Oneonta's Information Technology Security Program

“A strategic plan to ensure confidentiality, integrity, and accessibility of Oneonta’s information assets.”

• PURPOSE
• SCOPE
• PROGRAM
  • SECTION 1. PREFACE
  • SECTION 2. ORGANIZATIONAL AND FUNCTIONAL RESPONSIBILITIES
  • SECTION 3. INFORMATION SECURITY
    • Individual Accountability
    • Confidentiality / Integrity / Availability
  • SECTION 4. ASSET CLASSIFICATION AND CONTROL
    • Privacy and Handling of Private Information
  • SECTION 5. PERSONNEL SECURITY
    • Including Security in Job Responsibilities
    • User Training
    • Responding to Security Incidents and Malfunctions
    • Reporting Security Weaknesses
    • Reporting Security Software Malfunctions
    • Incident Management Process
  • SECTION 6. PHYSICAL AND ENVIRONMENTAL SECURITY
    • Physical Security Barriers
    • Secure Disposal or Re-use of Equipment
    • Clear Screen
  • SECTION 7. COMMUNICATIONS AND NETWORK MANAGEMENT
    • Network Management
    • Host Scanning
    • Network Security Checking
    • Internet and Electronic Mail Acceptable Use
    • External Internet and VPN Connections
    • Security of Electronic Mail
    • Portable Computers
    • Telephones and Fax Equipment
    • Wireless Networks
    • Modem Usage
    • Public Websites
    • Electronic Signatures
  • SECTION 8. OPERATIONS MANAGEMENT
    • Incident Management Procedures
    • Segregation of Duties
    • Separation of Test and Operational Facilities
    • Protection against Malicious Software
    • Software Maintenance
    • Information Back-up
    • System Security Checking
    • Disposal of Media
  • SECTION 9. ACCESS CONTROL
    • User Registration and Management
    • Privileged Account Management
    • User Password Management
    • Network Access Control
    • User Authentication for External Connections (Remote Access Control)
    • Segregation of Networks
    • Operating System Access Control
    • Monitoring System Access and Use
  • SECTION 10. SYSTEMS DEVELOPMENT AND MAINTENANCE
    • Control of Internal Processing
    • Cryptographic Controls
    • Change Control Procedures
  • SECTION 11. COMPLIANCE
    • Gramm-Leach-Bliley Act
    • Safeguarding of College Records
    • Prevention of Misuse of Information Technology Resources
    • Compliance
    • Enforcement and Violation Handling
• DEFINITIONS

PURPOSE

The purpose of this document is to define a set of minimum information technology (IT) security requirements that the College must meet to comply with State and Federal directives. The College may, based on its individual business needs and specific legal requirements such as FERPA or the GLBA, exceed any or all of the information security requirements put forth in this document, but must, at a minimum, achieve the information security levels defined in this document.

The primary objectives of the IT Security Program are:

• effectively manage the risk of IT security exposure or compromise within College systems;
• communicate within the College community the responsibilities for the protection of College information;
• comply with the Family Educational Rights and Privacy Act of 1974 (FERPA, the Buckley Amendment), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS) and other statutes, policies and standards protecting the rights of individuals;
• consistently maintain data integrity and accuracy;
• assure that authorized individuals have timely and reliable access to necessary data;
• deny with reasonable assurance unauthorized individuals access to computing resources or other means to retrieve, modify or transfer data.

SCOPE

This program applies to all faculty, staff and students of the College, and to others (e.g., Research Foundation employees, OAS employees, vendors, contractors, etc.) who may utilize the College’s technology and related facilities.

This program encompasses all computer systems for which the College has responsibility, including systems managed or hosted by third parties on behalf of the College. It addresses all electronic information, regardless of form or format, which is created or used in support of the College mission.

IT security refers to the protection of information from unauthorized access, destruction, modification or disclosure. For the purposes of this document, information is defined as the representation of facts, concepts, or instructions in an electronic manner suitable for communication, interpretation, or processing by human or automated means. Information is relayed by a variety of methods, such as written documentation or computer networks, and is stored and retrieved in several formats. The formats can include but are not limited to: computer databases or transmissions, tapes, CD-ROMs, diskettes, computer-generated reports, hard-copy documentation, e-mail messages, voice mail, etc.

This program must be communicated to all faculty, staff, students and all others who have access to or manage College information. This IT security program is not specific to any type of hardware, communications method, network topology, or software application. As such, it is designed to be implemented across campus.

PROGRAM

Section 1. Preface

The President’s Cabinet is fully committed to IT security and agrees that every person in the College community has an important responsibility to continuously maintain the security and privacy of College data. This IT Security Program is a statement of the minimum requirements, ethics, responsibilities and accepted behaviors required to establish and maintain a secure environment, and achieve the College’s IT security objectives. This IT Security Program sets the direction, gives broad guidance and defines requirements for IT security related processes and actions across the College. This program follows the framework of the International Standards Organization’s ISO 27002 - The Information Security Standard.

Section 2. Organizational and Functional Responsibilities

A. The College: The President will designate an Information Security Officer (ISO). The ISO will ensure that an organization structure is in place for:

• coordinating and implementing information security policies, standards, and procedures;
• assigning information security responsibilities;
• implementing an IT security awareness program;
• monitoring significant changes in the exposure of IT assets to major threats, legal or regulatory requirements;
• responding to IT security incidents;
• leading major initiatives to enhance IT Security;
• leading disaster preparedness planning to ensure continuity of College business.

B. College Designated Staff: College designated staff will be responsible for the implementation of this and other IT Security policies and for the compliance of College employees with this program. The designated staff must educate College employees with regard to IT Security issues, explain the issues, why the policies have been established, and what role(s) individuals have in safeguarding IT assets. Consequences of noncompliance will also be explained.

C. Information Owners: Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.). These access privileges must be in accordance with the user’s job responsibilities. Information owners also communicate to the College ISO the legal requirements for access and disclosure of their data. Information owners must be identified for all College information assets and assigned responsibility for the maintenance of appropriate information security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc. Responsibility for implementing information security measures may be delegated, though accountability remains with the identified owner of the asset.

D. College Information Security Officer: The College Information Security Officer has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of this program. The College Information Security Officer is responsible for providing direction and leadership to the College through the recommendation of IT security policies, standards, processes and education and awareness programs to ensure that appropriate safeguards are implemented, and to facilitate compliance with those policies, standards and processes. The College Information Security Officer is responsible for investigating all alleged IT security violations. In this role, the College Information Security Officer may refer the investigation to other investigatory entities, including law enforcement. The College Information Security Officer will coordinate and oversee IT security program activities and reporting processes in support of this program and other IT security initiatives.

E. IT Security Administrator: This individual will report to the College Information Security Officer and be responsible for administering IT security tools, auditing IT security practices, identifying and analyzing IT security threats and solutions, and responding to IT security violations.

F. Departments or Individuals with Direct Responsibility for Technology Support: These areas have responsibility for the data processing infrastructure and computing networks which support the information owners. It is their responsibility to support the IT Security Program and provide resources needed to enhance and maintain a level of IT Security control consistent with the College’s IT Security Program. These departments have the following responsibilities in relation to IT security:

• ensuring processes, policies and requirements are identified and implemented relative to IT security requirements defined by the College;
• ensuring the proper IT controls are implemented for assets for which the College has assigned ownership responsibility, based on the College’s classification designations;
• ensuring the participation of the College Information Security Officer and technical staff in identifying and selecting appropriate and cost-effective IT security controls and procedures, and in protecting IT assets;
• ensuring that appropriate IT security requirements for user access to automated information are defined for files, databases, and physical devices assigned to their areas of responsibility;
• ensuring that critical data and recovery plans are backed up and kept at a secured off-site storage facility and that recovery of backed-up media will work if and when needed.

G. College Employees: It is the responsibility of all employees to protect College information and resources, including passwords, and to report suspected IT security incidents to one or more of the following: the information owner, the IT Help Desk, or the Information Security Administrator as appropriate.

H. Non-College Employees: Oneonta Auxiliary Services (OAS), Research Foundation (RF), Retirees, Contractors, Consultants, Vendors and other persons including students, to the extent of their present or past access to the College IT assets, are also covered by this IT Security Program.

Section 3. Information Technology Security

All stored or transmitted electronic information which is created, acquired or used in support of the College’s mission, regardless of form or format, must be used for College business only. This information is an asset and must be protected from its creation, through its useful life, to its authorized disposal. It must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Information must be classified and protected based on its importance to business activities, risks, and information security best practices as defined in the International Standards Organization’s ISO 27002 - The Information Security Standard.

A. Information is one of the College’s most valuable assets and the College relies upon that information to support its mission. The quality and availability of that information is key to the College’s ability to carry out its mission. Therefore, the security of the College’s information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of College information has an obligation to preserve and protect College information assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals.

B. Information security management enables information to be shared while ensuring protection of that information and its associated computer assets, including the networks over which the information travels. College designated staff are responsible for ensuring that appropriate physical, logical and procedural controls are in place on these assets to preserve the information security properties of confidentiality, integrity, availability and privacy of College information.

Individual Accountability

Individual accountability is the cornerstone of any information security program. Without it, there can be no information security. Individual accountability is required when accessing all College resources.

• Access to College computer systems and networks must be provided through the use of individually assigned unique computer identifiers, known as user-IDs.
• Individuals who use College computers must only access information assets to which they are authorized.
• Associated with each user-ID is an authentication token, such as a password, which must be used to authenticate the person accessing the data, system or network. Passwords, tokens or similar technology must be treated as confidential information, and must not be disclosed. Transmission of such authentication information must be made only over secure mechanisms.
• Each individual is responsible to reasonably protect against unauthorized activities performed under his or her user-ID.
• For the user’s protection, and for the protection of College resources, user-IDs and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared. In certain circumstances, where there is a clear requirement or system limitation, a shared user-ID for a group of users or a specific job can be used. Additional compensatory controls must be implemented to ensure accountability is maintained.

Confidentiality / Integrity / Availability

A. All College information must be protected from unauthorized access to help ensure the information’s confidentiality and maintain its integrity. Information owners will secure information within their jurisdiction based on the information’s value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery. The College will adopt policies and procedures to guide information owners in securing their information assets.

B. Information will be readily available for authorized use when it is needed by users in the normal performance of their duties. Appropriate processes will be defined and implemented to ensure the reasonable and timely recovery of all College information, applications and systems, regardless of computing platform, should that information become corrupted, destroyed, or unavailable for a defined period (refer to Section 8, Operations Management, Information Back-up).

Section 4. Asset Classification and Control

A. Information must be properly managed from its creation, through authorized use, to proper disposal, and requires different levels of protection. Information will be classified based on its value, sensitivity, consequences of loss or compromise, and/or legal and retention requirements. Criteria for determining the sensitivity of information will include consideration of confidentiality, integrity, availability, privacy, safety, legal and retention compliance requirements.

B. All information will have an information owner established within the College’s lines of business who will be responsible for assigning the initial information classification, and make all decisions regarding controls, access privileges of users, and daily decisions regarding information management.

C. Each classification will have a set or range of controls, designed to provide the appropriate level of protection of the information and its associated application software commensurate with the value of the information in that classification. Protective measures will address the above considerations with control categories that include: identification & authentication, access control, confidentiality, network security, host security, integrity, non-repudiation, monitoring and compliance.

Privacy and Handling of Private Information

Privacy of personally identifiable information must be maintained consistent with laws, rules and regulations. The College’s systems hold personal information (i.e., any information that is unique to an individual) to carry out the mission of the College. The protection of the privacy of personal information is of utmost importance and the College must protect the privacy rights of all members of the College community. All College employees with access to personal information are required to respect the confidentiality of that personal information to the full extent of the law. Personal data, including information about employees, students, members of the public, organizations and business partners, collected and maintained by the College must:

• be consistent with the provisions of the Internet Security and Privacy Act, the Freedom of Information Law, FERPA, and the Personal Privacy Protection Law;
• be used as authorized by law;
• be gathered in a lawful manner;
• be kept in a manner as required by law or regulations;
• not be disclosed unless authorized or required by law;
• be available for review by authorized individuals;
• be corrected if errors are known to exist or if the individual identifies errors;
• be erased where appropriate if the individual requests, consistent with applicable laws; and
• be protected using system access controls.

Section 5. Personnel Security

The intent of this section is to reduce the risk of human error and misuse of College information and facilities.

Including Information Security in Job Responsibilities

Information security roles and responsibilities must be documented. These roles and responsibilities will include general responsibilities for all College employees, as well as specific responsibilities for protecting specific information assets and performing tasks related to information security procedures or processes.

User Training

A. All faculty, staff and students must receive general information security awareness training to ensure they are knowledgeable of information security procedures, their roles and responsibilities regarding the protection of College information assets, and the proper use of information processing facilities to minimize information security risks.

B. Departments that process or maintain sensitive information are responsible for conducting specific information security awareness training for employees who handle such information in the course of their job duties. This training should include physical handling and disposition of non-electronic documents containing sensitive information as well as proper procedures to follow in processing and storing electronic information and documents.

C. Logon banners will be implemented on all systems where that feature exists to inform all users that the system is for College business or other approved use consistent with the College mission.

Responding to Information Security Incidents and Malfunctions

A. Incidents affecting information security must be reported as quickly as possible to one or more of the following: the information owner, the Information Technology (IT) Help Desk or the IT Security Administrator as appropriate.

B. Formal incident reporting procedures that define the actions to be taken when an incident occurs must be established. Feedback mechanisms must be implemented to ensure that individuals reporting incidents are notified of the results after the incident has been resolved and closed.

Reporting Information Security Weaknesses

Users of information technologies shall report any observed or suspected information security weaknesses or threats to the appropriate manager and the IT Security Administrator. They must report these weaknesses as soon as possible. Users must not attempt to prove a suspected weakness unless authorized by the College ISO to do so. Testing weaknesses could have unintended consequences.

Reporting Information Security Software Malfunctions

Users are required to report software malfunctions such as a virus not being detected, a password change not being accepted, etc. Users should report such malfunctions by calling the IT Help Desk. After the IT Help Desk is notified of the problem the following actions will be taken:

• the symptoms of the problem and any messages appearing on the screen will be documented;
• the computer will be isolated, if possible, and use of it stopped until the problem has been resolved;
• the incident will be reported immediately to the appropriate manager and the IT Security Administrator.

Incident Management Process

The logging of information security incidents will be used by the College to identify recurring or high-impact incidents and to record lessons learned. Review of this information may indicate the need for additional controls to limit the frequency, damage and cost of future incidents.

Section 6. Physical and Environmental Information Security

Physical Security Barriers

A. Breaching physical security can cause a loss of or damage to College information assets. Physical security will be achieved by creating physical barriers around the assets being protected. These barriers could be in the form of an entry point with card key access, a locked door, a staff member, or other physical barrier.

B. College environments where servers are stored or operational, wiring closets for networks and telephony, printers where confidential or sensitive information may be printed, and any other areas that contain and/or process critical or sensitive information must be secured against unauthorized access.

C. The College will perform periodic threat and risk analysis to determine where additional physical security measures are necessary, and implement these measures to mitigate the risks.

Secure Disposal or Re-use of Equipment

There is risk of disclosure of sensitive information through careless disposal or re-use of equipment. Storage devices such as hard disk drives and other magnetic media such as tape, containing sensitive information, will be physically destroyed or securely overwritten to prevent the unauthorized disclosure of sensitive College information.

Clear Screen

Desktop, laptop and PDA computers connected to a network and/or containing sensitive or confidential College information must be automatically logged off or the screen locked within 30 minutes of inactivity.

Inventory Control

All College-owned computer equipment will be tagged to identify the College as the owner. An equipment inventory will be conducted annually by the Office of Property Management.

Section 7. Communications and Network Management

Network Management

The College must implement a range of network controls to maintain security in its internal networks, and ensure the protection of connected services and networks. These controls help prevent unauthorized access to and use of the College networks. The following controls, at a minimum, should be implemented:

• Operational responsibility for networks will be separate from computer operations when possible;
• Responsibilities and procedures for remote use must be established (refer to Section 9, Access Control, of this document);
• When necessary, special controls will be implemented to safeguard the integrity and confidentiality of data passing over public networks (Internet).

Host Scanning

Any devices connected to a network will be scanned periodically to ensure that no major vulnerabilities have been introduced into the environment. The frequency of scans will be determined by the College ISO.

Network Security Checking

A. Network vulnerability scanning will be conducted periodically at the discretion of the IT Security Administrator. The output of the scans will be reviewed in a timely manner, and any vulnerability detected will be evaluated for risk and mitigated. The tools used to scan for vulnerabilities will be updated periodically to ensure that recently discovered vulnerabilities are included in any scans.

B. A process to perform the scanning will be defined by the College, tested and followed at all times to minimize the possibility of disruption to the College networks by such reviews. Reports of exposures to vulnerabilities will be forwarded to the College ISO and IT Security Administrator.

C. All connections to College networks must be authenticated.

D. The use of any network vulnerability scanning tools, whether internal or external, by individuals who are not part of the formal test process described above is prohibited. Any vulnerability scanning from the Internet must be conducted exclusively by the College’s authorized, qualified staff or a qualified third party.

Internet and Electronic Mail Acceptable Use

When College faculty, staff and students connect to the Internet using any College Internet address designation or send electronic mail using the College designation, it should be consistent with the College’s mission. College equipment, systems, facilities and supplies must be used only for conducting activities consistent with the College’s mission. Users are visible representatives of the College and must use the Internet and College e-mail system in a legal, professional and responsible manner. The following is not an all-inclusive list, and provides only examples of behavior that is not acceptable. Specifically, the Internet and electronic mail will not be used:

• for personal gain or profit;
• to represent yourself as someone else (i.e., “spoofing”);
• for spamming;
• for unauthorized attempts to break into any computing system, whether the College’s or another organization’s (i.e., cracking or hacking);
• for theft or unauthorized copying of electronic files;
• for posting sensitive College information without authorization from the College and without protective measures such as encryption;
• for mass distribution without the College’s authorization, such as “chain letters”;
• for non-business communication using “instant messaging” or similar technology;
• for “sniffing” (i.e., monitoring network traffic), except for those authorized to do so as part of their job responsibilities.

External Internet and VPN Connections

A. A computer that is connected to a College network cannot also be connected to a non-College network via dial-up access using a modem unless specifically authorized by the College ISO. For example, users that subscribe to third party Internet service providers like AOL cannot connect to AOL via a modem at the same time they are connected to a College network.

B. Any connection over a public network (i.e., the Internet) that involves sensitive information must use a Virtual Private Network (VPN) or other equivalent encryption technology to ensure the privacy and integrity of the data passing over the public network.

Portable Computers

A. All portable computing resources and information media must be secured to prevent compromise of confidentiality or integrity. No computer device may store or transmit sensitive information without suitable protective measures being implemented and approved by the College ISO.

B. When using mobile computing facilities such as notebooks, palmtops, laptops and mobile phones, special care must be taken to ensure that information is not compromised. Users of mobile computing are responsible for physical protection, access controls, cryptographic techniques, back-ups, virus protection and the rules associated with connecting mobile facilities to networks, and for following guidance on the use of these facilities in public places. In cases where sensitive information is concerned:

• Care must be taken when using mobile computing facilities in public places, meeting rooms and other unprotected areas outside of the College’s premises. Protection must be in place to avoid unauthorized access to or disclosure of the information stored and processed by these facilities, e.g. using cryptographic techniques.
• When such facilities are used in public places, care must be taken to avoid the risk of unauthorized persons viewing information on-screen.
• Equipment carrying important and/or sensitive information must not be left unattended and, where possible, must be physically locked away, or special locks must be used to secure the equipment.
• Training must be provided to staff using mobile computing resources to raise their awareness of the additional risks resulting from this way of working and the controls that will be implemented.
• Employees in possession of portable, laptop, notebook, palmtop, and other transportable computers must not check these computers in airline luggage systems. These computers must remain in the possession of the traveler as hand luggage unless other arrangements are required by Federal or State authorities.
• For all portable computers such as laptops, notebooks, etc., the use of a “boot-up” or power-on password must be implemented. For those computers containing sensitive information, data encryption techniques may also be employed.

Telephones and Fax Equipment

The use of telephones outside the College for business reasons is sometimes necessary, but it can create security exposures. Examples of best practices:

• take care not to be overheard when discussing confidential matters;
• avoid use of any wireless or cellular phones when discussing sensitive or confidential information;
• avoid leaving sensitive or confidential messages on non-College voicemail systems;
• if sending sensitive or confidential documents via fax, verify the phone number of the destination fax. Contact the recipient to ensure protection of the fax, either by having it picked up quickly or by ensuring that the fax output is in a secure area;
• avoid using Internet fax services to send or receive sensitive or confidential information;
• do not use third party fax services to send or receive sensitive or confidential information;
• do not send sensitive or confidential documents via wireless fax devices;
• when chairing a sensitive or confidential teleconference, confirm that all participants are authorized to participate before starting any discussion.

Wireless Networks

A. Wireless technology and pervasive devices create opportunities for new and innovative uses. College information systems can be exposed to compromise or to a loss of service if security risks are not addressed correctly.

B. Wireless technology is a shared medium. Everything that is transmitted over the radio waves can be intercepted if the interceptor is within the coverage area of the radio transmitters. This represents a potential security issue in wireless Local Area Networks (LANs). The security exposure is more evident in public areas, such as the Library, Residence Halls, and the Student Union.

C. Suitable controls such as authentication and encryption will be implemented by Telecommunications to reduce the possibility that a wireless network or access point can be exploited to disrupt College information services or to gain unauthorized access to College information.

D. A Wireless Communications Policy will be established to address these issues.

Modem Usage

A. Using modems to connect to a network can create security risks. When using a modem and a computer that contains sensitive College information, the following best practices apply:

1. For Outbound Service (configured for outgoing calls only):

• modems must not be left connected to computers in auto-answer mode, such that they are able to receive incoming dial-up calls;

• communications systems must not be established that accept incoming dial-up calls;

• under no circumstances will a user attempt to add a remote access server to a College network.

2. For Inbound Service (configured for the modem to accept incoming calls only):

• all dial-up modem phone numbers are confidential and must be made available only to authorized users;

• only under extreme conditions should a computer have remote control software and dial-in capability;

• dial-up modems must be configured to answer calls on the fourth ring;

• system configuration will be set to disconnect after three unsuccessful password attempts;

• session limits of three hours and inactivity timeouts of 30 minutes will be placed on all sessions.

Public Websites

A. The World Wide Web provides an opportunity for the College both to disseminate information and to provide interactive services quickly and effectively. Because anything posted on a public web server is globally available and each web presence is a potential connection path to the College networks, care will be exercised in the deployment of publicly accessible servers. There is also potential for an insecure server to be used or exploited to assist in an unauthorized or illegal activity, such as an attack on another web site.

B. Sensitive or confidential information will not be made available through a server that is available to a public network without appropriate safeguards approved by the College ISO. The College ISO will implement safeguards to ensure user authentication, data confidentiality and integrity, access control, data protection, and logging mechanisms.

C. The implementation of any web site or software that interacts with the user, requires registration, or collects or processes information from users is considered to be application development and, therefore, must be audited and approved by the College ISO to ensure that the collection and processing of information meets College information security and privacy requirements. The review will ensure that the information is adequately protected while in transit over public and College networks, while in storage, and while being processed.

D. All official web sites will comply with Federal and state legal requirements.

Electronic Signatures

Electronic signatures, including digital signatures, provide a means of protecting the authenticity and integrity of electronic documents. They can be used in electronic transactions where there is a need for a signature. New York State's Electronic Signatures and Records Act (ESRA) provides that electronic signatures are equivalent to hand-written signatures. The College will comply with the Electronic Signatures and Records Act (ESRA), FERPA, and any other State or Federal regulations regarding electronic signatures.

Section 8. Operations Management

Incident Management Procedures

A. All users of College information systems must be made aware of the procedure for reporting information security incidents, threats, weaknesses, or malfunctions that may have an impact on the security of College information. All College staff and contractors are required to report any observed or suspected incidents to the appropriate manager and the College ISO as quickly as possible.

B. Incident management responsibilities must be documented and procedures must be clearly defined to ensure a quick, effective and orderly response to information security incidents. At a minimum, these procedures must address:

• information system failures and loss of service;

• denial of service;

• errors resulting from incomplete or inaccurate data;

• breaches of confidentiality;

• loss of integrity of the software or other system component.

C. In addition to normal contingency plans designed to recover applications, systems or services, the incident response procedures must also cover:

• analysis and identification of the cause of the incident;

• planning and implementation of corrective actions to prevent reoccurrence;

• collection of audit log information;

• communication with those affected by or involved in the recovery from the incident.

D. College management and the College ISO will investigate all information security incidents and implement corrective actions to reduce the risk of reoccurrence.

Segregation of Duties

To reduce the risk of accidental or deliberate system misuse, separation of duties or areas of responsibility must be implemented where practical. Where appropriate, including where the separation of duties is not practical, other compensatory controls such as monitoring of activities, audit trails and management supervision must be implemented.

Separation of Test and Operational Facilities

A. Separation of the development, test and operational environments will be implemented, either logically or physically, when feasible. Processes must be documented and implemented to govern the transfer of software from the development environment to the operational platform.

B. Separation must also be implemented between development and test functions. The College must consider the use of a stable quality assurance environment where user testing can be conducted and changes cannot be made to the programs being tested. The following controls must be considered:

• development and operational software must, where possible, run on different computer processors, or in different domains or directories;

• development and testing activities must be separated;

• compilers, editors and other system utilities must not be accessible from operational systems when not required;

• different log-on procedures should be used for operational, test and development systems, to reduce the risk of error. Users will be encouraged to use different passwords for these systems, and menus should display appropriate identification messages;

• programming staff will only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems.

Protection Against Malicious Software

Software and associated controls must be implemented across College systems to prevent and detect the introduction of malicious software. The introduction of malicious software such as computer viruses, network worms and Trojan horses can cause serious damage to networks, workstations, and data. Users must be made aware of the dangers of unauthorized or malicious software. Anti-virus software will be installed on all computers connected to a College network. At a minimum, the virus signature files for this software must be updated weekly. On host systems or servers, the signature files will be updated daily or when the virus software vendor's signature files are updated and published.

Software Maintenance

All purchased applications and systems software must be maintained at a vendor-supported level to ensure software accuracy and integrity. Maintenance of College-developed software will be logged to ensure changes are authorized, tested and accepted by College management. Also, all known information security patches must be reviewed and applied in a timely manner to reduce the risk of security incidents that could affect the confidentiality, integrity and availability of data or software.

Information Backup

The scope of this program is limited to the IT infrastructure, and the data and applications of the local College environment. To ensure interruptions to normal College operations are minimized, and critical College applications and processes are protected from the effects of major failures, each College unit, in cooperation with the College IT organization, must develop plans that can meet the backup requirements of the College. Backups of critical College data and software must be performed regularly.

System Security Checking

A. Systems and services that process or store sensitive or confidential information or provide support for critical processes must undergo technical security reviews to ensure compliance with implementation standards and to assess vulnerabilities to subsequently discovered threats. Reviews of systems and services that are essential to supporting a critical College function must be conducted at least once every year. Reviews of a representative sample of all other systems and services must be conducted periodically.

B. Any deviations from expected or required results that are detected by the technical security review process must be reported to the College ISO and corrected immediately. In addition, the College application owner should be advised of the deviations and must initiate investigation of the deviations (including the review of system activity log records if necessary).

Disposal of Media

Sensitive information could be leaked to outside persons through careless disposal of media. Formal processes must be established to minimize this risk. Media such as tapes, diskettes, servers, mainframe and PC hard drives, and mobile devices such as phones, PDAs or USB drives containing sensitive College data must be destroyed by incineration, shredding, or electronic erasure of data before disposal, consistent with applicable record retention and disposition laws.

Section 9. Access Control

A. To preserve the properties of integrity, confidentiality and availability, the College's information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.

B. Information owners are responsible for determining who should have access to information assets within their jurisdiction, and what those access privileges will be (read, update, etc.). These access privileges will be granted in accordance with the user's job responsibilities.

User Registration and Management

A. A process shall be established by the College to outline and identify all functions of user management, to include the generation, distribution, modification and deletion of user accounts for access to resources. The purpose of this process is to ensure that only authorized individuals have access to College applications and information and that these users only have access to the resources required for authorized purposes.

B. The User Management Process should include the following sub-processes:

• enrolling new users;

• removing user-ids;

• granting "privileged accounts" to a user;

• removing "privileged accounts" from a user;

• periodically reviewing the "privileged accounts" of users;

• periodically reviewing the users enrolled in any system; and

• assigning a new authentication token (e.g. password reset processing).

C. In most cases the appropriate information owner or supervisor will make requests for the registration and granting of access rights for employees. In some cases access can be automatically granted or taken away based on employment status.

D. For applications that interact with individuals that are not employed by the College, the information owner is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users must be defined, to include the credentials that must be provided to prove the identity of the user requesting registration, validation of the request and the scope of access that may be provided.

Privileged Account Management

A. The issuance and use of privileged accounts will be restricted to only those individuals necessary in the normal performance of their job responsibilities. All individuals (systems programmers, database administrators, network and information security administrators, etc.) will have a unique privileged account (user-ID) for their personal and sole use so that activities can be traced to the responsible person. User-ids must not give any indication of the user's privilege level, e.g., supervisor, manager, administrator. These individuals should also have a second user-ID when performing normal transactions, such as when accessing the College e-mail system.

B. In certain circumstances, where there is a clear requirement or system limitation, a shared user-id for a group of users or a specific job can be used. Additional compensatory controls must be implemented to ensure accountability is maintained.

C. Passwords of privileged accounts should be changed at least every 90 days.

User Password Management

A. Passwords are a common means of authenticating a user's identity to access an information system or service. Password standards will be implemented to ensure all authorized individuals accessing College resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.

B. To ensure good password management, the following password standards will be implemented where feasible:

• password cannot be the same as the user-id;

• password length minimum of 8 characters;

• strong passwords including alpha and numeric characters;

• maximum password age 180 days;

• minimum password age 7 days;

• password uniqueness equal to five (5), i.e., the last five passwords cannot be reused;

• lock out account after an appropriate number of failed logon attempts;

• password lockout duration – 60 minutes, or until reset by an authorized person;

• passwords should not be written down;

• passwords must be kept confidential – they must not be shared with another user;

• temporary passwords must be changed at the first logon.

C. A user who needs a password reset must be authenticated before the request is granted.
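The standards in B are the kind of rules the "automated system controls" in A have to enforce. The following is an added example, not the College's own tooling, showing how each numeric standard (8 characters, 180/7 day ages, history of five, 60 minute lockout) maps onto a checker; the account record layout, the fixed clock, the sample user-ids and the lockout threshold of five failed attempts (the page only says "an appropriate number") are assumptions made for the example.

```python
"""Password-standard checker, written as an added example for the standards
listed under "User Password Management".  It is not the College's own tooling.
Assumptions: the account record layout, the lockout threshold of 5 failed
attempts (the page only says "an appropriate number"), and the sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8          # password length minimum of 8 characters
MAX_AGE_DAYS = 180      # maximum password age 180 days
MIN_AGE_DAYS = 7        # minimum password age 7 days
HISTORY_DEPTH = 5       # password uniqueness equal to five
LOCKOUT_THRESHOLD = 5   # assumption: "an appropriate number of failed logon attempts"
LOCKOUT_MINUTES = 60    # password lockout duration of 60 minutes

# Fixed clock for the worked example (constructed value).
NOW = datetime(2024, 1, 1, 9, 0)


def at(days: int = 0, minutes: int = 0) -> datetime:
    """Point in time relative to NOW; keeps the example deterministic."""
    return NOW + timedelta(days=days, minutes=minutes)


@dataclass
class Account:
    user_id: str
    # Previous passwords, oldest first.  Illustration only: a production
    # system stores salted password hashes here, never the passwords.
    history: List[str] = field(default_factory=list)
    last_change: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def check_new_password(acct: Account, candidate: str, now: datetime) -> List[str]:
    """Return the list of standards a proposed password violates (empty = acceptable)."""
    problems = []
    if candidate.lower() == acct.user_id.lower():
        problems.append("same as user-id")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("needs both letters and digits")
    if candidate in acct.history[-HISTORY_DEPTH:]:
        problems.append("reuses one of the last 5 passwords")
    if acct.last_change is not None and now - acct.last_change < timedelta(days=MIN_AGE_DAYS):
        problems.append("changed less than 7 days ago")
    return problems


def change_password(acct: Account, new_password: str, now: datetime) -> List[str]:
    """Apply the change if it passes the checks; return the problems otherwise."""
    problems = check_new_password(acct, new_password, now)
    if not problems:
        acct.history.append(new_password)
        acct.last_change = now
    return problems


def password_expired(acct: Account, now: datetime) -> bool:
    """True when the password is older than the maximum age (or was never set)."""
    if acct.last_change is None:
        return True
    return now - acct.last_change > timedelta(days=MAX_AGE_DAYS)


def record_logon(acct: Account, success: bool, now: datetime) -> str:
    """Apply the lockout rule to one logon attempt: 'ok', 'rejected' or 'locked'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if success:
        acct.failed_attempts = 0
        acct.locked_until = None
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
        acct.failed_attempts = 0
        return "locked"
    return "rejected"


def reset_lockout(acct: Account) -> None:
    """'...or until reset by authorized person': clears an active lockout."""
    acct.failed_attempts = 0
    acct.locked_until = None


if __name__ == "__main__":
    acct = Account("jsmith", history=["Spring2023x"], last_change=at(days=-30))
    print(check_new_password(acct, "jsmith", NOW))
    print(check_new_password(acct, "Winter2024z", NOW))
```

The checker reports every violated standard at once rather than stopping at the first, which is what a help-desk or self-service reset screen needs in order to tell the user what to fix. The minimum-age rule is what gives the five-password history its teeth: without it a user could cycle through six changes in a minute and land back on the old password.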

Network Access Control

Access to the College's internal networks must require all authorized users to authenticate themselves through use of an individually assigned user-id and an authentication mechanism, e.g., password, token or smart card, or digital certificate. Network controls must be developed and implemented that ensure that an authorized user can access only those network resources and services necessary to perform their assigned job responsibilities.

User Authentication for External Connections (Remote Access Control)

A. To maintain information security, the College requires that individual accountability be maintained at all times, including during remote access. For the purposes of this program, "remote access" is defined as any access coming into a College network from a non-College network. This includes, but is not limited to:

• dialing in from another location over public lines by an employee or other authorized individual for the purpose of telecommuting or working from home;

• connecting a third party network via dial or other temporary access technology to the College networks.

B. Connection to the College's networks must be done in a secure manner to preserve the integrity of the networks, data transmitted over those networks, and the availability of those networks. Security mechanisms must be in place to control access to College systems and networks remotely from fixed or mobile locations.

C. Because of the level of risk inherent with remote access, use of a strong password or another comparable method is required prior to connecting to a College network.

D. When accessing the College networks remotely, identification and authentication of the entity requesting access must be performed in such a manner as to not disclose the password or other authentication information that could be intercepted and used by a third party.

E. Use of a common access point is required. This means that all remote connections to a computer must be made through managed central points-of-entry. Using this type of entry system to access the College computer provides many benefits, including simplified and cost effective information security, maintenance, and support.

F. For a vendor to access College computers or software, individual accountability is also required. For those systems (hardware or software) for which there is a built-in user-id for the vendor to perform maintenance, the account must be disabled until the user-id is needed. The activity performed while this vendor user-id is in use must be logged. When the vendor has completed the work, the vendor user-id should be disabled, or the password changed, to prevent unauthorized use of this privileged account. Vendor user-ids will be named to be easily identifiable.

G. In the special case where servers, storage devices or other computer equipment has the capability to automatically connect to a vendor to report problems or suspected problems, the College Information Security Administrator must review any such connection to ensure that connectivity does not compromise the College networks.

H. Employees working from a remote location must ensure that the work environment at the remote location provides adequate information security for College data and computing resources. Appropriate protection mechanisms must be in place at the remote location to protect against theft of the equipment, unauthorized disclosure of College information, misuse of College equipment or unauthorized access to the College internal networks or other facilities. To ensure the proper information security controls are in place and all College information security standards are followed, the following must be considered:

• the existing physical security of the remote location, considering the physical security of the building and the local environment;

• the communications security requirements, considering the need for remote access to the College's internal systems, the sensitivity of the information that will be accessed and transmitted over the communication link and the sensitivity of the internal system;

• the threat of unauthorized access to information or resources from other people using the accommodation, e.g. family and friends.

I. The following controls must be considered, but are not limited to:

• the provision of suitable communication equipment, including methods for securing remote access and authentication tokens;

• anti-virus software and a method for maintaining current signature files;

• implementation of suitable network boundary controls to prevent unauthorized information exchange between College networks connected to remote computers and externally connected networks, such as the Internet. Such measures include firewalls, VPNs and intrusion detection techniques;

• encryption of sensitive information in transit and on the local computer workstation;

• physical security;

• rules and guidance on family and visitor access to equipment and information;

• the provision of hardware and software support and maintenance;

• the procedures for back-up;

• audit and information security monitoring;

• revocation of authority, access rights and the return of equipment when the remote access activities cease.

Segregation of Networks

Routers, firewalls, VPNs or other technologies should be implemented to control access to secured resources on the College networks.

Monitoring System Access and Use

Systems and applications must be monitored and analyzed to detect deviation from the access control program and record events to provide evidence and to reconstruct lost or damaged data. Audit logs recording exceptions and other information security-relevant events must be produced and kept consistent with record retention schedules developed in cooperation with the State Archives and Records Administration (SARA) and College requirements to assist in future investigations and access control monitoring. Audit logs will include but are not limited to:

• user-ids;

• dates and times for logon and logoff;

• terminal identity or location if possible; and

• records of successful and rejected system access attempts.
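To show what "monitored and analyzed to detect deviation" looks like against records holding exactly the four fields listed, here is an added example, not the College's own tooling. The key=value log format, the user-ids, terminal names and every log line are constructed for the example; real systems emit their own formats. It checks each record for the required fields (terminal identity is treated as optional, matching "if possible"), counts rejected attempts per user-id, flags bursts of rejections, and lists logons with no matching logoff.

```python
"""Audit-log completeness and access-monitoring checks, written as an added
example for the "Monitoring System Access and Use" standard.  It is not the
College's own tooling.  The log format and every log line below are
constructed for the example; real systems emit their own formats."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Fields the standard requires in every record: user-id, date/time, and the
# outcome of the access attempt.  Terminal identity is "if possible", so it
# is recorded when present but its absence is not an error.
REQUIRED = ("user", "event", "result")

# Constructed sample log (one record per line): timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:01:12 user=jsmith term=lib-ws07 event=LOGON result=OK
2024-03-04T08:45:30 user=jsmith term=lib-ws07 event=LOGOFF result=OK
2024-03-04T09:02:01 user=kdoe term=res-hall-12 event=LOGON result=REJECTED
2024-03-04T09:02:20 user=kdoe term=res-hall-12 event=LOGON result=REJECTED
2024-03-04T09:02:41 user=kdoe term=res-hall-12 event=LOGON result=REJECTED
2024-03-04T09:03:05 user=kdoe term=res-hall-12 event=LOGON result=OK
2024-03-04T10:15:00 user=admin7 term=dc-console event=LOGON result=OK
2024-03-04T11:00:00 term=lib-ws02 event=LOGON
"""


def parse_line(line: str) -> dict:
    """Parse one record; raise ValueError when a required field is missing."""
    timestamp, _, rest = line.partition(" ")
    record = {"time": datetime.fromisoformat(timestamp)}
    for token in rest.split():
        key, _, value = token.partition("=")
        record[key] = value
    missing = [f for f in REQUIRED if f not in record]
    if missing:
        raise ValueError(f"missing {', '.join(missing)}")
    record.setdefault("term", "unknown")
    return record


def load_log(text: str) -> Tuple[List[dict], List[str]]:
    """Split a log into well-formed records and lines that fail the completeness check."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(parse_line(line))
        except ValueError as exc:
            malformed.append(f"{line}  <- {exc}")
    return records, malformed


def rejected_by_user(records: List[dict]) -> Dict[str, int]:
    """Count rejected access attempts per user-id."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["event"] == "LOGON" and r["result"] == "REJECTED":
            counts[r["user"]] += 1
    return dict(counts)


def repeated_rejections(records: List[dict], threshold: int, window_minutes: int) -> List[str]:
    """User-ids with `threshold` or more rejections inside any `window_minutes` span."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON" and r["result"] == "REJECTED":
            times[r["user"]].append(r["time"])
    window = timedelta(minutes=window_minutes)
    flagged = []
    for user, stamps in times.items():
        stamps.sort()
        # Sliding window: compare each rejection with the (threshold-1)th one after it.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def open_sessions(records: List[dict]) -> List[str]:
    """User-ids with a successful logon and no later logoff."""
    active = set()
    for r in sorted(records, key=lambda r: r["time"]):
        if r["event"] == "LOGON" and r["result"] == "OK":
            active.add(r["user"])
        elif r["event"] == "LOGOFF":
            active.discard(r["user"])
    return sorted(active)


if __name__ == "__main__":
    recs, bad = load_log(SAMPLE_LOG)
    print(len(recs), "records;", len(bad), "malformed")
    print(rejected_by_user(recs), repeated_rejections(recs, 3, 10), open_sessions(recs))
```

The malformed-line list is the completeness check the retention requirement implies: a record that cannot say who attempted access, or whether it succeeded, is of no use to a later investigation and should be surfaced when the log is collected, not when it is needed. The burst detector is deliberately simple; the threshold and window are parameters so they can be aligned with the lockout settings chosen under User Password Management.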

Section 10. Systems Development and Maintenance

A. Software applications are developed or acquired to provide efficient solutions to College problems. These applications generally store, manipulate, retrieve and display information used to conduct College business. The College units become dependent on these applications, and it is essential that the data processed by these applications be accurate and readily available for authorized use. It is also critical that the software that performs these activities be protected from unauthorized access or tampering.

B. To ensure that information security is built into all College information systems, all security requirements, including the need for rollback arrangements, must be documented.

C. Information security requirements and controls must reflect the value of the information assets involved, and the potential damage that might result from a failure or absence of information security measures. This is especially critical for online applications. The framework for analyzing the information security requirements and identifying controls to meet them is associated with threat assessment and risk management, which must be performed by the College ISO and the information owner.

Control of Internal Processing

Data which have been entered correctly can be corrupted by processing errors or through deliberate acts. Application design must ensure that controls are implemented to minimize the risk of processing failures leading to a loss of data or system integrity. Specific areas to consider include:

• the use and location in programs of add and delete functions to implement changes to data;

• the procedures to prevent programs running in the wrong order or running after failure of prior processing;

• the use of correction programs to recover from failures to ensure the correct processing of data.

Cryptographic Controls

Use of cryptography for protection of high-risk information must be considered when other controls do not provide adequate protection. Encryption is a technique that can be used to protect the confidentiality of information. It must be considered for the protection of sensitive or critical information. Based on a risk assessment, the required level of protection will be identified, taking into account the type and quality of the encryption algorithm used and the length of cryptographic keys employed.

Change Control Procedures

A. To minimize the possibility of corruption of information systems, strict controls over changes to information systems must be implemented. Formal change control procedures for applications must be developed, implemented and enforced. They must ensure that information security and control procedures are not compromised, that support programmers are given access only to those parts of a system necessary to perform their jobs, and that formal agreement and approval processes for changes are implemented. These change control procedures will apply to College applications as well as systems software used to maintain operating systems, network software, hardware changes, etc.

B. In addition, access to source code libraries for both College applications and operating systems must be tightly controlled to ensure that only authorized individuals have access to these libraries and that access is logged to ensure all access can be monitored.

Section 11. Compliance

The design, operation, use and management of information systems are subject to legal and vendor contractual information security requirements.

Gramm-Leach-Bliley Act

A. The Gramm-Leach-Bliley Act (GLBA) requires "financial institutions", as defined by the Federal Trade Commission (FTC), to protect and secure customer information such as names, Social Security numbers, addresses, account and credit card information. The GLBA sets forth extensive privacy rules with which the College is deemed to be in compliance because of its adherence to the provisions of the Family Educational Rights and Privacy Act (FERPA). The GLBA also establishes a Safeguards Rule, from which the College is not exempt, that requires the College to protect and safeguard customer information.

Payment Card Industry Data Security Standard

A. The Payment Card Industry Data Security Standard (PCI DSS) requires any entity that collects credit card data to protect customer data and card numbers through security management, policies, procedures, network architecture, software design and other critical protective measures. The College will comply with the PCI DSS.

Safeguarding of College Records

A. College records must be protected from loss, destruction or unauthorized modification. Some records may need to be retained in a secure manner for extended periods to meet state and Federal legal retention requirements, as well as to support essential operations.

B. The General Retention and Disposition Schedule for New York State Government Records contains guidelines for complying with legal, fiscal, and administrative requirements for records retention and provides advice on management of records. The College will develop procedures to dispose of any records in accordance with the provisions of Section 57.05 of Arts and Cultural Affairs Law. New York State Archives and Records Administration (SARA) issues general schedules to authorize the retention and disposition of records.

C. Safeguards that will be taken to protect customer information include the following:

• Computer access will be limited by user IDs and passwords

• Customer information stored in file cabinets will be accessible only to staff in offices who need access and will be locked when not in use

• Offices that have access to customer information will be locked after hours

• Customer data will be backed up routinely

• Passwords will expire periodically and employees must then reset them

• Passwords will not be posted in publicly viewable places

• Intrusion detection systems will monitor the College networks to allow the prompt detection of attacks and intrusions

• Vulnerability scanning of systems containing customer information will be conducted periodically

• Antivirus protection will be maintained on all computer systems

• Designated staff members will supervise the disposal of records containing customer information

• Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information

• Inventories of all computer systems will be maintained

• Reduce paper forms and documents through increased electronic access to this information

• Implement measures to ensure unauthorized persons cannot access College computer systems when left unattended

• Avoid using Social Security numbers as a primary identification number

Prevention of Misuse of Information Technology Resources

The information technology resources and the data processed by these resources are provided for College purposes. Management should authorize their use. Any use of IT facilities or data for non-College or unauthorized purposes, without management's consent, should be considered a misuse of College facilities.

Compliance

A. Compliance with this IT Security program is mandatory. Each user must understand his/her role and responsibilities regarding information security issues and protecting the College's information assets. The failure to comply with this or any other information security program that results in the compromise of College information confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement. The College will take every reasonable step necessary, including legal and administrative measures, to protect its information assets.

B. The College Information Security Officer shall review this document annually. If significant changes are needed, the ISO shall propose the changes to the President's Cabinet.

C. The College managers and supervisors will ensure that all information security processes and procedures within their areas of responsibility are followed. In addition, all units within the College may be subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the program requirements is not met will be documented and reported to the College's Information Security Officer. For each area of non-compliance, a plan will be developed to address the deficiencies.

DEFINITIONS

Authenticity:

This is the exchange of security information to verify the claimed identity of a

communications partner. In security terms it is particularly to counter attempts to

masquerade as an authorized user to enable new connections or associations.

Authorization:

The granting of rights, which includes the granting of access based on an authenticated

identity.

Availability:

This is the ‘property’ of being available and usable upon demand by an authorized

entity, e.g. a system or user.

Classification:

The designation given to information or a document from a defined category on the

basis of its sensitivity to disclosure, modification or destruction.

Computer:

All physical, electronic and other components, types and uses of computers, including

but not limited to hardware, software, central processing units, electronic

communications and systems, databases, memory, Internet service, information

systems, laptops, Personal Digital Assistants and accompanying equipment used to

support the use of computers, such as printers, fax machines and copiers, and any

updates, revisions, upgrades or replacements thereto.

Confidentiality:

The property that information is not made available or disclosed to unauthorized

individuals, entities, or processes.

Controls:

Countermeasures or safeguards that are the devices or mechanisms that are needed to

meet the requirements of program.

Cracking or Hacking:

Attempting to break into another system in which you have no account, and is treated

as malicious intent.

Critical:

A condition, vulnerability or threat that could cause danger to data, a system, network,

or a component thereof.

Customer:

Faculty, staff, students and others conducting business with the College.

Data:

The collection of information assets complied, generated or maintained to support the

College.

Denial of Service:

An attack that takes up so much of the College’s resources that it results in degradation

of performance or loss of access to the company’s business services or resources.

Disaster:

A condition in which an information asset is unavailable, as a result of a natural or manmade

occurrence, that is of sufficient duration to cause significant disruption in the

accomplishment of the College’s objectives as determined by College management.

Encryption:

The cryptographic transformation of data to render it unintelligible through an

algorithmic process using a cryptographic key.

Firewall:

A security mechanism that creates a barrier between an internal network and an

external network.

GLBA:

The Gramm-Leach-Bliley Act was passed by Congress in 1999 to protect the privacy

and security of customer financial information.

Host:

A system or computer that contains business and/or operational software and/or data.

Incident Response:

The manual and automated procedures used to respond to reported network intrusions (real or suspected); network failures and errors; and other undesirable events.

Information:

Information is defined as the representation of facts, concepts, or instructions in a

formalized manner suitable for communication, interpretation, or processing by human

or automated means.

Information Assets:

(1) All categories of automated information, including but not limited to: records, files,

and databases, and (2) information technology facilities, equipment (including

microcomputer systems), and software owned or leased by the State.

Information Owner:

An individual or organizational unit having responsibility for making classification and

control decisions regarding use of information.

Information Security:

The protection of automated information from accidental or intentional unauthorized

access, modification, destruction, or disclosure.

Instant Messaging (IM):

The ability to exchange short messages online with co-workers or others. IM solutions

can take several forms. They can use an existing Internet based service, or they can be

an Intranet only solution implemented and controlled within an IT department. The latter

is significantly more secure than the former, but lacks access to business partners.

Integrity:

The property that data has not been altered or destroyed from its intended form or

content in an unintentional or an unauthorized manner.

Internet:

This shall mean a system of linked computer networks, international in scope, that facilitates data transmission and exchange, all of which use the standard Internet protocol, TCP/IP, to communicate and share data with each other.

Intranet:

The Intranet is an internal (i.e., non-public) network that uses the same technology and

protocols as the Internet.

Intrusion Detection:

The monitoring of network activities, primarily through automated measures, to detect, log and report upon actual or suspected unauthorized access and events for investigation and resolution.

ISO:

Information Security Officer.

Non-Repudiation:

Unforgeable evidence that a specific action occurred. This action could be the transmission of an electronic message, the completion of a transaction, or some other action.

PCI DSS:

The Payment Card Industry Data Security Standard was adopted to assure the

protection of customer data and credit card numbers.

Physical Security:

The protection of information processing equipment from damage, destruction or theft;

information processing facilities from damage, destruction or unauthorized entry; and

personnel from potentially harmful situations.

Privacy:

The right of individuals and organizations to control the collection, storage, and

dissemination of information about themselves.

Privileged Account:

The user-ID or account of an individual whose job responsibilities require special

system authorization, such as a network administrator, security administrator, etc.

Special authorizations are allocated to this account such as RACF Administrator,

auditor, Special or UNIX root.

Procedures:

Specific operational steps that individuals must take to achieve goals stated in this

program.

Remote Access Server (RAS):

A server that allows users to gain access to a LAN from a remote location. Once a user has authenticated, he or she can access network resources as if physically connected to the LAN.

Risk:

The likelihood or probability that a loss of information assets or breach of security will

occur.

Risk Assessment:

The process of identifying threats to information or information systems, determining the

likelihood of occurrence of the threat, and identifying system vulnerabilities that could be

exploited by the threat.

Risk Management:

The process of taking actions to assess risks and avoid or reduce risk to acceptable

levels.

Security Management:

The responsibility and actions required to manage the security environment including

the security policies and mechanisms.

Security Program:

The set of criteria for the provision of security services based on global rules imposed

for all users. These rules usually rely on a comparison of the sensitivity of the resources

being accessed and the possession of corresponding attributes of users, a group of

users, or entities acting on behalf of users.

Sensitivity:

The degree to which, in terms of confidentiality, leakage or disclosure of the information would cause a negative impact to the organization.

Sniffing:

Monitoring network traffic.

Spamming:

Blindly posting something to a large number of groups.

Spoofing:

Representing yourself as someone else.

Standard:

Sets of rules for implementing the program. Standards make specific mention of technologies, methodologies, implementation procedures and other detailed factors.

State:

Shall mean the State of New York.

Technical Security Review:

A technical security review would consist of reviewing the controls built into a system or

application to ensure they still perform as designed. It would also include reviewing

security patches to ensure they have been installed and are operational, review of

security rules such as access control lists for currency, testing of firewall rules, etc.

The College:

The State University of New York, College at Oneonta

Third Party:

Any non-College entity such as a contractor, vendor, consultant, another College, etc.

Threat:

A threat is a force, organization or person that seeks to gain access to, or compromise, information. A threat can be assessed in terms of the probability of an attack. Looking at the nature of the threat, its capability and resources, one can assess it, and then determine the likelihood of occurrence, as in risk assessment.

Trojan Horse:

Illegal code hidden in a legitimate program that when executed performs some

unauthorized activity or function.

Unauthorized Access Or Privileges:

An insider or outsider who gains access to network or computer resources without permission.

USENET News group:

A USENET news group is a bulletin board where people can read or post Netnews

messages on specific topics. There are many specialized business news groups. Many

news groups are subscribed to by experts in the given topic and these individuals can

provide valuable information and will sometimes respond to direct queries.

User:

One who has authorized access to information on a computer. The authorization may

include the ability to add or update information as well as access.

Virus:

Any security threat that executes in a manner so that computer resources are damaged,

lost or otherwise occupied so they are unavailable.

VPN:

Virtual Private Network. Internet protocol (IP) virtual private networks (VPNs) are a

collection of technologies that ensure the privacy of data over a shared unsecured IP

network infrastructure. The two key points as to what constitutes an IP VPN are privacy

and an IP network.

Vulnerability:

A weakness of a system or facility holding information which can be exploited to gain

access. Vulnerability can be assessed in terms of the means by which the attack would

be successful.

World Wide Web (WWW):

The World Wide Web is a hypertext-based system designed to allow access to information in such a way that the information may physically reside on locally or geographically different servers. This access was greatly improved through the introduction of a graphical interface to the World Wide Web called a web browser. Netscape and Internet Explorer are two of the most popular web browsers.

Worm:

A program similar to a virus that can consume large quantities of network bandwidth

and spread from one network to another.

Effective Dates

• Approved by the President on 3/27/2005

• Revised on 9/25/2010


PURPOSE

The purpose of this document is to define a set of minimum information technology (IT)

security requirements that the College must meet to comply with State and Federal

directives. The College may, based on its individual business needs and specific legal

requirements such as FERPA or the GLBA, exceed any or all of the information security

requirements put forth in this document, but must, at a minimum, achieve the

information security levels defined in this document.

The primary objectives of the IT Security Program are:

• effectively manage the risk of IT security exposure or compromise within College systems;

• communicate within the College community the responsibilities for the protection of College information;

• comply with the Family Educational Rights and Privacy Act of 1974 (FERPA - the Buckley Amendment), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS) and other statutes, policies and standards protecting the rights of individuals;

• consistently maintain data integrity and accuracy;

• assure that authorized individuals have timely and reliable access to necessary data;

• deny with reasonable assurance unauthorized individuals access to computing resources or other means to retrieve, modify or transfer data.

SCOPE

This program applies to all faculty, staff and students of the College, or others (e.g., Research Foundation employees, OAS employees, vendors, contractors, etc.) who may utilize the College’s technology and related facilities.

This program encompasses all computer systems, for which the College has

responsibility, including systems managed or hosted by third parties on behalf of the

College. It addresses all electronic information, regardless of the form or format, which

is created or used in support of the College mission.

IT security refers to the protection of information from unauthorized access, destruction,

modification or disclosure. For the purposes of this document, information is defined as

the representation of facts, concepts, or instructions in an electronic manner suitable for

communication, interpretation, or processing by human or automated means.

Information is relayed in a variety of methods such as in written documentation or

through computer networks. Information is also stored and retrieved in several formats.

The formats can include but are not limited to: computer databases or transmissions,

tapes, CD ROMS, diskettes, computer generated reports, hard copy documentation, email

messages, voice mail, etc.

This program must be communicated to all faculty, staff, students and all others who

have access to or manage College information. This IT security program is not specific

to any type of hardware, communications method, network topology, or software

applications. As such, it is designed to be implemented across campus.

PROGRAM

Section 1. Preface

The President’s Cabinet is fully committed to IT security and agrees that every person in

the College community has an important responsibility to continuously maintain the

security and privacy of College data. This IT Security Program is a statement of the

minimum requirements, ethics, responsibilities and accepted behaviors required to

establish and maintain a secure environment, and achieve the College’s IT security

objectives. This IT Security Program sets the direction, gives broad guidance and

defines requirements for IT security related processes and actions across the College.

This program follows the framework of the International Standards Organization’s ISO

27002 - The Information Security Standard.

Section 2. Organizational and Functional Responsibilities

A. The College: The President will designate an Information Security Officer (ISO). The

ISO will ensure that an organization structure is in place for:

• coordinating and implementing information security policies, standards, and procedures;

• assigning information security responsibilities;

• implementing an IT security awareness program;

• monitoring significant changes in the exposure of IT assets to major threats, legal

or regulatory requirements;

• responding to IT security incidents;

• leading major initiatives to enhance IT Security;

• leading disaster preparedness planning to ensure continuity of College business.

B. College Designated Staff: College designated staff will be responsible for the

implementation of this and other IT Security policies and the compliance of College

employees to this program. The designated staff must educate College employees with

regard to IT Security issues, explain the issues, why the policies have been established,

and what role(s) individuals have in safeguarding IT assets. Consequences of noncompliance

will also be explained.

C. Information Owners: Information owners are responsible for determining who

should have access to protected resources within their jurisdiction, and what those

access privileges should be (read, update, etc.). These access privileges must be in

accordance with the user’s job responsibilities. Information owners also communicate to

the College ISO the legal requirements for access and disclosure of their data.

Information owners must be identified for all College information assets and assigned

responsibility for the maintenance of appropriate information security measures such as

assigning and maintaining asset classification and controls, managing user access to

their resources, etc. Responsibility for implementing information security measures may

be delegated, though accountability remains with the identified owner of the asset.

D. College Information Security Officer: The College Information Security Officer has

overall responsibility for ensuring the implementation, enhancement, monitoring and

enforcement of this program. The College Information Security Officer is responsible for

providing direction and leadership to the College through the recommendation of IT

security policies, standards, processes and education and awareness programs to

ensure that appropriate safeguards are implemented, and to facilitate compliance with

those policies, standards and processes. The College Information Security Officer is

responsible for investigating all alleged IT security violations. In this role, the College

Information Security Officer may refer the investigation to other investigatory entities,

including law enforcement. The College Information Security Officer will coordinate and

oversee IT security program activities and reporting processes in support of this

program and other IT security initiatives.

E. IT Security Administrator: This individual will report to the College Information

Security Officer and be responsible for administering IT security tools, auditing IT

security practices, identifying and analyzing IT security threats and solutions, and

responding to IT security violations.

F. Departments or Individuals with Direct Responsibility for Technology Support: These areas have responsibility for the data processing infrastructure and computing networks which support the information owners. It is their responsibility to support the IT Security Program and provide resources needed to enhance and maintain a level of IT Security control consistent with the College’s IT Security Program.

These departments have the following responsibilities in relation to the IT security:

• ensuring processes, policies and requirements are identified and implemented

relative to IT security requirements defined by the College;

• ensuring the proper controls of IT are implemented for which the College has

assigned ownership responsibility, based on the College’s classification

designations;

• ensuring the participation of the College Information Security Officer and

technical staff in identifying and selecting appropriate and cost-effective IT

security controls and procedures, and in protecting IT assets;

• ensuring that appropriate IT security requirements for user access to automated

information are defined for files, databases, and physical devices assigned to

their areas of responsibility;

• ensuring that critical data and recovery plans are backed up and kept at a

secured off-site storage facility and that recovery of backed-up media will work

if and when needed.

G. College Employees: It is the responsibility of all employees to protect College

information and resources, including passwords, and to report suspected IT security

incidents to one or more of the following: the information owner, the IT Help Desk, or the

Information Security administrator as appropriate.

H. Non-College Employees: Oneonta Auxiliary Services (OAS), Research Foundation

(RF), Retirees, Contractors, Consultants, Vendors and other persons including

students, to the extent of their present or past access to the College IT assets, are also

covered by this IT Security Program.

Section 3. Information Technology Security

All stored or transmitted electronic information which is created, acquired or used in

support of the College’s mission, regardless of the form or format, must be used for

College business only. This information is an asset and must be protected from its

creation, through its useful life, and to its authorized disposal. It must be maintained in a

secure, accurate, and reliable manner and be readily available for authorized use.

Information must be classified and protected based on its importance to business

activities, risks, and information security best practices as defined in International

Standards Organization’s ISO 27002 - The Information Security Standard.

A. Information is one of the College’s most valuable assets and the College relies upon

that information to support our mission. The quality and availability of that information is

key to the College's ability to carry out its mission. Therefore, the security of the

College’s information, and of the technologies and systems that support it, is the

responsibility of everyone concerned. Each authorized user of College information has

an obligation to preserve and protect College information assets in a consistent and

reliable manner. Information security controls provide the necessary physical, logical

and procedural safeguards to accomplish those goals.

B. Information security management enables information to be shared while ensuring

protection of that information and its associated computer assets including the networks

over which the information travels. College designated staff are responsible for ensuring

that appropriate physical, logical and procedural controls are in place on these assets to

preserve the information security properties of confidentiality, integrity, availability and

privacy of College information.

Individual Accountability

Individual accountability is the cornerstone of any information security program. Without

it, there can be no information security. Individual accountability is required when

accessing all College resources.

• Access to College computer systems and networks must be provided through the

use of individually assigned unique computer identifiers, known as user-IDs.

• Individuals who use College computers must only access information assets to which they are authorized.

• Associated with each user-ID is an authentication token, such as a password,

which must be used to authenticate the person accessing the data, system or

network. Passwords, tokens or similar technology must be treated as

confidential information, and must not be disclosed. Transmission of such

authentication information must be made only over secure mechanisms.

• Each individual is responsible to reasonably protect against unauthorized

activities performed under his or her user-ID.

• For the user’s protection, and for the protection of College resources, user-IDs and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared. In certain circumstances, where there is a clear requirement or system limitation, a shared user-ID for a group of users or a specific job may be used. Additional compensatory controls must be implemented to ensure accountability is maintained.

Confidentiality / Integrity / Availability

A. All College information must be protected from unauthorized access to help ensure

the information’s confidentiality and maintain its integrity. Information owners will secure

information within their jurisdiction based on the information’s value, sensitivity to

disclosure, consequences of loss or compromise, and ease of recovery. The College

will adopt policies and procedures to guide information owners in securing their

information assets.

B. Information will be readily available for authorized use when it is needed by users in

the normal performance of their duties. Appropriate processes will be defined and

implemented to ensure the reasonable and timely recovery of all the College

information, applications and systems, regardless of computing platform, should that

information become corrupted, destroyed, or unavailable for a defined period (refer to Section 8 - Operations Management Program, Information Backup section).

Section 4. Asset Classification and Control

A. Information must be properly managed from its creation, through authorized use, to

proper disposal and requires different levels of protection. Information will be classified

based on its value, sensitivity, consequences of loss or compromise, and/or legal and

retention requirements. Criteria for determining the sensitivity of information will include

consideration of confidentiality, integrity, availability, privacy, safety, legal and retention

compliance requirements.

B. All information will have an information owner established within the College’s lines of

business who will be responsible for assigning the initial information classification, and

make all decisions regarding controls, access privileges of users, and daily decisions

regarding information management.

C. Each classification will have a set or range of controls, designed to provide the

appropriate level of protection of the information and its associated application software

commensurate with the value of the information in that classification. Protective

measures will address the above considerations with control categories that include:

identification & authentication, access control, confidentiality, network security, host

security, integrity, non-repudiation, monitoring and compliance.

Privacy and Handling of Private Information

Privacy of personally identifiable information must be maintained consistent with laws,

rules and regulations. The College’s systems hold personal information (i.e., any

information that is unique to any individual) to carry out the mission of the College. The

protection of the privacy of personal information is of utmost importance and the College

must protect the rights of privacy of all members of the College community. All College

employees with access to personal information are required to respect the

confidentiality of that personal information to the full extent of the law. Personal data,

including information about employees, students, members of the public, organizations

and business partners, collected and maintained by the College must:

• be consistent with the provisions of the Internet Security and Privacy Act, the

Freedom of Information Law, FERPA, and the Personal Privacy Protection

Law;

• be used as authorized by law;

• be gathered in a lawful manner;

• be kept in a manner as required by law or regulations;

• not be disclosed unless authorized or required by law;

• be available for review by authorized individuals;

• be corrected if errors are known to exist or if the individual identifies errors;

• be erased where appropriate if the individual requests consistent with applicable

laws; and

• be protected using system access controls.

Section 5. Personnel Security

The intent of this section is to reduce the risk of human error and misuse of College

information and facilities.

Including Information Security in Job Responsibilities

Information security roles and responsibilities must be documented. These roles and

responsibilities will include general responsibilities for all College employees, as well as

specific responsibilities for protecting specific information assets and performing tasks

related to information security procedures or processes.

User Training

A. All faculty, staff and students must receive general information security awareness

training to ensure they are knowledgeable of information security procedures, their roles

and responsibilities regarding the protection of the College information assets, and the

proper use of information processing facilities to minimize information security risks.

B. Departments that process or maintain sensitive information are responsible for

conducting specific information security awareness training for employees who handle

such information in the course of their job duties. This training should include physical handling and disposition of non-electronic documents containing sensitive information, as well as proper procedures to follow in processing and storing electronic information and documents.

C. Logon banners will be implemented on all systems where that feature exists to inform all users that the system is for College business or other approved use consistent with the College mission.

Responding to Information Security Incidents and Malfunctions

A. Incidents affecting information security must be reported as quickly as possible to

one or more of the following: the information owner, the Information Technology (IT)

Help Desk or the IT Security Administrator as appropriate.

B. Formal incident reporting procedures that define the actions to be taken when an

incident occurs must be established. Feedback mechanisms must be implemented to

ensure that individuals reporting incidents are notified of the results after the incident

has been resolved and closed.

Reporting Information Security Weaknesses

Users of information technologies shall report any observed or suspected information

security weaknesses or threats to the appropriate manager and the IT Security

Administrator. They must report these weaknesses as soon as possible. Users must not

attempt to prove a suspected weakness unless authorized by the College ISO to do so.

Testing weaknesses could have unintended consequences.

Reporting Information Security Software Malfunctions

Users are required to report software malfunctions such as a virus not being detected,

password change not accepted, etc. Users should report such malfunctions by calling

the IT Help Desk. After the IT Help Desk is notified of the problem the following actions

will be taken:

• the symptoms of the problem and any messages appearing on the screen will be

documented;

• the computer will be isolated, if possible, and use of it stopped until the problem

has been resolved;

• the incident will be reported immediately to the appropriate manager and the IT

Security Administrator.

Incident Management Process

The logging of information security incidents will be used by the College to identify

recurring or high impact incidents and to record lessons learned. Review of this

information may indicate the need for additional controls to limit the frequency, damage

and cost of future incidents.
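The review this process calls for is easier to see on data. The following is an added example, not part of the College’s program: it assumes incidents are logged as CSV records with the columns date, category, impact, system and lesson (an assumed layout), tallies incidents per category, flags categories that recur at or above an assumed threshold of two occurrences, lists the high-impact incidents, and groups the recorded lessons by category so that categories which are both recurring and high-impact surface as candidates for an additional control. Every log line is constructed for the example.

```python
"""Aggregate a constructed incident log to surface recurring and high-impact
incidents and the lessons recorded against them.  Added example; the record
layout (date,category,impact,system,lesson) and the recurrence threshold
are assumptions, not the College's own format or values."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample incident log; every line is made up for this example.
SAMPLE_LOG = """\
date,category,impact,system,lesson
2010-09-01,phishing,high,mail-gw,user training refresher scheduled
2010-09-03,malware,medium,lab-ws-12,AV signatures were 4 days stale
2010-09-07,phishing,medium,mail-gw,sender domain added to block list
2010-09-12,lost-laptop,high,laptop-0042,disk was not encrypted
2010-09-15,phishing,high,mail-gw,credentials reset for 3 accounts
2010-09-20,malware,low,lab-ws-03,AV signatures were 6 days stale
2010-09-28,misconfiguration,medium,web-01,directory listing enabled
"""

RECURRING_THRESHOLD = 2  # assumed: two or more occurrences count as recurring


def parse_incidents(text):
    """Parse CSV incident records into dicts; rows without a category are skipped."""
    reader = csv.DictReader(StringIO(text))
    return [row for row in reader if row.get("category")]


def summarize(records, recurring_threshold=RECURRING_THRESHOLD):
    """Return per-category counts, the recurring categories (sorted), the
    high-impact incidents, and the recorded lessons grouped by category."""
    by_category = Counter(r["category"] for r in records)
    recurring = sorted(c for c, n in by_category.items() if n >= recurring_threshold)
    high_impact = [r for r in records if r["impact"] == "high"]
    lessons = defaultdict(list)
    for r in records:
        lessons[r["category"]].append(r["lesson"])
    return {
        "by_category": dict(by_category),
        "recurring": recurring,
        "high_impact": high_impact,
        "lessons": dict(lessons),
    }


def control_candidates(summary):
    """Categories that are both recurring and carry at least one high-impact
    incident: the first place to look when deciding whether an additional
    control is needed to limit frequency, damage and cost."""
    high_categories = {r["category"] for r in summary["high_impact"]}
    return [c for c in summary["recurring"] if c in high_categories]


if __name__ == "__main__":
    summary = summarize(parse_incidents(SAMPLE_LOG))
    for category, count in sorted(summary["by_category"].items()):
        print(f"{category:18s} {count}")
    print("recurring:", summary["recurring"])
    print("high-impact incidents:", len(summary["high_impact"]))
    print("control candidates:", control_candidates(summary))
    for category in control_candidates(summary):
        for lesson in summary["lessons"][category]:
            print(f"  {category}: {lesson}")
```

On the constructed log, phishing is both recurring and high-impact and its three recorded lessons are listed together, which is the kind of pattern the review is meant to expose; a single lost laptop is high-impact but not recurring, so it is reported but not flagged as a candidate.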

Section 6. Physical and Environmental Information Security

Physical Security Barriers

A. Breaching physical security can cause a loss of or damage to College information

assets. Physical security will be achieved by creating physical barriers around the

assets being protected. These barriers could be in the form of an entry point with card

key access, a locked door, a staff member, or other physical barrier.

B. College environments where servers are stored or operational, wiring closets for networks and telephony, printers where confidential or sensitive information may be printed, and any other areas that contain and/or process critical or sensitive information must be secured against unauthorized access.

C. The College will perform periodic threat and risk analysis to determine where

additional physical security measures are necessary, and implement these measures to

mitigate the risks.

Secure Disposal or Re-use of Equipment

There is risk of disclosure of sensitive information through careless disposal or re-use of

equipment. Storage devices such as hard disk drives and other magnetic media such as

tape, containing sensitive information will be physically destroyed or securely

overwritten to prevent the unauthorized disclosure of sensitive College information.
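One way to carry out the "securely overwritten" option above for an individual file on a magnetic disk, as an added example rather than the College’s own procedure: the function names and the pass scheme (random data on each pass, zeros on the last, with a sync to disk after each) are assumptions. Overwriting in place is only meaningful where the filesystem rewrites the same blocks; on SSDs, journaling or copy-on-write filesystems, and for media being disposed of whole, the program’s other option, physical destruction, is the reliable choice, and the code comments say so. The file contents used in the demonstration are constructed.

```python
"""Overwrite a file in place before deleting it.  Added example, not the
College's procedure; function names and the pass scheme are assumptions."""
import os
import secrets
import tempfile

# Constructed marker standing in for sensitive content; not real data.
MARKER = b"SSN 123-45-6789\n"


def overwrite_in_place(path, passes=3, chunk_size=1 << 16):
    """Rewrite every byte of the file at `path` `passes` times: random data
    on each pass except the last, which writes zeros, with flush and fsync
    after each pass.  The file is opened without truncation so the same
    on-disk extent is rewritten.  Returns the number of bytes overwritten.

    Caveat: this assumes the filesystem rewrites blocks in place.  SSD wear
    levelling, journaling and copy-on-write filesystems can leave the old
    blocks intact; for those, and for whole-device disposal, rely on the
    physical destruction the program also allows."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for current_pass in range(passes):
            f.seek(0)
            remaining = size
            last_pass = current_pass == passes - 1
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(bytes(n) if last_pass else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_file(path, passes=3):
    """Overwrite the file, then unlink it.  Returns bytes overwritten."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def demonstrate():
    """Create a constructed file holding MARKER, overwrite it, check that the
    marker is gone and the file is the same size and fully zeroed, then wipe
    it and confirm it no longer exists.  Returns the observations as a dict."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(MARKER * 1000)
    original_size = os.path.getsize(path)
    overwritten = overwrite_in_place(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    wiped = wipe_file(path, passes=1)
    return {
        "original_size": original_size,
        "overwritten": overwritten,
        "marker_found_after_overwrite": MARKER in after,
        "size_preserved": len(after) == original_size,
        "zeroed": after == bytes(original_size),
        "wiped": wiped,
        "exists_after_wipe": os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The demonstration reads the file back after the overwrite to confirm the marker is gone and the size unchanged, which is the check worth keeping in a real disposal procedure; what it cannot confirm is that no earlier copy of the blocks survives elsewhere on the device, which is why the caveat in the docstring matters.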

Clear Screen

Desktop, laptop and PDA computers connected to a network and/or containing sensitive

or confidential College information must be automatically logged off or the screen

locked within 30 minutes of inactivity.

Inventory Control

All College owned computer equipment will be tagged to identify the College as the

owner. An equipment inventory will be conducted annually by the Office of Property

Management.

Section 7. Communications and Network Management

Network Management

The College must implement a range of network controls to maintain security in its internal networks, and ensure the protection of connected services and networks. These controls help prevent unauthorized access to and use of the College networks. The following controls, at a minimum, should be implemented:

• Operational responsibility for networks will be separate from computer operations when possible;

• Responsibilities and procedures for remote use must be established (refer to Section 9. Access Control of this document);

• When necessary, special controls will be implemented to safeguard the integrity and confidentiality of data passing over public networks (Internet).

Host Scanning

Any devices connected to a network will be scanned periodically to ensure that no major vulnerabilities have been introduced into the environment. The frequency of scans will be determined by the College ISO.

Network Security Checking

A. Network vulnerability scanning will be conducted periodically at the discretion of the IT Security Administrator. The output of the scans will be reviewed in a timely manner, and any vulnerability detected will be evaluated for risk and mitigated. The tools used to scan for vulnerabilities will be updated periodically to ensure that recently discovered vulnerabilities are included in any scans.

B. A process to perform the scanning will be defined by the College, tested and followed at all times to minimize the possibility of disruption to the College networks by such reviews. Reports of exposures to vulnerabilities will be forwarded to the College ISO and IT Security Administrator.

C. All connections to College networks must be authenticated.

D. The use of any network vulnerability scanning tools, whether internal or external, by individuals who are not part of the formal test process described above is prohibited. Any vulnerability scanning from the Internet must be conducted exclusively by the College’s authorized, qualified staff or a qualified third party.

Internet and Electronic Mail Acceptable Use

When College faculty, staff and students connect to the Internet using any College Internet address designation or send electronic mail using the College designation, it should be consistent with the College’s mission. College equipment, systems, facilities and supplies must be used only for conducting activities consistent with the College’s mission. Users are visible representatives of the College and must use the Internet and College e-mail system in a legal, professional and responsible manner. The following is not an all-inclusive list, and provides only examples of behavior that is not acceptable. Specifically, the Internet and electronic mail will not be used:

• for personal gain or profit;

• to represent yourself as someone else (i.e., “spoofing”);

• for spamming;

• for unauthorized attempts to break into any computing system, whether the College’s or another organization’s (i.e., cracking or hacking);

• for theft or unauthorized copying of electronic files;

• for posting sensitive College information without authorization from the College and without protective measures such as encryption;

• for mass distribution without the College’s authorization, such as “chain letters”;

• for non-business communication using “instant messaging” or similar technology;

• for “sniffing” (i.e., monitoring network traffic), except by those authorized to do so as part of their job responsibilities.

External Internet and VPN Connections

A. A computer that is connected to a College network cannot also be connected to a non-College network via dial-up access using a modem unless specifically authorized by the College ISO. For example, users that subscribe to third party Internet service providers like AOL cannot connect to AOL via a modem at the same time they are connected to a College network.

B. Any connection over a public network (i.e., the Internet) that involves sensitive information must use a Virtual Private Network (VPN) or other equivalent encryption technology to ensure the privacy and integrity of the data passing over the public network.

Portable Computers

A. All portable computing resources and information media must be secured to prevent compromise of confidentiality or integrity. No computer device may store or transmit sensitive information without suitable protective measures being implemented and approved by the College ISO.

B. When using mobile computing facilities such as notebooks, palmtops, laptops and mobile phones, special care must be taken to ensure that information is not compromised. Users of mobile computing are responsible for physical protection, access controls, cryptographic techniques, back-ups, virus protection, the rules associated with connecting mobile facilities to networks, and guidance on the use of these facilities in public places. In cases where sensitive information is concerned:

• Care must be taken when using mobile computing facilities in public places, meeting rooms and other unprotected areas outside of the College's premises. Protection must be in place to avoid unauthorized access to or disclosure of the information stored and processed by these facilities, e.g. using cryptographic techniques.

• When such facilities are used in public places, care must be taken to avoid the risk of unauthorized persons viewing information on-screen.

• Equipment carrying important and/or sensitive information must not be left unattended and, where possible, must be physically locked away, or special locks must be used to secure the equipment.

• Training must be provided to staff using mobile computing resources to raise their awareness of the additional risks resulting from this way of working and the controls that will be implemented.

• Employees in possession of portable, laptop, notebook, palmtop, and other transportable computers must not check these computers in airline luggage systems. These computers must remain in the possession of the traveler as hand luggage unless other arrangements are required by Federal or State authorities.

• For all portable computers such as laptops, notebooks, etc., a “bootup” or power-on password must be implemented. For those computers containing sensitive information, data encryption techniques may also be employed.

Telephones and Fax Equipment

The use of telephones outside the College for business reasons is sometimes necessary, but it can create security exposures. Examples of best practices for users:

• take care not to be overheard when discussing confidential matters;

• avoid use of any wireless or cellular phones when discussing sensitive or confidential information;

• avoid leaving sensitive or confidential messages on non-College voicemail systems;

• if sending sensitive or confidential documents via fax, verify the phone number of the destination fax. Contact the recipient to ensure protection of the fax, either by having it picked up quickly or by ensuring that the fax output is in a secure area;

• avoid using Internet fax services to send or receive sensitive or confidential information;

• do not use third party fax services to send or receive sensitive or confidential information;

• do not send sensitive or confidential documents via wireless fax devices;

• when chairing a sensitive or confidential teleconference, confirm that all participants are authorized to participate before starting any discussion.

Wireless Networks

A. Wireless technology and pervasive devices create opportunities for new and innovative uses. College information systems can be exposed to compromise or to a loss of service if security risks are not addressed correctly.

B. Wireless technology is a shared medium. Everything that is transmitted over the radio waves can be intercepted if the interceptor is within the coverage area of the radio transmitters. This represents a potential security issue in wireless Local Area Networks (LANs). The security exposure is more evident in public areas, such as the Library, Residence Halls, and the Student Union.

C. Suitable controls such as authentication and encryption will be implemented by Telecommunications to reduce the possibility that a wireless network or access point can be exploited to disrupt College information services or to gain unauthorized access to College information.

D. A Wireless Communications Policy will be established to address these issues.

Modem Usage

A. Using modems to connect to a network can create security risks. When using a modem and a computer that contains sensitive College information, the following best practices apply:

1. For Outbound Service (configured for outgoing calls only):

• modems must not be left connected to computers in auto-answer mode, such that they are able to receive incoming dial-up calls;

• communications systems must not be established that accept incoming dial-up calls;

• under no circumstances will a user attempt to add a remote access server to a College network.

2. For Inbound Service (configured for the modem to accept incoming calls only):

• all dial-up modem phone numbers are confidential and must be made available only to authorized users;

• only under extreme conditions should a computer have remote control software and dial-in capability;

• dial-up modems must be configured to answer calls on the fourth ring;

• system configuration will be set to disconnect after three unsuccessful password attempts;

• session limits of three hours and inactivity timeouts of 30 minutes will be placed on all sessions.

Public Websites

A. The World Wide Web provides an opportunity for the College both to disseminate information and to provide interactive services quickly and effectively. Because anything posted on a public web server is globally available and each web presence is a potential connection path to the College networks, care will be exercised in the deployment of publicly accessible servers. There is also potential for an insecure server to be used or exploited to assist in an unauthorized or illegal activity, such as an attack on another web site.

B. Sensitive or confidential information will not be made available through a server that is available to a public network without appropriate safeguards approved by the College ISO. The College ISO will implement safeguards to ensure user authentication, data confidentiality and integrity, access control, data protection, and logging mechanisms.

C. The implementation of any web site or software that interacts with the user, requires registration, or collects or processes information from users is considered to be application development and, therefore, must be audited and approved by the College ISO to ensure that the collection and processing of information meets College information security and privacy requirements. The review will ensure that the information is adequately protected while in transit over public and College networks, while in storage, and while being processed.

D. All official web sites will comply with Federal and State legal requirements.

Electronic Signatures

Electronic signatures, including digital signatures, provide a means of protecting the authenticity and integrity of electronic documents. They can be used in electronic transactions where there is a need for a signature. New York State's Electronic Signatures and Records Act (ESRA) provides that electronic signatures are equivalent to hand-written signatures. The College will comply with the Electronic Signatures and Records Act (ESRA), FERPA, and any other State or Federal regulations regarding electronic signatures.

Section 8. Operations Management

Incident Management Procedures

A. All users of College information systems must be made aware of the procedure for reporting information security incidents, threats, weaknesses, or malfunctions that may have an impact on the security of College information. All College staff and contractors are required to report any observed or suspected incidents to the appropriate manager and the College ISO as quickly as possible.

B. Incident management responsibilities must be documented and procedures must be clearly defined to ensure a quick, effective and orderly response to information security incidents. At a minimum, these procedures must address:

• information system failures and loss of service;

• denial of service;

• errors resulting from incomplete or inaccurate data;

• breaches of confidentiality;

• loss of integrity of the software or other system component.

C. In addition to normal contingency plans designed to recover applications, systems or services, the incident response procedures must also cover:

• analysis and identification of the cause of the incident;

• planning and implementation of corrective actions to prevent reoccurrence;

• collection of audit log information;

• communication with those affected by or involved in the recovery from the incident.

D. College management and the College ISO will investigate all information security incidents and implement corrective actions to reduce the risk of reoccurrence.

Segregation of Duties

To reduce the risk of accidental or deliberate system misuse, separation of duties or areas of responsibility must be implemented where practical. Where appropriate, including where the separation of duties is not practical, other compensatory controls such as monitoring of activities, audit trails and management supervision must be implemented.

Separation of Test and Operational Facilities

A. Separation of the development, test and operational environments will be implemented, either logically or physically, when feasible. Processes must be documented and implemented to govern the transfer of software from the development environment to the operational platform.

B. Separation must also be implemented between development and test functions. The College must consider the use of a stable quality assurance environment where user testing can be conducted and changes cannot be made to the programs being tested. The following controls must be considered:

• development and operational software must, where possible, run on different computer processors, or in different domains or directories;

• development and testing activities must be separated;

• compilers, editors and other system utilities must not be accessible from operational systems when not required;

• different log-on procedures should be used for operational, test and development systems, to reduce the risk of error. Users will be encouraged to use different passwords for these systems, and menus should display appropriate identification messages;

• programming staff will only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems.

Protection Against Malicious Software

Software and associated controls must be implemented across College systems to prevent and detect the introduction of malicious software. The introduction of malicious software such as computer viruses, network worms and Trojan horses can cause serious damage to networks, workstations, and data. Users must be made aware of the dangers of unauthorized or malicious software. Anti-virus software will be installed on all computers connected to a College network. At a minimum, the virus signature files for this software must be updated weekly. On host systems or servers, the signature files will be updated daily or when the virus software vendor’s signature files are updated and published.

Software Maintenance

All purchased applications and systems software must be maintained at a vendor-supported level to ensure software accuracy and integrity. Maintenance of College-developed software will be logged to ensure changes are authorized, tested and accepted by College management. Also, all known information security patches must be reviewed and applied in a timely manner to reduce the risk of security incidents that could affect the confidentiality, integrity and availability of data or software.

Information Backup

The scope of this program is limited to the IT infrastructure, and the data and applications of the local College environment. To ensure interruptions to normal College operations are minimized, and critical College applications and processes are protected from the effects of major failures, each College unit, in cooperation with the College IT organization, must develop plans that can meet the backup requirements of the College. Backups of critical College data and software must be performed regularly.

System Security Checking

A. Systems and services that process or store sensitive or confidential information or provide support for critical processes must undergo technical security reviews to ensure compliance with implementation standards and to assess vulnerabilities to subsequently discovered threats. Reviews of systems and services that are essential to supporting a critical College function must be conducted at least once every year. Reviews of a representative sample of all other systems and services must be conducted periodically.

B. Any deviations from expected or required results that are detected by the technical security review process must be reported to the College ISO and corrected immediately. In addition, the College application owner should be advised of the deviations and must initiate investigation of the deviations (including the review of system activity log records if necessary).

Disposal of Media

Sensitive information could be leaked to outside persons through careless disposal of media. Formal processes must be established to minimize this risk. Media such as tapes, diskettes, servers, mainframe and PC hard drives, and mobile devices such as phones, PDAs or USB drives containing sensitive College data must be destroyed by incineration, shredding, or electronic erasure of data before disposal, consistent with applicable record retention and disposition laws.

Section 9. Access Control

A. To preserve the properties of integrity, confidentiality and availability, the College’s information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.

B. Information owners are responsible for determining who should have access to information assets within their jurisdiction, and what those access privileges will be (read, update, etc.). These access privileges will be granted in accordance with the user’s job responsibilities.

User Registration and Management

A. A process shall be established by the College to outline and identify all functions of user management, to include the generation, distribution, modification and deletion of user accounts for access to resources. The purpose of this process is to ensure that only authorized individuals have access to College applications and information and that these users only have access to the resources required for authorized purposes.

B. The User Management Process should include the following sub-processes:

• enrolling new users;

• removing user-ids;

• granting “privileged accounts” to a user;

• removing “privileged accounts” from a user;

• periodic review of users’ “privileged accounts”;

• periodic review of users enrolled to any system; and

• assigning a new authentication token (e.g. password reset processing).

C. In most cases the appropriate information owner or supervisor will make requests for the registration and granting of access rights for employees. In some cases access can be automatically granted or taken away based on employment status.

D. For applications that interact with individuals that are not employed by the College, the information owner is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users must be defined, to include the credentials that must be provided to prove the identity of the user requesting registration, validation of the request, and the scope of access that may be provided.

Privileged Account Management

A. The issuance and use of privileged accounts will be restricted to only those individuals necessary in the normal performance of their job responsibilities. All individuals (systems programmers, database administrators, network and information security administrators, etc.) will have a unique privileged account (user-ID) for their personal and sole use so that activities can be traced to the responsible person. User-ids must not give any indication of the user’s privilege level, e.g., supervisor, manager, administrator. These individuals should also have a second user-ID when performing normal transactions, such as when accessing the College e-mail system.

B. In certain circumstances, where there is a clear requirement or system limitation, a shared user-id for a group of users or a specific job can be used. Additional compensatory controls must be implemented to ensure accountability is maintained.

C. Passwords of privileged accounts should be changed at least every 90 days.

User Password Management

A. Passwords are a common means of authenticating a user’s identity to access an information system or service. Password standards will be implemented to ensure all authorized individuals accessing College resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.

B. To ensure good password management, the following password standards will be implemented where feasible:

• password cannot be the same as the user-id;

• password length minimum of 8 characters;

• strong passwords including alpha and numeric characters;

• maximum password age 180 days;

• minimum password age 7 days;

• password uniqueness equal to five (5);

• lock out account after an appropriate number of failed logon attempts;

• password lockout duration 60 minutes, or until reset by an authorized person;

• passwords should not be written down;

• passwords must be kept confidential; they must not be shared with another user;

• temporary passwords must be changed at the first logon.

C. A user who needs a password reset must be authenticated before the request is granted.
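The standards above are meant to be "mandated by automated system controls"; the following is an added example (not the College's own code) of what such a control looks like when the rules are checked at password-change and logon time. The numeric values (8 characters, alpha and numeric, 180-day maximum age, 7-day minimum age, history of five, temporary passwords changed at first logon) are taken from the list above; the function names, the `Account` data model, the case-insensitive user-id comparison and the choice of PBKDF2-HMAC-SHA256 with a per-entry salt for the password history are assumptions made for this example.

```python
"""Password standard checks modelled on Section 9, User Password Management.

Added example; not the College's own code. Rule values come from the policy text;
the data model, function names and hashing choices are assumptions made here.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8
MAX_AGE = timedelta(days=180)
MIN_AGE = timedelta(days=7)
HISTORY_DEPTH = 5          # "password uniqueness equal to five (5)"
PBKDF2_ROUNDS = 100_000    # assumption: work factor for the stored history hashes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored salt/digest pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    user_id: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    last_changed: Optional[datetime] = None
    temporary: bool = False  # set when an administrator issued a reset password


def composition_problems(user_id: str, password: str) -> List[str]:
    """Rules that can be checked against the candidate string alone."""
    problems = []
    if password.lower() == user_id.lower():  # assumption: compare case-insensitively
        problems.append("password is the same as the user-id")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("must contain both alphabetic and numeric characters")
    return problems


def change_problems(account: Account, new_password: str, now: datetime) -> List[str]:
    """Every reason a password change must be refused; an empty list means accept."""
    problems = composition_problems(account.user_id, new_password)
    # Minimum age: a temporary (reset) password must be changed at first logon,
    # so it is exempt from the 7-day minimum.
    if (account.last_changed is not None and not account.temporary
            and now - account.last_changed < MIN_AGE):
        problems.append(f"changed less than {MIN_AGE.days} days ago")
    # Uniqueness: reject reuse of any of the last HISTORY_DEPTH passwords.
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if matches(new_password, salt, digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def apply_change(account: Account, new_password: str, now: datetime) -> List[str]:
    """Validate and, if acceptable, record the new password. Returns the problems found."""
    problems = change_problems(account, new_password, now)
    if not problems:
        account.history.append(hash_password(new_password))
        account.history = account.history[-HISTORY_DEPTH:]
        account.last_changed = now
        account.temporary = False
    return problems


def logon_state(account: Account, now: datetime) -> str:
    """What the logon process must do about this account's password."""
    if account.temporary:
        return "must-change"   # temporary password: change required at first logon
    if account.last_changed is None or now - account.last_changed > MAX_AGE:
        return "expired"       # beyond the 180-day maximum age
    return "ok"


def demo() -> list:
    """Constructed scenario: a reset account going through several change attempts."""
    t0 = datetime(2024, 1, 1)
    acct = Account("jdoe", temporary=True)
    return [
        apply_change(acct, "jdoe", t0),                             # same as user-id, short, no digit
        apply_change(acct, "Winter2024", t0),                       # accepted
        apply_change(acct, "Spring2024", t0 + timedelta(days=2)),   # refused: under minimum age
        apply_change(acct, "Winter2024", t0 + timedelta(days=30)),  # refused: reuse
        logon_state(acct, t0 + timedelta(days=200)),                # expired
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The lockout rules (failed-attempt count and 60-minute duration) belong to the logon path rather than the change path and are not modelled here; the history is kept as salted hashes so that the uniqueness check never requires storing old passwords in clear.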

Network Access Control

Access to the College’s internal networks must require all authorized users to authenticate themselves through use of an individually assigned user-id and an authentication mechanism, e.g., password, token or smart card, or digital certificate. Network controls must be developed and implemented that ensure that an authorized user can access only those network resources and services necessary to perform their assigned job responsibilities.

User Authentication for External Connections (Remote Access Control)

A. To maintain information security, the College requires that individual accountability be maintained at all times, including during remote access. For the purposes of this program, “remote access” is defined as any access coming into a College network from a non-College network. This includes, but is not limited to:

• dialing in from another location over public lines by an employee or other authorized individual for the purpose of telecommuting or working from home;

• connecting a third party network via dial or other temporary access technology to the College networks.

B. Connection to the College’s networks must be done in a secure manner to preserve the integrity of the networks, the data transmitted over those networks, and the availability of those networks. Security mechanisms must be in place to control remote access to College systems and networks from fixed or mobile locations.

C. Because of the level of risk inherent with remote access, use of a strong password or another comparable method is required prior to connecting to a College network.

D. When accessing the College networks remotely, identification and authentication of the entity requesting access must be performed in such a manner as to not disclose the password or other authentication information that could be intercepted and used by a third party.

E. Use of a common access point is required. This means that all remote connections to a computer must be made through managed central points-of-entry. Using this type of entry system to access College computers provides many benefits, including simplified and cost-effective information security, maintenance, and support.

F. For a vendor to access College computers or software, individual accountability is also required. For those systems (hardware or software) for which there is a built-in user-id for the vendor to perform maintenance, the account must be disabled until the user-id is needed. The activity performed while this vendor user-id is in use must be logged. When the vendor has completed the work, the vendor user-id should be disabled, or the password changed, to prevent unauthorized use of this privileged account. Vendor user-ids will be named to be easily identifiable.

G. In the special case where servers, storage devices or other computer equipment have the capability to automatically connect to a vendor to report problems or suspected problems, the College Information Security Administrator must review any such connection to ensure that connectivity does not compromise the College networks.

H. Employees working from a remote location must ensure that the work environment at the remote location provides adequate information security for College data and computing resources. Appropriate protection mechanisms must be in place at the remote location to protect against theft of the equipment, unauthorized disclosure of College information, misuse of College equipment or unauthorized access to the College internal networks or other facilities. To ensure the proper information security controls are in place and all College information security standards are followed, the following must be considered:

• the existing physical security of the remote location, considering the physical security of the building and the local environment;

• the communications security requirements, considering the need for remote access to the College's internal systems, the sensitivity of the information that will be accessed and transmitted over the communication link, and the sensitivity of the internal system;

• the threat of unauthorized access to information or resources from other people using the accommodation, e.g. family and friends.

I. Controls to be considered include, but are not limited to:

• the provision of suitable communication equipment, including methods for securing remote access and authentication tokens;

• anti-virus software and a method for maintaining current signature files;

• implementation of suitable network boundary controls to prevent unauthorized information exchange between College networks connected to remote computers and externally connected networks, such as the Internet. Such measures include firewalls, VPNs and intrusion detection techniques;

• encryption of sensitive information in transit and on the local computer workstation;

• physical security;

• rules and guidance on family and visitor access to equipment and information;

• the provision of hardware and software support and maintenance;

• the procedures for back-up;

• audit and information security monitoring;

• revocation of authority and access rights and the return of equipment when the remote access activities cease.

Segregation of Networks

Routers, firewalls, VPNs or other technologies should be implemented to control access to secured resources on the College networks.

Monitoring System Access and Use

Systems and applications must be monitored and analyzed to detect deviation from the access control program and to record events that provide evidence and allow lost or damaged data to be reconstructed. Audit logs recording exceptions and other information security-relevant events must be produced and kept consistent with record retention schedules developed in cooperation with the State Archives and Records Administration (SARA) and College requirements, to assist in future investigations and access control monitoring. Audit logs will include but are not limited to:

• user-ids;

• dates and times for logon and logoff;

• terminal identity or location if possible; and

• records of successful and rejected system access attempts.
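The four fields listed above are exactly what a reviewer needs to "detect deviation from the access control program". As an added example (not the College's own tooling), the following review runs over a constructed log extract carrying those fields and reports three things: user-ids whose rejected attempts reached the lockout threshold, accepted logons that occurred inside a lockout period (which would mean the lockout control from the User Password Management standards did not take effect), and logons with no matching logoff. The line format, the sample lines, the failure threshold of five and the ten-minute counting window are assumptions made here; the 60-minute lockout duration is the policy's own value.

```python
"""Review of access audit logs, following Section 9, Monitoring System Access and Use.

Added example; not the College's own tooling. The log fields are those the policy
lists; the line format, sample lines and review thresholds are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample extract: "<timestamp> <user-id> <terminal> <event>"
SAMPLE_LOG = """\
2024-03-04T08:00:12 jdoe LIB-PC-07 LOGON_OK
2024-03-04T08:41:03 jdoe LIB-PC-07 LOGOFF
2024-03-04T09:10:00 asmith ADMIN-WS-2 LOGON_FAIL
2024-03-04T09:10:09 asmith ADMIN-WS-2 LOGON_FAIL
2024-03-04T09:10:15 asmith ADMIN-WS-2 LOGON_FAIL
2024-03-04T09:10:22 asmith ADMIN-WS-2 LOGON_FAIL
2024-03-04T09:10:30 asmith ADMIN-WS-2 LOGON_FAIL
2024-03-04T09:10:41 asmith ADMIN-WS-2 LOGON_OK
2024-03-04T13:00:00 rlee VPN-GW-1 LOGON_OK
2024-03-04T23:59:50 bkhan RES-HALL-11 LOGON_FAIL
2024-03-05T00:00:04 bkhan RES-HALL-11 LOGON_FAIL
"""

FAIL_THRESHOLD = 5                         # assumption: the "appropriate number" of failures
FAIL_WINDOW = timedelta(minutes=10)        # assumption: failures are counted in a rolling window
LOCKOUT_DURATION = timedelta(minutes=60)   # policy value: lockout duration 60 minutes
EVENT_KINDS = {"LOGON_OK", "LOGON_FAIL", "LOGOFF"}


@dataclass(frozen=True)
class Event:
    when: datetime
    user_id: str
    terminal: str
    kind: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-field format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in EVENT_KINDS:
            continue
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return sorted(events, key=lambda e: e.when)


def find_lockouts(events: List[Event]) -> Dict[str, datetime]:
    """User-ids that reached FAIL_THRESHOLD rejections inside FAIL_WINDOW, with lockout expiry."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    lockouts: Dict[str, datetime] = {}
    for e in events:
        if e.kind != "LOGON_FAIL":
            continue
        window = [t for t in recent[e.user_id] if e.when - t <= FAIL_WINDOW] + [e.when]
        recent[e.user_id] = window
        if len(window) >= FAIL_THRESHOLD and e.user_id not in lockouts:
            lockouts[e.user_id] = e.when + LOCKOUT_DURATION
    return lockouts


def success_during_lockout(events: List[Event], lockouts: Dict[str, datetime]) -> List[Event]:
    """Accepted logons inside a lockout period: the lockout control did not take effect."""
    return [e for e in events
            if e.kind == "LOGON_OK" and e.user_id in lockouts
            and lockouts[e.user_id] - LOCKOUT_DURATION < e.when <= lockouts[e.user_id]]


def open_sessions(events: List[Event]) -> Dict[str, Event]:
    """Successful logons with no later logoff for the same user-id and terminal."""
    open_by_key: Dict[tuple, Event] = {}
    for e in events:
        key = (e.user_id, e.terminal)
        if e.kind == "LOGON_OK":
            open_by_key[key] = e
        elif e.kind == "LOGOFF":
            open_by_key.pop(key, None)
    return {f"{u}@{t}": e for (u, t), e in open_by_key.items()}


def review(text: str) -> dict:
    """Run every check over one log extract and return the findings for the reviewer."""
    events = parse_log(text)
    lockouts = find_lockouts(events)
    users = sorted({e.user_id for e in events})
    return {
        "lockouts": {u: t.isoformat() for u, t in lockouts.items()},
        "success_during_lockout": [f"{e.user_id}@{e.terminal} {e.when.isoformat()}"
                                   for e in success_during_lockout(events, lockouts)],
        "open_sessions": sorted(open_sessions(events)),
        "rejected_attempts": {u: sum(1 for e in events if e.user_id == u and e.kind == "LOGON_FAIL")
                              for u in users},
    }


if __name__ == "__main__":
    for section, finding in review(SAMPLE_LOG).items():
        print(section, finding)
```

In the sample, `asmith` reaches five rejections within the window and then logs on eleven seconds later, which the review reports as a success during lockout; the two rejections for `bkhan` straddle midnight and stay below the threshold, which is why the check counts by time rather than by calendar day.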

Section 10. Systems Development and Maintenance

A. Software applications are developed or acquired to provide efficient solutions to College problems. These applications generally store, manipulate, retrieve and display information used to conduct College business. The College units become dependent on these applications, and it is essential that the data processed by these applications be accurate and readily available for authorized use. It is also critical that the software that performs these activities be protected from unauthorized access or tampering.

B. To ensure that information security is built into all College information systems, all security requirements, including the need for rollback arrangements, must be documented.

C. Information security requirements and controls must reflect the value of the information assets involved, and the potential damage that might result from a failure or absence of information security measures. This is especially critical for online applications. The framework for analyzing the information security requirements and identifying controls to meet them is associated with threat assessment and risk management, which must be performed by the College ISO and the information owner.

Control of Internal Processing

Data which have been entered correctly can be corrupted by processing errors or through deliberate acts. Application design must ensure that controls are implemented to minimize the risk of processing failures leading to a loss of data or system integrity. Specific areas to consider include:

• the use and location in programs of add and delete functions to implement changes to data;

• the procedures to prevent programs running in the wrong order or running after failure of prior processing;

• the use of correction programs to recover from failures to ensure the correct processing of data.

Cryptographic Controls

Use of cryptography for protection of high-risk information must be considered when other controls do not provide adequate protection. Encryption is a technique that can be used to protect the confidentiality of information. It must be considered for the protection of sensitive or critical information. Based on a risk assessment, the required level of protection will be identified, taking into account the type and quality of the encryption algorithm used and the length of the cryptographic keys employed.

Change Control Procedures

A. To minimize the possibility of corruption of information systems, strict controls over changes to information systems must be implemented. Formal change control procedures for applications must be developed, implemented and enforced. They must ensure that information security and control procedures are not compromised, that support programmers are given access only to those parts of a system necessary to perform their jobs, and that formal agreement and approval processes for changes are implemented. These change control procedures will apply to College applications as well as systems software used to maintain operating systems, network software, hardware changes, etc.

B. In addition, access to source code libraries for both College applications and operating systems must be tightly controlled to ensure that only authorized individuals have access to these libraries and that access is logged so that all access can be monitored.

Section 11. Compliance

The designs, operation, use and management of information systems are subject to

legal and vendor contractual information security requirements.

Gramm-Leach-Bliley Act

A. The Gramm-Leach-Bliley Act (GLBA) requires “financial institutions”, as defined by the Federal Trade Commission (FTC), to protect and secure customer information such as names, Social Security numbers, addresses, account and credit card information. The GLBA sets forth extensive privacy rules, with which the College is deemed to be in compliance because of its adherence to the provisions of the Family Educational Rights and Privacy Act (FERPA). The GLBA also establishes a Safeguards Rule, from which the College is not exempt, that requires the College to protect and safeguard customer information.

Payment Card Industry Data Security Standard

A. The Payment Card Industry Data Security Standard (PCI DSS) requires any entity that collects credit card data to protect customer data and card numbers through security management, policies, procedures, network architecture, software design and other critical protective measures. The College will comply with the PCI DSS.

Safeguarding of College Records

A. College records must be protected from loss, destruction or unauthorized modification. Some records may need to be retained in a secure manner for extended periods to meet state and Federal legal retention requirements, as well as to support essential operations.

B. The General Retention and Disposition Schedule for New York State Government Records contains guidelines for complying with legal, fiscal, and administrative requirements for records retention and provides advice on management of records. The College will develop procedures to dispose of any records in accordance with the provisions of Section 57.05 of Arts and Cultural Affairs Law. New York State Archives and Records Administration (SARA) issues general schedules to authorize the retention and disposition of records.

C. Safeguards that will be taken to protect customer information include the following:

• Computer access will be limited by user IDs and passwords

• Customer information stored in file cabinets will be accessible only to staff in offices who need access, and the cabinets will be locked when not in use

• Offices that have access to customer information will be locked after hours

• Customer data will be backed up routinely

• Passwords will expire periodically and employees must then reset them

• Passwords will not be posted in publicly viewable places

• Intrusion detection systems will monitor the College networks to allow the prompt detection of attacks and intrusions

• Vulnerability scanning of systems containing customer information will be conducted periodically

• Antivirus protection will be maintained on all computer systems

• Designated staff members will supervise the disposal of records containing customer information

• All data will be erased when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information

• Inventories of all computer systems will be maintained

• Paper forms and documents will be reduced through increased electronic access to this information

• Measures will be implemented to ensure unauthorized persons cannot access College computer systems when left unattended

• The use of Social Security numbers as a primary identification number will be avoided

Prevention of Misuse of Information Technology Resources

The information technology resources and the data processed by these resources are provided for College purposes. Management should authorize their use. Any use of IT facilities or data for non-College or unauthorized purposes, without management’s consent, should be considered a misuse of College facilities.

Compliance

A. Compliance with this IT Security Program is mandatory. Each user must understand his/her role and responsibilities regarding information security issues and protecting the College’s information assets. Failure to comply with this or any other information security program that results in the compromise of College information confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement. The College will take every reasonable step necessary, including legal and administrative measures, to protect its information assets.

B. The College Information Security Officer shall review this document annually. If significant changes are needed, the ISO shall propose the changes to the President’s Cabinet.

C. College managers and supervisors will ensure that all information security processes and procedures within their areas of responsibility are followed. In addition, all units within the College may be subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the program requirements is not met will be documented and reported to the College’s Information Security Officer. For each area of non-compliance, a plan will be developed to address the deficiencies.

DEFINITIONS

Authenticity:

The exchange of security information to verify the claimed identity of a communications partner. In security terms it is particularly intended to counter attempts to masquerade as an authorized user in order to enable new connections or associations.

Authorization:

The granting of rights, which includes the granting of access based on an authenticated identity.

Availability:

The ‘property’ of being available and usable upon demand by an authorized entity, e.g. a system or user.

Classification:

The designation given to information or a document from a defined category on the basis of its sensitivity to disclosure, modification or destruction.

Computer:

All physical, electronic and other components, types and uses of computers, including but not limited to hardware, software, central processing units, electronic communications and systems, databases, memory, Internet service, information systems, laptops, Personal Digital Assistants and accompanying equipment used to support the use of computers, such as printers, fax machines and copiers, and any updates, revisions, upgrades or replacements thereto.

Confidentiality:

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Controls:

Countermeasures or safeguards: the devices or mechanisms that are needed to meet the requirements of the program.

Cracking or Hacking:

Attempting to break into a system on which you have no account; this is treated as malicious intent.

Critical:

A condition, vulnerability or threat that could cause danger to data, a system, a network, or a component thereof.

Customer:

Faculty, staff, students and others conducting business with the College.

Data:

The collection of information assets compiled, generated or maintained to support the College.

Denial of Service:

An attack that takes up so much of the College’s resources that it results in degradation of performance or loss of access to the College’s business services or resources.

Disaster:

A condition in which an information asset is unavailable, as a result of a natural or man-made occurrence, for a duration sufficient to cause significant disruption in the accomplishment of the College’s objectives, as determined by College management.

Encryption:

The cryptographic transformation of data to render it unintelligible through an algorithmic process using a cryptographic key.

Firewall:

A security mechanism that creates a barrier between an internal network and an external network.

GLBA:

The Gramm-Leach-Bliley Act was passed by Congress in 1999 to protect the privacy and security of customer financial information.

Host:

A system or computer that contains business and/or operational software and/or data.

Incident Response:

The manual and automated procedures used to respond to reported network intrusions (real or suspected), network failures and errors, and other undesirable events.

Information:

The representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automated means.

Information Assets:

(1) All categories of automated information, including but not limited to records, files, and databases, and (2) information technology facilities, equipment (including microcomputer systems), and software owned or leased by the State.

Information Owner:

An individual or organizational unit having responsibility for making classification and control decisions regarding use of information.

Information Security:

The protection of automated information from accidental or intentional unauthorized access, modification, destruction, or disclosure.

Instant Messaging (IM):

The ability to exchange short messages online with co-workers or others. IM solutions can take several forms. They can use an existing Internet-based service, or they can be an Intranet-only solution implemented and controlled within an IT department. The latter is significantly more secure than the former, but lacks access to business partners.

Integrity:

The property that data has not been altered or destroyed from its intended form or content in an unintentional or an unauthorized manner.

Internet:

A system of linked computer networks, international in scope, that facilitates data transmission and exchange, and whose networks all use the standard Internet protocol, TCP/IP, to communicate and share data with each other.

Intranet:

An internal (i.e., non-public) network that uses the same technology and protocols as the Internet.

Intrusion Detection:

The monitoring of network activities, primarily through automated measures, to detect, log and report upon actual or suspected unauthorized access and events for investigation and resolution.

ISO:

Information Security Officer.

Non-Repudiation:

Unforgeable evidence that a specific action occurred. This action could be the transmission of an electronic message, the completion of a transaction, or some other action.

PCI DSS:

The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and credit card numbers.

Physical Security:

The protection of information processing equipment from damage, destruction or theft; of information processing facilities from damage, destruction or unauthorized entry; and of personnel from potentially harmful situations.

Privacy:

The right of individuals and organizations to control the collection, storage, and dissemination of information about themselves.

Privileged Account:

The user-ID or account of an individual whose job responsibilities require special system authorization, such as a network administrator, security administrator, etc. Special authorizations are allocated to this account, such as RACF Administrator, auditor, Special or UNIX root.

Procedures:

Specific operational steps that individuals must take to achieve goals stated in this program.

Remote Access Server (RAS):

A server that allows users to gain access to a LAN from a remote location. Once a user has authenticated, he can access network resources as if he were physically connected to the LAN.

Risk:

The likelihood or probability that a loss of information assets or a breach of security will occur.

Risk Assessment:

The process of identifying threats to information or information systems, determining the likelihood of occurrence of the threat, and identifying system vulnerabilities that could be exploited by the threat.

Risk Management:

The process of taking actions to assess risks and avoid or reduce risk to acceptable levels.

Security Management:

The responsibility and actions required to manage the security environment, including the security policies and mechanisms.

Security Program:

The set of criteria for the provision of security services based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes by users, a group of users, or entities acting on behalf of users.

Sensitivity:

In terms of confidentiality, the characteristic of information whose leakage or disclosure would cause a negative impact to the organization.

Sniffing:

Monitoring network traffic.

Spamming:

Blindly posting something to a large number of groups.

Spoofing:

Representing yourself as someone else.

Standard:

Sets of rules for implementing the program. Standards make specific mention of technologies, methodologies, implementation procedures and other detailed factors.

State:

Shall mean the State of New York.

Technical Security Review:

A technical security review consists of reviewing the controls built into a system or application to ensure they still perform as designed. It also includes reviewing security patches to ensure they have been installed and are operational, reviewing security rules such as access control lists for currency, testing firewall rules, etc.

The College:

The State University of New York, College at Oneonta.

Third Party:

Any non-College entity such as a contractor, vendor, consultant, another college, etc.

Threat:

A force, organization or person which seeks to gain access to, or compromise, information. A threat can be assessed in terms of the probability of an attack. Looking at the nature of the threat, its capability and resources, one can assess it and then determine the likelihood of occurrence, as in risk assessment.

Trojan Horse:

Illegal code hidden in a legitimate program that, when executed, performs some unauthorized activity or function.

Unauthorized Access or Privileges:

An insider or outsider who gains access to network or computer resources without permission.

USENET News Group:

A USENET news group is a bulletin board where people can read or post Netnews messages on specific topics. There are many specialized business news groups. Many news groups are subscribed to by experts in the given topic, and these individuals can provide valuable information and will sometimes respond to direct queries.

User:

One who has authorized access to information on a computer. The authorization may include the ability to add or update information as well as to access it.

Virus:

Any security threat that executes in a manner such that computer resources are damaged, lost or otherwise occupied so that they are unavailable.

VPN:

Virtual Private Network. Internet protocol (IP) virtual private networks (VPNs) are a collection of technologies that ensure the privacy of data over a shared, unsecured IP network infrastructure. The two key points as to what constitutes an IP VPN are privacy and an IP network.

Vulnerability:

A weakness of a system or facility holding information which can be exploited to gain access. A vulnerability can be assessed in terms of the means by which an attack would be successful.

World Wide Web (WWW):

The World Wide Web is a hypertext-based system designed to allow access to information in such a way that the information may physically reside on locally or geographically different servers. This access was greatly improved through the introduction of a graphical interface to the World Wide Web called a web browser. Netscape and Internet Explorer are two of the most popular web browsers.

Worm:

A program similar to a virus that can consume large quantities of network bandwidth and spread from one network to another.

Effective Dates

• Approved by the President on 3/27/2005

• Revised on 9/25/2010

Information Technology Security Program

Oneonta's Information Technology Security Program

“A strategic plan to ensure confidentiality, integrity, and accessibility of Oneonta’s information assets.”

PURPOSE  SCOPE PROGRAM

• SECTION 1. PREFACE

• SECTION 2. ORGANIZATIONAL AND FUNCTIONAL RESPONSIBILITIES

• SECTION 3. INFORMATION SECURITY

• Individual Accountability

• Confidentiality / Integrity / Availability

• SECTION 4. ASSET CLASSIFICATION AND CONTROL

• Privacy and Handling of Private Information

• SECTION 5. PERSONNEL SECURITY

• Including Security in Job Responsibilities

• User Training

• Responding to Security Incidents and Malfunctions

• Reporting Security Weaknesses

• Reporting Security Software Malfunctions

• Incident Management Process

• SECTION 6. PHYSICAL AND ENVIRONMENTAL SECURITY

• Physical Security Barrier 9 Secure Disposal or Re-use of Equipment

• Clear Screen

• SECTION 7. COMMUNICATIONS AND NETWORK MANAGEMENT

• Network Management

• Host Scanning

• Network Security Checking

• Internet and Electronic Mail Acceptable Use

• External Internet and VPN Connections

• Security of Electronic Mail

• Portable Computers

• Telephones and Fax Equipment

• Wireless Networks

• Modem Usage

• Public Websites

• Electronic Signatures

• SECTION 8. OPERATIONS MANAGEMENT

• Incident Management Procedures

• Segregation of Duties

• Separation of Test and Operational Facilities

• Protection against Malicious Software

• Software Maintenance

• Information Back-up

• System Security Checking

• Disposal of Media

• SECTION 9. ACCESS CONTROL

• User Registration and Management

• Privileged Account Management

• User Password Management

• Network Access Control

• User Authentication for External Connections (Remote Access Control)

• Segregation of Networks

• Operating System Access Control

• Monitoring System Access and Use

• SECTION 10. SYSTEMS DEVELOPMENT AND MAINTENANCE

• Control of Internal Processing

• Cryptographic Controls

• Change Control Procedures

• SECTION 11. COMPLIANCE

• Gramm-Leach-Bliley Act

• Safeguarding of College Records

• Prevention of Misuse of Information Technology Resources

• Compliance

• Enforcement and Violation Handling

• DEFINITIONS PURPOSE

The purpose of this document is to define a set of minimum information technology (IT)

security requirements that the College must meet to comply with State and Federal

directives. The College may, based on its individual business needs and specific legal

requirements such as FERPA or the GLBA, exceed any or all of the information security

requirements put forth in this document, but must, at a minimum, achieve the

information security levels defined in this document.

The primary objectives of the IT Security Program are:

• effectively manage the risk of IT security exposure or compromise within College

systems;

• communicate within the College community the responsibilities for the protection

of College information;

• comply with the Family Educational Rights and Privacy Act of 1974 (FERPA - the

Buckley Amendment), the Gramm-Leach-Bliley Act (GLBA), the Payment Card

Industry Data Security Standard (PCI DSS) and other statutes, policies and

standards protecting the rights of individuals.

• consistently maintain data integrity and accuracy.

• assure that authorized individuals have timely and reliable access to necessary

data.

• deny with reasonable assurance unauthorized individuals access to computing

resources or other means to retrieve, modify or transfer data.

SCOPE

This program applies to all faculty, staff and students of the College, or others (e.g.,

Research Foundation employees, OAS employees, vendors, contractors, etc) who may

utilize the College’s technology and related facilities.

This program encompasses all computer systems, for which the College has

responsibility, including systems managed or hosted by third parties on behalf of the

College. It addresses all electronic information, regardless of the form or format, which

is created or used in support of the College mission.

IT security refers to the protection of information from unauthorized access, destruction,

modification or disclosure. For the purposes of this document, information is defined as

the representation of facts, concepts, or instructions in an electronic manner suitable for

communication, interpretation, or processing by human or automated means.

Information is relayed in a variety of methods such as in written documentation or

through computer networks. Information is also stored and retrieved in several formats.

The formats can include but are not limited to: computer databases or transmissions,

tapes, CD ROMS, diskettes, computer generated reports, hard copy documentation, email

messages, voice mail, etc.

This program must be communicated to all faculty, staff, students and all others who

have access to or manage College information. This IT security program is not specific

to any type of hardware, communications method, network topology, or software

applications. As such, it is designed to be implemented across campus.

PROGRAM Section 1. Preface

The President’s Cabinet is fully committed to IT security and agrees that every person in

the College community has an important responsibility to continuously maintain the

security and privacy of College data. This IT Security Program is a statement of the

minimum requirements, ethics, responsibilities and accepted behaviors required to

establish and maintain a secure environment, and achieve the College’s IT security

objectives. This IT Security Program sets the direction, gives broad guidance and

defines requirements for IT security related processes and actions across the College.

This program follows the framework of the International Standards Organization’s ISO

27002 - The Information Security Standard.

Section 2. Organizational and Functional Responsibilities

A. The College: The President will designate an Information Security Officer (ISO). The

ISO will ensure that an organization structure is in place for:

• coordinating and implementing information security policies, standard, and

procedures;

• assigning information security responsibilities;

• implementing an IT security awareness program;

• monitoring significant changes in the exposure of IT assets to major threats, legal

or regulatory requirements;

• responding to IT security incidents;

• leading major initiatives to enhance IT Security;

• leading disaster preparedness planning to ensure continuity of College business.

B. College Designated Staff: College designated staff will be responsible for the

implementation of this and other IT Security policies and the compliance of College

employees to this program. The designated staff must educate College employees with

regard to IT Security issues, explain the issues, why the policies have been established,

and what role(s) individuals have in safeguarding IT assets. Consequences of noncompliance

will also be explained.

C. Information Owners: Information owners are responsible for determining who

should have access to protected resources within their jurisdiction, and what those

access privileges should be (read, update, etc.). These access privileges must be in

accordance with the user’s job responsibilities. Information owners also communicate to

the College ISO the legal requirements for access and disclosure of their data.

Information owners must be identified for all College information assets and assigned

responsibility for the maintenance of appropriate information security measures such as

assigning and maintaining asset classification and controls, managing user access to

their resources, etc. Responsibility for implementing information security measures may

be delegated, though accountability remains with the identified owner of the asset.

D. College Information Security Officer: The College Information Security Officer has

overall responsibility for ensuring the implementation, enhancement, monitoring and

enforcement of this program. The College Information Security Officer is responsible for

providing direction and leadership to the College through the recommendation of IT

security policies, standards, processes and education and awareness programs to

ensure that appropriate safeguards are implemented, and to facilitate compliance with

those policies, standards and processes. The College Information Security Officer is

responsible for investigating all alleged IT security violations. In this role, the College

Information Security Officer may refer the investigation to other investigatory entities,

including law enforcement. The College Information Security Officer will coordinate and

oversee IT security program activities and reporting processes in support of this

program and other IT security initiatives.

E. IT Security Administrator: This individual will report to the College Information

Security Officer and be responsible for administering IT security tools, auditing IT

security practices, identifying and analyzing IT security threats and solutions, and

responding to IT security violations.

F.Departments or Individuals with Direct Responsibility for Technology Support: :

These areas have responsibility for the data processing infrastructure and computing

networks which support the information owners. It is their responsibility t to support the

IT Security Program and provide resources needed to enhance and maintain a level of

IT Security control consistent with the College’s IT Security Program.

These departments have the following responsibilities in relation to the IT security:

• ensuring processes, policies and requirements are identified and implemented

relative to IT security requirements defined by the College;

• ensuring the proper controls of IT are implemented for which the College has

assigned ownership responsibility, based on the College’s classification

designations;

• ensuring the participation of the College Information Security Officer and

technical staff in identifying and selecting appropriate and cost-effective IT

security controls and procedures, and in protecting IT assets;

• ensuring that appropriate IT security requirements for user access to automated

information are defined for files, databases, and physical devices assigned to

their areas of responsibility;

• ensuring that critical data and recovery plans are backed up and kept at a

secured off-site storage facility and that recovery of backed-up media will work

if and when needed.

G. College Employees: It is the responsibility of all employees to protect College

information and resources, including passwords, and to report suspected IT security

incidents to one or more of the following: the information owner, the IT Help Desk, or the

Information Security administrator as appropriate.

H. Non-College Employees: Oneonta Auxiliary Services (OAS), Research Foundation

(RF), Retirees, Contractors, Consultants, Vendors and other persons including

students, to the extent of their present or past access to the College IT assets, are also

covered by this IT Security Program.

Section 3. Information Technology Security

All stored or transmitted electronic information which is created, acquired or used in

support of the College’s mission, regardless of the form or format, must be used for

College business only. This information is an asset and must be protected from its

creation, through its useful life, and to its authorized disposal. It must be maintained in a

secure, accurate, and reliable manner and be readily available for authorized use.

Information must be classified and protected based on its importance to business

activities, risks, and information security best practices as defined in International

Standards Organization’s ISO 27002 - The Information Security Standard.A.

Information is one of the College’s most valuable assets and the College relies upon

that information to support our mission. The quality and availability of that information is

key to the College's ability to carry out its mission. Therefore, the security of the

College’s information, and of the technologies and systems that support it, is the

responsibility of everyone concerned. Each authorized user of College information has

an obligation to preserve and protect College information assets in a consistent and

reliable manner. Information security controls provide the necessary physical, logical

and procedural safeguards to accomplish those goals.

B. Information security management enables information to be shared while ensuring

protection of that information and its associated computer assets including the networks

over which the information travels. College designated staff are responsible for ensuring

that appropriate physical, logical and procedural controls are in place on these assets to

preserve the information security properties of confidentiality, integrity, availability and

privacy of College information.

Individual Accountability

Individual accountability is the cornerstone of any information security program. Without

it, there can be no information security. Individual accountability is required when

accessing all College resources.

• Access to College computer systems and networks must be provided through the

use of individually assigned unique computer identifiers, known as user-IDs.

• Individuals who use College computers must only access information assets to

which he or she is authorized.

• Associated with each user-ID is an authentication token, such as a password,

which must be used to authenticate the person accessing the data, system or

network. Passwords, tokens or similar technology must be treated as

confidential information, and must not be disclosed. Transmission of such

authentication information must be made only over secure mechanisms.

• Each individual is responsible to reasonably protect against unauthorized

activities performed under his or her user-ID.

• For the user’s protection, and for the protection of College resources, user-Ids

and passwords (or other tokens or mechanisms used to uniquely identify an

individual) must not be shared. In certain circumstances, where there is a clear

requirement or system limitation, the use of a shared user-id for a group of

users or a specific job can be used. Additional compensatory controls must be

implemented to ensure accountability is maintained.

Confidentiality / Integrity / Availability

A. All College information must be protected from unauthorized access to help ensure

the information’s confidentiality and maintain its integrity. Information owners will secure

information within their jurisdiction based on the information’s value, sensitivity to

disclosure, consequences of loss or compromise, and ease of recovery. The College

will adopt policies and procedures to guide information owners in securing their

information assets.

B. Information will be readily available for authorized use when it is needed by users in

the normal performance of their duties. Appropriate processes will be defined and

implemented to ensure the reasonable and timely recovery of all the College

information, applications and systems, regardless of computing platform, should that

information become corrupted, destroyed, or unavailable for a defined period (ref to

Section 8 - Operations Management Program, Information Backup section).

Section 4. Asset Classification and Control

A. Information must be properly managed from its creation, through authorized use, to proper disposal, and requires different levels of protection. Information will be classified based on its value, sensitivity, consequences of loss or compromise, and/or legal and retention requirements. Criteria for determining the sensitivity of information will include consideration of confidentiality, integrity, availability, privacy, safety, legal and retention compliance requirements.

B. All information will have an information owner established within the College’s lines of business who will be responsible for assigning the initial information classification, and for making all decisions regarding controls, access privileges of users, and daily decisions regarding information management.

C. Each classification will have a set or range of controls, designed to provide the appropriate level of protection of the information and its associated application software commensurate with the value of the information in that classification. Protective measures will address the above considerations with control categories that include: identification & authentication, access control, confidentiality, network security, host security, integrity, non-repudiation, monitoring and compliance.

Privacy and Handling of Private Information

Privacy of personally identifiable information must be maintained consistent with laws, rules and regulations. The College’s systems hold personal information (i.e., any information that is unique to an individual) to carry out the mission of the College. The protection of the privacy of personal information is of utmost importance and the College must protect the rights of privacy of all members of the College community. All College employees with access to personal information are required to respect the confidentiality of that personal information to the full extent of the law. Personal data, including information about employees, students, members of the public, organizations and business partners, collected and maintained by the College must:

• be consistent with the provisions of the Internet Security and Privacy Act, the Freedom of Information Law, FERPA, and the Personal Privacy Protection Law;

• be used as authorized by law;

• be gathered in a lawful manner;

• be kept in a manner as required by law or regulations;

• not be disclosed unless authorized or required by law;

• be available for review by authorized individuals;

• be corrected if errors are known to exist or if the individual identifies errors;

• be erased where appropriate if the individual requests, consistent with applicable laws; and

• be protected using system access controls.

Section 5. Personnel Security

The intent of this section is to reduce the risk of human error and misuse of College information and facilities.

Including Information Security in Job Responsibilities

Information security roles and responsibilities must be documented. These roles and responsibilities will include general responsibilities for all College employees, as well as specific responsibilities for protecting specific information assets and performing tasks related to information security procedures or processes.

User Training

A. All faculty, staff and students must receive general information security awareness training to ensure they are knowledgeable about information security procedures, their roles and responsibilities regarding the protection of College information assets, and the proper use of information processing facilities to minimize information security risks.

B. Departments that process or maintain sensitive information are responsible for conducting specific information security awareness training for employees who handle such information in the course of their job duties. This training should include physical handling and disposition of non-electronic documents containing sensitive information as well as proper procedures to follow in processing and storing electronic information and documents.

C. Logon banners will be implemented on all systems where that feature exists to inform all users that the system is for College business or other approved use consistent with the College mission.

Responding to Information Security Incidents and Malfunctions

A. Incidents affecting information security must be reported as quickly as possible to one or more of the following: the information owner, the Information Technology (IT) Help Desk or the IT Security Administrator, as appropriate.

B. Formal incident reporting procedures that define the actions to be taken when an incident occurs must be established. Feedback mechanisms must be implemented to ensure that individuals reporting incidents are notified of the results after the incident has been resolved and closed.

Reporting Information Security Weaknesses

Users of information technologies shall report any observed or suspected information security weaknesses or threats to the appropriate manager and the IT Security Administrator. They must report these weaknesses as soon as possible. Users must not attempt to prove a suspected weakness unless authorized by the College ISO to do so. Testing weaknesses could have unintended consequences.

Reporting Information Security Software Malfunctions

Users are required to report software malfunctions such as a virus not being detected or a password change not being accepted. Users should report such malfunctions by calling the IT Help Desk. After the IT Help Desk is notified of the problem, the following actions will be taken:

• the symptoms of the problem and any messages appearing on the screen will be documented;

• the computer will be isolated, if possible, and use of it stopped until the problem has been resolved;

• the incident will be reported immediately to the appropriate manager and the IT Security Administrator.

Incident Management Process

The logging of information security incidents will be used by the College to identify recurring or high-impact incidents and to record lessons learned. Review of this information may indicate the need for additional controls to limit the frequency, damage and cost of future incidents.

Section 6. Physical and Environmental Information Security

Physical Security Barriers

A. Breaching physical security can cause a loss of or damage to College information assets. Physical security will be achieved by creating physical barriers around the assets being protected. These barriers could be in the form of an entry point with card key access, a locked door, a staff member, or another physical barrier.

B. College environments where servers are stored or operational, wiring closets for networks and telephony, printers where confidential or sensitive information may be printed, and any other areas that contain and/or process critical or sensitive information must be secured against unauthorized access.

C. The College will perform periodic threat and risk analysis to determine where additional physical security measures are necessary, and implement these measures to mitigate the risks.

Secure Disposal or Re-use of Equipment

There is a risk of disclosure of sensitive information through careless disposal or re-use of equipment. Storage devices such as hard disk drives, and other magnetic media such as tape, containing sensitive information will be physically destroyed or securely overwritten to prevent the unauthorized disclosure of sensitive College information.

Clear Screen

Desktop, laptop and PDA computers connected to a network and/or containing sensitive or confidential College information must be automatically logged off, or the screen locked, within 30 minutes of inactivity.

Inventory Control

All College-owned computer equipment will be tagged to identify the College as the owner. An equipment inventory will be conducted annually by the Office of Property Management.

Section 7. Communications and Network Management

Network Management

The College must implement a range of network controls to maintain security in its internal networks, and to ensure the protection of connected services and networks. These controls help prevent unauthorized access to and use of the College networks. The following controls, at a minimum, should be implemented:

• Operational responsibility for networks will be separate from computer operations when possible;

• Responsibilities and procedures for remote use must be established (refer to Section 9, Access Control, of this document);

• When necessary, special controls will be implemented to safeguard the integrity and confidentiality of data passing over public networks (Internet).

Host Scanning

Any device connected to a network will be scanned periodically to ensure that no major vulnerabilities have been introduced into the environment. The frequency of scans will be determined by the College ISO.

Network Security Checking

A. Network vulnerability scanning will be conducted periodically at the discretion of the IT Security Administrator. The output of the scans will be reviewed in a timely manner, and any vulnerability detected will be evaluated for risk and mitigated. The tools used to scan for vulnerabilities will be updated periodically to ensure that recently discovered vulnerabilities are included in any scans.

B. A process to perform the scanning will be defined by the College, tested, and followed at all times to minimize the possibility of disruption to the College networks by such reviews. Reports of exposures to vulnerabilities will be forwarded to the College ISO and the IT Security Administrator.

C. All connections to College networks must be authenticated.

D. The use of any network vulnerability scanning tools, whether internal or external, by individuals who are not part of the formal test process described above is prohibited. Any vulnerability scanning from the Internet must be conducted exclusively by the College’s authorized, qualified staff or a qualified third party.

Internet and Electronic Mail Acceptable Use

When College faculty, staff and students connect to the Internet using any College Internet address designation or send electronic mail using the College designation, it should be consistent with the College’s mission. College equipment, systems, facilities and supplies must be used only for conducting activities consistent with the College’s mission. Users are visible representatives of the College and must use the Internet and the College e-mail system in a legal, professional and responsible manner. The following is not an all-inclusive list, and provides only examples of behavior that is not acceptable. Specifically, the Internet and electronic mail will not be used:

• for personal gain or profit;

• to represent yourself as someone else (i.e., “spoofing”);

• for spamming;

• for unauthorized attempts to break into any computing system, whether the College’s or another organization’s (i.e., cracking or hacking);

• for theft or unauthorized copying of electronic files;

• for posting sensitive College information without authorization from the College and without protective measures such as encryption;

• for mass distribution without the College’s authorization, such as “chain letters”;

• for non-business communication using “instant messaging” or similar technology;

• for “sniffing” (i.e., monitoring network traffic), except by those authorized to do so as part of their job responsibilities.

External Internet and VPN Connections

A. A computer that is connected to a College network cannot also be connected to a non-College network via dial-up access using a modem unless specifically authorized by the College ISO. For example, users that subscribe to third party Internet service providers like AOL cannot connect to AOL via a modem at the same time they are connected to a College network.

B. Any connection over a public network (i.e., the Internet) that involves sensitive information must use a Virtual Private Network (VPN) or other equivalent encryption technology to ensure the privacy and integrity of the data passing over the public network.

Portable Computers

A. All portable computing resources and information media must be secured to prevent compromise of confidentiality or integrity. No computer device may store or transmit sensitive information without suitable protective measures being implemented and approved by the College ISO.

B. When using mobile computing facilities such as notebooks, palmtops, laptops and mobile phones, special care must be taken to ensure that information is not compromised. Users of mobile computing are responsible for physical protection, access controls, cryptographic techniques, back-ups, virus protection, the rules associated with connecting mobile facilities to networks, and guidance on the use of these facilities in public places. In cases where sensitive information is concerned:

• Care must be taken when using mobile computing facilities in public places, meeting rooms and other unprotected areas outside of the College's premises. Protection must be in place to avoid unauthorized access to or disclosure of the information stored and processed by these facilities, e.g., using cryptographic techniques.

• When such facilities are used in public places, care must be taken to avoid the risk of unauthorized persons viewing information on-screen.

• Equipment carrying important and/or sensitive information must not be left unattended and, where possible, must be physically locked away, or special locks must be used to secure the equipment.

• Training must be provided to staff using mobile computing resources to raise their awareness of the additional risks resulting from this way of working and the controls that will be implemented.

• Employees in possession of portable, laptop, notebook, palmtop, and other transportable computers must not check these computers in airline luggage systems. These computers must remain in the possession of the traveler as hand luggage unless other arrangements are required by Federal or State authorities.

• For all portable computers such as laptops, notebooks, etc., the use of a “bootup” or power-on password must be implemented. For those computers containing sensitive information, data encryption techniques may also be employed.

Telephones and Fax Equipment

The use of telephones outside the College for business reasons is sometimes necessary, but it can create security exposures. Examples of best practices:

• take care not to be overheard when discussing confidential matters;

• avoid use of any wireless or cellular phones when discussing sensitive or confidential information;

• avoid leaving sensitive or confidential messages on non-College voicemail systems;

• if sending sensitive or confidential documents via fax, verify the phone number of the destination fax. Contact the recipient to ensure protection of the fax, either by having it picked up quickly or by ensuring that the fax output is in a secure area;

• avoid using Internet fax services to send or receive sensitive or confidential information;

• do not use third party fax services to send or receive sensitive or confidential information;

• do not send sensitive or confidential documents via wireless fax devices;

• when chairing a sensitive or confidential teleconference, confirm that all participants are authorized to participate before starting any discussion.

Wireless Networks

A. Wireless technology and pervasive devices create opportunities for new and innovative uses. College information systems can be exposed to compromise or to a loss of service if security risks are not addressed correctly.

B. Wireless technology is a shared medium. Everything that is transmitted over the radio waves can be intercepted if the interceptor is within the coverage area of the radio transmitters. This represents a potential security issue in wireless Local Area Networks (LANs). The security exposure is more evident in public areas, such as the Library, Residence Halls, and the Student Union.

C. Suitable controls such as authentication and encryption will be implemented by Telecommunications to reduce the possibility that a wireless network or access point can be exploited to disrupt College information services or to gain unauthorized access to College information.

D. A Wireless Communications Policy will be established to address these issues.

Modem Usage

A. Using modems to connect to a network can create security risks. When using a modem and a computer that contains sensitive College information, the following best practices apply:

1. For Outbound Service (configured for outgoing calls only):

• modems must not be left connected to computers in auto-answer mode, such that they are able to receive incoming dial-up calls;

• communications systems must not be established that accept incoming dial-up calls;

• under no circumstances will a user attempt to add a remote access server to a College network.

2. For Inbound Service (configured for the modem to accept incoming calls only):

• all dial-up modem phone numbers are confidential and must be made available only to authorized users;

• only under extreme conditions should a computer have remote control software and dial-in capability;

• dial-up modems must be configured to answer calls on the fourth ring;

• system configuration will be set to disconnect after three unsuccessful password attempts;

• session limits of three hours and inactivity timeouts of 30 minutes will be placed on all sessions.

Public Websites

A. The World Wide Web provides an opportunity for the College both to disseminate information and to provide interactive services quickly and effectively. Because anything posted on a public web server is globally available and each web presence is a potential connection path to the College networks, care will be exercised in the deployment of publicly accessible servers. There is also potential for an insecure server to be used or exploited to assist in an unauthorized or illegal activity, such as an attack on another web site.

B. Sensitive or confidential information will not be made available through a server that is available to a public network without appropriate safeguards approved by the College ISO. The College ISO will implement safeguards to ensure user authentication, data confidentiality and integrity, access control, data protection, and logging mechanisms.

C. The implementation of any web site or software that interacts with the user, requires registration, or collects or processes information from users is considered to be application development and, therefore, must be audited and approved by the College ISO to ensure that the collection and processing of information meets College information security and privacy requirements. The review will ensure that the information is adequately protected while in transit over public and College networks, while in storage, and while being processed.

D. All official web sites will comply with Federal and State legal requirements.

Electronic Signatures

Electronic signatures, including digital signatures, provide a means of protecting the authenticity and integrity of electronic documents. They can be used in electronic transactions where there is a need for a signature. New York State's Electronic Signatures and Records Act (ESRA) provides that electronic signatures are equivalent to hand-written signatures. The College will comply with the Electronic Signatures and Records Act (ESRA), FERPA, and any other State or Federal regulations regarding electronic signatures.

Section 8. Operations Management

Incident Management Procedures

A. All users of College information systems must be made aware of the procedure for reporting information security incidents, threats, weaknesses, or malfunctions that may have an impact on the security of College information. All College staff and contractors are required to report any observed or suspected incidents to the appropriate manager and the College ISO as quickly as possible.

B. Incident management responsibilities must be documented and procedures must be clearly defined to ensure a quick, effective and orderly response to information security incidents. At a minimum, these procedures must address:

• information system failures and loss of service;

• denial of service;

• errors resulting from incomplete or inaccurate data;

• breaches of confidentiality;

• loss of integrity of the software or other system component.

C. In addition to normal contingency plans designed to recover applications, systems or services, the incident response procedures must also cover:

• analysis and identification of the cause of the incident;

• planning and implementation of corrective actions to prevent reoccurrence;

• collection of audit log information;

• communication with those affected by or involved in the recovery from the incident.

D. College management and the College ISO will investigate all information security incidents and implement corrective actions to reduce the risk of reoccurrence.

Segregation of Duties

To reduce the risk of accidental or deliberate system misuse, separation of duties or areas of responsibility must be implemented where practical. Where appropriate, including where the separation of duties is not practical, other compensatory controls such as monitoring of activities, audit trails and management supervision must be implemented.

Separation of Test and Operational Facilities

A. Separation of the development, test and operational environments will be implemented, either logically or physically, when feasible. Processes must be documented and implemented to govern the transfer of software from the development environment to the operational platform.

B. Separation must also be implemented between development and test functions. The College must consider the use of a stable quality assurance environment where user testing can be conducted and changes cannot be made to the programs being tested. The following controls must be considered:

• development and operational software must, where possible, run on different computer processors, or in different domains or directories;

• development and testing activities must be separated;

• compilers, editors and other system utilities must not be accessible from operational systems when not required;

• different log-on procedures should be used for operational, test and development systems, to reduce the risk of error. Users will be encouraged to use different passwords for these systems, and menus should display appropriate identification messages;

• programming staff will only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems.

Protection Against Malicious Software

Software and associated controls must be implemented across College systems to prevent and detect the introduction of malicious software. The introduction of malicious software such as computer viruses, network worms and Trojan horses can cause serious damage to networks, workstations, and data. Users must be made aware of the dangers of unauthorized or malicious software. Anti-virus software will be installed on all computers connected to a College network. At a minimum, the virus signature files for this software must be updated weekly. On host systems or servers, the signature files will be updated daily or when the virus software vendor’s signature files are updated and published.

Software Maintenance

All purchased applications and systems software must be maintained at a vendor-supported level to ensure software accuracy and integrity. Maintenance of College-developed software will be logged to ensure changes are authorized, tested and accepted by College management. Also, all known information security patches must be reviewed and applied in a timely manner to reduce the risk of security incidents that could affect the confidentiality, integrity and availability of data or software.

Information Backup

The scope of this program is limited to the IT infrastructure, and the data and applications of the local College environment. To ensure interruptions to normal College operations are minimized, and critical College applications and processes are protected from the effects of major failures, each College unit, in cooperation with the College IT organization, must develop plans that can meet the backup requirements of the College. Backups of critical College data and software must be performed regularly.

System Security Checking

A. Systems and services that process or store sensitive or confidential information or provide support for critical processes must undergo technical security reviews to ensure compliance with implementation standards and to assess vulnerabilities to subsequently discovered threats. Reviews of systems and services that are essential to supporting a critical College function must be conducted at least once every year. Reviews of a representative sample of all other systems and services must be conducted periodically.

B. Any deviations from expected or required results that are detected by the technical security review process must be reported to the College ISO and corrected immediately. In addition, the College application owner should be advised of the deviations and must initiate investigation of the deviations (including the review of system activity log records if necessary).

Disposal of Media

Sensitive information could be leaked to outside persons through careless disposal of media. Formal processes must be established to minimize this risk. Media such as tapes, diskettes, servers, mainframe and PC hard drives, and mobile devices such as phones, PDAs or USB drives containing sensitive College data must be destroyed by incineration, shredding, or electronic erasure of data before disposal, consistent with applicable record retention and disposition laws.

Section 9. Access Control

A. To preserve the properties of integrity, confidentiality and availability, the College’s information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.

B. Information owners are responsible for determining who should have access to information assets within their jurisdiction, and what those access privileges will be (read, update, etc.). These access privileges will be granted in accordance with the user’s job responsibilities.

User Registration and Management

A. A process shall be established by the College to outline and identify all functions of user management, including the generation, distribution, modification and deletion of user accounts for access to resources. The purpose of this process is to ensure that only authorized individuals have access to College applications and information and that these users only have access to the resources required for authorized purposes.

B. The User Management Process should include the following sub-processes:

• enrolling new users;

• removing user-ids;

• granting “privileged accounts” to a user;

• removing “privileged accounts” from a user;

• periodic review of users’ “privileged accounts”;

• periodic review of users enrolled in any system; and

• assigning a new authentication token (e.g., password reset processing).

C. In most cases the appropriate information owner or supervisor will make requests for the registration and granting of access rights for employees. In some cases access can be automatically granted or taken away based on employment status.

D. For applications that interact with individuals who are not employed by the College, the information owner is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users must be defined, including the credentials that must be provided to prove the identity of the user requesting registration, validation of the request, and the scope of access that may be provided.

Privileged Account Management

A. The issuance and use of privileged accounts will be restricted to only those individuals who need them in the normal performance of their job responsibilities. All such individuals (systems programmers, database administrators, network and information security administrators, etc.) will have a unique privileged account (user-id) for their personal and sole use so that activities can be traced to the responsible person. User-ids must not give any indication of the user’s privilege level, e.g., supervisor, manager, administrator. These individuals should also have a second user-id for performing normal transactions, such as accessing the College e-mail system.

B. In certain circumstances, where there is a clear requirement or system limitation, the use of a shared user-id for a group of users or a specific job can be used. Additional compensatory controls must be implemented to ensure accountability is maintained.

C. Passwords of privileged accounts should be changed at least every 90 days.

User Password Management

A. Passwords are a common means of authenticating a user’s identity to access an information system or service. Password standards will be implemented to ensure all authorized individuals accessing College resources follow proven password management practices. These password rules must be enforced by automated system controls whenever possible.

B. To ensure good password management, the following password standards will be implemented where feasible:

• password must not be the same as the user-id;

• password length minimum of 8 characters;

• strong passwords including alphabetic and numeric characters;

• maximum password age 180 days;

• minimum password age 7 days;

• password uniqueness equal to five (5), i.e., a new password must differ from the previous five;

• lock out account after an appropriate number of failed logon attempts;

• password lockout duration of 60 minutes, or until reset by an authorized person;

• passwords should not be written down;

• passwords must be kept confidential; they must not be shared with another user;

• temporary passwords must be changed at the first logon.

C. A user who needs a password reset must be authenticated before the request is granted.
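The password standards above, together with the 90-day rotation for privileged accounts in Privileged Account Management C, can be enforced by automated controls as the policy requires. The following is an added illustration, not College tooling: it models an account with a hashed password history and applies the page's thresholds (8 characters, alpha and numeric, 180/90-day maximum age, 7-day minimum age, five-password uniqueness, 60-minute lockout). The lockout threshold of five failed attempts and the PBKDF2 hashing are assumptions, since the policy only says "an appropriate number" and does not specify a hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds taken from the policy text.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=180)             # User Password Management, B
PRIVILEGED_MAX_AGE = timedelta(days=90)   # Privileged Account Management, C
MIN_AGE = timedelta(days=7)
HISTORY_DEPTH = 5                         # "password uniqueness equal to five"
LOCKOUT_DURATION = timedelta(minutes=60)
LOCKOUT_THRESHOLD = 5                     # assumption: policy says "an appropriate number"


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 (assumed; the policy names no algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    privileged: bool = False
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    last_changed: Optional[datetime] = None
    temporary: bool = False          # set by a password reset; forces change at first logon
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def check_new_password(account: Account, candidate: str, now: datetime) -> List[str]:
    """Return the list of policy rules the candidate violates (empty if acceptable)."""
    problems = []
    if candidate.lower() == account.user_id.lower():
        problems.append("password must not be the same as the user-id")
    if len(candidate) < MIN_LENGTH:
        problems.append("password must be at least 8 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("password must include alphabetic and numeric characters")
    for salt, digest in account.history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append("password must differ from the previous five passwords")
            break
    # Minimum age does not apply when replacing a temporary password.
    if (account.last_changed is not None and not account.temporary
            and now - account.last_changed < MIN_AGE):
        problems.append("password was changed less than 7 days ago")
    return problems


def set_password(account: Account, candidate: str, now: datetime,
                 temporary: bool = False) -> List[str]:
    """Apply the change if it passes policy; return the problems otherwise."""
    problems = check_new_password(account, candidate, now)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(candidate, salt)))
    del account.history[HISTORY_DEPTH:]   # keep only the five most recent
    account.last_changed = now
    account.temporary = temporary
    return []


def password_expired(account: Account, now: datetime) -> bool:
    limit = PRIVILEGED_MAX_AGE if account.privileged else MAX_AGE
    return account.last_changed is None or now - account.last_changed > limit


def unlock(account: Account) -> None:
    """Reset by an authorized person ends a lockout early."""
    account.locked_until = None
    account.failed_attempts = 0


def attempt_logon(account: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'denied', 'change-required' or 'ok'."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"
    if not account.history:
        return "denied"
    salt, digest = account.history[0]
    if not hmac.compare_digest(_hash(password, salt), digest):
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked_until = now + LOCKOUT_DURATION
            account.failed_attempts = 0
        return "denied"
    account.failed_attempts = 0
    account.locked_until = None
    if account.temporary or password_expired(account, now):
        return "change-required"
    return "ok"
```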

Network Access Control

Access to the College’s internal networks must require all authorized users to authenticate themselves through use of an individually assigned user-id and an authentication mechanism, e.g., password, token or smart card, or digital certificate. Network controls must be developed and implemented that ensure that an authorized user can access only those network resources and services necessary to perform their assigned job responsibilities.

User Authentication for External Connections (Remote Access Control)

A. To maintain information security, the College requires that individual accountability

be maintained at all times, including during remote access. For the purposes of this

program, “remote access” is defined as any access coming into a College network from

a non-College network. This includes, but is not limited to:

• dialing in from another location over public lines by an employee or other

authorized individual for the purpose of telecommuting or working from home;

• connecting a third party network via dial or other temporary access technology to

the College networks;

B. Connection to the College’s networks must be done in a secure manner to preserve

the integrity of the networks, data transmitted over those networks, and the availability

of those networks. Security mechanisms must be in place to control access to College

systems and networks remotely from fixed or mobile locations.

C. Because of the level of risk inherent with remote access, use of a strong password or

another comparable method is required prior to connecting to a College network.

D. When accessing the College networks remotely, identification and authentication of

the entity requesting access must be performed in such a manner as to not disclose the

password or other authentication information that could be intercepted and used by a

third party.

E. Use of a common access point is required. This means that all remote connections to a computer must be made through managed central points-of-entry. Using this type of entry system to access the College computer provides many benefits, including simplified and cost-effective information security, maintenance, and support.

F. For a vendor to access College computers or software, individual accountability is also required. For those systems (hardware or software) for which there is a built-in user-id for the vendor to perform maintenance, the account must be disabled until the user-id is needed. The activity performed while this vendor user-id is in use must be logged. When the vendor has completed the work, the vendor user-id should be disabled, or the password changed, to prevent unauthorized use of this privileged account. Vendor user-ids will be named so that they are easily identifiable.

G. In the special case where servers, storage devices or other computer equipment have the capability to automatically connect to a vendor to report problems or suspected problems, the College Information Security Administrator must review any such connection to ensure that the connectivity does not compromise the College networks.

H. Employees working from a remote location must ensure that the work environment at the remote location provides adequate information security for College data and computing resources. Appropriate protection mechanisms must be in place at the remote location to protect against theft of the equipment, unauthorized disclosure of College information, misuse of College equipment, or unauthorized access to the College internal networks or other facilities. To ensure the proper information security controls are in place and all College information security standards are followed, the following must be considered:

• the existing physical security of the remote location, considering the physical security of the building and the local environment;
• the communications security requirements, considering the need for remote access to the College's internal systems, the sensitivity of the information that will be accessed and transmitted over the communication link, and the sensitivity of the internal system;
• the threat of unauthorized access to information or resources from other people using the accommodation, e.g. family and friends.

I. The controls to be considered include, but are not limited to:

• the provision of suitable communication equipment, including methods for securing remote access and authentication tokens;
• anti-virus software and a method for maintaining current signature files;
• implementation of suitable network boundary controls to prevent unauthorized information exchange between College networks connected to remote computers and externally connected networks, such as the Internet. Such measures include firewalls, VPNs and intrusion detection techniques;
• encryption of sensitive information in transit and on the local computer workstation;
• physical security;
• rules and guidance on family and visitor access to equipment and information;
• the provision of hardware and software support and maintenance;
• the procedures for back-up;
• audit and information security monitoring;
• revocation of authority and access rights, and the return of equipment, when the remote access activities cease.

Segregation of Networks

Routers, firewalls, VPNs or other technologies should be implemented to control access to secured resources on the College networks.

Monitoring System Access and Use

Systems and applications must be monitored and analyzed to detect deviation from the access control program, and events must be recorded to provide evidence and to reconstruct lost or damaged data. Audit logs recording exceptions and other information security-relevant events must be produced and kept consistent with record retention schedules developed in cooperation with the State Archives and Records Administration (SARA) and College requirements, to assist in future investigations and access control monitoring. Audit logs will include, but are not limited to:

• user-ids;
• dates and times for logon and logoff;
• terminal identity or location, if possible; and
• records of successful and rejected system access attempts.

Section 10. Systems Development and Maintenance

A. Software applications are developed or acquired to provide efficient solutions to College problems. These applications generally store, manipulate, retrieve and display information used to conduct College business. The College units become dependent on these applications, and it is essential that the data processed by these applications be accurate and readily available for authorized use. It is also critical that the software that performs these activities be protected from unauthorized access or tampering.

B. To ensure that information security is built into all College information systems, all security requirements, including the need for rollback arrangements, must be documented.

C. Information security requirements and controls must reflect the value of the information assets involved, and the potential damage that might result from a failure or absence of information security measures. This is especially critical for online applications. The framework for analyzing the information security requirements and identifying controls to meet them is associated with threat assessment and risk management, which must be performed by the College ISO and the information owner.

Control of Internal Processing

Data which have been entered correctly can be corrupted by processing errors or through deliberate acts. Application design must ensure that controls are implemented to minimize the risk of processing failures leading to a loss of data or system integrity. Specific areas to consider include:

• the use and location in programs of add and delete functions to implement changes to data;
• the procedures to prevent programs running in the wrong order or running after failure of prior processing;
• the use of correction programs to recover from failures, to ensure the correct processing of data.

Cryptographic Controls

Use of cryptography for protection of high-risk information must be considered when other controls do not provide adequate protection. Encryption is a technique that can be used to protect the confidentiality of information. It must be considered for the protection of sensitive or critical information. Based on a risk assessment, the required level of protection will be identified, taking into account the type and quality of the encryption algorithm used and the length of the cryptographic keys employed.

Change Control Procedures

A. To minimize the possibility of corruption of information systems, strict controls over changes to information systems must be implemented. Formal change control procedures for applications must be developed, implemented and enforced. They must ensure that information security and control procedures are not compromised, that support programmers are given access only to those parts of a system necessary to perform their jobs, and that formal agreement and approval processes for changes are implemented. These change control procedures will apply to College applications as well as to systems software used to maintain operating systems, network software, hardware changes, etc.

B. In addition, access to source code libraries for both College applications and operating systems must be tightly controlled to ensure that only authorized individuals have access to these libraries, and that access is logged so that all access can be monitored.

Section 11. Compliance

The design, operation, use and management of information systems are subject to legal and vendor contractual information security requirements.

Gramm-Leach-Bliley Act

A. The Gramm-Leach-Bliley Act (GLBA) requires “financial institutions”, as defined by the Federal Trade Commission (FTC), to protect and secure customer information such as names, Social Security numbers, addresses, account and credit card information. The GLBA sets forth extensive privacy rules with which the College is deemed to be in compliance because of its adherence to the provisions of the Family Education Rights and Privacy Act (FERPA). The GLBA also establishes a Safeguards Rule, from which the College is not exempt, that requires the College to protect and safeguard customer information.

Payment Card Industry Data Security Standard

A. The Payment Card Industry Data Security Standard (PCI DSS) requires any entity that collects credit card data to protect customer data and card numbers through security management, policies, procedures, network architecture, software design and other critical protective measures. The College will comply with the PCI DSS.

Safeguarding of College Records

A. College records must be protected from loss, destruction or unauthorized modification. Some records may need to be retained in a secure manner for extended periods to meet state and Federal legal retention requirements, as well as to support essential operations.

B. The General Retention and Disposition Schedule for New York State Government Records contains guidelines for complying with legal, fiscal, and administrative requirements for records retention and provides advice on management of records. The College will develop procedures to dispose of any records in accordance with the provisions of Section 57.05 of Arts and Cultural Affairs Law. The New York State Archives and Records Administration (SARA) issues general schedules to authorize the retention and disposition of records.

C. Safeguards that will be taken to protect customer information include the following:

• Computer access will be limited by user IDs and passwords
• Customer information stored in file cabinets will be accessible only to staff in offices who need access, and the cabinets will be locked when not in use
• Offices that have access to customer information will be locked after hours
• Customer data will be backed up routinely
• Passwords will expire periodically and employees must then reset them
• Passwords will not be posted in publicly viewable places
• Intrusion detection systems will monitor the College networks to allow the prompt detection of attacks and intrusions
• Vulnerability scanning of systems containing customer information will be conducted periodically
• Antivirus protection will be maintained on all computer systems
• Designated staff members will supervise the disposal of records containing customer information
• All data will be erased when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information
• Inventories of all computer systems will be maintained
• Paper forms and documents will be reduced through increased electronic access to this information
• Measures will be implemented to ensure unauthorized persons cannot access College computer systems when left unattended
• Use of Social Security numbers as a primary identification number will be avoided

Prevention of Misuse of Information Technology Resources

The information technology resources and the data processed by these resources are provided for College purposes. Management should authorize their use. Any use of IT facilities or data for non-College or unauthorized purposes, without management’s consent, should be considered a misuse of College facilities.

Compliance

A. Compliance with this IT Security program is mandatory. Each user must understand his/her role and responsibilities regarding information security issues and protecting the College’s information assets. The failure to comply with this or any other information security program that results in the compromise of College information confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement. The College will take every reasonable step necessary, including legal and administrative measures, to protect its information assets.

B. The College Information Security Officer shall review this document annually. If significant changes are needed, the ISO shall propose the changes to the President’s Cabinet.

C. The College managers and supervisors will ensure that all information security processes and procedures within their areas of responsibility are followed. In addition, all units within the College may be subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the program requirements is not met will be documented and reported to the College’s Information Security Officer. For each area of non-compliance, a plan will be developed to address the deficiencies.

DEFINITIONS

Authenticity:
The exchange of security information to verify the claimed identity of a communications partner. In security terms it is particularly intended to counter attempts to masquerade as an authorized user in order to establish new connections or associations.

Authorization:
The granting of rights, which includes the granting of access based on an authenticated identity.

Availability:
The ‘property’ of being available and usable upon demand by an authorized entity, e.g. a system or user.

Classification:
The designation given to information or a document from a defined category on the basis of its sensitivity to disclosure, modification or destruction.

Computer:
All physical, electronic and other components, types and uses of computers, including but not limited to hardware, software, central processing units, electronic communications and systems, databases, memory, Internet service, information systems, laptops, Personal Digital Assistants and accompanying equipment used to support the use of computers, such as printers, fax machines and copiers, and any updates, revisions, upgrades or replacements thereto.

Confidentiality:
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Controls:
Countermeasures or safeguards that are the devices or mechanisms needed to meet the requirements of the program.

Cracking or Hacking:
Attempting to break into another system on which you have no account; this is treated as malicious intent.

Critical:
A condition, vulnerability or threat that could cause danger to data, a system, network, or a component thereof.

Customer:
Faculty, staff, students and others conducting business with the College.

Data:
The collection of information assets compiled, generated or maintained to support the College.

Denial of Service:
An attack that takes up so much of the College’s resources that it results in degradation of performance or loss of access to the College’s business services or resources.

Disaster:
A condition in which an information asset is unavailable, as a result of a natural or man-made occurrence, that is of sufficient duration to cause significant disruption in the accomplishment of the College’s objectives, as determined by College management.

Encryption:
The cryptographic transformation of data to render it unintelligible through an algorithmic process using a cryptographic key.

Firewall:
A security mechanism that creates a barrier between an internal network and an external network.

GLBA:
The Gramm-Leach-Bliley Act was passed by Congress in 1999 to protect the privacy and security of customer financial information.

Host:
A system or computer that contains business and/or operational software and/or data.

Incident Response:
The manual and automated procedures used to respond to reported network intrusions (real or suspected); network failures and errors; and other undesirable events.

Information:
Information is defined as the representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automated means.

Information Assets:
(1) All categories of automated information, including but not limited to: records, files, and databases, and (2) information technology facilities, equipment (including microcomputer systems), and software owned or leased by the State.

Information Owner:
An individual or organizational unit having responsibility for making classification and control decisions regarding use of information.

Information Security:
The protection of automated information from accidental or intentional unauthorized access, modification, destruction, or disclosure.

Instant Messaging (IM):
The ability to exchange short messages online with co-workers or others. IM solutions can take several forms. They can use an existing Internet-based service, or they can be an Intranet-only solution implemented and controlled within an IT department. The latter is significantly more secure than the former, but lacks access to business partners.

Integrity:
The property that data has not been altered or destroyed from its intended form or content in an unintentional or an unauthorized manner.

Internet:
This shall mean a system of linked computer networks, international in scope, that facilitate data transmission and exchange, which all use the standard Internet protocol, TCP/IP, to communicate and share data among each other.

Intranet:
The Intranet is an internal (i.e., non-public) network that uses the same technology and protocols as the Internet.

Intrusion Detection:
The monitoring of network activities, primarily through automated measures, to detect, log and report upon actual or suspected unauthorized access and events for investigation and resolution.

ISO:
Information Security Officer

Non-Repudiation:
Un-forgeable evidence that a specific action occurred. This action could be the transmission of an electronic message, the completion of a transaction, or some other action.

PCI DSS:
The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and credit card numbers.

Physical Security:
The protection of information processing equipment from damage, destruction or theft; information processing facilities from damage, destruction or unauthorized entry; and personnel from potentially harmful situations.

Privacy:
The right of individuals and organizations to control the collection, storage, and dissemination of information about themselves.

Privileged Account:
The user-ID or account of an individual whose job responsibilities require special system authorization, such as a network administrator, security administrator, etc. Special authorizations are allocated to this account, such as RACF Administrator, auditor, Special or UNIX root.

Procedures:
Specific operational steps that individuals must take to achieve goals stated in this program.

Remote Access Server (RAS):
A server that allows users to gain access to a LAN from a remote location. Once a user has authenticated, he can access network resources as if he were physically connected to the LAN.

Risk:
The likelihood or probability that a loss of information assets or breach of security will occur.

Risk Assessment:
The process of identifying threats to information or information systems, determining the likelihood of occurrence of the threat, and identifying system vulnerabilities that could be exploited by the threat.

Risk Management:
The process of taking actions to assess risks and avoid or reduce risk to acceptable levels.

Security Management:
The responsibility and actions required to manage the security environment, including the security policies and mechanisms.

Security Program:
The set of criteria for the provision of security services based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes by users, a group of users, or entities acting on behalf of users.

Sensitivity:
The degree to which, in terms of confidentiality, the leakage or disclosure of information would cause a negative impact to the organization.

Sniffing:
Monitoring network traffic.

Spamming:
Blindly posting something to a large number of groups.

Spoofing:
Representing yourself as someone else.

Standard:
Sets of rules for implementing the program. Standards make specific mention of technologies, methodologies, implementation procedures and other detailed factors.

State:
Shall mean the State of New York.

Technical Security Review:
A technical security review consists of reviewing the controls built into a system or application to ensure they still perform as designed. It also includes reviewing security patches to ensure they have been installed and are operational, review of security rules such as access control lists for currency, testing of firewall rules, etc.

The College:
The State University of New York, College at Oneonta

Third Party:
Any non-College entity such as a contractor, vendor, consultant, another College, etc.

Threat:
A threat is a force, organization or person which seeks to gain access to, or compromise, information. A threat can be assessed in terms of the probability of an attack. Looking at the nature of the threat, its capability and resources, one can assess it, and then determine the likelihood of occurrence, as in risk assessment.

Trojan Horse:
Illegal code hidden in a legitimate program that, when executed, performs some unauthorized activity or function.

Unauthorized Access Or Privileges:
An insider or outsider who gains access to network or computer resources without permission.

USENET News group:
A USENET news group is a bulletin board where people can read or post Netnews messages on specific topics. There are many specialized business news groups. Many news groups are subscribed to by experts in the given topic, and these individuals can provide valuable information and will sometimes respond to direct queries.

User:
One who has authorized access to information on a computer. The authorization may include the ability to add or update information as well as to access it.

Virus:
Any security threat that executes in a manner such that computer resources are damaged, lost or otherwise occupied so that they are unavailable.

VPN:
Virtual Private Network. Internet protocol (IP) virtual private networks (VPNs) are a collection of technologies that ensure the privacy of data over a shared, unsecured IP network infrastructure. The two key points as to what constitutes an IP VPN are privacy and an IP network.

Vulnerability:
A weakness of a system or facility holding information which can be exploited to gain access. Vulnerability can be assessed in terms of the means by which the attack would be successful.

World Wide Web (WWW):
The World Wide Web is a hypertext-based system designed to allow access to information in such a way that the information may physically reside on local or geographically distant servers. This access was greatly improved through the introduction of a graphical interface to the World Wide Web called a web browser. Netscape and Internet Explorer are two of the most popular web browsers.

Worm:
A program similar to a virus that can consume large quantities of network bandwidth and spread from one network to another.

Effective Dates

• Approved by the President on 3/27/2005

• Revised on 9/25/2010
