Policies
This folder contains ITS policies
-
General Data Protection Regulation (GDPR)
Curry College General Data Protection Regulation (GDPR) Privacy Notice
Last Edited: June 7, 2019

1.0 Background
The General Data Protection Regulation (EU) 2016/679 (GDPR) is European Union (EU) law on data protection and privacy for all individuals within EU and European Economic Area (EEA) Member States. The GDPR also addresses the export of Personal Data outside the EU/EEA. The GDPR gives individuals control over their Personal Data.

2.0 Overview & Purpose
This privacy notice describes how Curry College collects and processes Personal Data through Curry websites, systems and applications, how this information is protected, and the rights of a natural person (data subject) to control this information. Curry College is committed to respecting and protecting the privacy rights of persons in the EU and EEA and those EU/EEA residents/citizens that provide Personal Data to the College. The GDPR defines these as the rights of access, rectification, erasure, notification, restriction, data portability, and rejection of automated decision making.

3.0 Scope
The GDPR is a data protection regulation that applies broadly to the processing of Personal Data relating to an identified or identifiable natural person (data subject) within the EU and EEA (regardless of citizenship). Personal Data, as used in this notice, is defined in the College’s Written Information Security Program [WISP; posted at https://my.curry.edu/group/mycampus/policies/wisp].

Data Protection Principles
In compliance with the GDPR requirements that data be collected, processed and maintained in compliance with articulated standards, Curry College has a policy of collecting only data germane to the support of its mission and to maintaining the required operations of the College. Incidental data are not collected beyond those that are explicitly and implicitly collected in the service of College operations and functions. Curry retains Personal Data as required by law and as further defined by the Curry Records Retention and Destruction Policy [posted at https://my.curry.edu/group/mycampus/help/record-retention].

Accountability and Governance
The Institutional Information Security Workgroup, chaired by the College’s Chief Information Officer (CIO), has overall responsibility for the College’s compliance with data security laws, regulations and policies, and through delegation and oversight is responsible for related implementation, oversight, training, auditing, and, in collaboration with the College Counsel, responding to requests from data subjects.

Acknowledgement
Residents and citizens of EU/EEA Member States who process Personal Data through the College as employees or students will be asked to sign an Acknowledgement of their rights under GDPR, as will faculty, staff and students that travel to EU/EEA Member States for study away or other employment- or academic-related purposes.

Contact
If you have questions or concerns regarding the way in which your Personal Data has been used, or would like to exercise your data subject right(s), please contact the Data Privacy Officer, Deborah Gelch, at support@curry.edu. You will receive a response within 30 days.
-
Mobile Computer Program Policy
Introduction:
Mobile technology is no longer the future of education—it is here. Colleges across the country are embracing the opportunities provided by mobile technology to expand student learning and faculty efficiency. As part of this new environment, Curry College is revising its procedures and policies regarding purchasing, maintaining, and supporting computers provided to our employees.

Eligible employees will receive mobile Windows devices with all issued accessories in lieu of a desktop computer when their current computer is due for replacement under the College’s regular replacement cycle. Employees wishing to request an Apple computer must submit a business justification to their Executive team member justifying the need for the more expensive device. The justification must include rationale pertaining to work functionality that Apple devices have over the Windows counterpart. The employee must agree to the usage policies outlined below with regard to the College-issued computer. The department requesting the Apple device must furnish ITS with the appropriate budget code as well as the signed justification.

Conditions:
Employees may opt to obtain a College-issued mobile computer in lieu of a desktop computer under the following conditions:
1. A mobile computer is considered a complete system purchased in place of an office desktop computer. The College will not provide peripheral equipment other than what is specifically outlined on the portal, since the list may change at any time. The current list is posted on the portal.
2. The same replacement guidelines for a desktop computer will apply to a mobile computer.
3. Mobile computers are considered College property and should be treated as such.
4. Employees can select a mobile computer from the choices set forth by the Technology Center (see item 1 above), which are chosen on the basis of availability, compatibility with campus systems, cost effectiveness, and other such considerations.
5. Eligible employees need to opt for a mobile computer during the established timeframe, which is typically during the late spring or summer. Employees will be contacted by e-mail when they are eligible and must meet the stated deadline for selection.

Responsibilities:
Employee must:
- Secure any sensitive data according to FERPA, HIPAA and PCI standards, as well as the Curry network policy, which can be found in the Employee Handbook
- Establish a password that has a minimum of 8 characters (a combination of numbers and letters, including one capital)
- Ensure that the computer remains encrypted (if the computer supports encryption)
- Work with the Tech Center or contact the appropriate vendor for all support in the event of a hardware problem. Vendor contact information will depend on the brand of computer you have been provided and will be available to you within the Curry portal
- Return the laptop (including all issued peripherals) to the Technology Center upon separation from the College or when a replacement is issued
- Back up data regularly. See recommended backup options on the Curry College portal

Employee must NOT:
- Install any software that is unrelated to professional work
- Install any unlicensed or illegal software
- Download or install any unlicensed or illegal files
- Cancel or disable encryption, firewall, security, Windows updates or antivirus update programs
- Allow others to use the mobile computer

The Tech Center is responsible for:
- Selecting appropriate mobile computer models and warranty programs
- Purchasing the mobile computer and any applicable warranty
- Initially configuring the mobile computer for office use
- Initially setting security updates and antivirus updates to load automatically (if possible)
- Encrypting the mobile computer (if possible)
- Providing a loaner mobile computer (for no more than 7 days) if your unit needs to be sent out for repairs. Due to limited availability, a similar computer (or any computer) is not guaranteed to be available
- Assisting with routine support, diagnostics and sending out for repairs (if necessary), provided that the computer is brought to the Tech Center

NOTE: Repairs to your mobile computer may require resetting the computer to its original condition. The Tech Center will not be responsible for any files or software that you may have installed.

The Tech Center is NOT responsible for:
- Assisting with home internet connectivity or connections to home wireless networks, printers, scanners or other external hardware
- Backing up or restoring your files, data or software you have added
- Data losses, including loss from a system re-image, maintenance or restoration
- Costs for any software not included as part of the original package
- Purchase of accessories, such as additional batteries, monitors, keyboards, mice, carrying cases, etc.

Theft or Loss Conditions:
Mobile computers are more susceptible to theft than desktop computers. Employees who elect to have a laptop in place of a desktop computer are expected to take particular care to ensure the security of their laptop. Replacement of stolen College laptops will be considered on an individual basis by the Dean’s Office (for faculty) or the employee’s senior staff member. There is no guarantee that you will be issued a mobile computer. Employees must report any theft to the proper authorities immediately (Public Safety for on-campus theft; local law enforcement and Public Safety for off-campus theft). In addition, employees must always notify the Technology Center immediately of loss or theft.
-
Password Policy
Curry College Password Policy
Modified on: Wed, July 24, 2024

Overview
Passwords are an important aspect of account and data access security. A poorly chosen password may result in unauthorized access and/or exploitation of Curry's resources. All users, including contractors and vendors with access to Curry’s systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose
This policy establishes a standard for the creation of strong passwords, their protection, and the frequency of change. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Curry College facility, or who use or otherwise access or interact with the Curry College network or any Curry College technology information resource.

Policy
Any and all passwords, including initial passwords, must meet the following requirements when technically feasible:
- must have a minimum length of 14 characters
- must contain a mixture of both upper- and lower-case characters
- must include at least one (1) number and one (1) special character
- must be changed at least every 120 days
- must lock a User Account after ten (10) invalid login attempts, and will require an authorized administrator to unlock the account
- must be forced to be changed upon first use
- must keep history for at least two (2) previous passwords
- must not be anything that can be easily tied back to the account owner, such as: username, social security number, nickname, relative’s names, birth date, etc.

Passwords must be encrypted during transmission and storage, including automation, scripting, and password-remembering features. A screensaver or a power timeout shall be configured for no greater than 30 minutes of idle activity to the extent technically feasible, and such timeout shall require password re-entry. Always use different passwords for Curry College accounts from other non-Curry College access. Default passwords must be changed prior to system use. User account passwords must not be shared with anyone. Computing devices must not be left unattended without enabling a password-protected screensaver or logging off the device.

If the User suspects or has reason to know that the security of a password may be compromised, the password must be changed immediately. Users should immediately report the discovery to the Curry College ITS Help Desk at 617-333-2911.

Revision History
CISO – July 2024
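The password requirements above, written out as a checker that a provisioning script or help desk tool could run before accepting a new password or deciding whether an account needs action. This is an added example, not code from Curry College or any Curry system; the function names, the constructed DEFAULT_PASSWORDS list and the sample account values are assumptions.

```python
"""Checks that implement the password rules stated in the policy above.

Added example for illustration, not code from Curry College or any Curry
system. The function names, the constructed DEFAULT_PASSWORDS list and the
sample values under __main__ are assumptions, not values from the policy.
"""
from datetime import date, timedelta
import hashlib
import os
import re

MIN_LENGTH = 14        # "minimum length of 14 characters"
MAX_AGE_DAYS = 120     # "changed at least every 120 days"
LOCKOUT_ATTEMPTS = 10  # "lock a User Account after ten (10) invalid login attempts"
HISTORY_DEPTH = 2      # "keep history for at least two (2) previous passwords"
PBKDF2_ROUNDS = 100_000

# Constructed illustration of vendor defaults that "must be changed prior to system use".
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome1"}


def _squash(text):
    """Lower-case and drop punctuation so 'J. Doe' and 'jdoe' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def history_entry(password):
    """Salted PBKDF2 digest to keep in the password history (never the password itself)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches_entry(password, entry):
    salt, digest = entry
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest


def password_violations(candidate, username, identifiers=(), history=()):
    """Return the policy rules the candidate breaks; an empty list means compliant.

    identifiers: other details that can be tied back to the owner (nickname,
    relatives' names, birth date, SSN, ...). history: (salt, digest) tuples
    from history_entry(), oldest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)):
        problems.append("needs both upper- and lower-case characters")
    if not re.search(r"\d", candidate):
        problems.append("needs at least one number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs at least one special character")
    if candidate.lower() in DEFAULT_PASSWORDS:
        problems.append("is a vendor default password")
    squashed = _squash(candidate)
    for ident in (username, *identifiers):
        token = _squash(ident)
        if len(token) >= 3 and token in squashed:
            problems.append(f"can be tied back to the account owner ({ident!r})")
    # Only the most recent HISTORY_DEPTH entries count, as the policy requires.
    if any(_matches_entry(candidate, e) for e in list(history)[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return problems


def account_actions(failed_attempts, last_changed_iso, today_iso, first_use=False):
    """Account-level rules: lockout, forced change on first use, 120-day expiry.

    Dates are ISO strings (YYYY-MM-DD) so the function is easy to call from
    scripts that read them out of a directory export.
    """
    actions = []
    if failed_attempts >= LOCKOUT_ATTEMPTS:
        actions.append("lock account; an authorized administrator must unlock it")
    if first_use:
        actions.append("force password change on first use")
    else:
        age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
        if age > timedelta(days=MAX_AGE_DAYS):
            actions.append(f"password older than {MAX_AGE_DAYS} days; force change")
    return actions


if __name__ == "__main__":
    # Constructed sample account, not real data.
    previous = [history_entry("OldPassw0rd!2023x"), history_entry("OldPassw0rd!2024x")]
    print(password_violations("Curry2024", "jdoe"))
    print(password_violations("OldPassw0rd!2024x", "jdoe", history=previous))
    print(password_violations("Tq7#river-Lantern", "jdoe", ["J. Doe", "1990-04-12"], previous))
    print(account_actions(10, "2024-01-01", "2024-07-24"))
```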
-
WISP
Curry College Written Information Security Program (WISP)
Last Edited: July 15, 2021

Policy Statement
The Curry College Written Information Security Program (WISP) is intended as a set of basic safeguards to protect the confidentiality, integrity, and availability of sensitive information collected and maintained by the College, and to comply with applicable laws and regulations on the protection of that paper and electronic data, whether at rest (in databases, spreadsheets, archives, storage devices, paper, cloud storage, backups, flash storage, laptops and portable devices) or in motion (through wireless networks, paper in transport, the internet or a private network).

Overview & Purpose
The information security program outlines the administrative, technical and physical safeguards to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle sensitive information. The WISP was implemented to comply with the following regulations (not an exhaustive list):
- Standards For The Protection Of Personal Information Of Residents Of The Commonwealth, 201 CMR 17.00
- Massachusetts regulations to safeguard personal information, M.G.L. c. 93H et seq. and 940 CMR 27.00
- Federal Trade Commission, Privacy of Consumer Financial Information & Standards for Safeguarding Customer Information, 16 CFR Part 313 & 314
- Financial customer information security provisions of the federal Gramm-Leach-Bliley Act (GLB), 15 USC 6801(b) and 6805(b)(2)
- Health Insurance Portability and Accountability Act (HIPAA), Pub. Law 104-191 and related regulations
- Family Education Rights and Privacy Act (FERPA), 20 U.S.C. 1232g (and related regulations)
- Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681 (and related regulations)
- Payment Card Industry Security Standard Council (PCI DSS)
- General Data Protection Regulation (GDPR)

In accordance with these federal and state laws and regulations, Curry College is required to take measures to safeguard sensitive data, including financial information, and to:
- ensure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to the security or integrity of such records;
- protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer; and
- provide notice about security breaches of sensitive information at the College to affected individuals and appropriate state agencies.

Curry College is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work and study at the College. Curry College has implemented a number of policies to protect such information, and the WISP should be read in conjunction with these policies, which are cross-referenced at the end of this document.

Scope
This Program applies to all Curry College employees, whether full- or part-time, including faculty, administrative staff, union staff, contract and temporary workers, consultants, interns, and student employees, third party service providers, as well as to all other members of the Curry College community (Community). This Program does not apply to volunteers of Curry, as they are prohibited from having any contact with sensitive data. The data covered by this WISP includes any information collected, stored, maintained, processed, owned, and licensed by Curry College in connection with its mission, partnerships, or employment. The WISP is not intended to supersede any existing Curry College policy that contains more specific requirements for safeguarding certain types of data, except in the case of Personal Information and Nonpublic Financial Information, Protected Health Information, and FERPA protected data as defined below. If such a policy exists and is in accordance with the requirements of the WISP, the more restrictive policy is controlling.

Data Types Protected by Laws and Regulations
Family Education and Rights Privacy Act (FERPA) Protected Data: FERPA protected data, as defined by FERPA, is the educational record of a student in whatever medium (handwritten, print, tape, film, disk, etc.) that is in the possession of any school official (including faculty, deans, president, provost, board members, trustees, registrar, counselors, admissions officers, attorneys, accountants, human resources professionals, information systems specialists, and support or clerical personnel).

Nonpublic Personal Information (NPI): Any personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer, or otherwise obtained by the financial institution. NPI does not include publicly available information. NPI does include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information, but does not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.
Payment Card Industry (PCI) Security Standard: The primary account number (PAN) of a credit card, debit card, or bank account number in combination with any one or more of the following: cardholder name; service code; or expiration date.

Personal Information (PI): The first name and last name or first initial and last name of a person (including a corporation, association, partnership or other legal entity) in combination with any one or more of the following: Social Security number; driver’s license number or state-issued identification card number; or financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password. For the purposes of this Program, PI also includes passport number, alien registration number or other government-issued identification number.

Personal Data (PD) of Person(s) Located in the European Union (EU) and Member States within the European Economic Area (EEA) (regardless of citizenship): Any information relating to an identified or identifiable natural person (data subject) within the EU and EEA (which, in addition to EU Member States, includes Iceland, Norway, Liechtenstein, the United Kingdom and Switzerland); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (IP address or cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual.

Sensitive Information: Data that is protected by this Program and the following federal or state laws or regulations: 201 CMR 17.00 [PI], M.G.L. c. 93H, s. 2 [NPI], 16 CFR Part 313 & 314 [NPI], GLB 15 USC 6801(b) and 6805(b)(2) [NPI], HIPAA Pub. L. 104–191 [PHI], 20 U.S.C. 1232g [FERPA], Payment Card Industry Data Security Standard [PCI], and GDPR [PD].

Data Classification
Data covered by this Program will be classified into one of the three categories outlined below, based on the level of security required for each, starting with the highest level. This Program is explicitly intended to meet legal requirements relating to the protection of Sensitive Data.

Sensitive: Unauthorized access, use, alteration or disclosure of such data could present a significant level of risk to Curry College or the Community or violate applicable laws or regulations. Sensitive data should be treated with the highest level of restrictions to ensure the privacy of that data and prevent any unauthorized access, use, alteration or disclosure.

Confidential/Private: Proprietary or business information that may be exchanged within the College or with authorized vendors or other third parties, but represents a reputational or business risk if disclosed. As examples, such data might include College financial information, donor records or vendor lists.

Public: The least sensitive data used by the College, which would cause the least harm if disclosed. As examples, such data might include directory information, website information and admissions recruiting materials.
4.0 Written Information Security Program

4.1 Responsibilities
Institutional Information Security Workgroup: The Institutional Information Security Workgroup, chaired by the College’s CIO, has overall responsibility for this Program and through delegation and oversight is responsible for implementation, compliance, oversight, ensuring violations are corrected, assuring regular and appropriate training, overseeing audits, and, in collaboration with the College Counsel, evaluating the ability of third party service providers to protect Curry College sensitive information.

Division/Department Heads: Each department that collects and maintains sensitive information will identify a person in the department responsible for adherence to this policy and the implementation of procedures required to protect the confidentiality, integrity, and availability of sensitive information.

The Community: All members of the Curry Community are responsible for maintaining the privacy and integrity of all sensitive data they come in contact with, and must protect the data from unauthorized use, access, disclosure or alteration.

Administrative Safeguards
Administrative safeguards focus on two areas: personnel and business practices. Administrative safeguards should never be circumvented by anyone in the Community.

Security Awareness: A copy of the WISP will be distributed to each employee, student or temporary employee, third party service provider, vendor or Curry affiliate when access to sensitive data is requested. Once the recipient has acknowledged, in writing or electronically, that he/she has received a copy of the Program, access to the sensitive data will be provisioned. Information Technology Services (ITS) is responsible for the regular ongoing training and retraining that Curry will offer to employees, student or temporary workers, third party service providers, vendors or Curry affiliates with access to sensitive information. Data Owners (as defined in section 4.2.4 of this Program), or appointed designees, are responsible for updating their area and the CIO on new and changing regulations covering data they own. The Data Owner will communicate the name of the appointed designee, if assigned, in writing to the CIO.

Collecting Sensitive Data: The amount of sensitive information collected must be limited to that amount reasonably necessary to accomplish Curry’s legitimate educational and business purposes, or necessary to comply with other state or federal regulations. Credit card holder data as defined by the Payment Card Industry Data Security Standard (PCI DSS), including a credit card number with or without any required security code or expiration date, is never to be written down on paper or a form, or stored on a system that is not PCI DSS compliant. The collection and processing of Personal Data of natural persons within the European Union and European Economic Area, regardless of nationality or residence, is highly regulated and is outlined in the Curry General Data Protection Regulation (GDPR) Privacy Notice.

Storing Sensitive and Confidential/Private Data: Electronic records containing sensitive or confidential/private data should only be stored on the Curry College network, approved systems and media, and paper records in a secured location, and not on any desktop computers, laptops, mobile devices, personal smart phones, external hard drives, USB drives, or unapproved cloud storage. Questions about the College’s Record Retention and Destruction Policy may be directed to the Chief Financial Officer.

Access to Sensitive Data: Access to records containing sensitive data shall be based on the principle of least privilege and need-to-know, according to what is required to accomplish Curry’s legitimate educational and business purposes. The identity of a person must be verified before access is granted. All sensitive data at the College is assigned a Data Owner and Administrator according to data type.
Data Owner: Has control over data and is responsible for approving requests for access to such data.
Administrator: Has technical control over Enterprise Application (EA) and Enterprise Infrastructure (EI) data within the Tech Center, and is responsible for the technical security of such data.

| Type of Data | Data Owners & Appointed Designees* | Administrators (System & Network) |
| --- | --- | --- |
| Faculty | Provost | EA and EI Teams within Tech Center |
| Staff | VP of Human Resources | EA and EI Teams within Tech Center |
| Student | VP of Student Affairs/Dean, Registrar, VP of Admission/Dean, Associate VP of Finance for SFS, and Associate VP of Academic Affairs | EA and EI Teams within Tech Center |
| Alumni | VP for Advancement | EA and EI Teams within Tech Center |

*The data owner may appoint a designee to serve in their place.

Internal and External Risk
Risk Analysis: Division/Department heads will perform a risk analysis annually, or whenever there is a material change in business practices that may impact sensitive information, which will provide an assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of sensitive information as well as a review of compliance with this Program.

Risk Management: Division/Department heads will implement measures to reduce computer risks and vulnerabilities, including identifying and documenting potential risks and vulnerabilities that could impact systems collecting and storing sensitive information, as well as the proper disposition of sensitive information. Risk Management reports will be sent to the CIO annually.

Annual WISP Audit: Data Owners, or appointed designees, will perform an annual update of the inventory of systems and devices containing sensitive data, and a review of access controls within their area to assure that access supports the principle of least privilege and need-to-know.
Employees and Third-Party Service Providers
Human Resources will inform ITS of an employee’s change of status or termination as soon as is practicable, but before the employee’s departure date from the College. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s access to College data. Third party service providers with whom the College shares sensitive information, or who have incidental access to sensitive information within the scope of their work, shall either sign an agreement acknowledging this policy and assuring that such information will be kept protected and confidential, or submit a copy of their company policy on confidentiality and protection of sensitive information for review and approval by the College’s Counsel. Division/Department heads will alert ITS via email at the conclusion of a contract for individuals who are not considered Curry College employees, in order to terminate access to their Curry College accounts.

Physical Safeguards
Physical safeguards focus on physical measures to protect sensitive information. Physical safeguards should never be circumvented by anyone in the Community.

Secure Paper Files: Paper or electronic records (including records stored on hard drives or other electronic media) containing personal information shall be kept in locked files or other secured areas when unattended, not in use, and at the end of the work day.

Limit Access to Printouts: Fax machines, printers, multifunction devices, and other devices receiving or printing sensitive information shall be located in secure areas, not accessible to the general public, that can be locked at night. When printing or receiving faxed sensitive data, immediately retrieve the fax transmission from the fax machine.

Disposition of Paper Records: Paper records with sensitive data will be disposed of in a locked secure bin or in a manner that complies with M.G.L. c. 93I.

Sensitive Information Collection: Sensitive information, including credit card holder data as defined by the Payment Card Industry Data Security Standard (PCI DSS) (a credit card number with or without any required security code or expiration date), is never to be written down on paper, or requested on a College paper form or a non-secure form over the internet or a private network.

Device and Media Controls: Devices with sensitive information stored on them (laptops, computers, fax machines, copiers, multifunction devices, etc.) shall be wiped before being disposed of. Devices with sensitive information may not be transported through campus mail or other mail or package delivery companies.

Physical Safeguards Specific to Departments: Each department shall consider developing procedures that ensure that reasonable restrictions upon physical access to records containing sensitive data are in place, including a written procedure that sets forth the manner in which physical access to such records in that department is to be restricted.

Facility Access Control: Systems containing sensitive information (servers) will be kept in areas with physical security controls that restrict access.

Contingency Plan: ITS will assure that all systems containing sensitive information have disaster recovery plans in place to respond to an emergency or other occurrence that damages the system.

Technical Safeguards
Technical safeguards focus on technology (systems, configurations, etc.) to protect sensitive information. Technical safeguards should never be circumvented by anyone in the Community.

Auto-Lock Computer Screens: As a safeguard, all College computers will be programmed to automatically lock (requiring re-entry of a password) after a specified time of no activity.
System Credentials: Credentials for active employees, student or temporary workers, third party service providers, vendors or Curry affiliates with access to sensitive information shall have a minimum length of 10 characters, as recommended by the NIST security framework.

Access Control: Only those employees or authorized third parties requiring access to sensitive data in the regular course of their duties are granted access to this data. Where systems support it, electronic access to systems and files with sensitive data shall be blocked after multiple unsuccessful attempts to gain access. Access to sensitive data shall be restricted to active users and active user accounts only. Access to electronically stored sensitive information shall be limited to those employees having a unique logon, and re-logon shall be required when a computer has been inactive for a certain period of time. Unique usernames (if feasible) and passwords which are not vendor-supplied default passwords will be assigned to each person and process with access to sensitive information.

Monitoring of Systems: Logs will be enabled on systems with sensitive information and retained for six months. Reasonable monitoring of exceptions will be put in place to detect unauthorized use of or access to sensitive information.

Firewall Protection: There must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the sensitive data, installed on all systems processing sensitive data and connected to the internet.

Anti-Virus Software: There must be reasonably up-to-date versions of system security agent software, which must include reasonably up-to-date patches and virus definitions, installed on all systems processing sensitive information.

Encryption Devices: To the extent operationally feasible, all sensitive information stored on backups, laptops and other portable devices must be encrypted, as must all records and files containing sensitive data transmitted across public networks or wirelessly. Encryption here means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Detection and Prevention: To the extent operationally feasible, a means of detecting and preventing security system failures will be in place.

User Authentication: There must be secure user authentication protocols in place, including:
- protocols for control of user IDs and other identifiers;
- a reasonably secure method of assigning and selecting passwords;
- control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- restriction of access to active users and active user accounts only; and
- blocking of access to user identification after multiple unsuccessful attempts to gain access, when possible.

Separate Credit Card Holder Data Traffic: Traffic transporting credit card holder data is segmented so that it is separate from other network traffic.

Reporting Attempted or Actual Breach of Security
A breach of security is defined as the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information maintained by Curry College. Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of sensitive information, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the CIO. The CIO will contact the Director of Finance. The Director of Finance and CIO are responsible for coordinating an ad-hoc Data Incident Workgroup, which will include appropriate staff from the Tech Center, Finance, Counsel, and the head(s) of the affected division(s) or department(s), and for determining appropriate actions in response to the breach. The Data Incident Workgroup will document attempted and actual breaches, and the subsequent responsive actions taken. All related documentation will be stored in the Finance Office.

Enforcement
Any member of the Community who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises sensitive data without authorization, or who fails to comply with this Program in any other respect, will be subject to disciplinary action, which may include termination in the case of employees and expulsion in the case of students. Under federal law, violation of the HIPAA privacy rule may result in civil monetary penalties of up to $250,000 per year and criminal sanctions including fines and imprisonment.
Appendix
The following Curry College policies & programs provide advice and guidance that relates to this Program:
- CurryNet Acceptable Use Policy
- FERPA Policy
- Record Retention Policy
- Red Flag Rules
- Data Privacy
- Disaster Recovery Program
- Incident Response Plan
- GDPR Program (to be implemented)

Recurring WISP Undertakings
When | WISP Undertaking | Responsible Area
First day of employment | Distribute WISP to new employees | Human Resources
Prior to Employment | Distribute WISP to student workers | Hiring Manager
When contract is signed | Third party service provider, vendor or Curry affiliate with access to sensitive information | Manager and Director of Finance
March (security awareness month) | Ongoing Security Awareness Training | ITS
March | Annual WISP Audit Due | Data Owner or Appointed Designees
Prior to Date of Change or Term | Notification of employee change of status or termination | Human Resources
Annually | Employee Account Verification | Human Resources/ITS
Weekly | Review logs of account access to sensitive data in Banner | CISO and Director of Application Support
Quarterly | Review firewall change logs | CISO
Annually | Review firewall rules | CISO

Sensitive Data Type and Approved Storage Devices/Locations
Type of Sensitive Data | Approved Storage of Data | Approved Transport of Data
PI | Curry network drives, Banner, and Salesforce | FaxFinder, and analog fax
NPI | Curry network drives, Banner, and Salesforce | FaxFinder, and analog fax
HIPAA Protected | CoVerified/CareEvolve, Curry network drives, Banner, and Salesforce | FaxFinder, and analog fax
FERPA Protected | Curry network drives, Banner, and Salesforce | FaxFinder, and analog fax
Credit Card Holder Data | Flywire Payment Processing, GiveCampus, and Eventbrite | FaxFinder, and analog fax

Written Information Security Program Version Control
Policy Version | Implemented Date | Replaces | Reviewed By | Date
1.2 CISO 7/15/21 1.1 Executive Team 7/15/21 1.1 Institutional Information Security Workgroup 8/19/19 1.0 Institutional Information Security Workgroup and Executive Team 7/19/19 1.0 Institutional Information Security Workgroup 1/18/19 New Institutional Information Security Workgroup and Executive Team 11/26/19
-
Acceptable Use Policy
Acceptable Use Policy
Modified on: Wednesday, November 20, 2024
This policy replaces the previous Network Usage Policy: https://currycollege.freshservice.com/support/solutions/articles/19000062618-Network-Usage-Policy

Purpose and Scope
Curry College’s data and information systems are valuable assets that must be protected. Proper and acceptable use of information technology (IT) assets and data will mitigate risks associated with malware attacks, network and system compromises, and data breaches. This Acceptable Use Policy (AUP) applies to the use of Curry College’s IT assets, including applications, networks, devices, and business systems, whether owned or leased by Curry, the user, or a third party. All faculty, staff, contractors, consultants, temporary employees, undergraduate and graduate students, and guests (“users”) of Curry’s devices, networks, and systems must act in a responsible and ethical manner to protect Curry’s systems, information, and reputation. It is expected that all users be familiar with and stay current with this policy.

General Requirements
Curry College has critical technology and data dependencies for day-to-day operations and strategic goals. General obligations related to the acceptable use of IT assets are as follows:
- At all times, users must protect Curry IT assets and data (regardless of where it is stored or how it is accessed) consistent with the requirements set forth in Curry College policies and procedures.
- Users must always protect their credentials (username/password); see the password section below for more details.
- Users must not download College data to unauthorized locations (e.g., non-Curry cloud or non-Curry laptop/desktop, USB devices or portable media) or disclose it to unauthorized individuals, systems, or entities (e.g., highly confidential, financial, personally identifiable information, personal health information). See a supervisor if you have questions.
- Independent businesses may not be developed or run using College computing/networking resources unless they are a sanctioned campus organization and/or part of academic programs (e.g., service-learning, scholarship fund raising). Curry College reserves the right to remove, without warning, unapproved commercial activities.
- Faculty, staff, and students are expected to maintain accurate data (e.g., date of birth, address, Social Security number) when updating personal information on any of Curry's administrative and instructional databases.
- Users are expected to report potential information security incidents to the Help Desk at support@Curry.edu.

The following are examples of activities that are strictly prohibited while utilizing Curry information assets and technology; this list includes but is not limited to:
- Promoting and/or facilitating illegal activities, including but not limited to identity theft, hacking, fraud, child pornography, and/or copyright violation.
- Unauthorized access, duplication, alteration, modification, or destruction of Curry data, systems, configurations, and resources.
- Using devices at any time to harass, retaliate towards others, or discriminate based on race, national origin, sex, sexual orientation, gender identity, gender expression, age, disability, religious beliefs, or any other characteristic protected by law. This includes any behaviors that violate the College’s Code of Ethics, Online Misconduct policy, Code of Conduct, and/or other harassment policies.
- Tampering with or changing anti-virus, firewall, or other security-related computer settings.
- Installing prohibited software.
- Deliberate introduction of malicious programs onto Curry systems (e.g., virus; worm; keystroke logger).
- Causing or contributing to security breaches or disruptions of network communication. Examples include excessive use of systems or network capacity for personal gain/benefit, accessing data without authorization, and logging into a server or account without authorization.
- Interfering with or denying service to any other user, host, or Curry system.
- Using a program, script, or command, or sending messages, with the intent to interfere with or disable a user’s session locally or via the Curry College network.
- Violations of academic integrity and/or the rights of the College or any person. This includes, but is not limited to, selling papers, unauthorized copying of copyrighted material, use of Artificial Intelligence/Large Language Model generated content without prior approval, and installation or distribution of pirated software and/or software products that are not properly licensed for use by the user and/or Curry College.
- Use of technology resources (e.g., a smartphone) to record conversations, lectures, or classroom interactions without the express consent of those individuals being recorded.
- Making fraudulent offers of products, items, or services originating from any Curry College account and/or making statements about warranty, express or implied.
- Exporting software, technical information, encryption software, or technology that may violate international or regional export control laws. (Consult legal counsel if you have questions on this topic.)

Note: The above list is not comprehensive, but rather a means to provide a framework for activities in the category of unacceptable use. Certain users may be exempted from specific restrictions during legitimate job responsibilities (e.g., systems administration staff may be required to disable the network access of a host).

Phishing and Email Use
All users must be cautious when opening email. A valid-looking email may be a phish. A phish is a fake email that looks real. Users should beware of emails that engender feelings of urgency, fear, strong curiosity, and exceptional opportunity. Users should report suspicious phishing emails by forwarding the email to support@curry.edu.

Note: Curry will never ask users for their Curry credentials.

The following are requirements related to emails and phishing which users should follow:
- When conducting College business, users are to use College-provided email accounts, rather than personal email accounts.
- Incidental/personal use of email should not interfere with Curry’s email system.
- Email distribution lists are College property. Distribution lists may only be provided to external third parties in conjunction with legitimate academic or administrative initiatives and only after obtaining approval from a division head. Under no circumstances may College distribution lists be sold to an external party, nor may the lists be used for individual gain (e.g., marketing a product or service). Employee use of distribution lists for surveys is allowed for legitimate academic or administrative purposes.

Internet Use
Users accessing the internet through Curry’s network and/or on a Curry device should do so in a manner that supports business operations and does not interfere with Curry’s business or infringe on the rights of others. The following are examples of inappropriate internet use:
- Any illegal activities, including illegal gambling, or viewing of illegal content.
- Copyright infringement when downloading or file-sharing/swapping.
- Hacking or unauthorized access.
- Accessing pornographic/adult services sites.
- Running a sideline internet business without an approved exception to this policy (conflict of interest).

Access and Privacy
The College has the legal right to access, preserve and review all information stored on or transmitted through its electronic services, equipment, and systems (collectively, “IT Systems"). The College endeavors to afford reasonable privacy for individual users and does not access information created and/or stored by individual users on its IT Systems except when it determines that it has a legitimate operational need to do so.

Enforcement
Curry information technology and assets may be audited and/or monitored for unauthorized activity and usage. Certain kinds of data and IT fraud are illegal and punishable by civil sanctions, criminal fines, and/or imprisonment. The College is obligated to report instances of illegal activities to the authorities and will cooperate with authorities in the investigation of illegal activities. Curry reserves the right to require the registration of all technology-related devices used on campus, regardless of whether the device is owned by the institution or an individual. Curry may identify and quarantine, block, and/or disable accounts and/or devices suspected of adversely affecting the network or violating this acceptable use policy; may employ tools to monitor network-related activity; and may restrict or eliminate bandwidth allocation to specific devices. Curry also reserves the right to block access to internet websites and protocols that are deemed malicious or contrary to the mission of the College. Employee violations will be handled by the employee's supervisor, in conjunction with Human Resources. Student violations will be referred to the Student Affairs judicial process or Curry’s academic integrity process, or both. Curry College reserves the right to change provisions of this and other College policies periodically. Curry College may take disciplinary action up to and including termination of access, ending of contracts, legal action and/or dismissal of individuals not in compliance with this policy.

Related Policies and Procedures
The Acceptable Use Policy is one of several College policies and procedures. Curry’s Chief Information Officer (CIO) maintains authority over, and enforcement of, the AUP and related policies. Related policies include the Curry College Password Policy and Written Information Security Program. A full list of ITS Policies can be found at: https://www.curry.edu/ITSPolicies

Policy Compliance
All members of the Curry College community are expected to review and understand this policy. By using the Curry College network, users acknowledge their agreement to comply with this policy. The College reserves the right to amend this policy as necessary.

No Warranties or Assurances
Curry College makes no warranties of any kind, whether express or implied, with respect to the Network Resources it provides. Curry College is not responsible for any damage resulting from use of Network Resources, including service interruptions, loss of data or damage to hardware or software on your personal systems at home, in the residence halls or public access computer labs on campus. Computer and network availability is subject to periodic system updates, security patches, ISP maintenance, system protocol improvements and changes.

Contact Information
For questions or concerns regarding network usage or this policy, please contact the Curry College IT Help Desk by calling 617-333-2911 during business hours or by emailing Support@curry.edu. For status on open tickets, submission of new tickets, and to browse our knowledge articles, please visit https://support.curry.edu. This policy is designed to create a safe, secure, and productive digital environment for all members of the Curry College community. Your cooperation and adherence to these guidelines contribute to a positive network experience for everyone.
-
Student Chromebook Policy
CURRY COLLEGE Chromebook – STUDENT USER AGREEMENT

INTRODUCTION
This User Agreement is intended to describe the terms under which Curry College (herein referred to as the “College”) will loan the use of a College-owned Chromebook (herein referred to as “Chromebook”) at no cost to the student signing this agreement (herein referred to as “you” or the “student”) to support the delivery of educational programming. The Chromebook shall remain the property of the College throughout the term of this User Agreement and shall be provided for the student’s use during the term of the student’s enrollment at the College for the current Spring 2022 traditional academic semester only, or until such time as the College exercises its sole discretion to terminate this loan. This document is an agreement between a student of the College and the College. This agreement establishes use and maintenance expectations for the Chromebook issued to the student by the College in connection with the student’s active enrollment status at the College. By entering into this User Agreement (herein referred to as “Agreement”), the undersigned student agrees to the following terms and conditions for use and maintenance of the Chromebook (and related peripherals) issued to the student by the College.

TERM OF USE
At any time and for any reason, the College in its discretion may notify and require the student to return the Chromebook (and related peripherals). Notwithstanding, the following terms of use apply to all College-issued Chromebooks:

Original Term of Use. The student shall be issued a Chromebook upon signature of this Agreement. A student’s initial term of use for the College-issued Chromebook shall be for the remainder of the student’s enrollment at the College during the Spring 2022 traditional academic semester, or until this Agreement is terminated by the College in its sole discretion. Students will be informed if their Chromebook is to be returned sooner.

Students No Longer Enrolled at the College. A student that is dismissed, withdraws from, defers entry to, takes a leave of absence, or otherwise exits the College must return the College-issued Chromebook to the College’s Information Technology Services (herein referred to as “ITS”, and sometimes known as the “Tech Center”) within fifteen (15) calendar days following the date of such exit, or a replacement value fee will be assessed on the student’s account in accordance with Exhibit A.

MATERIALS PROVIDED
The College will provide the student with the following materials:
- One (1) Chromebook, including charger and USB cord
- Other peripherals as determined by the College

GENERAL TERMS AND RESPONSIBILITIES
At all times, the College retains ultimate control over and ownership of the Chromebook (and related peripherals) issued to the student. By taking possession of the Chromebook, the student assumes responsibility for complying with the terms and conditions of this Agreement. The College advises the student to take care that the Chromebook is: never left unattended; never exposed to excessive temperatures; and never cleaned with anything other than materials described in the Chromebook’s owner’s manual.

PRIMARY USE TERMS
The primary use of the Chromebook is for educational programming. As part of this Agreement, the student agrees to the following:
- The student agrees to complete assignments, assessments, training and other program-related work on the Chromebook as part of the student’s registered College coursework for Spring 2022.
- The student may use the Chromebook for other purposes to the extent that such uses do not interfere with the primary use.
- The student may store documents or other files on the Chromebook, as needed and as the Chromebook’s storage capacity allows, and the student is responsible for making backup copies of such documents or other files. The student may also utilize cloud storage through the student’s College-issued Google account. In the event of loss of such documents or other files, the College’s responsibility is limited to restoring the factory default configuration and applications.

SECURITY RELATED TERMS
By accepting the terms of this Agreement, the student agrees to the following security-related terms of use:
- to enable all recommended passcode security on the Chromebook, including two-step verification (if applicable);
- to not remove or alter any of the identification tags attached to or displayed on the Chromebook. Services and support are contingent on proper display of the identification tags;
- to back up the Chromebook using the student’s College-issued Google account storage utility;
- to accept the Terms & Conditions set forth by Google governing the use of the Chromebook;
- to enable automatic software updates from Google and to install any applicable Google software updates or Google Play Store application updates in a timely manner;
- to use the Chromebook in a responsible manner and in accordance with College policies, including the College’s computer use and related information technology policies, in effect now and in the future;
- to comply with all applicable State and Federal laws, including but not limited to copyright and intellectual property law pertaining to software and file content;
- to keep the Chromebook within the student’s possession at all times and restrict use to the student only;
- to take necessary and responsible care to keep the Chromebook secure, safe and in good working condition;
- to use the Chromebook in a careful and lawful manner, and not make any physical alterations, additions or hardware changes/improvements;
- to not remove any installed software or apps on the Chromebook that were provided by the College;
- to not engage in “jailbreaking.” Jailbreaking is generally defined as a process that removes any manufacturer’s limitations or other restrictions on Chromebook use. Jailbreaking can reduce Chromebook security and, by extension, the College’s network security, and is strictly prohibited. The student is further prohibited from installing any software applications that are not available from or authorized by the Google Play store (unless the student requests and receives written permission from ITS);
- that, as provided in the College’s computer use and related information technology policies, the College is not responsible for the loss or theft of any personal information, confidential data, and/or other data that the student downloads to or saves on the Chromebook.

SUPPORT AND SERVICE
The student agrees to enroll in and maintain enrollment in the College’s mobile device management (herein referred to as “MDM”) system. Complete details on the MDM system are available from ITS upon request. The College may be able to repair most accidental damage to College-issued Chromebooks. Contact ITS at support@curry.edu or (617) 333-2911 for assistance. The College does not cover loss, theft or damage incurred by willful, wanton or reckless misuse of the Chromebook. In addition, the College may not extend coverage for damage incurred as a result of violations of this Agreement.

By accepting the terms of this Agreement, the student:
- is prohibited from opening or making internal hardware modifications to the Chromebook;
- may only install applications with a valid and current license;
- will not attempt to repair the Chromebook independently;
- must report any damage to the Chromebook immediately to ITS. The College will work with the student to repair or replace the damaged Chromebook;
- agrees to enable the “Find my Device” service or equivalent on the Chromebook to assist with recovery efforts if the Chromebook is lost or stolen.

In the event of loss or theft:
- You must immediately report loss or theft to the College’s Public Safety and ITS.
- You agree to cooperate with the College’s efforts to recover and/or disable the Chromebook.

In the case of repairs or replacements that are necessary due to damages to the College-issued Chromebook that are caused by the student’s willful, wanton or reckless misuse of the Chromebook or by violation of this Agreement, the College will assess fees, as outlined in Appendix A, at its discretion for failing to comply with the terms of this Agreement.

RELATED COLLEGE POLICIES
At all times when the Chromebook is in the student’s possession and use, the student must comply with College policies and procedures, including but not limited to those policies on computer use and information technology. Please review the policies and procedures in the Student Handbook, at http://curry.edu/handbook, for more information. Failure to follow College policies and procedures may result in termination of this Agreement.

TERMINATION OF THIS USE AGREEMENT
This Chromebook program may be terminated at the sole discretion of the College, for any reason (including but not limited to those referenced in this Agreement) and at any time.

Notice. The College may amend the terms of this Agreement (to include cancellation) and you may be asked to review and sign a new Agreement. If a new Chromebook is issued, you will be asked to sign a new Agreement.

Returning the Chromebook to the College
As provided under the Term of Use provisions of this Agreement, the student may be liable for fees and deposits according to those outlined in Appendix A as applicable. As further provided by this Agreement, the student must return the Chromebook to ITS within fifteen (15) calendar days of (a) the student’s enrollment status change at the College, or (b) receipt of notice from the College that this Agreement has been terminated (whichever occurs first).

This Agreement may only be modified in writing with signatures from the student and an authorized representative of the College. This Agreement represents the full and final understanding between the student and the College on the subject herein (Spring 2022 Chromebook loan), unless modified in the manner described in the previous sentence. This is a binding contract and enforceable under the laws of the Commonwealth of Massachusetts in the courts located in Norfolk County.

Chromebook – STUDENT USER AGREEMENT
APPENDIX A FEE SCHEDULE
Type | Amount | Description
Repairs | $50.00 | Repairs are provided free of charge for up to one (1) incident of accidental damage. Each additional incident is subject to the fee listed.
Replacement | Market Value | Upon second replacement request, student is responsible for full cost of Chromebook and peripherals. Also applies if student fails to return Chromebook upon exit from College or termination of Agreement.