Information Technology Security Program and Related Policies
IT Security Program
SUNY Oneonta's I. T. Security Program (ITSP) was adopted by the Cabinet in 2005. It was designed to comply with the NYS Security Policy and provide a framework around which the College will construct its information security environment.
Information Technology Security Program
A number of State and Federal regulations as well as the ITSP require us to maintain the confidentiality of sensitive or personally identifiable information." This policy declares our intention to comply with those regulations and will provide a basis for procedures that will be implemented to do so. The policy can be viewed here: Confidentiality Policy and the Vendor Agreemnt can be found at the end of the policy.
Identity Theft Prevention Program
This program is required by the FTC under their "Red Flag" rules. SUNY Oneonta must comply with the Red Flag rules as required by SUNY Policy and FTC regulations. The program is intended to detect attempts to commit fraud through identity theft and must be followed by all users who have access to the covered accounts defined in the program. The policy can be viewed here: Identity Theft Prevention Program
As detailed in section 8 of our ITSP, maintaining up-to-date patch levels on network computers and devices is essential to information security. Vulnerabilities must be addressed or mitigated in order to prevent loss of confidentiality, integrity or availability of data and preserve the stability of our network. This policy defines a system administrator's responsibilities toward patch management and complies with OSC's recommendations. The policy can be viewed here: Patch Management Policy
In support of Section 7 of SUNY Oneonta's I. T. Security Program, this policy sets out requirements for users who wish to use our Virtual Private Network in order to access sensitive information via a secure connection from remote locations. This policy has been in use for several years but has been edited to conform to the College's new policy template. It has not previously been presented for Cabinet approval. The policy can be viewed here: VPN Policy
Credit Card Number Handling Procedures
Every business that accepts credit and debit card payments is required to comply with the Payment Card Industry (PCI) Data Security Standards. The guidelines specify that an institutional information security policy must be in place that prohibits insecure (unencrypted) transmission of cardholder data, including end user messaging technologies (email, instant messaging, chat). In addition to this requirement, we have included provisions about access, recording, storing, and delivery of credit card information and cardholder data. Employees who work directly with credit card processing and documentation are required to review and sign this policy on an annual basis. The policy can be viewed here: Credit Card Number Handling Procedures Policy