At Cornell a wide range of university policies include information relating to computer security and data protection. These policies apply to all faculty, staff, and students.
“Cornell's policies connect the university's mission to the everyday actions of its community, clarify the institution's expectations of its individual members, mitigate institutional risk, enhance efficiency, and support the university's compliance with laws and regulations.” – University Policy Office
The university has requirements for maintaining the security of computers and the information they store. Detailed technical information is available in the Security Requirements.
This section includes policies that are specific to the use of information technologies (IT) resources at Cornell. Each policy statement is listed with a pointer to the specific policy for more detailed information.
Data Stewardship and Custodianship (4.12) – The university expects all stewards and custodians of its administrative data to manage, access, and utilize this data in a manner that is consistent with the university's need for security and confidentiality. Cornell University administrative functional areas must develop and maintain clear and consistent procedures for access to university administrative data, as appropriate.
Responsible Use of Electronic Communications (5.1) – Cornell University expects all members of its community to use electronic communications in a responsible manner. The university may restrict the use of its computers and network systems for electronic communications, in response to complaints presenting evidence of violations of other university policies or codes, or state or federal laws. Specifically, the university reserves the right to limit access to its networks through university-owned or other computers, and to remove or limit access to material posted on university-owned computers.
Security of IT Resources (5.4.1) – Cornell University expects all individuals using information technology devices connected to the Cornell network to take appropriate measures to manage the security of those devices.
Reporting Electronic Security Incidents (5.4.2) – Users of information technology devices connected to the Cornell network must report all electronic security incidents promptly and to the appropriate party or office.
Network Registry (5.7) – Cornell University requires network administrators or users to register all devices (including wireless hubs and switches) connected to the network in a continuously updated central CIT network registry service. At a minimum, the required information maintained in this registry must include MAC address and IP address, if static, as well as the network electronic identifier (netid) of the primary user or the person responsible for the administration of the device.
Authentication of IT Resources (5.8) – Cornell University owns and manages university electronic identifiers. In the course of its business and missions, it provides its community with access to information technology (IT) resources, such as email, Internet, and network devices through these identifiers. To protect these resources from unauthorized use, Cornell requires IT users to obtain electronic identifiers (specifically, Cornell electronic identifiers, as defined herein) to gain access to these resources, and follow specific rules for their use, as well as obtaining, changing, and terminating these identifiers. In addition, to avoid unauthorized access to IT resources, holders of Cornell electronic identifiers must follow specific rules for creating and using, and for reporting the suspected compromise of complex passwords that correspond to a Cornell electronic identifier.
Privacy of the Network (5.9) – Cornell University recognizes users' reasonable expectations of privacy in information technology (IT) data generated automatically by computer systems and by voice and data network devices. Therefore, the Vice President for IT will disclose IT data only under the following circumstances: (1) in response to a court order or other legal papers, (2) in the investigation of a legal or policy violation, (3) in the event of a health or safety emergency, (4) in specific instances of reasonable requests in the interests of the university, such as collaborative research with other institutions, and (5) to maintain the operation and security of the IT network.
Security of Electronic Administrative Information (5.10) – Cornell University expects all custodians who have access to and responsibilities for electronic administrative information to manage that information according to the rules regarding storage, disclosure, access, classification of information and their associated minimum information security and privacy standards as set forth in this policy.
