
Impact Statement
for Proposed Revision to Policy:
University Policy 5.1, Responsible Use of Electronic Communications
Proposed New Name: Responsible Use of Information Technology Resources


Submitted: December 20, 2005
Responsible Executive: Vice President for Information Technologies
Representing Office: Office of Information Technologies

I. Background

Responding to the "computer worm" incident in 1988, Cornell University led the effort in higher education to establish a robust policy framework for information technology. "Abuse of Computers and Network Systems" laid down essential requirements for achieving appropriate use of information technology resources. In 1995, these principles guided the development and promulgation of University Policy 5.1, Responsible Use of Electronic Communications, which includes special rules for network administrators.

Since 1995, the Office of Information Technologies (OIT) has sponsored a number of Information Technology (IT) policies, each expanding on different aspects of the original "Responsible Use" policy. Also since that time, the university revised its "Code of Conduct" to address IT-related harassment, several new federal and state IT-related laws were enacted, and in 2001, Cornell developed a plan to protect and preserve administrative data on IT systems ("The IT Policy Framework").

OIT proposes that this policy now be revised to complete Cornell's IT policy framework and achieve conformity with new legal requirements and the latest IT standards. OIT also proposes that this policy be renamed to incorporate management of all aspects of information technology resources, including data, and to be consistent with companion University Policy 5.4.1, Security of Information Technology Resources.

II. Policy Statement

Cornell University expects all individuals using information technology resources to take appropriate measures to manage the data on their devices.

III. Reason for Policy

Cornell must preserve and protect administrative data transmitted and stored on its systems and comply with applicable federal and state legislation.

IV. Overview of Policy Content

This policy establishes categories of users, comprising stewards, unit heads, custodians, and individuals, and governs the varying authority and responsibilities of these users with regard to managing administrative data on Cornell's IT resources. Such responsibilities include categorizing and inventorying data, as well as implementing technical procedures to safeguard federally protected data. For details on responsibilities by user category, see Appendix A. For details on the technical procedures, see Appendix B.

V. Consistency with Cornell University's Mission and Goals, Other Policies and Related External Documents

This policy helps bring the university into compliance with the following legislation:

  • Digital Millennium Copyright Act (DMCA)
  • Family Educational Rights and Privacy Act
  • Health Insurance Portability and Accountability Act
  • Financial Services Modernization Act
  • New York State Security Breach and Notification Act (effective December 8, 2005)
  • Various other state data breach notification laws

Related existing university policies are:

VI. Entities, Offices, and Other Cornell Community Members Affected by this Policy

All units of the university

VII. Impact on the University

Implementing this policy could create costs with regard to education, training, and system changes that may be required. However, there are several benefits for the university in promulgating this policy, namely:

  • increased security of all administrative data
  • improved efficiency in transmitting and storing administrative data across the university's IT networks and systems
  • significant reduction in liability and damage to Cornell's reputation by complying with relevant laws

VIII. Stakeholders to Be Consulted in Developing this Policy

  • IT Policy Advisory Group
  • IT Manager's Council
  • IT Security Council
  • University Audit
  • University Counsel
  • Office of Risk Management and Insurance
  • College Business Officers/Business Service Center Directors
  • Office of Human Resources
  • Dean of the Faculty
  • Faculty Advisory Board for Information Technology (FABIT)
  • Administrative Systems Planning Group (ASP)
  • Cornell Computing Directors (CCD)
  • Weill Medical College, James R. Kahn, Deputy University Counsel

IX. Systems Changes Required

Custodians may have to make system changes to implement technical procedures for applying minimum security standards for managing administrative data. For details regarding technical procedures, see Appendix B.

X. Communications and Training Activities to Be Conducted and to Build Awareness and Enable Implementation

The OIT Policy and Security Offices will oversee this policy and provide documentation and training to the university community.

XI. Compliance Mechanisms Existing or to Be Created

University Audit and University Counsel will oversee compliance with legal standards. OIT Policy, seat of the Digital Millennium Copyright Act (DMCA) Registered Agent, will oversee education, training, and DMCA compliance.

XII. Timing Requirements for this Policy

This policy should be promulgated as soon as possible to comply with governing legislation.

Appendix A
Responsibilities for Use of IT Resources by User Category

Responsibilities by user category:

Data Steward (Vice President)
  • Inventory data under his/her jurisdiction
  • Categorize data into one of three categories:
    • Federally protected
    • Cornell University confidential
    • Public
  • Establish rules for disclosing and authorizing access to administrative data
  • Conduct annual risk assessments of security and privacy practices

Unit Head (Administrators)
  • Assume responsibility for data under his/her control
  • Deploy procedures to comply with steward's rules for disclosing, categorizing, and authorizing access to administrative data
  • Deploy procedures for meeting minimum standards for data security according to data classification (see Appendix B)
  • Negotiate with stewards in cases of disclosing mixed data sets (i.e., more than one data category or steward)

Custodian (Local Support Provider)
  • Execute unit's procedures for disclosing, categorizing, and authorizing access to administrative data
  • Execute unit's procedures for meeting minimum standards for data security according to data classification (see Appendix B)
  • Report all data breach incidents

General User (Individuals)
  • Do not allow illegal or otherwise damaging data on the device(s) to which he/she is assigned (e.g., obscene or copyright-infringing material, viruses)

Note: Every user assumes the role of a general user, even if that individual also assumes the obligations of other categories by virtue of their role at the university.

Appendix B
Technical Procedures for Applying Minimum Security Standards by Classification of Data

Note: The Director of IT Security, in consultation with the IT Security Council, IT Managers' Council, and other stakeholders, determines technical procedures and reviews them annually, at a minimum. Specific procedures will not be included in the final policy draft, but will be maintained separately on a Web page and linked to from within the policy document.

The Draft Minimum Security Standards are at http://www.cit.cornell.edu/computer/security/prop-baseline.html.