Learning Analytics, SPEC Kit 360

Perry, Michael R.; Briney, Kristin A.; Goben, Abigail; Asher, Andrew; Jones, Kyle M. L.; Robertshaw, M. Brooke; Salo, Dorothea

109 SPEC Kit 360: Learning Analytics BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf  Internal Use Only information includes information that is less sensitive than Confidential information, but that, if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal interests, or on the finances, operations, or reputation of Boston College. Examples of this type of data from an institutional perspective include internal memos meant for limited circulation, or draft documents subject to internal comment prior to public release.  Public information is information that is generally available to the public, or that, if it were to become available to the public, would have no material adverse effect on individual members of the University community or upon the finances, operations, or reputation of Boston College. 2. All Information Resources, whether physical documents, electronic databases, or other collections of information, are to be assigned to a security classification level according to the most sensitive content contained therein. 3. Where practicable, all data is to be explicitly classified, such that Users of any particular data derived from an Information Resource are aware of its classification. 4. In the event information is not explicitly classified, it is to be treated as follows: Any data which includes any personal information concerning a member of the University community (including any health information, financial information, academic evaluations, social security numbers or other personal identification information) shall be treated as Confidential. Other information is to be treated as Internal Use Only, unless such information appears in form accessible to the public (i.e., on a public website or a widely distributed publication) or is created for a public purpose. 5. The Data Security Committee may from time to time provide clarifications relating to the security classifications, and may, through issuance of Data Security Directives establish more detailed requirements concerning the classification of Information Resources or specific data. ROLE OF THE DATA SECURITY WORKING GROUP 1. The University has established the Data Security Working Group to aid in the development of procedures and guidelines concerning the collection, storage, and use of data by the University community, and to assist the Data Security Committee in the implementation of this policy. 2. In consultation with the Office of the General Counsel and the Director of Internal Audit, the Data Security Working Group shall:  Monitor federal, state and local legislation concerning privacy and data security.  Stay abreast of evolving best practices in data security and privacy in higher education, and assess whether any changes should be made to the Computer System Security Requirements.  Establish data privacy and security training and awareness programs for the University community and periodically assess whether these programs are effective.  Periodically reassess this policy to determine if amendments are indicated or if Data Security Directives should be proposed to the Data Security Committee.  Discuss any material violations of this policy and Security Breaches, the University’s actions in response, and recommend any further actions or changes in practice or policy to the Data Security Committee.

Previous Page Next Page

SPEC Kit 360: Learning Analytics (September 2018) resources

Free Attachments

Follow Link Learning-Analytics-SPEC-Kit-360.pdf

Extracted Text (may have errors)

109 SPEC Kit 360: Learning Analytics BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf  Internal Use Only information includes information that is less sensitive than Confidential information, but that, if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal interests, or on the finances, operations, or reputation of Boston College. Examples of this type of data from an institutional perspective include internal memos meant for limited circulation, or draft documents subject to internal comment prior to public release.  Public information is information that is generally available to the public, or that, if it were to become available to the public, would have no material adverse effect on individual members of the University community or upon the finances, operations, or reputation of Boston College. 2. All Information Resources, whether physical documents, electronic databases, or other collections of information, are to be assigned to a security classification level according to the most sensitive content contained therein. 3. Where practicable, all data is to be explicitly classified, such that Users of any particular data derived from an Information Resource are aware of its classification. 4. In the event information is not explicitly classified, it is to be treated as follows: Any data which includes any personal information concerning a member of the University community (including any health information, financial information, academic evaluations, social security numbers or other personal identification information) shall be treated as Confidential. Other information is to be treated as Internal Use Only, unless such information appears in form accessible to the public (i.e., on a public website or a widely distributed publication) or is created for a public purpose. 5. The Data Security Committee may from time to time provide clarifications relating to the security classifications, and may, through issuance of Data Security Directives establish more detailed requirements concerning the classification of Information Resources or specific data. ROLE OF THE DATA SECURITY WORKING GROUP 1. The University has established the Data Security Working Group to aid in the development of procedures and guidelines concerning the collection, storage, and use of data by the University community, and to assist the Data Security Committee in the implementation of this policy. 2. In consultation with the Office of the General Counsel and the Director of Internal Audit, the Data Security Working Group shall:  Monitor federal, state and local legislation concerning privacy and data security.  Stay abreast of evolving best practices in data security and privacy in higher education, and assess whether any changes should be made to the Computer System Security Requirements.  Establish data privacy and security training and awareness programs for the University community and periodically assess whether these programs are effective.  Periodically reassess this policy to determine if amendments are indicated or if Data Security Directives should be proposed to the Data Security Committee.  Discuss any material violations of this policy and Security Breaches, the University’s actions in response, and recommend any further actions or changes in practice or policy to the Data Security Committee.

Help

108 Data Security Policies BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf Computer System Security Requirements. Computer System Security Requirements shall mean a written set of technical standards and related procedures and protocols designed to protect against risks to the security and integrity of data that is processed, stored, transmitted, or disposed of through the use of University information systems, and shall include computer system security requirements that meet or exceed the requirements of regulations promulgated under Chapter 93H of Massachusetts General Laws. The Computer System Security Requirements shall be set forth as an exhibit hereto. The Computer System Security Requirements establish minimum standards and may not reflect all the technical standards and protocols in effect at the University at any given time. Data Security Directives. Data Security Directives shall be issued from time to time by the Data Security Committee to provide clarification of this policy, or to supplement this policy through more detailed procedures or specifications, or through action plans or timetables to aid in the implementation of specific security measures. All Data Security Directives issued by the Committee shall be deemed incorporated herein. Specific Security Procedures. Specific Security Procedures are procedures promulgated by a University Vice President or Dean to address particular security needs of specific Information Resources sponsored within their area of responsibility, not otherwise addressed by this policy, or any Data Security Directives. Data Security Working Group. The Data Security Working Group shall be chaired by the Director of Computer Policy and Security, and shall consist of those Data Security Officers as may be assigned to the group from time to time by the Data Security Committee. Security Breach. A Security Breach is any event that causes or is likely to cause Confidential Information to be accessed or used by an unauthorized person and shall include any incident in which the University is required to make a notification under applicable law, including chapter 93H of the Massachusetts General Laws. DATA CLASSIFICATION 1. All information covered by this policy is to be classified among one of three categories, according to the level of security required. In descending order of sensitivity, these categories (or “security classifications”) are “Confidential,” “Internal Use Only,” and “Public.”  Confidential information includes sensitive personal and institutional information, and must be given the highest level of protection against unauthorized access, modification or destruction. Unauthorized access to personal Confidential information may result in a significant invasion of privacy, or may expose members of the University community to significant financial risk. Unauthorized access or modification to institutional Confidential information may result in direct, materially negative impacts on the finances, operations, or reputation of Boston College. Examples of personal Confidential information include information protected under privacy laws (including, without limitation, the Family Educational Rights and Privacy Act and the Gramm-Leach-Bliley Act), information concerning the pay and benefits of University employees, personal identification information or medical/health information pertaining to members of the University community, and data collected in the course of research on human subjects. Institutional Confidential information may include University financial and planning information, legally privileged information, invention disclosures and other information concerning pending patent applications. Without limiting the generality of the foregoing, Confidential information shall include “personal information” as defined by Massachusetts General Laws Chapter 93H (“Massachusetts PI”). Massachusetts PI means a Massachusetts resident’s first name or first initial and last name in combination with any one or more of the following: (a) social security number (b) driver’s license number or state –issued identification number (c) financial account number, or credit card or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the resident’s financial account and Confidential information also includes “customer information,” defined by the safeguards rule under the Gramm-Leach-Bliley Act to mean any information containing personally identifiable information that the University obtains in the process of offering a financial product or service.

Previous Page Next Page

SPEC Kit 360: Learning Analytics (September 2018) resources

Extracted Text (may have errors)

108 Data Security Policies BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf Computer System Security Requirements. Computer System Security Requirements shall mean a written set of technical standards and related procedures and protocols designed to protect against risks to the security and integrity of data that is processed, stored, transmitted, or disposed of through the use of University information systems, and shall include computer system security requirements that meet or exceed the requirements of regulations promulgated under Chapter 93H of Massachusetts General Laws. The Computer System Security Requirements shall be set forth as an exhibit hereto. The Computer System Security Requirements establish minimum standards and may not reflect all the technical standards and protocols in effect at the University at any given time. Data Security Directives. Data Security Directives shall be issued from time to time by the Data Security Committee to provide clarification of this policy, or to supplement this policy through more detailed procedures or specifications, or through action plans or timetables to aid in the implementation of specific security measures. All Data Security Directives issued by the Committee shall be deemed incorporated herein. Specific Security Procedures. Specific Security Procedures are procedures promulgated by a University Vice President or Dean to address particular security needs of specific Information Resources sponsored within their area of responsibility, not otherwise addressed by this policy, or any Data Security Directives. Data Security Working Group. The Data Security Working Group shall be chaired by the Director of Computer Policy and Security, and shall consist of those Data Security Officers as may be assigned to the group from time to time by the Data Security Committee. Security Breach. A Security Breach is any event that causes or is likely to cause Confidential Information to be accessed or used by an unauthorized person and shall include any incident in which the University is required to make a notification under applicable law, including chapter 93H of the Massachusetts General Laws. DATA CLASSIFICATION 1. All information covered by this policy is to be classified among one of three categories, according to the level of security required. In descending order of sensitivity, these categories (or “security classifications”) are “Confidential,” “Internal Use Only,” and “Public.”  Confidential information includes sensitive personal and institutional information, and must be given the highest level of protection against unauthorized access, modification or destruction. Unauthorized access to personal Confidential information may result in a significant invasion of privacy, or may expose members of the University community to significant financial risk. Unauthorized access or modification to institutional Confidential information may result in direct, materially negative impacts on the finances, operations, or reputation of Boston College. Examples of personal Confidential information include information protected under privacy laws (including, without limitation, the Family Educational Rights and Privacy Act and the Gramm-Leach-Bliley Act), information concerning the pay and benefits of University employees, personal identification information or medical/health information pertaining to members of the University community, and data collected in the course of research on human subjects. Institutional Confidential information may include University financial and planning information, legally privileged information, invention disclosures and other information concerning pending patent applications. Without limiting the generality of the foregoing, Confidential information shall include “personal information” as defined by Massachusetts General Laws Chapter 93H (“Massachusetts PI”). Massachusetts PI means a Massachusetts resident’s first name or first initial and last name in combination with any one or more of the following: (a) social security number (b) driver’s license number or state –issued identification number (c) financial account number, or credit card or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the resident’s financial account and Confidential information also includes “customer information,” defined by the safeguards rule under the Gramm-Leach-Bliley Act to mean any information containing personally identifiable information that the University obtains in the process of offering a financial product or service.

110 Data Security Policies BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf ROLE OF THE DATA SECURITY COMMITTEE 1. The University has established the Data Security Committee to formulate University-wide procedures and guidelines concerning the collection, storage, use and safekeeping of data, to update as necessary this policy, and to direct the responsive actions in the event of any material violation of this policy or any Security Breach. 2. The Data Security Committee shall from time to time consult with representatives of the Data Security Working Group to review the implementation of this policy and compliance with the Computer System Security Requirements and Data Security Directives. 3. The Data Security Committee shall periodically review identifiable risks to the security, confidentiality, and integrity of data, and shall review this policy and the scope of Computer System Security Requirements at least annually to assess its effectiveness and determine whether any changes are warranted. 4. The Data Security Committee is authorized to:  Issue Data Security Directives.  Promulgate amendments to this policy, including the Computer System Security Requirements.  Take actions to ensure compliance with this policy, which may include, without limitation, the commissioning of internal audits and investigations.  Take actions in response to violations of this policy or any Security Breach. ROLE OF THE DIRECTOR OF COMPUTR POLICY AND SECURITY 1. The Director of Computer Policy and Security shall, with input from the Data Security Working Group, identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of University data. This identification and risk assessment shall include adopting means for detecting security system failures and monitoring the effectiveness of the Computer System Security Requirements. 2. The Director shall, in conjunction with the Data Security Working Group, oversee the implementation of the Computer System Security Requirements and recommend changes to address risks, failures, or changes to business practices to the Data Security Committee. 3. The Director shall work with other University administrators to investigate any violation of this policy and any incident in which the security or integrity of University data may have been compromised, including taking the steps set forth below in response to a security breach. 4. The Director shall work with other University administrators to develop and review training materials to be used for employee training under this policy. SECURITY RESPONSIBILITIES 1. It is the policy of the University that all confidential and other sensitive information be safeguarded from unauthorized access, use, modification or destruction. All members of the University community share in the responsibility for protecting the confidentiality and security of data. This section of the policy assigns specific duties to each of the roles of Vice President and Deans, Sponsors, Data Security Officers, Users, and the Vice President for Human Resources. However, it is likely that an individual will have responsibilities reflecting multiple roles with respect to certain information. 2. Vice Presidents and Deans. University Vice Presidents and Deans (including the University President, and the University Provost and Dean of Faculties in connection with their immediate staff) are responsible for promoting the institutional awareness of this policy and for ensuring overall compliance with it by their staff. In particular, Vice Presidents and Deans are responsible for:

Previous Page Next Page

Page 1Survey Results click to expand contents

Page 42Representative Documents click to expand contents

Page 43Library Privacy Statements and Policies click to expand contents

Page 77Institution Privacy Policies click to expand contents

Page 106Data Security Policies click to expand contents

Page 145Selected Resources click to expand contents

SPEC Kit 360: Learning Analytics (September 2018) resources

All section downloads (PDF) click to expand contents

Free Attachments

Extracted Text (may have errors)

Help

loading

SPEC Kit 360: Learning Analytics (September 2018) resources

Extracted Text (may have errors)

SPEC Kit 360: Learning Analytics (September 2018) resources