Last Updated:
Purpose:
The State University of New York at Cortland security program for information security is a combination of policy, security architecture modeling, and descriptions of current IT security services and control practices. When integrated, the overall program describes administrative, operational, and technical security safeguards that must be implemented for/in information systems involved in the processing and storage of sensitive or private information.
Applicability and Scope
This program applies to SUNY Cortland Information Resources staff, as well as to any data processors, data custodians, data stewards, and other persons responsible for creating, storing, and transmitting data.
Policy statement
PART 1: OVERVIEW AND SECURITY PROGRAM OBJECTIVES
The Security Program provides business value by enabling the delivery of applications to more individuals, in a more timely manner, with data integrity preserved. Appropriate information security is crucial to this environment in order to manage the risks inherent in a distributed, open computing environment.
The practice of “Defense in Depth” is used at SUNY Cortland, providing several different layers of protection, each contributing to the overall protection of information assets:
- Information integrity and access controls
- Application logic, error checking, and data validation controls
- Server and client based logical and physical protections
- Internal and perimeter network level protections
- Employee policy, practices, and procedures
Business Owners, along with the university’s Information Security Team, are responsible for taking appropriate steps to assess internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of institutional data. Risks in a large and diversified computing environment may include, but are not limited to:
- Unauthorized access to sensitive or confidential institutional information
- Compromised computer system(s) integrity as a result of access by an intruder
- Interception of data traversing network(s)
- Physical loss of data center, infrastructure, facilities, or computer equipment
- Errors or other corruption introduced into computer systems or applications
- Inadequate system administration support practices
- Loss of system availability
Documentation supporting the University’s compliance with regulatory controls, as appropriate, will be maintained by the Information Security Team. This may include audit reports, assessment reports, and other documents prepared for that purpose.
PART 2: SECURITY PROGRAM CONTROL AREAS
Risk Assessment and Planning
Risk assessments are performed on critical information technology assets of the University on a regular basis.
The Director of Information Systems and Security performs technical risk assessments and/or coordinates penetration tests for management and business owners upon request; these are conducted, and their results maintained, in a strictly confidential manner.
The Information Security Team will facilitate an entity-wide security risk assessment whenever significant changes to the computing environment are implemented, and at least once every five years.
Security must be a consideration from the very beginning of any project at the University rather than something that is added later. The Director of ISS is a resource available to assist with this effort throughout the planning phase of a project. In addition, a control review should be performed before implementation of computer systems which house or handle confidential institutional information. This may include a:
- technical security evaluation to ensure appropriate safeguards are in place and operational
- risk assessment, including a review for regulatory, legal, and policy compliance
- contingency plan, including the data recovery strategy
- review of on-going production procedures, including change controls and integrity checks
- penetration test to evaluate and ensure controls operate as expected
- collection of the required HECVAT (Higher Education Community Vendor Assessment Toolkit)
Security Policy
The Acceptable Use Policy describes the expectations for all members of the user community regarding appropriate use of technology, protection of privacy, and protection of academic freedoms.
*Future Plan
The University provides an annual campus e-mail notification to all members of the University community describing a selection of important IT policies. The notification also directs them to the IT policy repository as an additional educational measure, and includes key aspects of policy in the computer based security awareness program offered to campus personnel.
Organization of Information Security
All Information Resources personnel are required to agree to a data confidentiality agreement at the time of hire.
The statement is available at https://www2.cortland.edu/offices/information-resources/pdf/policies/security/SUNYCortlandInformationResourcesConfidentialityPolicyandProcedures082410.pdf
Asset Management
The Data Classification Policy describes individual responsibilities for managing and inventorying our physical and logical assets.
A tool is available to assist business owners of institutional data to appropriately classify the sensitivity of their information, using Appendix A of the Data Classification Policy. Once a set of institutional data is classified, appropriate protections can be applied.
In addition, the University has developed a policy regarding the use and protection of Personally Identifiable Information: https://www2.cortland.edu/offices/information-resources/pdf/policies/security/Personally_Identifiable_Information_Policy.pdf
Personnel Security
A computer-based, self-enrolled Computer Security Awareness Program is available to all University employees through myRedDragon, using KnowBe4.
A marketing campaign is conducted periodically to raise awareness of its availability, along with other directed reminders. In addition, security seminars are offered to campus IT staff, as well as a “Security Month” training event. Poster and postcard campaigns are also used to highlight current and relevant issues.
Specialized training is also offered for privacy issues related to standards and regulations such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
Account provisioning and authentication are provided by an automated process driven by Human Resources data received via a nightly feed.
Physical Security Measures
Limit physical and logical access to information assets, including:
- Equipment control (inventory and maintenance records), and physical security of equipment (e.g., locks, HVAC).
- Authorization procedures prior to physical access to restricted areas, such as data centers, with sign-in or escort of visitors, as appropriate.
- Implement a system for software change management and revision controls.
- Maintain appropriate internal audit logs, which record system activity such as log-ins, file accesses, and security incidents.
- Maintain records of those granted physical access to restricted areas (e.g., key card access lists).
- Provide appropriate handling and physical protection for health information assets.
- Ensure operation and maintenance personnel are given access only as necessary to perform system maintenance responsibilities. Ensure authorized University staff supervise all external personnel performing maintenance activities.
Some of the above requirements may be delegated to others, when hosting within an institutional data center or when in the cloud.
Backup: Institutional data must have sufficient backup and be fully recoverable. Responsibilities are described for the regular backup and safe recovery of systems. Backups containing non-public data should be encrypted. Backups are stored in a digital air gap and are not accessible for a period of 10 days unless needed sooner.
Communication and Operations Management
The Information Security Standards include a section on information integrity controls, which covers requirements for segregation of critical functions, maintenance of systems and applications software, change management procedures for applications, and anti-malware controls. In addition, automated operations and contractor access are outlined, as are auditing and logging requirements and communications security requirements.
The Data Classification Policy describes data handling controls for various sensitivity levels of data, requirements for backups, and requirements for secure disposal of information.
Access Control
Systems Development and Maintenance
Information Integrity Controls are described in the Server Policy and the Software Development Policy, and include separation of duties and functions, emergency access procedures, the system and application management process, and software development change management procedures.
Information Security Incident Response
The Incident Response Plan (Draft) describes processes related to incident response and breach notification. The Information Security and Policy Office has analysts available via our on-call process to assist with security incident response, forensic analysis, e-discovery requests, and to aid in controlling liability to the university in the event of a breach.
Compliance
The following regulations pertain to information security and privacy and apply to all or part of the University’s electronic information:
The Information Security Team assists all University units and areas with assessments and testing methods to ensure compliance with all applicable privacy and security regulations.
Approved by IR Information Security Advisory Committee 04/2024