Security of Electronic Administrative Information Draft Policy

Security of Electronic Administrative Information
(formerly Information Security of Institutional Data)
Draft University IT Policy 5.10

I. Policy Statement (required)

Cornell University expects all custodians who have access to and responsbilities for electronic administrative information to manage that information according to the rules regarding storage, disclosure, access, classification of information and their associated minimum information security and privacy standards as set forth in this policy.

II. Reason For Policy (required)

Cornell must preserve and protect administrative information transmitted and stored on its systems in order to maintain and preserve its institutional assets and to comply with applicable federal and state legislation.

III. Entities Affected By This Policy (required)

All Units of the University including the Weill Cornell Medical College

IV. Who Should Read This Policy (required)

All stewards and custodians of electronic administrative information.

V. Website Address For This Policy (required)

http://www.policy.cornell.edu/vol5_10.cfm

VI. Related Documents (required)

University Documents

VII. Contacts

Subject	Office	Telephone	Email/URL
Policy Interpretation and Clarification	Office of Information Technologies, Director of IT Policy and Computer Policy and Law Program	(607) 254-3584	https://confluence.cornell.edu/ display/OIT/IT+Policy+Office
Security of Network Resources	Office of Information Technologies, Security	(607) 255-8825	https://confluence.cornell.edu/ display/OIT/IT+Security+Office

VIII. Definitions (required)

[Interim definitions are identical to those in University Policy 4.12]

Insert Term	Definition.
Custodian	Personnel who have access and/or responsibilities for electronic administrative information.
Functional Area	The administrative functional areas included in this policy are: Alumni Affairs and Development, Facilities, Finance, Human Resources, Information Technologies, Planning and Budget, Sponsored Programs, Student Academic Services, Risk Management and Public Safety, University Librarian, and Weill Medical College for unique information sets.
Legitimate Interest	A need for administrative functional area information that arises within the scope of university employment and/or in the performance of authorized duties.
Steward	University office(s) with executive responsibility over administrative information sets.
Unit Head	For this policy, a unit head is any office in the first four levels of the university organizational chart (which include the following offices: President and Provost, Executive Vice Presidents, Associate Provosts, Vice Presidents, and Deans); see Appendix.
University Administrative Information	Administrative functional area information, in any form, including that stored centrally as well as in colleges and departments.

IX. Responsibilities (required)

Party	List of Responsibilities
Institutional Data Steward	Categorize information into one of three categories: _ Confidential _ Restricted _ Public Establish rules for disclosing and authorizing access to administrative information Conduct annual risk assessments of security practices
Unit Head	Assume responsibility for policy compliance for the information under his/her control Deploy procedures to comply with steward's rules for disclosing, categorizing, and authorizing access to administrative information Deploy procedures for meeting minimum standards for information security according to information classification (see Proposed Minimum Baseline Computer Security Practices) Notify stewards in cases of disclosing mixed information sets (i.e., more than one information category or steward)
Custodian	Implement procedures for policy compliance Execute unit's procedures for meeting minimum standards for information security according to information classification (see Proposed Minimum Baseline Computer Security Practices) Report all information breach incidents
IT Security Office	In consultation with the IT Security Council, IT Managers' Council, and other stakeholders, determine technical procedures and reviews them annually, at a minimum. Specific procedures will not be included in the final policy draft, but will be maintained separately on a Web page and linked to from within the policy document.

X. Principle (required)

Privacy standards and security procedures provided serve to preserve and protect institutional information. This policy sets out the appropriate roles and responsibilties for both stewards and custodians of institutional information to meet those ends, including an inventory of institutional information, classification according to its legal, reputational and ethical standards and minimum technical standards to be applied to each level of information.

XI. Procedures (required)

Proposed Minimum Baseline Computer Security Practices
http://www.cit.cornell.edu/security/requirements

XII. Timeline for Implementation

Baseline Minimum Data Security Standards:
6 months after policy promulgation

Minimum Security Standards for Data Classified as Confidential:
One quarter after start of fiscal year following implementation

Requirements maintenance
Yearly review by Security Council
Completed by first quarter of calendar year

IT Policy Office

Security of Electronic Administrative Information
(formerly Information Security of Institutional Data)
Draft University IT Policy 5.10

I. Policy Statement (required)

II. Reason For Policy (required)

III. Entities Affected By This Policy (required)

IV. Who Should Read This Policy (required)

V. Website Address For This Policy (required)

VI. Related Documents (required)

VII. Contacts

VIII. Definitions (required)

IX. Responsibilities (required)

X. Principle (required)

XI. Procedures (required)

XII. Timeline for Implementation

All IT policies

IT Policy Office

Security of Electronic Administrative Information (formerly Information Security of Institutional Data) Draft University IT Policy 5.10

I. Policy Statement (required)

II. Reason For Policy (required)

III. Entities Affected By This Policy (required)

IV. Who Should Read This Policy (required)

V. Website Address For This Policy (required)

VI. Related Documents (required)

VII. Contacts

VIII. Definitions (required)

IX. Responsibilities (required)

X. Principle (required)

XI. Procedures (required)

XII. Timeline for Implementation

All IT policies

Security of Electronic Administrative Information
(formerly Information Security of Institutional Data)
Draft University IT Policy 5.10