Effective Date: July 1, 2007
Revised: October, 2013
In the course of carrying out its academic, research and clinical missions, faculty, staff and students at Columbia University (“Columbia” or the “University”), including Columbia University Medical Center (“CUMC”), collect many different types of information, including financial, academic, medical, human resources and other personal information. The University values the ability to communicate and share information appropriately. Such information is an important resource of the University and any person who uses information collected by the University has a responsibility to maintain and protect this resource. Federal and state laws and regulations, as well as industry standards, also impose obligations on the University to protect the confidentiality, integrity and availability of information relating to faculty, staff, students, research subjects and patients. In addition, terms of certain contracts and University policy require appropriate safeguarding of information. This Charter and the information security policies adopted by the University hereunder (collectively, the “Information Security Policies”) define the principles and terms of the University’s Information Security Management Program (the “Information Security Program”) and the responsibilities of the members of the University community in carrying out the Information Security Program.
The current Information Security Policies are listed in Appendix A hereto.
The information resources (the “Information Resources”) included in the scope of the Information Security Policies are:
The Information Security Policies are University-wide policies that apply to all individuals who access, use or control Information Resources at the University, including faculty, staff and students, as well as contractors, consultants and other agents of the University and/or individuals authorized to access Information Resources by affiliated institutions and organizations.
Capitalized terms used herein without definition are defined in Section IV below.
II. Charter History
The effective date of this Charter is November 1, 2013. This Charter and the other Information Security Policies replace (A) the following University Policies:
and (B) the following CUMC Policy:
III. Charter Text
The mission of the Information Security Program is to protect the confidentiality, integrity and availability of Data. Confidentiality means that information is only accessible to authorized users. Integrity means safeguarding the accuracy and completeness of Data and processing methods. Availability means ensuring that authorized users have access to Data and associated Information Resources when required.
This Charter establishes the various functions within the Information Security Program and authorizes the persons described under each function to carry out the terms of the Information Security Policies.
The functions are:
A. Executive Management
Executive Managers are senior University officials, including the Provost, Deans, Executive Vice Presidents, Vice Presidents, Department Chairs, Institute or Center Directors and Senior Business Officers, who are responsible for overseeing information security for their respective areas of responsibility and ensuring compliance with all Information Security Policies. Such responsibilities include, but are not limited to:
B. Security, Policy and Compliance Governance
The following committees have been established to govern security, policy and compliance issues relating to the Information Security Program at the organizational level:
C. Security Management
Security Managers are Managers in the Columbia University Information Security Office (the “CU Information Security Office”) and the Columbia University Medical Center Information Security Office (the “CUMC Information Security Office”; the CU Information Security Office and the CUMC Information Security Office being individually referred to as an “Information Security Office”). Security Managers are responsible for the day-to-day management of the Information Security Program, including:
In addition to the responsibilities listed above, the Executive Managers have granted the authority to the Information Security Office to conduct the following activities:
The University’s Information Security Officer and CUMC’s Information Security Officer are the Security Management responsible officers.
D. Data Ownership
Data Owners are University officials, including Directors, Officers of Instruction and Officers of Research, who are responsible for determining Data classifications, working with the applicable Information Security Office in performing risk assessments and developing the appropriate procedures to implement the Information Security Policies in their respective areas of responsibility. Such responsibilities include, but are not limited to:
E. System Ownership
System Owners are University officials, including Directors, Officers of Instruction and Officers of Research, who are responsible for determining computing needs, and applicable System hardware and software, in their respective areas of responsibility and ensuring the functionality of each such System. Such responsibilities include, but are not limited to:
F. Technical Ownership
IT Custodians are University personnel who are responsible for providing a secure infrastructure in support of Data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges as authorized by Data Owners or System Owners and implementing and administering controls over Data in their respective areas of responsibility. Such responsibilities include, but are not limited to:
G. System or Data Usage
Users are persons who use Information Resources. Users are responsible for ensuring that such Resources are used properly in compliance with the Columbia University Acceptable Usage of Information Resources Policy http://policylibrary.columbia.edu/acceptable-usage-information-resources-policy, that information is not made available to unauthorized persons and that appropriate security controls are in place.
As used in the Information Security Policies, the following terms are defined as follows:
AES: the Advanced Encryption Standard adopted by the U.S. government.
Approved OHCA Email System: as defined in the Columbia University Email Usage Policy http://policylibrary.columbia.edu/email-usage-policy-1.
Columbia or the University: as defined in Section I of this Charter.
Columbia Covered Entity: as defined in the Columbia University Email Usage Policy http://policylibrary.columbia.edu/email-usage-policy-1.
Confidential Data: any information that is contractually protected as confidential information and any other information that is considered by the University appropriate for confidential treatment. See the Columbia University Data Classification Policy http://policylibrary.columbia.edu/data-classification-policy for examples of Confidential Data.
Covered Entity: as defined in HIPAA (45 CFR 160.163).
CU/Hospital OHCA: The OHCA of which Columbia, NewYork-Presbyterian Hospital and Weill Cornell Medical Center are members.
CU Information Security Office: as defined in Section III(C) of this Charter.
CUIT: Columbia University Information Technology.
CUMC: as defined in Section I of this Charter.
CUMC Information Security Office: as defined in Section III(C) of this Charter.
CUMC IT: Columbia University Medical Center Information Technology.
Data: all items of information that are created, used, stored or transmitted by the University community for the purpose of carrying out the institutional mission of teaching, research and clinical care and all data used in the execution of the University’s required business functions.
Data Owner: as defined in Section III(D) of this Charter.
Email System: a System that transmits, stores and receives emails.
Endpoint: any desktop or laptop computer (e.g., Windows, Mac, Linux/Unix), Mobile Device or other portable device used to connect to the University wireless or wired Network, access Columbia email from any local or remote location or access any institutional (University, NewYork-Presbyterian Hospital, departmental or individual) System either owned by the University or by an individual and used for University purposes.
EPHI: Electronic Personal Health Information.
FERPA: the Family Educational Rights and Privacy Act.
HIPAA: the Health Insurance Portability and Accountability Act.
HITECH: the Health Information Technology for Economic and Clinical Health Act.
IDEA: the International Data Encryption Algorithm.
Information Resources: as defined in Section I of this Charter.
Information Security Office: as defined in Section III(C) of this Charter.
Information Security Policies: as defined in Section I of this Charter.
Information Security Program: as defined in Section I of this Charter.
Internal Data: as defined in the Columbia University Data Classification Policy http://policylibrary.columbia.edu/data-classification-policy.
IP: Internet Protocol.
IT Custodian: as defined in Section III(F) of this Charter.
Key Business System: as defined in the Columbia University Business Continuity and Disaster Recovery Policy http://policylibrary.columbia.edu/business-continuity-and-disaster-recovery-policy.
MAC: Media Access Control.
Mobile Device: a smart/cell phone (e.g., iPhone, Blackberry, Android, Windows phone), tablet (e.g., iPad, Nexus, Galaxy Tab and other Android-based tablets) or USB/removable drive.
Network: electronic Information Resources that are implemented to permit the transport of Data between interconnected endpoints. Network components may include routers, switches, hubs, cabling, telecommunications, VPNs and wireless access points.
OHCA: an Organized Health Care Arrangement, which is an arrangement or relationship, recognized in the HIPAA privacy rules, that allows two or more Covered Entities who participate in joint activities to share PHI about their patients in order to manage and benefit their joint operations.
Payment Card: for purposes of PCI-DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.
PCI: Payment Card Industry.
PCI-DSS: the PCI Data Security Standard produced by the PCI–SSC, which mandates compliance requirements for enhancing the security of payment card data.
PCI-SSC: the PCI Security Standards Council, which is an open global forum of payment brands, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc, that are responsible for developing the PCI-DSS.
Peer: a network participant that makes a portion of its resources, such as processing power, disk storage or network bandwidth, directly available to other network participants, without the need for central coordination by Servers or stable hosts. Examples include KaZaa, BitTorrent, Limewire and Bearshare.
Peer-to-Peer File Sharing Program: a program that allows any computer operating the program to share and make available files stored on the computer to any machine with similar software and protocol.
PHI: as defined in the Columbia University Data Classification Policy http://policylibrary.columbia.edu/data-classification-policy.
PII: as defined in the Columbia University Data Classification Policy http://policylibrary.columbia.edu/data-classification-policy.
Public Data: as defined in the Columbia University Data Classification Policy http://policylibrary.columbia.edu/data-classification-policy.
Removable Media: CDs, DVDs, USB flash drives, external hard drives, Zip disks, diskettes, tapes, smart cards, medical instrumentation devices and copiers.
Risk Analysis: The process of identifying, estimating and prioritizing risks to organizational operations, assets and individuals. “Risk Assessment” is synonymous with “Risk Analysis”.
Risk Management Program: The combined processes of Risk Analysis, Risk Remediation and Risk Monitoring.
Risk Monitoring: The process of maintaining ongoing awareness of an organization’s information security risks via the risk management program.
Risk Remediation: The process of prioritizing, evaluating and implementing the appropriate risk-reducing security controls and countermeasures recommended from the risk management process. “Risk Mitigation” or “Corrective Action Planning” is synonymous with “Risk Remediation”.
RSA: the Rivest-Shamir-Adleman Internet encryption and authentication system.
Sensitive Data: any information protected by federal, state and local laws and regulations and industry standards, such as HIPAA, HITECH, FERPA, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS. See the Columbia University Data Classification Policy http://policylibrary.columbia.edu/data-classification-policy for examples of Sensitive Data.
Server: any computing device that provides computing services, such as Systems and Applications, to Endpoints over a Network.
SMTP: Simple Mail Transfer Protocol, which is an internet transportation protocol designed to ensure the reliable and efficient transfer of emails and is used by Email Systems to deliver messages between email providers.
SSL: the Secure Sockets Layer security protocol that encapsulates other network protocols in an encrypted tunnel.
Student Education Records: as defined in the Columbia University Data Classification Policy http://policylibrary.columbia.edu/data-classification-policy.
System: Server based software that resides on a single Server or multiple Servers and is used for University purposes. “Application” or “Information System” is synonymous with “System”.
System Owner: as defined in Section III(E) of this Charter.
UPS: Uninterruptible Power Supply.
User: as defined in Section III(G) of this Charter.
User ID: a User Identifier.
VPN: Virtual Private Network.
Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access; (b) mandatory attendance at additional training; (c) a letter to the individual’s personnel or student file; (d) administrative leave without pay; (e) termination of employment or non-renewal of faculty appointment or student status; or (f) civil or criminal prosecution.
VI. Applicable Laws, Regulations and Industry Standards
The federal and New York State laws and regulations and industry standards that are applicable to information security at the University are listed in Appendix B hereto.
Information Security Policies
Information Security Charter
Acceptable Usage of Information Resources Policy
Business Continuity and Disaster Recovery Policy http://policylibrary.columbia.edu/business-continuity-and-disaster-recovery-policy
Data Classification Policy
Electronic Data Security Breach Reporting and Response Policy http://policylibrary.columbia.edu/electronic-data-security-breach-reporting-and-response-policy
Email Usage Policy
Information Resource Access Control and Log Management Policy http://policylibrary.columbia.edu/information-resource-access-control-and-log-management-policy
Information Security Risk Management Policy http://policylibrary.columbia.edu/information-security-risk-management-policy
Network Protection Policy
Registration and Protection of Systems Policy
Registration and Protection of Endpoints Policy http://policylibrary.columbia.edu/registration-and-protection-endpoints-policy
Sanitization and Disposal of Information Resources Policy http://policylibrary.columbia.edu/sanitization-and-disposal-information-resources-policy
Social Security Number (SSN) Usage Policy
Applicable Federal and New York State Laws and Regulations
The Digital Millennium Copyright Act
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
The Gramm-Leach-Bliley Act
(Financial Services Modernization Act of 1999)
The Health Insurance Portability and Accountability Act (HIPAA)
The Health Information Technology for Economic and Clinical Health Act (HITECH)
New York State
New York State Information Security Breach and Notification Act
Social Security Number Protection Law, 309-DDD and 309-DDD*2
Payment Card Industry/Data Security Standard