Dartmouth Information Security Policy

Summary of Policy

Requirements for the protection of the institution's confidential information; policy is embodied in Dartmouth's Information Security Objectives, a matrix of risk-based security controls.

Affected Parties

All Groups

Policy Statement

Approved by Academic Planning Committee on May 3, 2012

The goal of Dartmouth's Information Security Policy is to protect the institution's confidential information. Faculty and staff have key roles safeguarding critical information by implementing information security policies, standards, and controls. To this end, Dartmouth has adopted a comprehensive security policy for the processing, sharing, and storage of information, including electronic, paper, and other media. This policy is embodied in Dartmouth's Information Security Objectives, a matrix of risk-based security controls, attached to this article. 

All Dartmouth offices and employees (faculty and staff) must comply with institutional information security policy, and apply the standards and controls that are applicable to the Dartmouth information they manage and use. Students, alumni, and others who have access to Dartmouth confidential information must also comply with this policy. Applicability is determined by the nature of the information, the risks of unauthorized disclosure or corruption of the information, and relevant regulatory requirements. Personally owned information is not subject to this policy.

Most of the security controls are already in place, or easily implemented. However, in certain circumstances, some security requirements may be difficult to configure, and the Chief Information Security Officer (CISO) will work with concerned parties to implement the security controls within a two-year period. Waivers from compliance with certain security controls may be requested via application to DISC (the Dartmouth Information Security Committee) through the CISO. All new IT systems must comply with the security policy and meet its standards and controls upon implementation. 

Guidelines for Dartmouth Community and the DISC Information Security Control Objectives (DISC Policy)

IT Security Resources available include:

  • IT Staff and ISRs should use security control objectives found in the DISC Policies spreadsheet attached to this article on the right.
  • Security Guides are available for students, faculty, and staff.
  • Vendors doing business with Dartmouth should review the Vendor Self-Assessment Checklist attached to this article on the right.
  • Written Information Security Program, attached to this article on the right (WISP Final Approved).

Data Security Level Definition

  • Level 0 - Data meant for public disclosure is defined as Level 0. 
  • Level 1 - Data with no confidentiality classification, but not intended for public disclosure, is considered Level 1 data. This is general business data for use within Dartmouth, and protected at a baseline level of control (available to the Dartmouth community via authenticated IT access, or authorized physical access to Dartmouth facilities).
  • Level 2 - Data classified as Level 2 are data which can only be shared with individuals deemed to have a 'need to know' as defined by the data owner.
  • Level 3 - Data classified as Level 3 are data classified as strictly confidential, requiring the highest level of sensitivity. This includes FERPA data, personally identifiable information (PII), personal health information (PHI), credit card information (PCI), among others.

Contact the IT Service Desk if you have questions.

Policy ID

054-0001

Effective Date

August 5, 2019

Division

Office of the Provost

Office of Primary Responsibility

Information, Technology and Consulting (ITC)

Last Reviewed Date

August 5, 2019

Next Review Date

2022