Effective Date:
Supersedes: N/A
Issuing Authority: Executive Vice President; Vice President, Information Technology and Chief Information Officer
Responsible Officer: Vice President, Information Technology and Chief Information Officer
This document serves as a guide for IT personnel to help them understand the obligations set forth in the Security Measures.
The Policy on Computer and Data Security requires that computers and data be protected in a manner appropriate to their level of importance. The Basic, Intermediate, Advanced, and Data Security Measures provide guidance on what safeguards are considered reasonable and appropriate for computer and data resources of each level of criticality.
The Security Measures are designed to provide resiliency against the current and rapidly changing threat landscape, which includes complex and targeted attacks that are often focused on theft of data. They are also designed to provide a sound foundation from which to address external compliance regulations, both legal and contractual, the number and complexity of which continue to grow at a rapid pace. The Measures have been created with consideration of industry best practices, external compliance requirements, and existing NYU policy. This document serves as a guide for IT personnel, to help them understand the obligations laid out in the Security Measures. Questions regarding this document should be sent to the NYU IT Office of Information Security at firstname.lastname@example.org.
These Measures are applicable to a wide variety of IT resources which are connected to NYU-NET or are used for any NYU business purpose. A system may be any IT resource to which the safeguards outlined in Security Measures may be applied. Examples of systems include, but are not limited to:
All of the above systems may perform their own authentication and authorization, logging and auditing, and have their own configurations which must be managed, and each of them is considered a compliance object to be protected.
In order to minimize IT security risk, it is recommended that you integrate compliance auditing into your existing inventory management and auditing framework. Auditing requirements for external standards, such as HIPAA or PCI, are not affected by this document.
In some cases, a system may be incapable of implementing a control required by this policy. In such cases, the exception should be documented and approved by the appropriate chain of authority. For high criticality systems managed by NYU IT, this involves the Risk Review Process. Information about the Risk Review Process is available from the NYU IT Office of Information Security.
This section outlines how the various security policies and Measures fit together from the perspective of a system administrator attempting to determine the compliance requirements for a system that they manage.
The measures are additive, meaning that a low criticality system must implement only the Basic Security Measures, while a high criticality system must implement the Basic, Intermediate, and Advanced Security Measures in order to be compliant. Whenever requirements for different Measures conflict, the requirements in the stricter Measures take precedence.
Send questions or comments to: email@example.com.