04-010 Information Security Policy

Last Update: November 4, 2025

Approved: November 4, 2025 by President Zvi Szafran

Policy Contact: Chief Information Officer

Supersedes:


I. SCOPE

This policy applies to all individuals with SUNY Canton employee-level permission to use network and electronic resources (i.e., faculty, staff, and campus-affiliated individuals and organizations) and service providers who have access to or utilize institutional technology resources.

II. POLICY STATEMENT

The mission of SUNY Canton’s Information Security Program is to preserve the confidentiality, integrity, and availability of SUNY Canton information assets, in accordance with this policy. The Information Security Program serves as the institution’s mechanism to appropriately identify, select, maintain, and improve information security controls.

The Security Program is framed on the National Institute of Standards and Technology (NIST) framework, with controls implemented according to the Center for Internet Security (CIS) Critical Security Controls priorities. SUNY Canton is therefore implementing the control standards and procedures required to support the organization’s Information Security Policy. This policy is further defined by control standards, procedures, control metrics, and control tests to assure function.

III. POLICY

This policy framework consists of nineteen (19) separate policy statements, with supporting Standards documents, based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-171. SUNY Canton will:

  1. Access Control
    Limit information system access to third parties unless there is a legitimate institutional need to provide such access. SUNY Canton may share your personal information with the following recipients:
    • SUNY System Administration and other campuses within the SUNY System to govern, administer, and improve the SUNY system.
    • SUNY Canton's affiliated entities including, but not limited to, the Research Foundation for the State University of New York, SUNY Canton College Foundation, and the College Association to provide ancillary services.
    • SUNY Canton's service providers that need access to your personal information to provide SUNY Canton with services necessary to fulfill SUNY Canton's mission or improve the SUNY Canton student or employee experience.
    • Accrediting agencies to obtain or maintain accreditations for SUNY Canton's and its affiliates' various programs.
    • Federal, State, and local governments or regulatory authorities as required by law or as necessary to fulfill the mission of SUNY Canton.
    • Anonymized data developed from personal information to third parties, such as government entities and research collaborators.
  2. Audit and Accountability
    • Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, specific to confidential data and confidential networks, at a minimum.
    • Ensure that the actions of individual information system users can be uniquely traced for all restricted systems.
  3. Awareness and Training
    • Ensure that supervisors and users of information systems complete annual training on the security risks associated with their activities and on the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organization information systems.
    • Ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
  4. Configuration Management
    • Establish and maintain baseline configurations and inventories of organizational information systems throughout the respective system development life cycles.
    • Establish and enforce security configuration settings for information technology products employed in organizational information systems.
  5. Contingency Planning
    • Establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for the organization’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
  6. Identification and Authentication
    • Identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to SUNY Canton information systems.
  7. Incident Response
    • Establish an operational incident handling capability for organization information systems that includes adequate preparation, detection, analysis, containment, recovery, and user-response activities.
    • Track, document, and report incidents to appropriate organization officials and/or authorities.
  8. Governance Plan
    • Establish a governance plan wherein the Information Security Program is led by an Information Security Officer (ISO) and governed by the Information Security Working Group.
  9. Maintenance
    • Perform periodic and timely maintenance on organization information systems.
    • Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
  10. Media Protection
    • Protect information system media, both paper and digital.
    • Limit access to information on information system media to authorized users.
    • Use encryption, where applicable and appropriate.
    • Sanitize or destroy information system media before disposal or release for reuse.
  11. Personnel Security
    • Ensure that individuals who occupy positions of responsibility within the organization are trustworthy.
    • Ensure that organization information and information systems are protected during and after personnel actions such as terminations and transfers.
    • Employ formal sanctions for personnel failing to comply with SUNY Canton security policies and procedures.
  12. Physical and Environmental Protection
    • Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.
    • Protect and support physical infrastructure for information systems.
    • Provide supporting utilities for information systems.
    • Protect information systems against environmental hazards.
    • Provide appropriate environmental controls in facilities containing information systems.
  13. Planning
    • Develop, document, periodically update, and implement security plans for organization information systems that describe the security controls in place or planned for the information systems.
    • Establish rules of behavior for individuals accessing the information systems.
  14. Program Management
    • Implement security program management controls to provide a foundation for the organizational Information Security Program.
  15. Risk Assessment
    • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
  16. Security Assessment and Authorization
    • Periodically assess the security controls in the organization’s information systems to determine if the controls are effective in their application.
    • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organization information systems.
    • Authorize the operation of the organization’s information systems and any associated information system connections.
    • Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
  17. System and Communications Protection
    • Monitor, control, and protect the organization’s communications (i.e., information transmitted or received by the organization’s information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions.
    • Employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within the organization’s information systems.
  18. System and Services Acquisition
    • Allocate sufficient resources to adequately protect organization information systems.
    • Employ system development life-cycle processes that incorporate information security considerations.
    • Employ software usage and installation restrictions.
    • Ensure that third-party providers employ adequate security measures, as defined by federal and state law and contract, to protect information, applications, and/or services outsourced from SUNY Canton.
  19. System and Information Integrity
    • Identify, report, and correct information and information system flaws in a timely manner.
    • Provide protection from malicious code at appropriate locations within the organization’s information systems.
    • Monitor information system security alerts and advisories and take appropriate actions in response.

Enforcement of Policy

Enforcement is the responsibility of SUNY Canton’s Chief Information Officer (CIO). Users who violate this policy may be subject to discipline up to and including termination consistent with the terms and conditions of any applicable Collective Bargaining Agreement, if any. The institution may temporarily suspend an account when it reasonably appears necessary to do so to protect the integrity, security, or functionality of the institution or other computing resources or to protect SUNY Canton from liability.

Exceptions to the policy may be granted by the Chief Information Officer (CIO), or by their designee. All exceptions must be reviewed annually.

IV. DEFINITIONS

Information Technology Resources: Refers to the College’s information assets (i.e. hardware, software, or data) used by employees, students, and affiliates for college business.

Enclave: A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.

Affiliated Individuals and Organizations: External organizations, and their employees and volunteers, whose activities significantly assist SUNY Canton in advancing and achieving its strategic goals. Examples include, but are not limited to, College Association, the College Foundation, the Research Foundation of New York, and the Cornell Cooperative Extension and its partners.

V. OTHER RELATED INFORMATION

VI. PROCEDURES

None

VII. FORMS

None

VIII. AUTHORITY

NYS and SUNY Mandated Policy, Regulatory Compliance

IX. APPENDICES

None

X. FREQUENCY OF REVIEW AND UPDATE

Policies will have a normal review period of every three (3) years unless required otherwise.