Computer Security at UB

Critical Alerts & Advisories


University at Buffalo Emergency Web Site


Microsoft Security Bulletin for June 2008


Apple Security Updates Through June 2008


Security Updates for Adobe Reader and Acrobat 8 - February, 2008


Mozilla/Firefox browser: Download Latest Version


Windows Vista Security Features

Microsoft Windows Vista: When Should I Upgrade?

Microsoft Windows Vista Web Site

Microsoft Web: Security Enhancements in Windows Vista


Upgrade to Adobe Reader 8.0 to protect your computer from cross-site scripting flaw in previous versions


US-CERT: Risks of Peer-to-Peer File Sharing Technology

Latest Threats & Advisories (Symantec)

Latest Vulnerabilities & Alerts (US-Cert)

Are hackers using your PC to spew spam & steal? (USA Today)

SANS OUCH! Archive - Monthly Security Awareness Alert for End Users

Important Links
UB IT Policies

Find your support provider

Symantec Virus & Worm Removal Tools

Microsoft: Protect Your PC Steps

Mac Security: SecureMac.com site

Symantec Security Check

Glossary of Security Terms (WhatIs.com)

Did you know?
You can use a public computer more securely if you follow these 5 safety tips. (Microsoft)

Also: Follow the links for protecting your laptop on the road and using public wireless networks more securely.

For Administrators, Department Heads, or Principal Investigators (PIs)

Deans, department heads, PIs, data owners, and others in leadership positions with control of resources can play a critical role in the implementation of computer and information security in their areas. They can:

  • Make computer and information security a priority, providing staffing and funding to ensure the security of computer systems in their units. PIs can specify security costs as a direct cost in grant proposals.
  • Make staff members aware of UB computer and information security policies.
  • Communicate to staff members that they are responsible and accountable for the security of their computer systems and for following the standards and best practices outlined in the information security policies.
  • Ensure that their staff and system/network administrators take action when systems in their area become compromised.

University at Buffalo IT Security Policies and Procedures

  • Information Security Policy Process
    • Description of Process:
      1. Information Security Policies are developed by an Information Security Policy Advisory Group, which includes UB executive leadership and faculty, staff, and student representation.
      2. Draft policies are then vetted/reviewed by key stakeholders and the UB Institutional Policy Committee.
      3. Draft and approved policies are placed on the http://www.itpolicies.buffalo.edu web site with notes on their status.
  • Policy Flow Chart
    • Under development

  • IT and Computing Policies
    • UB Computer and Network Usage Policy
      • Guidelines and user responsibilities for the use of UB computer and network resources
    • UB Identification and Authentication Systems Policies
    • Security Policy for Network Connected Devices
      • University network and Internet connectivity can be jeopardized by computers/workstations, servers, and other devices that are not adequately secured and protected from attack by hackers and malicious software. This policy defines responsibilities and the process by which compromised machines may be temporarily disconnected from the network if there is a risk to the network.
    • DMCA Policies
      • Distribution of copyrighted material, including music, games, and movies, for which you do not have the owner's permission is a violation of federal law (DMCA) and University policy. The DMCA policies provide information on notifying the campus DMCA agent about violations, how UB responds to DMCA notices, and an FAQ which answers questions about the use of the UB network for peer-to-peer file sharing and downloading copyrighted materials.
    • NY State Information Security Policy
      • This umbrella information security policy is based on ISO 17799 information security standards. The policy sets forth the minimum requirements, responsibilities and accepted behaviors to establish and maintain a secure environment. Although this policy is mandatory for state entities, it is not mandatory for SUNY institutions.
    • NYS Cyber Incident Reporting Procedure
    • Policy on Email Servers Connected to the Network
    • NYS Web Accessibility Policy
      • New York State issued a policy on June 21, 2004, mandating that all state agencies make their web-based information accessible to persons with disabilities.
    • NYS Electronic Signatures and Records Act Guidelines
    • UB Electronic Commerce Policy (TBD)
    • UB Domain Name System Policy (TBD)

  • UB Data Access and Protection
    UB institutional data that supports the University mission is a vital asset and subject to many federal and state regulations. UB is committed to compliance with privacy and security regulations and the protection of confidential data.
    • Data Security, Access, and Acceptable Use Policy
      • The University requires all users of University administrative data to utilize the data in a manner consistent with the University's requirements for security and confidentiality, as well as with state and federal legal protections and laws. Access to University administrative data is granted by data custodians and trustees who are required to develop and maintain clear and consistent procedures for access and use of the data, prevent unauthorized access, and protect restricted, non-public data. Data custodians and trustees also classify University data by level of sensitivity and risk, taking into account federal and state legal protections, contractual agreements, ethical considerations, and strategic worth to the institution.
    • Social Security Number Protection Policy
    • Legal Requirements
    • UB Data Protection and Classification
      • Data Protection: General Principles
        • Federal and state laws regulate the level of protection UB is required to provide, as do UB's contractual obligations.
        • As creators and owners of intellectual property, UB faculty and staff work to protect information assets from premature disclosure and tampering.
        • There are financial costs in protecting information assets as well as in the repair of damage to compromised information resources. Damage control is especially costly, both financially and in terms of the damage to the reputation of the University.
      • Data Classification
        Information resources are considered to be assets of the University. They are classified according to the compromise risks associated with the data being stored or processed. Data with the highest risk need the greatest amount of protection to prevent compromise; data at lower risk can be given proportionately less protection. This approach allows UB to apply more appropriate levels of resources to the protection of the assets based upon need.


      For further assistance please contact your local IT Support Provider. For questions about this Web page, please contact the UB IT Security Advisory Group.
      Last Updated: Thursday, 15-May-2008 15:10:06 EDT.
      Copyright 2004, University at Buffalo. All rights reserved.

       
