Effective Date: October, 2013
This Policy describes the process of authorizing, establishing, documenting, reviewing and modifying appropriate access to Columbia University Information Resources that process, transmit and/or store Data (as each term is defined in the University’s Information Security Charter (the “Charter”) [http://policylibrary.columbia.edu/information-security-charter]). Such access is limited to faculty, staff, students and contractors of the University who have been properly authorized to carry out legitimate business or academic tasks.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:
and (B) the following CUMC Policies:
III. Policy Text
A. Requirements for System Owners and IT Custodians
Each System Owner and IT Custodian must ensure that the following access controls are implemented for any Information Resource:
1. Procedures for (a) establishing and describing different levels of User access, (b) authorizing User access and (c) granting, revising and terminating User access are documented and periodically reviewed and revised as required so that access is granted only to Users who are necessary to accomplish the intended and approved purpose of the use.
2. The Information Resource is protected by authorization (access control) technology that employs unique User IDs and secret passwords unique to each User, and password management procedures include the protections described in Section B below. Use of a generic group identifier is not recommended and is prohibited for access to a System that contains Sensitive Data or Confidential Data.
3. Each Information Resource has a different administrative account and password and access to the password is restricted to as few people as possible. No unnecessary accounts are created on the Information Resource beyond those needed for administration and operation.
4. Access to the Information Resource locks after no more than 15 minutes of inactivity through an automatic locking mechanism, such as the use of a password protected screen saver or an equivalent alternative mechanism, unless the immediate area surrounding the Information Resource is physically secured or a waiver has been granted by the applicable Information Security Office.
5. All unnecessary or unused accounts are disabled and removed.
6. User access to any System that uses, stores or transmits Sensitive Data is reviewed on an annual basis.
B. Password Requirements
Each System Owner and IT Custodian must ensure that the following password protections are implemented for each Information Resource that processes, transmits or stores Sensitive Data:
1. Passwords are changed every 45-180 days.
2. Passwords may not be reused until two additional passwords have been used.
3. Users select and change their own passwords.
4. Passwords meet good password criteria, including:
5. Passwords are not displayed in clear text when being input into the System.
6. Default vendor or other pre-installed passwords are changed immediately following installation of a System.
7. The System “save password” feature is disabled.
8. Users are trained on good password practices.
It is recommended, but not required, that the foregoing password procedures be implemented for Information Resources other than those that process, transmit or store Sensitive Data.
C. Log-In Requirements
Each System Owner and IT Custodian must ensure that the following log-in protections are implemented for each Information Resource:
1. After a maximum of 6 unsuccessful attempts to enter a password, the User ID is either suspended until reset by an IT Custodian or temporarily disabled for no less than 3 minutes unless a waiver has been granted by the applicable Information Security Office.
2. System identifying information is minimized prior to successfully completing the log-in process.
3. The log-in process can (a) record failed log-in attempts and (b) upon completion of a successful log-in, record the date and time of the previous successful log-in.
4. Each CUMC System that processes, transmits or stores Sensitive Data or Confidential Data has a login banner that states the following:
“The information in University Systems at Columbia University is private and confidential and may be used only on a need-to-know basis. All access is logged. Unauthorized or improper use of a University System or the data in it may result in dismissal and/or civil or criminal penalties.”
D. Log Management
Each System Owner and IT Custodian must ensure that the following protections are implemented for each Information Resource that processes, transmits or stores Sensitive Data:
1. Logging is activated on each Server.
2. Logging is configured to keep track of access to Systems, Data and the Server itself.
3. Logs are retained for as long as it is operationally necessary; 29 days is recommended.
4. A Syslog or similar function is used to store logs on a separate System.
5. Logs are reviewed by the IT Custodian on a regular basis for unusual activity.
6. A process is established so that Log monitoring software is installed where available.
7. Logs generate the following Data:
8. Logs have audit mechanisms that generate reports of auditable events such as:
It is recommended, but not required, that the foregoing protections be implemented for Information Resources other than those that process, transmit or store Sensitive Data.
E. Remote Access
Each User must ensure that the following controls are implemented to remotely connect to the University’s Information Resources:
1. The controls meet or exceed the controls described in the Columbia University Registration and Protection of Endpoints Policy http://policylibrary.columbia.edu/registration-and-protection-endpoints-policy.
2. The University’s approved VPN is used, or the Information Resource is configured for remote access in a manner approved by the applicable Information Security
F. CUMC Emergency Access
In a clinical emergency (reasonably determined) at CUMC, if a health care professional who is treating the patient does not have access to a System storing EPHI relating to such patient, another health care professional who is able to access such EPHI from the System may do so on behalf of the treating health care professional.
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy are listed in Appendix A hereto.
Information Security Charter
Registration and Protection of Endpoints Policy