Information Technology Services

Dartmouth Information Security Policy

Approved by Academic Planning Committee on May 3, 2012

Details

The goal of Dartmouth's Information Security Policy is to protect the institution's confidential information. Faculty and staff have key roles in safeguarding critical information by implementing information security policies, standards, and controls. To this end, Dartmouth has adopted a comprehensive security policy for the processing, sharing, and storage of information, including electronic, paper, and other media. This policy is embodied in Dartmouth's Information Security Objectives, a matrix of risk-based security controls, attached to this article.

All Dartmouth offices and employees (faculty and staff) must comply with institutional information security policy, and apply the standards and controls that are applicable to the Dartmouth information they manage and use. Students, alumni, and others who have access to Dartmouth confidential information must also comply with this policy. Applicability is determined by the nature of the information, the risks of unauthorized disclosure or corruption of the information, and relevant regulatory requirements. Personally owned information is not subject to this policy.

Most of the security controls are already in place, or easily implemented. However, in certain circumstances, some security requirements may be difficult to configure, and the Chief Information Security Officer (CISO) will work with concerned parties to implement the security controls within a two-year period. Waivers from compliance with certain security controls may be requested via application to DISC (the Dartmouth Information Security Committee) through the CISO. All new IT systems must comply with the security policy and meet its standards and controls upon implementation.

Guidelines for Dartmouth Community and the DISC Information Security Control Objectives (DISC Policy)

Security Resources available include:

Data Security Level Definition

  • Level 0 - Data meant for public disclosure is defined as Level 0. 
  • Level 1 - Data with no confidentiality classification, but not intended for public disclosure, is considered Level 1 data. This is general business data for use within Dartmouth, and protected at a baseline level of control (available to the Dartmouth community via authenticated IT access, or authorized physical access to Dartmouth facilities).
  • Level 2 - Data classified as Level 2 are data that can be shared only with individuals deemed to have a 'need to know' as defined by the data owner.
  • Level 3 - Data classified as Level 3 are strictly confidential, requiring the highest level of sensitivity. This includes FERPA data, personally identifiable information (PII), personal health information (PHI), and credit card information (PCI), among others.

Topic: Policies
Subtopic: FAQ
Last updated: Monday, February 6, 2017

If you have questions or need further information, contact your department's IT support office, or contact the IT Service Desk via email at help@dartmouth.edu, via phone at 603-646-2999 or walk in to see them in Baker/Berry 178J.
