01-010 Information Security Awareness Policy

Last Update: April 24, 2024

Approved: April 24, 2024 by Dr. Zvi Szafran

Policy Contact: Chief Information Officer

Supersedes:


I. SCOPE

This policy applies to all individuals with SUNY Canton employee-level permission to use network and electronic resources (i.e., faculty, staff, and campus affiliated individuals and organizations).

II. POLICY STATEMENT

SUNY Canton recognizes the importance of our employees as the first line of defense against cyberattacks and their valuable role in protecting the data we are entrusted with by our students, faculty, staff, alumni, donors, and community.

Training and education need to be ongoing due to the ever-increasing variety and sophistication of cyber threats. These include, but are not limited to, spam, phishing, spoofing, malware, and ransomware, which can result in identity theft, data corruption, loss of intellectual property, disruption of academic and business operations, and damage to the reputation of the institution. SUNY Canton may be liable for losses, fines, and penalties caused by data breaches, on top of the internal costs for incident investigation and remediation. Moreover, loss of trust in the College’s ability to protect the personal information of stakeholders could result in reductions in donations, grant funding, and student enrollment.

This policy is meant to ensure that our faculty, staff, and affiliates are made aware of the threats we face from cyberattacks and from inadvertent disclosure of sensitive information, as well as their consequences. It also helps ensure compliance with New York State Law, SUNY Information Security Policy, and various regulatory requirements.

III. POLICY

To meet the compliance requirements stated above, SUNY Canton requires a baseline level of awareness through participation in annual Information Security Awareness Training for all employees, regardless of their level of access to college resources. This training must be completed:

  • Within 30 days of employment for new employees,
  • When required by information system changes, and
  • Annually thereafter.

Role-based training may be required based on an employee’s assigned security role and level of access within the College, as determined by the Chief Information Officer (CIO) or designee, the individual’s area Vice President (VP) or designee, and New York State and/or SUNY Policy. These training courses may include information related to HIPAA, FERPA, PCI DSS, GDPR, and GLBA.

Additional awareness materials will be made available to the campus community regularly. These may include posters and signage, email communications, events or activities, and optional training modules for specialized topics.

In addition to assigned training and informational materials, the CIO or designee will occasionally conduct simulated-phishing exercises. The goal of these is to both reinforce the training and reduce the likelihood of people falling for real phishing attacks. These attacks will involve similar tactics to those used by real cybercriminals but will be carried out in a safe environment.

IV. DEFINITIONS

Affiliated Individuals and Organizations: External organizations, and their employees and volunteers, whose activities significantly assist SUNY Canton in advancing and achieving its strategic goals. Examples include, but are not limited to, College Auxiliary Services, the College Foundation, the Research Foundation of New York, and the Cornell Cooperative Extension and its partners.

HIPAA: The Health Insurance Portability and Accountability Act of 1996 is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

FERPA: The Family Educational Rights and Privacy Act is a federal law enacted in 1974 that protects the privacy of student education records.

PCI DSS: The Payment Card Industry Data Security Standard is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

GDPR: The European Union General Data Protection Regulation is the strongest privacy and security law in the world. This regulation updated and modernized the principles of the 1995 Data Protection Directive. It was adopted in 2016 and entered into application on 25 May 2018.

GLBA: Privacy of Consumer Financial Information. Title V, Subtitle A of the Gramm-Leach-Bliley Act governs the treatment of nonpublic personal information about consumers by financial institutions.

V. OTHER RELATED INFORMATION

VI. PROCEDURES

  1. All employees are automatically enrolled in the baseline training when they are activated as employees. Additional training assignments may be given later based on the employee's roles and job duties and to comply with policy changes and updates.
  2. Employees should be given time to complete that training during their regular work hours and access to a computer to complete it. If no computer is available in their regular work location, they should be allowed to complete the training in an open computer lab.
  3. New employees are assigned training soon after their employment start date and will receive notice of that training via their college email. They will have one month from when it is assigned to complete the training(s).
  4. Existing employees are assigned training annually each fall semester and will receive notice of that training via their college email. They will have one month from when it is assigned to complete the training(s).

Non-compliance

  1. Individuals who do not complete the training by the due date may have the following actions taken:
    • Access to systems and services the College has deemed high risk may be restricted until training is complete.
    • The individual's supervisor, division VP, and/or Human Resources will also receive notification of non-compliance.
  2. Individuals who fail simulated phishing campaigns may be assigned additional training modules for topic-specific education.

VII. FORMS

N/A

VIII. AUTHORITY

NYS and SUNY Mandated Policy

IX. HISTORY

N/A

X. APPENDICES

N/A

XI. FREQUENCY OF REVIEW AND UPDATE

This policy will be reviewed on an annual basis, unless specified otherwise.