Information Security

Adopted Policy 5.3

Policy Purpose

To set forth the University’s principles to protect the confidentiality, integrity, and availability of the University’s information assets in direct support of the University’s strategic mission and goals.

Responsible Office

Information Technology Services, Division for Finance and Administration

Responsible Executive

Chief Information Officer

Policy History

  • Date of Permanent Approval:
  • Date of Amendments:

Policy Statement

Information is integral to the operations of the University at Albany. The core services of teaching, learning, and research cannot be realized without a robust, reliable, and secure information technology infrastructure. Business operations and academic inquiry are dependent on the availability and integrity of information (both in transit and at rest).

This requires the University to maintain a vigorous and comprehensive Information Security Program designed to satisfy its statutory obligations, enable and assure core services, and fully support academic inquiry.

Persons Affected

Students, Faculty, Staff, Third Parties

Definitions

University is the University at Albany.

Policy

The University will establish an information security program to facilitate compliance with legal and regulatory requirements governing the collection, retention, dissemination, protection, and destruction of information.

  1. Information security program
    1. The University’s information security program will include the administrative, technical and physical safeguards appropriate to the size and complexity of the University and the sensitivity of its information.
    2. The program will be based on established risk management practices and applied to a set of information security domains.
    3. Each domain will establish protocols that provide a direction and framework for related standards, procedures and other companion documents establishing the compliance requirements for each set of controls.
    4. Each member of the University community shares a measure of responsibility for the implementation and effectiveness of this program.
  2. Roles and responsibilities
    1. Oversight
      1. Information Technology Services is primarily responsible for assuring an effective Information Security program.
      2. Responsibility for developing, deploying, and managing the information security program is under the direction of the Chief Information Security Officer (CISO) who will work in conjunction with the Office of Enterprise Risk Management, the University’s Office of General Counsel, and Internal Audit.
    2. Governance
      1. Information Technology Services will work with the relevant stakeholders to formulate specific standards, procedures and guidelines in support of various risk management strategies, and may establish advisory or working groups to assist in implementing this policy.
    3. Operations
      1. Campus information technology service providers are primarily responsible for the implementation of operational controls. Members of the University community at large are responsible for implementing and adhering to relevant standards, procedures, and guidelines.
    4. Compliance
      1. The CISO is primarily responsible for enforcement.
      2. Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines and procedures.
      3. Compliance is determined via periodic audits, scans, and reviews and is measured against this policy and all published, related documents. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new industry, State, Federal, or international regulations.
      4. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented and written notifications sent to responsible parties. These notices will include recommendations for corrective action. A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action. Follow-up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions.
      5. Nothing in this section will be construed as an impediment to responding to a security breach incident.
  3. This policy is effective immediately.