October is National Cybersecurity Awareness Month, a nationwide collaboration between government and industry to raise awareness about the importance of cybersecurity. This year the overarching theme, set forth by the Cybersecurity and Infrastructure Security Agency (CISA), is Secure Our World. The theme promotes behavioral change across the nation, with a particular focus on how individuals, families, and small- to medium-sized institutions can "secure our world" by focusing on four critical actions: use strong passwords, use multifactor authentication, recognize and report phishing, and update software to the most secure version.
I am pleased to announce that FIT is doing an excellent job in these four areas and is fully engaged with our policies, campaigns, messaging, and programs. But there are many other positive things happening behind the scenes that also help to keep our college safe from security incidents.

Governor Kathy Hochul and SUNY Chancellor John B. King, Jr.'s Digital Transformation Budget Provides Needed Funding for Centralized Cybersecurity Initiatives

FIT should benefit from the new SUNY budget, which "includes the resources to implement … upgrades to improve cybersecurity … " [SUNY 2023 Policy Agenda, p. 7]

Cyber Incident Security Response Plan (CIRP) and Execution Playbooks

The Information Security Office has been working steadily with the Office of Planning, Assessment, and Compliance on the development of a SUNY-approved CIRP for use during cybersecurity incidents that occur at FIT. Once the CIRP is completed, we will begin to develop our official execution playbooks.
Playbooks usually take the form of a series of procedures or checklists to be followed in the event of a major cybersecurity attack. Attacks arrive by different routes, called attack vectors, and depending on the vector a playbook's steps may differ or need to be executed in a different order.

Annual Penetration Testing by SUNY Security Operations Center (SOC)

A penetration test is an authorized simulated attack to see whether our cyberdefenses can be compromised. In the model we use, often called an assumed-breach test, we give the testers access to a standard workstation as if they had already broken through the defenses on that workstation, and they then try to move from that foothold into the rest of our network, systems, and data. It is an important test that every organization should perform, and we now do it annually.

CISO Review of Third-Party Vendors

At the end of last year we became one of the first SUNY campuses to institutionalize cybersecurity reviews of third-party vendors. While FIT has been vigilant in protecting its own environment, we, like many organizations, can still be affected by third-party cyber risk. Every college has hundreds of third-party contracts, and many of them are long-standing renewals, contracts signed with companies before the rampant growth of the cyber threat landscape.
Recognizing that a third party could therefore be a weak link, a side door into our own security environment, we implemented a four-step cyber review process: a mandatory vendor questionnaire, a full documentation review, a qualitative assessment of the vendor's security program, and a joint recommendation from the IT division and the Internal Controls unit.

Security Configurations Initiative

Secure configuration settings have proliferated in the last two years. Today most devices, systems, operating systems, and software services and products have their own cybersecurity settings. These settings ship with vendor-chosen defaults at installation, which are a starting point rather than a guarantee of best practice for our environment, so we have launched this initiative to regularly review these settings with our vendors.
As with the review of third-party vendors, these periodic reviews of cyber settings will help to ensure our infrastructure elements always have the best configurations to provide the strongest cybersecurity protection.
Thank you, and remember to stay cybersafe! 
Don't assume an email, mobile text, or attachment is safe.
Don't open any email, text, attachment, or link from unsolicited or unknown sources.
Don't download any file from unsolicited or unknown emails, texts, websites, or domain names.
Don't provide your credentials, passwords, or personally identifiable information to anyone who has initiated contact with you (rather than the other way around).

Best regards,
Larry Baach
Vice President for Information Technology, CIO, and Interim CISO