Written Information Security Program

Effective Date: April 1, 2024
Last Reviewed Date: May 3, 2024
Review Cycle: Annual
Policy Owner: Information Technology Services (ITS)
Approved By: Vice President for Information Technology and CIO/CISO
Policy Contact: Information Security & Compliance Analyst

1. OBJECTIVE

The objective of New York Tech, in the development, maintenance and implementation of this comprehensive written information security program ("WISP"), is to create effective administrative, technical, and physical safeguards for the protection of confidential and restricted information of New York Tech employees, students, and affiliated entities, as defined by New York Tech's Data Security and Access Management Policy. This WISP sets forth New York Tech's procedures for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.

2. PURPOSE

The purpose of this WISP is to:

3. SCOPE

This WISP applies to all New York Tech students, faculty, staff, affiliates, contractors, and authorized third parties. It also applies to all New York Tech computing, network, and information systems and services. The data covered by this information security program includes any information stored, accessed or collected at New York Tech or for New York Tech operations, whether in paper, electronic, or other form.

4. ROLES AND RESPONSIBILITIES

New York Tech has designated a Chief Information Security Officer (CISO), with assistance from Information Technology Services and the Office of General Counsel, to serve as the qualified individual responsible for implementing, coordinating, and maintaining this WISP.

The CISO is required to periodically, but at least annually, report to New York Tech's management and the Board of Trustees regarding New York Tech's information security safeguards to protect confidential and restricted information, including the program's overall status, compliance with applicable laws and regulations, material matters related to the program, such as risk assessment, risk management and control decisions, service provider arrangements, testing results, cyber incidents or policy violations and management's responses, and recommendations for program changes.

5. IDENTIFICATION, ASSESSMENT AND MITIGATION OF RISKS

New York Tech will conduct a documented risk assessment on a regular basis, or whenever there is a material change in university business practices that may involve the security, confidentiality, integrity, or availability of data containing confidential or restricted information.

a) Internal Risk Mitigation Policies

To guard against internal risks to the security, confidentiality, integrity and/or availability of any electronic, paper or other records containing confidential or restricted data, the following measures are mandatory:

b) External Risk Mitigation Policies

To combat external risks to the security, confidentiality, availability and/or integrity of any electronic, paper or other records containing confidential or restricted information, New York Tech has implemented the following safeguards for limiting such risks:

6. INFORMATION SECURITY POLICIES AND PROCEDURES

New York Tech maintains a comprehensive list of information security policies. The policies are reviewed and updated on a regular schedule to ensure they are accurate and address the current safeguards available to protect New York Tech's information systems. For a complete list of the policies, please visit our ITS Policies, Guidelines, and Forms page.

As part of this WISP, New York Tech develops, maintains, and distributes information security policies and procedures in accordance with applicable laws and standards to relevant employees, students, and affiliated entities.

7. SAFEGUARDS

New York Tech has developed, implemented, and maintains reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, availability, and integrity of personal information that the university owns or maintains on behalf of others. Safeguards are appropriate to the size, scope, and business case.

Physical Safeguards

An important step in protecting confidential and restricted information is to implement reasonable and appropriate physical safeguards for information systems and related equipment and facilities. Physical safeguards are defined as physical measures, policies, and procedures to protect an entity's electronic information systems and related facilities and equipment from natural and environmental hazards, and unauthorized intrusion. The standards below are another line of defense for protecting confidential and restricted data:

a) Facility Access Controls

b) Workstation Use

c) Device and Media Controls

Technical Safeguards

Technical safeguards are defined as the technology, and the policies and procedures for its use, that protect electronic data and control access to it. Below is a list of the technical safeguards that are implemented to protect New York Tech's data and the systems and networks that provide access to New York Tech data.

Access Control
Authentication
Administrative Safeguards

Administrative safeguards are defined as administrative actions, policies, and procedures used to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information, and to manage the conduct of New York Tech's workforce in relation to the protection of that information.

Administrative Controls
Data Safeguards

New York Tech will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of confidential and restricted information that New York Tech owns, or maintains on behalf of others.

8. SERVICE PROVIDER OVERSIGHT

New York Tech will take reasonable steps to select, retain, and oversee each third-party service provider that may have access to, or otherwise create, collect, use, or maintain, confidential or restricted information on its behalf by:

9. MONITORING

New York Tech regularly tests and monitors the implementation and effectiveness of the information security program to ensure that it operates in a manner reasonably calculated to prevent unauthorized access to or use of personal information, and reasonably and appropriately addresses any identified gaps.

10. INCIDENT RESPONSE AND RECOVERY

New York Tech has established a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control. Incidents that raise concerns about the privacy or security of confidential or restricted data must be reported promptly upon discovery to the ITS Information Security Team. The Information Security Team shall investigate all reported security incidents.

The Information Security Team is responsible for:

11. ENFORCEMENT

Violations of this WISP may result in disciplinary action, in accordance with information security policies and procedures, and human resources policies. Please see New York Tech's Employee and Faculty Handbooks for details regarding the university's disciplinary process.

12. PROGRAM REVIEW AND CHANGE MANAGEMENT

New York Tech will review this WISP and the security measures defined herein at least annually, or whenever there is a material change in the university's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of institutional assets and data.