Policy 5.10: Information Security

This article applies to: Policy


University Policy 5.10, Information Security, outlines two sets of requirements for protecting the university’s information and IT resources.

  • Baseline requirements apply to all computers used to conduct university business.  
  • Supplementary, more stringent requirements cover the handling of data classified as confidential. 

These requirements were developed by the IT Security Office in conjunction with the IT Security Council, composed of Security Liaisons from the campus units.

Baseline Requirements

The baseline requirements embody basic good practices for securing your computer, such as:

  • Keeping the computer’s software up to date.
  • Running antivirus and firewall programs.
  • Requiring a strong password for any access to the computer.
  • Configuring the screen saver so the system password is needed to unlock the screen after the computer has been idle for 15 minutes.

Confidential Data Requirements

The policy classifies as confidential any of the following data elements when they appear in conjunction with an individual’s name or other identifier:

  • Social Security numbers.
  • Credit card numbers.
  • Driver’s license numbers.
  • Bank account numbers.
  • Protected health information as defined under HIPAA, the U.S. Health Insurance Portability and Accountability Act.  

In the future, the university may classify more types of data as confidential, including information not explicitly protected by law.

Note: Policy 5.10 is concerned with confidential data that is under the custodianship of the university. An employee’s access to or handling of his or her own personal information is not at issue.

Some of the requirements for securing confidential data are:

  • Restricting the privileges of the computer account used for daily operations.
  • Encrypting confidential data on portable devices like laptops.
  • Removing confidential data when it is no longer needed.
  • Never sending confidential data in an email message or attachment unless encrypted.
  • Limiting network access to a system storing confidential data.
  • Allowing off-campus access only when transmission is encrypted.

Policy 5.10 also requires a unit to implement some ongoing data security measures, such as establishing practices for disposal of confidential data that is no longer needed and maintaining an inventory of where confidential data is stored.

More Information

CIT’s security website includes an explanation for general readers of what employees must do to safeguard confidential data in the course of their work at Cornell, including how to appropriately secure their computers. For more information, visit:

Chapters Four and Five of the Computer Security at Cornell handbook cover the same topics.

For the full technical details of security requirements and a link to the complete policy text, visit the Cornell IT Security Requirements page.
