Information Security Policy

Tags policy


Pursuant to federal and New York State laws, and the policies and procedures of the State University of New York, SUNY New Paltz must maintain an effective, comprehensive information security program that addresses the full range of information security issues that affect the University. The policy must be implemented to support the core teaching, learning, and research activities of the University, as well as the administrative functions of the University. 


It is the policy of the University to comply with legal and regulatory requirements (federal and state) governing the collection, retention, dissemination, protection, and appropriate destruction of sensitive information. This requires the University to maintain a vigorous and comprehensive Information Security Program designed to satisfy its statutory obligations, enable, and assure the core teaching, learning, and research activities of the University, and support its administration. 

The Information Security Program: 

  • Will include the administrative, technical, and physical safeguards appropriate to the size and complexity of the University and the sensitivity of its information. 

  • The program will be based on established risk management practices. 

  • The program will implement the standards set out in SUNY's Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, Document #6608) and the SUNY Information Security Policy (Document #6900) 

  • The program will be based on industry best practices and both internal and third-party risk assessments.  It will be updated, as needed, based on results of risk assessments, , changes in systems and services, and the threat landscape. 

  • The University is using the National Institute of Standards and Technology (NIST) controls, particularly NIST 800-53 and NIST 800-171, as our standard for security and privacy measures and procedures. 

In doing so, the program must: 

  • lead and assist the workforce in preserving the confidentiality, integrity, and availability of university systems, services, and data, particularly with respect to sensitive information 

  • engage all employees, as appropriate to their roles, in actively anticipating and addressing threats and hazards to the security of Sensitive Information and Sensitive Systems 


Roles and Responsibilities 


  • The Assistant Vice President for Information Technology/Chief Information Officer and the Assistant Vice President for Administration & Finance are primarily responsible for assuring an effective Information Security Program. 

  • The University, in compliance with the Gramm-Leach-Bliley Act, has named Paul Chauvet, Information Security Officer (ISO) as the qualified individual responsible for overseeing and implementing and enforcing the University’s Information Security Program. 

  • Responsibility for developing, deploying, and managing the Information Security program lies with both internally with the Chief Information Officer, the Information Security Officer, and the Internal Controls Coordinator.  Any university-wide policies must be approved by the President's Cabinet, with review by SUNY legal counsel when appropriate. 


  • The Information Security and Risk Oversight (ISRO) Committee, which contains stakeholders from departments across the university, will work to develop appropriate controls while facilitating the operations of the University. 

  • The Information Security Officer will regularly report on the state of the information security program.  Such report will occur at least annually, and be made in writing to the President of the University, and the President’s Cabinet. 


  • Campus information technology service staff, including Systems Administrators, Network Administrators, and Database Administrators, are primarily responsible for the implementation of technical/operational controls.  Members of the University community at-large are responsible for implementing and adhering to relevant policies, standards, procedures, and guidelines. 


  • The Information Security Officer and Chief Information Officer are primarily responsible for enforcement. Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines, and procedures. 

  • Compliance is determined via periodic audits, scans, simulated training exercises, internal and third-party risk assessments, and reviews and is measured against this policy and all published related documents. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations. 

  • Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and notifications sent to responsible parties. These notices will include recommendations for corrective action.  A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action.  Follow up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions. 

  • Nothing in this section will be construed as an impediment to responding to a security breach incident. 


This policy will be reviewed and updated as needed. Said review will occur at least once every two years. 

Policy History 

  • Date of first approval by President’s Cabinet: Fall 2014

  • Current version approved by President’s Cabinet December 1, 2023



Related Documents 

New Paltz Information Security Policies 

These additional policies are in effect and supplement the Campus Information Security Policy.  Other policies relating to Information Security that have been approved by the President's Cabinet may be included in this list without a formal change to this policy. 

Relevant Federal, State, and SUNY Policies, Laws, and Regulations 

  • SUNY Information Security Policy 

  • Federal Educational Rights and Privacy Act (FERPA) 

  • Gramm Leach Bliley Act (GLBA) 

  • NYS Information Security Breach and Notification Law 

  • NYS Information Security Policy P03-003 

  • Other State and Federal regulations governing the acquisition, retention, and dissemination of protected data 

  • SUNY system-wide information security policies and requirements 

  • SUNY Policies of the Board of Trustees 

  • Other University IT and Information policies 

100% helpful - 1 review
Print Article


Article ID: 20998
Wed 12/7/16 9:48 AM
Mon 5/13/24 11:31 AM