Farmingdale Information Security Policy
Purpose
Farmingdale State College has adopted the following Information Security Policy as
a measure to protect the confidentiality, integrity and availability of Institutional
Data as well as any Information Systems that store, process or transmit Institutional
Data in direct support of the College's strategic mission and goals.
Policy Statement
It is the policy of the College to comply with legal and regulatory requirements governing
the collection, retention, dissemination, protection, and appropriate destruction
of sensitive information. This requires the University to maintain a vigorous and
comprehensive Information Security Program designed to satisfy its statutory obligations,
enable and assure core services, and fully support academic activities.
The Information Security Program will include the administrative, technical and physical
safeguards appropriate to the size and complexity of the College and the sensitivity
of its information. The program will be based on established risk management practices.
The program will implement the standards set out in SUNY's Information Security Guidelines,
Part 1: Campus Programs & Preserving Confidentiality, Document #6608.
Scope
This Policy applies to all faculty, staff and third-party Agents of the College as well as any other College affiliates who are authorized to access Institutional Data.
Roles and Responsibilities
Oversight
The Director of Information Technology and the Vice President for Administration & Finance are primarily responsible for assuring an effective Information Security Program. Responsibility for developing, deploying, and managing the Information Security Program lies internally within IT.
Governance
The Director of Information Technology will work with the relevant stakeholders from departments across campus to develop appropriate controls while facilitating the operations of the College.
Operations
Campus information technology staff is primarily responsible for the implementation of technical/operational controls. Members of the College community at large are responsible for implementing and adhering to relevant policies, standards, procedures, guidelines and security awareness training. The information security awareness training program has been developed for Farmingdale State College by SecuringTheHuman.org, from the SANS Institute.
Compliance
The Director of Information Technology and the Vice President for Administration and
Finance are primarily responsible for enforcement. This responsibility may be delegated.
Vice Presidents are responsible for the compliance of their divisions with this policy,
related policies, and their applicable standards, guidelines and procedures.
Compliance is determined via periodic audits, scans, and reviews and is measured against
this policy and all published related documents. The frequency and nature of these
reviews are based on the risk and criticality of the resource, major changes, or new
State or Federal regulations.
Instances of non-compliance will be addressed on a case-by-case basis. All cases will
be documented and notifications sent to responsible parties. These notices will include
recommendations for corrective action. A reasonable period of time, depending on the
level of exposure and criticality of the resource, will be stipulated for implementing
corrective action. Follow-up review(s) will determine the subsequent degree of compliance.
Failure to meet compliance requirements may result in sanctions.
Nothing in this section will be construed as an impediment to responding to a security
breach incident.
Review
This policy will be reviewed and updated as needed. The policy review will occur no less than once every five years.