Written Information Security Program (WISP)
Purpose
This is the public-facing version of Trinity College’s Written Information Security Program (WISP). It summarizes how the College protects sensitive information and is written for students, employees, visitors, and members of the public. Detailed internal procedures and technical standards are maintained separately to support security operations and compliance obligations.
Program Statement
Trinity College is committed to protecting the confidentiality, integrity, and availability of sensitive information. This Written Information Security Program (WISP) describes the administrative, technical, and physical safeguards the College uses to protect Personal Information and Nonpublic Financial Information, and to meet applicable legal and regulatory requirements.
The WISP aligns with widely recognized security and privacy practices, including the NIST Cybersecurity Framework, and is supported by related College policies and standards. If a more specific College policy applies to a situation, that policy should be followed.
Scope
This Program applies to Trinity College employees (including faculty and staff), contractors and consultants, and other individuals or entities that access, store, transmit, or process College information on Trinity’s behalf.
It covers information handled for College operations, whether managed on-campus or through approved third-party services.
Definitions
- Data: Information in any form (electronic or paper) that the College creates, receives, stores, or uses to support College operations, including information processed by approved third-party service providers.
- Data classification: A way of grouping College information by sensitivity so that appropriate safeguards and handling requirements are applied.
- Personal Information (PI): As defined by Conn. Gen. Stat. § 36a-701b, an individual’s first and last name (or first initial and last name) combined with any of the following:
  - Social Security number
  - Driver’s license or state-issued identification card number
  - Financial account, credit, or debit card number, with or without any required access code or password
  - Passport number, alien registration number, or other government-issued identification number
- Nonpublic Financial Information (NFI): As defined under the Gramm-Leach-Bliley Act (GLBA) and 16 CFR Part 313, any record containing nonpublic financial information about a student or other party with a College relationship, in paper, electronic, or other form. This includes information provided by or obtained about a student or third party in connection with obtaining, using, or servicing a financial product or service through the College.
Program Ownership and Responsibilities
Trinity College assigns responsibility for the administration of the WISP to the Chief Information Security Officer (CISO), who coordinates with Information Technology Services and relevant campus partners.
The CISO may designate qualified College personnel or groups to assist with implementing, maintaining, and monitoring this Program.
Individuals who handle College information are expected to follow applicable policies and standards, use approved services for sensitive data, and promptly report suspected security incidents.
Governance and Oversight
The College reviews and maintains the WISP as part of its overall information security governance and compliance program.
Requests for exceptions to this Program must be reviewed and approved through the College’s established governance processes.
Data Classification
The College classifies information based on sensitivity, compliance requirements, and risk, and applies handling requirements accordingly.
| Level | Description |
|---|---|
| Level 4 | Highly sensitive information protected by law, regulation, or contract. Unauthorized disclosure could cause serious harm to individuals or the College. |
| Level 3 | Confidential information that is not intended for public release. Unauthorized disclosure could cause significant harm to individuals or the College. |
| Level 2 | Internal-use information that is not typically shared publicly. Unauthorized disclosure could cause limited harm or operational impact. |
| Level 1 | Public information that may be shared openly. Standard security practices still apply. |
Risk Management
The College identifies and assesses risks to sensitive information, including:
- Unauthorized access or misuse of sensitive information
- Malicious software, phishing, and other cyber threats
- Accidental disclosure or loss of information
- Service disruptions, disasters, or other events that impact operations
Risk assessments are performed at least annually and when significant changes occur. The College selects, implements, and updates safeguards based on risk assessment results, compliance requirements, and evolving threats.
Administrative Safeguards
- Access control: Access to sensitive information is limited to authorized individuals with a legitimate business or educational need, and access is removed when no longer needed.
- Service provider oversight: Vendors and service providers that handle sensitive information are evaluated as part of due diligence and are expected to maintain appropriate security and privacy practices. Contracts require providers to protect the information they process for the College, and the College conducts oversight appropriate to the risk.
- Security testing: The College performs periodic security assessments and testing to identify and address vulnerabilities.
- Payment card information: When the College processes payment card transactions, it follows applicable payment card security standards and maintains related procedures.
- Incident response: Suspected or confirmed security incidents involving sensitive information are promptly investigated, contained, remediated, and reported as required by law and College procedures, including breach notification obligations where applicable.
- Training and awareness: Employees receive periodic security awareness training, and additional training is provided based on role and access to sensitive information.
- Secure disposal: Sensitive records are retained only as long as needed and are securely disposed of when no longer required.
Technical Safeguards
- Authentication
  - Accounts use secure authentication practices, including multi-factor authentication where appropriate.
  - Privileged (administrative) access is restricted and managed with additional safeguards.
  - Access is removed or adjusted when roles change or individuals leave the College.
- Network and Endpoint Security
  - The College uses security tools and processes to help detect, prevent, and respond to cyber threats.
  - Institution-owned devices are managed and kept up to date with security patches.
  - Protective controls are used to reduce the risk of data loss and unauthorized disclosure.
- Encryption and Storage
  - Sensitive information is stored using College-approved services and configurations.
  - Encryption is used to protect sensitive information in transit and, where appropriate, at rest.
  - Mobile devices that access sensitive information use appropriate security protections.
- Access Controls
  - Access to sensitive information is granted based on least privilege and job responsibilities.
  - Access is periodically reviewed to help ensure it remains appropriate.
Health information (as applicable): When the College handles protected health information, it uses appropriate safeguards and, where applicable, follows HIPAA requirements.
Physical Safeguards
- Sensitive paper records are secured (for example, in locked files or controlled areas) when not in use.
- Reasonable precautions are taken to protect sensitive information when it must be transported or used outside secured areas.
- When sharing sensitive paper records with third parties, the College uses appropriate secure handling practices.
Travel and sensitive information: When traveling, community members should take reasonable precautions to protect sensitive information and use College-approved tools for storage and transmission.
Password Requirements
The College maintains password and authentication requirements to reduce the risk of unauthorized access. Requirements may vary by system based on risk and regulatory needs.
- Use strong, unique passphrases (do not reuse passwords across services).
- Do not share passwords/passphrases or approve unexpected sign-in prompts.
- Use strong multi-factor authentication methods.
If you believe your account may be compromised, change your password promptly (if you can) and contact the College’s IT support resources for assistance.
Enforcement
Failure to follow this Program and related College policies may result in administrative action under applicable College processes and may have legal or regulatory implications where sensitive information is involved.
Standards and Regulations
This Program is intended to comply with the following standards:
- Connecticut Public Act No. 21-119, Section 1(b)-(d)
- NIST Cybersecurity Framework (NIST CSF)
- NIST SP 800-171 and NIST SP 800-53
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801(b) and § 6805(b)(2)
- Family Educational Rights and Privacy Act (FERPA)
- Connecticut General Statutes § 36a-701b and § 42-471
- Payment Card Industry Data Security Standards (PCI-DSS)
- Health Insurance Portability and Accountability Act (HIPAA), as applicable to PHI
Related Policies
- Acceptable Use Policy
- Information Security Policy
- Data classification and handling standards
- Incident reporting guidance
Questions and reporting: If you have questions about this Program, or want to report a suspected security issue, contact the Information Security team at [email protected].
Additional resources: Information technology policies and guidance are available through the College’s IT website.
Review and Revision
The College reviews this Program at least annually and may update it as needed to address changes in risk, technology, and regulatory requirements.
Program Owner: Chief Information Security Officer (CISO)
Approved by: VP & Chief Information Officer (CIO)
Date Posted: May 1, 2026