide by the policy as updated from time to time.