The IT Security Office, in conjunction with the IT Security Council, has developed requirements for securing university systems and data. These requirements are mandated in Policy 5.10 Information Security of Institutional Data:
The IT Security Council will review and, as needed, revise the requirements on an annual basis. Please send any comments or questions to security-services@cornell.edu
The policy provides for two sets of requirements:
These requirements are intended to ensure a reasonable yet effective level of security for most campus systems and networks. Adhering to this set of basic good practices should not prove difficult for individuals and departments.
These requirements will be effective starting January 1, 2009.
This set of additional, more stringent requirements applies to the storage and handling of information classified as Confidential Data. The current set of Confidential data elements is included in the requirements.
Since some departments may face additional costs in meeting these supplementary requirements, they will be not effective until the second quarter of the fiscal year following promulgation of the policy.
Summary of changes to both sets of requirements since Version 1.0 of November 1, 2007.
As the target audience for these requirements is IT support personnel they are couched in fairly technical language. We will be producing both an overview for non-technical readers and material for end-users who need to secure their individual computers.
