This policy is to comply with internal SUNY New Paltz security requirements, as well as to comply with SUNY Procedure 6608: Information Security Guidelines, Part 1 and is based, in part, by the “New York State Cyber Incident Reporting Policy” from the NYS Office of Cyber Security.
What is an Information Security Incident?
An information security incident is an adverse event that threatens the confidentiality, integrity, or availability of student, employee, or donor information. This includes but is not limited to the following:
- Loss or theft of devices or media (such as laptops, flash drives, smart phones, and CD/DVDs) that contain or enable access to our records & data
- Loss or theft of physical records or documents containing sensitive information
- Unauthorized access to physical records or documents containing sensitive information
- Suspected criminal use of systems or services including:
- Identity theft
- Disclosure, destruction, or alteration of New Paltz hosted, managed or affiliated systems or data
- Compromise of a web page or web server
- Compromise of user credentials (which allow access to more than the individual user’s own data)
- Successful attempts to gain unauthorized access to a system or its data, or unsuccessful attempts where there is considered to be a risk of future success
- Unwanted disruption or denial of service (DoS)
- Unauthorized use of a system for transmission, processing, or storage of data
- Unauthorized changes to system hardware, firmware, operating system, or applications without our consent, instruction or knowledge.
- Execution of malicious code (malware, ransomware, spyware, viruses, botnets, rootkits, etc.)
Policy
This is a University wide policy that applies to all SUNY New Paltz employees and the employees of those entities and affiliates that rely on our IT infrastructure, data, or applications.
Roles and Responsibilities
- University personnel and employees of university affiliates – All staff are required to comply with the standards and procedures of the SUNY New Paltz Incident Response Policy.
- Incident Response Team – The team will coordinate the response to the incident as per the Incident Document Plan.
- Information Technology – The Information Technology staff will be the primary group responsible for preventing and detecting incidents.
- Information Security and Risk Oversight Committee – The ISRO Committee is responsible for drafting the policy with consultation with appropriate staff on campus. The committee has representatives from Information Technology as well as other administrative and academic departments. The policy will be reviewed by the SUNY New Paltz Cabinet.
Procedures
The following issues must be reported to Information Technology Services, who will make a determination as to whether the issue involves the loss or suspected loss of sensitive data:
- Malicious Code – report instances of malware, especially those that have infected systems with sensitive data
- Unauthorized access to systems (note: unsuccessful attempts to access systems need be reported only if the attempts are persistent or cause problems)
- Denial of Service attempts
- Reconnaissance Scans & Probes
- Loss or theft of devices or media (such as laptops, flash drives, smart phones CD/DVDs) that contain or enable access to our records & data
- Loss or theft of physical records or documents containing sensitive information
Any of the issues listed above or suspected issues should be reported as soon as possible to: IRT@newpaltz.edu
The email should include a description of the issue(s) and contact information for the person reporting the incident.