CORNELL UNIVERSITY INFORMATION TECHNOLOGY POLICY FRAMEWORK
prepared by Tracy Mitrano, Ph.D., J.D.
February 2004
Copyright Cornell University 2004
I. Introduction
A comprehensive information technology (IT) policy framework provides a coherent picture of both the university responsibilities and user obligations for the maintenance, security, legal and appropriate use of the Cornell University network in keeping with the university's educational, research and outreach missions. Ten to fifteen years ago, in the early years of data networking on college campuses, first-generation IT policies tended to be broad documents that covered a wide range of concerns, mainly privacy, security and appropriate use of resources. Typically, multiple topics were addressed in a single policy. As campus networking became more detailed, and as the missions of higher education became more dependent on networking services, these broad networking policies have given way to a set of policy statements on discrete aspects of networking (e.g. Cornell University shall maintain a network registry, or, users may not share network passwords) and their attendant procedures and protocols (e.g. network administrators must deploy CIT-developed technologies for registering all devices to the network, or, users who wish to change their passwords must do so in person at the CIT Contact Center).
Historically, Cornell University has held an auspicious position in the development of IT policy. In response to the 1988 "Computer Worm" incident, Cornell became one of the first campuses to promulgate a first-generation IT policy. In fact, the 1990 Abuse of Computers and Network Systems represents perhaps the most notable example of that generation of IT policy, and, as an example of pioneer work in the field, that document has been widely quoted and expansively adopted throughout higher education. In 1995 Cornell University, through its newly established University Policy Office, issued Responsible Use of Electronic Communications. A broadly conceived policy that nonetheless includes both specific university policy statements (e.g. as a practice no monitoring the network for content) as well as detailed user obligations (e.g. no e-mail bombing) and reporting procedures (e.g. the Office of Judicial Administration should be contacted in the case of potential violations), Responsible Use of Electronic Communications represents an intermediate stage of IT policy development. In response to the passage of the Digital Millennium Copyright Act of 1998, the University Policy Office, in conjunction with University Counsel, updated the policy, and it, too, has provided a model for IT policy for many campuses around the country. 1
Beginning in 2001, the Office of Information Technologies undertook a re-evaluation of its IT policies and embarked on a program to update Volume 5, "Information Technology," of the University Policy Office Library. This effort was undertaken with an eye toward the development of IT policies on other campuses, notably the University of Michigan, University of California (Office of the President and the UCLA and Berkeley campuses), and Indiana University. Over the last ten years, these universities moved their IT policy programs away from the use of single, broad documents toward policies on discrete topics such as security, domain naming and access to e-mail. A more sophisticated understanding of the use, maintenance and security of network systems has resulted in discrete policy statements that align with relevant obligations, behaviors, procedures and protocols. This proliferation presents its own unique challenge: how to maintain a comprehensive understanding of the relationships between and among IT policies, as well as how all of these policies, individually and together, serve the mission of the university.
II. IT Policies Offered by the Office of Information Technologies (OIT)
As of mid-January, 2004, the University Policy Office (UPO) lists three official OIT-sponsored policies in Volume 5:
- University Policy 5.1, Responsible Use of Electronic Communications;
- University Policy 5.2, Mass Electronic Mailing2; and
- University Policy 5.3, Use of Encryption Escrow Keys.3
The UPO has identified a fourth policy:
- University Policy 5.4.2, Reporting Security Incidents,
which has been serving as an interim policy since February of 2003. It is slated to become official university policy on March 1, 2004. OIT expects at least two other policies to become official on the same date:
- University Policy 5.4.1, Security of Information Technology Resources and
- University Policy 5.6, Recording and Registration of Domain Names.4
Another policy has thus far passed the Policy Advisory Group (PAG) and is expected to be presented before the Executive Policy Advisory Group (EPRG) at its next quarterly meeting:
- University Policy 5.7, Network Registry
An eighth policy:
- University Policy 5.x, Authentication and Authorization,
has EPRG approval as an impact statement and is currently undergoing review by the IT Policy Advisory and Communications Committees.5 In December 2003, OIT submitted an impact statement for a new university IT policy:
- University Policy 5.x, Privacy of the Network and Network Flow Logs.
At the same time, OIT submitted a request to revise Responsible Use of Electronic Communications, in keeping with UPO recommendations for five-year revisions of existing policy. OIT submitted the request in the form of an impact statement, rather than the minimum letter of intent; given the extensive policy development that preceded this revision, OIT expects a significant revamping of the policy, including a new name for the policy: Responsible Use of Information Technology Resources. As a revision of the first policy in this list, Responsible Use of Information Technology Resources is not separately enumerated.6 Thus, at the end of this current IT policy initiative to update Volume 5 of the UPO Library, OIT will be the responsible office for ten university level policies.7
III. Two Themes of the IT Policy Framework: Privacy/Security and Regulation of the University's Property and Interests
Perhaps the most accurate, general statement about university IT policies is that they exist to maintain, secure, and ensure legal and appropriate use of a campus' information technology infrastructure. Any attempt to corral all contemporary IT policies within the confines of a pithy single theme that reflects these purposes runs the risk of conflating and oversimplifying complicated policy. This axiom holds true for IT policy at Cornell University, even as this paper advances two main themes by which to organize discrete policies into concepts: (1) privacy and security and (2) the regulation of the university's property and interests. Cornell University IT policy seeks to place security and privacy policy specifics in service of each other in order to provide the campus community with a high quality, trusted and secure campus computing environment, and as a means of protecting and securing its property interests, data and intellectual property.
IV. The Security/Privacy Conundrum of IT Policy: Background Information for a Discussion of Specific IT Policies
In the last few years, security has become the single most important issue in data networking. It wasn't always that way. Early IT policies consistently paid their due to security, notably with the prohibition against sharing network passwords that remains a cornerstone of IT policies, but they did so within a larger general culture that prized privacy. The 1960's and 1970's witnessed a plethora of legal statements that gave legal definition to the term "privacy:" Supreme Court decisions in criminal procedure (e.g. the Katz decision, which stated that law enforcement could not tap a phone line for content without a warrant), substantive due process (Roe, overruling criminal sanction for family planning by abortion) and a series of public privacy laws such as the Privacy Act or Data Reporting Acts of 1972 and 1974 respectively are some of the more prominent examples.
The Family Education Rights Privacy Act (FERPA), which protects educational records, comes out of this era and founded the need for privacy considerations in campus computing policies. Thus, insofar as security was a distinct policy principle in early IT policy, it existed as a complement to privacy, not unlike the role that "security" plays as one of the seven "fair information practices" in privacy law, together with transparency of records, ability to challenge and change mistakes, and the right to be notified of a disclosure. In short, fair information practices make effective the adage that data cannot be private if it is not secured. Perhaps one of the main failings of the Electronic Communications Privacy Act of 1986, the "wiretapping act for the Internet," is that as it attempted to bring electronic communications up to the level of legal protection of telephony, it neglected to take into consideration firm technological security standards that would underscore and reinforce its privacy principles.
Three principal factors have dramatically shifted the focus from privacy to security in network computing. The first is national security legislation, with sweeping law enforcement surveillance provisions, which arose as a result of the events of September 11, 2001. The second is the exponential rise in network security incidents (denial of service attacks, computer compromises, "viruses," "worms" or other "malware" that has the effect of damaging systems or their data8) that rose sharply that same year and continue virtually unabated throughout the Internet, especially on campus network systems that accommodate different constituencies in an open network system. The third factor is a second generation of federal privacy laws, such as the Financial Services Modernization Act (FSMA) and the Health Insurance Portability Accountability Act (HIPAA), which have introduced into regulations, for the first time, specific electronic security policy provisions.
While popular political culture has had the tendency to bifurcate and pit "privacy" and "security" against each other as if they were distinct qualities existing at different poles of a single political continuum in a "zero-sum game" formulation, a more refined analysis of these policy principles, at least insofar as they relate to data networking, suggests a different perspective.9 This perspective begins by distinguishing national security from network security and then goes on to recognize the interdependent, complementary role that "privacy" and "security" play together in a scheme for protecting data transmitted and stored on university-owned infrastructure. They also form the foundation for understanding the need and efficacy of campus-wide IT policy. Whereas any entity operating in compliance with federal law will strive to meet its legal obligations, it is fitting and proper that a campus community, devoted foremost to the educative enterprise, will, through policy, set expectations for the members of its community in order to model citizenship as well as compliance. The Cornell University IT policy performs two functions; it establishes the rules by which the university strives to meet its legal obligations in the IT arena and it sets a clear set of expectations for the community: that it will employ those resources in a manner that preserves both the integrity of systems as well as the dignity of its users. This approach, in which security and privacy policy principles are joined in service to the overall mission of the university, is relatively unique within higher education.
V. Cornell University Security and Privacy IT Policy Specifics
A. Security of Information Technology Resources/Responsible Use of Information Technology Resources
Appendix 2, labeled "Cornell University IT Policy Framework," represents the privacy/security theme of IT policy. User obligations for security and appropriate behavior form the centerpiece of this matrix and attempt to convey the critical role that those responsibilities play in maintaining the integrity, security and availability of the campus network. These policies are placed in the center because of the foundational technology of the Internet known as "end to end." The Internet was purposefully designed around an open, and consequently insecure, set of protocols for the free and indiscriminate transmission of data across a relatively simple and non-proprietary set of network protocols. "Intelligence," or programs and applications, including those that foster security such as desktop virus or firewall protection, exists at the "end" of the protocols, in other words on the computing devices themselves and not within the networking architecture. While distinctions exist between "security policies" (such as patching systems and deploying updated virus software) that apply specifically to the devices and "appropriate use" policies that speak to personal behavior (such as no e-mail bombing or fraudulent spamming), it is critical to remember that it is always people, and not the technology per se, that bear responsibility for maintenance of the infrastructure. Thus, the boxes in the chart designed to represent these policies are joined, of equal size (representational of their significance to the overall scheme) and purposefully placed in the center of the matrix.
B. The "Security-Related Policies:" Reporting Security Incidents, Use of Encryption Keys and Network Registry
Many of the policies on offer can be understood as fitting within a security-privacy. All the policies in the "security" half of the chart, Reporting Security Incidents, Use of Encryption Escrow Keys, and Network Registry, abet Security of Information Technology Resources by reinforcing user obligations with specific rules and procedures for the reporting of security incidents, the creation of protocols for the escrow of encryption keys, and for the establishment of a network registry which will assist detection and remedy of affected or compromised devices attached to the network. Given new federal regulations for electronic security under FSMA, in place since May of 2003, and similar regulations under HIPAA that go into effect in 2005, the first of these supporting policies, Reporting Security Incidents, represents perhaps the most important one of all. It covers the one explicit policy requirement under these regulations, a policy that addresses intrusion detection and the ability to stem expeditiously the leaching of data from an infected device or machine. Encryption key escrow proactively guards against the common but grave mistake of misplaced de-encryption passwords. Network registry creates a database for the inventory, audit and control of the more than 45,000 devices currently connected to the university network.
C. The "Privacy-Related" Policies: Privacy of Network and Network Flow Logs, Access to Electronic Mail and Mass Mail Messaging
On the "privacy" side of the ledger, Privacy of the Network and Network Flow Logs speaks most explicitly to the principle that the university as a practice does not monitor the network for content. This statement represents one of the most cherished values for Cornell and for higher education: dedication to free speech and open inquiry. This statement has long been a sterling feature of Cornell University IT policy, framed originally in the 1995 Responsible Use of Electronic Communications. Subsequent policy development has separated it from that policy for three reasons: (1) to highlight its valued position, especially in light of recent attempted encroachment of this principle by the entertainment industry (which has sought to have data networks act in an enforcement capacity of its alleged intellectual property rights); (2) to detach, from the broadly-construed Responsible Use of Electronic Communications, user obligations from university policy statements on monitoring and content; and (3) to bring those university policy statements into a single policy that articulates the protocols and procedures for the disclosure of network flow data.10
Similarly, Access to Electronic Mail details the rules regarding the forwarding, routing and disclosure of electronic mail. As such, it functions as a kind of "privacy" policy. By regulating and providing internal checks to disclosure, it contributes significantly to university-wide compliance with FERPA, FSMA and HIPAA. By the same token, this policy makes clear that the university does not offer employees a privacy right in electronic mail, even while acknowledging an employee's de minimis use of university resources. Because Data Stewardship and Custodianship does not cover electronic mail, and because of the unique qualities of e-mail, OIT formulated a policy specifically tailored to electronic mail.11 It should go a long way in advancing positive supervisor-employee relations in the workplace as well as fostering trust of IT systems and personnel throughout the university community.12
Finally, Mass Electronic Messaging combines pieces of all of these "privacy" policy principles. By distinguishing between emergency messaging and non-emergency bulk mailing, it sets thresholds, rules and procedures for mass messaging that operate to maintain the integrity of the network systems, respect the authority of administrative officials with purview for specific constituencies and protect users from unregulated proliferation of unsolicited university-generated mail messages. The proliferation of unsolicited, commercial mail messages, popularly known as "spam," further contributes to the need for regulation when and where possible within the university network. Additionally, these internal regulations are in keeping with new federal legislation that attempts to address the larger social, technical and financial burdens of spam.
VI. Regulation of the University's Property and Interests
Recording and Registration of Domain Names and Authentication and Authorization protect the university's property interests generally, and, in the area of data and intellectual property interests, specifically. The domain name cornell.edu in itself is an intellectual property interest, very much akin to trade or service mark protection that the university exercises over its "Cornell" name. Domain naming conventions perform an essential function on the Internet by organizing network protocol address and web page names in a coherent, manageable order. These conventions serve the mission of the university when used to properly identify Cornell to the Internet world through an appropriate hierarchical naming construction that mirrors the structure of the university. Furthermore, this policy provides for the recording of all names, cornell.edu and non-cornell.edu names, purchased with university funds as a kind of inventory and auditing mechanism. Registration of all names, including non-cornell.edu names housed on a university-owned machine, requires permission from unit, college or department heads. This provision protects the university from frivolous or inappropriate use of university resources. Altogether this policy affords the university protection of the intellectual property invested in its name, identification on the Internet, and preservation of university data and information technology resources.
Sound authentication and authorization practices protect the transmission and storage of university data. Authentication practices do so by seeking to determine "who you are," while authorization seeks assurance that "who you are" has the proper credentials to access a specific program, piece or collection of data. The validity of these processes is only as firm as the practices and technology used to effectuate them. For example, establishing good practices to determine that a student or employee is who they say they are when they enter the university, through a thorough admissions process or immigration check on employees, goes a long way in assuring that the person who receives a network identifier (NetID) and password for "John Doe" really is John Doe. Likewise, when a "John Doe" claims he wants to change his password, it is expected that the proper assurances be in place to establish the individual's identity as such before allowing him the access key to privileged information. Cornell's Kerberos, or central password program, never transmits passwords in clear text (which can be readily intercepted, interpreted and stolen by bad actors on the network). It provides a significant technical layer of protection of data.
Similarly, purported widespread violation of the prohibition against sharing passwords challenges the outreach and educational components of Cornell Information Technologies. These allegations, if true, indicate CIT has not done enough to educate users about the risk they pose to themselves as employees, to the data with which they work and to the university overall. A university-level policy that places the already existing prohibition of sharing passwords into the bold relief of protecting data may help the university community, and users of administrative data in particular, take a fresh look at current practices and may spur compliance programs in this area.
Authorization policies and protocols further refine the protection process. Units establish the rules for access to their data and have the responsibility of attempting to ensure that the right users have the right degree of access to the right amount of data. Perhaps one way to envision this policy is as the technical component of University Policy 4.12 Data Stewardship and Custodianship. That policy, which divides administrative data into seven functional areas, establishes the authority of data stewards to write and promulgate policies for the protection and use of the data under their control. Because data is increasingly created, transmitted and stored in an electronic form, stewards must rely on technical mechanisms to effectuate proper electronic security and credentialing processes that protect the privacy of and provide access to data.
VII. Conclusion
Information technologies contribute to higher education by providing communication, computing, and data transmission and storage tools that in turn can be used in myriad ways to nourish the mission of the university. IT policy explains the relationship between those technologies and their users within the institutional setting. An IT policy framework articulates that vision as a coherent whole by placing individual and discrete policies, their procedures and protocols, in this broad context.
This framework began with a brief history of the development of IT policy both from the national and Cornell perspective. It, too, is a time-bound document, however. Its main purpose is a description of the current OIT initiative to update Volume 5, Information Technologies, of the Cornell University Policy Library. Two interlocking themes give conceptual context to these policies: privacy and security of information technology resources and the regulation of the university's property interests. Together, these themes organize a comprehensive understanding of discrete policies, their relationship to and among each other and, finally, the specific ways in which they operate to further the mission of Cornell University.
Notes
1. Readers may also be familiar with another notable Cornell University IT document: Rights and Responsibilities of IT Resources. CIT prepared and issued this document as a reader-friendly interpretation of university IT policy in the mid-1990's. Also widely cited, it still receives over 10,000 Internet "hits" a year, mostly from Internet users from outside of Cornell University.
2. Administration, Finance and Facilities is a co-sponsor of this policy.
3. OIT and the Office of University Counsel co-sponsored this policy.
4. The Offices of University Counsel and Media and Communications partnered with OIT to promulgate this policy.
5. The IT Policy Office established these committees in 2001 as a means to prepare IT policies for the university policy process. An outgrowth of the Office of Finance and Administration, the UPO historically has favored middle-level business administrators as representatives to its PAG. IT policy, necessarily drawing on expertise in computer use, systems and networking, requires significant input from computer specialists, network engineers, network and system administrators as well as users from the entire campus community. Thus, the IT Policy Office created these two committees as a means to foster an open, vibrant discussion about IT policy development and deployment, and as such, they act as a prelude to the official university policy process. For more information on these committees, please see: http://www.cit.cornell.edu/oit/policy/drafts/.
6. The UPO "grandfathered" Abuse of Computers and Network Systems, the 1990 IT policy, into its university policy library, but it has never been through the university policy process nor set into the university policy office official format. At the end of the current OIT policy initiative to update Volume 5, it is expected that either this policy will remain as a legacy IT policy or, if its principles are properly covered in the course of the initiative, it will be retired.
7. OIT assisted in the development of University Policy 4.12, Data Stewardship and Custodianship, sponsored by partnership between Budget and Planning and University Counsel, and is working in conjunction with Student Academic Services (SAS) on a Disability Web Access Policy, for which SAS will be the responsible office.
8. "Malware" is a term for any software with a malevolent effect on systems or data.
9. Tracy Mitrano, "Civil Privacy and National Security Legislation: A Three Dimensional View," EDUCAUSE Review, November/December 2003.
10. Under University Policy 4.12, Data Stewardship and Custodianship, responsibility for the articulation of those rules falls to the functional data steward, the Vice President for Information Technologies. Nonetheless, because those rules have wide application for the university, University Policy 4.1, Formulation and Issuance of University Policy regulates promulgation.
11. Unique qualities include multiple "correspondents" and the fact that the nature of it is not certain until disclosed.
12. Other universities have chosen different policy formats. For example, the University of California system, through its Office of the President, has an Electronic Communications Policy, http://www.ucop.edu/ucophome/policies/ec/html/welcome.htm, which includes e-mail; its procedures are very similar to those set out in Cornell's draft policy.
APPENDIX 1
A CURRENT ROSTER OF THE POLICY STATEMENTS AND REASONS FOR POLICY FOR THE TEN OIT-SPONSORED IT POLICIES PROMULGATED OR ON OFFER THROUGH THE UNIVERSITY POLICY OFFICE
2004
1. University Policy 5.1, Responsible Use of Electronic Communications (1996, revised 1998)
Policy Statement
Cornell University expects all members of its community to use electronic communications in a responsible manner. The university may restrict the use of its computers and network systems for electronic communications, in response to complaints presenting evidence of violations of other university policies or codes, or state or federal laws. Specifically, the university reserves the right to limit access to its networks through university-owned or other computers, and to remove or limit access to material posted on university-owned computers.
Reason for Policy
The university seeks to enforce its policies regarding harassment and the safety of individuals; to protect the university against seriously damaging or legal consequences; to prevent the posting of proprietary software or the posting of electronic copies of literary works in disregard of copyright restrictions or contractual obligations; to safeguard the integrity of computers, networks, and data, either at Cornell or elsewhere; and to ensure that use of electronic communications complies with the provisions of the Campus Code of Conduct for maintaining public order or the educational environment.
**Impact Statement for Revision of Responsible Use of Electronic Communications, including a name change to Responsible Use of Information Technology Resources
Policy Statement
Cornell University expects all individuals using information technology devices connected to the Cornell network to use those resources responsibly.
Reason for Policy
Cornell University promulgates this policy to preserve the integrity of its information technology resources, to educate users about appropriate use of those resources and to further users' sense of responsibility in an academic community.
2. University Policy 5.2, Mass Electronic Mailing
Policy Statement
Cornell University employs consistent procedures for notification and processing mass electronic mailings to the following constituencies: faculty, staff (academic and non-academic), students, and alumni. The university expects anyone sending mass electronic mailings to any or all of these constituencies to do so in accordance with the procedures outlined in this document.
Reason for Policy
The university must exercise appropriate control over electronic communications so that it may properly maintain network performance and limit the number of unsolicited mail messages.
3. University Policy 5.3, Use of Escrow Encryption Keys
Policy Statement
Cornell University expects stewards, custodians, and users of institutional administrative data who deploy software or algorithmic programs for encryption to establish procedures ensuring that the university has access to all such records and data.
Reason for Policy
In furtherance of its missions and to comply with federal, state, and local regulation and law, the university must maintain access to all institutional administrative data transmitted or stored on computers owned by the university or used for university business.
4. University Policy 5.4.1, Reporting Security Incidents
Policy Statement
Users of information technology devices connected to the Cornell network must report all electronic security incidents promptly and to the appropriate party or office.
Reason for Policy
The network constitutes a substantial university resource, and the university's missions rely significantly on a secure electronic communication network. Prompt and consistent reporting of electronic security incidents protects and preserves these resources and aids the university's compliance with applicable law.
5. University Policy 5.5, Security of Information Technology Resources
Policy Statement
Cornell University expects all individuals using information technology devices connected to the Cornell network to take appropriate measures to manage the security of those devices.
Reason for Policy
The university must preserve its information technology resources, comply with applicable laws and regulations, comply with other university or unit policies regarding protection and preservation of data, and fulfill its missions. Toward these ends, faculty, staff, and students must share in the responsibility for the security of information technology devices.
6. University Policy 5.6, Recording and Registration of Domain Names
Policy Statement
Cornell University requires the central recording of all domain names purchased with Cornell funds and the registration of those names within the cornell.edu domain or hosted on Cornell domain name servers.
Reason for Policy
As owner of the Domain Name System (DNS) domain "cornell.edu," and in order to provide a coherent process for the assignment of domain names, the university must maintain a record of its domain name assets and register those names within the cornell.edu domain or hosted on Cornell domain name servers.
7. University Policy 5.7, Network Registry
Policy Statement
Cornell University requires network administrators or users to register all devices (including wireless hubs and switches) connected to the network in a continuously updated central CIT network registry service. At a minimum, the required information maintained in this registry must include MAC address and IP address, if static, as well as the network electronic identifier (NetID) of the primary user or the person responsible for the administration of the device.
Reason for Policy
To enhance the maintenance and security of the university network, and to alleviate potential legal liability, the university supports the creation of a central registry of devices connected to the university network.
8. University Policy 5.5, Access to Electronic Mail
Policy Statement
Cornell University prohibits custodians of email from intercepting, accessing, forwarding, routing, or disclosing email in which they are not correspondents, except in certain situations as outlined in this document. Furthermore, while the university permits limited personal use of Cornell-owned or controlled information technology resources, faculty and staff members (including student employees) do not acquire a right of privacy for communications transmitted or stored on university information technology resources.
Reason for Policy
The university strives to protect electronic mail from inappropriate disclosure in order to contribute to the trust of university information technology systems and comply with relevant laws regarding the protection of certain types of data.
9. University Policy 5.x, Authentication and Authorization
Policy Statement
The university will establish standards, best practices, processes, and an infrastructure to govern access to electronic data and resources. The Information Technologies Authentication and Authorization Policy sets forth the structure and processes for defining and enforcing standards for the university's authentication and authorization infrastructure. Its purview includes: 1) authentication regulations, 2) password requirements and management, 3) authorization standards, 4) a framework for handling policy exceptions, and 5) audit requirements. This policy also directs the IT Security Director and the Identity Management Program Director to establish the Advisory Group for Identity Management. The Advisory Group will steer the development, implementation, and maintenance of standards and best practices for authentication/authorization.
Reason for Policy
The university has the responsibility to control access to its information technology resources to facilitate and make more efficient use of its business practices, to increase security within the authentication and authorization processes, and to comply with federal, state, and local regulations. Failure to control access appropriately may have deleterious operational, financial and legal consequences. Centralized oversight of IT authentication and authorization also makes more efficient use of campus-wide IT resources and serves to protect administrative data.
10. University Policy 5.x, Privacy of Network and Network Flow Logs
Policy Statement
The university reserves the right to limit access to its networks when applicable university policies or codes, contractual obligations, or state or federal laws are violated, but does not monitor or generally restrict the content of material transported across those networks.
The university reserves the right to remove or limit access to material posted on university-owned computers when applicable university policies or codes, contractual obligations, or state or federal laws are violated, but does not monitor the content of material posted on university-owned computers.
The university does not monitor or generally restrict material residing on university computers housed within a private domain or on non-university computers, whether or not such computers are attached to campus networks.
Disclosure of network flow log data to third parties requires the permission of the Vice President of Information Technologies according to the following criteria: (1) as a response to a court order or other compulsory legal process; (2) when an appropriate university official has determined that there is a legitimate need to examine network flow log data in connection with an investigation involving a human resources matter or a legal or policy violation; (3) in health and safety emergencies.
Reason for Policy
To maintain the confidentiality, integrity and security of the university network and its network flow log data, as well as to create trust within the university community about the privacy of its data network.
