Policy 5.10: Information Security
University Policy 5.10, Information Security, outlines two sets of requirements for protecting the university’s information and IT resources.
- Baseline requirements apply to all computers used to conduct university business.
- Supplementary, more stringent requirements cover the handling of data classified as confidential.
These requirements were developed by the IT Security Office in conjunction with the IT Security Council, composed of Security Liaisons from the campus units.
The baseline requirements embody basic good practices for securing your computer, such as:
- Keeping the computer’s software up-to-date.
- Running anti-virus and firewall programs.
- Requiring a strong password for any access to the computer.
- Configuring the screen saver so the system password is needed to unlock the screen after the computer has been idle for fifteen minutes.
Confidential Data Requirements
The policy classifies as confidential any of the following data elements, when they appear in conjunction with an individual’s name or other identifier:
- Social Security numbers
- Credit card numbers
- Driver’s license numbers
- Bank account numbers
- Protected health information as defined under HIPAA, the U.S. Health Insurance Portability and Accountability Act.
In the future, the university may classify more types of data as confidential, including information not explicitly protected by law.
Some of the requirements for securing confidential data are:
- Restricting the privileges of the computer account used for daily operations.
- Encrypting confidential data on portable devices, like laptops.
- Removing confidential data when it is no longer needed.
- Never sending confidential data in an email message or attachment, unless encrypted.
- Limiting network access to a system storing confidential data.
- Allowing off-campus access only when transmission is encrypted.
Policy 5.10 also requires a unit to implement some ongoing data security measures, such as establishing practices for disposal of confidential data that is no longer needed and maintaining an inventory of where confidential data is stored.
CIT’s security website includes an explanation, for general readers, of what employees must do to safeguard confidential data in the course of their work at Cornell, including how to appropriately secure their computers. For more information, see:
Chapters Four and Five of the Computer Security at Cornell handbook cover the same topics.
For the full, technical details of the security requirements and a link to the complete policy text, see the Cornell IT Security Requirements page.