Farmingdale Information Security Policy

Purpose

Farmingdale State College has adopted the following Information Security Policy as a measure to protect the confidentiality, integrity and availability of Institutional Data as well as any Information Systems that store, process or transmit Institutional Data in direct support of the College's strategic mission and goals.

Policy Statement

It is the policy of the College to comply with legal and regulatory requirements governing the collection, retention, dissemination, protection, and appropriate destruction of sensitive information. This requires the University to maintain a vigorous and comprehensive Information Security Program designed to satisfy its statutory obligations, enable and assure core services, and fully support academic activities.
The Information Security Program will include the administrative, technical and physical safeguards appropriate to the size and complexity of the College and the sensitivity of its information. The program will be based on established risk management practices. The program will implement the standards set out in SUNY's Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, Document #6608.

Scope

This Policy applies to all faculty, staff and third-party Agents of the College as well as any other College affiliates who are authorized to access Institutional Data.

Roles and Responsibilities

Oversight

The Director of Information Technology and the Vice President for Administration & Finance are primarily responsible for assuring an effective Information Security Program. Responsibility for developing, deploying, and managing the Information Security Program lies internally within IT.

Governance

The Director of Information Technology will work with the relevant stakeholders from departments across campus to develop appropriate controls while facilitating the operations of the College.

Operations

Campus information technology staff is primarily responsible for the implementation of technical/operational controls. Members of the College community at large are responsible for implementing and adhering to relevant policies, standards, procedures, guidelines and security awareness training. The information security awareness training program has been developed for Farmingdale State College by SecuringTheHuman.org, from the SANS Institute.

Compliance

The Director of Information Technology and the Vice President for Administration and Finance are primarily responsible for enforcement. This responsibility may be delegated.
Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines and procedures.
Compliance is determined via periodic audits, scans, and reviews and is measured against this policy and all published related documents. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations.
Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented and notifications sent to responsible parties. These notices will include recommendations for corrective action. A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action. Follow-up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions.
Nothing in this section will be construed as an impediment to responding to a security breach incident.

Review

This policy will be reviewed and updated as needed. The policy review will occur no less than once every five years.