Policies

Welcome to Farmingdale State College’s Policy Library. This library is the official repository for all institutional policies and procedures and is intended to be a resource for faculty, staff and students seeking information related to the policies that govern the institution. This library does not contain department-specific policies and procedures. Please contact the department for specific departmental policies and procedures.

Please direct all questions regarding policy content to the Responsible Office listed on the respective policy.

If you wish to propose or amend an institutional policy, please review the Policy for Developing Institutional Policies and complete the Policy Proposal Form.

For assistance with drafting and amending policies, please refer to the Policy Writing Guidance and/or contact the Risk and Compliance Office at 934-420-5365.

Cyber Security Awareness and Education Policy

Policy Purpose

Computer security is not just about keeping systems and networks secure. It is also about the people who use those systems and how their behaviors can lead to cyber exploitation. Proper training can reduce the number of people who do careless things that cause a security incident or breach.

Training and education must be ongoing due to the ever-increasing variety and sophistication of cyber threats. These include but are not limited to spam, phishing, spoofing, malware, and ransomware, which can result in identity theft, data corruption, loss of intellectual property, operational disruption, and damage to the reputation of the institution. By law, Farmingdale State College is liable for losses, fines and penalties caused by data breaches, on top of the internal costs for incident investigation and remediation. Moreover, loss of trust in the College’s ability to protect the personal information of stakeholders could result in reductions in donations, grant funding, and student enrollment.

Persons Affected

All employee user account holders

Policy Statement

In accordance with SUNY policy and the National Insistutue of Standards and Technology (NIST), all employee users will be required to complete regular training. In addition to annual training, College-wide awareness campaigns will be ongoing, via newsletters, video bulletin boards, and other means. The awareness and education program will include the following:

  • Ongoing assessment of user compliance with cyber security standards
  • Remedial training for those found not practicing good cybersecurity defenses

Training completion results will be maintained by the Director of Information Technology.

Procedures

  • Training Program:
    1. Prior to fall semester, the training system’s online training modules are reviewed and selected by the Director of Information Technology for the upcoming academic year.
    2. The annual training is rolled out in October, which is Cyber Security Awareness Month.
      1. Users are instructed by an automated email to take the designated annual training, which is securely accessed through a link via the Farmingdale IT webpage. Once this training is successfully completed, the user has fulfilled their annual training requirement, unless they click on a test phishing email.
      2. Periodic simulated phishing emails are sent from the system to employees to gauge their skill level. Employees ‘clicking’ on links or opening attachments in the simulated phishing tests are assigned additional refresher training.
  • Communications:
    1. Director of Information Technology informs the Executive Vice President via email about the upcoming rollout of the annual cyber security training program in advance of employee communications.
    2. An email from the President or designee will be sent out informing employees about the cyber security training program and its upcoming launch prior to the annual rollout of Cyber Security Training.
    3. A welcome message is sent from the Director of Information Technology informing each user that they have been enrolled in annual cyber security awareness training. This message is sent via an email originating from the training system. Existing users receive the welcome email when the annual training campaign starts in October.
    4. New employees are required to complete cyber security awareness training within 30 days of account creation.
    5. Information regarding cyber security is disseminated using newsletters throughout the academic year by the Director of Information Technology. The newsletter articles include updates, scam alerts, tips, thanks, reminders, and notifications of deadlines for completion of training and consequences of non-compliance.
    6. Reminder messages are sent out periodically via the training system to individuals who have not started or have not completed their training.
  • Required training system users:
    1. Users accounts are sourced from our directory service.
    2. All users with active employee accounts will be included the training.
      • Examples of an employee account are those that have an active job (for faculty, staff, and administrators), are assigned a course (for adjuncts), or are non-employees who have been granted an employee level account.
  • Compliance:
    1. The user is reported to their supervisor if they have not completed the annual training by the deadline.
    2. This will be further escalated to the Area VP if the training has not been completed after two weeks after reporting it to their supervisor.
  • Review:
    1. The Training Program will be reviewed at least annually.
    2. Any event such as a policy or requirement change will trigger a review.

Definitions

Users – Any person who has a Farmingdale State College User Account with employee level permission to use network resources.

Related Documents

SUNY Information Security Policy 6900

SUNY Information Security Guidelines: Campus Programs & Preserving Confidentiality

Responsible Office

Information Technology

Policy History

Revised Date: 5/8/2024

Categories