SUBOA – SUNY CIO UPDATE

Dave Powalyk, April 6-7, 2016

AGENDA

• Cyber Security: Information Security Policy
• Cyber Security: Individual Cyber Insurance
• Degree Works Implementation Status
• SUNY Security Operation Center (SOC) Utilization Update


Information Security Policy

Purpose
• Ensure the University's academic information and information assets are safeguarded
• Ensure the confidentiality of its non-public information, while ensuring integrity and availability
• Ensure the protection of University information from unauthorized access, loss or damage
• Clarify the responsibility of University campuses and System Administration regarding existing security policies and procedures


Accountability: who the policy applies to
• Authorized users (including students) at System Administration, state-operated campuses and community colleges
• Entities, affiliates and third-party service providers that rely upon the University's data
• Any users of System Administration, state-operated campus and community college services and data
• All University information and records that are transmitted or stored by a campus or System Administration


Requirements
• Adhere to all University-related policies and procedures regarding information assets and systems:
  o Policy No. 6609 – SUNY Policy, Record Retention and Disposition
  o Procedure No. 6608 – Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality
  o Procedure No. 6610 – Legal Proceeding Preparation (E-Discovery) Procedure
• Designate an Information Security Officer
• Ensure notification to the campus President and System Administration officials in the event of a suspected or actual breach or cybersecurity incident
• Complete the annual Self-Assessment Questionnaire
• Ensure adequate encryption of University information and information systems
• Provide regular training to all individuals who access University information assets and systems
• Require that any third parties who will store data on behalf of the University agree to adhere to information security policies and procedures and carry insurance to cover information breaches

Cyber Security: Individual Cyber Insurance


History of Cyber Insurance
• 1990s: Cyber insurance has been in existence
• 2014: A New York court ruled that Sony's general liability policy would not cover the $2B in costs the company incurred from the huge 2011 data breach involving the online network for its game console
• Today: A general liability policy won't cut it for cyber security and breach losses

Community College Insurance Structure
• Not covered under the State Court of Claims fund
• Receive some form of insurance through their county or through purchasing policies on their own

Breach

Cyber Attacks
• An attempt by hackers to damage or destroy a computer network or system
• Examples: socially engineered Trojans, unpatched software, phishing attacks, network-traveling worms and advanced persistent threats

Other Breaches
• Breaches caused by human error or theft, not perpetrated through computer hacking techniques
• Examples: a lost or stolen laptop, unauthorized access to a device, unauthorized viewing or sharing of information, or information that is accidentally made public via the web or an IT system

Coverage Qualifications

Underlying Insurance/Self-Insurance
• For campuses with fewer than 5,000 FTE: $5,000,000 underlying policy limit for cyber insurance
• For campuses with more than 4,999 FTE: $10,000,000 underlying policy limit for cyber insurance
• Retention may vary based upon the campus's financial ability to cover a loss. Recommended retention is not less than $100,000.
• Additional specific limits for regulatory, notification and business income coverage must also be determined and maintained beyond the recommended coverages stated above.

Coverage Consistency
• A copy of all underlying Terms & Conditions must be provided to SUNY System Administration initially and upon renewal. Each community college must comply with SUNY Information Security Policies to protect the information maintained in support of the SUNY academic mission.

Claims Reporting
• All breaches must be reported, whether or not they are required to be reported to the underlying Insurance Cyber Policy (ICP) providers.

Coverage Placement
• To minimize inconsistencies, all coverage will be placed in coordination with SUNY Counsel. It may be best to determine a panel of carriers with which all ICPs will be placed, without exception.

Coverage Qualifications (continued)

Risk Management
• Maintain an information security risk assessment methodology, as part of the Insured Campus Information Security Program and SUNY Policy, that appropriately and securely preserves the confidentiality, integrity and availability of information by applying a baseline risk management system such as ISO 27001:2013 (or subsequent versions), such that information security is embedded within the design and implementation of processes, information systems and controls.

SUNY Policy and Risk Assessment Model
• Incorporate an information security risk treatment (remediation) process for information security controls, human resources security, and physical and environmental security controls, taking account of risk assessment results. This remediation process may incorporate additional requirements of the ICP provider.

Insured Organizations
• Must ensure adoption of, and adherence to, the SUNY policies for information security, privacy and business continuity/disaster recovery by any third-party service providers the campus contracts.

Administrative Workforce Controls
• Employ appropriately qualified information technology and network security representatives and/or staff who implement and maintain campus information technology, physical and network security in compliance with the Insured Organization's policies for information security.

Coverage Qualifications (continued)

Data Protection Controls
• Portable, mobile and data storage devices must be encrypted when used to store Personally Identifiable Information (PII) and Protected Health Information (PHI), as must PII and PHI "data at rest" on servers, backup devices or other devices used for data storage. For the purposes of this requirement, portable, mobile and data storage devices include laptops, tablets, smart phones, portable media devices and any device removed from the Insured Organization's premises.

Monitoring and Assurance Controls
• Monitor the Insured Organization's information systems for information security events. Regularly carry out assessments of, and reporting on, the implementation of technical and operational controls, including automated scanning of Internet-facing systems. This requirement may be met as a participating member of the SUNY Security Operations Center (SUNY SOC) or individually by the Insured Organization.

Information Loss
• The ICP should encompass information loss in all forms (i.e. human, physical, environmental, technical breakdown or failure, and/or transmission issues). The ICP must provide coverage for, among other things, wrongful acts stemming from the use of electronic data or other technology; coverage for claims that implicate electronic data misuse includes intentional or willful acts as well as errors, omissions and negligence.

Documentation
• Documentation should be maintained to demonstrate the insured's risk assessment methodology, audits, results and controls or actions taken, as well as the assurance gained from the Campus Information Security Officer role specifically designated by the Insured Organization.

Elements that SUNY Campuses' Cyber Insurance Should Cover

Policy Aggregate Limit: FTE < 5000 = $5,000,000, or FTE > 4999 = $10,000,000 (modify cell B12).

| Coverage | Required | Limit of Liability | Retention (Deductible) |
| --- | --- | --- | --- |
| A. Information and Security Privacy Liability (subject to Policy Aggregate Limit) | Yes | $5,000,000 | $100,000 (minimum; adjusted up by campus) |
| B. Privacy Breach Response Services* (subject to separate Aggregate limit of $10,000,000) | Yes | $5,000,000 | $10,000 |
| B (sublimit): Computer Expert Services/Legal Services/PR & Crisis Management | | $3,000,000 | |
| B (sublimit): Notification Services/Call Center Services/Credit & ID Monitoring (individuals notified basis) | | $2,500,000 | |
| C. Regulatory Defense and Penalties (subject to Policy Aggregate Limit) | Yes | $5,000,000 | $100,000 |
| D. Website Media Content Liability (subject to Policy Aggregate Limit) | Yes | $5,000,000 | $100,000 |
| E. PCI Fines and Costs (subject to Policy Aggregate Limit) | Yes | $2,500,000 | $100,000 |
| F. Cyber Extortion Loss (subject to Policy Aggregate Limit) | Yes | $5,000,000 | $100,000 |
| G. Data Protection & Business Interruption (subject to Policy Aggregate Limit) | Yes | $5,000,000 | $100,000 |

* Coverage B (Privacy Breach Response Services) is OUTSIDE (in other words, in addition to) the Policy Aggregate Limit. All coverages provided under Coverage part B (Privacy Breach Response Coverages) are subject to a maximum limit of $10,000,000.

Campus Implementation Categories

Definitions:
1. Implemented. Degree Audit system running successfully on campus. Faculty, staff, and students have access.
2. Movers: Standard Support. The campus is actively moving forward. It is anticipated that standard levels of support will successfully support full implementation.
3. Movers: Enhanced Support. The campus is actively moving forward, but will need additional campus or system level supports to achieve full implementation.
4. Non-movers. The campuses are not actively moving toward implementation.

Degree Works Implementation Status by Campus
• Considering the full implementation goal, what percentage of students have access to degree audit services relative to campus implementation status?

[Pie chart: Percentage of Degree Works Student Access by Campus Implementation Status. Segments: Implemented (38 Campuses), Movers Standard Support (8 Campuses), Movers Enhanced Support (8 Campuses), Non-movers (3 Campuses). Student counts shown on the chart: 259,509 (64%), 99,191 (25%), 38,481 (9%), 6,529 (2%).]

Implementation Status Overview
• Implemented. Degree Audit system running successfully on campus. Faculty, staff, and students have access.
  o 38 Campuses: Adirondack, Alfred, Binghamton University, Brockport, Broome, Buffalo State College, Buffalo University, Canton, Cobleskill, Cortland, Delhi, Dutchess Community College, Farmingdale State, Fredonia, Fulton-Montgomery Community College, Genesee CC, Geneseo, Herkimer County, HVCC, Jamestown, Maritime, Mohawk Valley Community College, Monroe Community College, Morrisville, New Paltz, Niagara, Oneonta, Orange County Community College, Oswego, Plattsburgh, Polytechnic Institute, Potsdam, Purchase, Schenectady County Community College, Stony Brook, Tompkins Cortland Community College, Ulster County Community College, Westchester Community College

Implementation Status Update
• Movers: Standard Support. The campus is actively moving forward. It is anticipated that standard levels of support will successfully support full implementation.
  o 8 Campuses:

| Campus | Anticipated Implementation Date |
| --- | --- |
| Albany | Spring 2017 |
| Empire State College | Fall 2016 |
| Erie Community College | Fall 2016 |
| Fashion Institute of Technology | Fall 2016 |
| Jefferson Community College | Summer 2016 |
| Nassau Community College | Fall 2016 |
| Suffolk County Community College | Fall 2016 |
| Upstate | Fall 2016 |

Implementation Status Update
• Movers: Enhanced Support. The campus is actively moving forward, but will need additional campus or system level supports to achieve full implementation.
  o 8 Campuses:

| Campus | Issues | Actions Needed |
| --- | --- | --- |
| Columbia Greene | Campus resources | Message to campus leadership |
| Corning | Campus resources | Message to campus leadership |
| Finger Lakes | Campus resources | Message to campus leadership |
| Onondaga Community College | Campus resources | Message to campus leadership |
| Rockland Community College | Campus resources | Message to campus leadership |
| Sullivan | Campus resources | Message to campus leadership |
| ESF | Campus technology. Currently unable to federate students through SU SIS. | ? |
| North Country | Has not committed yet to full implementation (has committed to transfer finder). | Calls with SICAs and Sys Admin. Will reevaluate after these meetings (April/May 2016). |

Implementation Status Update
• Non-movers. The campuses are not actively moving toward implementation.
  o 3 Campuses:

| Campus | Issues | Actions Needed |
| --- | --- | --- |
| Clinton Community College | Campus resources. Frequent staff turnover. | Message to campus leadership. Training. Shared services? |
| Downstate | Non-responsive | Message to campus leadership. |
| Old Westbury | Non-responsive | Message to campus leadership. |

SUNY SOC Utilization Update

SUNY SOC STATUS

Cost for equivalent services outside SUNY SOC (the same for every member campus): Nexpose $25,000; Training $5,000; Deployment $2,000; Remediation $7,500; PenTests $24,000. Potential SOC value per campus: $63,500. Penetration testing: 2 PenTests budgeted per campus, 0 actual PenTests to date.

Vulnerability Management Service and SOC Value, by member campus (Efficiency Rating criteria are each scored 0-3; Score is their total):

| Member Campus | Scan Engines | Usage | Efficiency* | Asset Count | Scan Frequency | Improvement Trend | Score | Value to Date | Realized-to-Potential | Value to Cost |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Fashion Institute of Technology | 1 | 100% | 78% | 3 | 3 | 1 | 7 | $38,389 | 60% | 346% |
| Brockport | 1 | 100% | 78% | 3 | 2 | 2 | 7 | $38,389 | 60% | 346% |
| Dutchess Community College | 1 | 100% | 78% | 3 | 2 | 2 | 7 | $38,389 | 60% | 346% |
| New Paltz | 1 | 100% | 67% | 3 | 2 | 1 | 6 | $37,833 | 60% | 341% |
| Geneseo | 1 | 100% | 67% | 3 | 0 | 3 | 6 | $37,833 | 60% | 341% |
| Old Westbury | 1 | 100% | 67% | 3 | 3 | 0 | 6 | $37,833 | 60% | 341% |
| Oneonta | 1 | 100% | 56% | 2 | 3 | 0 | 5 | $37,278 | 59% | 336% |
| SUNY Polytechnic Institute | 1 | 100% | 56% | 1 | 2 | 2 | 5 | $37,278 | 59% | 336% |
| Corning Community College | 1 | 100% | 56% | 3 | 0 | 2 | 5 | $37,278 | 59% | 336% |
| Nassau Community College | 1 | 100% | 56% | 3 | 2 | 0 | 5 | $37,278 | 59% | 336% |
| Maritime College | 1 | 100% | 56% | 2 | 3 | 0 | 5 | $37,278 | 59% | 336% |
| Mohawk Valley Community College | 1 | 100% | 56% | 3 | 2 | 0 | 5 | $37,278 | 59% | 336% |
| Upstate Medical University | 1 | 100% | 44% | 2 | 2 | 0 | 4 | $36,722 | 58% | 331% |
| Oswego | 1 | 100% | 44% | 2 | 0 | 2 | 4 | $36,722 | 58% | 331% |
| Plattsburgh | 1 | 100% | 44% | 2 | 2 | 0 | 4 | $36,722 | 58% | 331% |
| Orange County Community College | 1 | 100% | 44% | 2 | 2 | 0 | 4 | $36,722 | 58% | 331% |
| Binghamton University | 1 | 100% | 44% | 2 | 2 | 0 | 4 | $36,722 | 58% | 331% |
| Farmingdale State College | 1 | 100% | 44% | 2 | 2 | 0 | 4 | $36,722 | 58% | 331% |
| Onondaga Community College | 1 | 100% | 33% | 2 | 1 | 0 | 3 | $36,167 | 57% | 326% |
| Buffalo State | 1 | 100% | 33% | 1 | 0 | 2 | 3 | $36,167 | 57% | 326% |
| Cortland | 1 | 100% | 11% | 0 | 1 | 0 | 1 | $35,056 | 55% | 316% |
| ESF | 1 | 100% | 11% | 1 | 0 | 0 | 1 | $35,056 | 55% | 316% |
| Adirondack Community College | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Broome Community College | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Fredonia | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Herkimer College | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Alfred State College | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Niagara County Community College | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Purchase College | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Potsdam | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Stony Brook | 1 | 100% | 0% | 0 | 0 | 0 | 0 | $34,500 | 54% | 311% |
| Canton | No Site | 0% | 0% | 0 | 0 | 0 | 0 | $0 | 0% | 0% |
| Morrisville | No Site | 0% | 0% | 0 | 0 | 0 | 0 | $0 | 0% | 0% |
| Optometry | No Site | 0% | 0% | 0 | 0 | 0 | 0 | $0 | 0% | 0% |
| Suffolk Community College | No Site | 0% | 0% | 0 | 0 | 0 | 0 | $0 | 0% | 0% |

* The Efficiency percentage is based on the average of scores (0-3) on 3 criteria:
  - Number of assets scanned: the campus is scanning a number of assets (proportional to its size) that matches its secure computing environment
  - Frequency of scans: the campus is scanning assets at consistent intervals
  - Remediated asset improvement trend: the number of vulnerabilities detected at each scan is trending down, showing that remediation efforts are occurring
