University at Buffalo Information Security Program

Category: Data Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Data Officer (VPCIO)

Date Established: March 26, 2024

The University at Buffalo Data Technology Office (UBIT)’s Information Security Program identifies and describes goals, expectations, roles, and responsibilities with respect to information security incident preparation, detection, activation/response, containment, notification, remediation, resolution, and after-action analysis. the plan establishes a comprehensive response that focuses goals, organization, roles, responsibilities, expected outcomes, and procedures.

The University at Buffalo (UB, university) is committed to ensuring the confidentiality, integrity, and availability of university data. This information security program is established as a framework to protect critical university assets, data, and IT infrastructure. The purpose of this Program is to comply with applicable laws and to:

1. Provide a framework for comprehensive stewardship of university data.
2. Increase awareness of the confidential nature of university data.
3. Eliminate unnecessary collection and use of university data.
4. Protect against anticipated threats or hazards to the security or integrity of university data.
5. Protect against unauthorized access to or use of university data in a manner which creates a substantial risk of identity theft, fraud, or other misuse.

Data entrusted to the University at Buffalo must be protected against accidental disclosure and inappropriate use. All data, regardless of the form or format, which is created, acquired, or used in support of UB activities, must be used only for its intended purpose. Data must be protected throughout its lifetime, from its creation through disposal. Data collected must be classified and protected based on its importance to the business activities, risks, and security best practices, as outlined in the Data Risk Classification Policy.

All individuals authorized to access UB data must preserve and protect it in a consistent and reliable manner  and are expected to recognize their individual responsibility and accountability. Every individual is responsible to protect against unauthorized activities associated with their UBID and must not share their UBID and passwords.

Access to data must be limited to ensure data integrity and accountability. Individuals who create sensitive systems and repositories of data must assure that unique UBIDs and password govern the access and use of the system. Unique passwords must:

• Have 8 to 32 characters
• Have both upper and lower case letters
• Have at least one special character (such as !?#$%&’()*+,-/:;@)
• Have at least one number
• Not be a variation of your UBIT or legal name
• Contain only characters available on a standard English (US) keyboard
• Not be a password used during the last 365 days

Two-factor authentication must be used where data sensitivity is of particular concern. Activity must be logged at a level which assures that access and alteration of data can be traced to the responsible individual.

Managers of sensitive systems and data repositories must assure that access to that data is limited based on role and business need to ensure data integrity and accountability. Two-factor authentication must be implemented for access to restricted or confidential data.  Users must access only the data which they are authorized to use and view.

 The data owner will classify and secure data within their jurisdiction based on the data’s value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.

The information security function of UB is overseen by the Information Security Office (ISO), including the Chief Information Security Officer (CISO). The overall responsibilities of the ISO are as follows:

• Ensuring the implementation, enhancement, monitoring, and enforcement of UB’s information security policies.
• Coordinating the development and implementation of information security policies, standards, procedures, and other control processes which meet the business needs of the university.
• Develop, deploy, and maintain an information security architecture which meets the current and future needs of the university.
• Provide consultation services to computing and business operations and recommend methods to mitigate security risks.
• Coordinate the development and implementation of a training and awareness program to educate UB students, employees, contractors, vendors, and volunteers regarding the university’s security requirements.
• Investigate all potential breaches of security controls and implement additional compensating controls when necessary.
• Supervise and coordinate with security administrators to ensure the security measures implemented meet the requirements of the security policy.
• Manage security incidents and file mandatory reports to SUNY System Administration, New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), and other agencies as required by the incident.
• Ensure that appropriate follow-up is conducted for all security violations.
• Maintain awareness of applicable laws and regulations which could affect the security controls and classification requirements of the university’s data.

All data which is created, acquired, or used in support of the UB’s mission, regardless of the form or format must be used for university business only. Data is a university asset and must be protected throughout its lifecycle from creation, to authorized disposal. All data must be maintained in a secure, accurate, and reliable manner and be available for authorized use.

Data must be classified based on regulatory and legal requirements, its importance to business activities, risks, and information security best practices as defined in the university Data Risk Classification Policy.

Data is one of the University's most valuable assets and UB relies upon that data to support its mission. Therefore, the security of UB data, technologies, and systems which support it, is the responsibility of all members of the university community. Each authorized user of university data has an obligation to preserve and protect UB’s data assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical, and procedural safeguards to accomplish those goals.

Information security management enables data to be shared while ensuring protection of that data and its associated computer assets including the networks over which the data travels. University designated staff are responsible for ensuring that appropriate physical, logical, and procedural controls are in place on these assets to preserve the information security properties of confidentiality, integrity, availability, and privacy of university data.

Individual accountability is the cornerstone of any information security program. Without it, there can be no information security. Individual accountability is required when accessing all university resources, and includes:

1. Access to university computer systems and networks.
   1. This access is provided by assigned unique computer identifiers, known as UBIDs.
2. Individuals who use UB devices, such as computers, must only access data assets to which they are authorized.
3. Authentication tokens associated with each UBID, such as a password, must be used to authenticate the person accessing the data, system, or network.
   1. Passwords, tokens, or similar technology must be treated as confidential data and must not be disclosed.
   2. Transmission of such authentication data must be made only over secure mechanisms.
4. Individuals are responsible to protect against unauthorized activities performed under their UBID.
5. UBIDs and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared. In certain circumstances, where there is a clear requirement or system limitation, the use of a shared UBID for a group of users or a specific job can be used.
   1. Additional compensating controls must be implemented to ensure accountability is maintained.
6. Multi-Factor Authentication is required for specific systems and is recommended to be used when available on other systems.

All University data must be protected from unauthorized access to help ensure the data's confidentiality and maintain its integrity. Data stewards must secure data within their jurisdiction based on the data's value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery. UB maintains policies and procedures to guide data stewards in securing their data assets.

Data must be available for authorized use when it is needed by users in the normal performance of their duties. UBIT maintains a documented Disaster Recovery Plan to restore/recover data that is lost, damaged, or corrupted in the event of a disaster or other emergency. The Disaster Recovery Plan ensures that each area can restore or recover any loss of information and the systems needed to make that information available in a timely manner.

1. User Training:
   1. All faculty, staff and students must receive general information security awareness training to ensure they are knowledgeable of information security procedures, their roles, and responsibilities regarding the protection of university data, and the proper use of data processing facilities to minimize information security risks.
   2. Departments which process or maintain restricted, sensitive, or internal data are responsible for conducting specific information security awareness training for employees who handle such data in the course of their job duties.
      1. Employees must complete the Handling Data Safely course to learn about the appropriate methods of physical handling and disposition of non-electronic documents containing restricted, sensitive, or internal data as well as proper procedures to follow in processing and storing electronic data and documents.
   3. Log-on banners must be implemented on all systems where that feature exists to inform all users that the system is for university business or other approved use consistent with UB’s mission.
   4. Central authentication and authorization services must be implemented on all required systems to centralize access control and auditing.

1. Responding to Information Security Incidents and Malfunctions:
   1. Incidents affecting information security must be reported immediately to the Information Security Office via sec-office@buffalo.edu.
   2. Formal incident reporting procedures which define the actions to be taken when an incident occurs can be found in the Protection of University Data Policy and the Information Security Incident Response Plan.
2. Incident Management Process and Procedures:
   The logging of information security incidents is used by UB to identify recurring or high impact incidents and to record lessons learned. Review of this data may indicate the need for additional controls to limit the frequency, damage, and cost of future incidents.
   1. All users who utilize university data systems must be made aware of the procedure for reporting information security incidents, threats, weaknesses, or malfunctions that may have an impact on the security of university data.
   2. All UB employees, contractors or volunteers are required to immediately report any observed or suspected incidents to the appropriate manager and the University CISO.
   3. Incident management responsibilities must be documented, and procedures must be clearly defined to ensure a quick, effective, and orderly response to information security incidents. At a minimum, these procedures must address:
      1. Data system failures and loss of service.
      2. Denial of service.
      3. Errors resulting from incomplete or inaccurate data.
      4. Breaches of confidentiality.
      5. Loss of integrity of the software or other system component.
   4. In addition to normal contingency plans designed to recover applications, systems or services, the incident response procedures must also cover:
      1. Analysis and identification of the cause of the incident.
      2. Planning and implementation of corrective actions to prevent reoccurrence.
      3. Collection of audit log data.
      4. Communication with those affected by or involved in the recovery from the incident.
   5. University administration and the University CISO will investigate all information security incidents and implement corrective actions to reduce the risk of recurrence.

Risk Management is a proactive program of identifying and assessing risk, evaluating alternative strategies for risk mitigation, and making decisions about what is acceptable risk versus compensating controls. The process of Risk Management at UB is broken down into three unique and clearly defined steps: Risk Assessment, Risk Mitigation, and Risk Evaluation.

Methods used to conduct a risk assessment include:

• Conducting security reviews of new and existing systems.
• Conducting departmental reviews.
• Using a SUNY-administered Security Self-Assessment Questionnaire to identify controls and program elements which could be enhanced.
• Doing a self-administered risk assessment of key assets.
• Reviewing pending contracts for IT and data services.
• Contracting with a Managed Security Service to monitor systems logs and network traffic for anomalous events.
• Vulnerability scans.
• Risk acceptance form.
• Risk assessment template.

UB’s risk mitigation process involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Risk evaluation is an ongoing and ever evolving process. Evaluation emphasizes the good practice to develop an effective risk management program within the university’s Information Security Program. Not only should the risk management program engage changes to existing systems, but should also integrate into the university’s operational functions, as well as a System Development Life Cycle (SDLC) for new systems and applications.

1. To preserve the properties of integrity, confidentiality, and availability, UB’s data assets are protected by logical and physical access control mechanisms which commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements, and ease of recovery of these assets.
2. Data Stewards are responsible for determining who should have access to data assets within their jurisdiction, and what those access privileges are (read, update, etc.). These access privileges are granted in accordance with the user's job responsibilities.
3. Identity and Access Management:
   1. A process shall be established by the University to outline and identify all functions of user management, to include the generation, distribution, modification, and deletion of user accounts for access to resources. The purpose of this process is to ensure that only authorized users have access to university applications and data and that these users only have access to the resources required for authorized purposes.
   2. The User Management Process will include the following sub-processes:
      1. Provisioning new user accounts.
      2. Disabling/deactivating accounts.
      3. Granting "privileged accounts" to a user.
      4. Removing "privileged accounts" from a user.
      5. Periodic reviewing "privileged accounts" of users.
      6. Periodic reviewing of users enrolled to any system; and
      7. Assigning a new authentication token (e.g. password reset processing).
   3. The appropriate data steward or supervisor will make requests for the registration and granting of access rights for employees. In some cases, access can be automatically granted or taken away based on employment status.
   4. For applications that interact with users that are not employed by UB, the data steward is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users must be defined, to include the credentials that must be provided to prove the identity of the user requesting registration, validation of the request and the scope of access that may be provided.
4. User Password Management:
   1. Passwords are a common means of authenticating a user's identity to access a data system or service. Password standards are implemented by UBIT to ensure all authorized users accessing UB resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.
   2. To ensure best practice in password management, systems shall implement standards based on NIST Special Publication 800-63 where feasible.
   3. A user who needs a password reset must be authenticated before their request is granted.
   4. Password must comply with UB password complexity standards.
   5. Automated logins must not include the password unless other special conditions are met.
   6. Password management must be consistent across all platforms operated by the campus where possible.

The campus Identity Management system was modified to require very long passwords, referred to as passphrases:

• Password length:  8-32 characters
• Have both upper, lower, special character and at least one number
• Lockout Policy:
  • Number of failed logon attempts allowed:  4
  • Reset failed logon attempts count after (mins):  1
  • Account will be locked out for a duration of (mins):  10

1. Compliance with this Information Security Program policy is mandatory. Everyone must understand their roles and responsibilities regarding information security and protecting UB’s data assets. The failure to comply with this or any other information security program policy that results in the compromise of university data confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement. UB will take every reasonable step necessary, including legal and administrative measures, to protect its data assets.
2. The Information Security and Privacy Advisory Committee (ISPAC) will review this document annually. If changes are needed the committee shall propose the changes to the CISO who will delegate, the proposed changes to the appropriate member of the ISO team.
3. UB managers and supervisors will ensure that all information security processes and procedures within their areas of responsibility are followed. In addition, all units within the University are subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the Information Security Program requirements is not met will be documented and reported to the CISO. For each area of non-compliance, a plan will be developed to address the identified deficiencies.

Category 1 Data: Restricted Data as classified by the University's Data Risk Classification Policy.

Category 2 Data: Private Data as classified by the University's Data Risk Classification Policy.

Endpoint device: Desktop computer, laptop computer, or other mobile device used to access University at Buffalo data or data. Use cases include interactive user sessions using standard applications or desktop tools including email, web browsing, desktop publishing, etc.

Server: Any physical or virtual computer, appliance, or device that is connected to a UB network and is configured to listen on at least one port for the intended purpose of providing a service to two or more users.

The responsibility for application of policy and controls set out in this information security program rests with individual departments within the university. Roles and Responsibilities for Guardians of Data are as follows:

Assistant Vice President CIO: manages the risk assessment program and coordinates the development and maintenance of program policies, procedures, standards, and reports.

Data Administration: The responsibility for the activities of data administration, including detailed data definition, is shared among the Data Stewards, Data Managers, and the VPCIO.

Data Manager: University officials and their staff with operational-level responsibility for data management activities related to the capture, maintenance, and dissemination of data. Data Stewards may delegate data administration activities to Data Managers.

Data Owner: The University at Buffalo is the data owner of all university data; individual units or departments have stewardship responsibilities for portions of the data.

Data Steward: Assigned by Data Trustees.

• Responsible for planning and policy-level responsibilities for data in their functional areas.
• Have supervisory responsibilities for defined elements of institutional data.
• May grant, renew, and revoke access to Data Managers and/or Data Users (as delegated by Data Trustees).
• Develop and maintain clear and consistent procedures for data access and use in keeping with university policies.
• Prevent unauthorized access to Category 1 Restricted Data and Category 2 Private Data.
• Ensure that training and awareness of the terms of this procedure are provided.
• Monitor compliance with this procedure.

Data Trustee: Senior leaders of the university (vice-presidents, vice-provosts, and deans) who have responsibility for areas that have systems of record.

• Responsible for ensuring that data stewards, data managers, and data users in their respective area(s) are compliant with data governance principles.
• Classify university data in accordance with the Data Risk Classification Policy.
• Control university data by granting access, renewing access, and revoking access to Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
• Assign Data Stewards who function as described above.
• Data Trustees may work directly with Data Stewards, Data Managers, and/or Data Users.

Data Users: Individual with data access as granted by a Data Trustee or Data Steward.

• Successfully complete Handling Data Safely, prior to receiving data access.
• Access, retrieve, update, process, analyze, store, distribute, or in other manners use university data for the legitimate and documented conduct of university business.
• Use data for the purposes in which access is granted.
• Data Users who misuse data and/or illegally access data are subject to sanctions or penalties in accordance with employee relations policies. Sanctions or penalties are based on the standards outlined in university policy, state or federal regulations, and the appropriate collective bargaining agreements.
• Comply with the Data Risk Classification Policy and secure Category 1-Restricted Data and Category 2 Private Data.

Information Security and Privacy Advisory Committee (ISPAC): Responsible for evaluating, developing, and recommending information security and privacy policies, procedures, and operations vital to protecting and sustaining the university's mission.

Information Security Officer (ISO): Responsible for development and delivery of enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the ISO.

Information Security Office (ISO): Performs periodic information security risk assessments to determine vulnerabilities and initiate appropriate remediation.

Senior Management: Designated as the president, provost, vice provosts, executive vice presidents, vice presidents, associate vice presidents, and deans who are eligible for access to enterprise-wide aggregate and summary university data.

• Senior management is authorized to delegate access of enterprise-wide aggregate and summary university data, as deemed appropriate.

Vice President and Chief Data Officer
Phone: 716-645-7979
Email: cio@buffalo.edu

Information Security Office - Privacy Contact
Phone: 716-645-6997
Email: privacy@buffalo.edu

Computing and Network Use Policy
Data Risk Classification Policy
Disaster Recovery Plan
Protection of University Data Policy
UB Emergency Management’s Comprehensive Emergency Management Plan (CEMP)

European Union’s General Data Protection Regulation
FERPA
FTC Red Flags Rule
Gramm-Leach-Bliley Act
HIPAA
Microsoft Password Complexity Requirements
Payment Card Industry Information Security Standards