Social Engineering Security Policy

• Bylaws
• Policy Document
• Procedures
• Guidelines
• Form

June 2, 2004

June 2, 2004

PURPOSE

The purpose of this policy is to emphasize that information security (the protection of confidentiality and the integrity of confidential student and employee information) is the responsibility of each and every SUNY employee.  “Social Engineering” is the term that describes non-technical ways by which hackers obtain information, usually by fooling people into giving up their own security.

POLICY

It is the policy of SUNY Fredonia to ensure confidential physical information is protected.  

PROCEDURE

The following guidelines should be followed:

• Include the review of FERPA regulation and the SUNY Fredonia Information Security Program and Policies during new employee orientation, with the policies included in orientation packets.

• Require completion of the Confidentiality Agreement Form, appendix E of the SUNY Fredonia Information Security Program.

• During annual evaluations, supervisor and employee shall review information security confidentiality requirements and procedures.

• The Office of Human Resources will annually remind employees of information security and FERPA regulations.

• Eliminate use of social security number for customer identification in campus-wide office procedures.  Use the Your Connection ID when verifying customer identification.

• Practice vigilance in how and where each employee shares information.  Hackers can overhear conversations and build up information over time that can then be used to obtain confidential information.

• Never write passwords down, or share with anyone (even system administrators, account managers, or friends).  Most cases of unauthorized access to information is through the use of compromised passwords. Use of strong passwords following the guidelines in appendix G. is recommended.