Device and Media Controls Policy
Expresses the campus' commitment to securing sensitive information in hardware and electronic media.
| Policy Number | Policy Owner |
|---|---|
| 10007.1 | Information Technology Services |
- 1.0 Purpose
- 2.0 Revision History
- 3.0 Units and Persons Affected
In order to protect its hardware and electronic media against damage, theft and unauthorized access, SUNY Plattsburgh consistently controls and protects its hardware and electronic media through the entire lifecycle, from initial receipt to final removal. When feasible, SUNY Plattsburgh will encrypt portable devices.
Types of hardware and electronic media to which this policy applies include:
- Computers (desktops, laptops, tablets)
- Floppy disks
- Backup media
- Zip drives
- Hard drives
- Portable hard drives
- Flash memory
- Personal Digital Assistant (PDA)
- Removable media
- As a rule, software and hardware purchased or leased through state or IFR accounts should follow campus standards with respect to manufacturer, vendor, and version. Campus standards will be posted on the SUNY Plattsburgh Technology Services webpage.
- When upgrading media devices, separate system backups should be made prior to the upgrade. Such backups should be stored in a safe place and can be recycled after the next installation cycle.
- Administrator passwords should be recorded in a secure place.
- A secondary or backup system administrator should be identified who would have access to the administrator password in case of emergency. If appropriate, work schedules should be coordinated to provide the best chance that at least one would be available in an emergency.
- Software for personal use should never be installed on sensitive information systems.
- SUNY Plattsburgh campus personnel who move hardware or electronic media on which sensitive information is stored into, out of, and within SUNY Plattsburgh’s facilities are required to take reasonable steps to ensure that the sensitive information is protected against damage, theft and unauthorized access.
- SUNY Plattsburgh logs and tracks the final disposal of all sensitive information and hardware and electronic media on which sensitive information is stored. This logging and tracking provides the following information:
  - Date and time of disposal
  - Who administered the disposal
  - Description of the hardware and electronic media being disposed of, on which sensitive information is stored
  - Description of how the disposal was accomplished (i.e., method used)
Data Backup and Storage
- SUNY Plattsburgh makes exact, retrievable backup copies of sensitive information on an ongoing basis.
- SUNY Plattsburgh periodically compares the restoration of the system from backups to the original, to corroborate that sensitive information has not been destroyed in an unauthorized manner.
- SUNY Plattsburgh takes reasonable steps to ensure that sensitive information that is backed up in connection with movement of equipment into, out of, and within its offices can be recovered following a disaster or other emergency, or a failure of the equipment, during movement.
- SUNY Plattsburgh stores its backup copies of sensitive information and its records of the backup copies and restoration procedures in a secure remote location.
- SUNY Plattsburgh makes the backup copies of sensitive information stored at the remote location accessible to authorized staff members for retrieval when needed in the event of a disaster or other emergency, or a failure of the equipment, during movement.
- SUNY Plattsburgh provides appropriate physical and environmental protection to the backup copies of sensitive information stored at the remote location.
- SUNY Plattsburgh tests the backup and restoration procedures for equipment on which sensitive information is stored. SUNY Plattsburgh takes reasonable steps to ensure that the procedures are effective and can be completed within a reasonable amount of time.
- SUNY Plattsburgh defines and documents an appropriate retention period for the copies of sensitive information backed up in connection with movement of equipment into, out of, and within its facilities.
- 5.0 Definitions
- 6.0 Responsibilities
- 7.0 Procedures
- 8.0 Forms
- 9.0 Appendix
- 10.0 Distribution and Training
For additional information about this policy, please contact the Policy Owner listed above.