Cornell Information Technologies and the 9-Point Security Policy
Why CIT devised a 9-point security policy.
In 2012 there was a security incident on a desktop computer in CIT that involved confidential data. The potential breach highlighted the need for a security review of the desktop environment. The review prompted the IT Security Office to implement operational procedures in 2013, based on university policy, for all staff members who work with confidential data. Before the new policy rolled out, CIT experienced 5-10 desktop security incidents per year on approximately 300-400 computers. Since then, there have been no security breaches.
There were a number of challenges in implementing the 9-Point Security Policy across all of CIT. The IT Security Office had to make sure all desktop and laptop environments were configured correctly and that confidential data was removed from older systems.
Perhaps the biggest challenge was that it made people change how they work. For example, points 1 and 2 in the policy say that anyone in CIT who works with confidential data must use a dedicated device just for that purpose, and may not use that device for anything else. Also, all devices used to work with confidential data must be managed by CIT desktop support in partnership with the CIT/DFA service group. Staff members who use devices to access confidential data may not have administrator roles on those devices.
Additionally, one of the new requirements is two-factor authentication: anyone who remotely accesses devices that house confidential data must use two-factor authentication.
The CIT Operational Procedures for Information Security ("9 Points") policy was developed for central IT staff. It outlines specific requirements to protect confidential data, and includes an annual attestation.
CIT was its own client for this policy, in partnership with DFA. The departments that played a role in developing it were the IT Security Office; Planning and Program Management; IT Service Desk; and Academic Technologies.
The Collaborative Relationship
CIT will work with any college or unit across campus to assist in implementing this policy.
“We recognize that it’s hard to change work habits and behaviors, but the effort that everyone put into making small changes in their day-to-day work has paid off: since the rollout in CIT in 2013, we haven’t had any laptop or desktop security incidents.” – Celisa Manly, Deputy Director for Operations