CIT Operational Procedures for Information Security ("9 Points")
Central IT Departmental Policy Statement
The central IT organization (see organizational charts), comprised of CIT Enterprise Services, CIT Infrastructure, Customer Experience, IT Administration, the IT Security Office, the Office of the CIO, and the Project Management Office, has specific requirements for all personal productivity endpoints (laptop, desktop, or virtual desktop). These requirements extend to any endpoint used to process or store university data. These requirements do not apply to servers, databases, or infrastructure components.
Follow the processes and procedures in this guide; they are requirements for protecting high-risk (confidential) data.
All operational procedures for information security are based on Cornell University Policy 5.10, Information Security.
As described in University Policy 5.10, any information that contains any of the following data elements, when appearing in conjunction with an individual’s legal name or other identifier (for example, email address), is considered to be high-risk (confidential) university data:
- Social Security number
- Credit or debit card number
- Driver’s license (or non-driver identification) number
- Bank account number
- Visa or passport number
- Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Personal financial information subject to the Gramm-Leach-Bliley Act (GLBA)
- Dedicated Devices: Any device that holds high-risk data, regardless of the duration of retention, must be used exclusively for those tasks that require access to the high-risk data. All other activities, including workplace productivity tasks like checking email, must occur on a separate device. The dedicated device may be physical or virtual. Personal use of a dedicated physical device, no matter how brief, is not allowed.
- Device Management: Any device that holds high-risk data, regardless of the duration of retention, must be fully managed by the central IT Certified Desktop service in partnership with the Central IT Service Group (CITSG). Sole administrative access must rest with the service group; staff members cannot hold administrative privileges on devices that store high-risk data. If a staff member must hold administrative privileges on a device, or if the device is used in some testing and "sandbox" scenarios, then the device cannot be used to hold or to access systems that hold high-risk data.
- Encryption: As of December 1, 2015, all university-owned desktops, laptops, tablets, cell phones, and removable media must employ whole-disk encryption. Any device that holds high-risk data, regardless of the duration of retention, must employ whole-disk encryption. For devices that regularly store high-risk data, the use of encrypted containers or folders that are only mounted when necessary is recommended. Encryption technologies and key recovery processes must be approved by the Central IT Service Group (CITSG) and the IT Security Office.
- Network and Remote Access: Any device connecting to the WiFi network that stores or processes high-risk (confidential) data must use eduroam to encrypt data in transit. If a staff member must access a remote device that houses high-risk data from an off-campus location, use of the CU VPN service is required to encrypt the data in transit. The CU VPN connection must use Two-Step Login multi-factor authentication.
- Screen Locks: Any device that displays high-risk data, regardless of whether the data is resident on the device or presented on the device by a remote system, must use a screen saver. The screen saver must be configured to lock after an idle period of no more than 30 minutes and must require a password to unlock.
- Two-Factor Authentication to Remote Data: Staff members must use IT Security Office-approved two-factor authentication and hopper servers (i.e., bastion hosts or secure gateways) when connecting to remote systems that have direct access to, or house, high-risk data. This requirement applies to any remote access to systems holding high-risk data, regardless of the staff member’s reason for connecting to the system. Options for meeting this requirement include CU VPN with Two-Step Login or using a hopper server. Connection methods that avoid the two-factor requirement, such as connection mastering or port forwarding, are not allowed.
- Scans for Confidential Data: Any device that displays high-risk data, regardless of whether the data is resident on the device or only presented on the device by a remote system, must be scanned monthly with Spirion. The centrally managed Spirion configuration and schedule provided by the Central IT Service Group (CITSG) is recommended; if a different configuration is used, it must be approved by the IT Security Office. Devices that do not process or store high-risk data must be scanned no less often than every six months. If university-owned high-risk data is found, the staff member must discuss the disposition of that data with their supervisor. If the high-risk data is not necessary for an ongoing university business process, erasure or secure disposal of the data is recommended. Copies of an individual's own high-risk data, which is to say that of the staff member and their dependents, are not in scope.
- Use of Central Backup Service: All university-owned systems must be backed up by the central IT backup, archive, and recovery service (CrashPlan). This requirement exists in addition to the encryption requirement. Backups serve to validate the contents of a device in the event one is lost or stolen.
- Staff Participation in Awareness, Attestation, and Device Reviews: All staff members must participate in annual awareness training and complete an annual attestation.
Copies you store of your own personal information do not fall within the scope of this policy.
Originally Issued as CIT Policy: 2013
Most Recent Revision: March 24, 2023
Responsible Central IT Division and Director: Information Technology Security Office, Chief Information Security Officer