Information Security Policy

Tags policy


Pursuant to federal and New York State laws, and the policies and procedures of the State University of New York, SUNY New Paltz must maintain an effective, comprehensive information security program that addresses the full range of information security issues that affect the college.  The policy must be implemented to support the core teaching, learning, and research activities of the College, as well as the administrative functions of the College.


It is the policy of the College to comply with legal and regulatory requirements (federal and state) governing the collection, retention, dissemination, protection, and appropriate destruction of sensitive information.  This requires the College to maintain a vigorous and comprehensive Information Security Program designed to satisfy its statutory obligations, enable and assure the core teaching, learning, and research activities of the College, and support its administration.

The Information Security Program will include the administrative, technical and physical safeguards appropriate to the size and complexity of the College and the sensitivity of its information. The program will be based on established risk management practices.  The program will implement the standards set out in SUNY's Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, Document #6608.  

In doing so, the program must:

  • lead and assist the workforce in preserving the confidentiality, integrity, and availability of Sensitive Information
  • lead and assist the workforce in protecting Sensitive Systems
  • engage all employees, as appropriate to their roles, in actively anticipating and addressing threats and hazards to the security of Sensitive Information and Sensitive Systems


Roles and Responsibilities


The Assistant Vice President for Information Technology/Chief Information Officer and the Assistant Vice President for Administration & Finance are primarily responsible for assuring an effective Information Security Program. Responsibility for developing, deploying, and managing the Information Security program lies with both internally within IT, with the Information Security Officer, Information Security Oversight Committee, and with the Internal Controls Officer.  Any campus-wide policies must be approved by the President's Cabinet, with review by SUNY legal counsel when appropriate.


The ISO Committee, which contains stakeholders from departments across campus, will work to develop appropriate controls while facilitating the operations of the College.


Campus information technology service staff, including Systems Administrators, Network Administrators, and Database Administrators, are primarily responsible for the implementation of technical/operational controls.  Members of the College community at-large are responsible for implementing and adhering to relevant policies, standards, procedures, and guidelines.


The Assistant Vice President for Technology, and the Assistant Vice President for Administration and Finance, are primarily responsible for enforcement.  This responsibility may be delegated.

Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines and procedures.

Compliance is determined via periodic audits, scans, simulated training exercises, and reviews and is measured against this policy and all published related documents.  The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations.

Instances of non-compliance will be addressed on a case-by-case basis.  All cases will be documented and notifications sent to responsible parties.  These notices will include recommendations for corrective action.  A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action.  Follow up review(s) will determine the subsequent degree of compliance.  Failure to meet compliance requirements may result in sanctions.

Nothing in this section will be construed as an impediment to responding to a security breach incident.


This policy will be reviewed and updated as needed.  Said review will occur no less than once every five years.


Related Documents

New Paltz Information Security Policies

These additional policies are in effect and supplement the Campus Information Security Policy.  Other policies relating to Information Security that have been approved by the President's Cabinet may be included in this list without a formal change to this policy.

Relevant Federal, State, and SUNY Policies, Laws and Regulations
  • SUNY Information Security Policy
  • Federal Educational Rights and Privacy Act (FERPA)
  • Gramm Leach Bliley Act (GLBA)
  • NYS Information Security Breach and Notification Law
  • NYS Information Security Policy P03-003
  • Other State and Federal regulations governing the acquisition, retention, and dissemination of protected data
  • SUNY system-wide information security policies and requirements
  • SUNY Policies of the Board of Trustees
  • Other University IT and Information policies


Article ID: 20998
Wed 12/7/16 9:48 AM
Tue 11/14/17 11:54 AM