Information Technology Security

Oneonta's IT Security Program

“A strategic plan to ensure confidentiality, integrity, and accessibility of Oneonta’s information assets.”

Approved by President’s Cabinet March 22, 2005

Revised by President's Cabinet October 27, 2009

TABLE OF CONTENTS


PURPOSE
SCOPE
PROGRAM

  • Individual Accountability
  • Confidentiality / Integrity / Availability
  • Privacy and Handling of Private Information
  • Including Security in Job Responsibilities
  • User Training
  • Responding to Security Incidents and Malfunctions
  • Reporting Security Weaknesses
  • Reporting Security Software Malfunctions
  • Incident Management Process
  • Physical Security Barrier
  • Secure Disposal or Re-use of Equipment
  • Clear Screen
  • Network Management
  • Host Scanning
  • Network Security Checking
  • Internet and Electronic Mail Acceptable Use
  • External Internet and VPN Connections
  • Security of Electronic Mail
  • Portable Computers
  • Telephones and Fax Equipment
  • Wireless Networks
  • Modem Usage
  • Public Websites
  • Electronic Signatures
  • Incident Management Procedures
  • Segregation of Duties
  • Separation of Test and Operational Facilities
  • Protection against Malicious Software
  • Software Maintenance
  • Information Back-up
  • System Security Checking
  • Disposal of Media
  • User Registration and Management
  • Privileged Account Management
  • User Password Management
  • Network Access Control
  • User Authentication for External Connections (Remote Access Control)
  • Segregation of Networks
  • Operating System Access Control
  • Monitoring System Access and Use
  • Control of Internal Processing
  • Cryptographic Controls
  • Change Control Procedures
  • Gramm-Leach-Bliley Act
  • Safeguarding of College Records
  • Prevention of Misuse of Information Technology Resources
  • Compliance
  • Enforcement and Violation Handling

PURPOSE

The purpose of this document is to define a set of minimum information technology (IT) security requirements that the College must meet to comply with State and Federal directives. The College may, based on its individual business needs and specific legal requirements such as FERPA or the GLBA, exceed any or all of the information security requirements put forth in this document, but must, at a minimum, achieve the information security levels defined in this document.


The primary objectives of the IT Security Program are:


SCOPE

This program applies to all faculty, staff and students of the College, and to others (e.g., Research Foundation employees, OAS employees, vendors, contractors, etc.) who may utilize the College’s technology and related facilities.

This program encompasses all computer systems, for which the College has responsibility, including systems managed or hosted by third parties on behalf of the College. It addresses all electronic information, regardless of the form or format, which is created or used in support of the College mission.

IT security refers to the protection of information from unauthorized access, destruction, modification or disclosure. For the purposes of this document, information is defined as the representation of facts, concepts, or instructions in an electronic manner suitable for communication, interpretation, or processing by human or automated means. Information is relayed in a variety of ways, such as in written documentation or through computer networks, and is stored and retrieved in several formats. These formats include, but are not limited to: computer databases or transmissions, tapes, CD-ROMs, diskettes, computer-generated reports, hard-copy documentation, e-mail messages, voice mail, etc.

This program must be communicated to all faculty, staff, students and all others who have access to or manage College information. This IT security program is not specific to any type of hardware, communications method, network topology, or software applications. As such, it is designed to be implemented across campus.


PROGRAM

Section 1. Preface

The President’s Cabinet is fully committed to IT security and agrees that every person in the College community has an important responsibility to continuously maintain the security and privacy of College data. This IT Security Program is a statement of the minimum requirements, ethics, responsibilities and accepted behaviors required to establish and maintain a secure environment and achieve the College’s IT security objectives. It sets the direction, gives broad guidance and defines requirements for IT security related processes and actions across the College. This program follows the framework of ISO/IEC 27002, the information security management standard published by the International Organization for Standardization (ISO).

Section 2. Organizational and Functional Responsibilities

A. The College: The President will designate an Information Security Officer (ISO). The ISO will ensure that an organization structure is in place for:

B. College Designated Staff: College designated staff will be responsible for the implementation of this and other IT Security policies and the compliance of College employees to this program. The designated staff must educate College employees with regard to IT Security issues, explain the issues, why the policies have been established, and what role(s) individuals have in safeguarding IT assets. Consequences of non-compliance will also be explained.

C. Information Owners: Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.). These access privileges must be in accordance with the user’s job responsibilities. Information owners also communicate to the College ISO the legal requirements for access and disclosure of their data. Information owners must be identified for all College information assets and assigned responsibility for the maintenance of appropriate information security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc. Responsibility for implementing information security measures may be delegated, though accountability remains with the identified owner of the asset.

D. College Information Security Officer: The College Information Security Officer has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of this program. The College Information Security Officer is responsible for providing direction and leadership to the College through the recommendation of IT security policies, standards, processes and education and awareness programs to ensure that appropriate safeguards are implemented, and to facilitate compliance with those policies, standards and processes. The College Information Security Officer is responsible for investigating all alleged IT security violations. In this role, the College Information Security Officer may refer the investigation to other investigatory entities, including law enforcement. The College Information Security Officer will coordinate and oversee IT security program activities and reporting processes in support of this program and other IT security initiatives.

E. IT Security Administrator: This individual will report to the College Information Security Officer and be responsible for administering IT security tools, auditing IT security practices, identifying and analyzing IT security threats and solutions, and responding to IT security violations.

F. Departments or Individuals with Direct Responsibility for Technology Support: These areas have responsibility for the data processing infrastructure and computing networks which support the information owners. It is their responsibility to support the IT Security Program and provide the resources needed to enhance and maintain a level of IT security control consistent with the College’s IT Security Program.
These departments have the following responsibilities in relation to IT security: