Information Security Policy

Policy Number	Policy Owner
10006.1	Information Technology Services

1.0 Purpose

2.0 Revision History

Date	Version Number	Change Description	Referenced Section
12/4/12	1.0	New Document	Entire Document
10/7/15	1.1	Minor Revisions
1/11/17	1.2	Minor Revisions
12/13/18	1.3	Minor Revisions
2/1/22	1.4	Minor Revisions	Owner Name

Date

Version Number

Change Description

Referenced Section

12/4/12

1.0

New Document

Entire Document

10/7/15

1.1

Minor Revisions

1/11/17

1.2

Minor Revisions

12/13/18

1.3

Minor Revisions

2/1/22

1.4

Minor Revisions

Owner Name

Review Process / Approval

Action:	Units	Date
Policy Review	Information Technology Services Management Services
Policy Approval	Executive Council	12/4/12

Action:

Units

Date

Policy Review

Information Technology Services
Management Services

Policy Approval

Executive Council

12/4/12

3.0 Units and Persons Affected

4.0 Policy

4.1 Following the procedures outlined in SUNY document, Information Security Guidelines, Part 1, SUNY Plattsburgh will take reasonable measures to protect:

4.1.1 The confidentiality, integrity and availability of the sensitive information that it creates, receives, modifies, maintains or transmits

4.1.2 The security of the equipment and physical locations where the information is processed, maintained, and transmitted

4.1.3 The privacy rights of SUNY Plattsburgh students and staff members concerning this information

4.2 SUNY Plattsburgh will inform its staff members about the policies and procedures that apply to SUNY Plattsburgh generally and to staff members in their individual roles.

4.3 SUNY Plattsburgh will require all staff members upon employment, to sign a confidentiality agreement.

4.4 SUNY Plattsburgh will provide all staff members with general information security training and any additional security training specific to their area.

4.5 Revisions

4.5.1 SUNY Plattsburgh will perform periodic reviews of its information security policies and procedures and revise them as necessary.

4.5.2 Whenever SUNY Plattsburgh becomes aware of a change in law, regulations, or operating environment that necessitates a change to these policies and procedures, the revised policies and procedures will be documented and implemented.

4.6 Implementation & Enforcement

4.6.1 The Information Security Oversight Committee (ISOC) is charged with: understanding the College’s information security risk; understanding the Program and the University System’s information security standards; presenting professionally and legally sound and timely advice to executive management regarding appropriate action; ensuring the Program is exposed to outside, professional perspective, especially that of the University System’s Office of Information Security; and collaborating with key managers of the major business functions of the College to maintain the Program with comprehensive scope. Members of the ISOC are listed in Information Security Program Assignments.

4.6.2 The Information Security Committee (ISC) involves the College’s business functions in major risk decisions regarding the information for which those functions are owners or designated as responsible and involves each subsidiary of the College in the Program in appropriate ways. The ISC has the duty and authority to monitor, document, and assess the security of information and information systems, both digital and physical, within any function in the College, and to plan, design and recommend security-related projects and changes within any functions they have assessed. The ISC conducts ongoing information security assessments, especially assessments of the Program’s effectiveness, and reports these assessments in writing to senior management. Members of the ISC are listed in Information Security Program Assignments.

4.6.3 All supervisors and staff members of the College have the duty and responsibility to assist the ISOC and the ISC in meeting the Program’s mission

5.0 Definitions

Availability - The property that data or information is accessible and usable upon demand by an authorized person.

Classification - The designation given to information from a defined category on the basis of its sensitivity.

Confidentiality - The property that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity - The property that data or information have not been altered or destroyed in an unauthorized manner.

Sensitive Information - Sensitive Information is information that belongs to one of the classes of information that the organization has officially designated as requiring special handling.

Staff Member - Employees, volunteers, trainees, students, consultants, contractors, subcontractors and other persons under the direct control of SUNY Plattsburgh, whether or not they are paid by SUNY Plattsburgh.

Steward - An individual that has responsibility for making classification and access decisions regarding use of information.

6.0 Responsibilities

6.1 The Information Security Officer (as the President’s designee) will oversee the Program’s implementation, ensure individual managers are assigned stewardship and custodianship responsibilities for critical information assets, and respond on behalf of the College to the advice received from the Program.

6.2 Stewards will be responsible for making classification and access decisions for the sensitive information in their area.

6.3 Each staff member having authorized access to information owned and deemed sensitive by the information steward is individually responsible for handling such information in accordance with the policies and procedures established by the Program.

7.0 Procedures

8.0 Forms

9.0 Appendix

10.0 Distribution and Training