Information Security Policy

policy

Overview

Pursuant to federal and New York State laws, and the policies and procedures of the State University of New York, SUNY New Paltz must maintain an effective, comprehensive information security program that addresses the full range of information security issues that affect the University. The policy must be implemented to support the core teaching, learning, and research activities of the University, as well as the administrative functions of the University.

Policy

It is the policy of the University to comply with legal and regulatory requirements (federal and state) governing the collection, retention, dissemination, protection, and appropriate destruction of sensitive information. This requires the University to maintain a vigorous and comprehensive Information Security Program designed to satisfy its statutory obligations, enable, and assure the core teaching, learning, and research activities of the University, and support its administration.

The Information Security Program:

Will include the administrative, technical, and physical safeguards appropriate to the size and complexity of the University and the sensitivity of its information.
The program will be based on established risk management practices.
The program will implement the standards set out in SUNY's Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, Document #6608) and the SUNY Information Security Policy (Document #6900)
The program will be based on industry best practices and both internal and third-party risk assessments. It will be updated, as needed, based on results of risk assessments, , changes in systems and services, and the threat landscape.
The University is using the National Institute of Standards and Technology (NIST) controls, particularly NIST 800-53 and NIST 800-171, as our standard for security and privacy measures and procedures.

In doing so, the program must:

lead and assist the workforce in preserving the confidentiality, integrity, and availability of university systems, services, and data, particularly with respect to sensitive information
engage all employees, as appropriate to their roles, in actively anticipating and addressing threats and hazards to the security of Sensitive Information and Sensitive Systems

Roles and Responsibilities

Oversight

The Assistant Vice President for Information Technology/Chief Information Officer and the Assistant Vice President for Administration & Finance are primarily responsible for assuring an effective Information Security Program.
The University, in compliance with the Gramm-Leach-Bliley Act, has named Paul Chauvet, Information Security Officer (ISO) as the qualified individual responsible for overseeing and implementing and enforcing the University’s Information Security Program.
Responsibility for developing, deploying, and managing the Information Security program lies with both internally with the Chief Information Officer, the Information Security Officer, and the Internal Controls Coordinator. Any university-wide policies must be approved by the President's Cabinet, with review by SUNY legal counsel when appropriate.

Governance

The Information Security and Risk Oversight (ISRO) Committee, which contains stakeholders from departments across the university, will work to develop appropriate controls while facilitating the operations of the University.
The Information Security Officer will regularly report on the state of the information security program. Such report will occur at least annually, and be made in writing to the President of the University, and the President’s Cabinet.

Operations

Campus information technology service staff, including Systems Administrators, Network Administrators, and Database Administrators, are primarily responsible for the implementation of technical/operational controls. Members of the University community at-large are responsible for implementing and adhering to relevant policies, standards, procedures, and guidelines.

Compliance

The Information Security Officer and Chief Information Officer are primarily responsible for enforcement. Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines, and procedures.
Compliance is determined via periodic audits, scans, simulated training exercises, internal and third-party risk assessments, and reviews and is measured against this policy and all published related documents. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations.
Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and notifications sent to responsible parties. These notices will include recommendations for corrective action. A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action. Follow up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions.
Nothing in this section will be construed as an impediment to responding to a security breach incident.

Review

This policy will be reviewed and updated as needed. Said review will occur at least once every two years.

Policy History

Date of first approval by President’s Cabinet: Fall 2014
Current version approved by President’s Cabinet December 1, 2023

Details

Article ID: 20998

Created

Wed 12/7/16 9:48 AM

Modified

Tue 12/5/23 11:45 AM

Updating...