NYIT Information Security Policy and Incident Response Procedures

Definition and Introduction

The purpose of this policy is to protect New York Institute of Technology (NYIT) information resources from accidental or unapproved disclosure, modification, or damage and comply with applicable state and federal regulations.

NYIT faculty and staff are expected to be familiar this policy and procedures. If you need assistance in understanding or implementing this policy and incident response procedures, the Information Technology staff can assist you. You can request assistance by emailing servicecentral@nyit.edu or by calling 516-686-1400.

Purpose

The objectives of this policy are:

  • To establish a general approach to information security that balances security, confidentiality and integrity of NYIT data and information assets while providing utility, flexibility and accessibility to the systems when needed
  • To protect the reputation of NYIT with respect to its ethical and legal responsibilities associated with its information and data
  • To establish and maintain the integrity and confidentiality of the Data, Information systems applications and NYIT-owned networks or held by third party vendors on behalf of NYIT
  • To ensure continuous access to business-critical data and documents under atypical circumstances such as staff turnover, system failure, accident or disaster
  • To detect and avoid the compromise of personal identifiable information and other secure data
  • To provide effective and efficient procedure to respond to complaints and questions concerning non- compliance to this or other NYIT information technology policies
  • To comply with applicable provisions of the Gramm-Leach-Bliley Act (GLB) and the Federal Trade Commission Safeguards Rule

Scope

This policy applies to all information, information systems, networks, applications, locations and users of New York Institute of Technology Data or information systems or supplied under contract to it.

Authority and Access Control Policy

  • Access to information shall be restricted to authorized users who have a business need to access the information.
  • The Information Technology department maintains a list of restricted applications and databases and their corresponding business owners.
  • Authorization for access to restricted business application and databases must be granted by the designated business owner.
  • Individual business applications typically have specific policies and procedures for requesting and granting access to information. Where no such procedure exists, an electronic mail message from the data owner to the Information Technology Service Central support desk shall constitute authorization. All correspondence must be memorialized in the support desk ticketing system.

Classification of Data – Data Sensitivity Levels

Data captured, stored, processed or transmitted by the New York Institute of Technology (NYIT) is classified into the following three sensitivity levels:

  • Legally Protected: Data Protection Act, HIPAA, FERPA as well as financial, payroll, and personnel (privacy requirements) are included here.
  • Restricted/Confidential/Need to Know: The data in this class does not enjoy the privilege of being under the wing of law, but the data owner judges that it should be protected against unauthorized disclosure. Examples include: financial and contractual records; any information which is likely to adversely or disadvantage affect the reputation or negotiations of NYIT; make it more difficult to maintain the operational effectiveness; cause financial loss or earning potential; facilitate the commission of crime.
  • Public: This information can be freely distributed.

Legally Protected

A variety of state and federal laws impose requirements with respect to the protection of certain types of information. The following laws apply to New York Institute of Technology:

HIPAA – Health Insurance Portability and Accountability Act of 1996

FERPA – Family Educational Rights and Privacy Act

The Gramm-Leach-Bliley Act ("GLB"), together with the Federal Trade Commission ("FTC") "Safeguards Rule," regulates the security and confidentiality of customer information collected or maintained by or on behalf of financial institutions or their affiliates.

New York State Information Security Breach and Notification Act

Personal Information Protection Act (PIPA), which applies to students attending NYIT's Vancouver campus in British Columbia, Canada.

NYS Information Security Breach and Notification Act

Personal Information Definition. Information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

Private Information Definition. Personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:

  • Social Security Number;
  • Driver license number or non-driver identification card number; or
  • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  • "Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

New York State (NYS) Identity Theft Laws defines "personally identifiable information" or PII as Name in conjunction with any of the following:

  • Social Security number
  • Bank Account number
  • Credit or Debit Card number
  • Driver's License number or other state issued ID number

This law imposes strict requirements for maintaining the confidentiality of personally identifiable information (PII), and triggers significant requirements in the event of a possible breach of personal information. In addition to the information legally protected by NYS Identify Theft laws, NYIT also classifies the following information as legally protected:

  • Mother's maiden name
  • Bank account numbers
  • Income tax records

This additional information should not be collected, stored or used except in situations where there is legitimate business need and no reasonable alternative.

Managers must ensure that their employees understand the need to safeguard this information, and that adequate procedures are in place to minimize the risk of loss or theft of this information. Access to such information may only be granted to authorize individuals on a need to know basis by an Information Custodian (see chart below).

Data Support and Operations

Basic systems mechanisms for data protection include:

  • Up-to-date malware protection and application and operating system patches
  • Firewall and intrusion detection systems
  • Backups of data are in line with industry best practices and hosted onsite in an area of physical security to protect against the loss of in scope data and off-site for data recovery.
  • The audit and approval of security controls is independent and segregated from the implementation of IT security controls.
  • All NYIT Information Technology hardware, software and hardware assets are assigned to an individual employee or designated business unit.
  • All NYIT computer resources for employees have a secure configuration standard image.
  • All NYIT owned printers have an immediate hard drive erase feature for all scanned documents, thus no scanned images are stored.
  • NYIT provides annual online data security training for all employees, "Data Security & Privacy."

Responsibility and Accountability

Chief Information Technology Officer

The college's Chief Information Technology Officer (CITO) has overall responsibility for the security of the college's information technologies. Implementation of security policies is delegated throughout the college to various college services, departments and other units; and to individual users of campus information resources.

Departments and Other Units

Departments and other units are responsible for the security of any information they create, manage, or store, and for any information they acquire or access from other college systems (i.e. student records, personnel records, business information).

Note: The security of applications and data administered by departments and individuals outside of the Information Technology is the responsibility of the administering department. Information Technology staff will provide advice and support for implementing security measures when requested.

Information Custodian Contact Information

Information Set Department or Office
Employee information, current and job applicants Human Resources
Payroll information Finance Office
Admissions applicant information Enrollment Management
Student academic information Registrar's Office
Financial information Finance Office
Student loan information Financial Aid
Physical building security Facilities
Technology infrastructure and system security Information Technology
Student biographic/demographic information Registrar
Immunization and health information Counseling and Wellness
Alumni information Development
Legal issues General Counsel

Responsibility of Administrative Department Heads

Each department head is responsible for ensuring the appropriate protection of information within his or her office. These responsibilities include:

  • Ensure that everyone in the office is aware of the Data Sensitivity Level of the information they have access to and how that information should be secured.
  • Ensure that all business-critical documents and data are continuously accessible to appropriate staff members. This is typically accomplished through the use of departmental file shares and, where permitted, Google Team Drive. It is important to understand that the IT employee separation process will make files stored in personal network locations, such as the Z: drive and Google 'My Drive', inaccessible to other employees upon separation. As such, these personal storage locations should only be used for non-critical items.
  • Annually review who needs access to what information and only authorize access to information when the job responsibilities require it. Work with Information Custodians to audit and grant access accordingly in administrative information systems (e.g., PeopleSoft, Oracle e-business).
  • Maintain an inventory of all confidential information that is collected and maintained by the department, including digital storage, paper storage, and workflows.
  • Securely delete or redact all confidential information that is not necessary for the department to collect, maintain, or use and that is not required to be maintained by law.
  • Have all contracts reviewed by the Office of General Counsel who will ensure that vendors are also compliant with our policies.
  • Instruct employees to report possible information breaches, including lost or stolen computing or mobile devices to the department head who in turn will report it to the General Counsel and the Chief Information Technology Officer.

Responsibility of All Employees

  • Employees shall comply with the information security procedures including the maintenance of data confidentiality and data integrity of any information collected or used, both electronic and on paper.
  • Understanding what information is Legally Protected and how such information should be secured.
  • Employees shall be responsible for the operational security of the Data and information systems they use.
  • Personally owned computers and devices used to access Legally Protected or Restricted information are subject to the same rules and security requirements that apply to University-owned computers.
  • Employees are to ensure that no Legally Protected or Restricted information is on a USB flash drive, laptop or other mobile or portable storage device unless it serves a specific business purpose and is encrypted. The Information Technology department can help determine if such information is present and how to encrypt high risk or restricted Data.
  • Do not store Legally Protected or Restricted information in unauthorized cloud storage facilities such as Dropbox, Google Drive, Microsoft OneDrive, and Amazon Drive.
  • Where specifically permitted under this policy, storage of data or documents in a cloud storage facility is limited to authorized cloud storage facilities. Use of similar services including, but not limited to Dropbox, Google 'My Drive', Microsoft OneDrive, Amazon Drive is prohibited.
  • Employees are responsible to delete or redact all confidential information that is not necessary to collect, maintain, use, or archive.
  • Employees are to review all research projects, whether grant funded or not, to make sure required confidential information is secure. The only approved product for research involving Legally Protected or Restricted data is REDCap.

Access to the NYIT computing systems, including its hardware, software data and any other information obtained from it in whatever form, is subject to the following rules:

  • The institution has entered into non-disclosure agreements and/or confidentiality agreements with numerous vendors of various computer software. User will not view, print, copy, update, or disclose to any person any such proprietary, confidential, and/or protected information in violation of any such agreements.
  • All personally identifiable information is confidential and the user will not reveal such information except to the extent required by his/her job responsibilities. In addition, user acknowledges reading and adhering to institution's privacy statement.
  • All information is to be used only for institutional purposes. The user must not, without proper authorization, utilize computer equipment or programs to gain access to, copy or obtain for personal use or information, records or information owned or possessed by the college.
  • User will use this account only for duties assigned by user's supervisor and will not access information or data unrelated to his/her job duties.
  • The user must take care not to alter, damage, or destroy a computer system or computer network or the software program or data contained in a computer, computer system or computer network, and must not gain access to or alter a computer system, network program or data without proper authorization.
  • The user must at all times utilize the college computing system in accordance with established policies, standards and procedures.
  • The user must not reveal his/her password to any other person. The user must change his/her personal password at least every six (6) months as an aid in maintaining security. The user's personal password must not be the same as the departmental password. User agrees that he/she will use only this account and will not share access to it with anyone else.
  • User acknowledges that he/she is responsible for securing their NYIT accounts against unauthorized access and use, and for all activity in this account.

Employee Privacy and NYIT Property and Facilities

Employees should have no expectation of privacy with respect to NYIT property such as computers, Data, email, NYIT-owned software applications, NYIT-contracted application / storage, etc. even if under their exclusive uses and used for personal matters. As set forth in the Telecommunications and Information Technology section of the NYIT Employee Handbook, employees should have no expectation of privacy with respect to the use of NYIT telecommunications, IT equipment, application, services, accounts and networks.

Information Security Incident Response

All suspected or known security breaches must be reported immediately. Breaches involving student data must be reported within 24 hours to FSASchoolCyberSafety@ed.gov.

Reporting all possible data breaches including lost or stolen computing or mobile devices to supervisor or academic dean who in turn will report it to the Vice President for Finance or Controller or the Chief Information Technology Officer.

Incident Response Process Workflow

REPORT: Report all possible suspected data breaches including lost or stolen computing or mobile devices to servicecentral@nyit.edu and supervisor or academic dean.

NOTIFY: Service Central will immediately notify the Privacy Officer, and IT Networks and Systems group to investigate and diagnose the scope of the attempted breach/breach. If the security breach is severe, the Director of Client Services will report the attempted breach/breach to the General Counsel or the Chief Information Technology Officer.

IDENTIFICATION: Involves review of the attributes if the incident to determine whether and incident has occurred and if one has occurred, the nature and extent of the incident. Using technical resources and non-technical sources, to classify and identify the incident and appropriate level of escalation, high, medium and low.

Incident categories:

  • Unauthorized access
  • Denial of Service
  • Malicious code
  • Improper usage
  • Scan/probes
  • Attempted access

SCOPING: Networks team will determine the potential targets, the external touch point and prioritizing the likely threats.

CONTAINMENT AND ERADICATION: Once the scope has been determined, the appropriate remediation actions will be implemented to remove the elements of the threat. The appropriate stakeholder's contacts will be notified.

RECOVERY: Once the root cause of an incident has been eradicated, the recovery phase can begin. The goals of this step are to: (1) remediate any vulnerabilities contributing to the incident (and thus prevent future incidents) and (2) recover by restoring operations to normal. A phased approach is often used to return systems to normal operation, harden them to prevent similar future incidents and heighten monitoring for an appropriate period of time. Typical recovery activities include rebuilding systems from trusted images/gold standards, restoring systems from clean backups and replacing compromised files with clean versions.

INCIDENT TRACKING AND REPORTING: Under section 899-aa of the General Business Law- Security Breach Definition. Unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of PI maintained by a business.

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, Entities may consider the following factors, among others:

  • Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information;
  • Indications that the information has been downloaded or copied; or
  • Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.

Notification Obligation. See https://its.ny.gov/breach-notification for the procedures to disclose any breach of data to NYS residents.

Any Entity to which the statute applies shall disclose any breach of the security following discovery or notification of the breach in the security of the system to any resident of NY whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

Notice Required. Notice shall include:

  • Contact information for the Entity making the notification; and
  • A description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of PI and private information were, or are reasonably believed to have been, so acquired.

The notice required shall be directly provided to the affected persons by one of the following methods:

  • Written notice;
  • Telephonic notice, provided that a log of each such notification is kept by the Entity; or
  • Electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the Entity who notifies affected persons in such form; provided further, however, that in no case shall any Entity require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction.
  • Substitute Notice Available. If the Entity demonstrates to the state AG that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
    • Email notice when the Entity has email addresses for the subject persons
    • Conspicuous posting of the notice on the Entity's website if the Entity maintains one
    • And notification to major statewide media.

Definitions

Employee refers to faculty, staff, students, independent contractors and other persons whose conduct in the performance of work at New York Institute of Technology is under the direct control of New York Institute of Technology whether or not they are paid by New York Institute of Technology.

User – All persons and/or organizations that have access to New York Institute of Technology Data.

Sensitive Information – Any electronic or physical Data which, if compromised with respect to confidentiality, integrity, and/or availability, could violate the privacy to which individuals are entitled or could have an adverse effect on NYIT interests or the conduct of university programs. Examples of such Data include, but are not limited to, the following: Data protected by the Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), or other laws governing the use of Data, as well as Data that has been deemed by the university as requiring protective measures.

Business Information – Any Data created and/or managed by: 1) New York Institute of Technology Information Technology department, and/or 2) NYIT employees within the scope of the employees' work responsibilities and not including information used solely for classroom instruction purposes.

FERPA is the Family Educational Rights and Privacy Act. This is federal law protecting the privacy of student education records and applies to any school that receives funds under an application program of the U.S. Department of Education.

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It requires privacy and security for individually identifiable health information.

Cloud Storage – A model of networked online storage where Data is stored in virtualized storage pools generally hosted by third parties and in locations not owned by the university.

Cloud Application – A computer program that has some characteristics of both a desktop application and a web application. It is able to access NYIT Data from multiple sources. For example, a cloud application may access NYIT Data that is stored directly on a user's computer or Data that is housed in cloud storage. A cloud application may also access NYIT Data from other NYIT physical storage media which may be located either on or off premise.

Data – Information contained in either New York Institute of Technology computer systems, cloud storage, or as a physical copy that is utilized for NYIT purposes.

Network is defined to be all New York Institute of Technology owned or managed internal infrastructure for converged services, including but not limited to, data, video and voice, to facilitate resource sharing and communication.

University Systems/Information Systems – Computing devices and their related software created, owned, and/or licensed to New York Institute of Technology that are used to store or process Data.

Applicable Policies and Standards

*Print Only