Information Security Policies and Regulations
The purpose of this policy is to ensure the protection of The Graduate Center information resources from accidental or intentional access or damage.
This policy is applicable to all students, faculty, and staff and to all others granted use of Graduate Center information resources. Every user of The Graduate Center information resources has a general responsibility to protect those assets, while some offices and individuals have specific responsibilities.
- CUNY Graduate Center Email Policy
- IT Incident Management Plan
- IT CUNYfirst Security Attestation Procedure
- IT Provisioning for Business Continuity & Disaster Recovery
Additionally, review cyber security best practices:
Cyber security is the shared responsibility of every agency employee and business unit. YOU play a key role in properly safeguarding and using private, sensitive information and state resources. The following Dos and Don’ts help remind us all of actions we must take to remain vigilant.
- DO use hard-to-guess passwords or passphrases. A password should have a minimum of 10 characters using uppercase letters, lowercase letters, numbers and special characters. To make it easy for you to remember but hard for an attacker to guess, create an acronym. For example, pick a phrase that is meaningful to you, such as “My son's birthday is 12 December, 2004.” Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
- DO use different passwords for different accounts. If one password gets hacked, your other accounts are not compromised.
- DO keep your passwords or passphrases confidential. DON’T share them with others or write them down. You are responsible for all activities associated with your credentials.
- DON’T leave sensitive information lying around the office. DON’T leave printouts or portable media containing private information on your desk. Lock them in a drawer to reduce the risk of unauthorized disclosure.
- DON’T post any private or sensitive information, such as credit card numbers, passwords or other private information, on public sites, including social media sites, and DON’T send it through email unless authorized to do so. DO use privacy settings on social media sites to restrict access to your personal information.
- DO pay attention to phishing traps in email and watch for telltale signs of a scam. DON’T open mail or attachments from an untrusted source. If you receive a suspicious email, the best thing to do is to delete the message, and report it to your manager and Information Security Officer (ISO)/designated security representative.
- DON’T click on links from an unknown or untrusted source. Cyber attackers often use them to trick you into visiting malicious sites and downloading malware that can be used to steal data and damage networks.
- DON’T be tricked into giving away confidential information. It’s easy for an unauthorized person to call and pretend to be an employee or business partner. DON’T respond to phone calls or emails requesting confidential data.
- DO destroy information properly when it is no longer needed. Place paper in designated confidential destruction bins throughout the office or use a crosscut shredder. For all electronic storage media, consult with IT.
- DO be aware of your surroundings when printing, copying, faxing or discussing sensitive information. Pick up information from printers, copiers or faxes in a timely manner.
- DON’T install unauthorized programs on your work computer. Malicious applications often pose as legitimate software. Contact your IT support staff to verify if an application may be installed.
- DON’T plug in portable devices without permission from your agency management. These devices may be compromised with code just waiting to launch as soon as you plug them into a computer.
- DO lock your computer and mobile phone when not in use. This protects data from unauthorized access and use.
- DON’T leave devices unattended. Keep all mobile devices, such as laptops and cell phones physically secured. If a device is lost or stolen, report it immediately to your manager and ISO/designated security representative.
- DO remember that wireless is inherently insecure. Avoid using public Wi-Fi hotspots. When you must, use agency provided virtual private network software to protect the data and the device.
- DON’T leave wireless or Bluetooth turned on when not in use. Only do so when planning to use and only in a safe environment.
- DO familiarize yourself with your responsibilities under the NYS Acceptable Use of IT Resources Policy (http://www.its.ny.gov/document/acceptable-use-information-technology-it-resources-policy). Review and follow NYS Information Security Policies and related standards (http://its.ny.gov/eiso/policies/security).
- DO report all suspicious activity and cyber incidents to your manager and ISO/designated security representative. Challenge strangers whom you may encounter in the office. Keep all areas containing sensitive information physically secured, and allow access by authorized individuals only. Part of your job is making sure NYS data is properly safeguarded, and is not damaged, lost or stolen.
The New York State Office of Information Technology Services Enterprise Information Security Office is dedicated to protecting privacy; safeguarding the State’s information assets and infrastructure; identifying and mitigating vulnerabilities; detecting, responding and recovering from cyber incidents; and promoting cyber awareness and education. We stand ready to assist and support you in your cyber security risk management efforts.
Remember - cyber security is everyone’s responsibility!
Phishing is a cunning attempt by hackers to solicit, steal and mishandle users’ personal information (e.g. username and password, credit/debit card information, home address, social security number, date of birth, etc.) for criminal activities. Typically, phishing is achieved through emails disguised as legitimate messages from people you’re familiar with, reputable banks/financial institutions and well-established companies with official-looking logos. Links are included in these bogus types of emails that direct users to a webpage to enter personal data. After users willingly supply the requested data, hackers gain access to their accounts and then engage in malicious and criminal activities.
IT Staff and legitimate organizations will never ask users to supply a password or any other personal information via an email message. Whenever you’re in doubt about the legitimacy of an email message, contact IT Services for assistance at ITServices@gc.cuny.edu.
Read the CUNY Phishing Advisory as well as related resources posted on the CUNY CIS website at security.cuny.edu. In addition, we suggest you complete the 30-minute information security awareness program also located at security.cuny.edu on the home page. Click on the padlock.
Adhere to the following security practices when using the Internet:
- Never reply to any email that asks you for your personal information regardless of how official it appears. CUNY will not and should not be asking for personal information via email. If you disclosed your user ID and password then you must change your password immediately on any and all systems where the password issued.
- Avoid clicking on any web links from within an email. These embedded links may direct your Internet browser session to illegitimate web sites asking for personal information and could also download malicious code, such as viruses or spy ware, onto your machine. Instead, start a new Internet browser session and enter the legitimate web site address into the address bar of the browser.
- The content of many phishing e-mails can be very threatening (e.g., account closure, account verification, account updates, account is limited) and can be convincing to entice the user to follow through with the provided instructions. By far, most institutions will use non-Internet methods, such as the U.S. Postal Service, to send these types of notices and then will only send them to your official address of record. If in doubt about the legitimacy of these threatening e-mails, call the institution using the phone number on your last statement or on the back of your credit card.
- Similarly, financial institutions generally require some form of an initial setup to be completed prior to allowing electronic banking services. An online relationship is usually not established automatically or only through an exchange of e-mails. Become familiar with your financial institution's online registration process and how the electronic relationship may change from time to time. If in doubt, call the institution using the phone number on your last statement or on the back of your credit card.
- Update your computer's operating and Internet browser software on a regular basis. These updates routinely include security enhancements.
- Maintain anti-virus programs to the current level of protection.
- Select and maintain passwords that are difficult to guess and change them regularly.