Data Security Policies

BOSTON COLLEGE
Data Security Policy
http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf

5. Users. Users are responsible for complying with all security-related procedures pertaining to any Information Resource to which they have authorized access or any information derived therefrom that they possess. Specifically, a User is responsible for:

Becoming familiar with and complying with all relevant University policies, including, without limitation, this policy, and all Data Security Directives contemplated hereby, the policy on Professional Standards and Business Conduct, and other policies related to data protection, technology use and privacy rights (including the University Student Education Records).

Providing appropriate physical security for information technology equipment, storage media, and physical data. Such equipment and files shall not be left unattended without being locked or otherwise protected such that unauthorized Users cannot obtain physical access to the data or the device(s) storing the data.

Ensuring that Confidential or Internal Use Only information is not distributed or accessible to unauthorized persons. Users must not share their authorization passwords under any circumstances. Users must avail themselves of any security measures, such as encryption technology, security updates or patches, provided by Data Security Officers. Users must log off from all applications, computers and networks, and physically secure printed material, when not in use.

To the extent possible, making sure that any Massachusetts PI accessed by the User is stored only on secure servers maintained by the University and not on local machines, unsecure servers, or portable devices.

Boston College Confidential or Internal Use Only data, when removed from the campus or when accessed from off-campus, is subject to the same rules as would apply were the data on campus.
Sponsors and Users will comply with this Policy and all relevant Data Security Directives irrespective of where the Boston College data might be located, including, for example, on home devices, mobile devices, on the Internet, or other third-party service providers.

When access to information is no longer required by a User, disposing of it in a manner to insure against unauthorized interception of any Confidential or Internal Use Only information. Generally, paper-based duplicate copies of Confidential documents should be properly shredded, and electronic data taken from Confidential databases should be destroyed.

Immediately notifying his or her cognizant Data Security Officer of any incident that may cause a security breach or violation of this policy.

6. Vice President for Human Resources. The Vice President for Human Resources shall be responsible for:

Working with the Data Security Working Group to educate incoming employees (including temporary and contract employees) regarding their obligations under this policy and to provide on-going employee training regarding data security;

Ensuring that terminated employees no longer have access to University systems that permit access to Confidential or Internal Use Only information; and

Carrying out any disciplinary measures against an employee taken in response to a violation of this policy as required by the Data Security Committee.

SECURITY BREACH RESPONSE

As provided above, Users and Data Security Officers must report any known Security Breach or any incident that is likely to cause a Security Breach. These incidents include thefts of computer devices, viruses, worms, or computer “attacks” that may lead to unauthorized access to confidential information.