Policies and Procedures
Information Security Policy
The purpose of this policy is to assist the organization in its efforts to fulfill its fiduciary responsibilities relating to the protection of information assets and comply with regulatory and contractual requirements involving information security and privacy. This framework consists of nineteen (19) separate policy statements based on National Institute of Standards and Technology (NIST) Special Publication 800-171 requirements and SUNY Information Security Policy 6900.
Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a comprehensive governance structure that addresses key controls in all known areas needed to provide for the confidentiality, integrity, and availability of the organization’s information assets. This framework also provides administrators guidance necessary for making prioritized decisions, as well as justification for implementing organizational change.
Reason for Policy
The purpose of this Information Security Policy is to clearly establish State University of New York College of Environmental Science and Forestry’s (SUNY ESF) role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables SUNY ESF to implement a comprehensive system-wide Information Security Program.
References
Policy Office: Executive Director for Administration
Contact: [email protected]
- Gramm-Leach-Bliley Act (GLBA, 314.4)
- Family Educational Rights and Privacy Act (FERPA)
- NYS Information Security Breach and Notification Act (Section 208 of the State Technology Law)
- NIST 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations
- Payment Card Industry Data Security Standard (PCI DSS) v4.x
- ESF Acceptable Use of Information Technology Resources Policy #402
- ESF Data Governance Policy #403
- ESF Cyber Security Awareness and Education Policy #404
- SUNY Policy 6900 – Information Security Policy
- SUNY Procedure 6608 – Information Security Guidelines
Contacts
Specific questions should be directed to the following:
Policy Clarification and General Information / Policy Development:
Chief Information Security Officer
(315) 470-6642
[email protected]
Definitions
- Authorized Users - Any individual or third party with legitimate institutional need granted credentials to access ESF’s information assets.
- Information Asset - Any application, system or solution used by ESF that creates, receives, maintains, or transmits restricted or private data, such as protected health information, personally identifiable information, payment card data, etc.
- Information Security Program (ISP) - A collection of initiatives that form the basis for any cyber security plan involving confidential data.
- Written Information Security Program (WISP) - A document detailing a description of the complete manner in which a company implements the administrative, technical, or physical safeguards in place to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle member information.
- National Institute of Standards and Technology (NIST) 800-171 - NIST 800-171 is the federal government's framework for ensuring the security of Controlled Unclassified Information (CUI) and standardizing how agencies handle that information. It is composed of 110 controls divided among 17 standards, each covering a different aspect of protecting CUI. It is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit CUI or provide security protection for such systems.
- Gramm-Leach-Bliley Act of 1999 (GLBA) - US law that applies to financial institutions and includes privacy and information security provisions that are designed to protect consumer financial data. This law applies to how higher education institutions collect, store, and use student financial records, records regarding tuition payments and/or financial aid, containing personally identifiable information.
- Family Educational Rights and Privacy Act of 1974 (FERPA) - FERPA was designed primarily to ensure that educational records would be maintained in confidence and available to eligible students for inspection and correction when appropriate and that any such recorded information would not be made freely available to individuals outside the school without consent or as otherwise allowed by law.
- Security Event - An event in which an unauthorized party impacts the confidentiality, integrity, or availability of information systems, processes, or operations.
Policy Details
- IMPLEMENTATION
SUNY ESF needs to protect the availability, integrity and confidentiality of data while providing information resources to fulfill the organization’s mission. The Information Security Program must be risk-based and implementation decisions must be made based on addressing the highest risk first.
SUNY ESF’s administration recognizes that fully implementing all controls within the NIST Standards is not possible due to organizational limitations and resource constraints. Administration must implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practicable.
SUNY ESF has implemented an Information Security Committee (ISC). Committee Members support the College's mission by providing oversight and prioritization of information security issues, risk mitigation efforts, and resource investments through the review and development of information security policies, procedures, and guidelines. The ISC will assist with aligning information security objectives with those contained in the College’s Strategic Plan. It will advise and provide guidance in order to reduce operational risk, identify emerging risks within the organization and potential solutions to address these risks, and serve as a consultative body to Senior Management. Roles and responsibilities will be established to ensure the maintenance and continual improvement of SUNY ESF’s Information Security Program. Operating areas will assist in implementing documented controls and ensure compliance with the Information Security Program.
- ROLES AND RESPONSIBILITIES
SUNY ESF has assigned the following roles and responsibilities:
- President: SUNY Information Security Policy 6900 has designated Campus Presidents as the responsible office for implementation.
- Chief of Staff: Provides oversight and serves as the executive sponsor for the College’s Information Security Program.
- Chief Information Officer (CIO): The Chief Information Officer has operational accountability for the implementation of SUNY ESF’s Information Security Program including policies, procedures, standards, and related managerial, administrative, and technical controls.
- Information Security Officer (ISO): Responsible for the development, implementation, and maintenance of a comprehensive Information Security Program for SUNY ESF. This includes security policies, procedures, and standards which reflect best practices in information security.
- Information Security Committee (ISC): This is a cross-functional advisory group responsible for supporting the CIO and ISO in the development and management of ESF’s Information Security Program. The team is comprised of selected directors and senior staff who will meet quarterly, or as needed, to provide feedback and guidance on various security-related initiatives.
- End Users:
- Understand and conform with applicable policies, procedures, and standards;
- Protect and properly use all company assets made available to the End User; and
- Immediately communicate any detected potential security event or anomaly through the respective channels and in accordance with the internal policies and procedures.
- INFORMATION AND SYSTEM CLASSIFICATION
SUNY ESF will establish and maintain security categories for both information assets and information systems. For more information, reference the Data Classification Policy.
- PROVISIONS FOR INFORMATION SECURITY STANDARDS
The SUNY ESF Information Security Program is framed on National Institute of Standards and Technology (NIST) requirements. SUNY ESF must develop appropriate policies and procedures required to support the College’s Information Security Policy, which is based specifically on NIST Special Publication 800-171 and subsumed within SUNY Information Security Policy 6900. The standards contained in NIST 800-171 are described by the following control families:
- Access Control (AC)
SUNY ESF must limit information system access to authorized users with appropriate privileges, third parties acting on behalf of authorized users or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise.
- Awareness and Training (AT)
SUNY ESF must: (i) ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organization information systems; and (ii) ensure that users are adequately trained to carry out their assigned information security-related duties and responsibilities.
- Audit and Accountability (AU)
SUNY ESF must: (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, specific to confidential data and confidential networks, at a minimum; and (ii) ensure that the actions of individual information system users can be uniquely traced for all restricted systems.
- Assessment and Authorization (AA)
SUNY ESF must: (i) periodically assess the security controls in organization information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organization information systems; (iii) authorize the operation of the organization’s information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- Configuration Management (CM)
SUNY ESF must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
- Contingency Planning (CP)
SUNY ESF must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for the organization’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
- Identification and Authentication (IA)
SUNY ESF must identify information system users, processes acting on behalf of users, or devices, and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to SUNY ESF information systems.
- Incident Response (IR)
SUNY ESF must: (i) establish an operational incident handling capability for organization information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organization officials and/or authorities.
- Maintenance (MA)
SUNY ESF must: (i) perform periodic and timely maintenance on organization information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
- Media Protection (MP)
SUNY ESF must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; (iii) encrypt information on information system media, where applicable; and (iv) sanitize or destroy information system media before disposal or release for reuse.
- Physical Protection (PE)
SUNY ESF must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
- Planning (PL)
SUNY ESF must develop, document, periodically update, and implement security plans for organization information systems that describe the security controls in place or planned for the information systems, as well as rules of behavior for individuals accessing the information systems.
- Personnel Security (PS)
SUNY ESF must: (i) ensure that individuals occupying positions of responsibility within our organization are trustworthy and meet established security criteria for those positions; (ii) ensure that our organization’s information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with SUNY ESF security policies and procedures.
- Risk Assessment (RA)
SUNY ESF must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
- System and Services Acquisition (SA)
SUNY ESF must: (i) allocate sufficient resources to adequately protect organization information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures, through federal and state law and contract, to protect information, applications, and/or services outsourced from the organization.
- System and Communications Protection (SC)
SUNY ESF must: (i) monitor, control, and protect organization communications (i.e., information transmitted or received by organization information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and (ii) employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within organization information systems.
- System and Information Integrity (SI)
SUNY ESF must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organization information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
- Supply Chain Risk Management (VM)
SUNY ESF must establish a process for assessing and managing the risks associated with third-party vendors who process, transmit, handle, or store institutional information.
- Program Management (PM)
SUNY ESF must implement security program management and technical controls to provide a foundation for the organizational Information Security Program.
- ENFORCEMENT
SUNY ESF may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of the organization and computer resources.
Any personnel found to have violated this policy or any related procedures may be subject to disciplinary action, up to and including termination of employment, consistent with the terms and conditions of any applicable Collective Bargaining Agreement.
- PRIVACY
SUNY ESF must make every reasonable effort to respect a user's privacy. However, users do not have a right to privacy for communications transmitted or stored on organization resources.
Additionally, in response to a judicial order or any other action required by law or permitted by official organization policy, or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the organization, the Chief Information Officer, or an authorized agent, may access, review, monitor and/or disclose computer files associated with an individual's account.
- EXCEPTIONS
To request an exception, submit a request to SUNY ESF’s Computing Network Service’s Helpdesk. Requests must be based on a risk-based approach and contain the following information:
- Why the exception is needed
- The duration of the exception
- Compensating controls that are in place to mitigate risks associated with the exception
Policy exceptions require approval by the Chief Information Officer, or their designee, and a member of executive leadership. Approved exceptions must be retained for record keeping.
History
Procedure Revision Record
02/05/2026 Implementation Date
Policy Revision Record
02/05/2026 Policy Implementation
