Security Program

Purpose


The University at Buffalo covers a diverse range of activities and services, with individual departments having varying technical and operational requirements in terms of information security controls. This Standard enunciates the institutional requirements for departments when establishing, implementing and maintaining information security within their organization.

This Standard provides a starting point for the development of individual department information security management. The Information Security Office (ISO), in cooperation with individual departments, will assess specific risks and help each department take reasonable steps to protect information from misuse and loss and from unauthorized access, modification or disclosure.

The requirements of this Standard are based on the three elements of information security (44 U.S.C., § 3542):

  • Confidentiality - Ensuring that information is accessible only to those authorized to have access;
  • Integrity - Safeguarding the accuracy and completeness of information and processing methods; and
  • Availability - Ensuring that authorized users have access to information and associated assets when required.

Policy statement


The University has responsibility for a significant amount of information. The University's Information Security Office must develop, document, implement and review appropriate security controls to protect this information from unauthorized use or accidental modification, loss and release by:

  • establishing an appropriate information security culture;
  • implementing security measures commensurate with the information’s value, business significance and sensitivity; and
  • adhering to all legal and legislative requirements.

Issue & review


This Standard (v2007.01) was issued by the ISO in 2008. The Information Security Office will review this Standard on an annual basis.

Implementation


The authority to implement the principles of the Information Standards is derived from the Security Office charter.

Implementation advice and toolboxes


Implementation advice and toolboxes are provided to assist departments in implementing the principles of each Information Standard.