CUNY Information Security Policy and Procedures Attestation Response Form

The following Policies and Procedures serve as the basis of this attestation and should be referred to in their entirety when responding to each item on this form: 1) Policy on Acceptable Use of Computer Resources; 2) IT Security Procedures - General, March 26, 2009, Brian Cohen; 3) IT Security Procedures – Wireless Network Security, November 20, 2009, Brian Cohen; 4) IT Security Procedures – Data Center Security & Environment Support, November 20, 2009, Brian Cohen; all located under Security Policies & Procedures at security.cuny.edu

Spring Semester 2015 (v1)

Policy – Policy on Acceptable Use of Computer Resources
(The paragraph number below refers to the same paragraph number in the Acceptable Use policy. An excerpt or summary is provided below. Refer to the Policy for the complete paragraph) / Is your Campus in compliance?
If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance. / Other comments describing the environment and/or compensating controls.
11. Filtering. CUNY reserves the right to install spam, virus and spyware filters and similar devices if necessary in the judgment of CUNY’s Office of Information Technology or a college IT director to protect the security and integrity of CUNY computer resources. Notwithstanding the foregoing, CUNY will not install filters that restrict access to e-mail, instant messaging, chat rooms or websites based solely on content. / Include here (or as an attachment) a description of any filters that are being used to restrict access to e-mail, instant messaging, chat rooms or websites based solely on content:
12. Confidential Research Information. Principal investigators and others who use CUNY computer resources to store or transmit research information that is required by law or regulation to be held confidential, or for which a promise of confidentiality has been given, are responsible for taking steps to protect confidential research information from unauthorized access or modification. In general, this means storing the information on a computer that provides strong access controls (passwords) and encrypting files, documents, and messages for protection against inadvertent or unauthorized disclosure while in storage or in transit over data networks.


IT Security Procedures – General
June 25, 2014
(The paragraph number below refers to the same paragraph number in the IT Security Procedures – General. An excerpt or summary is provided below. Refer to the Procedures for the complete paragraph) / Is your Campus in compliance?
If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance. / Other comments describing the environment and/or compensating controls.
1. Introduction - It is the responsibility of each University entity (i.e., a College or a Central Office department) to maintain the integrity and privacy of University information.
2. Non-Public University Information. Non-public University information should be treated confidentially.
3. Access to University Information. Access to University information available in University files and systems, whether in electronic or hard copy form, must be limited to individuals with a strict need to know, consistent with the individual’s job responsibilities. This section provides the requirements for employee, student, and adjunct faculty access including the provisions of a waiver procedure and acknowledgement of receiving University information security policies and procedures.
4. Review of Access to University Files and Systems – Each University entity must review, at least once during each of the fall and spring semesters, individuals having any type of access to non-public University data and must remove user IDs and access capabilities that are no longer current. This review includes, but is not limited to, access to networks, applications, sensitive transactions, databases, and specialized data access utilities.
5. Severance of Access upon Termination or Transfer of Employment – Access to computerized systems must be removed no later than an individual’s last date of employment. User IDs must not be re-used or re-assigned to another individual at any time in the future.
For job transfers, access to computerized systems must be removed no later than the last date in the old position and established no sooner than the first date in the new position.
6. Authentication – Users of University files and systems must use an individually assigned user ID to gain access to any University network or application.
7. User IDs – Users of University files and systems, other than technical employees within Information Technology departments at a College or in the Central Office, must have no more than one individually assigned user ID per system.
8. Passwords – All passwords must be treated as non-public University data and, as such, are not to be shared with anyone. Users must manually enter their passwords when prompted, and passwords must not be scripted or stored.
All passwords must be changed at least every 180 days. Passwords for accounts that have special access privileges must be changed at least every 60 days.
9. Remote Access – Access to administrative and academic support systems from non-University locations is allowed only through secure remote connections (e.g., VPN) that provide for unique user authentication and encrypted communications.
10. Disclosure of Non-Public University Information – (a) Unless otherwise required by law, users of University files and systems must not disclose any Non-Public University Information to the general public or any unauthorized users. (c) Special Rules for Social Security Numbers - Refer to the IT Security Procedures.
11. Web Accessible Data – Non-public University data must not be made accessible to the general public. All web pages must be programmed with a parameter to prevent the caching of data by Internet search engines.
12. Security Incident Response and Reporting – An acknowledgment of or response to any security incident must be given to the University Chief Information Officer and the University Information Security Officer within 24 hours of notice of the incident, and a report of such incident is due within 72 hours.
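Paragraph 11 requires a "parameter to prevent the caching of data by Internet search engines" but does not say which one. The following is an added example, not code from CUNY or from the Procedures, showing the two standard mechanisms crawlers honour: the `<meta name="robots">` tag for HTML pages and the `X-Robots-Tag` response header, which also covers non-HTML responses (PDF or CSV exports) where no meta tag can be placed. A `Cache-Control: no-store` header is added so that intermediate HTTP caches do not retain a copy either. The WSGI middleware, the toy application, the `/nonpublic/` path prefix and the sample page content are all constructed for illustration.

```python
"""Added example: emit and verify 'do not index / do not cache' signals on
responses that render non-public data (constructed, not CUNY's code)."""
from wsgiref.util import setup_testing_defaults

ROBOTS_DIRECTIVE = "noindex, noarchive, nosnippet"
NO_STORE = "no-store, no-cache, must-revalidate, private"


def robots_meta_tag() -> str:
    """HTML tag to place in <head> of every page that renders non-public data."""
    return f'<meta name="robots" content="{ROBOTS_DIRECTIVE}">'


class NonPublicHeaders:
    """WSGI middleware: stamp anti-indexing and anti-caching headers on every
    response whose path starts with one of the configured prefixes
    (the '/nonpublic/' prefix is an assumed convention)."""

    def __init__(self, app, prefixes=("/nonpublic/",)):
        self.app = app
        self.prefixes = tuple(prefixes)

    def __call__(self, environ, start_response):
        protect = environ.get("PATH_INFO", "").startswith(self.prefixes)

        def _start(status, headers, exc_info=None):
            if protect:
                # Remove any caching headers the application set, then add ours
                # so the protective values cannot be overridden downstream.
                drop = ("x-robots-tag", "cache-control", "pragma", "expires")
                headers = [(k, v) for k, v in headers if k.lower() not in drop]
                headers += [
                    ("X-Robots-Tag", ROBOTS_DIRECTIVE),
                    ("Cache-Control", NO_STORE),
                    ("Pragma", "no-cache"),
                    ("Expires", "0"),
                ]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)


def demo_app(environ, start_response):
    """Toy application: one public page and one page showing constructed,
    placeholder student data (no real identifiers)."""
    if environ["PATH_INFO"].startswith("/nonpublic/"):
        body = (f"<html><head>{robots_meta_tag()}</head>"
                "<body>EMPLID 00000000 grade A</body></html>")
    else:
        body = "<html><body>Welcome</body></html>"
    data = body.encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(data)))])
    return [data]


def fetch(app, path):
    """Invoke a WSGI app in-process; return (status, lower-cased header dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}
        return lambda chunk: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode()


def is_search_engine_cache_blocked(headers, body):
    """Audit check: the header or the meta tag must carry noindex and noarchive,
    and the HTTP cache directive must be no-store."""
    robots = headers.get("x-robots-tag", "")
    directive_ok = ("noindex" in robots and "noarchive" in robots) \
        or robots_meta_tag() in body
    cache_ok = "no-store" in headers.get("cache-control", "")
    return directive_ok and cache_ok


if __name__ == "__main__":
    app = NonPublicHeaders(demo_app)
    for p in ("/", "/nonpublic/grades"):
        status, hdrs, body = fetch(app, p)
        verdict = "blocked" if is_search_engine_cache_blocked(hdrs, body) else "CACHEABLE"
        print(p, status, verdict)
```

Two caveats a reviewer should keep in mind when attesting against this paragraph: `noindex`/`noarchive` are instructions that well-behaved crawlers follow, not an access control, so the first sentence of the paragraph (non-public data must not be reachable by the public at all) is the real safeguard and these headers only reduce the blast radius of a misconfiguration; and a check like `is_search_engine_cache_blocked` is worth running against the deployed site rather than the source, since a reverse proxy or CDN in front of the application can strip or overwrite the headers.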
13. Portable Devices/Encryption – The Non-Public University Information listed in section 12(b) of the IT Security Procedures must not be stored, transported, or taken home on portable devices (e.g., laptops, flash drives) of any type without specific approval of both the Vice President of Administration or the equivalent at the College or in the Central Office department and the University Information Security Officer. Where approval is granted, additional password protection and encryption of data are required. In addition, the Non-Public University Information listed in section 12(b) stored on non-portable devices or transmitted between devices (e.g., servers, workstations) must be encrypted. The University has made encryption tools available to staff and faculty to comply with the requirements of this procedure. / Please explain the encryption tools used by your College and the number of users of each tool:
14. Safeguarding and Disposal of Devices and Records Containing Non-Public University Information – Whenever records containing Non-Public University Information are subject to destruction under the CUNY Records Retention and Disposition Schedule, storage devices such as hard disk drives and other media (e.g., tape, diskette, CDs, DVDs, cell phones, digital copiers, or other devices) and hard copy documents that contain such information must be securely overwritten or physically destroyed in a manner that prevents unauthorized disclosure. While in use, such devices and documents must not be left open or unattended on desks or elsewhere for extended periods of time.
15. Change of Data in Records – Individuals within Information Technology departments may be allowed privileged access to non-public University data to support the ongoing operations of administrative systems. When updates are not part of normal business processing, individuals must not alter any University data unless given specific approval by the Vice President of Administration or the equivalent at the College or in the Central Office department.
Any direct changes to data in administrative systems must be done from a College or Central Office location. No form of remote access to alter student or employee data is allowed.
16. Centralized Data Management– Data that are acquired or managed by Central Office departments (e.g., CPE, skill scores) shall be loaded into University systems and may not be modified by Colleges at the local level.
17. Grade Changes– Any system that allows for grade changes will have multiple security levels enabled, including the maintenance of a separate password that is administered and changed regularly for the purpose of authenticating individual users to the grade change function. Grade change functions must be able to create an audit trail from which edit reports will be regularly prepared for review by a management designee.
18. Changes in Information Files and Systems– Existing and new information systems must comply with these Information Technology Security Procedures. Modifications to existing information systems will be required to maintain compliance. Additional criteria regarding ghost systems are in the IT Security Procedures.
19. Vulnerability Assessments– Each University entity must establish a routine program to test, monitor, and remediate technical and data vulnerabilities on its network. The program should include a combination of continuous monitoring and on-demand testing tools.
20. Device Management – All devices that are allowed to connect to University networks and systems that support administrative, business, and academic activities and operations must be maintained at current anti-virus/malicious code protection at all times. In addition, security updates to operating systems must be applied on a timely basis after appropriate testing. Although the University does not manage student computers, procedures should be implemented to minimize the risk to University files and systems.
21. Management Responsibility– College and Central Office management are responsible for maintaining and overseeing compliance with these Information Technology Security Procedures within their line responsibilities.
22. Information Technology Security Procedure Governance– Any proposed exception to these Information Technology Security Procedures must be communicated in writing to the University Information Security Officer prior to any action introducing a non-compliance situation.
IT Security Procedures – Wireless Network Security, November 20, 2009
(The paragraph number below refers to the same paragraph number in the IT Security Procedures – Wireless Network Security. An excerpt or summary is provided below. Refer to the Procedures for the complete paragraph) / Is your Campus in compliance?
If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance. / Other comments describing the environment and/or compensating controls.
1. Wireless Network Installation/Changes - Requests to install new wireless networks or change existing wireless networks must be in writing and will be subject to approval by the College CIO. The College CIO will routinely monitor for unauthorized (rogue) wireless networks and such rogue networks must be disconnected when discovered.
2. Risk Assessment - New wireless networks or modifications to existing wireless networks will be subject to a risk assessment to determine if such wireless networks comply with all IT Security Policies and Procedures.
3. Intrusion Detection - All wireless networks must require the use of routine monitoring and preventative techniques to minimize risks of unauthorized intrusion attempts.
4. End-point Integrity - Wireless visitor access, and devices failing an end-point integrity check, must be redirected to the Internet over a private virtual LAN that does not reach the internal subnet(s) of the University or College network infrastructure.
5. Encrypted Transmission - University and College web applications, if non-public University data is transmitted, must use the secure and encrypted protocol https.
6. Wireless Usage Logs - Wireless usage logs must be retained consistent with the University Records Retention and Disposition Schedule.
7. Signal Strength - Signal strength and containment of the wireless signal must be engineered to minimize the wireless signal accessibility outside the bounds of the College's business and community mission.
IT Security Procedures – Data Center Security & Environment Support, November 20, 2009
(The paragraph number below refers to the same paragraph number in the IT Security Procedures – Data Center Security & Environment Support. An excerpt or summary is provided below. Refer to the Procedures for the complete paragraph) / Is your Campus in compliance?
If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance. / Other comments describing the environment and/or compensating controls.
1. Minimum Protections – Minimum protections are implemented as defined by sub-paragraphs a. through h.
2. Annual Risk Assessment - An annual risk assessment to evaluate the adequacy of data center protection levels must be completed and documented.

CUNY IT Disaster Recovery/Business Continuity Attestation Response Form

The following Recommendations serve as the basis of this portion of the attestation and should be referred to in their entirety when responding to each item on this form: IT Disaster Recovery/Business Continuity Recommendations, adopted October 18, 2010, located under Business Continuity/Disaster Recovery Planning at security.cuny.edu

Fall Semester 2014

Campus and/or Department: ______

IT Disaster Recovery/Business Continuity Recommendations, October 18, 2010
(Please refer to the full Recommendations document when answering the questions below.) / Is your Campus in compliance?
If yes, please explain.
If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance. / Other comments describing the environment and/or compensating controls.
1. Governance- Is there a coordinator(s) designated for IT BC/DR efforts?
2. Disaster Recovery Planning- Does the unit have a formal written IT DR plan including systems and functions to be recovered, and is there a procedure in place to “activate” the plan on short notice?
3. Periodic Data Backup-
3a. Does the unit back up data using tools that meet the minimum requirements as recommended?
3b. Does the unit follow an appropriate schedule for data backup?
3c. Does the unit store backup media in an environmentally secured enclosure in a secure, protected facility within the unit?
3d. Does the unit use any off-site, third-party storage facility that is secure, environmentally controlled, and off-campus? (Please include the name of the vendor.)
3e. Does the unit have a suitable Service Level Agreement (SLA) with the off-site facility?
3f. Are the stored backup sets sent off-site at least weekly?
4. Proactive Loss Prevention - Does the unit have “Proactive Loss Prevention” capability for its critical systems?
5. DR Testing and Validation
5a. Does the unit conduct restoration and validation of data periodically?
5b. Does the unit test the IT DR plan periodically?

Signature of College Vice President of Administration or equivalent:

Print:______

Signature:______

Date:______