Welcome to Farmingdale State College’s Policy Library. This library is the official repository for all institutional policies and procedures and is intended to be a resource for faculty, staff and students seeking information related to the policies that govern the institution. This library does not contain department-specific policies and procedures. Please contact the department for specific departmental policies and procedures.

Please direct all questions regarding policy content to the Responsible Office listed on the respective policy.

If you wish to propose or amend an institutional policy, please review the Policy for Developing Institutional Policies and complete the Policy Proposal Form.

For assistance with drafting and amending policies, please refer to the Policy Writing Guidance and/or contact the Risk and Compliance Office at 934-420-5365.

Farmingdale Information Security Policy

Policy Purpose

Farmingdale State College has adopted the following Information Security Policy as a measure to protect the confidentiality, integrity and availability of Institutional Data as well as any Information Systems that store, process or transmit Institutional Data in direct support of the College's strategic mission and goals.

Persons Affected

Faculty, Staff, Students, Third Parties

Policy Statement

It is the policy of the College to comply with legal and regulatory requirements governing the collection, retention, dissemination, protection, and appropriate destruction of sensitive information. This requires the University to maintain a vigorous and comprehensive Information Security Program designed to satisfy its statutory obligations, enable and assure core services, and fully support academic activities. The Information Security Program will include the administrative, technical and physical safeguards appropriate to the size and complexity of the College and the sensitivity of its information. The program will be based on established risk management practices. The program will implement the standards set out in SUNY's Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, Document #6608.

Roles and Responsibilities

The Director of Information Technology and the Vice President for Administration & Finance are primarily responsible for assuring an effective Information Security Program. Responsibility for developing, deploying, and managing the Information Security program lies internally within IT.

The Director of Information Technology will work with the relevant stakeholders from departments across campus to develop appropriate controls while facilitating the operations of the College.

Campus information technology staff is primarily responsible for the implementation of technical/operational controls. Members of the College community at-large are responsible for implementing and adhering to relevant policies, standards, procedures, guidelines and security awareness training. The information security awareness training program has been developed for Farmingdale State College, using Knowbe4.


The Director of Information Technology and the Vice President for Administration and Finance are primarily responsible for enforcement. This responsibility may be delegated. Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines and procedures. Compliance is determined via periodic audits, scans, and reviews and is measured against this policy and all published related documents. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented and notifications sent to responsible parties. These notices will include recommendations for corrective action. A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action. Follow up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions.
Nothing in this section will be construed as an impediment to responding to a security breach incident.


This policy will be reviewed and updated as needed. The policy review will occur no less than once every five years.

Responsible Office

Information Technology