Cornell University

Security Procedures for Staff and Consultants

This article applies to: Managing Vendors and Consultants

These security procedures apply to both Cornell University staff and consultants. Also see: Operational Procedures for Confidential Data for Central IT Employees.

  1. Restricted administrative use – Authorized general user access is permitted, but administrative use is restricted to secure environments and requires verification of administrative identity through two-factor authentication. Duo is Cornell's current two-factor authentication solution.
  2. RSA two-factor authentication to remote data – Administrators of applications within the framework must use two-factor authentication (Duo) to access systems. This requirement also applies to external administrators and consultants.
  3. Dedicated devices – Remote Desktop Protocol (RDP) servers have been deployed in the extra tier, with access enforced via two-factor authentication. All application support, development, and system administration must be conducted through these RDP servers. These dedicated devices are the only systems permitted to store confidential data, in accordance with defined procedures.
  4. Device management – Access to the RDP solution is secured via two-factor authentication (Duo). All application support, development, and system administration must be performed through the RDP server.
  5. Encryption – If confidential or sensitive data must be temporarily stored on a desktop system, it must be on a secure RDP server desktop and follow defined procedures.
  6. Screen locks – Screen savers should be configured to activate within 15 minutes and must require a password to unlock, in accordance with defined procedures.
