Electronic Information Security Policy

DOCUMENT INFORMATION

Document Title: Electronic Information Security Policy
Document Type
  • Bylaws
  • Policy Document
  • Procedures
  • Guidelines
  • Form
Office/Unit: Information Technology Services
Document Owner
Contact Information
Approval Date: June 2, 2004
Approved by: President's Cabinet
Effective Date: June 2, 2004

Review Date/Schedule
Revision History

DOCUMENT CONTENT

PURPOSE

The purpose of the policy/procedure is to protect the security of electronic information and to protect the confidentiality and integrity of confidential information.  All individuals who are authorized to use the e-mail systems of SUNY Fredonia must be familiar and compliant with this policy.

POLICY/PROCEDURE STATEMENT

Email

SUNY Fredonia encourages the business use of e-mail for the efficiency of operations.  The e-mail system and all the messages generated by e-mail, including backup copies, are part of the business infrastructure of SUNY Fredonia, are owned by SUNY Fredonia, and are not the property of the individuals who use the system.

Right to Monitor, Audit, Read

In keeping with provisions outlined in the SUNY Fredonia Computer and Network Usage Policy, SUNY Fredonia reserves the right to monitor, audit, and read e-mail messages.

Request for Confidential Information

The transmission of an individual’s own personal information via electronic mail (e-mail) to an external network is permitted only when the requester has been advised of the campus e-mail policy stating “SUNY Fredonia cannot guarantee that electronic communications will be private.”  If, after advisement, the requester agrees, the personal information may be e-mailed.

The transmission of confidential information requested by another individual (other than self) via electronic mail is not permitted to off-campus locations.

On-campus electronic mail transmissions are reasonably secure, due to the higher level of security provided by switched network interfaces and the dual-level anti-virus security built into the SUNY Fredonia e-mail gateway and managed anti-virus desktop systems, as well as user compliance with the Physical Information Security Policy.

The transmission of confidential health information via electronic mail (e-mail) is not permitted.

Websites

Sites, such as Banner, that accept confidential information input must be password protected and allow for encryption/secure communications.  The servers hosting confidential information must be protected with SSL (Secure Sockets Layer) certificates, such as those issued by Verisign.

Confidentiality and Information Security

  • All provisions of the SUNY Fredonia Computer and Network Usage Policy must be observed with regard to access, use, modification, creation, disclosure, storage, copying, transmission, or destruction of information in any way related to online communications or interactions.

  • Access to and disclosure of online confidential information is subject to the same restrictions that apply to non-electronic campus records.  

File Transfer Protocol (FTP)

Transferring information to an external third party such as New York State Higher Education Services Corporation, the Federal Government, M&T Bank, and Standard Register, among others, will always utilize an encrypted and secure transmission method either outlined by Information Technology Services (ITS) or specified by the provider and approved by ITS.

Passwords

Passwords are access keys, help to prove you are who you say you are, and help to ensure your privacy.  Compromised passwords provide access to systems for unauthorized personnel. For that reason, SUNY Fredonia computer users are encouraged to create and use strong passwords in accordance with the following password integrity guidelines:

  • Initial password is randomly generated and displayed for each user in the secured “Your Connection” web interface.  This interface is secured with a PIN that is specific to each new user.

  • A Your Connection PIN change is forced after initial login.  The user may change the initial password if desired, following the guidelines below.

  • Use at least seven characters whenever possible.

  • Passwords may NOT use any portion of the user’s first name, last name, or userid.

  • A mixture of three of the following is required: English uppercase characters, English lowercase characters, base 10 digits (0-9), non-alphanumeric characters (!,$,#,%).

  • Make the password easy to remember but difficult for someone to guess.  Do not reveal yourself in developing a password (don’t use a social security number, a birth date for yourself or a significant individual in your life, an address, or a telephone number).  Using a “pass phrase” is a good way to develop a password.  This example of using the pass phrase “Do you know the way to San Jose?” to develop the password D!Y!KtwTSJ? comes from the Duke University guidelines.

  • Never share your password (this includes system administrators, account managers, and friends). Never provide access to systems for other individuals using your logon identity.

  • Never write your password down.  

  • Change your password if you have shared it with anyone else or if you wrote it anywhere.  It is also advisable to change the password if you logged into the Fredonia system from a remote location without using an encrypted login program.

  • Password aging is the act of changing a password on a regular basis and is required for users logging into the Campus Information System (CIS) forms or DEC Alpha hardware due to the confidential nature of data stored in this system. (As recommended by the Banner Steering Committee following review of state audit guidelines.)  Password aging is recommended but not forced for all other access to Fredonia electronic resources.
