Information Security Plan
Overview: This Information Security Plan describes the safeguards implemented by Davidson College to protect confidential data. The goal of the program is to ensure the security of these assets in an effort to support the academic mission and culture of Davidson College. These safeguards are provided to:
(i) ensure the security and confidentiality of all information assets including confidential and nonpublic data,
(ii) protect against any anticipated threats or hazards to the security of such assets, and
(iii) protect against unauthorized access or use of such assets in ways that could result in substantial harm or inconvenience to customers.
Confidential Data: Within Davidson College’s Administrative Data Security Policy, “confidential data” is defined as data protected by federal and state regulations and are intended for use only by individuals who require that information in the course of performing their college functions. For these purposes, confidential data refers to, but not limited to, financial information, academic and employment information, and other private paper and electronic records.
Designation of Representatives: The Institution’s Information Security Analyst & Program Manager is designated as the Program Coordinator who shall be responsible for coordinating and overseeing the program. The Program Coordinator may designate other representatives of the Institution to oversee and coordinate particular elements of the program. (For instance, the Director of Public Safety/Chief of Police has been designated as the coordinator for all paper records and physical security.) Any questions regarding the implementation of the program or the interpretation of this document should be directed to the Program Coordinator or his or her designees.
Risk Identification and Assessment: Davidson College identifies and assesses external and internal risks to the security and confidentiality of confidential data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and assess the sufficiency of the safeguards in place to control these risks by:
(i) performing a risk assessment annually that rotates from an external vendor performed risk assessment to an internal assessment,
(ii) monitoring of safeguards put in place to detect and identify potential threats, and
(iii) monitoring advisory groups such as SANS, REN-ISAC, EDUCAUSE, and others to keep up to date on any new threats that may develop.
Davidson College identifies and assesses risk in relevant areas, including:
(i) employee training and management,
(ii) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
(iii) detecting, preventing and responding to attacks, intrusions, or other systems failures.
Safeguards: The designated Program Coordinator will regularly monitor administrative, technical, and physical safeguards to control the risks identified through such assessments described above and to regularly test or otherwise monitor the effectiveness of such safeguards. The Technology & Innovation (T&I) division of the college designs and implements safeguards in areas highlighted by the before mentioned assessments. An internal T&I document outlines Davidson College’s procedure for implementing and assessing these safeguards.
Service Providers: Davidson College will, upon hiring or contracting third party service providers, ensure that they take similar steps to protect confidential data as outlined above. T&I has an internal document that states the security requirements current or potential providers must adhere to in order to protect Davidson’s confidential data. Additionally, Davidson College has a documented process for evaluating IT service providers including firms that host Davidson data or provide software as a service (SaaS) or similar solutions.
Adjustments to Program: The designated Program Coordinator is responsible for adjusting and reevaluating the plan as regular risk assessment occurs or as major changes occur that may significantly impact Davidson’s operations. The designated Program Coordinator will revisit this plan at least annually to ensure it is reflective of Davidson’s practices and adherence to regulatory requirements.