Information Security Program Council
Security Program activities will be divided into those of the Information Security Program Council (ISPC) and ISPC Working Groups.
The Information Security Program Council (ISPC) has been identified and authorized by senior leadership to implement the Program and publish related policy, procedure and standards. This broad-based group represents stakeholders for business, academic, and instructional activities for the campus. It also includes the chairs of each established working group.
The ISPC acts to set information security program priorities, responds to input from the working groups, helps to assure appropriate allocation of resources, and acts to formally adopt policies and procedures. In addition to working group team leads, it consists of a core group of senior leaders and others who have a vested interest in assuring the success of the information security program.
The Information Security Program Council (ISPC) actively assesses risks, threats, and mechanisms for responding to the threats to form a comprehensive information security program.
The Information Security Program Council may, in turn, establish domain-specific working groups as necessary and coordinate their activities; these working groups will be established as either Standing or Ad Hoc. Working groups consist of persons with expertise in information security and/or University business, persons representing areas having considerable information assets, and persons with knowledge and/or authority of key information technology infrastructure components.
Senior Leadership. The university’s employee(s) with the duties, authority and ultimate responsibility to oversee the Information Security Program’s implementation referred to in Policy P300.
An Information Security Program Council Member. A person with named responsibility and area of expertise participating in the Information Security Program Council. Some people may be formal members yet only participate when needed; some may participate on more than one ISPC domain-specific working group; and some may not be university employees. The DoIT Information Security Department and ISPC Working Group Chair(s) will be permanent members of the ISPC.
An Information Security Working Group (ISWG) Member. A person with named responsibility and area of expertise participating in an Information Security Working Group (Working Group). Some people may be formal members yet only participate when needed; some may participate on more than one ISPC domain-specific working group; and some may not be university employees.
Information Security Officer. An Information Security Program Council member authorized to manage the Program for a domain of the university.
Security Administrator. A person with named responsibility in an area of expertise and/or operations with significant effect on the university’s security posture. Some Security Administrators may be ISPC members or Working Group members. Those that are not Members still have the duty and right to present issues and alerts to the Information Security Program. They participate as needed in Program functions, such as presentation of information and issues, investigating, studying, and reporting.
Information Security Working Group Chair. A Working Group Member that leads, organizes, facilitates, etc., a domain-specific working group. All Working Group chairs are members of the Information Security Program Council.
- Governance Chart
| Name | Title |
| --- | --- |
| Jed Shivers | Senior Vice President, Finance & Administration |
| Lyle Gomes | Vice President for Finance and Chief Budget Officer |
| Lawrence Zacarese | Vice President for Enterprise Risk Management |
| Braden Hosch | Vice President for Educational and Institutional Effectiveness |
Information Security Officers
| Name | Title | Supervisor | Domain |
| --- | --- | --- | --- |
| Matthew Nappi (ISPC Chair) | AVP & Chief Information Security Officer | Jed Shivers | Stony Brook University business functions, especially all engaged in "Sensitive Information," as defined in the university's policy. |
| Andrew Hoffman (ISPC Chair) | Associate CISO & HIPAA Security Officer | Gerald Kelly, Matthew Nappi | Stony Brook Medicine business functions, especially all engaged in "Sensitive Information," as defined in the university's policy. |
Working Group Chairs
| Name | Working Group |
| --- | --- |
| Susan Gasparo | Research Compliance |
| John Gianmugnai | Security Training and Awareness |
| Jeff Mackey | Business Compliance |
EDUsec and MEDsec Individual Members
Victor Montanez (DoIT)
Ken Myung (DoIT)
Jim Gonzales (DoIT)
David Cyrille (DoIT)
Henry Joseph (DoIT)
Diana Voss (DoIT)
Daniel Scott (ELIH)
Mike Gillen (SBSH)
Angela Demmer (Veteran's Home)
Kevin Kenny (SBMIT)
John Hennessey (SBMIT)
Dennis Gallagher (SBMIT)
Peter Gazsy (SBMIT)
John Hiney (SBMIT)
Stephen Fabrizio (SBMIT)
DoIT Information Security
| Name |
| --- |
| Eric Johnfelt |
| Mark Velazquez |
| Sean Burrowes |
| Sanjay Kapur |
| John Gianmugnai |

| Name | Title |
| --- | --- |
| Jennifer Sinatra | Senior Manager & Ethics Officer, State Payroll & Employee Records |
| Michael Mooney | Senior Associate Registrar |
| Diane Bello | University Registrar |
| Marrisa Trachtenberg | Assistant to the President for Policy, Compliance and Presidential Initiatives |
| Douglas Panico | Assistant Vice President, Audit & Management Advisory Services |