Identity Theft & Cyber Security

What is identity theft?

Identity theft is a crime in which an imposter obtains such key pieces of information as a Social Security number, driver's license number, or credit card number to obtain merchandise and services, credit, and loans in the name of the victim. For more information, including a link to an informative 30 minute Information Security Awareness Presentation, please visit:

• Information Technology Security Awareness Training for Faculty and Staff Employees
• CUNY Information Security Website
• Recommended Security Practices
• CUNY Security Training Course 
• OUCH Free Security Awareness Newsletter

Introduction

A security policy is necessary to maintain a protected network and prevent malicious attacks against software and hardware connected to CSI’s network. CSI is a part of CUNY's network.  Network connections to compromised systems are disabled when they are identified and not reconnected until they are secured. This security policy is framed to assist in maintaining a secure network and addresses many issues dealing with computer use including but not limited to the following issues:

• Who can connect a computer workstation to CSI's LAN and what are the computer user's responsibilities?
• Who can connect a server to CSI's LAN and what are the server administrator and other user's responsibilities?
• Who can access campus based servers from off campus and how this connection is established?
• What are Internet users responsibilities, i.e.: What can the Internet and e-mail be used for?

Internet / Intranet Security Policy

The resources, services and interconnectivity available via the Internet, and Intranet, all introduce opportunities and risks. In response to the risks, this policy describes College of Staten Island official policy regarding Internet and Intranet security. 

Although this policy document addresses many of the security issues that are likely to be encountered, it is not possible to catalogue every conceivable security risk. The threats to information assets are continually changing. For additional information or clarification on information security issues, you are encouraged to contact the Office of Information Technology. 

Preventing security breaches is where this policy comes to the forefront. The most important function of the policy is to make all aware of Internet security issues and College Internet policies and to secure our equipment to prevent security breaches. Students, staff and faculty must be instructed to report any security weaknesses that they become aware of, either internally or from external sources. 

Scope

This policy applies to all students, staff, faculty, contractors, temporaries who use the Internet or Intranet with College of Staten Island computing or networking resources, as well as those who represent themselves as being connected -- in one way or another -- with College of Staten Island. All Internet and Intranet users are expected to be familiar with and comply with these security policies as well as the CUNY Computer User's Responsibilities. Questions should be directed to the Office of Information Technology. Violations of these policies will be subject to penalties as outlined in the CUNY Computer Users Responsibilities which can lead to revocation of system privileges, disciplinary action including dismissal, termination and criminal prosecution. This policy defines acceptable use, user responsibilities and procedures for using existing network devices and installing new devices requiring network access. The vigorous enforcement of this policy is essential to ensure reliable, secure network access to CSI's shared resources. Since a network is a shared resource that permits distributed interaction amongst disparate users, the activities of one user affects others.

General

Section 1: Network Access
Section 2: College User Resources and Responsibilities
Section 3: Network Server Access Policy
Section 4: External Access to Campus Services
Section 5: Campus Access to External Services

Section 1: Network Access
Any device that requires network access must be connected to CSI's LAN directly with a category 5 cable that runs from the device to the closet where a switch is housed. It is a violation to use hubs or any other device that shares network access amongst devices unless installed by the Office of Information Technology. This may require the installation of cabling and telecommunications equipment to terminate as per category 5 specifications. All such installation of cables and network equipment is to be directed by the Office of Information Technology and funded by the department housing the device. The Office of Information Technology reserves the right to disable any unauthorized hubs or other devices on its LAN at the network switch or port as appropriate to ensure the orderly administration and security of the LAN.

The following are procedural requirements for acquisition of new runs for network connectivity:

• The Office of Information Technology must approve requests for new or additional network connections. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Information Technology Services.
• Any purchase of equipment that requires network connection must have approval from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Information Technology Services.
• A network port (jack) must exist in the room for any device requiring network access. If no port exists in the room, the device cannot be purchased without authorization from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Information Technology Services.
• Hubs and/or switches will not be permitted to connect more than one device per jack. If a hub or switch is used, the Office of Information Technology reserves the right to immediately disconnect the device from the network. Each device must have its own port to connect to the network. This requirement is essential for effective network administration to ensure a secure network environment for authorized users.
• If a department's space is changed whether by expanding, renovating or relocating, the Office of Information Technology and the Director of Telecommunications must be consulted in the early stages of the design phase of the project. A survey of the space must be conducted for telephone and data connections required ensuring continued access to campus telephones and network resources. The Office of Information Technology will coordinate any network-related work. The department doing the project is responsible for covering all the cost associated with the network configuration including but not limited to network switches, network media connectors and other devices, jacks, and cable runs. 

Back To The Top

Section 2: College User Resources and Responsibilities Account Information 

• User account information must not be written down and left in a place where unauthorized persons might discover it. 
• User account information must not be shared, distributed or exchanged to anyone other than the person to whom the information was assigned. This includes College of Staten Island usernames or userids, passwords, assigned IP addresses, or any other information that may jeopardize the security of the College of Staten Island network.
• The Office of Information Technology will assign all IP addresses. Staff and faculty are prohibited from modifying their assigned IP address, without explicit written authorization from The Office of Information Technology.
• Staff working for vendors and system developers are responsible for providing systems, which prevent the distribution of College of Staten Island user account information to the Internet community.
• Staff must not modify user accounts without authorization from Office of Information Technology. This includes, but is not limited to: adding new accounts, modifying existing accounts, and disabling or deleting accounts. This policy does not apply to staff who are assigned the responsibility by The Office of Information Technology to make such changes.
• Faculty and staff will not use hubs to connect multiple devices to the network. All ports will be secured and only one device will be permitted per port.

Modification of Software
Staff must not alter, modify or delete data files, executable code, source code, or system files that can be accessed on or through the Internet or Intranet unless the staff member is the explicit owner of the file.

Special Software Tools
Unless specifically authorized by the Office of Information Technology Services, College of Staten Island staff members must not possess or use software or hardware tools that can be used to break security mechanisms. Examples of such tools are those that facilitate illegal copying of copy-protected software, unintended discovery of secret passwords, unauthorized packet capturing/sniffing, or unauthorized decryption of encrypted data.

Software Transfers and Licenses
Software owned by College of Staten Island must not be up-loaded to any other non-College of Staten Island site, through the Internet/Intranet unless such up-loading is consistent with relevant license agreements and either: (a) Office of Information Technology Services has previously approved of such up-loading, or (b) up-loaded copies are being made for contingency planning purposes.

Downloaded software must be scanned for virus or malicious code prior to execution or access.

Faculty and staff are expected to understand, and abide by all software license agreements. Software must not be copied, distributed, or shared, unless specifically allowed for in the software license agreement.

Back To The Top

Section 3: Network Server Access Policy
Only computer servers authorized by the Office of Information Technology Services will be permitted access to CSI's LAN.

Administrators of servers connected to CSI's LAN are responsible for maintaining a secure server environment; this includes but is not limited to maintaining the most recent version of all security patches for the operating system running on the server as well as installing the KACE agent.

The Office of Information Technology and the CUNY Instructional Technology and Information Services reserve the right to immediately disable network accesses to any unauthorized server as well as any server that has been compromised.

Access to servers from off campus through any method other than Secure Shell Telnet and Secure FTP through CSI's VPN is strictly prohibited as described below. Only access to servers for HTTP for connections to a web page is permitted from the Internet.

CSI maintains email for the College Community through the CSI mail server, mail.csi.cuny.edu. The College does not support in any way other email servers and indeed asks the college community's cooperation in not running any email servers on its LAN.

For special or extenuating circumstances, the Office of Information Technology will consider authorizing email servers on CSI's LAN. Such requests must be made in writing by the appropriate Vice Present to the Vice President of the Office of Information Technology Services with a copy to the Network Manager. Without written confirmation from the Office of Information Technology permitting running an email server, the server will not be permitted on the LAN.

Written requests for authorization for connecting a server to CSI's LAN should be made by an appropriate Vice President and sent to the Vice President for the Office of Information Technology Services with a copy to the network administrator.

To obtain authorization the following information must be included in the request to the Office Information Technology Services' network administrator:

Name of server administrator:

Server name:

Server IP address:

Server MAC address:

Server Operating system:

List of patches and security patches installed:

Who will access server from off campus?

When do you access server from off campus?

How do you access the Internet from off campus, e.g. ISP or remote LAN?

By submitting this request, I agree to IT policies and if IT discovers policies are not being followed then equipment will be subject to removal from the network.

Back To The Top

Section 4: External Access to Campus Services
Confidential Information
All College of Staten Island confidential information, including student specific information, that is accessible from an external site should be transmitted using a secure Internet protocol (e.g.: SSL, VPN) or be encrypted prior to being transmitted.

Back To The Top

Section 5: Campus Access to External Services
Confidential Information
All College of Staten Island confidential information that is transmitted to one or more external sites must be transmitted using a secure Internet protocol (e.g.: SSL, PCT, SET, S/MIME) or be encrypted prior to being transmitted.

Information communicated via newsgroups or electronic mail must not conflict with the level of confidentiality assigned to that information or violate the CUNY Computer Users Responsibilities.

External Site Access and "Blocking"
A site will be blocked if the site promotes mass distribution of unsolicited material, also known as "spamming" or is used in a way that is not consistent with the CUNY Computer User's Responsibilities.

A site will be un-blocked if the following two conditions are met: 1) it becomes necessary in the best interest of College of Staten Island; and 2) the Office of Information Technology grants approval.

Internet Services Provided
The only services that will be allowed to the College of Staten Island from the Internet will be those for which Application Protocol Gateways are available. These services include FTP (get only), HTTP, HTTPS, and Electronic Mail (E-mail). Other services such as SecureFTP (put) and Secure Telnet through a VPN will be provided to individual users on an "as needed" basis. The requestor's Chairperson and Office of Information Technology must approve all requests for additional services. Services provided are limited to specific port configurations.

Staff members must not interfere with, or disrupt the normal operation of the Internet/Intranet services located on College of Staten Island computers, or accessible through the Internet.

The Office of Information Technology is responsible for revising this policy on an annual basis, or as the need arises. In addition, the Office of Information Technology is responsible for working with the necessary organizations to ensure that there is a global consistency of implementation of this policy.

The Office of Information Technology is responsible for daily maintenance and maintaining the security of the systems they operate. They are further responsible for notifying users of their security policies and any changes to these policies. All security policies must be reviewed and approved by the Office of Information Technology.

In the event of an Internet or Intranet Security Breach requiring interruption or denial of service between a subnet and the Internet or Intranet, the Vice President of the Office of Information Technology Services must be informed prior to the separation.

Back To The Top

Definitions / Terms / Acronyms

Term Definition

Application Protocol Gateway Program or device that passes information between networks or applications.

Category 5 Cabling standard used for Ethernet LANs

Decrypt The process of taking encrypted text, or ciphertext, and converting it to plaintext.

Encrypt The process of altering characters, based on an encryption key, so that the characters appear to be nothing but random, garbage characters.

Firewall Any system or element that provides a function of filtering or blocking services, protocols, or packets between systems and/or networks.

FTP A service that supports file transfers between local and remote computers.

IP Address A unique address that is assigned to an individual machine. The address is used as a means of identifying each machine.

LAN Local Area Network.

Network This covers all public networks, such as PSTN, Internet, or carrier networks.

Packet Filter A device that examines individual IP packets and determines whether or not the packet is allowed to proceed to its destination address.

Plaintext Refers to any group of characters that are not encrypted.

Secure Shell SSH lets you establish secure terminal sessions between machines using cryptographic authentication and automatic session encryption.

Telnet Allows users to access computers and their data at thousands of places around the world, most often at libraries, universities, and government agencies.

Worker Refers to employees, contractors, temporaries, etc.

World Wide Web The accessible information available on many computers attached to the Internet. The Web has a body of software, a set of protocols and a set of defined conventions for getting at the information on the Web.

Constraints / Waivers

Appeals for an exception to this policy should be submitted to the Office of Information Technology for approval.

Compliance

It is essential that any violation of this policy be reported immediately to the Office of Information Technology Network Director, his immediate staff, so that appropriate action can be taken to ensure the security of other resources on CSI's LAN.

Violations will result in appropriate disciplinary actions as outlined in the CUNY Computer Users Responsibilities and including, dismissal and prosecution.

Back To The Top

Policy

Mobile devices may be provided to certain employees to conduct activities connected to their employment. Employees who request a mobile device include Executive management staff (ECP and Director level staff) as well as Staff of departments who have been approved for the need of these devices.

A Mobile Device includes: iPad, Laptop, tablet, or smartphone

All requests for mobile devices, services, and upgrades require appropriate management and budget approvals. These devices will be issued only to employees having a valid need as outlined in the criteria section of this document. Furthermore, when selecting mobile devices, the least expensive approved model will be provided unless enhanced functionality is warranted. Accessories will only be approved when needed.

Criteria

The criteria to be used when determining an employee’s need to receive a mobile device includes:

• More than 60% of work is conducted away from the employee’s work station and the employee is required to be contacted on a regular basis, or 
• Employee is on-call outside of normal work hours, or
• Employee monitors and administers mission critical information systems during non-business hours, or 
• The job requires the employee to be immediately accessible to receive and/or make frequent business calls outside of working hours, or
• Employee requires access to an application that runs only on this device

Personal Use:

Eligible Staff must pay $10 per month fee for personal use of the mobile phone, collected yearly at the beginning of January. Fees for any partial month are collected for the full month. This fee is waived for non-management staff members who are required to carry a College issued mobile device for emergency contact. 
 

Standard Ownership and Responsibilities 

The cost of purchasing the approved device for eligible staff, if any, is borne by the Telecommunications Office. Only approved models will be purchased (see appendix for list of approved models). If a non-standard device is requested, the purchase cost of the device must be paid by the requesting department.
If at any time a mobile device has to be replaced due to breakage or loss, the staff member's department must pay the replacement charges, if any, using departmental funds. Free upgrades are available at the discretion of the Office of Technology Services. 

Department managers are responsible for educating users about their mobile communication device procedures and monitoring usage. CSI issued mobile communication devices are subject to audit by the University.

Virtual Private Network
To ensure the integrity and privacy of personal information, CSI uses a Virtual Private Network (VPN) for its intranet and its access to CUNY Systems. This encrypts all data and uses the best available technology to guarantee security and privacy. In order to apply for VPN access a form needs to be completed with required approval. 

Virtual Private Network (VPN) Policy

• Application for VPN Service

Purpose
The purpose of this policy is to provide guidelines for Remote Access using a Virtual Private Network (VPN) connection to the College of Staten Island network.

Scope
This policy applies to all College of Staten Island employees, temporaries, consultants, and other workers including all personnel affiliated with third parties utilizing VPNs to access the College of Staten Island network.  Students are not allowed VPN access to the College of Staten Island network.

Policy
Approved College of Staten Island employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a “user managed” service.  This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and all costs associated with network access from off-campus.

A VPN account will require annual re-authorization at the beginning of the Fall semester by the employee’s supervisor.  A VPN account holder’s access to the system will automatically expire if they no longer have an affiliation with the College

Additionally:

• It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to the College of Staten Island’s internal networks
• All computers connected to the College of Staten Island’s internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (www.cuny.edu); this includes personal computers
• It is the responsibility of supervisors and department heads to:
  • Determine which of their office/department’s college business activities can and cannot be performed via the VPN from off-campus
  • Determine under what circumstances it is appropriate for an employee to use the VPN to conduct College business
  • Communicate the above to their employees
• VPN users will be automatically disconnected from the College of Staten Island’s networks after thirty minutes if inactivity.  The user must then logon again to reconnect to the network.  Artificial network processes are not to be used to keep the connection open

Enforcement
This policy regulates the use of all VPN services to the College of Staten Island network and users must comply with the CUNY Acceptable Use of Computer Resources policy.  To maintain security, VPN services will be terminated immediately if any suspicious activity is found.  Service may also be disabled until the issue has been identified and resolved.  Any employee found to have violated this policy may be subject to disciplinary action.

CUNY has mandated the use of Cortex XDR on all devices connecting to the College’s network.  Cortex XDR, which is security for a new generation of ransomware and cybersecurity threats, is an advanced protection software which accurately detects threats with behavioral analytics. It reveals the root cause to speed up investigations, enabling attacks to be stopped before damage to the device or sensitive data is compromised.

Wireless Network Access Policy

Welcome to the CSI Wireless Network

• The computing resources of the university shall be used only for purposes directly related to, or in support of, the academic, research, or administrative activities of the university.
• You must have a valid authorized account to use computer resources that require one and may use only those computer resources that are specifically authorized. You may use your account only in accordance with its authorized purposes and may not use an unauthorized account for any purpose.
• Computers on the Wireless Network should not store or transmit data of a sensitive nature such as credit card numbers, private student information, legal or attorney privileged data.
• You are responsible for the safeguarding of your computer account. You should take all necessary precautions in protecting the account, no matter what type of computer resources you are using.
• You may not circumvent system protection facilities. 
• You may not knowingly use any system to produce system failure or degraded performance. 
• You may not use computer resources for private purposes, including, but not limited to, the use of computer resources for profit making or illegal purposes.

The University reserves the right to monitor, under appropriate conditions, all data contained in the system to protect the integrity of the system and to insure compliance with regulations. Any user who is found to be in violation of these rules shall be subject to the following:

• Suspension and/or termination of computer privileges;
• Disciplinary action by appropriate college and/or University officials; 
• Referral to law enforcement authorities for criminal prosecution; 
• Other legal action, including action to recover civil damages and penalties.

By logging on you have agreed to the above terms and conditions.

For technical support please contact helpdesk@csi.cuny.edu or 718.982.HELP (4357) 

Please use your CSI computer lab login authentication ID for network access. 

***WARNING ***
***UNAUTHORIZED USE IS PROHIBITED ***