GLBA Information Security Program

Customer Information (GLBA) Inventory

Pursuant to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule codified at 34 CFR 314.4, the University at Albany maintains this written Information Security Program to protect the security, confidentiality, and integrity of customer financial records and related non-public personally identifiable financial information.

The Inventory of GLBA-covered customer information includes data utilized, accessed and stored by the following offices within the University:

  • Undergraduate Admissions
  • Student Financial Services (Financial Aid and Student Accounts)
  • Registrar's Office
  • Information Technology Services


Program Requirements

Designation of Qualified Individual

The Chief Information Security Officer (CISO), or designee, shall:

  1. Coordinate the Program

  2. Identify internal and external risks to the security and confidentiality of Covered Data and evaluate current safeguards

  3. Design and implement safeguards to control the identified risks and regularly test and monitor the effectiveness of these safeguards

  4. Oversee the assessment of security provided by contracted Service Providers

  5. Evaluate the effectiveness of the Program

The CISO or designee shall also designate one or more appropriate individuals to serve as the University Program Coordinator. The Program Coordinator administers this Information Security Program for the University and serves as the primary resource and liaison with the University at Albany Divisions, departments, units, Service Providers and Related Entities for addressing issues related to the GLBA Safeguards Rule and for disseminating relevant information and updates.

Risk Assessment

As part of the GLBA Information Security Program, the University maintains an information security risk assessment process. The process seeks to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of information, and to assess the sufficiency of the safeguards in place to control these risks. Specifically, the University recognizes that internal and external information security risks include but are not limited to:

  • Unauthorized access of Covered Data and information by someone other than the owner of the Covered Data
  • Compromised system security as a result of system access by an unauthorized person, including access to data during transmission
  • Loss of data integrity
  • Errors introduced into the system
  • Corruption of data or systems
  • Management of account users in systems maintained by the University and SaaS providers
  • Unauthorized access to or requests for Covered Data by employees
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of Covered Data through third parties

Recognizing that this may not represent a complete list of the risks associated with the protection of covered data, and that new risks arise regularly, the CISO, with assistance from other departments, will actively monitor appropriate cybersecurity advisory literature to identify new risks and will ensure that information security risk assessments are performed periodically.

Safeguards to Mitigate Identified Risks

The following is a list of the current safeguards implemented, monitored and maintained by the University, which are reasonable and sufficient to provide security and confidentiality for Covered Data. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.

1. Employee Management and Training

The University provides training to all employees on Internal Controls, cybersecurity and FERPA among other mandated training topics. Cybersecurity awareness training includes controls and procedures to detect and identify ransomware, phishing and social engineering tactics. These trainings minimize risk and safeguard covered data and information. In addition, unit specific training is provided to all new employees regarding internal control and information access.

2. Physical Security

The University has physical security controls in place to protect access to covered data by limiting access to only those employees who have a legitimate business reason to handle such information.

3. Information Systems

Access to systems that include covered data and information is limited to those employees who have a legitimate business reason to access such information. The University has an Identity and Access Management policy that details the principles for the issuance of electronic identifiers and applies the principle of “least privilege” when assigning access. In addition, the University’s Information Technology Services maintains standards for Privileged Access.

4. Management of System Failures

The University’s Information Security Program is designed to detect any actual or attempted attacks on the University’s on-campus IT systems and to enact measures to prevent successful attacks. The University maintains data breach insurance as required by SUNY policy and maintains a written data breach response protocol. All contracts for third-party services obtained via the regular University procurement processes include a requirement for the third-party service to comply with the requirements of the Gramm-Leach-Bliley Act.

5. Standardized Contracting System

GLBA requires the University at Albany to take reasonable steps to select and retain Service Providers who maintain appropriate safeguards for Covered Data, and to contractually require Service Providers to implement and maintain such safeguards. University at Albany security officials review information security documentation from vendors when prompted by the procurement process. This documentation may encompass assessments such as SOC 2 audits. The University utilizes a standardized contracting system that includes Exhibit S for vendor agreements, acknowledging the necessity for updates to cover cloud services and other pertinent areas. Moreover, security officials review Vendor Risk Management policies, data classification policies, and procedures within contracts and agreements. The Contractor is obligated to maintain the security, nondisclosure, and confidentiality of all information in accordance with Security Procedures, Nondisclosure and Confidentiality requirements, Federal or State regulations, the Information Security Breach and Notification Act, and the Data Protection/GDPR Clauses as stated in Exhibit S. Purchasing units are responsible for managing the Service Provider’s contract and account management, including removing users when their access to Covered Data is terminated. The University Program Coordinator shall periodically reassess the continued adequacy of the safeguards Service Providers apply to Covered Data, based upon the risks presented.

6. Detection and Testing

The Designated Individual or designee shall ensure that University IT systems that collect, store and process Covered Data:

  1. Are designed to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with Covered Data by such users

  2. Are regularly or continually tested or monitored to evaluate the effectiveness of key controls, systems, and procedures, including those that detect actual and attempted attacks on, or intrusions into, those systems

  3. Are subject, no less than annually, to penetration testing based upon the risks identified above, in accordance with a risk assessment

  4. Undergo, no less than every 6 months or whenever circumstances indicate a potential material impact on the University’s IT systems, a vulnerability assessment that includes system scans or reviews of IT systems reasonably designed to identify publicly known security vulnerabilities

Continuing Evaluation and Adjustment

In compliance with GLBA and information security best practices, this Program will be reviewed and updated on a continuing basis to reflect its overall objectives.