Effective Date | April 1, 2024 | Policy Owner | Information Technology Services (ITS) |
---|---|---|---|
Last Reviewed Date | May 3, 2024 | Approved By | Vice President for Information Technology and CIO/CISO |
Review Cycle | Annual | Policy Contact | Information Security & Compliance Analyst |
1. OBJECTIVE
The objective of New York Tech, in the development, maintenance and implementation of this comprehensive written information security program ("WISP"), is to create effective administrative, technical, and physical safeguards for the protection of confidential and restricted information of New York Tech employees, students, and affiliated entities, as defined by New York Tech's Data Security and Access Management Policy. This WISP sets forth New York Tech's procedures for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.
2. PURPOSE
The purpose of this WISP is to:
- Ensure the security, confidentiality, integrity, and availability of personal information New York Tech collects, creates, uses, and maintains.
- Protect against any reasonably anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information.
- Protect against unauthorized access to, or use of, personal information maintained by New York Tech in a manner that could result in substantial harm or inconvenience to any customer or employee.
- Define an information security program that is appropriate to New York Tech's size, scope, and business; its available resources; and the amount of personal information that New York Tech owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
3. SCOPE
This WISP applies to all New York Tech students, faculty, staff, affiliates, contractors, and authorized third parties. It also applies to all New York Tech computing, network, and information systems and services. The data covered by this information security program includes any information stored, accessed or collected at New York Tech or for New York Tech operations, whether in paper, electronic, or other form.
4. ROLES AND RESPONSIBILITIES
New York Tech has designated a Chief Information Security Officer (CISO), with assistance from Information Technology Services and the Office of General Counsel, to serve as the qualified individual responsible for implementing, coordinating, and maintaining this WISP.
The CISO shall report to New York Tech's management and the Board of Trustees periodically, and at least annually, on the information security safeguards that protect confidential and restricted information. The report shall cover:
- the program's overall status;
- compliance with applicable laws and regulations;
- material matters related to the program, such as risk assessment, risk management and control decisions, service provider arrangements, testing results, cyber incidents or policy violations, and management's responses; and
- recommendations for program changes.
5. IDENTIFICATION, ASSESSMENT AND MITIGATION OF RISKS
New York Tech will conduct a documented risk assessment on a regular basis, or whenever there is a material change in university business practices that may involve the security, confidentiality, integrity, or availability of data containing confidential or restricted information.
a) Internal Risk Mitigation Policies
To guard against internal risks to the security, confidentiality, integrity and/or availability of any electronic, paper or other records containing confidential or restricted data, the following measures are mandatory:
- New York Tech will only collect personal information of clients, customers or employees that is necessary to accomplish legitimate business transactions or to comply with any and all federal, state or local regulations.
- Access to records containing confidential or restricted information shall be limited to those employees whose job duties create a legitimate need to access those records, and only for that job-related purpose.
- Access to an electronic version of this WISP is available to all current faculty and staff, as well as each new member at the beginning of their employment.
- All faculty, staff and students are required to annually attest to reviewing and abiding by New York Tech's Acceptable Use Policy. The Acceptable Use Policy defines the acceptable ways in which computing resources, network, and systems may and may not be used.
- Terminated employees must return all records containing confidential or restricted data, in any form, in their possession at the time of termination. This includes all data stored on any portable device and any device owned directly by the terminated employee.
- A terminated employee's physical and electronic access to records containing confidential or restricted information shall be restricted at the time of termination. This shall include remote electronic access to personal records, voicemail, internet, and email access. All keys, keycards, access devices, badges, company IDs, and the like shall be surrendered at the time of termination.
- All security measures, including the WISP, shall be reviewed at least annually to ensure that the policies contained in the WISP are adequate to meet all applicable federal and state regulations.
- The Information Security Analyst or his/her designee shall be responsible for the review and modifications of the WISP and shall fully consult and apprise management of all reviews including any recommendations for improved security arising from the review.
- Information Technology Services will conduct periodic reviews to ensure that access to confidential and restricted information is restricted to approved and active user accounts.
- Current employees' user IDs and passwords shall conform to accepted password complexity standards. All passwords shall be changed at least annually.
- Employees are required to report security incidents and suspicious or unauthorized use of confidential or restricted information, New York Tech devices, and/or network resources to the Information Security Team via email to infosec@nyit.edu.
b) External Risk Mitigation Policies
To combat external risks to the security, confidentiality, availability and/or integrity of any electronic, paper or other records containing confidential or restricted information, New York Tech has implemented the following safeguards for limiting such risks:
- Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes confidential or restricted information.
- Confidential or restricted information shall not be removed from the business premises in electronic or written form absent legitimate business need and use of reasonable security measures.
- All system security software, including anti-virus, anti-malware, and internet security software, shall be reasonably up-to-date and installed on all New York Tech owned computing devices and on all personal devices that connect to New York Tech's network.
- All computer systems are monitored for unauthorized use or access to confidential or restricted information.
- Secure authentication protocols are in place where applicable and available, including single sign-on (SSO), multi-factor authentication (MFA) with number challenge (number matching) enabled so that a push prompt cannot be approved without the code displayed at sign-in, password complexity and reset requirements, and protocols for controlling user IDs.
- Contractually requiring all third-party providers and vendors to comply with all applicable federal and state regulations, in addition to New York Tech security procedures and protocols.
6. INFORMATION SECURITY POLICIES AND PROCEDURES
New York Tech maintains a comprehensive list of information security policies. The policies are reviewed and updated on a regular schedule to ensure they are accurate and address the current safeguards available to protect New York Tech's information systems. For a complete list of the policies, please visit our ITS Policies, Guidelines, and Forms page.
As part of this WISP, New York Tech develops, maintains, and distributes information security policies and procedures in accordance with applicable laws and standards to relevant employees, students, and affiliated entities.
7. SAFEGUARDS
New York Tech has developed, implemented, and maintains reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, availability, and integrity of personal information that the university owns or maintains on behalf of others. Safeguards are appropriate to the size, scope, and business case.
Physical Safeguards
An important step in protecting confidential and restricted information is to implement reasonable and appropriate physical safeguards for information systems and related equipment and facilities. Physical safeguards are defined as physical measures, policies, and procedures to protect an entity's electronic information systems and related facilities and equipment from natural and environmental hazards, and unauthorized intrusion. The standards below are another line of defense for protecting confidential and restricted data:
a) Facility Access Controls
- Physical access to storage rooms, file cabinets, or any other place where confidential and/or restricted information is stored is limited to authorized personnel only.
- Access to storage rooms is controlled by New York Tech ID cards or a physical key, and doors must be locked at all times when not in use.
- File cabinets in high traffic areas must be locked at all times.
b) Workstation Use
- All devices accessing New York Tech electronic resources, whether personal or New York Tech owned, must be used in accordance with the Acceptable Use Policy.
- All workstations in high traffic and/or public areas must have a privacy screen and be angled away from public viewing to prevent unauthorized viewing of confidential and/or restricted information.
- All workstations must be locked when unattended.
c) Device and Media Controls
- Confidential or restricted information stored on any device or New York Tech system should never be transferred to a portable media storage device or removed from campus.
- New York Tech issued devices must be returned to ITS at the end of their useful life to ensure proper disposal procedures are followed.
Technical Safeguards
Technical safeguards are defined as the technology, and the policies and procedures for its use, that protect electronic data and control access to it. Below is a list of the technical safeguards implemented to protect New York Tech's data and the systems and networks that provide access to it.
Access Control
- Each individual granted access to New York Tech information resources will be given a unique User ID.
- Access to individual systems and applications will be governed by the procedures for each respective system. Access request forms can be found here.
- Inactivity logoff is configured on all critical systems that support the functionality.
- Automatic lockout is configured on workstations after a defined period of inactivity.
Authentication
- Multi-factor authentication (MFA) with number challenge enabled is activated to confirm the identity of individuals attempting to access New York Tech's electronic systems.
Administrative Safeguards
Administrative safeguards are defined as administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of New York Tech's workforce in relation to the protection of that information.
Administrative Controls
- All employees are required to sign a statement of adherence to security policy and procedures upon hire.
- Employees must complete information security awareness training when hired and at least once per year. Additional training may be assigned based on job function, evolving threats, or regulatory requirements. Students may be required to attend training if employed in certain student worker positions at the hiring manager's discretion.
- ITS must be informed of all devices, including medical devices, that connect to the New York Tech network to ensure all proper security applications and patches are installed and up to date and data is properly protected.
- New York Tech maintains strict procedures to terminate access to electronic systems once an individual's relationship with the university has ended.
- Visitors must be escorted in all areas that process and/or store PII or PHI.
Data Safeguards
New York Tech will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of confidential and restricted information that New York Tech owns, or maintains on behalf of others.
- Data Classification – New York Tech employs a comprehensive data classification matrix that uses three levels of classification as part of the Data Security and Access Management Policy. Each category denotes a unique level of sensitivity. Data classification is as follows: confidential, restricted, and public. Once data is classified, departments must ensure that the appropriate levels of security controls are applied to the data.
- Encryption – New York Tech requires that all users apply ITS approved encryption solutions to all confidential and restricted New York Tech data wherever it is processed, stored, or transmitted, in order to preserve its confidentiality and integrity and to control access to it.
- Access and Storage – Access to New York Tech data and systems is granted through authorized access controls established by New York Tech. Access is reviewed on a periodic basis to ensure its relevancy and appropriateness.
- Data Destruction – Records containing confidential or restricted information are destroyed once the information is no longer needed for business purposes, unless federal guidelines require that the information be destroyed within a particular timeframe. Data is destroyed in such a way that it cannot be recovered after the process is complete.
8. SERVICE PROVIDER OVERSIGHT
Reasonable steps will be taken to select, retain, and oversee each third-party service provider that may have access to, or otherwise create, collect, use, or maintain, confidential or restricted information on New York Tech's behalf by:
- Evaluating the service provider's ability to implement and maintain appropriate security measures, consistent with this WISP and all applicable laws, regulations, mandates and institutional policy and obligation.
- Requiring the service provider by contract to implement and maintain reasonable security measures consistent with this WISP and all applicable laws, regulations, mandates, and institutional policy and obligations, including a Business Associate Agreement (BAA) for services that store, process, or transmit PHI or ePHI.
- Monitoring and auditing the service provider's performance to verify compliance with this WISP and all applicable laws, regulations, mandates and institutional policy and obligations.
- Data owners/stewards are responsible for confirming third-party service providers are maintaining appropriate security measures and data handling procedures to protect New York Tech data consistent with this program.
9. MONITORING
New York Tech regularly tests and monitors the implementation and effectiveness of the information security program to ensure that it operates in a manner reasonably calculated to prevent unauthorized access to or use of personal information, and reasonably and appropriately addresses any identified gaps.
10. INCIDENT RESPONSE AND RECOVERY
New York Tech has established a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control. Incidents that raise concerns about the privacy or security of confidential or restricted data must be reported promptly upon discovery to the ITS Information Security Team. The Information Security Team shall investigate all reported security incidents.
The Information Security Team is responsible for:
- Development and maintenance of the New York Tech Critical Incident Recovery and Response Plan (CIRR).
- Coordination and response to incidents in accordance with the requirements of federal, state, and local laws and other regulations.
- Minimizing the potential negative impact to New York Tech, clients, and third parties as a result of such incidents.
- Restoration of services to a normalized and secure state of operation.
- Providing clear and timely communication to all interested parties.
11. ENFORCEMENT
Violations of this WISP may result in disciplinary action, in accordance with information security policies and procedures, and human resources policies. Please see New York Tech's Employee and Faculty Handbooks for details regarding the university's disciplinary process.
12. PROGRAM REVIEW AND CHANGE MANAGEMENT
New York Tech will review this WISP and the security measures defined herein at least annually, or whenever there is a material change in the university's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of institutional assets and data.