Security Procedures for Staff and Consultants
This article applies to: Managing Vendors and Consultants
These security procedures apply to both Cornell University staff and consultants serving CIT Commercial Applications. Also see: Operational Procedures for Confidential Data for Central IT Employees.
Restricted administrative use – Commercial Applications allows for authorized general user access but restricts administrative use to access only from within secure environments and by verifying administrative identity through two-factor authentication.
- RSA two-factor authentication to remote data – Administrators of applications within the framework are required to use two-factor authentication for accessing the systems within the framework. The same applies to any external administrators or consultants requiring access.
- Dedicated devices – Commercial Applications has deployed Remote Desktop Protocol (RDP) servers in the extra tier, and enforces access only via two-factor authentication. All application support, development and system administration are done via these RDP servers. These dedicated devices are the only systems that may hold confidential data per Commercial Applications defined procedures.
- Device management – Commercial Applications has deployed an RDP solution accessed via two-factor authentication. All application support, development and system administration are done via the RDP server.
- Encryption – If confidential or sensitive data must be temporarily saved on a desktop system, it must be a secure RDP server desktop, and it must be saved in a TrueCrypt container per Commercial Applications defined procedures.
- Screen locks – Screen savers should be configured to activate in no more than 15 minutes, and must require a password to unlock per Commercial Applications defined procedures.