Cornell Policies

At Cornell a wide range of university policies address the important issues surrounding computer security and data protection. These policies apply to all faculty, staff, and students.

“Cornell's policies connect the university's mission to the everyday actions of its community, clarify the institution's expectations of its individual members, mitigate institutional risk, enhance efficiency, and support the university's compliance with laws and regulations.”
University Policy Office

The university has requirements for maintaining the security of computers and the information they store. Detailed technical information is available in the Security Requirements.

An Overview of University Policies on Computer Security and Data Protection

A number of policies are important to, and inform our use of, information technology (IT) resources at Cornell. This section outlines the set of policies that are specific to IT.

Data Stewardship and Custodianship (4.12) – Cornell University expects all stewards and custodians of its administrative data to manage, access, and use this data in a manner that is consistent with the university’s need for security and confidentiality. Cornell University administrative functional areas must develop and maintain clear and consistent procedures for access to university administrative data, as appropriate.

Responsible Use of Electronic Communications (5.1) – Cornell University expects all members of its community to use electronic communications in a responsible manner. The university may restrict the use of its computers and network systems for electronic communications, in response to complaints presenting evidence of violations of other university policies or codes, or state or federal laws. Specifically, the university reserves the right to limit access to its networks through university-owned or other computers, and to remove or limit access to material posted on university-owned computers.

Security of IT Resources (5.4.1) – Cornell University expects all individuals using IT devices connected to the Cornell network to take appropriate measures to manage the security of those devices.

Electronic Security Incidents (5.4.2) – Cornell University requires that users of IT devices connected to the University network report all electronic security incidents promptly and to the appropriate party or office.

Network Registry (5.7) – Cornell University requires network administrators or users to register all devices (including wireless hubs and switches) connected to the university network using a continuously updated central CIT network registry service. At a minimum, the required information maintained in this registry must include the MAC address and IP address, if static, as well as the network electronic identifier (NetID) of the primary user or the person responsible for the administration of the device.

Authentication of IT Resources (5.8) – Cornell University owns and manages university electronic identifiers. In the course of its business and missions, it provides its community with access to IT resources, such as email, Internet, and network devices, through these identifiers. To protect these resources from unauthorized use, Cornell requires IT users to obtain electronic identifiers (specifically, Cornell electronic identifiers, as defined herein) to gain access to these resources, and to follow specific rules for their use, as well as for obtaining, using, changing, and terminating these identifiers. In addition, to avoid unauthorized access to IT resources, holders of Cornell electronic identifiers must follow specific rules for creating and using, and for reporting the suspected compromise of, complex passwords that correspond to a Cornell electronic identifier.

Privacy of the Network (5.9) – Cornell University recognizes users’ reasonable expectations of privacy in information technology (IT) data generated automatically by computer systems and by voice and data network devices. Therefore, the Vice President for IT will disclose IT data only under the following circumstances: (1) in response to a court order or other legal papers, (2) in the investigation of a legal or policy violation, (3) in the event of a health or safety emergency, (4) in specific instances of reasonable requests in the interests of the university, such as collaborative research with other institutions, and (5) to maintain the operation and security of the IT network.

Security of Electronic Administrative Information (5.10) – Cornell University expects all custodians who have access to and responsibilities for electronic administrative information to manage that information according to the rules regarding storage, disclosure, access, classification of information, and their associated minimum information security and privacy standards, as set forth in this policy.