Document Owner: Vice President for Administration
Effective Date: November 6, 2008
Objective: Define the primary standard of guidance for implementing the Binghamton University Information Security Program; define campus's responsibility for information security; and establish a hierarchy of related policy and procedures.
Audience: University workforce and students.
INFORMATION SECURITY GOVERNANCE
1. Pursuant to federal and state laws and State University of New York (SUNY) policy and procedures, Binghamton University must maintain an effective, comprehensive information security program (Program) that addresses the full range of information security issues that affect the University and that aligns the University's practices with applicable laws, regulations, policies, and standards of practice.
2. The Program implements the structures and engages the actions defined in the SUNY Procedure #6608, Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality. The Program must:
a. lead and assist the University workforce and students in preserving the confidentiality, integrity, and availability of all forms of information declared sensitive by SUNY and the University, herein referred to as sensitive information (see the Information Security Program Definitions document).
b. give special attention to preserving the confidentiality of information that bears directly on the privacy, health, and property rights of persons with whom SUNY and the University have business transactions, including workforce, students, alumni, applicants, contractors, vendors, and customers.
c. lead and assist the University workforce and students in protecting the physical and digital components that shelter, store, process, or transmit sensitive information, herein referred to as sensitive systems. These assets include both technical and physical containers, such as computers, networks, databases, applications, buildings, rooms, safes, cabinets, closets, and other components of the infrastructure.
d. engage all workforce and students, as appropriate to their roles, in actively anticipating and addressing threats and hazards to the security of sensitive information and sensitive systems.
RESPONSIBILITY FOR INFORMATION SECURITY
1. The Vice President for Administration is primarily responsible for assuring an effective Information Security Program.
2. The Vice President for Administration is primarily responsible for enforcement. This responsibility may be delegated.
3. All supervisors must implement and monitor procedures, as appropriate to their business unit’s work, to support and encourage the proper treatment of sensitive information or sensitive systems.
4. All workforce and students, as appropriate to their jobs, must treat sensitive information and sensitive systems in accordance with the principles and procedures established by the Program.
5. Responsibility for developing, deploying, and managing the Program lies with the Information Security Council and the Information Security Officer (ISO), who will work in conjunction with the Internal Control Officer, the Office of University Counsel, and the Office of Internal Audit.
6. The ISO will work with the relevant stakeholders to formulate specific policies, guidelines, standards, and procedures in support of various risk management strategies. The Vice President for Administration may further establish advisory or working groups to assist in implementing this policy.
7. Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines and procedures.
8. Compliance is determined via periodic audits, scans, and reviews and is measured against published policies, procedures, and standards. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations.
9. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented and written notifications sent to responsible parties. These notices will include recommendations for corrective action. A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action. Follow up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions.
10. Nothing in this section will be construed as an impediment to responding to a security incident.
HIERARCHY OF INFORMATION SECURITY POLICY AND PROCEDURE
1. The University must maintain a comprehensive set of policies that address the full scope of issues required of the Program.
2. The information security policies must be maintained in a formal library governed by the Program.
3. The Program must promulgate each of the policies in this set to the appropriate audiences and assist the University's training staff in educating those audiences about the content and intent of the policies.
SUNY Compliance Procedure: Information Security Guidelines, Part 1, Document #6608