Established in 2006, the Information Security Office (ISO) is responsible for the overall direction of information security functions related to the University at Buffalo, including IT risk management, security policies and security awareness.
ISO staff are located in the Computing Center.
UB’s Information Security Office is charged with reducing cybersecurity risks to acceptable levels by preventing, detecting and correcting for reasonably anticipated threats to (and attacks on) the confidentiality, integrity, and availability of the university’s systems, data and community members.
The Information Security Office protects systems and data, responds to incidents, mitigates harmful effects, and helps the university meet regulatory and compliance requirements, while promoting good information security practices and awareness.
The Information Security Office pursues these goals by deploying people, processes and tools to uphold the following principles:
The following principles apply to applications, systems and data and generally reflect a broad-to-narrow (or wide-to-specific) implementation. They all apply at all times and reinforce or rely upon each other, but some can be applied to specific systems or points of data (least privilege and minimum necessary) while others are more general (security as a culture).
These principles underpin a broad information security program, along with its implementations and activities, so that security threats and challenges can be effectively prevented, detected and responded to.
1. Security as a culture (mindfulness)
Security considerations play a continuous part in the way people interact with information applications, systems, and data. Security is everyone's job and responsibility, and a culture of security keeps it top-of-mind.
2. Demonstrated control (intentionality)
Organization, documentation, change management and authorization all demonstrate control of the information ecosystem. Applications, systems and data should demonstrate control in all lifecycle phases, including development, implementation, use, maintenance and disposal. Everything being done should be as intended.
3. Trust but verify (activity/behavior)
Information systems are meant to be used as intended, and by those authorized and able to access them, but use and functions can change over time, as well as the permissions and roles of customers.
'Trust but verify' requires monitoring to guard against unintended use and misuse, and periodic re-authorization to ensure that the trust extended is still merited. Separation of duties is a related, proactive principle for high-risk activities and environments. Regular auditing can likewise be used to verify trust.
4. Defense in depth (design)
Security controls should be implemented in layers, in case one or more fails or is defeated. Additional layers slow down attacks and require sophistication to defeat. Multiple layers also generate monitoring alerts or "early warnings" before a final failure or breach can occur.
Network and systems architecture should include multiple safeguards, including direct and/or compensating controls where direct controls are not feasible.
5. Default secure (configuration)
Applications and systems should be designed to prevent misuse in addition to permitting authorized use. Systems and architectures must default to a secure or unusable/unreachable state in order to enforce authorization requirements for use, and to protect against accidental access or unintended use during malfunction and/or power loss.
Applications, systems and data not intended for use by others should not be available to them. Applications and systems should "fail closed" or "fail secure" from a use perspective, unless the failure threatens physical harm or danger. Systems that can "fail open" or "fail unsecure" should not contain lasting or permanent data.
6. Least privilege (access)
Access to applications, systems, and data must be limited to the least privilege required to perform the authorized, necessary and intended tasks. Administrative access should be limited to only the times and accounts that require it. Accounts requiring read-only privileged access to data should not be able to alter, create or delete that data.
7. Minimum necessary (data)
Only the minimum necessary amount of data should be accessible to customers. Up-to-date role-based access limits the scope of access to the type necessary for the job, and removes those rights if the person's role changes.
Also, to minimize risk when using, transferring or sharing data, share only the data needed for that purpose, rather than all data or unnecessary data along with it (breaches often happen because an entire spreadsheet or data store is shared or used instead of the few records actually needed).
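As an added illustration of the "Default secure" and "Minimum necessary" principles above (example code, not from the University at Buffalo or its ISO), the helper below releases records for a stated purpose: it fails closed when the authorization check errors, and it returns only the records and fields that purpose needs. The roster, roles and purposes are constructed placeholders, not UB data or policy.

```python
# Constructed sample data store: a roster with more fields than any one purpose needs.
ROSTER = [
    {"id": 1001, "name": "A. Student", "email": "a@example.edu", "ssn": "***-**-1234", "dept": "CSE", "gpa": 3.7},
    {"id": 1002, "name": "B. Student", "email": "b@example.edu", "ssn": "***-**-5678", "dept": "MTH", "gpa": 3.1},
    {"id": 1003, "name": "C. Student", "email": "c@example.edu", "ssn": "***-**-9012", "dept": "CSE", "gpa": 2.9},
]

# Hypothetical purpose-to-fields policy (an assumption for this example, not UB policy).
PURPOSE_FIELDS = {
    "dept_newsletter": {"name", "email"},       # outreach needs names and emails only
    "advising": {"id", "name", "dept", "gpa"},  # advisors need academic fields, never the SSN
}

# Hypothetical role-to-purpose mapping (an assumption for this example).
ROLE_PURPOSES = {"comms": {"dept_newsletter"}, "advisor": {"advising"}}


def is_authorized(user_role, purpose):
    """Authorization check; raises on an unknown role to simulate a backend fault."""
    if user_role not in ROLE_PURPOSES:
        raise LookupError(f"unknown role {user_role!r}")
    return purpose in ROLE_PURPOSES[user_role]


def release_fail_open(user_role, purpose, dept=None):
    """Anti-pattern: a malfunction in the check lets the whole roster through."""
    try:
        ok = is_authorized(user_role, purpose)
    except Exception:
        ok = True  # "fail open": permits use when the check breaks
    return ROSTER if ok else []


def release(user_role, purpose, dept=None):
    """Fail closed, then share only the records and fields the purpose needs."""
    try:
        if not is_authorized(user_role, purpose):
            return []
    except Exception:
        return []  # any malfunction in the check denies access
    fields = PURPOSE_FIELDS.get(purpose)
    if fields is None:
        return []  # no documented purpose, no data
    rows = [r for r in ROSTER if dept is None or r["dept"] == dept]  # only the needed records
    return [{k: r[k] for k in fields} for r in rows]                 # only the needed fields
```

Calling `release("intern", "advising")` returns an empty list because the unknown role makes the check raise, whereas `release_fail_open` with the same arguments returns every row and field in the roster.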
The Information Security Office leverages standardization and common controls where possible to maximize efficiencies and effectiveness.