University Policies

eBusiness and Partner Security Policy

Information Technology Services

The purpose of this policy is to establish effective guidelines for protecting electronic information shared between Worcester State University and its business partners, including vendors, state agencies, consultants and other companies. The protection of information during transmission and while stored on Worcester State University or partner information systems must meet the protection requirements of the information owner.

Worcester State business interactions and electronic Business (e-Business) connections with its business partners must be appropriately protected to ensure confidentiality, integrity, authenticity, and availability of all Worcester State University and business partner information.

  • An initial risk assessment will be made to determine the value of the information exchanged and the acceptable level of risk to Worcester State University.
  • As necessary and appropriate, contracted vendors will provide in writing on an annual basis their PII & PCI compliance status.
  • The capability of the business partner to properly protect Worcester State University's proprietary or confidential information during transmission, processing, and storage must be assessed before such information is released to the partner through any available media.
    Worcester State University and its e-Business partners will agree on the means of securing information before such information is transferred, processed or stored.
  • Worcester State University will ensure that the level of protection provided for information obtained from a business partner is equal to or greater than the protection required by the business partner for its information.
  • When connecting a business partner's network or system to the Worcester State network, the security of the connecting network must be evaluated prior to making the connection.
    Worcester State will only request and release essential information, and then only the minimum information necessary for the stated purpose.
  • All parties requiring access to shared information must have clearly stated security and meet all pre-determined information access requirements.