To: All Faculty & Staff
In recent months, we have experienced an increased number of information security incidents, some of which could have led to disruption of systems, loss of privacy, and disclosure of confidential data. These events were caught with an early alarm system contracted by CUNY at NYS Office of Cyber Security & Critical Infrastructure Coordination (CSCIC) and the infractions were quickly identified and mitigated. Although these events do not necessarily represent data breaches, they are the result of contacts with known hacker sites by the infected systems. We are confident that we will be able to identify, isolate and investigate infected systems quickly. We also need your help in preventing data breaches.
The University administration has taken steps to protect personal information residing in central systems and to restrict access only to those individuals who require such information to perform their duties. Most campus IT professionals take similar precautions. However, our campus is not immune from attack, especially those that may result from personal missteps and hacks into insecure computers.
The most common sources of the security infractions are:
- Not updating system (Windows/MacOS/Linux) and virus protection software regularly;
- Visiting suspicious web sites;
- Downloading and sharing music/video/software files;
- Transporting confidential data in an unprotected manner.
Watch The Information Security Awareness Video
CUNY has contracted with Enterprise Training Solutions to provide an online information security awareness course. It is approximately 30 minutes in length, covering the basics of why information security is important and best practices. Everyone who handles confidential data will be required to enroll and complete this training. All others are strongly urged to do the same. We are working with the vendor to create a customized login for our staff preloaded. We will notify you as soon as this site is ready with the appropriate access information.
Acknowledgment of CCNY/CUNY User Contracts:
Also, please note that the following documents must be read, understood, and accepted by everyone who uses CUNY or CCNY systems. These documents can also be found by visiting http://security.cuny.edu and clicking on "Info Security Policies" and reading the documents titled "Computer User Responsibilities" and "IT Security Procedures (Brian Cohen, March 26, 2009)".
Direct links are provided below:
1. CUNY Policy on Acceptable Use of Computer Resources
2. Information Technology Security Procedures
Additional Security Measures
In addition to these general guidelines, supervisors must also understand the need for and implement additional security measures for staff who handle confidential student, faculty and staff information. At a minimum, use of a college workstation for personal purposes must be prohibited if confidential data is present on that workstation. Supervisors are advised to state this fact in writing to each employee who will be using such a workstation. Reading email which may be unrelated to work or visiting confirmed safe web sites is usually acceptable. A similar procedure should be followed for casual employees and contractors, be it college assistants or employees of the Research Foundation.
Transportation of Confidential Data
Confidential data should not be transported on laptops or USB keys. If this is required and approved by a senior officer of the College, the data must be encrypted with strong passwords. Note that it is necessary but not sufficient to have a laptop login password to prevent a data breach if a laptop is lost. Data encryption should also be considered for all computers which maintain Personally Identifiable Information (PII), such as the SSN. If possible, these PIIs should be eliminated or truncated to reduce the possibility of data breaches. Access to workstations that contain confidential data from off-campus locations, for example, via Virtual Private Networking (VPN), is also not advised: this type of access must be approved by a senior officer and is allowed only from CUNY-owned secured computers. Email may not be used to transport or maintain confidential data files.
Communication with the IT Department
Unit directors should feel free to contact my office (X5665) or Mike Yemane, Manager of User Services and IT Security, who is the newly appointed campus Information Security Officer, if they have any questions about IT security or would like to invite an IT representative to discuss these issues with their staff. Mike can be reached through the IT help desk at 212-650-7878. After a general security health check procedure is prepared, we plan to visit every unit that the College Administration deems critical in terms of information security, as well as those who request it.
Mandatory Registration of Your Wireless Access Point
Also note that a set of wireless network policies was established several months ago. I urge you to review them and ask for consultation if you have any questions. Information related to wireless networking can be found at: http://www1.ccny.cuny.edu/facultystaff/it/security/Wireless-Hub-Deployment-Policy.cfm
Information security is an extremely serious topic. Please take special care to protect the information with which our students and staff trust us as well as your own, and the integrity of the systems we operate.
Assistant VP for IT & Chief Information Officer
Broadcast on May 18, 2009