Information Security Policy

Purpose and Scope

Information is a critical asset of Babson College (“the College”) and the protection of information assets is the primary goal of this Information Security Policy. All information created by or used in support of the College’s business is considered College information. Minimizing the risks associated with accidental, malicious or unauthorized disclosure, misuse, modification, destruction, loss and/or damage of this information is a goal the College is committed to achieving.

By identifying and monitoring security risks and mitigating those risks through the implementation of information security controls, the information security posture of the College is heightened and trust is established between the College and its various constituents and regulators.

Policy and Controls

This policy is established to protect the assets and interests of the College, to increase overall information security awareness, and to ensure a coordinated approach for implementing, managing and maintaining a control environment based on industry best practices. This policy sets the direction for protecting the information assets created and maintained by Babson’s faculty, staff, students, alumni, affiliates, and third-party service providers. The objective of this policy is to align, over time and given available resources, College practices and policies with the industry-standard information security framework published by ISO (International Organization for Standardization)/IEC (International Electrotechnical Commission) 27002, the recognized standard for the Babson College security program. This set of standards addresses various security requirements including risk assessment and treatment, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, incident management, business continuity and compliance.

Information security controls will be developed, updated, and published to ensure College information is adequately protected. These controls will be reviewed and updated as needed to ensure continued compliance with industry best practices and regulatory requirements. The information security controls apply to all departments, information processing platforms and systems owned, leased or managed by Babson College or by third parties acting on behalf of the College.

Information Security Governance

Additional details supporting this Information Security Policy are included in the Written Information Security Plan (WISP). The WISP sets forth College procedures for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Personal Information (as defined in the WISP).

The WISP is managed by the Information Security Officer & Enterprise Architect with oversight and direction from the College’s IT Steering Committee. The Chief Information Officer has overall responsibility for maintaining the information security program at the College and the Information Security Officer & Enterprise Architect has College-wide authority to conduct activities to secure the infrastructure and information assets as necessary to align with this policy and the WISP.

Approved by IT Steering Committee

May 10, 2018
