Resources

Policies, Standards and Guidelines

The NYS Enterprise Information Security Office is responsible for developing and distributing policies, standards and guidelines regarding cyber security. 

Please visit the NYS Office of Information Technology Services Policies, Standards, and Best Practice Guidelines for a complete listing.

GIS Policies

GIS Data Sharing 97-6* - (July 17, 1997)

Computerized geographic data that is created, collected, processed, disseminated, and stored by public agencies in New York State is a valuable information resource. This policy will facilitate the sharing of Geographic Information System (GIS) data and improve access to computerized geographic data across all levels of government.

Statewide Geographic Information Systems - 96-18* - (September 17, 1996)

The purpose of this bulletin is to establish a framework for the development of a Statewide GIS Program.

NYS GIS Strategic Plan - (August, 2008)

The intent of this plan was to evaluate New York's statewide GIS environment, and then to establish strategies that will help encourage intergovernmental cooperation and coordination in maintaining the data layers most commonly needed. The overall aim was to improve GIS data quality, currency, and accessibility through data sharing.

*These policies were issued by the New York State Office for Technology.

Reports

2014 National Institute for Science and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk. To better address these risks, the President issued Executive Order 13636 calling for the development of a voluntary risk-based Cybersecurity Framework. The resulting Framework is a set of industry standards and best practices to help organizations manage cybersecurity risks.

Verizon Business Data Breach Investigations Report

The 2014 Verizon Business Data Breach Investigations Report (DBIR) covers over 63,000 security incidents from 95 countries, including 1,367 confirmed data breaches. Given the complexity and diversity of the threat landscape, the DBIR clearly identifies nine patterns that cover 92% of the security incidents that have been analyzed over the last ten years.

2011 Internet Crime Report

The Internet Crime Complaint Center (IC3) 2011 Internet Crime Report is an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime.

Blueprint for a Secure Cyber Future

The Blueprint for a Secure Cyber Future builds on the Department of Homeland Security Quadrennial Homeland Security Review Report's strategic framework by providing a clear path to create a safe, secure, and resilient cyber environment for the homeland security enterprise. With this guide, stakeholders at all levels of government, the private sector, and our international partners can work together to develop the cybersecurity capabilities that are key to our economy, national security, and public health and safety. The Blueprint describes two areas of action: Protecting our Critical Information Infrastructure Today and Building a Stronger Cyber Ecosystem for Tomorrow. The Blueprint is designed to protect our most vital systems and assets and, over time, drive fundamental change in the way people and devices work together to secure cyberspace. The integration of privacy and civil liberties protections into the Department's cybersecurity activities is fundamental to safeguarding and securing cyberspace.

Symantec Global Internet Security Threat Report

The Symantec Global Internet Security Threat Report provides an annual overview and analysis of worldwide Internet threat activity, a review of emerging trends in attacks, malicious code activity, phishing, and spam. The Symantec Internet Security Threat Report gives organizations, enterprises and consumers the essential information to secure their systems effectively now and into the future.

McAfee/Center for Strategic and International Studies (CSIS) Report

The report is a follow-up to a report released in 2010 called "In the Crossfire: Critical Infrastructure in the Age of Cyberwar," that found that many of the world's critical infrastructures lacked protection of their computer networks, and revealed the staggering cost and impact of cyberattacks on these networks. More than 200 IT executives in the energy, oil/gas and water sectors, responsible for information technology security, general security and industrial control systems in 14 countries, were surveyed for the report. CSIS then analyzed the quantitative results, conducted additional research and authored the report.

Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers

A research team at the University of Kansas conducted a study concerning state-level Chief Information Security Officers, Chief Information Officers and their collaborations, particularly in the area of cyber and information security.

Sixty-Day Cyberspace Policy Review

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review, ordered by President Obama and led by Melissa Hathaway, summarizes conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future.

Securing Cyberspace for the 44th Presidency

In December 2008, the Center for Strategic & International Studies' Commission on Cybersecurity for the 44th Presidency released its final report, "Securing Cyberspace for the 44th Presidency." The Commission was co-chaired by Representative James R. Langevin, Representative Michael T. McCaul, Mr. Scott Charney, Microsoft, and Lt. General Harry Raduege, USAF (Ret). Mr. James A. Lewis was Project Director. The Commission comprised more than thirty cyber security experts from government and industry to identify recommendations for the next administration in improving the nation's cyber security.

Relevant Laws, Guidelines, Regulations and Cyber Security Policies

The following is a list of various sources of laws, regulations, and guidelines intended to assist State agencies.

New York State Laws

  • NYS Information Security Breach and Notification Act
  • Public Officers Law
    (After the page loads click PBO from list)
    Personal Privacy Protection Law, Article 6-A,
    §92(9) - definition of "record"
    §95(b) - denial of access to records
  • Penal Law §156
    (After the page loads click PEN from list; then click Article 156- "Offenses involving computers; definition of terms.")
  • NYS Electronic Equipment Recycling and Reuse Act

    The NYS Electronic Equipment Recycling and Reuse Act (Article 27, Title 26 of the Environmental Conservation Law) was signed into law on May 28, 2010 with the bulk of the Act being effective as of April 1, 2011. The Act, among other things, addresses a very important data privacy and security issue related to the storage of "personal or confidential information" on certain "covered electronic equipment" as defined by the Act.

    Many of our networked multifunctional devices such as printers, faxes and copiers actually contain hard drives or internal memory capable of storing data about the document being printed, copied and/or faxed. If we do not take precautions to wipe or delete the information from this internal memory when the devices are sold, repaired, recycled or surplused, there is potential for the information to fall into the wrong hands which could lead to identity theft or fraud. The Act requires manufacturers of these covered devices to make information on how to delete the information from this memory available to consumers.

    General information on Erasing Information and Disposal of Electronic Media.

State Archives and Records Administration

Health and Human Services: Health Insurance Portability and Accountability Act of 1996

Federal Laws

Deborah A. Snyder

Acting Chief Information Security Officer