Information Technology Security Program

“A strategic plan to ensure confidentiality, integrity, and accessibility of Oneonta’s information assets.”

Approved by President’s Cabinet March 22, 2005

TABLE OF CONTENTS

The purpose of this document is to define a set of minimum information technology (IT) security requirements that the College must meet to comply with State and Federal directives. The College may, based on its individual business needs and specific legal requirements such as FERPA or the GLBA, exceed any or all of the information security requirements put forth in this document, but must, at a minimum, achieve the information security levels defined in this document.

• effectively manage the risk of IT security exposure or compromise within College systems;
  

• communicate within the College community the responsibilities for the protection of College information;
  

• comply with the Family Educational Rights and Privacy Act of 1974 (FERPA - the Buckley Amendment), and the Gramm-Leach-Bliley Act (GLBA) and other statutes and policies protecting the rights of individuals.
  

• consistently maintain data integrity and accuracy.
  

• assure that authorized individuals have timely and reliable access to necessary data.
  

• deny with reasonable assurance unauthorized individuals access to computing resources or other means to retrieve, modify or transfer data.

This program applies to all faculty, staff and students of the College, or others (e.g., Research Foundation employees, OAS employees, vendors, contractors, etc) who may utilize the College’s technology and related facilities.

This program encompasses all computer systems, for which the College has responsibility, including systems managed or hosted by third parties on behalf of the College. It addresses all electronic information, regardless of the form or format, which is created or used in support of the College mission.

IT security refers to the protection of information from unauthorized access, destruction, modification or disclosure. For the purposes of this document, information is defined as the representation of facts, concepts, or instructions in an electronic manner suitable for communication, interpretation, or processing by human or automated means. Information is relayed in a variety of methods such as in written documentation or through computer networks. Information is also stored and retrieved in several formats. The formats can include but are not limited to: computer databases or transmissions, tapes, CD ROMS, diskettes, computer generated reports, hard copy documentation, e-mail messages, voice mail, etc.

This program must be communicated to all faculty, staff, students and all others who have access to or manage College information. This IT security program is not specific to any type of hardware, communications method, network topology, or software applications. As such, it is designed to be implemented across campus.

The President’s Cabinet is fully committed to IT security and agrees that every person in the College community has an important responsibility to continuously maintain the security and privacy of College data. This IT Security Program is a statement of the minimum requirements, ethics, responsibilities and accepted behaviors required to establish and maintain a secure environment, and achieve the College’s IT security objectives. This IT Security Program sets the direction, gives broad guidance and defines requirements for IT security related processes and actions across the College. This program follows the framework of the International Standards Organization’s 17799, A Code of Practice for Information Security Management.

• coordinating and implementing information security policies, standard, and procedures;
  

• assigning information security responsibilities;
  

• implementing an IT security awareness program;
  

• monitoring significant changes in the exposure of IT assets to major threats, legal or regulatory requirements;
  

• responding to IT security incidents;
  

• leading major initiatives to enhance IT Security;
  

• eading disaster preparedness planning to ensure continuity of College business.

College Designated Staff: College designated staff will be responsible for the implementation of this and other IT Security policies and the compliance of College employees to this program. The designated staff must educate College employees with regard to IT Security issues, explain the issues, why the policies have been established, and what role(s) individuals have in safeguarding IT assets. Consequences of non-compliance will also be explained.

Information Owners: Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.). These access privileges must be in accordance with the user’s job responsibilities. Information owners also communicate to the College ISO the legal requirements for access and disclosure of their data. Information owners must be identified for all College information assets and assigned responsibility for the maintenance of appropriate information security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc. Responsibility for implementing information security measures may be delegated, though accountability remains with the identified owner of the asset.

College Information Security Officer: The College Information Security Officer has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of this program. The College Information Security Officer is responsible for providing direction and leadership to the College through the recommendation of IT security policies, standards, processes and education and awareness programs to ensure that appropriate safeguards are implemented, and to facilitate compliance with those policies, standards and processes. The College Information Security Officer is responsible for investigating all alleged IT security violations. In this role, the College Information Security Officer may refer the investigation to other investigatory entities, including law enforcement. The College Information Security Officer will coordinate and oversee IT security program activities and reporting processes in support of this program and other IT security initiatives.

IT Security Administrator: This individual will report to the College Information Security Officer and be responsible for administering IT security tools, auditing IT security practices, identifying and analyzing IT security threats and solutions, and responding to IT security violations.

The Departments of Administrative Computing and Telecommunications: These areas have responsibility for the data processing infrastructure and computing networks which support the information owners. It is the responsibility of Computing and Telecommunications to support the IT Security Program and provide resources needed to enhance and maintain a level of IT Security control consistent with the College’s IT Security Program.

The Department’s of Administrative Computing and Telecommunications have the following responsibilities in relation to the IT security:

• ensuring processes, policies and requirements are identified and implemented relative to IT security requirements defined by the College;
  

• ensuring the proper controls of IT are implemented for which the College has assigned ownership responsibility, based on the College’s classification designations;
  

• ensuring the participation of the College Information Security Officer and technical staff in identifying and selecting appropriate and cost-effective IT security controls and procedures, and in protecting IT assets;
  

• ensuring that appropriate IT security requirements for user access to automated information are defined for files, databases, and physical devices assigned to their areas of responsibility;
  

• ensuring that critical data and recovery plans are backed up and kept at a secured off-site storage facility and that recovery of backed-up media will work if and when needed.

College Employees: It is the responsibility of all employees to protect College information and resources, including passwords, and to report suspected IT security incidents to one or more of the following: the information owner, the IT Help Desk, or the Information Security administrator as appropriate.

Non-College Employees: Oneonta Auxiliary Services (OAS), Research Foundation (RF), Retirees, Contractors, Consultants, Vendors and other persons including students, to the extent of their present or past access to the College IT assets, are also covered by this IT Security Program.

All stored or transmitted electronic information which is created, acquired or used in support of the College’s mission, regardless of the form or format, must be used for College business only. This information is an asset and must be protected from its creation, through its useful life, and to its authorized disposal. It must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Information must be classified and protected based on its importance to business activities, risks, and information security best practices as defined in International Standards Organization’s 17799, A Code of Practice for Information Security Management.

Information is one of the College’s most valuable assets and the College relies upon that information to support our mission. The quality and availability of that information is key to the College's ability to carry out its mission. Therefore, the security of the College’s information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of College information has an obligation to preserve and protect College information assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals.

Information security management enables information to be shared while ensuring protection of that information and its associated computer assets including the networks over which the information travels. College designated staff are responsible for ensuring that appropriate physical, logical and procedural controls are in place on these assets to preserve the information security properties of confidentiality, integrity, availability and privacy of College information.

Information must be properly managed from its creation, through authorized use, to proper disposal and requires different levels of protection. Information will be classified based on its value, sensitivity, consequences of loss or compromise, and/or legal and retention requirements. Criteria for determining the sensitivity of information will include consideration of confidentiality, integrity, availability, privacy, safety, legal and retention compliance requirements.

All information will have an information owner established within the College’s lines of business who will be responsible for assigning the initial information classification, and make all decisions regarding controls, access privileges of users, and daily decisions regarding information management.

Each classification will have a set or range of controls, designed to provide the appropriate level of protection of the information and its associated application software commensurate with the value of the information in that classification. Protective measures will address the above considerations with control categories that include: identification & authentication, access control, confidentiality, network security, host security, integrity, non-repudiation, monitoring and compliance.

Privacy of personally identifiable information must be maintained consistent with laws, rules and regulations. The College’s systems hold personal information (i.e., any information that is unique to any individual) to carry out the mission of the College. The protection of the privacy of personal information is of utmost importance and the College must protect the rights of privacy of all members of the College community. All College employees with access to personal information are required to respect the confidentiality of that personal information to the full extent of the law. Personal data, including information about employees, students, members of the public, organizations and business partners, collected and maintained by the College must:

• be consistent with the provisions of the Internet Security and Privacy Act, the Freedom of Information Law, FERPA, and the Personal Privacy Protection Law;
  
• be used as authorized by law;
  
• be gathered in lawful manner;
  
• be kept in a manner as required by law or regulations;
  
• not be disclosed unless authorized or required by law;
  
• be available for review by authorized individuals;
  
• be corrected if errors are known to exist or if the individual identifies errors;
  
• be erased where appropriate if the individual requests consistent with applicable laws; and
  
• be protected using system access controls.

The intent of this section is to reduce the risk of human error and misuse of College information and facilities.

Information security roles and responsibilities must be documented. These roles and responsibilities will include general responsibilities for all College employees, as well as specific responsibilities for protecting specific information assets and performing tasks related to information security procedures or processes.

All faculty, staff and students must receive general information security awareness training to ensure they are knowledgeable of information security procedures, their roles and responsibilities regarding the protection of the College information assets, and the proper use of information processing facilities to minimize information security risks.

Departments that process or maintain sensitive information are responsible for conducting specific information security awareness training for employees who handle such information in the course of their job duties. This training should include physical handling and disposition of non electronic documents containing sensitive information as well as proper procedures to follow in processing and storing electronic information and documents.

Logon banners will be implemented on all systems where that feature exists to inform all users that the system is for the College business or other approved use consistent with College mission.

Incidents affecting information security must be reported as quickly as possible to one or more of the following: the information owner, the Information Technology (IT) Help Desk or the IT Security Administrator as appropriate.

Formal incident reporting procedures that define the actions to be taken when an incident occurs must be established. Feedback mechanisms must be implemented to ensure that individuals reporting incidents are notified of the results after the incident has been resolved and closed.

Users of information technologies shall report any observed or suspected information security weaknesses or threats to the appropriate manager and the IT Security Administrator. They must report these weaknesses as soon as possible. Users must not attempt to prove a suspected weakness unless authorized by the College ISO to do so. Testing weaknesses could have unintended consequences.

Users are required to report software malfunctions such as a virus not being detected, password change not accepted, etc. Users should report such malfunctions by calling the IT Help Desk. After the IT Help Desk is notified of the problem the following actions will be taken:

• the symptoms of the problem and any messages appearing on the screen will be documented;
  
• the computer will be isolated, if possible, and use of it stopped until the problem has been resolved;
  
• the incident will be reported immediately to the appropriate manager and the IT Security Administrator.

The logging of information security incidents will be used by the College to identify recurring or high impact incidents and to record lessons learned. Review of this information may indicate the need for additional controls to limit the frequency, damage and cost of future incidents.

Breaching physical security can cause a loss of or damage to College information assets. Physical security will be achieved by creating physical barriers around the assets being protected. These barriers could be in the form of an entry point with card key access, a locked door, a staff member, or other physical barrier.

College environments where servers are stored or operational, wiring closets for networks and telephony, printers where confidential or sensitive information may be printed, and any other areas that contain and or process critical or sensitive information must be secured against unauthorized access.

The College will perform periodic threat and risk analysis to determine where additional physical security measures are necessary, and implement these measures to mitigate the risks.

There is risk of disclosure of sensitive information through careless disposal or re-use of equipment. Storage devices such as hard disk drives and other magnetic media such as tape, containing sensitive information will be physically destroyed or securely overwritten to prevent the unauthorized disclosure of sensitive College information.

Desktop, laptop and PDA computers connected to a network and/or containing sensitive or confidential College information must be automatically logged off or the screen locked within 30 minutes of inactivity.

All College owned computer equipment with an acquisition cost greater than $500 will be tagged to identify the College as the owner. An equipment inventory will be conducted annually by the Office of Property Management.

The College must implement a range of network controls to maintain security in its internal networks, and ensure the protection of connected services and networks. These controls help prevent unauthorized access and use of the College networks. The following controls, at a minimum, should be implemented:

• Operational responsibility for networks will be separate from computer operations when possible;
  

• Responsibilities and procedures for remote use must be established (refer to Section 9. Access Control section of this document);
  

• When necessary, special controls will be implemented to safeguard data integrity and confidentiality of data passing over public networks (Internet).

Any devices connected to a network will be scanned periodically to ensure that no major vulnerabilities have been introduced into the environment. The frequency of scans will be determined by the College ISO.

Network vulnerability scanning will be conducted periodically at the discretion of the IT Security Administrator. The output of the scans will be reviewed in a timely manner, and any vulnerability detected will be evaluated for risk and mitigated. The tools used to scan for vulnerabilities will be updated periodically to ensure that recently discovered vulnerabilities are included in any scans.

A process to perform the scanning will be defined by the College, tested and followed at all times to minimize the possibility of disruption to the College networks by such reviews. Reports of exposures to vulnerabilities will be forwarded to the College ISO and IT Security Administrator.

The use of any network vulnerability scanning tools, whether internal or external, by individuals who are not part of the formal test process described above is prohibited. Any vulnerability scanning from the Internet must be conducted exclusively by the College’s authorized, qualified staff or qualified third party.

When College faculty, staff and students connect to the Internet using any College Internet address designation or send electronic mail using the College designation, it should be consistent with the College’s mission. College equipment, systems, facilities and supplies must be used only for conducting activities consistent with the College’s mission. Users are visible representatives of the College and must use the Internet and College e-mail system in a legal, professional and responsible manner. The following is not an all-inclusive list, and provides only examples of behavior that is not acceptable. Specifically, the Internet and electronic mail will not be used:

• for personal gain or profit;
  

• to represent yourself as someone else (i.e., “spoofing”);
  

• for spamming;
  

• for unauthorized attempts to break into any computing system whether the College’s or another organization’s (i.e., cracking or hacking);
  

• for theft or unauthorized copying of electronic files;
  

• for posting sensitive College information without authorization from the College;
  for mass distribution without the College’s authorization, such as “chain letters”;
  

• for non-business communication using “instant messaging” or similar technology;
  

• for “sniffing” (i.e., monitoring network traffic), except for those authorized to do so as part of their job responsibilities.

A computer that is connected to a College network cannot also be connected to a non-College network via dial-up access using a modem unless specifically authorized by the College ISO. For example, users that subscribe to third party Internet service providers like AOL cannot connect to AOL via a modem at the same time they are connected to a College network.

Any connection over a public network (i.e. Internet) that involves sensitive information must use a Virtual Private Network (VPN) or other equivalent encryption technology to ensure the privacy and integrity of the data passing over the public network.

All portable computing resources and information media must be secured to prevent compromise of confidentiality or integrity. No computer device may store or transmit sensitive information without suitable protective measures being implemented and approved by the College ISO.

When using mobile computing facilities such as notebooks, palmtops, laptops and mobile phones, special care must be taken to ensure that information is not compromised. Users of mobile computing are responsible for physical protection, access controls, cryptographic techniques, back-ups, virus protection and the rules associated with connecting mobile facilities to networks and guidance on the use of these facilities in public places. In cases where sensitive information is concerned:

• Care must be taken when using mobile computing facilities in public places, meeting rooms and other unprotected areas outside of the College's premises. Protection must be in place to avoid the unauthorized access to or disclosure of the information stored and processed by these facilities, e.g. using cryptographic techniques.
  

• It is important that when such facilities are used in public places care must be taken to avoid the risk of unauthorized persons viewing information on-screen.
  

• Equipment carrying important and/or sensitive information must not be left unattended and, where possible, must be physically locked away, or special locks must be used to secure the equipment.
  

• Training must be provided to staff using mobile computing resources to raise their awareness of the additional risks resulting from this way of working and the controls that will be implemented.
  

• Employees in the possession of portable, laptop, notebook, palmtop, and other transportable computers must not check these computers in airline luggage systems. These computers must remain in the possession of the traveler as hand luggage unless other arrangements are required by Federal or State authorities.
  

• For all portable computers such as laptops, notebooks, etc, the use of a “bootup” or power-on password must be implemented. For those computers containing sensitive information, data encryption techniques may also be employed.

The use of telephones outside the College for business reasons is sometimes necessary, but it can create security exposures. Examples of best practices:

• take care that they are not overheard when discussing confidential matters;
  

• avoid use of any wireless or cellular phones when discussing sensitive or confidential information;
  

• avoid leaving sensitive or confidential messages on non-College voicemail systems;
  

• if sending sensitive or confidential documents via fax, verify the phone number of the destination fax. Contact the recipient to ensure protection of the fax, either by having it picked up quickly or by ensuring that the fax output is in a secure area;
  

• avoid using Internet fax services to send or receive sensitive or confidential information;
  

• not use third party fax services to send or receive sensitive or confidential information;
  

• not send sensitive or confidential documents via wireless fax devices;
  

• when chairing a sensitive or confidential teleconference, confirm that all participants are authorized to participate, before starting any discussion.

Wireless technology and pervasive devices create opportunities for new and innovative uses. College information systems can be exposed to compromise or to a loss of service if security risks are not addressed correctly.
nbsp;

Wireless technology is a shared medium. Everything that is transmitted over the radio waves can be intercepted if the interceptor is within the coverage area of the radio transmitters. This represents a potential security issue in the wireless Local Area Networks (LANs). The security exposure is more evident in public areas, such as the Library, Residence Halls, and the Student Union.

Suitable controls such as authentication and encryption will be implemented by Telecommunications to reduce the possibility that a wireless network or access point can be exploited to disrupt College information services or to gain unauthorized access to College information.

Using modems to connect to a network can create security risks. When using a modem and a computer that contains sensitive college information the following best practices apply:

• modems must not be left connected to computers in auto-answer mode, such that they are able to receive incoming dial-up calls;
  

• communications systems must not be established that accept incoming dial-up calls;
  

• under no circumstances will a user attempt to add a remote access server to a college network.

• all dial-up modem phone numbers are confidential and must be made available only to authorized users;
  

• only under extreme conditions should a computer have remote control software and dial-in capability;
  

• dial-up modems must be configured to answer calls on the fourth ring;
  

• system configuration will be set to disconnect after three unsuccessful password attempts;
  

• session limits of three hours and inactivity timeouts of 30 minutes will be placed on all sessions.

The World Wide Web provides an opportunity for the College both to disseminate information and to provide interactive services quickly and effectively. Because anything posted on a public web server is globally available and each web presence is a potential connection path to the College networks, care will be exercised in the deployment of publicly accessible servers. There is also potential for an insecure server to be used or exploited to assist in an unauthorized or illegal activity, such as an attack on another web site.

Sensitive or confidential information will not be made available through a server that is available to a public network without appropriate safeguards approved by the College ISO. The College ISO will implement safeguards to ensure user authentication, data confidentiality and integrity, access control, data protection, and logging mechanisms.

The implementation of any web site or software that interacts with the user, requires registration, collects or processes information from users is considered to be application development and, therefore, must be audited and approved by the College ISO to ensure that the collection and processing of information meets College information security and privacy requirements. The review will ensure that the information is adequately protected while in transit over public and College networks, while in storage, and while being processed.

Electronic signatures including digital signatures provide a means of protecting the authenticity and integrity of electronic documents. They can be used in electronic transactions where there is a need for a signature. New York State's Electronic Signatures and Records Act (ESRA) provides that electronic signatures are equivalent to hand-written signatures. The College will comply with the Electronic Signatures and Records Act (ESRA), FERPA, and any other State or Federal regulations regarding electronic signatures.

All users of College information systems must be made aware of the procedure for reporting information security incidents, threats, weaknesses, or malfunctions that may have an impact on the security of College information. All College staff and contractors are required to report any observed or suspected incidents to the appropriate manager and the College ISO as quickly as possible.

Incident management responsibilities must be documented and procedures must be clearly defined to ensure a quick, effective and orderly response to information security incidents. At a minimum, these procedures must address:

• information system failures and loss of service;
  
• denial of service;
  
• errors resulting from incomplete or inaccurate data;
  
• breaches of confidentiality;
  
• loss of integrity of the software or other system component.

In addition to normal contingency plans designed to recover applications, systems or services, the incident response procedures must also cover:

• analysis and identification of the cause of the incident;
  

• planning and implementation of corrective actions to prevent reoccurrence;
  

• collection of audit log information;
  

• communication with those affected by or involved in the recovery from the incident.

College management and the College ISO will investigate all information security incidents and implement corrective actions to reduce the risk of reoccurrence.

To reduce the risk of accidental or deliberate system misuse, separation of duties or areas of responsibility must be implemented where practical. Where appropriate, including where the separation of duties is not practical, other compensatory controls such as monitoring of activities, audit trails and management supervision must be implemented.

Separation of the development, test and operational environments will be implemented, either logically or physically, when feasible. Processes must be documented and implemented to govern the transfer of software from the development environment to the operational platform.

Separation must also be implemented between development and test functions. The College must consider the use of a stable quality assurance environment where user testing can be conducted and changes cannot be made to the programs being tested. The following controls must be considered:

• development and operational software must, where possible, run on different computer processors, or in different domains or directories;
  

• development and testing activities must be separated;
  

• compilers, editors and other system utilities must not be accessible from operational systems when not required;
  

• different log-on procedures should be used for operational, test and development systems, to reduce the risk of error. Users will be encouraged to use different passwords for these systems, and menus should display appropriate identification messages;
  

• programming staff will only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems.

Software and associated controls must be implemented across College systems to prevent and detect the introduction of malicious software. The introduction of malicious software such as computer viruses, network worms and Trojan horses can cause serious damage to networks, workstations, and data. Users must be made aware of the dangers of unauthorized or malicious software. Anti-virus software will be installed on all computers connected to a College network. At a minimum, the virus signature files for this software must be updated weekly. On host systems or servers, the signature files will be updated daily or when the virus software vendor’s signature files are updated and published.

All purchased applications and systems software must be maintained at a vendor-supported level to ensure software accuracy and integrity. Maintenance of College-developed software will be logged to ensure changes are authorized, tested and accepted by College management. Also, all known information security patches must be reviewed and applied in a timely manner to reduce the risk of security incidents that could affect the confidentiality, integrity and availability of data or software integrity.

The scope of this program is limited to the IT infrastructure, and the data and applications of the local College environment. To ensure interruptions to normal College operations are minimized, and critical College applications and processes are protected from the effects of major failures, each College unit, in cooperation with the College IT organization, must develop plans that can meet the backup requirements of the College. Backups of critical College data and software must be performed regularly.

Systems and services that process or store sensitive or confidential information or provide support for critical processes must undergo technical security reviews to ensure compliance with implementation standards and to assess vulnerabilities to subsequently discovered threats. Reviews of systems and services that are essential to supporting a critical College function must be conducted at least once every year. Reviews of a representative sample of all other systems and services must be conducted periodically.

Any deviations from expected or required results that are detected by the technical security review process must be reported to the College ISO and corrected immediately. In addition, the College application owner should be advised of the deviations and must initiate investigation of the deviations (including the review of system activity log records if necessary).

Sensitive information could be leaked to outside persons through careless disposal of media. Formal processes must be established to minimize this risk. Media such as tapes, diskettes, servers, mainframe and PC hard drives containing sensitive College data must be destroyed by incineration, shredding, or electronic erasure of data before disposal, consistent with applicable record retention and disposition laws.

To preserve the properties of integrity, confidentiality and availability, the College’s information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.

Information owners are responsible for determining who should have access to information assets within their jurisdiction, and what those access privileges will be (read, update, etc.). These access privileges will be granted in accordance with the user’s job responsibilities.

A process shall be established by the College to outline and identify all functions of user management, to include the generation, distribution, modification and deletion of user accounts for access to resources. The purpose of this process is to ensure that only authorized individuals have access to College applications and information and that these users only have access to the resources required for authorized purposes.

• enrolling new users;
  
• removing user-ids;
  
• granting “privileged accounts” to a user;
  
• removing “privileged accounts” from a user;
  
• periodic reviewing “privileged accounts” of users;
  
• periodic reviewing of users enrolled to any system; and
  
• assigning a new authentication token (e.g. password reset processing).

In most cases the appropriate information owner or supervisor will make requests for the registration and granting of access rights for employees. In some cases access can be automatically granted or taken away based on employment status.

For applications that interact with individuals that are not employed by the College, the information owner is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users must be defined, to include the credentials that must be provided to prove the identity of the user requesting registration, validation of the request and the scope of access that may be provided.

The issuance and use of privileged accounts will be restricted to only those individuals necessary in the normal performance of their job responsibilities. All individuals (systems programmers, database administrators, network and information security administrators, etc.) will have a unique privileged account (user-ID) for their personal and sole use so that activities can be traced to the responsible person. User-ids must not give any indication of the user’s privilege level, e.g., supervisor, manager, administrator. These individuals should also have a second user-ID when performing normal transactions, such as when accessing the College e-mail system.

In certain circumstances, where there is a clear requirement or system limitation, the use of a shared user-id for a group of users or a specific job can be used. Additional compensatory controls must be implemented to ensure accountability is maintained.

Software applications are developed or acquired to provide efficient solutions to College problems. These applications generally store, manipulate, retrieve and display information used to conduct College business. The College units become dependent on these applications, and it is essential the data processed by these applications be accurate, and readily available for authorized use. It is also critical that the software that performs these activities be protected from unauthorized access or tampering.

To ensure that information security is built into all College information systems, all security requirements, including the need for rollback arrangements, must be documented.

Information security requirements and controls must reflect the value of the information assets involved, and the potential damage that might result from a failure or absence of information security measures. This is especially critical for online applications. The framework for analyzing the information security requirements and identifying controls to meet them is associated with threat assessment and risk management which must be performed by the College ISO and the information owner.

Data which have been entered correctly can be corrupted by processing errors or through deliberate acts. Application design must ensure that controls are implemented to minimize the risk of processing failures leading to a loss of data or system integrity. Specific areas to consider include:

• the use and location in programs of add and delete functions to implement changes to data;
  
• the procedures to prevent programs running in the wrong order or running after failure of prior processing;
  
• the use of correction programs to recover from failures to ensure the correct processing of data.

Use of cryptography for protection of high-risk information must be considered when other controls do not provide adequate protection. Encryption is a technique that can be used to protect the confidentiality of information. It must be considered for the protection of sensitive or critical information. Based on a risk assessment, the required level of protection will be identified taking into account the type and quality of the encryption algorithm used and the length of cryptographic keys employed.

To minimize the possibility of corruption of information systems, strict controls over changes to information systems must be implemented. Formal change control procedures for applications must be developed, implemented and enforced. They must ensure that information security and control procedures are not compromised, that support programmers are given access only to those parts of a system necessary to perform their jobs, and that formal agreement and approval processes for changes are implemented. These change control procedures will apply to College applications as well as systems software used to maintain operating systems, network software, hardware changes, etc.

In addition, access to source code libraries for both College applications and operating systems must be tightly controlled to ensure that only authorized individuals have access to these libraries and that access is logged to ensure all access can be monitored.

The designs, operation, use and management of information systems are subject to legal and vendor contractual information security requirements.

The Gramm-Leach-Bliley Act (GLBA) requires “financial institutions” as defined by the Federal Trade Commission (FTC), to protect and secure customer information such as names, Social Security numbers, addresses, account and credit card information. The GLBA sets forth extensive privacy rules which the College is deemed to be in compliance with because of its adherence to the provisions of the Family Education Rights and Privacy Act (FERPA). The GLBA also establishes a Safeguards Rule, from which the College is not exempt, that requires the College to protect and safeguard customer information.

College records must be protected from loss, destruction or unauthorized modification. Some records may need to be retained in a secure manner for extended periods to meet state and Federal legal retention requirements, as well as to support essential operations.

The General Retention and Disposition Schedule for New York State Government Records contains guidelines for complying with legal, fiscal, and administrative requirements for records retention and provides advice on management of records. The College will develop procedures to dispose of any records in accordance with the provisions of Section 57.05 of Arts and Cultural Affairs Law. New York State Archives and Records Administration (SARA) issues general schedules to authorize the retention and disposition of records.

Safeguards that will be taken to protect customer information include the following:

• Computer access will be limited by user ID’s and passwords
  
• Customer information stored in file cabinets will be accessible only to staff in offices who need access and will be locked when not in use
  
• Offices that have access to customer information will be locked after hours
  
• Customer data will be backed up routinely
  
• Passwords will expire periodically and employees must then reset them
  
• Passwords will not be posted in publicly viewable places
  
• Intrusion detection systems will monitor the College networks to allow the prompt detection of attacks and intrusions
  
• Vulnerability scanning of systems containing customer information will be conducted periodically
  
• Antivirus protection will be maintained on all computer systems
  
• Designated staff members will supervise the disposal of records containing customer information
  
• Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information
  
• Inventories of all computer systems will be maintained
  
• Reduce paper forms and documents through increased electronic access to this information
  
• Implement measures to ensure unauthorized persons cannot access College computer systems when left unattended
  
• Avoid using Social Security numbers as a primary identification number

The information technology resources and the data processed by these resources are provided for College purposes. Management should authorize their use. Any use of IT facilities or data for non-College or unauthorized purposes, without management’s consent, should be considered a misuse of College facilities.

Compliance with this IT Security program is mandatory. Each user must understand his/her role and responsibilities regarding information security issues and protecting the College’s information assets. The failure to comply with this or any other information security program that results in the compromise of College information confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement. The College will take every reasonable step necessary, including legal and administrative measures, to protect its information assets.

The College Information Security Officer shall review this document annually. If significant changes are needed the ISO shall propose the changes to the President’s Cabinet.

The College managers and supervisors will ensure that all information security processes and procedures within their areas of responsibility are followed. In addition, all units within the College may be subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the program requirements is not met will be documented and reported to the College’s Information Security Officer. For each area of non-compliance, a plan will be developed to address the deficiencies.

DEFINITIONS

This is the exchange of security information to verify the claimed identity of a communications partner. In security terms it is particularly to counter attempts to masquerade as an authorized user to enable new connections or associations.

The granting of rights, which includes the granting of access based on an authenticated identity.

Text Only Options

• Change the current font size: larger | default | smaller
• Current color mode is Black on White, other available modes: Yellow on Black | Black on Cream
• Show textual links as buttons
• Do not move navbars
• Do not alert me when leaving text-mode
• Open not handled documents directly
• Hide Text Only Options

Open the original version of this page.