NYS Security Compromise Policy
To all Faculty, staff, and administrators:
What does this mean to me? Identity theft has become a major problem over the last few years. Over 51 million Americans have had their personal information compromised since February 2005 (including more than 3 million NYS residents - see the CSCIC list at the end). Criminals - and organized crime in particular - have found it to be a very lucrative business. With a few key pieces of personal information – a name, SSN, birth date and address – they can use your identity to open new credit card and financial accounts, take out a mortgage on your house, and generally plunder your financial accounts for huge amounts of money before you even realize it is happening. Repairing the damage to your credit rating takes years, and is difficult if not impossible. On a personal level, we all understand and support this legislation since we all would want to know if our personal information has fallen into the wrong hands.
What does this mean for
What is the College doing to protect our systems and data? Campus Technology Services (CTS), the central technology and support organization serving the campus, provides centralized administrative systems that serve faculty, staff, and students. CTS also supports and maintains all College-owned faculty and staff workstations. The most common way that systems are compromised is through known exploits on machines that are not properly patched.
What should you do? Review practices regarding use of computer systems within your unit – particularly those systems that are not stored, managed and maintained by CTS. If you have a local MS Access database on a machine in your office, or any locally stored database of students, clients, constituents or employees, you should contact CTS to discuss options for securing that data.
Data should never be stored on local workstations – not only is that data not part of any backup and recovery process, but local workstations can be (and are) stolen. The College provides file servers accessible through the network that provide secure storage for all of your data files.
Any stolen or lost computers (desktops or laptops) should be reported to University Police immediately. You should keep a record of all of your unit’s computer hardware (make, model, serial number and MAC address) in the event that it is stolen or lost.
The proliferation of external USB/Firewire disk drives and USB memory keys is another threat. These portable devices can also store large amounts of data that is easily lost or stolen. Again, data should only be stored on centralized College servers.
If your unit is not already using a centralized file share on a CTS server, chances are your employees are using local or removable storage that is not secure. Please call CTS at x6465 to set up a file share for your office.
It is critical that when an employee leaves your unit, please notify CTS so that their access to College systems can be terminated. Former employees can retain e-mail privileges where necessary, but should not have access to other College systems after they leave.
Take stock of physical security within your unit. Are the offices and cabinets where sensitive paper records are stored secure and accessible to authorized personnel only? Are there alarm systems covering these areas?
Most importantly, you need to raise awareness among everyone within your unit about the seriousness of cyber security threats. Understanding the issues and the ramifications of a compromise – personally and institutionally – is the only thing that will make someone think twice about downloading that data file onto their laptop or USB key. Have your people check the contents of their computers and storage devices and eliminate anything that doesn’t need to be there. Remind everyone not to e-mail confidential data files or SSNs.
If a compromise is suspected: If you suspect that a computer system in your unit has been compromised, or if any laptop or College-owned desktop computer is lost or stolen, please notify CTS and University Police immediately. We will work with you to determine whether or not a compromise has occurred, and what actions need to be taken.
If a compromise occurs: The law requires us to notify three NYS offices:
The summary and text of the Assembly bill signed Aug 9 by the Governor:
The Privacy Rights Clearinghouse Web site at http://www.privacyrights.org
(basement of Social Sciences Bldg)
Tel (914) 251-6465
New! Equipment Loans Page