Written Information Security Program Policy
Purpose
Policy #6.45: The purpose of this WISP is to better:
- Ensure the security, confidentiality, integrity, and availability of personal information Hartwick College collects, creates, uses, and maintains;
- Protect against any reasonably anticipated threats to the security, confidentiality, integrity, or availability of such information;
- Protect against unauthorized access to or use of personal information maintained by Hartwick College in a manner that could result in substantial harm or inconvenience to any customer or employee; and
- Define an information security program that is appropriate to Hartwick College’s size, scope, and business, and to its available resources.
Policy Scope
This policy applies to all employees, faculty, and students in the Hartwick College community who have access to Hartwick College information and technology assets.
Responsible Office
Information Technology
A Written Information Security Program (“WISP”) is a compliance requirement for various laws, mandates and regulations blanketing Higher Education. Higher education institutions are subject to the provisions of the Gramm Leach Bliley Act (GLBA) related to the administrative, technical, and physical safeguarding of customer records and information as specified in the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information ruling, known as the Safeguards Rule, which requires all covered financial institutions to have in place a comprehensive, written information security program.
Hartwick College strives to implement the appropriate and effective safeguards that an effective information security program requires. The College has adopted the NIST and CMMC information security frameworks, which are industry-leading approaches widely used within higher education. The National Institute of Standards and Technology (NIST) publications and the Cybersecurity Maturity Model Certification (CMMC) are commonly used in conjunction with one another to establish the controls, procedures, and processes that improve an information security program.
The objective of Hartwick College, in the development, maintenance and implementation of this comprehensive written information security program (“WISP”) is to create effective administrative, technical, and physical safeguards for the protection of personal information of our employees, faculty, and students. This WISP sets forth Hartwick College’s procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.
This WISP applies to all employees, faculty, and students in the Hartwick College community who have access to Hartwick College information and technology assets. Such assets include, but are not limited to, computers, data, images, text, and software, whether stored on hardware, paper, or other storage media. Additionally, it applies to any records that contain personal information in any format and on any media.
The Hartwick College WISP is a standard of security practices to maintain the confidentiality and integrity of information assets and to protect them from unauthorized deletion or disclosure; if mishandled, such assets could compromise the mission of the College, violate privacy rights, and possibly constitute a criminal act. The WISP applies to the following:
- Central and departmentally managed College information assets.
- All users employed by the College or any other person with access to College information assets.
- All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g. physical or electronic).
- Information technology facilities, applications, hardware systems, and network resources owned or managed by the College.
It is the collective responsibility of all users to ensure:
- Confidentiality of information, which the College must protect from unauthorized access.
- Integrity and availability of information stored on or processed by College information systems.
- Compliance with applicable laws, regulations, and College policies governing information security and privacy protection.
Hartwick College has an institutional obligation to protect and secure the data and information of its customers and campus community members. Ineffective security programs, breach or loss of data and unauthorized disclosure of data can lead to severe consequences, including fines, negative publicity and even criminal charges. The data Hartwick College collects and stores is only to be used for purposes necessary to fulfill academic and business needs.
Personally Identifiable Information (PII)
For purposes of this WISP, “personal information” means data that includes either first and last name or first initial and last name in combination with any one or more of the following data elements, or any of the following data elements standing alone or in combination, if such data elements could be used to commit identity theft against the individual:
- Social Security number;
- Hartwick-issued Unique ID Number;
- Driver’s license number, other government-issued identification numbers, including passport number or tribal identification number;
- Account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the individual’s financial account.
- Health insurance identification number, subscriber identification number, or other unique identifier used by an insurance or fringe benefit provider.
- Biometric data collected from the individual and used to authenticate the individual during a transaction, such as an image of a fingerprint, retina, or iris; or
- Email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, fringe benefit, employment, or financial account.
Personal information does not include lawfully obtained information that is available to the general public, including publicly available information from federal or local government records.
Controlled Unclassified Information (CUI)
CUI is government-created or -owned information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies. As instances of data and information breaches rise, it is vital that institutions of higher education (IHEs) protect the Controlled Unclassified Information (CUI) used in the administration of federal student aid programs authorized under Title IV of the Higher Education Act. Most data sourced from the Department of Education and Federal Student Aid, and the information used in the administration of Title IV programs, is considered CUI.
Hartwick has designated an Information Security Coordinator responsible to implement, coordinate, and maintain this WISP. This designated employee (the “Information Security Coordinator”) will be accountable and responsible for ensuring the effective implementation and maintenance of this WISP.
In collaboration with other campus community members and stakeholders, the Information Security Coordinator will lead efforts to communicate risks, projects, and other needs relevant to the effective management of the WISP as appropriate including:
- Assessing internal and external risks to personal information and maintaining related documentation, including risk assessment reports and remediation plans;
- Coordinating the development, distribution, and maintenance of information security policies and procedures;
- Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal information;
- Ensuring that the safeguards are implemented and maintained to protect personal information throughout the campus community, where applicable;
- Overseeing service providers that access or maintain personal information;
- Monitoring and testing the information security program’s implementation and effectiveness on an ongoing basis;
- Defining and managing incident response procedures;
- Establishing and managing enforcement policies and procedures for this WISP, in collaboration with Hartwick College’s Information Technology Committee and Senior Leadership Team;
- Developing and conducting employee and contractor Security Awareness training;
- Providing periodic training regarding this WISP, institutional safeguards, and relevant information security policies and procedures for all employees, faculty, students, and contractors who have or may have access to personal information, to ensure users are made aware of the security risks associated with their activities and with the security systems and networks (NIST SP 800-171 REV 2 3.2.1/CMMC AT.L2 3.2.1) (NIST SP 800-171 REV 2 3.2.3/CMMC AT.L2 3.2.3);
- Providing training on the WISP and relevant policies and procedures at least annually, through a variety of training and awareness methods as appropriate;
- Ensuring that training attendees formally acknowledge their receipt and understanding of the training and related documentation for the WISP on an annual basis.
- Reviewing the WISP and the security measures defined herein at least annually, or whenever there is a material change in business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal information and update security plans as appropriate (NIST SP 800-171 REV 2 3.12.4/CMMC AT.L2 3.12.4);
- Defining and managing an exceptions process to review, approve or deny, document, monitor, and periodically reassess any necessary and appropriate, business-driven requests for deviations from this WISP or information security policies and procedures.
- Periodically reporting to the Senior Leadership Team regarding the status of the information security program and safeguards to protect personal information.
Risk assessments vary in scope, methodology and delivery, but in conjunction with other assessments, they are extremely critical to The College’s comprehensive understanding of the many risks facing the institution. A sound information security program will utilize risk assessments to help guide and steer its overall security strategy to remediate or mitigate discovered vulnerabilities and risks.
As a part of developing and implementing this WISP, Hartwick College will conduct a documented risk assessment on a regular basis, or whenever there is a material change in College business practices that may implicate the security, confidentiality, integrity, or availability of records containing personal information. (NIST SP 800-171 REV 2 3.11.1/CMMC AT.L2 3.11.1)
The risk assessment shall:
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing personal information.
- Assess the likelihood and potential damage that could result from such threats, taking into consideration the sensitivity of the personal information.
- Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified (NIST SP 800-171 REV 2 3.11.2/CMMC AT.L2 3.11.2).
- Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to (NIST SP 800-171 REV 2 3.12.1/CMMC AT.L2 3.12.1):
o Employee, student, and contractor training and management;
o Employee, student, and contractor compliance with this WISP and related policies and procedures;
o Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal; and
o Hartwick College’s ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
Following each risk assessment, the College will:
- Design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks;
- Reasonably and appropriately address any identified gaps and remediate threats in accordance with risk assessments (NIST SP 800-171 REV 2 3.11.3/CMMC AT.L2 3.11.3);
- Regularly monitor the effectiveness of The College’s safeguards, as specified in this WISP.
As part of this WISP, Hartwick College will develop, maintain, and distribute information security policies and procedures in accordance with applicable laws and standards to relevant employees, students, and contractors, to:
- Detail the implementation and maintenance of The College’s administrative, technical, and physical safeguards.
- Provide privacy and security notices consistent with applicable rules, laws and regulations. (NIST SP 800-171 REV 2 3.1.9/CMMC AT.L2 3.1.9)
- Identify, report, and correct information and information system flaws in a timely manner (NIST SP 800-171 REV 2 3.14.1/CMMC AT.L2 3.14.1)
Hartwick College will also establish policies regarding:
- The collection of personal information that is reasonably necessary to accomplish The College’s legitimate business transactions or to comply with any and all federal or local regulations;
- The storage of personal information, which is limited to the time reasonably necessary to accomplish The College’s legitimate business transactions or to comply with any and all federal or local regulations;
- Information classification;
- Information handling practices for personal information, including the storage, access, disposal, and external transfer or transportation of personal information;
- User access management, including identification and authentication (using passwords or other appropriate means);
- Encryption;
- Computer and network security;
- Incident Reporting and Response;
- USB/External Storage Devices (NIST SP 800-171 REV 2 3.1.21/CMMC AT.L2 3.1.21);
- Physical security, including:
o Limiting physical access to organizational systems, equipment, and the respective operating environments to authorized individuals only (NIST SP 800-171 REV 2 3.10.1/CMMC AT.L2 PE.1.131);
o Ensuring that all non-authorized individuals will be escorted, monitored, and required to sign in and out of any secure facilities or locations housing Controlled Unclassified Information (CUI), Personal Identifiable Information (PII), or Critical Infrastructure (NIST SP 800-171 REV 2 3.10.3/CMMC AT.L2 3.10.3);
o Recording visits and maintaining physical audit logs (NIST SP 800-171 REV 2 3.10.4/CMMC AT.L2 3.10.4).
Hartwick College will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of personal information that The College owns or maintains on behalf of others.
- Safeguards shall be appropriate to the size, scope, and business; its available resources; and the amount of personal information that is owned or maintained on behalf of others, while recognizing the need to protect both customer and employee information;
- Hartwick College shall document its administrative, technical, and physical safeguards in information security policies and procedures;
- Hartwick College shall implement Segregation of Duties;
- Administrative safeguards and technical safeguards shall include appropriately configured controls and processes that match and align with the necessary requirements needed for effective security, which may include:
o Designating one or more employees to coordinate the information security program;
o Identifying reasonably foreseeable internal and external threats, and assessing whether existing safeguards adequately control the identified risks;
o Training employees in security program practices and procedures with management oversight;
o Selecting third party service providers that are capable of maintaining appropriate safeguards and requiring service providers to maintain safeguards by contract;
o Adjusting the information security program in light of business changes or new circumstances;
o Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords (ensuring that passwords are kept in a location or format that does not compromise security) or by using other technologies, such as biometrics or token devices;
o Restricting access to active users and active user accounts only, including preventing terminated employees or contractors from accessing systems or records;
o Blocking access to a particular user identifier after multiple unsuccessful attempts to gain access or placing limitations on access for the particular system. (NIST SP 800-171 REV 2 3.1.8/CMMC AT.L2 3.1.8);
o Limiting use of portable storage devices (NIST SP 800-171 REV 2 1.3.1/CMMC AT.L2 1.3.1).
- Secure access control measures may include:
o Identifying system users, processes acting on behalf of users, and devices (NIST SP 800-171 REV 2 3.5.1/CMMC AT.L2 3.5.1);
o Limiting system access to authorized users, processes acting on behalf of authorized users, and devices, including other information systems. (NIST SP 800-171 REV 2 3.1.1/CMMC AT.L2 3.1.1);
o Limiting system access to the types of transactions and functions that authorized users are permitted to execute. (NIST SP 800-171 REV 2 3.1.2/CMMC AT.L2 3.1.2);
o Restricting access to records and files containing personal information based upon the principle of least privilege;
o Limiting access to systems containing PII to authorized users, as configured and enforced by the systems/ERP application, and auditing that access on an annual basis;
o Ensuring that CUI is only permitted to flow from the server to end user based on approved authorization (NIST SP 800-171 REV 2 3.1.3/CMMC AT.L2 3.1.3);
o Assigning unique identifiers and passwords (or other authentication means) to each individual with computer or network access that are reasonably designed to maintain security;
o Using non-privileged accounts or roles when accessing nonsecurity functions. (NIST SP 800-171 REV 2 2.3.1/CMMC AT.L2 2.3.1);
o Separating the duties of individuals to reduce the risk of malevolent activity without collusion (NIST SP 800-171 REV 2 3.1.4/CMMC AT.L2 3.1.4);
o Preventing non-privileged users from executing privileged functions and capturing the execution of such functions in audit logs (NIST SP 800-171 REV 2 3.1.7/CMMC AT.L2 3.1.7);
o Terminating (automatically) user sessions after a defined condition (NIST SP 800-171 REV 2 3.1.11/CMMC AT.L2 3.1.11);
o Ensuring that least privilege administration is regularly practiced on systems and applications, and that privileged access is reviewed annually or after any system changes or significant upgrades (NIST SP 800-171 REV 2 3.4.6/CMMC AT.L2 3.4.6);
o Employing the principle of least privilege, including for specific security functions and privileged accounts. (NIST SP 800-171 REV 2 3.1.5/CMMC AT.L2 3.1.5);
o Ensuring privileged user account will only be used when performing privileged tasks and responsibilities;
o Ensuring privileged users will maintain separate accounts in order to limit privileged access to privileged tasks only. (NIST SP 800-171 REV 2 3.1.6/CMMC AT.L2 3.1.6);
o Requiring MFA for all network access for all accounts and local access for privileged accounts. (NIST SP 800-171 REV 2 3.5.3/CMMC AT.L2 3.5.3);
o Utilizing replay resistant authentication mechanisms. (NIST SP 800-171 REV 2 3.5.4/CMMC AT.L2 3.5.4);
o Not reusing identifiers (NIST SP 800-171 REV 2 3.5.5/CMMC AT.L2 3.5.5);
o Disabling user accounts after a defined period of time. (NIST SP 800-171 REV 2 3.5.6/CMMC AT.L2 3.5.6);
o Enforcing a minimum password complexity and change of characters when new passwords are created. (NIST SP 800-171 REV 2 3.5.7/CMMC AT.L2 3.5.7);
o Maintaining audit logs and records that are created and retained to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity (NIST SP 800-171 REV 2 3.3.1/CMMC AT.L2 3.3.1).
- Segregation of Duties may include:
o Ensuring segregation of duties based on The College’s internal User Roles and Responsibilities table, encompassing the auditing of system activity, events, and administrator access to different systems and functions;
o Auditing to ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions (NIST SP 800-171 REV 2 3.3.2/CMMC AT.L2 3.3.2);
o Providing a secure access environment by enforcing segregation of duties where appropriate and possible.
- Secure Remote Access/Connection to Systems and Networks may include:
o Verifying, controlling, and limiting connections to and use of external information systems (NIST SP 800-171 REV 2 3.1.20/CMMC AT.L2 3.1.20);
o Authorizing wireless access prior to allowing such connections (NIST SP 800-171 REV 2 3.1.16/CMMC AT.L2 3.1.16);
o Monitoring and controlling remote access sessions (NIST SP 800-171 REV 2 3.1.12/CMMC AT.L2 3.1.12);
o Routing remote access via managed access control points (NIST SP 800-171 REV 2 3.1.14/CMMC AT.L2 3.1.14);
o Protecting wireless access using authentication and encryption (NIST SP 800-171 REV 2 3.1.17/CMMC AT.L2 3.1.17);
o Employing cryptographic mechanisms to protect the confidentiality of remote access sessions. (NIST SP 800-171 REV 2 3.1.13/CMMC AT.L2 3.1.13);
o Authorizing remote execution of privileged commands and remote access to security-relevant information. (NIST SP 800-171 REV 2 3.1.15/CMMC AT.L2 3.1.15);
o Controlling connection of mobile devices (NIST SP 800-171 REV 2 3.1.18/CMMC AT.L2 3.1.18).
- Login and Access behavior safeguards may include:
o Limiting unsuccessful login attempts (NIST SP 800-171 REV 2 3.1.8/CMMC AT.L2 3.1.8);
o Using session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity (NIST SP 800-171 REV 2 3.1.10/CMMC AT.L2 3.1.10).
- Encryption as a safeguard may include:
o Encryption of all CUI;
o Encryption (Data in Transit & at Rest) of all personal and CUI information traveling across networks, including email, as well as personal and CUI in storage on laptops, desktops, and mobile devices. (NIST SP 800-171 REV 2 3.13.8/CMMC AT.L2 3.13.8);
o Using encrypted sessions for the management of network devices (CMMC AT.L2 SC.2.179);
o Encrypting CUI on mobile devices and mobile computing platforms (NIST SP 800-171 REV 2 3.1.19/CMMC AT.L2 3.1.19).
- System Monitoring, Prevention, and Detection safeguards may include:
o Reasonable system monitoring for preventing, detecting, and responding to unauthorized use of or access to personal information, or to other attacks or system failures;
o Reasonably current firewall protection and software patches for systems that contain (or may provide access to systems that contain) personal information, together with malicious code protection on those systems (NIST SP 800-171 REV 2 3.14.2/CMMC AT.L2 3.14.2);
o Configuring firewall and malicious code protection to update automatically (NIST SP 800-171 REV 2 3.14.2/CMMC AT.L2 3.14.2) (NIST SP 800-171 REV 2 3.14.6/CMMC AT.L2 3.14.6);
o Reasonably current system security software (or a version that can still be supported with reasonably current patches and malware definitions) that (1) includes malicious software (“malware”) protection with reasonably current patches and malware definitions, and (2) is configured to receive updates on a regular basis (NIST SP 800-171 REV 2 3.14.2/CMMC AT.L2 3.14.2);
o Controlling information posted or processed on publicly accessible information systems (NIST SP 800-171 REV 2 3.1.22/CMMC AT.L2 3.1.22).
- Physical safeguards shall, at a minimum, provide for:
o Defining and implementing reasonable physical security measures to protect areas where personal information may be accessed, including reasonably restricting physical access and storing records containing personal information in locked facilities, areas, or containers;
o Preventing, detecting, and responding to intrusions or unauthorized access to personal information, including during or after data collection, transportation, or disposal;
o Securely disposing of or destroying personal information, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards, and sanitizing or destroying information system media containing private or regulatory-restricted data before disposal or release for reuse (NIST SP 800-171 REV 2 3.8.3/CMMC AT.L2 3.8.3).
Reasonable steps will be taken to select, retain and oversee each third party service provider that may have access to or otherwise create, collect, use, or maintain personal information on its behalf by:
- Evaluating the service provider’s ability to implement and maintain appropriate security measures consistent with this WISP and all applicable laws, regulations, mandates and institutional policy and obligation; (Evaluation may include review of service provider security documentation including HECVAT, VPAT, SOC reports, ISO Certifications, etc.);
- Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this WISP and all applicable laws, regulations, mandates and institutional policy and obligations;
- Monitoring and auditing the service provider’s performance to verify compliance with this WISP and all applicable laws, regulations, mandates and institutional policy and obligations.
Testing and monitoring of the implementation and effectiveness of the information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal information shall be conducted regularly. Any identified gaps shall be addressed reasonably and appropriately.
Hartwick College will establish and maintain policies and procedures regarding information security incident response. Such procedures shall include:
- The preparation, detection, analysis, containment, recovery and user response activities (NIST SP 800-171 REV 2 3.6.1/CMMC AT.L2 3.6.1);
- Specific response actions to security alerts shall be conducted either by institution personnel or contracted third party SOC provider (NIST SP 800-171 REV 2 3.14.3/CMMC AT.L2 3.14.3);
- Monitoring of alerts by institution personnel or third party SOC (NIST SP 800-171 REV 2 3.14.3/CMMC AT.L2 3.14.3);
- Appropriately acting upon alerts by institution technology and security personnel. (NIST SP 800-171 REV 2 3.14.3/CMMC AT.L2 3.14.3);
- Ensuring the analysis and triage of events to support event resolution and incident declaration (CMMC AT.L2 IR.2.094);
- Documenting the response to any security incident or event that involves a breach of security;
- Performing a post-incident review of events and actions taken;
- Reasonably and appropriately addressing any identified gaps.
Violations of the Written Information Security Program (WISP) may result in disciplinary action in accordance with information security policies and College policies, including, but not limited to the General Rules of Conduct for Employees; User Responsibility and Appropriate Use; and Confidentiality policies.
Hartwick College will review this WISP and the security measures defined herein at least annually, or whenever there is a material change in The College’s business practices that may reasonably implicate the security, confidentiality, integrity, or availability of institutional assets and data.
- Hartwick College shall retain documentation regarding any such program review, including any identified gaps and action plans;
- Hartwick College will track, review, approve, or disapprove, and log changes to organizational systems (NIST SP 800-171 REV 2 3.4.3/CMMC AT.L2 3.4.3);
- Prior to approving and implementing any system changes, Hartwick College will analyze the security impact of such requested or required change (NIST SP 800-171 REV 2 3.4.4/CMMC AT.L2 3.4.4).
Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies.
Cybersecurity Maturity Model Certification (CMMC): An assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology.
Encryption: A process that scrambles readable text so it can only be read by the person who has the secret code, or decryption key.
Higher Education Community Vendor Assessment (HECVAT): The Higher Education Community Vendor Assessment Tool, or HECVAT, is a questionnaire tool intended to help higher education institutions assess their vendor risk.
Incident Response: The preparation, detection, analysis, containment, and recovery activities to support incident declaration/resolution.
Information/Data Classification: The process of categorizing data assets based on their information sensitivity.
International Organization for Standardization (ISO): ISO certification is a credential that validates a business’s fulfillment of requirements relating to quality process standards as defined by the International Organization for Standardization (ISO).
Least Privilege: A concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform their functions.
Malware: Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Multi Factor Authentication (MFA): A security technology that requires multiple methods of authentication from independent categories of credentials to verify a user’s identity for a login or other transaction.
National Institute of Standards & Technology (NIST): The US National Institute of Standards and Technology, whose publications (such as SP 800-171) provide guidelines for mitigating cybersecurity risks based on industry standards, guidelines, and best practices.
Personal Identifiable Information (PII): Information that, when used alone or with other relevant data, can identify an individual.
Risk Assessment: A process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business.
Safeguards: Appropriately configured controls and processes that match and align with the necessary requirements needed for effective security.
Security Incident: An event that may indicate that an organization’s systems or data have been compromised or that measures put in place to protect them have failed.
Service Provider: A vendor that provides IT solutions and/or services to end users and organizations.
Service Organization Controls (SOC): A service organization controls (SOC) report is a type of audit that ensures internal controls and best practices are being met by an organization. The controls audited can be related to finances, trust services, security, integrity, privacy, confidentiality, and availability.
Voluntary Product Accessibility Template (VPAT): A Voluntary Product Accessibility Template (VPAT) is a template containing information regarding how an information and communications technology product or service conforms with Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794 (d)).
Vulnerabilities: An unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.
Written Information Security Program (WISP): Policies, procedures and processes to ensure effective administrative, technical and physical safeguards for protection of employees, faculty, and student data.