CUNY Information Security Policy and Procedures Attestation Response Form

ovenforksqueeSecurity

Nov 3, 2013

CUNY Information Security Policy and Procedures
Attestation Response Form

The following Policies and Procedures serve as the basis of this attestation and should be referred to in their entirety when responding to each item on this form:

1) Policy on Acceptable Use of Computer Resources; 2) IT Security Procedures - General, March 26, 2009, Brian Cohen; 3) IT Security Procedures - Wireless Network Security, November 20, 2009, Brian Cohen; 4) IT Security Procedures - Data Center Security & Environment Support, November 20, 2009, Brian Cohen; all located under Security Policies & Procedures at security.cuny.edu

Spring Semester, May 2013

Campus and/or Department: _____________________________________________________________________

Policy on Acceptable Use of Computer Resources

(The paragraph number below refers to the same paragraph number in the Acceptable Use policy. An excerpt or summary is provided below. Refer to the Policy for the complete paragraph.)

Is your Campus in compliance? If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance.

Other comments describing the environment and/or compensating controls.

11. Filtering. CUNY reserves the right to install spam, virus and spyware filters and similar devices if necessary in the judgment of CUNY’s Office of Information Technology or a college IT director to protect the security and integrity of CUNY computer resources. Notwithstanding the foregoing, CUNY will not install filters that restrict access to e-mail, instant messaging, chat rooms or websites based solely on content.

Include here (or as an attachment) a description of any filters that are being used to restrict access to e-mail, instant messaging, chat rooms or websites based solely on content:

12. Confidential Research Information. Principal investigators and others who use CUNY computer resources to store or transmit research information that is required by law or regulation to be held confidential or for which a promise of confidentiality has been given, are responsible for taking steps to protect confidential research information from unauthorized access or modification. In general, this means storing the information on a computer that provides strong access controls (passwords) and encrypting files, documents, and messages for protection against inadvertent or unauthorized disclosure while in storage or in transit over data networks.

IT Security Procedures - General, March 26, 2009

(The paragraph number below refers to the same paragraph number in the IT Security Procedures - General. An excerpt or summary is provided below. Refer to the Procedures for the complete paragraph.)

Is your Campus in compliance? If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance.

Other comments describing the environment and/or compensating controls.

1. Introduction - It is the responsibility of each University entity (i.e., a College or a Central Office department) to maintain the integrity and privacy of University information.

2. Non-Public University Information - Non-public University information should be treated confidentially.

3. Access to University Information - Access to University information available in University files and systems, whether in electronic or hard copy form, must be limited to individuals with a strict need to know, consistent with the individual’s job responsibilities. This section provides the requirements for employee, student, and adjunct faculty access including the provisions of a waiver procedure and acknowledgement of receiving University information security policies and procedures.

4. Review of Access to University Files and Systems - Each University entity must review, at least once during each of the fall and spring semesters, individuals having any type of access to non-public University data and must remove user IDs and access capabilities that are no longer current. This review includes, but is not limited to, access to networks, applications, sensitive transactions, databases, and specialized data access utilities.

5. Severance of Access upon Termination or Transfer of Employment - Access to computerized systems must be removed no later than an individual’s last date of employment. User IDs must not be re-used or re-assigned to another individual at any time in the future.

For job transfers, access to computerized systems must be removed no later than the last date in the old position and established no sooner than the first date in the new position.

6. Authentication - Users of University files and systems must use an individually assigned user ID to gain access to any University network or application.

7. User IDs - Users of University files and systems other than technical employees within Information Technology departments at a College or in the Central Office must have no more than one individually assigned user ID per system.

8. Passwords - All passwords must be treated as non-public University data and, as such, are not to be shared with anyone. Users must manually enter their passwords when prompted, and passwords must not be scripted or stored.

All passwords must be changed at least every 90 days. Accounts which have special access privileges must be changed at least every 60 days.

9. Remote Access - Access to administrative and academic support systems from non-University locations is allowed only through secure remote connections (e.g., VPN) that provide for unique user authentication and encrypted communications.

10. Disclosure of Non-Public University Information - (a) Unless otherwise required by law, users of University files and systems must not disclose any Non-Public University Information to the general public or any unauthorized users. (c) Special Rules for Social Security Numbers - Refer to the IT Security Procedures.

11. Web Accessible Data - Non-public University data must not be made accessible to the general public. All web pages must be programmed with a parameter to prevent the caching of data by Internet search engines.

12. Security Incident Response and Reporting - An acknowledgment of or response to any security incident must be given to the University Chief Information Officer and the University Information Security Officer within 24 hours of notice of the incident, and a report of such incident is due within 72 hours.

13. Portable Devices/Encryption - The Non-Public University Information listed in section 12(b) in the IT Security Procedures above must not be stored, transported, or taken home on portable devices (e.g., laptops, flash drives) of any type without specific approval of both the Vice President of Administration or the equivalent at the College or in the Central Office department and the University Information Security Officer. Where approval is granted, additional password protection and encryption of data are required. In addition, the Non-Public University Information listed in section 12(b) stored on non-portable devices or transmitted between devices (e.g., servers, workstations) must be encrypted. The University has made encryption tools available to staff and faculty to comply with the requirements of this procedure.

Please explain the encryption tools used by your College and the number of users of each tool:

14. Safeguarding and Disposal of Devices and Records Containing Non-Public University Information - Whenever records containing Non-Public University Information are subject to destruction under the CUNY Records Retention and Disposition Schedule (available at http://policy.cuny.edu/text/toc/rrs), the storage devices such as hard disk drives and other media (e.g. tape, diskette, CDs, DVDs, cell phones, digital copiers, or other devices) and hard copy documents that contain such information must be securely overwritten or physically destroyed in a manner that prevents unauthorized disclosure. While in use, such devices and documents must not be left open or unattended on desks or elsewhere for extended periods of time.

15. Change of Data in Records - Individuals within Information Technology departments may be allowed privileged access to non-public University data to support the ongoing operations of administrative systems. When updates are not part of normal business processing, individuals must not alter any University data unless given specific approval by the Vice President of Administration or the equivalent at the College or in the Central Office department.

Any direct changes to data in administrative systems must be done from a College or Central Office location. No form of remote access to alter student or employee data is allowed.

16. Centralized Data Management - Data that are acquired or managed by Central Office departments (e.g., CPE, skill scores) shall be loaded into University systems and may not be modified by Colleges at the local level.

17. Grade Changes - Any system that allows for grade changes will have multiple security levels enabled, including the maintenance of a separate password that is administered and changed regularly for the purpose of authenticating individual users to the grade change function. Grade change functions must be able to create an audit trail from which edit reports will be regularly prepared for review by a management designee.

18. Changes in Information Files and Systems - Existing and new information systems must comply with these Information Technology Security Procedures. Modifications to existing information systems will be required to maintain compliance. Additional criteria regarding ghost systems are in the IT Security Procedures.

19. Vulnerability Assessments - Each University entity must establish a routine program to test, monitor, and remediate technical and data vulnerabilities on its network. The program should include a combination of continuous monitoring and on-demand testing tools.

20. Device Management - All devices that are allowed to connect to University networks and systems that support administrative, business, and academic activities and operations must be maintained at current anti-virus/malicious code protection at all times. In addition, security updates to operating systems must be applied on a timely basis after appropriate testing. Although the University does not manage student computers, procedures should be implemented to minimize the risk to University files and systems.

21. Management Responsibility - College and Central Office management are responsible for maintaining and overseeing compliance with these Information Technology Security Procedures within their line responsibilities.

22. Information Technology Security Procedure Governance - Any proposed exception to these Information Technology Security Procedures must be communicated in writing to the University Information Security Officer prior to any action introducing a non-compliance situation.

IT Security Procedures - Wireless Network Security, November 20, 2009

(The paragraph number below refers to the same paragraph number in the IT Security Procedures - Wireless Network Security. An excerpt or summary is provided below. Refer to the Procedures for the complete paragraph.)

Is your Campus in compliance? If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance.

Other comments describing the environment and/or compensating controls.

1. Wireless Network Installation/Changes - Requests to install new wireless networks or change existing wireless networks must be in writing and will be subject to approval by the College CIO. The College CIO will routinely monitor for unauthorized (rogue) wireless networks and such rogue networks must be disconnected when discovered.

2. Risk Assessment - New wireless networks or modifications to existing wireless networks will be subject to a risk assessment to determine if such wireless networks comply with all IT Security Policies and Procedures.

3. Intrusion Detection - All wireless networks must require the use of routine monitoring and preventative techniques to minimize risks of unauthorized intrusion attempts.

4. End-point Integrity - Wireless visitor access and devices failing an end-point integrity check are redirected to the Internet over a private virtual LAN that does not connect to subnet(s) of the University or College network infrastructure.

5. Encrypted Transmission - University and College web applications, if non-public University data is transmitted, must use the secure and encrypted protocol https.

6. Wireless Usage Logs - Wireless usage logs must be retained consistent with the University Records Retention and Disposition Schedule (www.cuny.edu/policy/text/toc/rrs).

7. Signal Strength - Signal strength and containment of the wireless signal must be engineered to minimize the wireless signal accessibility outside the bounds of the College's business and community mission.

IT Security Procedures - Data Center Security & Environment Support, November 20, 2009

(The paragraph number below refers to the same paragraph number in the IT Security Procedures - Data Center Security & Environment Support. An excerpt or summary is provided below. Refer to the Procedures for the complete paragraph.)

Is your Campus in compliance? If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance.

Other comments describing the environment and/or compensating controls.

1. Minimum Protections - Minimum protections are implemented as defined by sub-paragraphs a. through h.

2. Annual Risk Assessment - An annual risk assessment to evaluate the adequacy of data center protection levels must be completed and documented.

CUNY IT Disaster Recovery/Business Continuity
Attestation Response Form

The following Recommendations serve as the basis of this portion of the attestation and should be referred to in their entirety when responding to each item on this form:

IT Disaster Recovery/Business Continuity Recommendations, adopted October 18, 2010, located under Business Continuity/Disaster Recovery Planning at security.cuny.edu

Spring Semester, May 2013

Campus and/or Department: _____________________________________________________________________

IT Disaster Recovery/Business Continuity Recommendations, October 18, 2010

(Please refer to the full Recommendations document when answering the questions below.)

Is your Campus in compliance? If yes, please explain. If not, please describe the non-compliance situation and the plan / timeframe for coming into compliance.

Other comments describing the environment and/or compensating controls.

1. Governance - Is there a coordinator(s) designated for IT BC/DR efforts?

2. Disaster Recovery Planning - Does the unit have a formal written IT DR plan including systems and functions to be recovered, and is there a procedure in place to “activate” the plan on short notice?

3. Periodic Data Backup -

3a. Does the unit back up data using tools that meet the minimum requirements as recommended?

3b. Does the unit follow an appropriate schedule for data backup?

3c. Does the unit store backup media in an environmentally secured enclosure in a secure, protected facility within the unit?

3d. Does the unit use any off-site, third-party storage facility that is secure, environmentally controlled, and off-campus? (Please include the name of the vendor.)

3e. Does the unit have a suitable Service Level Agreement (SLA) with the off-site facility?

3f. Are the stored backup sets sent off-site at least weekly?

4. Proactive Loss Prevention - Does the unit have “Proactive Loss Prevention” capability for its critical systems?

5. DR Testing and Validation -

5a. Does the unit conduct restoration and validation of data periodically?

5b. Does the unit test the IT DR plan periodically?

Signature of College Vice President of Administration or equivalent: _______________________________

Date: _____________