Published: October 2013
Latest Revision: July 2016
Revised: April 2016, November 2014
In the course of carrying out its academic, research and clinical missions, faculty, staff and students at Columbia University (“Columbia” or the “University”) collect many different types of information, including financial, academic, medical, human resources and other personal information. The University values the ability to communicate and share information appropriately. Such information is an important resource of the University and any person who uses information collected by the University has a responsibility to maintain and protect this resource. Federal and state laws and regulations, as well as industry standards, also impose obligations on the University to protect the confidentiality, integrity and availability of information relating to faculty, staff, students, research subjects and patients. In addition, terms of certain contracts and University policy require appropriate safeguarding of information.
This Charter and the information security policies adopted by the University hereunder (collectively, the “Information Security Policies”) define the principles and terms of the University’s Information Security Management Program (the “Information Security Program”) and the responsibilities of the members of the University community in carrying out the Information Security Program. The current Information Security Policies are listed in Appendix A hereto.
The information resources (the “Information Resources”) included in the scope of the Information Security Policies are:
• All Data (as defined in Section IV below) regardless of the storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, CD, DVD, external drive, copier hard drive, etc.) and regardless of form (e.g., text, graphic, video, audio, etc.);
• The computing hardware and software Systems (as defined in Section IV below) that process, transmit and store Data; and
• The Networks (as defined in Section IV below) that transport Data.
The Information Security Policies are University-wide policies that apply to all individuals who access, use or control Information Resources at the University, including faculty, staff and students, as well as contractors, consultants and other agents of the University and/or individuals authorized to access Information Resources by affiliated institutions and organizations.
Capitalized terms used herein without definition are defined in Section IV below.
II. Charter History
The effective date of this Charter is November 1, 2013. This Charter and the other Information Security Policies replace (A) the following University Policies:
• Information Security Charter, dated July 1, 2007
• Information Security Policy Statement
and (B) the following CUMC Policy:
• Information Security Charter, dated December 1, 2010
To see the full text of this policy, please use the link on the right.