Cornell University

CIT/DFA Annual Attestation

This article applies to: CIT Intranet

Use Workday to Complete Your Annual Attestation

By clicking “I Agree” in Workday, you are acknowledging that you are bound by university policies as well as applicable federal, state, and local laws. You understand that a violation of these policies or laws could result in disciplinary action up to and including termination. Questions or concerns can be discussed with the Office of Human Resources (Tammy Dibble).

In addition, central IT employees must follow 9 specific requirements for all personal productivity endpoints (desktops, laptops, or virtual desktops). These requirements extend to any endpoint used to process or store university data. They do not apply to servers, databases, or infrastructure components.

Review These University Policies Annually

Ethical Business and Financial Policies in Support of the Sarbanes-Oxley Act

Sarbanes-Oxley was passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations.

University IT Policies

Follow Operational Procedures for Handling High-Risk Data

As described in University Policy 5.10, any information that contains any of the following data elements, when appearing in conjunction with an individual’s legal name or other identifier (for example, email address), is considered to be high-risk (confidential) university data:

  1. Social Security number
  2. Credit or debit card number
  3. Driver’s license (or non-driver identification) number
  4. Bank account number
  5. Visa or passport number
  6. Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA)
  7. Personal financial information subject to the Gramm-Leach-Bliley Act (GLBA)

Everyone interacting with high-risk data is obligated to take reasonable measures to secure high-risk information, including data stored on both personal and university-owned equipment.

Spirion or another data discovery tool approved by the IT Security Office must be regularly used to scan for high-risk data on any university-owned computers and other storage spaces assigned for your use. You understand that:

  • Data discovery tools, like Spirion, cannot find all instances of all types of high-risk data. They can only assist in determining whether high-risk data is present.
  • Because of the limitations of data discovery software, you will maintain awareness of data stored on your system and periodically review your files, including electronic mail, for high-risk data.
  • If you have high-risk data and have a business need to continue to store and/or access this data, you are required to contact either Central IT Technical Support or the IT Security Office for further assistance and instruction.
