111 SPEC Kit 360: Learning Analytics BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf Ensuring that all staff have the training and support necessary to protect data in accordance with this policy, all Data Security Directives, and any Specific Security Procedures applicable to such data. Designating and managing the efforts of one or more Sponsors and Data Security Officers for all Information Resources maintained in their area of responsibility. Approving access authorization of all Users of Information Resources maintained in their area of responsibility having a data classification of Confidential. Promulgating Specific Security Procedures. Ensuring that Confidential or Internal Use Only data sponsored within their area of responsibility are not provided or accessible to, or created or maintained by University vendors or other third-parties without (i) assistance from the Director of Computer Policy and Security and the Director of Internal Audit, verifying that the third party has the capability of adequately protecting such data (ii) review and approval of the relevant contract and the underlying terms and specifications by the Director of Computer Policy and Security and the Office of the General Counsel and (iii) unless approved otherwise by the Office of the General Counsel, verifying that the third party has executed the University’s standard form of Privacy and Security Addendum. 3. Sponsors. A Sponsor has primary responsibility for overseeing the collection, storage, use and security of a particular Information Resource. In cases where a Sponsor is not identified for any Information Resource, the cognizant Vice President or Dean shall be deemed the Sponsor. A Sponsor is responsible for the following specific tasks associated with the security of the information: Ensuring that the Information Resource is assigned a security classification and that such data is marked where appropriate. Identifying authorized Users of the Information Resource, whether by individual identification of by job title, and obtaining approval for such access from their Vice President or Dean. Proposing to their Vice President or Dean Specific Security Procedures for the handling of data under their sponsorship, consistent with this policy and other applicable University policies and procedures. 4 Data Security Officers. A Data Security Officer works with Information Technology and other appropriate University functions under the direction of a Vice President or Dean and in consultation with a Sponsor, to support the implementation and monitoring of security measures associated with the management of Information Resources. Data Security Officers shall be responsible for: Ensuring adequate security technology is applied to Information Resources in keeping with their classification and to comply with this policy and all Data Security Directives, and Specific Security Procedures. Monitoring for indicators of loss of integrity. Promptly reporting to the Director of Computer Policy and Security any incidents of data being accessed or compromised by unauthorized Users, and any violations of this policy, Data Security Directives or Specific Security Procedures. Monitoring for risks to data security and reporting any known or reasonably foreseeable risks to the Data Security Working Group.