114 Data Security Policies BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf Boston College Computer System Security Requirements The University maintains a computer security system that provides at a minimum to the extent technically feasible: 1. Secure user authentication protocols including: a) control of user IDs and other identifiers b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect d) restricting access to active Users and active User accounts only and e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. 2. Secure access control measures that: a) restrict access to records and files containing Confidential information to those who need such information to perform their job duties and b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls. 3. Encryption of all transmitted records and files containing Massachusetts PI that will travel across public networks, and encryption of all data containing Massachusetts PI to be transmitted wirelessly. 4. Reasonable monitoring of systems, for unauthorized use of or access to Massachusetts PI. 5. Encryption of all Massachusetts PI stored on laptops or other portable devices. 6. For files containing Massachusetts PI on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the Massachusetts PI. 7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. 8. Education and training of employees on the proper use of the computer security system and the importance of data security.