Device and Media Controls Policy
Approved by Executive Council on June 7, 2011
| Policy Number | Policy Owner |
|---|---|
| 10007.1 | Library and Information Technology Services |
To protect the confidentiality, integrity and availability of sensitive information at SUNY Plattsburgh by controlling hardware and electronic media as they are moved into, out of and within its offices.
2.0 Revision History
3.0 Units and Persons Affected
SUNY Plattsburgh system administrators who manage servers that contain, access, or serve sensitive information.
In order to protect its hardware and electronic media against damage, theft and unauthorized access, SUNY Plattsburgh consistently controls and protects its hardware and electronic media through the entire lifecycle, from initial receipt to final removal. When feasible, SUNY Plattsburgh will encrypt portable devices.
Types of hardware and electronic media to which this policy applies include:
- Computers (desktops, laptops, tablets)
- Floppy disks
- Backup media
- Zip drives
- Hard drives
- Portable hard drives
- Flash memory
- Personal Digital Assistant (PDA)
- Removable media
- As a rule, software and hardware purchased or leased through state or IFR accounts should follow campus standards with respect to manufacturer, vendor, and version. Campus standards will be posted on the SUNY Plattsburgh Technology Services webpage.
- When upgrading media devices, separate system backups should be made prior to the upgrade. Such backups should be stored in a safe place and can be recycled after the next installation cycle.
- Administrator passwords should be recorded in a secure place.
- A secondary or backup system administrator should be identified who would have access to the administrator password in case of emergency. If appropriate, work schedules should be coordinated to provide the best chance that at least one would be available in an emergency.
- Software for personal use should never be installed on sensitive information systems.
- SUNY Plattsburgh campus personnel who move hardware or electronic media on which sensitive information is stored into, out of, and within SUNY Plattsburgh’s facilities are required to take reasonable steps to ensure that the sensitive information is protected against damage, theft and unauthorized access.
- SUNY Plattsburgh logs and tracks the final disposal of all sensitive information and hardware and electronic media on which sensitive information is stored. This logging and tracking provides the following information:
- Date and time of disposal
- Who administered the disposal
- Description of the hardware and electronic media being disposed of on which sensitive information is stored
- Description of how the disposal was accomplished (i.e., method used)
Data Backup and Storage
- SUNY Plattsburgh makes exact, retrievable backup copies of sensitive information on an ongoing basis.
- SUNY Plattsburgh periodically compares the restoration of the system from backups to the original, to corroborate that sensitive information has not been destroyed in an unauthorized manner.
- SUNY Plattsburgh takes reasonable steps to ensure that sensitive information that is backed up in connection with movement of equipment into, out of, and within its offices can be recovered following a disaster or other emergency, or a failure of the equipment, during movement.
- SUNY Plattsburgh stores its backup copies of sensitive information and its records of the backup copies and restoration procedures in a secure remote location.
- SUNY Plattsburgh makes the backup copies of sensitive information stored at the remote location accessible to authorized staff members for retrieval when needed in the event of a disaster or other emergency, or a failure of the equipment, during movement.
- SUNY Plattsburgh provides appropriate physical and environmental protection to the backup copies of sensitive information stored at the remote location.
- SUNY Plattsburgh tests the backup and restoration procedures for equipment on which sensitive information is stored. SUNY Plattsburgh takes reasonable steps to ensure that the procedures are effective and can be completed within a reasonable amount of time.
- SUNY Plattsburgh defines and documents an appropriate retention period for the copies of sensitive information backed up in connection with movement of equipment into, out of, and within its facilities.
- Access – The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
- Authorize – To grant authority or permission based on an authenticated identity.
- Availability – The property that data or information is accessible and useable upon demand by an authorized person.
- Backup – Creating a retrievable, exact copy of data.
- Confidentiality – The property that data or information is not made available or disclosed to unauthorized persons or processes.
- Disaster – An event that causes harm or damage to information systems.
- Electronic Media – Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Example: the internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
- Emergency – A crisis situation.
- Encryption – The conversion of data into secret, unreadable code.
- Integrity – The property that data or information have not been altered or destroyed in an unauthorized manner.
- Facility – The physical premises and the interior and exterior of a building(s).
- Password – Confidential authentication information composed of a string of characters.
- Portable devices – Portable equipment that stores sensitive information.
- Restoration – Establishing previously backed up files to the condition they were in at the time of backup.
- Sensitive information – Sensitive Information means information that, in the reasonable judgment of anyone charged by the organization to protect the organization's information, belongs to one of the classes of information that the organization has officially designated as requiring special handling.
- Staff member – Employees, volunteers, trainees, students, consultants, contractors, subcontractors and other persons under the direct control of SUNY Plattsburgh, whether or not they are paid by SUNY Plattsburgh.
All SUNY Plattsburgh staff members will comply with this policy and all procedures based on this policy.