University at Buffalo Information Security Program

Category: Data Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: March 26, 2024
Date Last Reviewed: November 25, 2025

Summary

The University at Buffalo Information Technology Office (UBIT)’s Information Security Program addresses the full range of information security issues that affect the university, and establishes a comprehensive response which focuses on goals, procedures, plans, and expected outcomes, as well as organizational roles and responsibilities. The security program is a holistic approach to the university’s cybersecurity posture, and as such is approached from a broad perspective. This program will be audited and evaluated annually, according to the strategic vision of the university.

Information Security Program Statement

The University at Buffalo (UB, university) is committed to ensuring the confidentiality, integrity, and availability of university data. This information security program is established as a framework to protect critical university assets, data, and IT infrastructure. The goals of this Information Security Program are to:

  1. User Awareness and Training: Increase awareness of the confidential nature of university data, and educate the campus community about security policies, procedures, and best practices.
  2. Vulnerability Management: Protect against anticipated threats or hazards to the security or integrity of university data.
  3. Provide Governance: Maintain compliance with relevant laws, regulations, and standards.
  4. Audit and Self-Review: Regularly review and update security measures to adapt to new threats and vulnerabilities.
  5. Minimize Risks and Liability: Adequate coverage for the institution must be paramount and evaluated on a regular basis.
  6. Document and Maintain: Update and maintain this information security program to reflect changes in technology, the sensitivity of covered data and information, and internal or external information security threats.

Organization of Information Security Functions

All data, regardless of the form or format, which is created, acquired, or used in support of UB activities, must be used only for its intended purpose. Data must be protected throughout its lifecycle, from creation through disposal. All data created or collected must be classified in accordance with legal or regulatory requirements, UB policies, and/or information security best practices, as outlined in the Data Risk Classification Policy.

Information Security

The information security function of UB is overseen by the Information Security Office (ISO), led by the Chief Information Security Officer (CISO). The CISO is the qualified individual responsible for the oversight and implementation of UB’s Information Security Program, and provides an annual written report on program status, effectiveness, and material risks to UB’s executive leadership. The ISO implements security controls to provide the necessary physical, logical, and procedural safeguards to accomplish those goals. The CISO is also the primary contact for SUNY relating to cybersecurity events. The ISO maintains an enterprise security plan addressing the following:

  • Auditing and Governance: Ensures data confidentiality, integrity, and availability through rigorous access control mechanisms and disaster recovery protocols.
  • Documentation, Liability & Risk: Outlines procedures for handling information security incidents to mitigate their frequency, damage, and cost.
  • User Awareness, Training & Notification: Ensures that the campus community is aware of information security procedures, roles, and responsibilities, and includes information regarding mandatory security awareness training for UB faculty, staff and students.

Security Incident Management and Response

Incidents affecting information security must be reported immediately to the Information Security Office; this can be done by submitting an IT Support Ticket. Formal incident reporting procedures, which define the actions to be taken when an incident occurs, can be found in the Protection of University Data Policy and the university's Information Security Incident Response Plan.

Applicability

Compliance with this Information Security Program is mandatory. This information security program encompasses all university data, including administrative, teaching and learning, clinical, and research data. Enforcement and further definitions are provided in the UB Enterprise Information Security Plan. All members of the university community must understand their roles and responsibilities regarding information security and protecting UB’s data assets. Failure to comply with this or any other information security policy may result in punitive action as permitted by law, rule, regulation, or collective bargaining agreement. UB takes every reasonable step necessary, including legal and administrative measures, to protect its data assets.

UB managers and supervisors must ensure that all information security processes and procedures within their areas of responsibility are followed. All distributed IT units within the University are subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the Information Security Program requirements is not met will be documented and reported to the CISO. For each area of non-compliance, a plan will be developed to address and remediate the identified deficiencies.

Any waiver of requirements set forth in this program must be established through formal procedures, documenting in detail the justification for the waiver based on risk and business value, and defining either an acceptable expiration period for the waiver or a process for renewal consideration.

Definitions

Category 1 Data: Restricted Data as classified by the University's Data Risk Classification Policy.

Category 2 Data: Private Data as classified by the University's Data Risk Classification Policy.

Information Criticality: Describes how valuable and important the information is in relation to the purpose and ongoing operations of SUNY. Criticality evaluates how data loss, corruption, or inaccessibility will affect SUNY's operations, standing, adherence to the law, and general functionality. Information is categorized using SUNY's criticality levels (Non-critical, Critical, and Mission-Critical).

Information Sensitivity: The level of protection required for information because it is private or confidential. Sensitive information can include financial records, staff details, research data, and student records. Information sensitivity is classified into levels (Public, Private, Restricted) based on the possible consequences of unapproved disclosure, modification, or destruction.

Institution: Refers to a state operated campus, statutory college, or community college and all affiliates for which the campus assumes operational responsibility, as it relates to information security.

Institutional Data: Any data owned, licensed by or under the direct control of the University at Buffalo, whether stored locally or within a cloud partner.

Qualified Individual: The qualified individual can be an employee of the institution, its affiliate, or a service provider. In many cases, the institution's qualified individual will be its chief information security officer, chief compliance officer, or someone in a similar role. More important than the qualified individual's specific institutional role is that the qualified individual has the appropriate experience and authority to oversee the institution's security program, make necessary changes to that program, and report candidly to the board of directors or other governing bodies about the institution's security compliance and risks.

Risk Management: A proactive program of identifying and assessing risk, evaluating alternative strategies for risk mitigation, and making decisions about what is acceptable risk versus compensating controls.

Risk Profile: Refers to the comprehensive vulnerability of the institution's information assets to potential attacks. The risk profile encompasses the identification and evaluation of diverse risks, taking into consideration variables such as the probability of security breaches and the possible repercussions on the functioning, standing, and regulatory responsibilities of the institution. It includes cyber threats, data breaches, loss of data integrity, and system delays, among other potential hazards. Constant reevaluation is necessary to account for developments in technology, threat environments, and institution operations that impact the risk profile.

Risk Tolerance: The institution's preparedness to tolerate the potential adverse repercussions of security threats in the absence of substantial measures to alleviate them. To ascertain risk tolerance, one must weigh the potential consequences of security incidents against the expense of implementing security measures. The institution's strategic objectives, financial resources, regulatory obligations, and cultural perspectives on risk all exert an impact on it. To safeguard its information assets, a university with a low risk tolerance will allocate a greater budget towards security measures. Conversely, a university with a higher risk tolerance might be willing to accept increased risk exposure in return for improved operational flexibility or reduced costs.

Sensitive Information: A common term for data classified as Restricted (High Impact) or Private (Moderate Impact). The Institution uses it to refer in aggregate to the formally declared set of standards-level categories of information (such as Social Security Number) that are addressed, i.e., protected, by the Program.

Responsibility

The implementation and application of policy and controls set out in this information security program are the responsibility of each individual department within the university. Roles and Responsibilities for Guardians of Data are as follows:

Chief Information Security Officer (CISO):

  • The CISO is responsible for the development and delivery of enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the CISO.
  • The CISO is the qualified individual responsible for the oversight and implementation of UB’s Information Security Program, and provides an annual written report on program status, effectiveness, and material risks to UB’s executive leadership.

Data Administration: The responsibility for the activities of data administration, including detailed data definition, is shared among the Data Stewards, Data Managers, and the VPCIO.

Data Governance Council: Members of senior leadership who oversee institutional data systems and guide the campus data governance efforts.

  • Recommends overall policy and guidelines for management and access to the institutional data of the university
  • Provides review, resolution, and recommendations for institutional data definitions as per guiding principles
  • Appoints the membership of the Data Stewardship Committee and names a Chair or co-Chairs who will also serve on the Data Governance Council
  • Reviews and reports on the performance of the overall data governance initiative on an annual basis and provides a full briefing to the provost.

Data Manager: University officials and their staff with operational-level responsibility for data management activities related to the capture, maintenance, and dissemination of data. Data Stewards may delegate data administration activities to Data Managers.

Data Owner: The University at Buffalo is the data owner of all university data; individual units or departments have stewardship responsibilities for portions of the data.

Data Steward: Assigned by Data Trustees.

  • Have planning and policy-level responsibilities for data in their functional areas.
  • Have supervisory responsibilities for defined elements of institutional data.
  • May grant, renew, and revoke access to Data Managers and/or Data Users (as delegated by Data Trustees).
  • Develop and maintain clear and consistent procedures for data access and use in keeping with university policies.
  • Prevent unauthorized access to Category 1 Restricted Data and Category 2 Private Data.
  • Ensure that training and awareness of the terms of this procedure are provided.
  • Monitor compliance with this procedure.

Data Trustee: Senior leaders of the university (vice-presidents, vice-provosts, and deans) who have responsibility for areas that have systems of record.

  • Responsible for ensuring that data stewards, data managers, and data users in their respective area(s) are compliant with data governance principles.
  • Classify university data in accordance with the Data Risk Classification Policy.
  • Control university data by granting access, renewing access, and revoking access to Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
  • Assign Data Stewards who function as described above.
  • Data Trustees may work directly with Data Stewards, Data Managers, and/or Data Users.

Data Users: Individuals with data access as granted by a Data Trustee or Data Steward.

  • Successfully complete Handling Data Safely prior to receiving access to Category 1 or Category 2 data.
  • Access, retrieve, update, process, analyze, store, distribute, or in other manners use university data for the legitimate and documented conduct of university business.
  • Use data solely for the purposes for which access is granted.
  • Data Users who misuse data and/or illegally access data are subject to sanctions or penalties in accordance with employee relations policies. Sanctions or penalties are based on the standards outlined in university policy, state or federal regulations, and the appropriate collective bargaining agreements.
  • Comply with the Data Risk Classification Policy to secure Category 1 and Category 2 data.

Information Security and Privacy Advisory Committee (ISPAC):

  • Responsible for evaluating and recommending information security and privacy policies, procedures, and operations vital to protecting and sustaining the university's mission.
  • ISPAC must review the Information Security Program at least annually.
  • The proposed changes recommended by ISPAC will be sent to the CISO, who will delegate the proposed changes to the appropriate member of the ISO team.

Information Security Office (ISO): performs periodic information security risk assessments to determine vulnerabilities and initiate appropriate remediation. Responsibilities of the ISO include, but are not limited to:

  • Ensure the development, implementation, enhancement, monitoring, and enforcement of UB’s information security policies.
  • Provide consultation services to computing and business operations and recommend methods to mitigate security risks.
  • Coordinate the development and implementation of a training and awareness program to educate UB students, employees, contractors, vendors, and volunteers regarding the university’s security requirements.
  • Investigate all potential breaches of security controls and implement additional compensating controls when necessary.
  • Supervise and coordinate with security administrators to ensure the security measures implemented meet the requirements of the security policy.
  • Manage security incidents and file mandatory reports to SUNY System Administration, New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), and other agencies as required by relevant laws, regulations, contractual requirements, and UB policies.
  • Ensure that appropriate follow-up is conducted for all security violations, consistent with UB’s Incident Response and Mitigation plan.
  • Maintain awareness of applicable laws and regulations which could affect the security controls and classification requirements of the university’s data.
  • Manage the information security program and coordinate the development and maintenance of program policies, procedures, standards, and reports.

Senior Management: Consisting of the university president, provost, vice provosts, senior vice presidents, vice presidents, associate vice presidents, and deans who are eligible for access to enterprise-wide aggregate and summary university data.

  • Senior management is authorized to delegate access to enterprise-wide aggregate and summary university data, as deemed appropriate.

Vice President and Chief Information Officer (VPCIO): Provides leadership for the development and delivery of information technology (IT) services to the university. The VPCIO oversees an enterprise IT services organization, Computing and Information Technology (CIT), and works in partnership with UB's schools, colleges, and administrative IT units to enable a unified and productive IT experience for students, faculty, and staff.

Contact Information

Vice President and Chief Information Officer
Phone: 716-645-7979
Email: cio@buffalo.edu

Information Security Office - Privacy Contact
Phone: 716-645-6997
Email: privacy@buffalo.edu
