CIT Operational Procedures for Information Security ("9 Points")
Central IT Departmental Policy Statement
The central IT organization (see organizational charts), comprised of CIT Enterprise Applications, CIT Infrastructure, Customer Service and Support, IT Administration, IT Communication and Documentation, the IT Security Office, the Office of the CIO, and the Project Management Office, has developed specific requirements for all personal productivity workstations (desktops and laptops). These requirements extend to any desktop or laptop used to process or store university data. These requirements do not apply to servers, databases, or infrastructure components.
Follow the process and procedures in this guide as they are requirements for protecting confidential data.
All operational procedures for information security are based on University Policy 5.10.
Cornell University Policy 5.10, "Information Security" defines confidential data as the following elements, when appearing in conjunction with an individual’s name or another identifier:
- Social Security numbers
- Credit card numbers
- Driver's license numbers
- Bank account numbers
- Visa or Passport numbers
- Personal financial information subject to the Gramm-Leach-Bliley Act (GLBA)
- Protected health information, as defined in the Health Insurance Portability and Accountability Act (HIPAA)
- Dedicated Devices: Any device that holds confidential data, regardless of the duration of retention, must be used exclusively for those tasks that require access to the confidential data. All other activities, including workplace productivity tasks like checking email, must occur on a separate device. The dedicated device may be physical or virtual. Personal use of a dedicated physical device, no matter how brief, is not allowed.
- Device Management: Any device that holds confidential data, regardless of the duration of retention, must be fully managed by the central IT Certified Desktop service in partnership with the Central IT Service Group (CITSG). Sole administrative access must rest with the service group; staff members cannot hold administrative privileges on devices that store confidential data. If a staff member must hold administrative privileges on a device, or if the device is used in some testing and "sandbox" scenarios, then the device cannot be used to hold or to access systems that hold confidential data.
- Encryption: As of December 1, 2015, all university-owned desktops, laptops, tablets, cell phones, and removable media must employ whole-disk encryption. Any device that holds confidential data, regardless of the duration of retention, must employ whole-disk encryption. For devices that regularly store confidential data, the use of encrypted containers or folders that are only mounted when necessary is recommended. Encryption technologies and key recovery processes must be approved by the Central IT Service Group (CITSG) and the IT Security Office.
- Network and Remote Access: Any device connecting to the WiFi network that stores or processes confidential data must use eduroam to encrypt data in transit. If a staff member must access a remote device that houses confidential data from an off-campus location, use of the CU VPN service is required to encrypt the data in transit. The CU VPN connection must use Two-Step Login multi-factor authentication.
- Screen Locks: Any device that displays confidential data, regardless of whether the data is resident on the device or presented on the device by a remote system, must use a screen saver. The screen saver must be configured to lock after an idle period of no more than 30 minutes and must require a password to unlock.
- Two-Factor Authentication to Remote Data: Staff members must use IT Security Office-approved two-factor authentication and hopper servers (i.e., bastion hosts or secure gateways) when connecting to remote systems that have direct access to, or house, confidential data. This requirement applies to any remote access to systems holding confidential data, regardless of the staff member’s reason for connecting to the system. Options for meeting this requirement include CU VPN with Two-Step Login or using a hopper server. Connection methods that avoid the two-factor requirement, such as connection mastering or port forwarding, are not allowed.
- Scans for Confidential Data: Any device that displays confidential data, regardless of whether the data is resident on the device or only presented on the device by a remote system, must be scanned monthly with Spirion. The centrally managed Spirion configuration and schedule provided by the Central IT Service Group (CITSG) is recommended; if a different configuration, it must be approved by the IT Security Office. Devices that do not process or store confidential data must be scanned no less often than every six months. If university-owned confidential data is found, the staff member must discuss the disposition of that data with their supervisor. If the confidential data is not necessary for an ongoing university business process, erasure or secure disposal of the data is recommended. Copies of an individual’s own confidential data, which is to say that of the staff member and their dependents, is not in scope.
Use of Central Backup Service: All university-owned systems must be backed up by the central IT backup, archive, and recovery service (Code42). This requirement exists in addition to the encryption requirement. Backups serve to validate the contents of a device in the event one is lost or stolen.
Staff Participation in Awareness, Attestation, and Device Reviews: All staff members must participate in annual awareness training and complete an annual attestation.
Copies you store of your own personal information do not fall within the scope of this policy.
Originally Issued as CIT Policy: 2013
Most Recent Revision: June 14, 2019
Responsible Central IT Division and Director: Information Technology Security Office, Interim Director of IT Security, Tom Horton