Security of Information Technology Resources
University IT Policy 5.4.1
Every information technology (IT) device connected to the Cornell University network must have at least one individual who is responsible for the security of that device. Depending on your relationship to Cornell, you will fall into at least one of these five categories:
- IT Security Director*
- Unit head*
- Unit Security Liaison*
- Local Support Provider
- User
People across Cornell who fit into the first three categories know who they are and the responsibilities that come with their position. The majority of people at Cornell fall into the local support provider group or the user group. These groups are distinguished from each other by determining who has administrative privileges for each computer. At work, you are the end user, because your department provides a local support provider. At home, however, you are the local support provider because you have administrative privileges for your own computer.
Reason for Policy
The university must preserve its information technology resources, comply with applicable laws and regulations, and comply with other university or unit policy regarding protection and preservation of data. Toward these ends, faculty, staff, and students must share in the responsibility for the security of information technology devices.
Frequently Asked Questions
- Why does this policy exist?
- When responding to security incidents, there must be someone identified who can correct the incident.
- How do I tell if I'm a local support provider or an end user?
- If no formally identified local support provider exists, and if you have administrative access, apply security patches, and install programs on your computer, you are the local support provider.
- Can I fall into more than one category?
- Yes, you can be an end user at Cornell, and you can be a local support provider for your home computer that is used to access the Cornell network.
- How can I identify my local support provider?
- Ask the administrative staff in your department who provides computer support.
Violations
Legitimate use of a computer or network system does not extend to whatever an individual is capable of doing with it. Each person of the community is responsible for his actions, whether rules are built in, and whether they can be circumvented.
Violations of this policy include
- intentionally maintaining insecure passwords on IT devices attached to the network
- intentionally attaching misconfigured IT devices to the network
- intentionally compromising an IT device attached to the network or using an application or computing system with a known compromise.
- Intentionally transmitting any computer virus or other form of malicious software
- Intentionally accessing or exploiting resources for which you do not have authorization
- Intentionally performing network or system scans on resources not authorized by the IT security director, unit head, unit security liaison, or local support provider
How is this policy enforced?
All violations must be reported to the IT security director, who will contact the following offices:
Faculty violations will be sent to the Provost.
Staff violations will be sent to the Office of Human Resources.
Student violations will be sent to the Judicial Administrator.
To read the policy, visit http://www.policy.cornell.edu/vol5_4_1.cfm. If questions arise concerning specific issues regarding this policy, call the following offices:
Initial contact for questions and local reporting: Local support provider
Policy Clarification: OIT, Director of IT Policy; (607) 254-3584; it-policies@cornell.edu; http://www.cit.cornell.edu/policy
Computers and Network Systems: Vice President for Information Technologies: (607) 255-7145; https://confluence.cornell.edu/display/OIT/Home
Legal Issues: Office of University Cousel: (607) 255-5125 http://counsel.cornell.edu
Security of Network Systems: OIT, Security; (607) 255-8825; security@cornell.edu; https://confluence.cornell.edu/display/OIT/IT+Security+Office
Best practices for configuring and securing IT devices: Director IT Security; (607) 255-8825; http://www.cit.cornell.edu/security/secure.html