For Administrators, Department Heads, or Principal Investigators (PIs)
Deans, department heads, PIs, data owners, and others in leadership positions with
control of resources can play a critical role in the implementation of computer
and information security in their areas. They can:
- Make computer and information security a priority, providing staffing and funding
to ensure the security of computer systems in their units.
PIs can specify security costs as a direct cost in grant proposals.
- Make staff members aware of UB computer and information security policies
- Communicate to staff members that they are responsible and
accountable for the security of their computer systems and for following
the standards and best practices outlined in the information security
policies
- Ensure that their staff and system/network administrators take action
when systems in their area become compromised
University at Buffalo IT Security Policies and Procedures
- Information Security Policy Process
- Description of Process:
- Information Security Policies are developed by an Information Security Policy Advisory Group, which includes UB executive leadership and faculty, staff, and student representation.
- Draft policies are then vetted/reviewed by key stakeholders and the UB
Institutional Policy Committee.
- Draft and approved policies are placed on the
http://www.itpolicies.buffalo.edu web site with notes on their status.
- Policy Flow Chart
IT and Computing Policies
- UB Computer and Network Usage Policy
- Guidelines and user responsibilities for the use of UB computer and network resources
- UB Identification and Authentication Systems Policies
- Security Policy for Network Connected Devices
- University network and Internet connectivity can be jeopardized by
computers/workstations, servers, and other devices that are not adequately
secured and protected from attack by hackers and malicious software. This policy
defines responsibilities and the process by which compromised machines
may be temporarily disconnected from the network if there is a risk to
the network.
- DMCA Policies
- Distribution of copyrighted material, including
music, games, and movies, for which you do not have the owner's permission
is a violation of federal law (DMCA) and University policy. The DMCA policies
provide information on notifying the campus DMCA agent about violations, how UB
responds to DMCA notices, and an FAQ which answers questions about the use
of the UB network for peer-to-peer file sharing and downloading copyrighted
materials.
- NY State Information Security Policy
- This umbrella information security policy is based on ISO 17799 information
security standards. The policy sets forth the minimum requirements,
responsibilities and accepted behaviors to establish and maintain a secure
environment. Although this policy is mandatory for state entities, it is not
mandatory for SUNY institutions.
- NYS Cyber Incident Reporting Procedure
- Policy on Email Servers Connected to the Network
- NYS Web Accessibility Policy
- New York State issued a policy on June 21, 2004, mandating that all
state agencies make their web-based information accessible to persons with
disabilities.
- NYS Electronic Signatures and Records Act Guidelines
- UB Electronic Commerce Policy (TBD)
- UB Domain Name System Policy (TBD)
UB Data Access and Protection
UB institutional data that supports the University mission is a vital asset
and subject to many federal and state regulations. UB is committed to
compliance with privacy and security regulations and the protection of confidential data.
- Data Security, Access, and Acceptable Use Policy
- The University requires all users of University administrative data to utilize
the data in a manner consistent with the University's requirements for
security and confidentiality, as well as with state and federal legal
protections and laws. Access to University administrative data is granted
by data custodians and trustees who are required to develop and maintain
clear and consistent procedures for access and use of the data,
prevent unauthorized access, and protect restricted, non-public data.
Data custodians and trustees also
classify University data by level of sensitivity and risk, taking into
account federal and state legal protections, contractual agreements,
ethical considerations, and strategic worth to the institution.
- Social Security Number Protection Policy
- Social Security Numbers are highly confidential and legally protected data.
UB is committed to maintaining the privacy and confidentiality of
an individual's SSN as mandated by law.
It is the policy of UB that the use of SSN as a common identifier and
primary key to databases be discontinued, except where required for employment,
financial aid, and a limited number of other business transactions.
Disclosure statements will be provided whenever an SSN is requested, in
compliance with the Federal Privacy Act of 1974.
Sample disclosure statements are available for use.
As a university we must work to reduce or eliminate the use of SSNs for
identification purposes and to ensure the SSNs are secured in all
university databases and applications.
- Legal Requirements
- UB Data Protection and Classification
- Data Protection: General Principles
- Federal and state laws regulate the level of protection UB is required to
provide, as do UB's contractual obligations.
- As creators and owners of intellectual property, UB faculty and staff work
to protect information assets from premature disclosure and
tampering.
- There are financial costs in protecting information assets as well as
in the repair of damage to compromised information resources. Damage control is
especially costly both financially and in terms of the damage to the reputation
of the University.
- Data Classification
Information resources are considered to be assets of
the University. They are classified according to the compromise risks
associated with the data being stored or processed. Data with the highest risk
need the greatest amount of protection to prevent compromise; data at lower risk
can be given proportionately less protection. This approach allows UB to apply
more appropriate levels of resources to the protection of the assets based upon need.
For further assistance please contact your local IT Support Provider. For
questions about this Web page, please contact the UB IT Security Advisory
Group. Last Updated: Thursday, 15-May-2008 15:10:06 EDT.
Copyright 2004, University at Buffalo. All rights reserved.