Security Attestation Campus Follow-up Visits

CUNY Information Security Policy and Procedures Attestation Response Form
The following Policies and Procedures serve as the basis of this attestation and should be referred to in their entirety when responding to
each item on this form: 1) Policy on Acceptable Use of Computer Resources; 2) IT Security Procedures - General, June 25, 2014, Brian
Cohen; 3) IT Security Procedures – Wireless Network Security, November 20, 2009, Brian Cohen; 4) IT Security Procedures – Data
Center Security & Environment Support, November 20, 2009, Brian Cohen; all located under Security Policies & Procedures at
security.cuny.edu
Spring Semester 2015 (v1)
Campus and/or Department: _____________________________________________________________________
Policy – Policy on Acceptable Use of
Computer Resources
(The paragraph number below refers to the same
paragraph number in the Acceptable Use policy. An
excerpt or summary is provided below. Refer to the
Policy for the complete paragraph)
11. Filtering. CUNY reserves the right to install spam, virus
and spyware filters and similar devices if necessary in the
judgment of CUNY’s Office of Information Technology or a
college IT director to protect the security and integrity of
CUNY computer resources. Notwithstanding the foregoing,
CUNY will not install filters that restrict access to e-mail,
instant messaging, chat rooms or websites based solely on
content.
12. Confidential Research Information. Principal
investigators and others who use CUNY computer resources
to store or transmit research information that is required by
law or regulation to be held confidential or for which a
promise of confidentiality has been given, are responsible
for taking steps to protect confidential research information
from unauthorized access or modification. In general, this
means storing the information on a computer that provides
strong access controls (passwords) and encrypting files,
documents, and messages for protection against inadvertent
or unauthorized disclosure while in storage or in transit over
data networks.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Include here (or as an attachment) a description of any
filters that are being used to restrict access to e-mail,
instant messaging, chat rooms or websites based solely on
content:
Other comments describing the
environment and/or compensating
controls.
IT Security Procedures – General
June 25, 2014
(The paragraph number below refers to the same
paragraph number in the IT Security Procedures –
General. An excerpt or summary is provided below.
Refer to the Procedures for the complete paragraph)
1. Introduction - It is the responsibility of each University
entity (i.e., a College or a Central Office department) to
maintain the integrity and privacy of University information.
2. Non-Public University Information. Non-public
University information should be treated confidentially.
3. Access to University Information. Access to University
information available in University files and systems,
whether in electronic or hard copy form, must be limited to
individuals with a strict need to know, consistent with the
individual’s job responsibilities. This section provides the
requirements for employee, student, and adjunct faculty
access including the provisions of a waiver procedure and
acknowledgement of receiving University information
security policies and procedures.
4. Review of Access to University Files and Systems – Each
University entity must review, at least once during each of
the fall and spring semesters, individuals having any type of
access to non-public University data and must remove user
IDs and access capabilities that are no longer current. This
review includes, but is not limited to, access to networks,
applications, sensitive transactions, databases, and
specialized data access utilities.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
5. Severance of Access upon Termination or Transfer of
Employment – Access to computerized systems must be
removed no later than an individual’s last date of
employment. User IDs must not be re-used or re-assigned to
another individual at any time in the future.
For job transfers, access to computerized systems must be
removed no later than the last date in the old position and
established no sooner than the first date in the new position.
6. Authentication – Users of University files and systems
must use an individually assigned user ID to gain access to
any University network or application.
7. User IDs – Users of University files and systems other
than technical employees within Information Technology
departments at a College or in the Central Office must have
no more than one individually assigned user ID per system.
8. Passwords – All passwords must be treated as non-public
University data and, as such, are not to be shared with
anyone. Users must manually enter their passwords when
prompted, and passwords must not be scripted or stored.
All passwords must be changed at least every 180 days.
Accounts which have special access privileges must be
changed at least every 60 days.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
9. Remote Access – Access to administrative and academic
support systems from non-University locations is allowed
only through secure remote connections (e.g., VPN) that
provide for unique user authentication and encrypted
communications.
10. Disclosure of Non-Public University Information – (a)
Unless otherwise required by law, users of University files
and systems must not disclose any Non-Public University
Information to the general public or any unauthorized users.
(c) Special Rules for Social Security Numbers - Refer to the
IT Security Procedures.
11. Web Accessible Data – Non-public University data must
not be made accessible to the general public. All web pages
must be programmed with a parameter to prevent the
caching of data by Internet search engines.
12. Security Incident Response and Reporting – An
acknowledgment of or response to any security incident
must be given to the University Chief Information Officer
and the University Information Security Officer within 24
hours of notice of the incident, and a report of such incident,
is due within 72 hours.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
13. Portable Devices/Encryption – The Non-Public
University Information listed in section 12(b) in the IT
Security Procedures must not be stored, transported, or taken
home on portable devices (e.g., laptops, flash drives) of any
type without specific approval of both the Vice President of
Administration or the equivalent at the College or in the
Central Office department and the University Information
Security Officer. Where approval is granted, additional
password protection and encryption of data are required. In
addition, the Non-Public University Information listed in
section 12(b) stored on non-portable devices or transmitted
between devices (e.g., servers, workstations) must be
encrypted. The University has made encryption tools
available to staff and faculty to comply with the
requirements of this procedure.
14. Safeguarding and Disposal of Devices and Records
Containing Non-Public University Information – Whenever
records containing Non-Public University Information are
subject to destruction under the CUNY Records Retention
and Disposition Schedule (available at
http://policy.cuny.edu/text/toc/rrs), the storage devices such
as hard disk drives and other media (e.g. tape, diskette, CDs,
DVDs, cell phones, digital copiers, or other devices) and
hard copy documents that contain such information must be
securely overwritten or physically destroyed in a manner that
prevents unauthorized disclosure. While in use, such
devices and documents must not be left open or unattended
on desks or elsewhere for extended periods of time.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Please explain the encryption tools used by your College
and the number of users of each tool:
Other comments describing the
environment and/or compensating
controls.
15. Change of Data in Records – Individuals within
Information Technology departments may be allowed
privileged access to non-public University data to support
the ongoing operations of administrative systems. When
updates are not part of normal business processing,
individuals must not alter any University data unless given
specific approval by the Vice President of Administration or
the equivalent at the College or in the Central Office
department.
Any direct changes to data in administrative systems must be
done from a College or Central Office location. No form of
remote access to alter student or employee data is allowed.
16. Centralized Data Management – Data that are acquired
or managed by Central Office departments (e.g., CPE, skill
scores) shall be loaded into University systems and may not
be modified by Colleges at the local level.
17. Grade Changes – Any system that allows for grade
changes will have multiple security levels enabled, including
the maintenance of a separate password that is administered
and changed regularly for the purpose of authenticating
individual users to the grade change function. Grade change
functions must be able to create an audit trail from which
edit reports will be regularly prepared for review by a
management designee.
18. Changes in Information Files and Systems – Existing and
new information systems must comply with these
Information Technology Security Procedures. Modifications
to existing information systems will be required to maintain
compliance. Additional criteria regarding ghost systems are
in the IT Security Procedures.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
19. Vulnerability Assessments – Each University entity must
establish a routine program to test, monitor, and remediate
technical and data vulnerabilities on its network. The
program should include a combination of continuous
monitoring and on-demand testing tools.
20. Device Management – All devices that are allowed to
connect to University networks and systems that support
administrative, business, and academic activities and
operations must be maintained at current antivirus/malicious code protection at all times. In addition,
security updates to operating systems must be applied on a
timely basis after appropriate testing. Although the
University does not manage student computers, procedures
should be implemented to minimize the risk to University
files and systems.
21. Management Responsibility – College and Central
Office management are responsible for maintaining and
overseeing compliance with these Information Technology
Security Procedures within their line responsibilities.
22. Information Technology Security Procedure Governance
– Any proposed exception to these Information Technology
Security Procedures must be communicated in writing to the
University Information Security Officer prior to any action
introducing a non-compliance situation.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
IT Security Procedures – Wireless Network
Security, November 20, 2009
(The paragraph number below refers to the same
paragraph number in the IT Security Procedures –
Wireless Network Security. An excerpt or summary is
provided below. Refer to the Procedures for the
complete paragraph)
1. Wireless Network Installation/Changes - Requests to
install new wireless networks or change existing wireless
networks must be in writing and will be subject to approval
by the College CIO. The College CIO will routinely monitor
for unauthorized (rogue) wireless networks and such rogue
networks must be disconnected when discovered.
2. Risk Assessment - New wireless networks or
modifications to existing wireless networks will be subject to
a risk assessment to determine if such wireless networks
comply with all IT Security Policies and Procedures.
3. Intrusion Detection - All wireless networks must require
the use of routine monitoring and preventative techniques to
minimize risks of unauthorized intrusion attempts.
4. End-point Integrity - Wireless visitor access and devices
failing an end-point integrity check must be redirected to the
Internet over a private virtual LAN that does not connect to the
subnet(s) of the University or College network infrastructure.
5. Encrypted Transmission - University and College web
applications, if non-public University data is transmitted,
must use the secure and encrypted protocol https.
6. Wireless Usage Logs - Wireless usage logs must be
retained consistent with the University Records Retention
and Disposition Schedule
(www.cuny.edu/policy/text/toc/rrs)
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
7. Signal Strength - Signal strength and containment of the
wireless signal must be engineered to minimize the wireless
signal accessibility outside the bounds of the College's
business and community mission.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
IT Security Procedures – Data Center
Security & Environment Supports, November
20, 2009
(The paragraph number below refers to the same
paragraph number in the IT Security Procedures –
Data Center Security & Environment Supports. An
excerpt or summary is provided below. Refer to the
Procedures for the complete paragraph)
1. Minimum Protections – Minimum protections are
implemented as defined by sub-paragraphs a. through h.
2. Annual Risk Assessment - An annual risk assessment to
evaluate the adequacy of data center protection levels must
be completed and documented.
Is your Campus in compliance?
If not, please describe the non-compliance
situation and the plan / timeframe for coming
into compliance.
Other comments describing the
environment and/or compensating
controls.
CUNY IT Disaster Recovery/Business Continuity Attestation Response Form
The following Recommendations serve as the basis of this portion of the attestation and should be referred to in their entirety when
responding to each item on this form: IT Disaster Recovery/Business Continuity Recommendations, adopted October 18, 2010, located
under Business Continuity/Disaster Recovery Planning at security.cuny.edu
Fall Semester 2014
Campus and/or Department: _____________________________________________________________________
IT Disaster Recovery/Business Continuity
Recommendations, October 18, 2010
(Please refer to the full Recommendations document
when answering the questions below.)
1. Governance - Is there a coordinator(s) designated
for IT BC/DR efforts?
2. Disaster Recovery Planning - Does the unit have a
formal written IT DR plan including systems and
functions to be recovered, and is there a procedure in
place to “activate” the plan on short notice?
3. Periodic Data Backup
3a. Does the unit back up data using tools that meet the
minimum requirements as recommended?
3b. Does the unit follow an appropriate schedule for
data backup?
3c. Does the unit store backup media in an
environmentally secured enclosure in a secure,
protected facility within the unit?
3d. Does the unit use any off-site, third-party storage
facility that is secure, environmentally controlled, and
off-campus? (Please include the name of the vendor.)
Is your Campus in compliance?
If yes, please explain.
If not, please describe the non-compliance
situation and the plan / timeframe for coming into
compliance.
Other comments describing the
environment and/or compensating
controls.
3e. Does the unit have a suitable Service Level
Agreement (SLA) with the off-site facility?
3f. Are the stored backup sets sent off-site at least
weekly?
4. Proactive Loss Prevention - Does the unit have
“Proactive Loss Prevention” capability for its critical
systems?
5. DR Testing and Validation
5a. Does the unit conduct restoration and validation of
data periodically?
5b. Does the unit test the IT DR plan periodically?
Is your Campus in compliance?
If yes, please explain.
If not, please describe the non-compliance
situation and the plan / timeframe for coming into
compliance.
Other comments describing the
environment and/or compensating
controls.
Signature of College Vice President of Administration or equivalent:
Print:
_________________________________________________________
Signature:
_________________________________________________________
Date:
_________________