Information Security Office (ISO)

What we do for the UB community

The Information Security Office (ISO) reduces cybersecurity risks by preventing, detecting and correcting threats to UB’s systems, data, assets, and community members. The ISO manages IT risk and security policies, promotes a culture of security awareness, and applies various guiding principles. The principles it enacts and enforces include security as a culture, defense in depth, trust but verify, least privilege, and others.

Who we support

  • Students, faculty, staff, volunteers, and other constituents who rely on UB systems, data and assets.
  • Units that design, deploy and operate applications, systems, and data stores across UB.

What we provide

  • Information security governance and risk management in alignment with institutional and regulatory requirements.
  • Security policies, standards and awareness efforts for the campus community.
  • Prevention, detection and response activities for cybersecurity incidents.
  • Guidance on applying security principles such as default secure configurations, least privilege and minimum necessary access.
  • Use of standard frameworks including SUNY 6900 Information Security Policy, HIPAA Security Safeguards, CIS Critical Controls, NIST Guidance, and PCI DSS where appropriate. Specific control family information can be found below.

When you might work with us

  • You are planning or operating a system that handles sensitive or regulated information.
  • You need advice on security controls, policy requirements, specific compliance requirements, or risk mitigations for an IT service or function.
  • You suspect a security incident or event is affecting systems or data.
  • You’re planning a new project or initiative and are looking for Information Security guidance and input to ensure success.
  • You and/or your department are looking to participate in or learn more about Security Awareness Training. The ISO aims to promote a culture of active security at the university, as keeping UB safe is everyone’s responsibility.

Information Security frameworks and controls currently in use

The Information Security Office leverages standardization and common controls where possible to maximize efficiencies and effectiveness.

  • SUNY information security policy (11 requirements)
  • HIPAA security (administrative, physical, technical and general safeguards)
  • CIS critical controls (20)
  • NIST (CMMC, 800-171: 14 control families)
  • PCI DSS (Payment Card Industry Data Security Standards)

Reach out

Unit leader: Kristin Benoodt, Deputy Chief Information Security Officer

716-645-2699
kbenoodt@buffalo.edu

Kristin Benoodt serves as Deputy Chief Information Security Officer at the University at Buffalo, where she supports the university’s Information Security Office and affiliated programs through strategic planning, governance, and campus-wide security initiatives. She brings more than 20 years of experience in information technology and cybersecurity, with a focus on program development, operational leadership, and security awareness.

Kristin joined UB in 2025 as Assistant Director, Cybersecurity Program Manager, where she helped formalize the Information Security Program and advance initiatives to strengthen the university’s cybersecurity posture. Prior to joining UB, she served as Manager of IT Network Services/Deputy CIO at D’Youville University, leading infrastructure and security operations, and has held roles with the State of Vermont Agency of Digital Services, the Seneca Nation of Indians, and private-sector organizations.

Organizational structure

ISO organizational chart
