Cyber Security on Campus

Dear Faculty and Staff,

CUNY-Wide Enforcement of Information Security Policies and Procedures

Background

Recent incidents at a couple of our sister campuses resulted in ransomware attacks and the possibility that CUNY would have to pay the ransom in order to have access to our information fully restored. Here at City College, we are in the process of mitigating our risks so that we can better protect our environment and the digital assets that we are responsible for.

Information Security practices at the campus level have been more relaxed than policy requires and than industry safe practices would dictate. Our recently performed vulnerability assessments of the CCNY environment found numerous vulnerabilities, which we are now in the process of addressing. We have started a task force to remediate these problems and will be reaching out to all areas of the campus to work with us toward compliance. This includes areas that are managed under the Office of Information Technology (OIT) and those areas that are supported locally or by researchers. All systems connected to the CUNY/CCNY network must adhere to policy or receive a special exemption based on approved alternative controls.

Policy Statements

The following policy documents in their entirety are located on the CUNY website at https://www.cuny.edu/about/administration/offices/cis/information-security/security-policies-procedures/ for your reference.  The primary policy statements of concern are from the Anti-Virus Software Standards and the IT Security Procedures – General.

Anti-Virus

A CUNY Standard for virus protection must meet minimum requirements for technical specifications and features. It should:

  • be recognized throughout the IT industry as a leader in virus protection
  • be schedulable for automatic virus definition updates and scanning
  • provide auto protect features for viruses including e-mail viruses
  • provide timely updated virus definitions in line with the best available in the IT industry
  • seamlessly integrate with a server-based virus protection product (managed centrally).

Vulnerability Assessments

Each University entity must establish a routine program to test, monitor, and remediate technical and data vulnerabilities on its network.  The program should include a combination of continuous monitoring and on-demand testing tools.  Monitoring and testing should report on operating system configuration, software patch-level vulnerabilities, and unprotected data.  The Central Office may initiate vulnerability testing at its discretion.  Regular reporting of test results must be made available to the University Information Security Officer.

Device Management

All devices that are allowed to connect to University networks and systems that support administrative, business, and academic activities and operations must be maintained at current anti-virus/malicious code protection at all times.  In addition, security updates to operating systems must be applied on a timely basis after appropriate testing.  Although the University does not manage student computers, procedures should be implemented to minimize the risk to University files and systems.

The City College Response

We will comply with the Information Security Policies and Procedures in order to best protect our resources. We are currently running vulnerability scans and working to remediate problems based on the level of risk the vulnerabilities impose. Current practices, some of which have been in place for many years and do not comply with policy, will no longer be acceptable and solutions will be implemented to meet compliance. The OIT will work on systems under their control and will work with others who are responsible for systems maintained outside of OIT. For details on the plan, please visit this link https://portal.ccny.cuny.edu/depts/oit/systemPlan/, or contact our IT Security Office at itsecurity@ccny.cuny.edu if you have any questions.

We look for full cooperation, and if we do not meet the compliance objectives, we will be required to remove devices from the network that pose a risk to the University, City College, and the people whose data we are entrusted to protect. Thank you for your cooperation in the matter.

Ken Ihrer
Vice President of Operations
Chief Information Officer
The City College of New York
160 Convent Avenue
New York, NY 10031
