Legal and Compliance
Information Security Policy
September 14, 2016
This policy item applies to:
Responsible System Office: Chief Information Officer
Responsible Campus Office: Campus President
The State University of New York (“SUNY” or “State University”) is committed to securing and protecting the information within its possession. As an institution of higher education operating in New York State, SUNY must comply with federal and state confidentiality and information safeguarding laws, as well as meet data protection requirements imposed by its accrediting agency, the Middle States Commission on Higher Education (“MSCHE”). SUNY’s core academic mission and strategic goals require policies, procedures, controls, monitoring and verifications to protect the information it possesses or transmits through the normal course of operations. In an increasingly digital environment, the broad range of information central to the facilitation of academic programs, student services, and overall business operations in the State University’s possession has made such information one of SUNY’s most important assets, requiring increased vigilance with respect to storing, sharing, and using data that builds on existing SUNY policy and practice.
The scope of SUNY’s academic programs and mission requires secure information sharing between its State-operated campuses, statutory colleges, and community colleges as well as with System Administration, for the facilitation of academic programs and student services, ongoing improvement, and oversight.
SUNY’s policies on assessment and institutional effectiveness including, most recently, the Data Transparency and Reporting Policy adopted by the SUNY Board of Trustees in 2013 (Resolution No. 2013-025) affirmed principles for data integrity and use of data to strengthen and report on progress of the academic programs at each institution. The Data Transparency and Reporting Policy directed each SUNY campus to develop and implement plans for the regular assessment and review of programs. Such plans are to contain elements to preserve and protect data, not only for the purpose of addressing confidentiality concerns, but also to ensure integrity and accuracy in reporting for program quality and success in meeting and exceeding applicable standards placed upon SUNY by state and federal law, the New York State Education Department, and MSCHE.
Finally, the legal and reputational risks involved in the potential breach of security of data require campuses to evaluate the need to pursue insurance to protect against loss in the event of a security breach which can result not only from legal fees, but also the losses that go beyond litigation, including breach incident response costs, breach notification procedures, mitigation measures to protect those whose information was affected, crisis management teams, and damage to the institution’s reputation.
In order to obtain breach insurance coverage, campuses are required to verify that they have, and comply with, a robust information security policy. For these reasons, it is imperative for SUNY to maintain a system-wide Information Security Policy.
The objective of this policy is to ensure that the State University’s information assets, including academic, health, research, financial, and other information deemed non-public, are adequately safeguarded. It is the responsibility of the State University to ensure the confidentiality of its non-public information, while preserving the integrity and availability of the public information that is stored, processed, and/or transmitted on SUNY’s campuses and System Administration. Additionally, the State University must be diligent in its efforts to protect the academic, research, financial, health and personal information of its faculty, staff, students, and all persons interacting with SUNY’s institutions. This policy will help protect SUNY’s information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our academic culture. Furthermore, this policy clarifies the responsibility of SUNY campuses and System Administration regarding existing security policies and procedures. All members of the State University community and users of SUNY data are expected to adhere to this policy and take the necessary measures to protect and secure data they possess and transmit.
The Information Security Policy is a SUNY system-wide policy that applies to:
In accordance with this policy, campuses and System Administration are responsible for:
There are no definitions relevant to this policy.
Records Schedules governing retention and disposition of information at SUNY campuses:
Federal Educational Rights and Privacy Act (FERPA) - Information available on the SUNY Compliance FERPA webpage
Health Insurance Portability and Accountability Act (HIPAA) - Information available on the SUNY Compliance HIPAA webpage
Gramm- Leach- Bliley Act - Information available on the SUNY Compliance GLBA webpage
Payment Card Industry Data Security Standard (PCI DSS)
NYS Information Security Breach & Notification Law
NYS Business Law and Technology Law
NYS Governmental Accountability, Audit & Internal Control Act
NYS Information Security Policy P03-003
NYS Education Law, including, but not limited to, §6304(12), relating to electronic transactions at the community colleges
Community Rights & Responsibilities
SUNY Document No. 6601 - Compliance with Freedom of Information Law (FOIL).
SUNY Policy Document No. 6609 - Records Retention and Disposition Policy, with Introduction to the SUNY Records Retention and Disposition Schedule.
There are no forms relevant to this policy.
In case of questions, readers are advised to refer to the New York State Legislature site for the menu of the Laws of New York State.
September 14, 2016, Board of Trustee Resolution No. 2016-51, Information Security Policy.
There are no appendices relevant to this policy.