Cybersecurity and Data Security
Cybersecurity Program
Stony Brook University's Information Security Program (ISP) brings people, process and technology together to manage cyber risk to SBU's mission, and to protect all members of our community. The Information Security Program Council (ISPC) sets information security program priorities, responds to input from the working groups, and formally adopts policies and procedures. In addition to working group team leads, it consists of a core group of senior leaders and others who have a vested interest in assuring the success of the information security program.
Related Policies
- SBU Cybersecurity Policies
- Sensitive Information Classification Policy
- Data Classification Security Standards
SBU Training Requirement
The Division of Information Technology (DoIT) is responsible for the oversight of cybersecurity training. All faculty and staff are required to take annual Cybersecurity Awareness Training.
Incident Response/Reporting
Notify the cybersecurity team if you are aware of a potential cybersecurity incident. How to report an incident.
Cybersecurity and Data Security Standards
- Faculty, staff, and students are required to comply with SBU cybersecurity and data security policies.
- Researchers (both funded and unfunded) may be subject to additional laws and/or regulations that govern the data security requirements of a category of data.
- Researchers may be subject to additional cybersecurity laws and/or regulations that apply to the conduct of their projects.
Cybersecurity Standards
Secure Computing
Secure computing services provide a secure computing environment for users. Secure computing includes network security, system security and application security.
The ISP provides Secure Computing Guides (tip sheet and guides) for students and faculty/staff. These guides use a concise format to help students and faculty/staff keep their computing environment secure.
Even though most research on campus is conducted with the intent to publicly disseminate, there may be data or even types of research that warrant enhanced security.
More information is available on the Secure Computing page.
Security Consulting
ISP provides consultative services, training, education and awareness resources to assist students and faculty/staff in safe and secure computing.
Review the Security Consulting page for further assistance.
Federal Awards and Standards
Some federal sponsor awards, notably contracts and subcontracts, may include enhanced IT (information technology) security requirements or include prohibitions on the purchase or use of certain products/services.
More information is available on the Federal Awards and Data Protection Standards page.
Data Security Standards
Data that must be secured in accordance with SBU policies and procedures:
- Data that is intended for public dissemination where the project had no foreign national restrictions, no publication restrictions (or prior approvals), and no acceptance of increased security requirements from a federal sponsor (direct or flowed down through a subcontract).
Data that must be secured in accordance with SBU policies and procedures AND requires some enhanced security:
- Data that is intended for public dissemination where the project accepted any of the following: foreign national restrictions, publication (including prior approval) restrictions, increased security requirements from a federal sponsor (direct or flowed down through a subcontract).
- Data related to intellectual property
- SBU proprietary data
- Export-controlled data
Data that must be secured in accordance with laws/regulations and/or contractual requirements:
- Protected Health Information (PHI)
- Controlled Unclassified Information (CUI) - SBU cannot accept CUI
- Data subject to the General Data Protection Regulation (GDPR) - SBU cannot accept data subject to GDPR or similar laws
- Data protected by a Non-Disclosure Agreement
- Data protected by a Data-Use Agreement