Policies, Standards and Guidelines
The NYS Office of Cyber Security (OCS) is responsible for developing and distributing policies, standards and guidelines regarding cyber security, critical infrastructure and geographic information systems coordination.
Cyber Incident Reporting Policy
- P03-001 - V3.1 - May 3, 2011
This Policy defines a process and procedure for New York State governmental entities to report cyber security incidents to the New York State Office of Cyber Security.
Information Security Policy
- P03-002V3.4 - July 30, 2010
This Policy sets forth the minimum requirements, responsibilities and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. This Policy documents many of the security practices already in place in some State entities.
Publically Available Standards for the Information Security Policy:
- Role and Responsibilities of the State Entity Information Security Officer Standard (P03-002, Part 4. Organizational Security Policy)-
S10-001 - V1.1 - July 30, 2010
This Standard defines the annual Continuing Professional Education (CPE) credit requirements for Information Security Officers in the State.
- Monitoring System Access and Use Standard (P03-002, Part 10. Access Control Policy) - S10-005 - V1.1 - July 30, 2010
This Standard defines audit log requirements for State systems and applications
- Cryptographic Controls Standard (P03-002, Part 11. Systems Development and Maintenance Policy)- S10-006 - V1.1 - July 30, 2010
This Standard defines the requirements for encryption of data at rest and data in transit. Included in the Appendix of this Standard is guidance in selecting FIPS 140 validated products.
- Key Management Standard (P03-002, Part 11. Systems Development and Maintenance Policy)S10-007 - V1.1 - July 30, 2010
This Standard defines the requirements for management of encryption.
Information Classification and Control Policy and Standard (with Appendices)
- PS08-001 - V1.2 - February 7, 2012
This Policy and Standard defines a classification scheme for information, provides procedures for classifying information and supplies baseline controls to protect the confidentiality, integrity and availability of information.
- Exemption Request Form PS08-001 - Appendix A - V1.2 - February 7, 2012
This form is for use in limited situations where a State entity determines that a particular control can not be implemented due to technical constraints or business limitations.
- Information Asset Classification Worksheet - PS08-001 - Appendix C - V1.2 - February 7, 2012
This worksheet is provided as a tool to assist State entities in inventorying and classifying their information.
- Information Control Charts and Glossary - PS08-001 Appendices D & E - V1.2 - February 7, 2012
The information control charts contain the baseline controls for the protection of the confidentiality, integrity and availability (CIA) of information. The charts are arranged by CIA classification rating. The glossary provides clarification on each control.
- Exemption Request Form PS08-001 - Appendix A - V1.2 - February 7, 2012
Cyber Security Policies, Standards and Guidelines - Definitions & Acronyms - V1.2 - September 24, 2010
This document includes definitions and acronyms for the above listed cyber security policies, standards and guidelines. Defined terms appear in italics.
This guideline is designed to educate State government entities on the risks associated with social media and provide best practices for the secure use of social media in New York State government.
GIS Data Sharing 97-6* - (July 17, 1997)
Computerized geographic data that is created, collected, processed, disseminated, and stored by public agencies in New York State is a valuable information resource. This policy will facilitate the sharing of Geographic Information System (GIS) data and improve access to computerized geographic data across all levels of government.
Statewide Geographic Information Systems - 96-18* - (September 17, 1996)
The purpose of this bulletin is to establish a framework for the development of a Statewide GIS Program.
NYS GIS Strategic Plan - (August, 2008)
The intent of this plan was to evaluate New York's statewide GIS environment, and then to establish strategies that will help encourage intergovernmental cooperation and coordination in maintaining the data layers most commonly needed. The overall aim was to improve GIS data quality, currency, and accessibility through data sharing.
*These policies were issued by the New York State Office for Technology.
The Internet Crime Complaint Center (IC3) 2011 Internet Crime Report is an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime.
The 2012 Verizon Business Data Breach Investigations Report (DBIR) series, conducted by the Verizon RISK Team with cooperation from the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit (PCeU) of the London Metropolitan Police.
With the addition of Verizon's 2011 caseload and data contributed from the organizations listed above, the DBIR series now spans eight years, well over 2000 breaches, and greater than one billion compromised records.
The Blueprint for a Secure Cyber Future builds on the Department of Homeland Security Quadrennial Homeland Security Review Report's strategic framework by providing a clear path to create a safe, secure, and resilient cyber environment for the homeland security enterprise. With this guide, stakeholders at all levels of government, the private sector, and our international partners can work together to develop the cybersecurity capabilities that are key to our economy, national security, and public health and safety. The Blueprint describes two areas of action: Protecting our Critical Information Infrastructure Today and Building a Stronger Cyber Ecosystem for Tomorrow. The Blueprint is designed to protect our most vital systems and assets and, over time, drive fundamental change in the way people and devices work together to secure cyberspace. The integration of privacy and civil liberties protections into the Department's cybersecurity activities is fundamental to safeguarding and securing cyberspace.
The Symantec Global Internet Security Threat Report provides an annual overview and analysis of worldwide Internet threat activity, a review of emerging trends in attacks, malicious code activity, phishing, and spam. The Symantec Internet Security Threat Report gives organizations, enterprises and consumers the essential information to secure their systems effectively now and into the future.
The report is a follow up to a report released in 2010 called "In the Crossfire: Critical Infrastructure in the Age of Cyberwar," that found that many of the world's critical infrastructures lacked protection of their computer networks, and revealed the staggering cost and impact of cyberattacks on these networks. More than 200 IT executives in the energy, oil/gas and water sectors, responsible for information technology security, general security and industrial control systems in 14 countries were surveyed for the report. CSIS then analyzed the quantitative results, conducted additional research and authored the report.
A research team at the University of Kansas conducted a study concerning state-level Chief Information Security Officers, Chief Information Officers and their collaborations, particularly in the area of cyber and information security.
Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review, ordered by President Obama and led by Melissa Hathaway summarizes conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future.
In December 2008, the Center for Strategic & International Studies' Commission on Cybersecurity for the 44th Presidency released its final report, "Securing Cyberspace for the 44th Presidency." The Commission was co-chaired by Representative James R. Langevin, Representative Michael T. McCaul, Mr. Scott Charney, Microsoft, and Lt. General Harry Raduege, USAF (Ret). Mr. James A. Lewis was Project Director. The Commission comprised more than thirty cyber security experts from government and industry to identify recommendations for the next administration in improving the nation's cyber security.
Relevant Laws, Guidelines, Regulations and Cyber Security Policies
The following is a list of various sources of laws, regulations, and guidelines intended to assist State agencies.
New York State Laws
- NYS Information Security Breach and Notification Act
(After the page loads click PBO from list)
Personal Privacy Protection Law, Article 6-A,
§92(9) - definition of "record"
§95(b) - denial of access to records
(After the page loads click PEN from list; then click Article 156- "Offenses involving computers; definition of terms.")
NYS Electronic Equipment Recycling and Reuse Act
The NYS Electronic Equipment Recycling and Reuse Act (Article 27, Title 26 of the Environmental Conservation Law) was signed into law on May 28, 2010 with the bulk of the Act being effective as of April 1, 2011. The Act, among other things, addresses a very important data privacy and security issue related to the storage of "personal or confidential information" on certain "covered electronic equipment" as defined by the Act.
Many of our networked multifunctional devices such as printers, faxes and copiers actually contain hard drives or internal memory capable of storing data about the document being printed, copied and/or faxed. If we do not take precautions to wipe or delete the information from this internal memory when the devices are sold, repaired, recycled or surplused, there is potential for the information to fall into the wrong hands which could lead to identity theft or fraud. The Act requires manufacturers of these covered devices to make information on how to delete the information from this memory available to consumers.
General information on Erasing Information and Disposal of Electronic Media.
State Archives and Records Administration
of the Arts and Cultural Affairs Law (ACAL)
"Archives and Records Management Law for the Records of New York State Government."
Health and Human Services: Health Insurance Portability and Accountability Act of 1996
- Requirements for Governmental Access
17 U.S.C. §506
The No Electronic Theft ("NET") Act § 506 Criminal Offense, (a) Criminal Infringement
18 U.S.C. §1029,
Fraud and related activity in connection with access devices; computers; and interception and disclosure of wire, oral or electronic communications prohibited, respectively
18 U.S.C. §1030 Fraud and Related Activity in Connection with Computers
18 U.S.C. §2701 Criminal infringement of a copyright
Unlawful Access to Stored Communications
- USA Patriot Act
Web site for the U.S. Department of Justice Computer Crime and Intellectual Property Division.
- Cyber Security Home
- Incident Reporting
- Breach Notification
- Cyber Advisories
- NYS Digital Forensics
- Cyber Tips Newsletter
- Keeping Kids Safe Online
- Local Government
- Policies and Resources
- NY-ISAC Secure Portal