The New School Information Security Policy (the "Policy") is organized as a collection of separate documents to provide an extensible framework that can be updated easily. The document set includes detail appropriate for various audiences, and allows document ownership and approval to match authority and knowledge. The Policy comprises three types of documents: Policies, Standards, and Procedures.
Information security policies are, generally, classified as "Unrestricted," and are therefore available to the public. This includes the Information Security Policy and the Information Resource Acceptable Use Policy. Information security standards are, in most cases, classified as "Restricted," and access is therefore limited to members of The New School community and others with a business need to know. Other access may be approved on a case-by-case basis; contact the Director of Information Security (see below) to make a request.
Information security procedures are, with few exceptions, classified as "Confidential," and access is limited to the staff of the Office of Information Technology and others with a business need to know. Other access may be approved on a case-by-case basis; contact the Director of Information Security (see below) to make a request.
References to "The New School Information Security Policy" are inclusive of all the policies, standards, and procedures published by the Information Security Office.
Policies specify the information security intentions of the university's senior leadership, grant authority, define roles and responsibilities, and establish high-level requirements for protecting the university's information resources.
Standards define the mandatory settings, controls, and requirements that must be implemented to achieve policy objectives. Compliance with standards is measurable, allowing risks to be identified, quantified, and managed at various organizational levels within the university.
Procedures help to ensure that security policies and standards are applied in a consistent and repeatable manner. A procedure is a systematic set of interrelated steps, tasks, or activities to be accomplished in order to implement a policy or standard.
Failure to comply with this Policy, whether deliberate or due to careless disregard, will be treated as serious misconduct and may result in actions including (but not limited to) disciplinary action, dismissal, and civil and/or criminal proceedings.
David A. Curry, CISSP
Director of Information Security
55 West 13th Street, 7th Floor, New York, NY 10011
(212) 229-5300 x4728
Policies and procedures maintained by other offices of the university that have information security implications: