Document Title: Information Management and Cyber Security Policy
Approved by: Authority of the President's Cabinet
This policy defines security requirements that apply to the information assets of the entire SUNY Fredonia enterprise. Any unit of SUNY Fredonia may exceed the security requirements instituted in this document to meet its individual business needs or to satisfy specific legal requirements such as those listed below; but all units must, at a minimum, achieve the security levels required by this policy.
The primary objectives of this policy and security program are to:
This policy is applicable to entities, staff and all others who have access to or manage SUNY Fredonia information. This policy encompasses all information systems for which SUNY Fredonia has administrative responsibility. It addresses all digital information which is created or used in support of SUNY Fredonia business activities. Where conflicts exist between this policy and a SUNY Fredonia departmental policy, the more restrictive policy will take precedence.
Information security refers to the protection of information from accidental or unauthorized access, destruction, modification or disclosure. Digital information is defined as the representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by computer automated means. Digital information is transmitted by a variety of methods, including computer networks and portable media such as jump drives, CDs and DVDs. Digital information is also stored and retrieved in several formats, including but not limited to computer databases or transmissions, tapes, CD-ROMs, diskettes, computer generated reports, hard copy documentation, e-mail messages, and voice mail.
This policy must be communicated by supervisors to all employees and all others who have access to or manage SUNY Fredonia digital information. This security policy is technology independent and does not include implementation standards, processes or procedures.
Authorized User refers to any individual granted credentials to access SUNY Fredonia Information Technology Resources.
Credentials refer to the unique username and password provided each authorized user to access SUNY Fredonia resources.
Database Administration - The function of applying formal guidelines and tools to manage the university's information resource and specifying, implementing, and maintaining access control to assure that Data Users have the appropriate authorized access needed to perform assigned duties or to fulfill university roles is termed database administration. Responsibility for database administration activities is shared among the Data Stewards, Data Experts, and ITS Database Administrators.
Data Definition - Data Stewards and Data Experts provide data descriptions so Data Users know what shareable data are available, what the data mean, and how to access and process the data. These data about the data are referred to as data definitions and sometimes called metadata. Data definitions may be stored in an integrated or complementary database known as a Metadata Repository. Data definitions should be based on actual usage, documented and modified only through procedures established by the Data Stewards, and periodically reviewed for currency.
Data Integration Model is a logical construct that describes the data entities that comprise the University Enterprise Database (UEDB) and the relationship among those entities. The Data Stewards, or designated Data Experts and ITS Database Administrators, collaborate to establish and maintain a university-wide Data Integration Model that describes all major data entities of the UEDB and the relationships among those data entities. Included in the model are the linkages among data collected or maintained by the various organizational units of the university.
Data Ownership - The UEDB is a university resource; individual units or departments may have stewardship responsibilities for portions of the enterprise data.
Data Warehouse refers to a query-only database containing historical point-in-time data and summary information from university operational systems. The data warehouse is used to support business analysis and decision-making.
Digital Information is defined as the representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by computer automated means.
Digital Systems refers to the computer platform on which digital information is stored and used.
Highly Sensitive Information refers to information that is considered confidential. (Reference “Information Management and Security Procedural Document” for categorization detail.)
Information Assets refers to the data and resources owned and protected by SUNY Fredonia.
Metadata Repository refers to a database system that contains descriptive information about the university's enterprise data and administrative systems. The repository is a complementary facet of the Data Warehouse.
Moderately Sensitive Internal Business-Use Data refers to those elements of the UEDB that may be accessed by all employees of the university, with authorization, for the conduct of university business. (Reference “Information Management and Security Procedural Document” for categorization detail.)
Non-sensitive Public Data refers to the elements of the UEDB that are available to the general public, including people outside of SUNY Fredonia. (Reference “Information Management and Security Procedural Document” for categorization detail.)
Open-port facilities refers to a communication endpoint (a network port) on a system attached to the network that is configured to accept incoming units of data.
Portable Computing Devices and Information Media refers to any mobile computing device such as a laptop, smart phone, personal data assistant, flash drive or other storage media.
Sensitive (or critical) systems and applications refers to systems such as the Student Information System and Human Resource system that house confidential student and employee data.
SUNY Fredonia Application Owners refers to the users of software such as Banner, ANGEL, People Admin, Smart Catalogue, Digital Measures, etc.
SUNY Fredonia Electronic Resources refers to information available online via the SUNY Fredonia network or the World Wide Web.
System Administration - The function of maintaining and operating hardware and software platforms is termed system administration. Responsibility for system administration activities belongs to the Computing Services unit of ITS.
UEDB (University Enterprise Database) is a conceptual term used to identify that body of data critical to university planning, management, and business operations of both administrative and academic units. This data may reside in different database management systems and on different machines, but in aggregate may be thought of as forming one logical university resource, which is called the UEDB. The UEDB contains data from multiple operational areas that need to be integrated in order to support institutional research, business analysis, reporting, and decision making.
University Information System is a conceptual term used to identify the collection of computer hardware, software, and network connections, which together form the integrated system underlying the logical University Enterprise Database (UEDB).
Part 1. Preface
This policy is a statement of the goals, ethics, responsibilities and accepted behaviors required to establish and maintain SUNY Fredonia's information security objectives; it sets the direction, offers broad guidance and defines senior management's requirements for digital information security related processes and actions. Compliance is mandatory. This policy follows the framework of ISO/IEC 17799 for Security Policy guidelines and is consistent with existing SUNY Fredonia policies, rules and standards. This policy documents many of the security practices already in place. Senior management is fully committed to information security and agrees that every person employed by or on behalf of New York State government has important responsibilities to continuously maintain the security and privacy of SUNY Fredonia data.
Part 2. Document Change Management
Requests for changes to this policy should be presented by the SUNY Fredonia Information Security Program Team to Senior Management. If senior management agrees to the change(s), the Information Security Program Team will be responsible for communicating the approved change(s) to the SUNY Fredonia community. The document is maintained by the office of Associate Vice President for ITS.
This policy and supporting policies and standards will be reviewed on an annual basis.
Part 3. Data Management Roles and Responsibilities
Chief Information Officer, CIO: (at Fredonia the comparable title is Associate Vice President for Information Technology Services-AVPITS)-The university official responsible for overseeing the management of university-wide data systems. The CIO will make recommendations for policy and problem resolutions in consultation with the Data Steering Committee and the Information Technology Advisory Board (ITAB) to the ITS Executive Board (Data Trustees).
Database Administrators (DBAs): Data administration involves the application of formal guidelines and the appropriate tools to manage SUNY Fredonia's information resources (provide a secure infrastructure in support of data including, but not limited to, providing physical security, backup and recovery processes, granting and terminating access privileges as authorized by data stewards, and implementing and administering controls over the information). The University Data Administration function (within the Office of the Vice President for Information Technology) exists to support and further the goals of the University data management committees and structure.
Data Experts/Managers: Data Experts/Managers in functional areas have day-to-day responsibilities for managing business processes, establishing business rules for the production transaction system as related to data capture, maintenance, and dissemination.
Data Steering: Data Steering is a representative group of IT and Data Stewards which makes recommendations to the Information Security Program Team and to Senior Management. These recommendations are related to data, issues, and standards that affect more than one administrative area. Data Steering will establish and document data management standards and procedures, including integration standards for code mappings and crosswalks between administrative applications and systems, and ensure that individual responsibilities and procedures are clearly outlined and appropriately communicated.
Data Stewards: Data Stewards are University officials (e.g. Directors, Managers, or their designees) having direct operational level responsibility for information management (capture, maintenance, and dissemination of data). Data stewards are responsible for working with the Data Trustee/Owner to classify data, approving data access on behalf of the Data Trustee/Owner, determining/specifying user access level(s), securing paper infrastructure and implementing and enforcing departmental policy and procedures.
Data Trustees/Owners: Data Trustees/Owners are senior University officials (e.g. Deans, VPs, AVPs, or their designees) responsible for overseeing the establishment of data management policies and procedures, the assignment of data management responsibility (assigning data stewards) and promoting data resource management for the good of the entire University.
Data Users: Data users are individuals who need and use SUNY Fredonia data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust, and as such, are responsible for protecting the security and integrity of those data. Anyone who has intentionally breached the confidentiality and/or compromised the integrity of protected data/information (e.g., category HS data) may be subject to disciplinary action and/or sanctions up to, and including discharge or dismissal in accordance with SUNY Fredonia policy and procedures. Additionally, breach of confidentiality and/or compromising integrity of data/information that are protected by law, acts, or regulations, will result in criminal prosecution.
Information Security Program Team (ISec): The Information Security Program Team, appointed by the SUNY Fredonia President, will coordinate and oversee implementation of information security awareness program activities, will approve and support major initiatives to enhance information security, and will develop a process to measure compliance with policy. The Information Security Program Team is responsible for investigating (and responding to) all alleged security violations.
Information Technology Services (ITS): ITS is responsible for the data processing infrastructure and computing network which support information owners. It is the responsibility of ITS to support this policy and provide resources needed to enhance and maintain the required level of digital information security.
Non-SUNY Fredonia Employees: Employees such as FSA, Contractors, Consultants, Vendors and other persons, to the extent of their present or past access to SUNY Fredonia information assets are also covered by this policy.
Senior Management: Senior Management includes the President and Vice Presidents (known as members of the SUNY Fredonia President's Cabinet).
SUNY Fredonia Employees: It is the responsibility of all employees to protect SUNY Fredonia information and resources, to note variances from established procedures, and to report such variances for suspected security incidents to the appropriate supervisor(s) and to the Director of Internal Control, co-chair of the Information Security Program Team.
Supervisors: Supervisors will be responsible for the implementation of this and other information security policies and the compliance of their employees. Supervisors must educate their employees with regard to information security issues, including information retention policies. Supervisors will explain the issues, the rationale for the policies, the role(s) individuals have in safeguarding information assets, as well as the consequences of non-compliance. It is the responsibility of the supervisor to notify DBAs and System Administrators when staff members terminate employment.
System Administrators: System Administrators are the staff members responsible for administering security tools, auditing security practices, identifying and analyzing security threats and solutions, implementing specific security controls and responding to security violations. They have administrative control over user-IDs and passwords and the associated processes for reviewing, logging, implementing access rights, emergency privileges, exception handling, and reporting requirements.
Part 4. Information Security Policy
Information is among SUNY Fredonia's most valuable assets and SUNY Fredonia relies upon that information to support its mission of teaching, research and service as well as its business activities. Information must be protected from the time it is created, through its useful life, until its authorized disposal, since the quality and availability of that information is key to SUNY Fredonia's ability to carry out these missions. Therefore, the security of SUNY Fredonia's information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of SUNY Fredonia information has an obligation to preserve and protect said information assets in a consistent and reliable manner. Information must be classified and protected based on its importance to business activities, risks and security practices as defined in ISO/IEC 17799, a Code of Practice for Information Security Management, and as implemented by this policy. Security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals. Information security management enables information to be shared while protecting the information and its associated computer assets, including the network over which the information travels. SUNY Fredonia Data Trustees and Stewards are responsible for ensuring that appropriate physical, logical and procedural controls are in place on these assets to preserve the confidentiality, integrity, availability and privacy of SUNY Fredonia information.
Individual accountability is the cornerstone of any security program. Without it, there can be no security. Individual accountability is required when accessing all SUNY Fredonia electronic resources and when terminating employment. Access to SUNY Fredonia computer systems and networks is provided through the use of individually assigned unique computer identifiers known as a user-ID and password. Individuals who use SUNY Fredonia computer resources must only access resources to which they are authorized. Passwords must be treated as confidential information and must not be disclosed. All individuals are responsible for all activities performed under their user-ID. For the user's protection and for the protection of SUNY Fredonia resources, passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared. Upon termination of employment, individuals are required to archive or delete information according to the record retention policy.
A. All SUNY Fredonia information will be protected from unauthorized access to help maintain the information's confidentiality and integrity. The information owner will classify and secure information within their jurisdiction based on the data classification guidelines in the "Information Management and Security Procedural Document" according to the information's value, sensitivity to disclosure, consequences of loss or compromise and ease of recovery.
B. Information will be readily available for authorized use as needed by the user in the normal performance of their duties. Appropriate processes will be implemented to ensure the reasonable and timely recovery of all SUNY Fredonia information, applications and systems, regardless of computing platform, should that information become corrupted, destroyed, or unavailable for a defined period.
C. Business impact analysis will be performed periodically to determine the criticality of SUNY Fredonia processes and establish a schedule for backup and recovery of those systems and data to ensure their timely recovery in the event of an extended outage. When performing a business impact analysis, the data stewards as charged by senior management, will:
Policy and Standards Relationship
SUNY Fredonia will develop standards that support the implementation of this policy for systems and technologies being used within their domains. These security standards will be produced and implemented to ensure uniformity of information protection and security management across the different technologies deployed within SUNY Fredonia. The standards can be used as a basis for policy compliance measurement.
Part 5. Security Organization Policy
SUNY Fredonia's Information Security Program Team (ISec Team) is responsible for researching and managing information security issues. The SUNY Fredonia ISec Team reports to the President who is responsible for its organization and leadership. The ISec Team is a campus-wide organization of Information owners and professionals who contribute to the overall mission of the function. Members are nominated to the function by the leadership of their respective business or academic area and are typically supervisors authorized to commit resources for their responsibility area. ISec Team members remain accountable to their leadership who define their degree of authority in their responsibility area. The ISec Team must include director-level members for SUNY Fredonia's central infrastructure and major distributed IT areas. The ISec Team operates as a standing committee guided by policy and standard procedures.
The mission of the ISec Team is to:
Part 6. Asset Classification and Control Policy
Privacy and Handling of Private Information
Release of Private Information to Third Party Consultants
Protection of Third Party Information
Part 7. Personnel Security Policy
The Human Resources Information Security Program is intended to reduce the risks of human error, theft or misuse of SUNY Fredonia information and facilities. Security responsibilities must be defined and addressed at the employee hiring stage, included in contracts with third parties, and monitored by the employee's direct supervisor during an individual's employment.
Including Security in Job Responsibilities
Security roles and responsibilities as defined in this policy in the section titled "Data Management Roles and Responsibilities" must be documented where appropriate. They will include any general responsibilities for implementing or maintaining the security policy as well as any specific responsibilities for the protection of particular assets, or for the execution of specific security processes.
SUNY Fredonia will follow the State guidelines with regard to pre-employment screening. SUNY Fredonia may perform, or have performed, additional screening for sensitive positions with State approval. These additional checks could include but are not limited to the following:
An information security awareness program will be developed, implemented, and maintained to address security education for SUNY Fredonia employees. The awareness program will review information security policy, threats and concerns, and the proper use of information processing facilities (e.g. logon procedures and use of software packages) to minimize possible security risks. The program will additionally include the procedure to follow to report incidents (security breach, threat, weakness or malfunction) that might have an impact on the security of SUNY Fredonia information.
Reporting Security Weaknesses
Users of SUNY Fredonia Information Technology resources will be required to note and report any observed or suspected security weaknesses or threats to the appropriate manager/supervisor or the Director of Internal Control via email@example.com. They must report these weaknesses as soon as possible. Users must not, under any circumstances, attempt to test or exploit a suspected weakness to confirm it. This is for their own protection, as testing a weakness could be perceived as misuse of the system, and the attempt itself may cause damage or be indistinguishable from an attack.
Information Technologies established specifically to research Information Assurance as a legitimate academic pursuit are not restricted by this reporting policy.
Procedures must be established for reporting security software malfunctions. The following should be considered:
Part 8. Physical and Environmental Security
Critical or sensitive SUNY Fredonia business information processing facilities must be housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls to protect from unauthorized access, damage and interference. Physical security perimeters should be established in SUNY Fredonia environments where servers are stored or operated, in wiring closets for network and telephone connections, where printers are used for printing confidential or sensitive information, and in any other location where critical or sensitive SUNY Fredonia computer equipment may be in use or stored. The purpose of the security perimeter is to prevent unauthorized access to the computer resource, or to prevent theft of the resource.
The ITS designees of the Information Security Program Team will perform periodic threat and risk analysis to determine the extent of the perimeter vulnerabilities.
Clean Desk and Clear Screen
Sensitive information must be removed from view and physically secured when not in use. Measures must be taken to ensure that such information cannot be read or copied by unauthorized persons. Physical security for the machine when unattended is one approach. The use of password-protected screen savers or similar technology is required to ensure that sensitive information is not displayed after a specified period of inactivity. When unattended or physically unsecured for more than a few minutes, all computers must be screen locked.
Part 9. Communications and Network Management
A. SUNY Fredonia network monitoring follows best practice to the extent appropriate resources are available for staffing and monitoring tools.
SUNY Fredonia implements a range of network controls to maintain security in its trusted, internal network, and to protect connected services and networks. The "network" includes any device that is attached via a wired or wireless connection with an IP (Internet Protocol) address.
ITS reserves the right to scan any device attached to the SUNY Fredonia network on a periodic and tiered basis to ensure it is configured to protect against known vulnerabilities and to advise Data Trustees/Stewards of unencrypted storage of highly sensitive/confidential data (e.g. SS#). For example, a system integrity check, using an appropriate tool, may be run as frequently as current standards recommend. Sensitive or critical systems will be scanned as frequently as current standards recommend. Because vulnerabilities vary widely in nature, central scanning should be used where possible, and a notification mechanism developed to propagate vulnerability information to data trustees/owners and ITS staff for appropriate remediation.
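The two checks named above, a system integrity check and a search for unencrypted highly sensitive data such as Social Security numbers, are shown below as an added example in Python; this is not a tool the policy or ITS prescribes, and it assumes an SSN is written in the NNN-NN-NNNN form and that "integrity" means a SHA-256 baseline of files compared against a later pass. The directory tree it scans is constructed inside the example, not real campus data.

```python
"""Added example: file-integrity baseline plus unencrypted-SSN scan."""
import hashlib
import os
import re
import tempfile

# Assumption: "SS#" means a US Social Security number written NNN-NN-NNNN.
# Area 000/666/9xx, group 00 and serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root: str):
    """Yield (relative_path, absolute_path) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root: str) -> dict:
    """Map each file under root to its SHA-256; store this after a known-good build."""
    return {rel: sha256_file(full) for rel, full in _walk(root)}


def compare_baselines(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def find_unencrypted_ssns(root: str) -> dict:
    """Count SSN-shaped strings per file. Properly encrypted data will not match."""
    hits = {}
    for rel, full in _walk(root):
        with open(full, "rb") as f:
            text = f.read().decode("utf-8", errors="ignore")
        n = len(SSN_RE.findall(text))
        if n:
            hits[rel] = n
    return hits


def demo() -> dict:
    """Run both checks over a constructed directory tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(data)

        write("etc/app.conf", "db_host=localhost\n")
        write("export/roster.csv", "name,ssn\nA. Student,123-45-6789\nB. Student,234-56-7890\n")
        write("notes/readme.txt", "Order number 123-45-678 is not an SSN.\n")
        before = build_baseline(root)

        # Simulate tampering and a dropped file after the baseline was taken.
        write("etc/app.conf", "db_host=attacker.example\n")
        write("export/extra.txt", "dropped file\n")
        after = build_baseline(root)

        return {"diff": compare_baselines(before, after),
                "ssn_hits": find_unencrypted_ssns(root)}


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to storage the scanned host cannot modify, since an intruder with write access to the host can regenerate it; the SSN regex is a first-pass finder and every hit still needs review by the responsible Data Steward before notification.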
Network Security Checking
Penetration and Intrusion Testing
Internet and Electronic Mail Acceptable Use
All uses of the SUNY Fredonia network and of SUNY Fredonia electronic mail facilities must be within the bounds of SUNY Fredonia's Computer and Network Authorization and Use policy http://www.fredonia.edu/helpdesk/Policies.asp.
External Internet and VPN Connections
SUNY Fredonia acts as an Internet Service Provider for its faculty, staff and students in support of its teaching, research and service missions. This mission is best served by minimizing controls on network traffic while ensuring that the network facilities are not abused.
Connections to Third Party Networks
A. Any permanent connection intended to route traffic from the SUNY Fredonia private network to a third party private network must have a business case documented and approved by the SUNY Fredonia AVPITS or designee. A risk analysis may be performed to ensure that the connection to the third party network will not compromise SUNY Fredonia's network. Controls, such as the establishment of firewalls and/or a DMZ (demilitarized zone), may be implemented between the third party and SUNY Fredonia to protect SUNY Fredonia's trusted networks. These connections may be periodically reviewed or tested by the SUNY Fredonia AVPITS or her/his designee to ensure:
B. This policy requires that connection to the SUNY Fredonia network be done in a secure manner to preserve the integrity of the SUNY Fredonia network, data transmitted over that network, and the availability of the network. The security requirements for each connection will be assessed individually, and be driven by the business needs of the parties involved. Only authorized Information Security or IT network staff will be permitted to use “sniffers” or similar technology on the network to monitor operational data and security events.
C. Third parties requesting permanent access to the SUNY Fredonia network must have an internal SUNY Fredonia sponsor develop a business case for the network connection. A SUNY Fredonia non-disclosure/non-access agreement must be signed by an authorized SUNY Fredonia representative and a duly appointed representative from the third party organization who is legally authorized to sign such an agreement. This document, describing the business case and network connection requirements, must be submitted to the SUNY Fredonia AVPITS and security staff. The SUNY Fredonia AVPITS or her/his designee has final approval authority. Failure to sign this document by either party will result in the connection being disapproved.
D. If a VPN connection is to be provided, refer to the section above, “External Internet and VPN Connections” for security requirements.
Security of Electronic Mail
Electronic mail is inherently not secure and should not be used to transmit highly sensitive/confidential information, due to the security risks which include but are not limited to:
Messaging and Conferencing
When making use of commercial communications facilities or services, methods of authorization and encryption should be employed, when appropriate, to ensure that information is not disclosed to unauthorized individuals.
Portable Computing Devices and Information Media
Remote connection to SUNY Fredonia's networks is allowed only through a Virtual Private Network (VPN) maintained by ITS for administrative business use access when remote work-related business is an absolute necessity. The VPN application and terms of agreement require data trustee authorization and data steward agreement and understanding of their responsibility to: 1) protect university information by ensuring unauthorized users are not allowed access to SUNY Fredonia internal networks via the VPN; 2) maintain system security patches and anti-virus definitions; 3) secure the equipment used to access SUNY Fredonia information resources; 4) ensure no unencrypted highly sensitive (confidential) information resides on the device.
Connecting dial-up modems to workstations that are stand-alone or simultaneously connected to SUNY Fredonia‟s local area network or to another internal communication network is prohibited.
SUNY Fredonia complies fully with Federal and State law. ITS may inspect, monitor or search SUNY Fredonia information systems to comply with subpoenas and search warrants issued by appropriate authorities. Network traffic may be monitored for indications of system compromise or attack.
Part 10. Operations Management
Operational Change Control
Changes to SUNY Fredonia administrative information processing facilities and systems must be authorized and controlled through a change management process with appropriate checks and balances. Formal management responsibilities and procedures ensure satisfactory control of all changes to equipment, software or procedural documentation. Operational software will be subject to strict change control. When programs are changed, an audit log containing all the relevant information will be created and maintained. The change control process will consider the following activities:
Incident Management Procedures
An incident management process will be established to track the types, volumes and costs of security incidents and malfunctions. This information will be used to identify recurring or high impact incidents and to record lessons learned. This may indicate the need for additional controls to limit the frequency, damage and cost of future incidents, or to be taken into account in the policy review process.
A. All users of SUNY Fredonia systems should be made aware of the procedure for reporting security breaches, threats, weaknesses, or malfunctions that may have an impact on the security of SUNY Fredonia information. All SUNY Fredonia staff and contractors are required to report any observed or suspected incidents to local management as quickly as possible.
B. Incident management responsibilities and procedures will be clearly defined and documented to ensure a quick, effective and orderly response to security incidents. These procedures will address incidents such as:
C. In addition to normal contingency plans designed to recover systems or services, the incident response procedures will also cover:
D. SUNY Fredonia senior management will investigate significant security incidents and implement corrective actions to reduce the risk of reoccurrence.
Segregation of Duties
A. Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. Separating the management or execution of certain duties or areas of responsibility reduces the opportunities for unauthorized modification or misuse of information or services, and should be implemented wherever possible, especially in support of the University administrative systems.
Separation of Test and Operational Facilities
A. Where possible, separating development, test and operational facilities is important to achieve segregation of the roles involved. Rules for the transfer of software from development to operational status must be defined and documented.
System Planning and Acceptance
Protection Against Malicious Code
Software and associated controls will be implemented across all SUNY Fredonia systems to prevent and detect the introduction of malicious software. Malicious software such as computer viruses, network worms and Trojan horses can cause serious damage to networks, workstations and business data. User education will outline the dangers of unauthorized or malicious software. The types of controls and the frequency of updating signature files, etc., depend on the value and sensitivity of the information that could potentially be at risk. For most SUNY Fredonia workstations, and for all systems and servers, virus signature files are updated at least daily.
Back-ups of critical SUNY Fredonia data and software are performed regularly. A threat and risk assessment is performed at least annually to determine the criticality of business systems and the time frame required for recovery. Processes will be developed to back up the data and software. Restoration of data is tested periodically. Formal disaster recovery plans for each critical SUNY Fredonia application will be developed, documented and tested periodically. Test results will inform changes to the disaster recovery plans.
An inventory will be maintained of all central IT hosts and servers, together with an assessment of the criticality of the services provided and the sensitivity of the information held on these systems.
System Security Checking
Disposal of Media
Media such as tapes, diskettes, and server, mainframe and PC hard drives that contain sensitive data must be disposed of in accordance with State Law. Sensitive information could be leaked to outside persons through careless disposal of media, and formal processes must be established to minimize this risk. Media containing sensitive SUNY Fredonia data must be destroyed by incineration, shredding, or electronic erasure of the data before disposal, consistent with record retention laws.
Part 11. Access Control Philosophy
The value of data as a university resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. Furthermore, increased data access and use improves data integrity because discrepancies are identified and errors are subsequently corrected. As an educational institution with a mission to disseminate knowledge, SUNY Fredonia values ease of access to information, including administrative data. Permission to view or query data contained in the UEDB should be granted to all Data Users for all legitimate business purposes. Update access should be restricted as necessary, but granted to university employees at the location where data are initially received or originate whenever this is feasible. Information specifically protected by law or regulation must be rigorously protected from inappropriate access. Examples include student grades or personnel evaluations that are identifiable with a specific person. To preserve the qualities of integrity, confidentiality and availability, SUNY Fredonia’s information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.
As part of the data definition process, Data Stewards assign each data element and each data view in the UEDB to one of three data access categories:
Except as noted below, all enterprise data are designated as university-internal data for use within the university. Data users have access to these data by authorization of the Data Trustees and Stewards and by authentication for use in the conduct of university business. These data, while available within the university, are not designated as open to the general public. Where appropriate, Data Stewards may identify elements or views of the UEDB that have no access restriction whatsoever. Designated Non-sensitive Public data may be released to the general public. Where necessary, Data Stewards may specify some data elements as limited-access. Designated Highly sensitive confidential data includes those data for which Data Users must obtain individual authorization prior to access, or to which only need based access may be granted. When data are designated as Highly sensitive, the Data Steward should provide the following to the ITS DBA unit:
Note that a data view may have more open access than the underlying data elements that comprise it. For example, removing the person-identifying data elements from a view may produce a view that still contains some otherwise-restricted data elements but that the Data Steward may now designate as public or university-internal. The appropriate Data Steward, in collaboration with ITS, is responsible for determining and documenting data access procedures that are unique to a specific information resource, view, or set of data elements.
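The following is an added example, not part of the original policy, showing how a DBA might implement a view of the kind described above: the base table carries person-identifying columns and stays restricted, while the view drops those columns and aggregates per course and term. It also applies one caveat the paragraph leaves implicit: stripping names is not enough if a group is so small that a single student can be singled out, so groups below an assumed minimum size are suppressed. The table, column and view names, the sample rows and the threshold are all assumptions constructed for the example; SQLite is used only so that it runs stand-alone.

```python
import sqlite3

# Columns that identify a specific person. Any view exposing one of these
# stays in the restricted category. (Assumed column names for this example.)
IDENTIFYING_COLUMNS = {"student_id", "name", "email"}

# Assumed minimum group size: a course/term with fewer students than this
# could let a reader infer an individual's grade even without a name.
MIN_CELL_SIZE = 5


def build_database():
    """Create an in-memory database holding constructed sample grade records
    and the de-identified, aggregated view built over them."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE student_grades (
            student_id INTEGER,
            name       TEXT,
            email      TEXT,
            course     TEXT,
            term       TEXT,
            grade      REAL
        )
        """
    )
    # Constructed sample data: five students in one course (publishable as a
    # group) and a single student in another (must be suppressed).
    sample_rows = [
        (1001, "A. Doe",   "adoe@example.edu",   "CSIT 101", "Fall", 3.7),
        (1002, "B. Roe",   "broe@example.edu",   "CSIT 101", "Fall", 3.3),
        (1003, "C. Poe",   "cpoe@example.edu",   "CSIT 101", "Fall", 4.0),
        (1004, "D. Moe",   "dmoe@example.edu",   "CSIT 101", "Fall", 2.7),
        (1005, "E. Zoe",   "ezoe@example.edu",   "CSIT 101", "Fall", 3.3),
        (1006, "F. Noe",   "fnoe@example.edu",   "PHYS 230", "Fall", 2.0),
    ]
    conn.executemany(
        "INSERT INTO student_grades VALUES (?, ?, ?, ?, ?, ?)", sample_rows
    )
    # The view: no person-identifying columns, per-group aggregates only, and
    # small groups suppressed. MIN_CELL_SIZE is a trusted integer constant, not
    # user input, so interpolating it into the DDL is safe here.
    conn.execute(
        f"""
        CREATE VIEW course_grade_summary AS
        SELECT course,
               term,
               COUNT(*)              AS students,
               ROUND(AVG(grade), 2)  AS mean_grade
        FROM student_grades
        GROUP BY course, term
        HAVING COUNT(*) >= {MIN_CELL_SIZE}
        """
    )
    return conn


def view_columns(conn, relation):
    """Return the column names of a table or view (PRAGMA table_info works for both)."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({relation})")]


def exposed_identifiers(conn, relation):
    """Identifying columns a relation exposes; an empty list means the
    relation is a candidate for a less restrictive access category."""
    return sorted(set(view_columns(conn, relation)) & IDENTIFYING_COLUMNS)


def summary_rows(conn):
    """Rows a university-internal or public reader of the view would see."""
    return conn.execute(
        "SELECT course, term, students, mean_grade "
        "FROM course_grade_summary ORDER BY course"
    ).fetchall()


if __name__ == "__main__":
    db = build_database()
    print("base table exposes:", exposed_identifiers(db, "student_grades"))
    print("view exposes:      ", exposed_identifiers(db, "course_grade_summary"))
    for row in summary_rows(db):
        print(row)
```

In a production database the same idea is expressed with the DBMS's own privilege system: the base table is granted only to the Data Steward's authorized users, and the view is granted to the broader audience. The small-group suppression is the part most often forgotten when a view is reclassified as public.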
Data Access Control
Data Trustees and Stewards are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges will be (read, update, etc.).
Any Data User may request that a Data Steward review the restrictions placed on a data element or data view, or review a decision to deny access to limited-access data. The appropriate Data Trustee makes the final determination about restrictions and access rights for enterprise data.
Data Stewards and the ITS DBAs share security administration responsibilities (i.e., the functions of specifying, implementing, and managing system and data access control). To the extent possible, the Data Stewards work together and with the DBAs to define a single set of university procedures for requesting and authorizing access to limited-access data elements in the UEDB. Data Stewards and DBAs are jointly responsible for documenting these access request and authorization procedures. Data Stewards, with the assistance of ITS, are responsible for monitoring and annually reviewing security implementation and authorized access.
All Data Users who are cleared for the highly sensitive category of UEDB data must acknowledge (by signed statement or other documented means) that they understand the level of access provided and accept responsibility both to protect their access privileges and to maintain the confidentiality of the data they access.
Data Stewards are responsible for defining and implementing procedures to ensure that data are backed up and recoverable in response to events that could compromise data integrity. ITS or other university organizations may assist in this effort. Data Stewards may delegate specific security administration activities to operational staff. The Information Security Program Team is responsible for maintaining a plan for security policies and practices and for keeping abreast of security-related issues, internally within the university community and externally throughout the information technology marketplace.
University enterprise data may be stored on a variety of computing hardware platforms, and is considered part of the UEDB. Every data storage platform must have a defined System Administration function with a designated system administrator whose responsibilities include:
User Registration and Management
The issuance and use of privileged accounts will be restricted and controlled. Inappropriate use of system privileges is frequently a major contributing factor in systems that have been breached. Processes must be developed to ensure that use of privileged accounts is monitored and that any suspected misuse of these accounts is promptly investigated.
User Password Management
Passwords are a common means of authenticating a user’s identity to access an information system or service. Password standards are implemented and communicated to ensure that all authorized individuals accessing SUNY Fredonia resources follow proven password management practices. These password rules must be enforced by automated system controls whenever possible. See Information Security Program Appendix H for detailed password management information. http://www.fredonia.edu/helpdesk/Policies.asp
Network Access Control
Access to SUNY Fredonia’s trusted internal network must require all authorized users to authenticate themselves through use of an assigned user ID and an authentication mechanism, e.g., password, token or smart card, and/or digital certificate.
User Authentication for External Connections (Remote Access Control)
Segregation of Networks
When the SUNY Fredonia network is connected to another network, or becomes a segment on a larger network (e.g., the State’s SUNYNet network), controls are in place to prevent users from other connected networks from gaining unauthorized access to sensitive areas of SUNY Fredonia’s private network. Routers or other technologies are implemented to control access to secured resources on the trusted SUNY Fredonia network.
Operating System Access Control
Application Access Control
Access to SUNY Fredonia applications must be restricted to those individuals who have a business need to access those applications or systems in the performance of their job responsibilities. Access to source code for applications and systems must be restricted. This access should be further restricted so that authorized SUNY Fredonia staff and contractors can access only those applications and systems they directly support.
Monitoring System Access and Use
Sensitive systems and applications are monitored to detect deviation from the access control policy and to record events that provide evidence and allow lost or damaged data to be reconstructed. Depending on the nature of the events, continuous and/or periodic monitoring may be appropriate. Audit logs recording exceptions and other security-relevant events that represent security incidents or deviations from policy are produced and kept to assist in future investigations and access control monitoring. Audit logs will include, where technically feasible:
Part 12. Systems Development and Maintenance
Input Data Validation
Control of Internal Processing
Data that has been correctly entered can be corrupted by processing errors or through deliberate acts. Validation checks and business rules must be incorporated into systems and automated where possible. The design of applications must ensure that restrictions are implemented to minimize the risk of processing failures leading to a loss of data or system integrity. Specific areas to consider include:
Use of cryptography for the protection of high-risk information must be considered when other controls do not provide adequate protection. Encryption is a technique that protects the confidentiality of information; integrity and authenticity require separate measures (such as message authentication codes or digital signatures) and are not provided by encryption alone. It must be considered for the protection of sensitive or critical information. Based on a risk assessment, the required level of protection will be identified, taking into account the type and quality of the encryption algorithm used and the length of the cryptographic keys employed. To the extent possible, consideration must also be given to the regulations and national restrictions that may apply to the use of cryptographic techniques in different parts of the world, and to the controls that apply to the export and import of cryptographic technology.
Protection of cryptographic keys is essential if cryptographic techniques are going to be used. A secured environment must be established to protect the cryptographic keys used to encrypt and decrypt information. Access to these keys must be tightly controlled to only those individuals who have a business need to access the keys. Loss of confidentiality of a cryptographic key would cause all information encrypted with that key to be considered compromised.
Protection of System Test Data
Test data must be protected and controlled. Testing environments must never be connected to live operational systems or data. Acceptance testing usually requires large volumes of test data that closely resemble operational data. The use of test data populated from operational databases containing sensitive information requires that those performing the tests are authorized by the appropriate data custodians to access such information, and that sensitive elements the tests do not need are removed or masked before the copy is made.
Change Control Procedures
Part 13. Business Continuity Planning
Part 14. Compliance
The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements. These requirements must be identified and met to avoid breaches of criminal or civil law, State regulation, contractual obligations, or security requirements. Advice on specific legal or SUNY Fredonia requirements will be provided by SUNY System Administration Legal Counsel.
Intellectual Property Rights
Safeguarding of SUNY Fredonia Records
Prevention of Misuse of Information Technology Resources
The information technology resources and the data processed by these resources are provided for SUNY Fredonia business purposes, and management should authorize their use. Any use of ITS facilities for non-business or unauthorized purposes, without management’s consent, should be considered a misuse of SUNY Fredonia facilities. Controls must be implemented to detect such activity and report it to the appropriate responsible officer.
Compliance with Security Policy
SUNY Fredonia supervisors will ensure that all security processes and procedures within their areas of responsibility are followed. In addition, all business units within SUNY Fredonia will be subject to regular reviews to ensure compliance with security policies and standards.
Part 15. Other Related SUNY Fredonia Policies
Part 16. References
Part 17. Policy Change Management and Approval
The original policy was adopted with permission from University of Buffalo and from Virginia Polytechnic Institute and edited for SUNY Fredonia.