Effective Date: March 1, 2007
Any electronic information server containing University data must be configured using appropriate and necessary measures to ensure the security, integrity, and protection of the server and the data it contains against such threats as unauthorized access, inappropriate disclosure, malicious use, theft, disruption, or other compromise.
Reasons for the Policy
The University embraces an open information technology environment to encourage the use of technology in pursuit of the University's teaching, learning, research, and clinical missions and supporting administrative functions. However, within this open environment, the University must also preserve and safeguard its electronic information resources and comply with applicable laws and regulations, while facilitating activities that support the University's missions. In a highly distributed technological environment, responsibility for protecting the integrity of electronic information resources is broadly distributed. This policy assigns responsibility to server administrators throughout the University and defines the necessary security and control measures to protect the University's electronic information resources.
Primary Guidance to Which This Policy Responds
This policy responds to the need to protect University information resources and comply with applicable laws and regulations.
Responsible University Office & Officer
The Office of the Vice President, Columbia University Information Technology, is responsible for the maintenance of this policy and for responding to questions posed regarding this policy. The Vice President, Information Technology, is the Responsible Officer.
This policy was established in September 2006.
Who Is Governed by This Policy
This policy applies to all individuals who control, directly or indirectly, a University electronic information server.
Who Should Know This Policy
All individuals described above and all business and academic administrators.
Exclusions & Special Situations
Servers or services created after the effective date above must adhere to this policy. Existing systems covered by this policy must be brought into compliance no later than June 30, 2007.
Those with special requirements may define stricter policies or may apply for an exception if implementation of this policy is not technically feasible. Requests must be accompanied by a written plan stating why the exception is necessary, the duration of the exception, and the alternative interim measures that will be taken to protect the resources in question. The request and acceptance of the associated risk must be approved by the appropriate senior-level business owner and forwarded to email@example.com.