Skip to main content
more options

Security of Electronic Administrative Information

Draft University IT Policy 5.10

I. Policy Statement (required)

Cornell University expects all custodians who have access to and responsibilities for electronic administrative information to manage that information according to the rules regarding storage, disclosure, access, classification of information and their associated minimum information security and privacy standards as set forth in this policy.

II. Reason For Policy (required)

Cornell must preserve and protect administrative information transmitted and stored on its systems in order to maintain and preserve its institutional assets and to comply with applicable federal and state legislation.

III. Entities Affected By This Policy (required)

All Units of the University including the Weill Cornell Medical College

IV. Who Should Read This Policy (required)

All stewards and custodians of electronic administrative information.

V. Website Address For This Policy (required)

www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/admininfo.cfm

VI. Related Documents (required)

University Documents Other Documents
4.12 Data Stewardship and Custodianship
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/governance/data.cfm

5.1 Responsible Use of Electronic Communications
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/communications.cfm

5.3 Use of Escrowed Encryption Keys
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/encryption.cfm

5.4.1 Security of Information Technology Resources
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/resources.cfm

5.4.2 Reporting Electronic Security Incidents
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/incidents.cfm

5.7 Network Registry
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/network.cfm

5.8, Authentication of Information Technology Resources
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/authentication.cfm

 New York Security and Notification Act of 2005

VII. Contacts

Subject Office Telephone Email/URL
Policy Interpretation and Clarification Director of IT Policy and Computer Policy and Law Program (607) 254-3584 www.cit.cornell.edu/policies
Security of Network Resources Office of the CIO and Vice President for IT, Security (607) 255-8825 www.cit.cornell.edu/security

VIII. Definitions (required)

[Interim definitions are identical to those in University Policy 4.12]

Insert Term Definition.
Custodian Personnel who have access and/or responsibilities for electronic administrative information.
Functional Area The administrative functional areas included in this policy are: Alumni Affairs and Development, Facilities, Finance, Human Resources, Information Technologies, Planning and Budget, Sponsored Programs, Student Academic Services, Risk Management and Public Safety, University Librarian, and Weill Medical College for unique information sets.
Legitimate Interest A need for administrative functional area information that arises within the scope of university employment and/or in the performance of authorized duties.
Steward University office(s) with executive responsibility over administrative information sets.
Unit Head For this policy, a unit head is any office in the first four levels of the university organizational chart (which include the following offices: President and Provost, Executive Vice Presidents, Associate Provosts, Vice Presidents, and Deans); see Appendix.
University Administrative Information Administrative functional area information, in any form, including that stored centrally as well as in colleges and departments.

IX. Responsibilities (required)

Party List of Responsibilities
Institutional Data Steward
  • Categorize information into one of three categories:
    _ Confidential
    _ Restricted
    _ Public
  • Establish rules for disclosing and authorizing access to administrative information
  • Conduct annual risk assessments of security practices
Unit Head
  • Assume responsibility for policy compliance for the information under his/her control
  • Deploy procedures to comply with steward's rules for disclosing, categorizing, and authorizing access to administrative information
  • Deploy procedures for meeting minimum standards for information security according to information classification (see Cornell IT Security Requirements)
  • Notify stewards in cases of disclosing mixed information sets (i.e., more than one information category or steward)
Custodian
  • Implement procedures for policy compliance
    • Execute unit's procedures for meeting minimum standards for information security according to information classification (see Cornell IT Security Requirements)
  • Report all information breach incidents
IT Security Office
  • In consultation with the IT Security Council, IT Managers' Council, and other stakeholders, determine technical procedures and reviews them annually, at a minimum. Specific procedures will not be included in the final policy draft, but will be maintained separately on a Web page and linked to from within the policy document.

X. Principle (required)

Privacy standards and security procedures provided serve to preserve and protect institutional information. This policy sets out the appropriate roles and responsibilities for both stewards and custodians of institutional information to meet those ends, including an inventory of institutional information, classification according to its legal, reputational and ethical standards and minimum technical standards to be applied to each level of information.

XI. Procedures (required)

XII. Timeline for Implementation

  1. Baseline Minimum Data Security Standards:
    6 months after policy promulgation
  2. Minimum Security Standards for Data Classified as Confidential:
    One quarter after start of fiscal year following implementation
  3. Requirements maintenance
    Yearly review by Security Council
    Completed by first quarter of calendar year