For the Campus Community For IT Partners Information Security

Evolving Our Cybersecurity Standards

Published: May 4, 2026
Estimated Read Time: 1 minutes

Stony Brook University is taking a major step forward in its commitment to digital safety. On June 30, 2026, the University will officially adopt a revised Minimum Security Standard designed to strengthen our collective defense against increasingly sophisticated cyber threats.

While Stony Brook has long maintained rigorous security standards, this update ensures our practices remain up-to-date and aligned with the latest SUNY 6900 requirements as well as the globally recognized Center for Internet Security (CIS) Critical Security Controls.

What is Changing?

In simple terms, we are moving from a general checklist to a more tailored, risk-based approach. The new standard organizes security protections based on the sensitivity of the data being handled—categorizing it as Low, Moderate, or High Risk.

One of the most helpful features of this update is the clear allocation of responsibility. It outlines exactly who manages which security controls:

  • DoIT-Managed: Protections handled automatically by central IT.
  • Local: Responsibilities managed within your specific college or department.
  • Shared: Areas where your department and DoIT work together to ensure safety.

Why This Matters

Cybersecurity is no longer just "an IT issue"—it is essential for protecting the research, academic records, and personal information of every student, faculty, and staff member.

  • For Faculty and Staff: This new framework provides a clear roadmap for protecting your department's unique assets. It removes guesswork by defining which safeguards are mandatory for your specific role and data access.
  • For Students: These updates help ensure that your personal and financial data remain secure, and that the digital tools you use for learning are resilient against outages or attacks.
  • For SBU: By adopting a "cyber-resilient" posture, we are better prepared to not only prevent attacks but also to recover quickly if they do occur, keeping operations running smoothly.

This Isn’t The End of the Story

It is important to note that this is an evolution, not a beginning. Stony Brook has always prioritized data security; this revision simply updates our "manual" to reflect the 2026 landscape—one involving remote work, cloud computing, and advanced AI-driven threats.

With less than 60 days remaining until official adoption, we encourage IT leaders or designated IT representatives to review our assessment template to ensure your department is fully prepared for the June 30 deadline. This critical tool for success provides a tailored roadmap for your specific implementation leads and will help our staff identify any gaps that remain prior to implementation. 

For More Information Contact

Information Security