Purpose:

In order for SUNY Cortland to execute its mission of supporting technology used for teaching and learning, the University is committed to providing a secure yet open network that protects the integrity and confidentiality of information while maintaining its ease of access.

Applicability and Scope

Part 1: Overview

Each member of the campus community is responsible for the security and protection of electronic information resources over which they have control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.

Definitions

Providers (individuals who design, manage, and operate campus electronic information resources, e.g. application programmers, systems operators, network and system administrators) must:

• become knowledgeable regarding relevant security requirements and guidelines;
• analyze potential threats and the feasibility of various security measures in order to provide recommendations to the administration;
• implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials;
• establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access guidelines;

Users (individuals who access and use campus electronic information resources) must:

• become knowledgeable about relevant security requirements and guidelines;
• protect the resources under their control, such as access passwords, computers, and data they download

Policy statement

SECURITY ELEMENTS:

Logical Security:

All computers which access category 1 or 2 data as defined in the data classification policy, must have the most recently available and appropriate software security patches and the most current level of antivirus installed. As directed in the Patching Procedure and Guidelines.  Devices that connect to the network, and access protected resources, are defined as operational IT or virtual appliances must also adhere to the Patching Procedures and Guidelines.

Adequate authentication and authorization functions must be provided.

Physical Security:

Appropriate controls must be employed to protect physical access to all technology resources. These may range in scope and complexity from extensive security installations to protect a room or facility where enterprise technology is house, to measures taken to protect a user's endpoint device. All data center access is recorded, and card access is used.

Minimum Security Standards for SUNY Cortland’s computing resources

The following minimum standards are required for devices connected to the campus network. 

1. Software patch updates

See Patching Procedure and Guidelines..   

2. Managed Detection and Response

All campus endpoints, servers, and assets capable of running a detection and response security package are required to do so.  Windows and Apple Mac OS end points shall be enrolled and running the approved verified mdr application.  Servers shall be enrolled and running the server MDR as well as Security Information and Event Management (SIEM) approved tools.  All endpoints and servers shall under going automated vulnerability scanning.

3. Enterprise and client levels hardware/software firewall

The campus network will be segmented and protected at all times from potential intrusion by utilizing an enterprise-level firewall application.

Host-based firewall software for any particular type of device currently connected to the campus network must be running the campus standard host-based firewall software.

4. User Authorization

All users shall utilize a username and password to connect to protected resources, including endpoints, applications, network resources, wifi, lan access and cloud services.  Whenever possible all services shall use a single sign to provide a single identity to all resources.  Cost should not be a factor in evaluating the usage of SSO.

All default passwords for access to network-accessible devices must be modified.

Passwords: 

• will have no maximum life span unless a qualifying event forces a password reset
• must be at least 8 characters in length
• will have password history enforced
• will auto-expire at initial login

Multifactor Authentication (MFA):

• All current employees, students, volunteers, and affiliated agencies are required to use MFA to access SSO-protected resources.

Administrative Management:

Accounts and passwords used by administrators for their access to a service or device must not be the same as those used for privileged access to any service or device. 

All remote access sessions for servers must require MFA

All cloud services administrative interfaces where available shall use MFA

5. Remote Access

Remote access to all campus technology resources will be provided through Cloudflare's WARP client. Remote access requires the use of a standard user account and Multifactor Authentication.

6. Physical security

Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for a predetermined period of time.

7. Backup/Recovery

Electronic backups are a requirement to enable the recovery of data and applications in case of events such as natural disasters, system disk drive failures, corruption, data entry errors, or system operations errors. The purpose of the University backup/recovery procedure is to establish the process for the backup and storage of information resources.

Applicability

This procedure applies to all University resources that contain mission-critical information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Backup/Recovery of information resources. The intended audience is all University staff responsible for the support and operation of University information resources which contain mission-critical information. In addition, these procedures may be applied to non-mission critical information systems to aid in their recovery.

Procedure

1. The frequency and extent of backups shall be determined by the importance of the information, potential impact of data loss/corruption, and risk management decisions by the information system owner or data owner.

2. Mission-critical information backup and recovery processes for each system, including those for offsite storage, shall be documented and reviewed periodically.

3. Appropriate physical access controls must be documented and implemented at offsite backup storage locations.

4. Processes must be in place to verify that the actual offsite storage of mission critical data is taking place.

5. Backups shall be periodically tested to ensure that they are recoverable.

6.  All backups on site are done using disk to disk technology with an encrypted landing space.  Backups are replicated to a cold site across campus.  Critical data is replicated to a cloud infrastructure.