Information Security Policy
June 2006
April 2007 (Update)
March 2008 (Update)
May 2014 (Under review by ISC)
Table of Contents
- Purpose
- Scope
- Policy
  - Part 1. Responsibilities
  - Part 2. Information Security
    - Individual Accountability
    - Confidentiality / Integrity / Availability
  - Part 3. Information Classification
    - Privacy of Information
    - Protection of Third-Party Information
    - Accessibility of Web Content
  - Part 4. Personnel Security
    - Security in Job Responsibilities
    - Personnel Security Training
    - Reporting and Responding to Security Incidents
    - Tracking of Security Incidents
  - Part 5. Physical and Environmental Security
    - Physical Security
    - Environmental Security
  - Part 6. Communications and Network Management
    - Sharing Information with External Entities
    - Network Management
    - Vulnerability Scanning
    - Penetration and Intrusion Testing
    - Acceptable Use of Computer Systems and Networks
    - External Connections
    - Internal Connections
    - Portable Devices
    - Telephones and Fax Equipment
    - Wireless Networks
    - Modem Usage
    - Public Web Servers and Public Websites
  - Part 7. Operations Management
    - Security Incident Management
    - Separation of Development, Test and Production Environments
    - System Planning and Acceptance
    - Protection against Malicious Code
    - Software Maintenance
    - Information Back-Up
    - System Security Checking
  - Part 8. Access Control
    - User Registration Management
    - Privileged Accounts Management
    - User Password Management
    - Network Access Control
    - Remote Access Control (User Authentication for External Connections)
    - Segregation of Networks
    - Operating System Access Control
    - Application Access Control
    - Monitoring Application Access and Use
  - Part 9. Systems Development and Maintenance
    - Input Data Validation
    - Control of Internal Processing
    - Message Integrity
    - Cryptographic Controls
    - Cryptographic Key Management
    - Protection of System Test Data
    - Change Control Procedures
  - Part 10. Compliance
    - Monitoring
    - Document Change Management
- Appendix A – Definitions
- Appendix B – Protocols for Accessibility of Web Content
Purpose
The purpose of the Information Security Policy is to define a set of security requirements that will help protect all members of the campus community from information security threats that could compromise privacy, productivity and reputation. The Information Security Policy recognizes the vital role of information in support of the mission of the college and the importance of protecting information in all forms in order to foster a secure environment for the dissemination and retention of college information.
The following are the primary goals of the Information Security Policy.
- to communicate campus responsibilities for the protection of college information
- to increase awareness of the importance of information security within the college community
- to manage the risk of security threats to the information resources of the college
- to provide and protect a secure environment for the dissemination and retention of college information
The Information Security Policy will be referred to as the Policy for the remainder of the document.
Scope
This Policy applies to all employees, students, consultants, contractors, vendors and other persons who have access to college information. Compliance with this Policy is mandatory for this constituency. This Policy encompasses all information systems, computer-based and non-computer-based, automated and manual, for which the college has administrative responsibility, including systems managed or hosted by third parties on behalf of the college. This Policy addresses all information, regardless of the form or format, that is created or used in support of the business activities of the college.
Policy
Part 1. Responsibilities
Information Security Officer: The Chief Information Officer will serve as Information Security Officer and will have responsibility for establishing an Information Security Committee to achieve the goals of this Policy. The Information Security Committee will consist of key systems and network personnel within Information Technology Services. The Information Security Officer will serve as Chair of this Committee. The Information Security Officer and the Information Security Committee will have responsibility for the following items.
- to implement and maintain this Policy
- to implement and maintain an information security training program
- to implement and maintain an information security architecture to support this Policy
- to approve all external network connections to the college network
- to approve implementation of new information applications and services based on review of the compliance of these new applications and services with this Policy
- to approve implementation of new initiatives to maintain and enhance this Policy
- to control the security of college information assets
- to proactively monitor college information assets relative to potential security threats
- to investigate and respond to information security incidents
- to report information security incidents to senior administration
- to participate in the maintenance of a disaster recovery plan to ensure the continuity of college business operations in the event that information systems become unavailable for an extended period of time
- to provide information security recommendations to senior administration relative to mitigating the risks associated with information security threats that could negatively affect college business operations
Information Owners: Information Owners will be identified for all information resources and will have responsibility for the following items.
- to classify the information resources within their area of responsibility
- to determine the access rights (who should have access) and privileges (what access should be provided) for information resources within their area of responsibility
- to communicate to the Information Security Officer the legal requirements for access and disclosure for the information resources within their area of responsibility
Information Technology Staff: Information Technology Services will serve as the Information Technology department and will have responsibility for the following items.
- to implement access rights and privileges as defined by Information Owners
- to implement backup and recovery procedures for centrally-maintained information resources
- to recommend backup and recovery procedures for departmentally-maintained information resources
- to provide the computer infrastructure necessary to support this Policy
- to provide the data network infrastructure necessary to support this Policy
Employees: All employees will have responsibility to protect information resources and report any suspected information security incident to the appropriate manager and the Information Security Officer.
Non-Employees: All contractors, consultants, vendors and other persons working under agreements with the college will have responsibility to protect information resources and report any suspected information security incident to the appropriate manager and the Information Security Officer.
Students: All students will have responsibility to protect information resources and report any suspected information security incident to the appropriate manager and the Information Security Officer.
Part 2. Information Security
Information in any form or format that is created or used in support of the business activities of the college is an asset. Information assets must only be used in relationship to the business activities of the college and must be protected from the time of creation, through useful life, and to the time of authorized disposal. Information assets must be maintained in a reliable and secure manner and must be readily available for authorized use. Information assets must be classified and protected based on the sensitivity of the information.
Information is among the most valuable assets of the college. The availability and reliability of information assets are keys to supporting the business activities of the college. The security of information assets is the responsibility of all employees, students, consultants, contractors, vendors and other persons who have access to these information assets.
Each authorized user is obligated to preserve and protect college information assets in a manner consistent with this Policy. Information security controls described within this Policy provide the necessary physical and procedural safeguards to achieve this goal.
Information must be both shared and protected. Information security management enables both the sharing and the protection of college information assets. Information Owners and Information Technology Staff have responsibility for ensuring that appropriate controls are in place to preserve the security of these information assets.
Individual Accountability
Individual accountability is the cornerstone of this Policy and is required when accessing all college information resources. The following are requirements for accessing information on college computer systems and networks.
- access must be provided through the use of individually assigned unique identifiers known as computer usernames
- each computer username has an associated secret, known as a computer password, that must be presented together with the username to authenticate the individual requesting access
- an individual must access only information for which he or she has the appropriate authorization
- an individual must be provided access to authorized information only after proper authentication with his or her computer username and password
- an individual must not share his or her computer username and password, as each individual is responsible for any information access made with his or her computer username and password and for protecting them against unauthorized use
- no individual should ever communicate a computer password using email or any other insecure means of communication
Confidentiality / Integrity / Availability
Information must be protected from unauthorized access to maintain the confidentiality, integrity and availability of the information.
Information Owners will be responsible for working with Information Technology Staff to implement access rights and privileges to provide authorized access to computerized information for use by Employees, Non-Employees and Students as needed for normal business activities.
Information Technology Staff will be responsible for implementing backup and recovery procedures for centrally-maintained information resources and for recommending backup and recovery procedures for departmentally-maintained information resources to provide protection and timely recovery from any corruption, loss or theft of computer-based information.
Part 3. Information Classification
Information is among the most valuable assets of the college and must be properly managed from creation, through authorized use, to proper disposal. Different types of information have different values and purposes and therefore require different levels of protection.
Information Owners will be responsible for classifying information as Public or Confidential based on the consequences of loss, the legal or retention requirements, the sensitivity and the value of the information. This classification process should include consideration of the confidentiality, integrity, availability, legal, privacy and retention properties of the information.
Public information is information that can be freely provided to anyone without any possible damage to the college.
Confidential information is all other information and is represented as a continuum. Some confidential information is more critical and sensitive than other confidential information and should be protected in a more secure manner. Information Owners will be responsible for working with Information Technology Staff to implement different levels of protection for different types of confidential information.
All information will have an Information Owner established within the responsible functional area of the college. The Information Owner will be responsible for assigning the initial information classification of public or confidential and for making decisions regarding user access rights, user access privileges and daily management of the information. The Information Owner should conduct a periodic analysis of the value of the information based on the above criteria in order to confirm the current classification or to reclassify the information.
Privacy of Information
Some information systems of the college maintain information that uniquely identifies individuals. This information must be maintained consistent with federal and state laws and regulations and with college policies. All college employees with access to personally identifiable information must respect the confidentiality of that information consistent with federal and state laws and regulations and with college policies. The college must protect the privacy rights of Employees and Students.
The college must maintain the following characteristics for Employee and Student personally identifiable information.
- must be accessible only by authorized individuals
- must be corrected if incorrect information is known to exist
- must be removed or made inaccessible if appropriate and if the individual makes this request consistent with federal and state laws and regulations and with college policies
- must be gathered in a manner consistent with federal and state laws and regulations and with college policies
- must be protected using computer-based and non-computer-based access controls
- must be retained for the longer amount of time as required by federal and state laws and regulations or as required by college policies and then, unless there is a pending subpoena, must be disposed of by physical destruction of the media on which the information resides or by erasing the information from this media in a manner that results in the information being totally unrecoverable
- must be used only as authorized by federal and state laws and regulations and by college policies
- must not be disclosed unless authorized or required by federal and state laws and regulations and by college policies
Protection of Third-Party Information
The protection of any third-party (Non-Employee) information must be provided in accordance with federal and state laws and regulations and with college policies.
Some information systems of the college maintain confidential information from third-party organizations in order to conduct the business of the college. This information must be maintained consistent with federal and state laws and regulations and with college policies. All college employees with access to confidential third-party information must respect the confidentiality of that information consistent with federal and state laws and regulations and with college policies. The college must protect the confidentiality rights of Non-Employees.
The college must maintain the following characteristics for Non-Employee confidential information.
- must be accessible only by authorized individuals or authorized third-parties
- must be corrected if incorrect information is known to exist
- must be removed or made inaccessible if appropriate and if the third-party makes this request consistent with federal and state laws and regulations and with college policies
- must be gathered in a manner consistent with federal and state laws and regulations and with college policies
- must be protected using computer-based and non-computer-based access controls
- must be retained for the longer amount of time as required by federal and state laws and regulations or as required by college policies and then, unless there is a pending subpoena, must be disposed of by physical destruction of the media on which the information resides or by erasing the information from this media in a manner that results in the information being totally unrecoverable
- must be used only as authorized by federal and state laws and regulations and by college policies
- must not be disclosed unless authorized or required by federal and state laws and regulations and by college policies
Accessibility of Web Content
The college must comply with current federal and state technology access policies, standards and guidelines (Federal Rehabilitation Act Amendments of 1998 for Section 508 Priority 1 and 2, New York State Technology Standards S04-001 and New York State Technology Policy P04-002).
The college has developed Protocols for Developing Accessible Web Content and Protocols for Responding to Accessible Web Content Issues to accomplish this compliance. These protocols are shown in Appendix B of this Information Security Policy.
Part 4. Personnel Security
The intent of Personnel Security is to reduce the risk of human error and misuse of college information by defining information security responsibilities during the hiring phase, by including third-party information security responsibilities during the contract phase and by monitoring compliance with these information security responsibilities during the length of an individual’s employment or a third-party’s contract.
Security in Job Responsibilities
The security responsibilities of employees and third-parties must be documented. For employees these security responsibilities should be included in job descriptions and for third-parties these security responsibilities should be included in contracts. These security responsibilities will include general and specific responsibilities for protecting information and for performing tasks related to security procedures or processes.
Personnel Security Training
Personnel with access to information must be provided with specific information security training to ensure knowledge of their security responsibilities to protect information and knowledge of college security policies and procedures to minimize information security risks. These same persons must additionally be provided with specific update training to maintain knowledge of current college security policies and procedures.
All persons must be provided with general information security training to ensure knowledge of college security policies and procedures.
Reporting and Responding to Security Incidents
Actual or suspected information security incidents must be reported by the involved person following the procedures defined in the Cyber Incident Reporting Procedure and the Process for Responding to a Suspected Breach of Private Data. All persons must be made aware of these procedures for reporting the different types of incidents that might impact the security of college information assets. Actual or suspected information security software malfunctions, such as a virus not being detected, must be reported by the involved person to the Office of Information Technology Services following the procedures defined in the Cyber Incident Reporting Procedure. The involved person should describe the event thoroughly when reporting this type of information security incident.
Actual or suspected information security threats or weaknesses, such as unauthorized access to Confidential information, must be reported by the involved person to the Office of Information Technology Services following the procedures defined in the Process for Responding to a Suspected Breach of Private Data. The event should be thoroughly described by the involved person when reporting this type of information security incident. Persons must not attempt to prove a suspected security weakness or threat unless authorized to do so by the Information Security Officer as testing a suspected security weakness or threat may have serious, although unintended, consequences.
The Information Security Officer should minimally notify the involved person and their supervisor of the results of the investigation by the Information Technology Staff after the incident has been resolved and closed.
Tracking of Security Incidents
A formal system for tracking security incidents must be established. This system should include recording the description and resolution of the security incident. This information should be used to identify recurring or high-impact incidents in order to focus resources on decreasing or eliminating such types of incidents.
Part 5. Physical and Environmental Security
Information processing and storage facilities for critical or sensitive information must be located in areas protected by a defined security perimeter with security control systems for accessing the facilities. These physical security mechanisms are intended to protect the facilities from unauthorized access, damage or interference and should be periodically tested to ensure such protection. The college should review these and other locations on an ongoing basis to determine the need for additional physical security mechanisms to reduce overall information security risks.
Physical Security
A breach of physical security may threaten the integrity of college information assets. Physical security is achieved by creating physical barriers around the assets with each barrier establishing a security perimeter that requires a method of access to control entry. This security perimeter may be created with a staffed reception area, with a secured door or with some other form of a physical barrier.
The college should perform an analysis to determine the extent of the security perimeter necessary for each information processing and storage facility. The physical barriers necessary to create this security perimeter should then be implemented. A physical security perimeter must be established for information processing and storage facilities for critical or sensitive information including the college data center and network wiring closets for data, security and telephone equipment and cabling.
The protection of critical or sensitive information contained on storage devices such as hard disk drives or magnetic tape media is another important element of physical security. The disposal or reallocation of these storage devices must include a process to destroy or securely overwrite the device in order to prevent unauthorized disclosure of information.
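As an added example, not part of this Policy or of any college procedure, the following Python shows one way to carry out the "securely overwrite" option for a single file before the media it sits on is reallocated. It assumes a local filesystem path; the confidential sample file is constructed by the script itself so it runs offline. The caveat in the code is the one a practitioner needs: in-place overwriting only works where the new write lands on the same physical blocks, so for SSDs, copy-on-write or journaling filesystems, and snapshotted or backed-up data the drive's own secure-erase command or physical destruction (the Policy's other option) is the right choice.

```python
"""Secure overwrite of a file before disposal or reallocation of storage media.

Added example, not part of the college Policy. It implements the "securely
overwrite" option for one file: every existing byte is replaced in place with
random data, the writes are forced to the device, and the file is then removed.
The sample file is constructed by demonstrate() so the script runs offline.
"""
import os
import secrets
import tempfile

CHUNK_SIZE = 1024 * 1024  # overwrite 1 MiB at a time so large files need not fit in memory


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Replace the file's bytes with random data without changing its length.

    The file is opened with "r+b", not "wb": truncating with "wb" could make the
    filesystem allocate fresh blocks and leave the old blocks, and their
    confidential content, untouched on the media. Returns bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK_SIZE, remaining)
                f.write(secrets.token_bytes(n))  # random data, not zeros, so no pattern remains
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device, not just the page cache
    return size


def wipe_and_remove(path: str, passes: int = 1) -> int:
    """Overwrite the file and then unlink it; returns the number of bytes wiped."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def demonstrate() -> dict:
    """Create a constructed sample file, wipe it, and report what was observed.

    Caveat (true of any in-place overwrite, not specific to this script): on
    SSDs with wear levelling, on copy-on-write or journaling filesystems, and
    wherever snapshots or backups exist, the old bytes may survive elsewhere.
    For such media use the drive's built-in secure erase or physical
    destruction, which this Policy also permits.
    """
    original = b"CONFIDENTIAL: student record, constructed sample data\n" * 64
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(original)

    overwritten = overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()

    removed = wipe_and_remove(path)
    return {
        "bytes_overwritten": overwritten,
        "length_unchanged": len(after) == len(original),
        "content_replaced": after != original and b"CONFIDENTIAL" not in after,
        "bytes_removed": removed,
        "file_exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The default of a single pass is a design choice, not a Policy requirement: for modern magnetic media one overwrite pass is the accepted sanitization baseline (NIST SP 800-88), and additional passes add time without adding assurance on the media where overwriting fails anyway.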
Environmental Security
Computer, data, security and telephone equipment protection within physical security perimeters will require a level of environmental security. Special environmental systems for air conditioning and humidity control and for uninterruptible electrical power distribution must be established for information processing and storage facilities for critical or sensitive information including the college data center and major network wiring closets for data, security and telephone equipment and cabling. Special environmental systems for backup electrical power distribution should be established for the college data center and major network wiring closets for data, security and telephone equipment and cabling. Special environmental systems for air conditioning and humidity control and for uninterruptible electrical power distribution should be established for other network wiring closets for data, security and telephone equipment and cabling.
The protection of critical or sensitive information visible on computer screens is another important element of environmental security. In public areas computer screens should be positioned so as to be visible only to the authorized user of the computer. In public and in all other areas computer screens should use a password-protected screen saver to ensure that information is not displayed after a specified period of inactivity.
Part 6. Communications and Network Management
The college network must implement appropriate security controls to ensure the integrity of data flowing across these networks and, if there is a business need, additional measures to ensure the confidentiality of the data must also be implemented. If the college decides to outsource an application to a third-party vendor, the Information Security Officer must ensure that measures are in place to mitigate any new security risks created by connecting the college network to a third-party network and must have periodic security reviews performed to ensure compliance with this Policy. All connections to the college network must be authorized by the Information Security Officer and the Information Security Committee.
Sharing Information with External Entities
Minimally the below process must be followed before sharing confidential information with an external entity.
- evaluate and document the sensitivity of the information to be shared
- identify the responsibilities of each party for protecting the information
- provide a signoff procedure for each party to accept these responsibilities
- define the minimum controls required to transmit and use the information
- record the measures that each party has in place to protect the information
- define a method for compliance measurement
- establish a procedure and schedule for reviewing the controls
Network Management
Minimally the below controls to prevent unauthorized access and use of the college network must be implemented.
- separate operational responsibility for networks and computer systems
- establish responsibilities and procedures for remote use (See Part 8, Access Control)
- implement special controls when necessary to safeguard the integrity and confidentiality of data passing over public networks
Vulnerability Scanning
Computer systems that provide information through a public network must be subjected to vulnerability scanning. These systems must be scanned for vulnerabilities before being installed on the network and after any software or significant configuration changes have been made to the systems. Network components that are, or will be, part of the college network must be scanned for vulnerabilities when installed on the network and after any software or significant configuration changes have been made to the components.
The output of scans will be reviewed in a timely manner by the appropriate members of the Information Security Committee and any detected vulnerabilities will be evaluated and mitigated based on the level of risk.
The tools used for scanning of computer systems and network components will be updated periodically to ensure that recently discovered vulnerabilities are included in any scans. Scans of computer systems and network components must be performed at least annually to ensure that no major vulnerabilities have been introduced into the environment. The frequency of additional scans will be determined by the Information Security Committee taking into account the level of previously detected computer system or network vulnerabilities.
Vulnerability scanning must only be performed by Information Technology Staff or by a third-party vendor authorized to perform vulnerability scanning by the Information Security Officer.
Penetration and Intrusion Testing
Computer systems that provide information through a public network must be subjected to penetration and intrusion testing. The testing will minimally be used to determine the following.
- if a user can make an unauthorized change to an application
- if a user can access an application and cause it to perform unauthorized tasks
- if an unauthorized individual can access an application and destroy or change data
The output of the testing will be reviewed in a timely manner by the appropriate members of the Information Security Committee and any detected vulnerabilities will be evaluated and mitigated based on the level of risk.
The tools used for the testing will be updated periodically to ensure that recently discovered vulnerabilities are included in any testing. Testing of computer systems must be performed at least annually to ensure that no major vulnerabilities have been introduced into the environment. The frequency of additional tests will be determined by the Information Security Committee taking into account the level of previously detected computer system vulnerabilities.
Penetration and intrusion testing must only be performed by Information Technology Staff or by a third-party vendor authorized to perform penetration and intrusion testing by the Information Security Officer.
Acceptable Use of Computer Systems and Networks
Employees, Non-Employees and Students must adhere to the acceptable use of computer systems and networks as defined in the Computer Use Policy. The following list provides some examples of the types of behavior that would be considered a violation of this policy.
- an unauthorized attempt to access any computer system (cracking or hacking)
- the representation of yourself as someone else in an electronic mail message (spoofing)
- the blind posting of an electronic mail message to a large number of people (spamming)
- the initiation of any activity which creates a denial of service attack
- the unauthorized copying or theft of electronic files
- the unauthorized monitoring of network traffic (sniffing)
External Connections
Connections from the college network to external networks must be approved by the Information Security Officer after a risk analysis has been performed to ensure that the connection to the external network will not compromise the college network. Connections will only be allowed when the external networks have acceptable security controls and procedures or when the college has implemented appropriate security measures to protect the network resources of the college. Firewalls, DMZs (demilitarized zones) or both may be implemented between the third-party and the college to achieve an appropriate level of protection. Any connections between college firewalls over external networks that involve sensitive information must use encryption to ensure the confidentiality and integrity of the data passing over the external network.
External connections will be periodically reviewed by the college to ensure that the security controls in place are functioning properly and that the business case for the external connection is still valid. Only authorized Information Technology Staff and authorized third-party staff will be permitted to use tools to monitor network activity on external connections. Authorized Information Technology Staff will regularly monitor external connections for abuses and anomalies.
Internal Connections
Wired connections from devices that are not maintained by Information Technology Staff to the college network must be approved by the Information Security Officer after a risk analysis has been performed to ensure that the connection from the device will not compromise the college network. Connections will only be allowed when the devices that are not maintained by Information Technology Staff have acceptable security controls and procedures to protect the network resources of the college. These controls and procedures are to include, but are not limited to, firewalls and operating system and virus protection software that are kept properly updated.
Internal connections will be periodically reviewed by the college to ensure that the security controls in place are functioning properly and that the business case for the internal connection is still valid. Only authorized Information Technology Staff and authorized third-party staff will be permitted to use tools to monitor network activity on internal connections. Authorized Information Technology Staff will regularly monitor internal connections for abuses and anomalies.
Portable Devices
Portable computing resources and information media must be secured to protect the integrity of confidential information. No portable computing resource may be used to store or transmit confidential information without appropriate security measures that have been approved by the Information Security Officer and approved or implemented by Information Technology Staff in order to protect the confidential information.
The use of portable computing resources such as laptops, notebooks, PDAs (personal digital assistants) and mobile phones, must involve special care to protect confidential information. Approval for use of portable computing resources to access confidential information is contingent on satisfaction of the below requirements.
- when using portable computing resources in public and other unprotected locations external to the college, encryption must be used to protect the transmission of confidential information and special care must be taken to protect against unauthorized persons viewing confidential information
- protection against malicious software on portable computing resources must be implemented and maintained at current levels
- back-ups of confidential information on portable computing resources must be created regularly and the physical information media on which the back-ups are maintained must be adequately secured to protect against loss or theft
- when in use portable computing resources on which confidential information is stored must not be left unattended
- when not in use, portable computing resources on which confidential information is stored must be physically secured
- portable computing resources on which confidential information is stored must not be checked into transportation luggage systems and must remain in the possession of the traveler as hand luggage unless other arrangements are required by federal or state authorities
- portable computing resources on which confidential information is stored must use encryption or other means to ensure that confidential information is secured from unauthorized access in the event that the portable computing resource is lost or stolen
While an off-campus desktop PC would not be considered a portable device, the above regulations for the use of portable devices to store or transmit confidential information apply equally to off-campus desktop PCs.
Telephones and Fax Equipment
Employees should adhere to the following guidelines when using telephones and fax equipment both internal and external to the college to mitigate potential information security risks.
- care should be taken to prevent conversations involving confidential matters from being overheard
- avoid the use of mobile phones when discussing confidential information
- avoid leaving messages involving confidential matters on voicemail systems
- contact the recipient to ensure protection of a fax and verify the destination fax phone number when sending confidential information
- avoid using third-party, Internet or wireless fax services to send or receive confidential information
- avoid sending teleconference access numbers to a pager if confidential information will be discussed during the teleconference
- confirm that all attendees are authorized participants before starting any confidential discussions when chairing a teleconference
Wireless Networks
Wireless devices and technology create new and innovative opportunities for providing instruction and conducting business functions of the college. However, everything that is transmitted on a wireless network could be intercepted by a person within the coverage area of a wireless transmitter. The following guidelines should be adhered to when implementing and using wireless networks.
- wireless network access points must not be installed without approval of the Information Security Officer
- suitable security controls, such as authentication, encryption and MAC (Media Access Control) address restriction must be implemented to ensure that a wireless network access point cannot be exploited to disrupt college services or gain unauthorized access to college information
- confidential information must not be transmitted on a wireless network unless suitable security controls have been implemented and approved by the Information Security Officer (See Part 8, Access Control)
Modem Usage
Dial-up modems must not be connected to computer systems which are also connected to the college network without approval of the Information Security Officer.
Public Web Servers and Public Websites
The Internet provides an opportunity for the college to disseminate information and provide interactive services quickly and cost effectively. However, because a public web server is accessible globally and provides a potential connection path to the college network, care must be exercised in the deployment of public web servers. An insecure public web server may be used to obtain confidential college information, disrupt college services or assist in an illegal activity such as an attack on the website of some other organization. The Computer Use Policy therefore states that website services for the entire campus community are provided on a centralized server(s) by the Office of Information Technology Services and that the use of any other College computer for the purpose of serving a website is prohibited.
Public website content must be approved by the Office of Communications and Marketing. Content will be reviewed with consideration for copyright issues, for confidentiality, privacy and sensitivity, for accuracy and for any potential legal implications of providing the information.
Faculty, staff and students have the ability to create personal web pages. While the content of personal web pages is not reviewed prior to posting on the college website, the content of personal web pages is subject to compliance with the Computer Use Policy, with federal and state laws regarding use of computers and electronic communications and with the NYS Office of Technology Policy 99-3 titled Universal Accessibility for NYS websites. No material included on personal web pages may violate any laws, including but not limited to, those regarding obscenity, harassment of others and copyright infringement. Any person who knowingly violates such laws will be subject to loss of access privileges, disciplinary action and possible prosecution.
Part 7. Operations Management
Operating instructions and incident response procedures should be established and documented for the management and operation of all information processing facilities. Procedures should also be established and documented for activities associated with information processing and communications facilities such as computer startup and shutdown, data backup and equipment maintenance.
Security Incident Management
All Employees and Non-Employees must adhere to the Cyber Incident Reporting Procedure and the Process for Responding to a Suspected Breach of Private Data for reporting any event that may have an impact on the security of college information.
Security incident management procedures and responsibilities must be established and documented to ensure an effective, orderly and timely response to any security incident in order to restore any disrupted services as quickly as possible. The response to any security incident must additionally include analysis of the cause of the incident and implementation of any corrective actions to prevent recurrence of the same incident.
Separation of Development, Test and Production Environments
Development, test and production computing environments must be separated either logically or physically. Procedures must be established and documented to implement the transfer of software from a development environment, through a test environment and to a production environment. The following controls must be considered when establishing these separations.
- software and tools for development must be maintained in development environments isolated from production environments
- when not required, access to compilers, editors and other system utilities must be removed from production environments
- login procedures and environmental identification must be sufficiently unique between development, test and production environments
- short term access controls must be in place to allow necessary staff access to correct problems
Developing and testing software could potentially cause serious problems to production environments if these environments are not appropriately separated. The degree of separation must be considered by the college to ensure adequate protection of production environments. The college must also consider a stable testing environment where user acceptance testing may be conducted without changes being made to the software being tested.
System Planning and Acceptance
Planning for systems must be a comprehensive process to ensure the implementation of appropriate security measures and the availability of adequate resource capacity. The security requirements of new systems must be documented, implemented and tested prior to acceptance of systems and must be regularly reviewed during use of systems. The processor, memory and storage requirements of systems must be monitored in order to maintain adequate resource capacity for current workload and to project requirements for future workload so that any potential system bottlenecks and related disruptions to the delivery of user services are avoided.
Information Technology Staff and the Information Security Officer must ensure that the criteria for acceptance of security requirements are clearly defined, documented and tested prior to new systems being migrated to a production environment and prior to existing systems being upgraded in a production environment.
Protection against Malicious Code
All systems must be protected with appropriate controls to prevent and detect the introduction of malicious code that could cause serious damage to networks, servers, workstations and data and that could significantly disrupt the operations of the college. Employees and Non-Employees must adhere to procedures defined in the Cyber Incident Reporting Procedure for reporting a suspected malicious code incident.
Software Maintenance
All vendor software must be maintained at supported levels to ensure accuracy, integrity and supportability unless otherwise approved by the Information Security Officer. All college developed software must have appropriate change management procedures to ensure that changes are authorized, tested and accepted prior to deployment in a production environment. All software security patches must be reviewed, evaluated and as appropriate applied in a timely manner to reduce the risk of security incidents that could affect the availability, confidentiality and integrity of systems, software or business data.
Information Back-Up
Critical college data and software must be backed-up regularly. A risk assessment must be performed for all systems on which college data is stored to determine the criticality of each system and the appropriate amount of time for recovery of each system. In this process the criticality of services provided by the system and the sensitivity of information on the system must be considered. Systems to be analyzed must include networks, servers and workstations.
For critical systems, processes must be developed to back-up and fully restore the data and software, including full restoration at an alternate location should that be necessary. Disaster recovery plans must be developed, implemented and periodically tested for all critical college systems. The results of testing must be documented and any detected deficiencies must be corrected in a timely manner.
System Security Checking
Systems that provide critical services or store confidential information must undergo annual security reviews to ensure compliance with implementation standards and to identify security vulnerabilities to threats discovered since the previous review. Any identified security vulnerabilities must be reported to the Information Security Officer and must be immediately corrected by Information Technology Staff. The appropriate Information Owner must be informed of the vulnerability and must initiate an investigation to determine if any confidential information has been compromised.
Part 8. Access Control
Logical and physical access control mechanisms must be implemented in order to protect the availability, confidentiality and integrity of college information assets. The level of security provided by these mechanisms for each information asset should be commensurate with the criticality, sensitivity and legal properties of the asset. Information Owners will be responsible for making decisions regarding user access rights and privileges based on job responsibilities of the user.
User Registration Management
The college must establish a user registration management process to control the generation, distribution, modification and deletion of user accounts for access to information resources. The purpose of the process is to ensure that only authorized individuals have access to college applications and the information required in the performance of their job responsibilities.
The user registration management process must include sub-processes for the following components.
- creating user accounts
- granting user account privileges
- removing user account privileges
- periodic reviewing of user accounts
- periodic reviewing of user account privileges
- assigning of new authentication tokens (password reset processing)
- removing user accounts
Information Owners must approve access rights (who should have access) and privileges (what access should be provided) for information resources within their area of responsibility.
Privileged Accounts Management
The issuance of privileged accounts for performing systems administration functions must be restricted and controlled because the inappropriate use of privileged accounts may significantly contribute to breaches of information security on systems. Processes must be developed to ensure that usage of privileged accounts is regularly monitored and that any suspected misuse of privileged accounts is promptly investigated. The passwords of privileged accounts used by more than one person should be changed on a regular basis.
User Password Management
Passwords are a common means of authenticating the identity of a user to provide access to information systems. Password standards must be developed and implemented to ensure that authorized individuals accessing college resources are following proven password practices or rules. Whenever possible these password practices or rules must be automatically required by system controls and should include but not be limited to the following.
- passwords must not be stored in clear text
- passwords should not be easily guessed or recoverable through a dictionary attack
- passwords must be confidential and not shared with any other person
- passwords should be changed at regular intervals
- temporary passwords should be changed at the time of first logon
- passwords should contain a mix of alphabetic, numeric, special and upper/lower case characters
- passwords should not be automatically included in any logon process
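The following Python is an added illustration, not part of the policy, of how the rules above can be enforced automatically by system controls: the character-mix and dictionary rules are checked on the candidate password, only a salted PBKDF2 hash is ever stored, and a temporary password forces a change at first logon. The minimum length, the PBKDF2 round count and the small wordlist are constructed assumptions standing in for the values a real standard would set.

```python
"""Automatic enforcement of the password rules listed in the policy.

Added example, not part of the college policy. MIN_LENGTH, PBKDF2_ROUNDS
and COMMON_WORDS are constructed assumptions.
"""
import hashlib
import hmac
import os
import string
from typing import Dict, List, Optional

MIN_LENGTH = 12            # assumed; the policy states no figure
PBKDF2_ROUNDS = 600_000    # assumed work factor for PBKDF2-HMAC-SHA256
# Constructed stand-in for a real cracking wordlist (dictionary-attack rule).
COMMON_WORDS = {"password", "welcome", "college", "letmein", "qwerty", "summer"}


def password_violations(password: str, username: str = "") -> List[str]:
    """Return every listed rule the candidate password breaks (empty = OK).

    Covers the character-mix rule and the "not easily guessed / dictionary"
    rule; no-clear-text storage and first-logon change are enforced by the
    functions below rather than by inspecting the string.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Dictionary check on the alphabetic core, so "Password1!" is still caught.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in COMMON_WORDS:
        problems.append("dictionary word with trivial padding")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 hash; only this string is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_account(username: str, password: str, temporary: bool = False) -> Dict:
    """Register an account; rejects rule violations and never keeps clear text."""
    violations = password_violations(password, username)
    if violations:
        raise ValueError("password rejected: " + "; ".join(violations))
    return {"username": username,
            "password_hash": hash_password(password),
            "must_change": temporary}   # temporary passwords expire at first logon


def authenticate(account: Dict, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok' for a logon attempt."""
    if not verify_password(password, account["password_hash"]):
        return "denied"
    if account["must_change"]:
        return "change_required"
    return "ok"


if __name__ == "__main__":
    acct = create_account("jsmith", "Tr0ub4dor&3xample", temporary=True)
    print(authenticate(acct, "Tr0ub4dor&3xample"))      # change_required
    print(password_violations("Password1!", "jsmith"))  # two violations
```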
Network Access Control
Access to the college internal network must require that users authenticate themselves through use of an individually assigned username and a password constructed to meet established standards. Network controls must be developed and implemented to ensure that authorized users can access only those systems and services necessary to perform their assigned job responsibilities.
Remote Access Control (User Authentication for External Connections)
(See Part 6, Communications and Network Management, External Connections)
The college requires that individual accountability be maintained by Employees and Non-Employees at all times, including during remote access, in order to maintain information security. Any access from an external connection to the college network is a remote access. Remote access to any on-campus college computer system must be authorized by the Information Security Committee and the Information Security Officer. External connections to the college network must be established in a secure manner in order to preserve the integrity and availability of the network including the integrity of data transmitted over the network. Security mechanisms must be in place to control remote access to college systems and networks from fixed and mobile locations.
Connections from the college network to external networks must be approved by the Information Security Officer after a risk analysis has been performed to ensure that the connection to the external network will not compromise the college network. Connections will only be allowed when the external networks have acceptable security controls and procedures or when the college has implemented appropriate security measures to protect the network resources of the college from the external network.
The Information Security Officer must approve any external connection to the college network to ensure that the connection does not compromise the college network. This includes the use of a college computing device to establish an external connection and automatically report a problem or suspected problem.
Employees and Non-Employees must be authorized by college management to work from a remote location. Appropriate arrangements must be made through written policy and procedures to ensure that the remote work environment provides adequate security for college data and computing resources including protection against theft of college equipment, misuse of college equipment, unauthorized disclosure of college information and unauthorized access to the college network or other facilities by anyone other than the authorized Employee or Non-Employee.
Segregation of Networks
When the college network is connected to another network, or becomes a segment on a larger network, appropriate controls must be in place to prevent users from other connected networks from accessing sensitive areas of the college private network. Routers or other technologies must be implemented to control access to secured resources on the college private network.
Operating System Access Control
Access to operating system code, commands and services must be restricted to those Employees who need this access in the normal performance of their job responsibilities. When possible, each individual should have a unique privileged account for their personal and sole use so that operating system activities are able to be traced back to a responsible person. When there is a clear business requirement or system limitation, a single privileged account for more than one individual may be used. In these cases approval of the Information Security Officer is required and additional controls must be implemented to ensure that individual accountability is maintained.
When possible, the username of a privileged account should not reflect the privileged status of the account. Individuals with privileged accounts must have a second account for performing normal business functions such as use of the college email system.
Application Access Control
Access to college applications and systems must be restricted to those Employees needing such access to perform their job responsibilities. Access to source code for applications and systems must be further restricted to those Employees and Non-Employees whose job responsibilities include direct support for the applications.
Monitoring Application Access and Use
Applications and systems must be monitored to detect deviation from access control policies and to record events for evidence and use when reconstructing lost or damaged data. Depending on the nature of events continuous or periodic monitoring may be appropriate. Audit logs recording exceptions and other security-relevant events that represent security incidents or deviations from policies must be produced and maintained to assist in future investigations and access control monitoring. When technically possible, audit logs will include the following.
- usernames
- dates and times for logon and logoff
- workstation identity (location)
- record of rejected attempts to access applications
- record of rejected attempts to access data
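As an added example that is not part of the policy, the Python below records the fields listed above (username, logon and logoff times, workstation identity, rejected application and data access attempts) and runs two checks over a constructed sample log: users whose rejected attempts cluster inside a short window, and logons with no matching logoff. The key=value line format, the sample entries, the threshold and the window are all assumptions.

```python
"""Audit records with the policy's listed fields, plus two deviation checks.

Added example, not from the policy. The line format, SAMPLE_LOG,
REJECTION_THRESHOLD and WINDOW are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (timestamp user workstation event extra-fields).
SAMPLE_LOG = """\
2014-05-06T08:02:11 user=jdoe ws=LIB-PC-07 event=LOGON
2014-05-06T08:05:40 user=jdoe ws=LIB-PC-07 event=APP_DENIED app=payroll
2014-05-06T08:05:52 user=jdoe ws=LIB-PC-07 event=APP_DENIED app=payroll
2014-05-06T08:06:03 user=jdoe ws=LIB-PC-07 event=DATA_DENIED resource=student_grades
2014-05-06T08:06:15 user=jdoe ws=LIB-PC-07 event=DATA_DENIED resource=student_grades
2014-05-06T08:30:00 user=jdoe ws=LIB-PC-07 event=LOGOFF
2014-05-06T09:00:00 user=asmith ws=ADM-PC-12 event=LOGON
2014-05-06T09:10:00 user=asmith ws=ADM-PC-12 event=APP_DENIED app=payroll
2014-05-06T10:00:00 user=bjones ws=LAB-PC-03 event=LOGON
2014-05-06T17:10:00 user=asmith ws=ADM-PC-12 event=LOGOFF
"""

REJECTION_THRESHOLD = 3          # assumed: denials in one window that warrant review
WINDOW = timedelta(minutes=5)    # assumed


@dataclass
class AuditRecord:
    timestamp: datetime
    username: str
    workstation: str      # workstation identity (location) from the policy list
    event: str            # LOGON, LOGOFF, APP_DENIED, DATA_DENIED
    detail: Dict[str, str]


def parse_line(line: str) -> AuditRecord:
    """Parse one key=value audit line into a record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuditRecord(datetime.fromisoformat(ts), kv.pop("user"),
                       kv.pop("ws"), kv.pop("event"), kv)


def parse_log(text: str) -> List[AuditRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def repeated_rejections(records: List[AuditRecord]) -> Dict[str, List[datetime]]:
    """Users reaching REJECTION_THRESHOLD denials inside WINDOW.

    Returns, per flagged user, the timestamps of the first window that
    tripped the threshold (sliding window over sorted denial events).
    """
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, List[datetime]] = {}
    for r in sorted(records, key=lambda rec: rec.timestamp):
        if not r.event.endswith("_DENIED"):
            continue
        q = recent[r.username]
        q.append(r.timestamp)
        while q and r.timestamp - q[0] > WINDOW:
            q.popleft()
        if len(q) >= REJECTION_THRESHOLD and r.username not in flagged:
            flagged[r.username] = list(q)
    return flagged


def open_sessions(records: List[AuditRecord]) -> Dict[Tuple[str, str], datetime]:
    """Logons (per user and workstation) with no matching logoff in the log."""
    active: Dict[Tuple[str, str], datetime] = {}
    for r in sorted(records, key=lambda rec: rec.timestamp):
        key = (r.username, r.workstation)
        if r.event == "LOGON":
            active[key] = r.timestamp
        elif r.event == "LOGOFF":
            active.pop(key, None)
    return active


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(repeated_rejections(recs))   # jdoe: three denials within 5 minutes
    print(open_sessions(recs))         # bjones on LAB-PC-03 never logged off
```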
Part 9. Systems Development and Maintenance
The software for information systems is acquired or developed to support the business and instructional needs of the college. These information systems are critical to the operation of the college and must be protected from unauthorized access in order to prevent disruptions with their usage or tampering with their data.
Security must be built into all information systems used by the college. Security issues must be identified during the requirements phase of an implementation project and must be justified, agreed to, documented and presented as part of the overall business case for the implementation project. The Information Security Officer must be kept informed of all security issues during the entire implementation project.
Security requirements and controls must reflect the value to the college of the involved information and the potential damage that could result from an absence or failure of security mechanisms. This is especially critical for web and other online applications. The process of analyzing security requirements and identifying appropriate security controls must be performed by the Information Owner and Information Technology Staff, reviewed by the Information Security Committee and approved by the Information Security Officer.
For information systems that are critical to college operations this process to assess threat and manage risk must include the following.
- development of a data profile to understand the risks
- identification of security measures based on data protection requirements
- implementation of security controls based on the identified security measures and the technical architecture of the system
- implementation of a process for testing the effectiveness of the security controls
- development of processes and standards to support system changes, to support system administration and to measure compliance with established security requirements
Input Data Validation
Data entered into an information system must be validated in order to detect data input errors and to ensure accuracy and correctness. When possible, the data validation should be applied by the information system to ensure consistent and complete implementation of the rules for determining data accuracy and correctness. When not possible, college personnel must be identified to perform the data validation.
Control of Internal Processing
Even data that has been accurately and correctly entered into an information system may be corrupted by intentional or unintentional acts or by processing errors. Data validation checks and business rules must be incorporated into information systems to identify inaccurate or incorrect data and to prevent or stop a process from running that may be corrupting data.
Information system design must ensure that controls are implemented to minimize the risk of processing failures leading to a loss of data or system integrity. When possible, programs to recover from failures in the functions that add, change and delete data should be developed as part of the information system.
Message Integrity
Message authentication is a technique used to ensure message integrity by detecting unauthorized changes to electronically transmitted data. Message authentication must be considered for information systems where there is a security requirement to protect electronically transmitted data. A security assessment of threats and risks must be performed to determine if message integrity is required and to identify the most appropriate method of message authentication. Message authentication does not protect against unauthorized disclosure. Encryption techniques must be used to protect against unauthorized disclosure during the electronic transmission of data.
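An added example, not from the policy, of the distinction this section draws: an HMAC-SHA256 tag lets the receiver detect any unauthorized change to a transmitted message, but the message itself stays readable, so protecting against disclosure still requires encryption. The key and the message are constructed.

```python
"""Message authentication detects tampering; it does not hide content.

Added example, not part of the policy. Key and message are constructed.
"""
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


def authenticate_message(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to the message before transmission."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, blob: bytes) -> bytes:
    """Return the message if its tag checks out; raise ValueError otherwise."""
    if len(blob) < TAG_LEN:
        raise ValueError("truncated message")
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes by timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return message


def is_tamper_detected(key: bytes, blob: bytes, position: int) -> bool:
    """Flip one bit at `position` and report whether verification rejects it."""
    altered = blob[:position] + bytes([blob[position] ^ 0x01]) + blob[position + 1:]
    try:
        verify_message(key, altered)
        return False
    except ValueError:
        return True


def is_disclosed(blob: bytes, fragment: bytes) -> bool:
    """True when the authenticated blob still exposes `fragment` in the clear."""
    return fragment in blob


if __name__ == "__main__":
    key = os.urandom(32)                       # shared secret; see Key Management
    msg = b"GRADE CHANGE: student 1234 CS101 B -> A"   # constructed sample
    blob = authenticate_message(key, msg)
    print(verify_message(key, blob) == msg)     # True: untouched message accepted
    print(is_tamper_detected(key, blob, 35))    # True: altered grade is rejected
    print(is_disclosed(blob, b"student 1234"))  # True: MAC gives no confidentiality
```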
Cryptographic Controls
Encryption is a cryptographic technique used to protect the confidentiality of information. Encryption must be considered when other security controls do not provide an adequate level of protection for information. The required level of protection will be determined based on a risk assessment that takes into account the encryption algorithm and the length of cryptographic keys. To the extent possible, consideration must also be given to the regulations and national restrictions that may apply to the use of cryptographic techniques in different parts of the world and to the controls that apply to the export and import of cryptographic technology.
Cryptographic Key Management
If cryptographic techniques are used, a secure environment must be established to protect the deployed cryptographic keys. Access to this secure environment must be tightly controlled and limited to Information Technology Staff responsible for the implementation of this encryption. If a cryptographic key were compromised or lost, all information encrypted with the key would have to be considered at risk.
Protection of System Test Data
Test data must be protected. Acceptance testing of information systems usually requires large volumes of data and oftentimes the best test data is a copy of production data. When this is the case the Employees or Non-Employees performing the tests or having access to test data must be authorized by the appropriate Information Owner in the same way that access is authorized to production data.
Change Control Procedures
Strict controls must be implemented for changes to information systems to minimize the possible corruption of these systems and the resulting disruption to the operations of the college. Formal change control procedures must be developed, implemented and enforced to ensure that information security is not compromised. These change control procedures must apply to college information systems including computer hardware, computer application software, computer system software, network hardware and network software.
Access to source code libraries for college information systems must be tightly controlled to ensure that only authorized individuals have access to these libraries and should be logged to ensure that all access to these libraries can be monitored.
Part 10. Compliance
Compliance with this Information Security Policy is mandatory. Each Employee and Non-Employee must understand their roles and responsibilities regarding information security issues and the protection of college information assets. Failure to comply with this Policy or any other security policy that results in the compromise of college information may result in appropriate action as permitted by negotiated agreement, regulation, rule or law. The Information Security Officer will facilitate all matters relative to compliance with this Policy and the college will take all administrative and legal steps necessary to protect college information assets.
Monitoring
The college reserves the right to inspect, monitor and search all college information systems consistent with applicable law, employee contracts and college policies. College computers and networks are provided for business purposes and therefore, staff members should have no expectation of privacy for information stored on college computers or transmitted across college networks. The college additionally reserves the right to remove any unauthorized material from college information systems.
Document Change Management
Requests for changes to this Policy must be presented to the Information Security Officer. The Information Security Officer will review requested changes with the Information Security Committee. Approved changes will formally be included in a revision to this Policy. This Policy will minimally be reviewed on an annual basis.
Appendix A – Definitions
authentication: the process to establish and prove the validity of a claimed identity
authorization: the granting of rights, which includes the granting of access based on an authenticated identity
availability: the property of a computer system that is accessible, functional, operational and usable upon demand by an authenticated and authorized individual, process or system
Computer Use Policy: the college policy that defines appropriate conduct when using college-provided computer accounts
confidentiality: the property of information that is not disclosed to an unauthorized individual, process or system
Cyber Incident Reporting Procedure: the college procedure that defines the processes for reporting suspected information security incidents within the college and for reporting confirmed information security incidents to SUNY System Administration and the NYS Office of Cyber Security and Critical Infrastructure Coordination
DMZ (demilitarized zone): a semi-secured buffer or region between two networks such as between the public Internet and the private college network
encryption: the transformation of data through an algorithmic process using a cryptographic key to render the information unintelligible during electronic transmission of the information
firewall: a security mechanism that creates a barrier between an internal network and an external network.
information: information is defined as the representation of concepts, facts or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automated means
information assets: (1) all categories of automated information, including but not limited to records, files and databases, and (2) owned or leased information technology facilities, computers and software
information security: the concepts, measures and techniques used to protect information from unauthorized access, destruction, disclosure or modification
information security architecture: a framework designed to ensure information security including information security principles that are defined and integrated into business and information technology processes in a consistent manner
information security incident: any adverse event that threatens the accessibility, confidentiality or integrity of information resources
integrity: the property of data that has not been altered or destroyed from its intended form or content in an unauthorized or unintentional manner
malicious code: software code that is intentionally developed to carry out annoying or harmful actions or to consume the resources of a target computer – sometimes masquerades as useful software or sometimes embedded in useful programs so that users are induced into activating them – types of malicious code include computer viruses, Trojan horses and worms
MAC (media access control) address: a hardware address that uniquely identifies each item of equipment on a computer network
penetration and intrusion testing: security testing in which evaluators attempt to exploit physical, network, system or application weaknesses to determine whether these weaknesses can be used to gain unauthorized or elevated privileged access to otherwise protected information resources
personally identifiable information: any information (name, number, personal mark or other identifier) concerning a person which can be used to identify the person
privacy: the right of individuals and organizations to control the collection, storage, and dissemination of information related to themselves
Process for Responding to a Suspected Breach of Private Data: the college procedure that defines the processes for reporting a suspected breach of private data within the college and a confirmed breach of private data to the NYS Offices of the Attorney General, the Cyber Security and Critical Infrastructure Coordination and the Consumer Protection Board
sensitivity: the property of data that reflects a harmful and measurable impact resulting from disclosure, destruction or modification
third party: any non-college contractor, consultant, vendor or other person, acting on behalf of or in conjunction with the college
user: any person authorized to access an information system for legitimate purposes
vulnerability: the property of an information system or a facility that reflects a weakness that can be exploited to compromise the integrity of information
vulnerability scanning: see penetration and intrusion testing
Appendix B – Protocols for Accessibility of Web Content
Protocols for Developing Accessible Web Content (Version 02/11/2008)
91勛圖厙 complies with Federal and State technology access policies, standards and guidelines (Federal Rehabilitation Act Amendments of 1998 for Section 508 Priority 1 and 2, New York State Technology Standards S04-001 and New York State Technology Policy P04-002). If you have any questions regarding these technology access policies, standards and guidelines please contact Pablo Negron, ADA Compliance Office at 629-7154 or negropab@hvcc.edu.
Private components of our website include Learning Management System courses, portal content and other content on our website behind a college login and therefore closed to the public.
For Learning Management System Course Content
- instructional content should be developed in compliance with universal design principles to ensure web content accessibility
- formal training for faculty electing to teach an online course or a course with online content includes instruction on developing materials in multiple modalities
- some course content may be considered supplementary rather than essential and may be posted in a single modality to accommodate various student learning styles
- all content for online courses, hybrid courses and enhanced courses that is developed collaboratively with distance learning instructional designers will be available in alternate formats
- faculty ensures compliance with Federal and State technology access policies, standards and guidelines
- organizational content must be developed in compliance with universal design principles to ensure web content accessibility
- organizational content developer ensures compliance with Federal and State technology access policies, standards and guidelines
- people involved with developing web content using elements of the IMC (Instructional Media Center) centralized collection must involve the IMC to ensure compliance with licensing agreements
- people involved with developing web content using elements of a departmental collection must involve the department to ensure compliance with licensing agreements
- compliance with Federal and State technology access policies, standards and guidelines is determined by the context of content usage:
  - in a Learning Management System course this compliance is ensured by faculty or distance learning instructional designers
  - in a portal organization this compliance is ensured by the organizational content developer
  - in other portal content or other content behind a college login this compliance is ensured by the editor or webmaster
For Other Portal Content (Excluding Organizations) and Other Content Behind a College Login (Excluding Repositories of Licensed Instructional Content)
- editor or webmaster ensures compliance with Federal and State technology access policies, standards and guidelines
Public components include content on our website not behind a college login and therefore open to the public.
- editor or webmaster ensures compliance with Federal and State technology access policies, standards and guidelines
- personal content publisher ensures compliance with Federal and State technology access policies, standards and guidelines as documented in the Unofficial Pages section of the Website Policy in the Communications Guide published by the Office of Communications and Marketing
Protocols for Responding to Accessible Web Content Issues (Version 02/11/2008)
91勛圖厙 complies with Federal and State technology access policies, standards and guidelines (Federal Rehabilitation Act Amendments of 1998 for Section 508 Priority 1 and 2, New York State Technology Standards S04-001 and New York State Technology Policy P04-002).
If you have any questions regarding these technology access policies, standards and guidelines please contact Pablo Negron, ADA Compliance Office at 629-7154 or negropab@hvcc.edu.
Private components of our website include Learning Management System courses, portal content and other content on our website behind a college login and therefore closed to the public.
For Learning Management System Course and Portal Organization Content
- student informs instructor of accessibility issue
  - instructor resolves problem, or informs Distance Learning staff
  - if not an accessibility issue, Distance Learning staff work with student to resolve
  - if an accessibility issue, Distance Learning staff work to resolve issue with instructor and, if applicable, with Disability Resources Center staff
- student informs Distance Learning staff of accessibility issue
  - if not an accessibility issue, Distance Learning staff work with student to resolve
  - if an accessibility issue, Distance Learning staff inform instructor, and work to resolve issue with instructor and, if applicable, with Disability Resources Center staff
- student informs anyone else of accessibility issue
  - anyone else informs Distance Learning staff of accessibility issue
  - if not an accessibility issue, Distance Learning staff work with student to resolve
  - if an accessibility issue, Distance Learning staff inform instructor, and work to resolve issue with instructor and, if applicable, with Disability Resources Center staff
For Portal Content and Other Content Behind a College Login
- user informs content owner or content holder of accessibility issue
  - content owner or content holder resolves problem, or informs editor or webmaster
  - if not an accessibility issue, editor or webmaster work with user to resolve
  - if an accessibility issue, editor or webmaster work to resolve issue with content owner or content holder and, if applicable, with Disability Resources Center staff
Public components include content on our website not behind a college login and therefore open to the public.
For Public Content Not Behind a College Login
- user informs editor or webmaster of accessibility issue
  - if not an accessibility issue, editor or webmaster work with user to resolve
  - if an accessibility issue, editor or webmaster work to resolve issue with content owner and, if applicable, with Disability Resources Center staff