Workstation Use and Security Policy
Approved by Executive Council on June 7, 2011
To maximize the security of sensitive information at SUNY Plattsburgh, to protect users and the College from criminal and civil liability, to prevent unnecessary expense, and to protect and to preserve the work product of authorized users.
2.0 Revision History
3.0 Units and Persons Affected
SUNY Plattsburgh staff members with access to sensitive information.
- SUNY Plattsburgh will define the authorized purposes of each workstation or class of workstations to support the research, education, clinical, administrative and other functions of SUNY Plattsburgh.
- SUNY Plattsburgh takes reasonable steps to ensure that staff members understand the purposes and functions authorized on their workstations and do not use workstations for unauthorized purposes or to perform unauthorized functions.
- SUNY Plattsburgh takes reasonable steps to ensure staff members do not perform the following activities, as they are considered examples of unauthorized uses of workstations:
  - Violating any of SUNY Plattsburgh’s security policies and procedures.
  - Violating the privacy rights of any individual whose sensitive information is maintained by SUNY Plattsburgh.
  - Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property or similar laws or regulations (e.g., installation or distribution of ‘pirated’ or other inappropriately licensed software).
  - Unauthorized copying of copyrighted material (e.g., digitization and distribution of photographs from magazines, books or other copyrighted sources).
  - Intentional introduction of malicious software onto a workstation or network.
  - Procuring or transmitting material that is in violation of SUNY Plattsburgh’s security harassment or hostile workplace policies.
  - Making offers of products, items or services that are fraudulent.
  - Intentionally causing a security incident (e.g., accessing electronic data that he/she is not authorized to access or logging into an account that he/she is not authorized to access).
  - Performing network monitoring that will intercept data not intended for him/her.
  - Attempting to avoid the user authentication or security of SUNY Plattsburgh workstations or accounts.
- SUNY Plattsburgh takes reasonable steps to ensure that access to its workstations is authenticated via a process that includes:
  - Unique user identification (NetID) that enables the required identification of a user.
  - A secure method for the creation of required user passwords.
  - Immediate removal of workstation access privileges for staff members when employment or contracted services have ended in accordance with SUNY Plattsburgh’s Device and Media Control policy.
- Staff members will not disclose or release to other persons any item or process that is used to verify their authority to access or amend sensitive information, including but not limited to, any password, token or access card, or electronic signature. Staff members will be liable for all activity occurring under their account, password, and/or electronic signature. These activities may be monitored. If staff members suspect misuse of NetIDs or passwords, they are required to promptly report that misuse to the SUNY Plattsburgh Security Officer.
- Password-based access control systems on SUNY Plattsburgh’s workstations will mask or obscure passwords so that unauthorized persons are not able to view them. SUNY Plattsburgh takes reasonable steps to ensure that workstations accessing sensitive information are physically located in such a manner as to minimize the risk of access by unauthorized individuals.
- SUNY Plattsburgh places workstations accessing sensitive information in physically secure locations and display screens are positioned or protected to prevent unauthorized viewing of sensitive information.
- SUNY Plattsburgh staff members are instructed to exit confidential databases or computerized data programs and activate their workstation locking software when they leave their workstation unattended. SUNY Plattsburgh staff members are instructed to log off their workstations when their shift is complete. SUNY Plattsburgh’s public workstations have an automatic logoff mechanism installed to ensure the workstation is secured.
- SUNY Plattsburgh takes reasonable steps to ensure that workstations removed from SUNY Plattsburgh facilities are protected with security controls equivalent to on-site workstations.
- SUNY Plattsburgh implements additional precautions for portable devices. The following guidelines are followed for such devices:
  - Staff members must obtain supervisor approval prior to storing sensitive information on portable devices. The sensitive information must be protected by an approved method and the supervisor must validate that it has been implemented properly.
  - Staff members are instructed to lock software on unattended portable devices.
  - Staff members are instructed to take reasonable steps to ensure that portable devices are carried as carry-on baggage when using public transportation.
  - Staff members are instructed to take reasonable steps to ensure that portable devices are concealed and locked when using private transportation (e.g., in the trunk of a car).
  - Staff members are instructed to immediately report the loss or theft of any portable device to their supervisor.
- When feasible, SUNY Plattsburgh will encrypt portable devices.
- SUNY Plattsburgh takes reasonable steps to prevent unauthorized access to workstations that can access sensitive information while maintaining the access of authorized staff members.
- SUNY Plattsburgh requires staff members to immediately report to their supervisor the loss or theft of any device that allows them access to physical areas housing devices that provide access to sensitive data and systems.
Authentication - The corroboration that a person or entity is the one claimed.
NetID - A unique user identification used for SUNY Plattsburgh account access.
Password - Confidential authentication information composed of a string of characters.
Risk - The likelihood that a specific threat will exploit a certain vulnerability, and the resulting impact of that event.
Sensitive Information - Sensitive Information means information that, in the reasonable judgment of anyone charged by the organization to protect the organization's information, belongs to one of the classes of information that the organization has officially designated as requiring special handling.
Staff member - Employees, volunteers, trainees, students, consultants, contractors, subcontractors and other persons under the direct control of SUNY Plattsburgh whether or not they are paid by SUNY Plattsburgh.
User - SUNY Plattsburgh staff members who are users of data processing services, such as application software, networks and operating systems.
Workstation - A non-portable electronic computing device.
All SUNY Plattsburgh staff members with access to sensitive information will comply with this policy.
Device and Media Control Policy
For more information about Administrative Policies approved by Executive Council, please contact:
Sean Brian Dermody
Assistant to the Vice President for Administration
Management Services Office
Office: Kehoe 710-11
Phone: (518) 564-2539
Fax: (518) 564-2540