This article was written by James Farr, Consulting Manager.
The State University of New York (SUNY) has introduced an updated Information Security Policy (ISP) aimed at creating a cohesive cybersecurity framework across all its campuses. With the rise in cyber threats and increasing regulatory demands, this policy provides a structured approach to protect SUNY’s critical data and digital infrastructure while emphasizing leadership responsibility in cybersecurity.
Purpose of the Updated Information Security Policy
The revised policy addresses the growing sophistication of cyber threats and the need for a unified strategy across the system. It sets minimum security requirements for all campuses while allowing flexibility to address institution-specific needs. The policy encourages campuses to integrate cybersecurity into their operational and strategic priorities, making it a core leadership concern.
Key Requirements of the Information Security Program
At the heart of the policy is the requirement for each institution to develop and implement a comprehensive ISP. This program must include:
- Defined Goals and Documentation: Articulate the objectives of the program and document major changes as they occur.
- Compliance with Requirements: Address all internal and external legal, regulatory, and policy obligations.
- Risk Identification: Perform iterative risk assessments to identify threats and vulnerabilities.
- Security Controls: Deploy and document measures to mitigate identified risks.
- Annual Review: The incident response plan must be reviewed and tested annually to ensure its effectiveness.
- Evaluation and Testing: Regularly assess the effectiveness of implemented controls.
Topics Covered by the Policy
The updated policy encompasses a wide range of critical cybersecurity areas to ensure robust coverage, including:
- Applicability across SUNY institutions.
- Governance through an Information Security Management Program.
- Processes for Risk Management and Incident Notification.
- Controls for Access Management, Data Backups, and Encryption.
- Standards for Firewalls, Network Infrastructure, and Endpoint Security.
- Vulnerability Management and Incident Response procedures.
Implementation Timeline & Leadership Responsibility
Campuses have a 12-month window to comply with the policy, with a final deadline of September 2025. Each campus president is designated as the responsible office for implementation, underscoring the role of leadership in ensuring cybersecurity readiness.
While the policy establishes rigorous baseline requirements, it also allows exceptions under certain circumstances. These must be documented and justified using a risk-based approach, ensuring that alternative controls are in place to address associated risks.
Opportunities for Support
Implementing the new policy may present challenges, including resource allocation, technology upgrades, and staff training. A trusted advisor can provide invaluable assistance as campuses work to implement the new policy. Areas for support may include:
- Conducting Risk Assessments: Helping to identify vulnerabilities and assess potential threats to ensure robust compliance.
- Developing Tailored Security Programs: Creating customized security strategies that align with the specific needs and goals of the campus.
- Offering Training on Incident Response and Security Protocols: Providing expert-led training to enhance preparedness and response capabilities for security incidents.
Looking Ahead
SUNY’s updated Information Security Policy reflects a proactive approach to safeguarding its digital assets in an increasingly complex threat landscape. By requiring campuses to establish robust ISPs, the policy aims to protect sensitive information and promote resilience across the system.
This policy not only ensures compliance with legal and regulatory standards but also sets the stage for SUNY to lead by example in higher education cybersecurity.
If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.