Cornell IT Security Requirements

The IT Security Office, in conjunction with the IT Security Council, has developed requirements for securing university systems and data. These requirements are mandated in Policy 5.10 Information Security of Institutional Data, which is currently in draft:

http://www.cit.cornell.edu/policy/drafts/InstData.html

The IT Security Council will review and, as needed, revise the requirements on an annual basis. Please send any comments or questions to security-services@cornell.edu.

The policy provides for two sets of requirements:

Baseline IT Security Requirements

These requirements are intended to ensure a reasonable yet effective level of security for most campus systems and networks. Adhering to this set of basic good practices should not prove difficult for individuals and departments.

These requirements will be effective starting six months after the release of Policy 5.10.

IT Security Requirements for Confidential Data

This set of additional, more stringent requirements applies to the storage and handling of information classified as Confidential Data. This classification currently comprises Social Security, credit card, driver's license and bank account numbers, and patient treatment information. In the future, the appropriate senior officers of the university may decide to add other data elements.

Since some departments may face additional costs in meeting these supplementary requirements, they will not be effective until the second quarter of the fiscal year following promulgation of the policy.

Additional material

As the target audience for these requirements is IT support personnel, they are couched in fairly technical language. We will be producing both an overview for non-technical readers and material for end-users who need to secure their individual computers.