Columbia University maintains certain policies with regard to the use and security of its computer systems, networks and information resources.
All users of these facilities are required to adhere to these policies. These policies are meant to protect the University’s computer systems, networks, data and other information resources.
Columbia University’s IT Policies apply to the entire Columbia community, including faculty, staff, and students.
| Policy Name | Policy description / purpose |
|---|---|
| Information Security Charter | Establishes the personnel responsibilities and functions within the Information Security Program and defines key terms and definitions used and referenced by the twelve IT policies |
| Acceptable Usage of Information Resources Policy | Provides guidance for the appropriate access and use of University information resources, proper conduct when using those resources and privacy expectations |
| Email Usage Policy | Provides guidance for: proper use of email, necessary actions for sending sensitive data via email and privacy expectation |
| Registration And Protection Of Endpoints Policy | Provides general protection requirements for desktop and laptop computers, mobile devices and any endpoints that contain University data. |
| Data Classification Policy | Classifies University information/data into four categories: Sensitive Data, Confidential Data, Internal Data, and Public Data |
| Social Security Number (SSN) Usage Policy | Provides guidance for SSN usage and how to eliminate unnecessary storage and use of SSNs as the primary identifier at the University, where possible |
| Electronic Data Security Breach Reporting and Response Policy | Establishes the responsibilities of the University Response Team (URT) for handling all aspects of a data breach incident and also provides an incident response checklist to triage the data breach |
| Sanitization And Disposal Of Information Resources Policy | Defines the requirements for appropriate data deletion and proper disposal methods to be used when discontinuing use of University devices |
| Network Protection Policy | Defines the requirements that all network, communications and telecommunications-related equipment and devices, including cabling, be installed and maintained by authorized Columbia University’s network and technology support groups |
| Registration And Protection Of Systems Policy | Describes the requirements for the security controls that protect systems that process, transmit and/or store University data |
| Information Resource Access Control And Log Management Policy | Describes the process of establishing, documenting and reviewing appropriate access to Columbia University information resources |
| Information Security Risk Management Policy | Provides guidance for the information security risk management program process |
| Business Continuity And Disaster Recovery Policy | Defines acceptable methods for business continuity and disaster recovery planning for the University’s business following the loss of systems that are critical to the operations of a business unit |
| External Hosting Policy | Describes the requirements for appropriate and approved use of externally hosted Columbia University Systems and/or Data. |
| Electronic Signature Policy | Establishes requirements for the use of electronic signatures in lieu of handwritten signatures in connection with official University activities, in order to ensure that electronic signatures are used consistently with University’s Policies. |
- Acceptable Use of Columbia’s Network & Computing Resources
- User Guides to Safer Computing
- Please also read the Columbia University Information Security Charter
- Electronic Data Security Breach Reporting and Response Policy
- Desktop / Laptop / Mobile Device Security Requirements When Accessing Sensitive Data
Columbia University’s IT Strategies
Developed in partnership with Columbia’s localized IT groups to guide University-wide strategy.
- API Strategy: This API strategy for Columbia explains our motivation and approach to building an API ecosystem for the benefit of our faculty, students, staff, peers and others.
- Cloud Strategy: Explanation of why the use of cloud services is important to Columbia and how to benefit from them in a way that is optimal across the CU enterprise and comports to the University’s security and business requirements.
- People Data Model: A comprehensive and consolidated approach to standardize data types and enable effective sharing of information about Columbia University’s people: students, faculty, staff, alumni, clients, patients, etc.