Policy Statement
This policy defines the requirements for the responsible use of Peer-to-Peer (P2P) file sharing programs for the University. Peer-to-peer file sharing is not permitted on computer systems containing highly sensitive data. Where peer-to-peer file sharing is essential, Columbia University requirements defined in this policy must be met to avoid exposure of confidential/sensitive data.
Reason for the Policy
P2P applications (e.g., KaZaa, iMesh, Morpheus, LimeWire, Gnutella, BitTorrent and others) allow any computer operating this software and connected to the internet to share files stored on the system and make them available to any machine with similar software and protocol. If the computer is part of the peer-to-peer network, then sharable files are visible to the world; if there are confidential / sensitive files and data in the share directory, this information also becomes available for download.
Primary Guidance to Which This Policy Responds
This policy responds to the Acceptable Use of IT Resources (Network and Computing) Policy, the Desktop and Laptop Security Policy, and Data Classification Policy.
Responsible University Office & Officer
The office of Columbia University Information Technology Security is responsible for the maintenance of this policy, and for responding to questions regarding this policy. The Chief Information Security Officer (CISO) is the responsible officer.
Revision History
This policy was established in October 2008.
Who is Governed by This Policy
This policy applies to all individuals who access, use, or control University electronic information resources. Those individuals covered include employees and those working on behalf of the University (e.g., consultants).
Who Should Know This Policy
All individuals governed by this policy should be familiar with it.
Exclusions & Special Situations
None
Policy Text
Peer-to-peer file sharing is not allowed on computer systems containing highly sensitive data. Highly Sensitive Data is information protected by statutes, regulations, Columbia University policies or contractual language (e.g., medical records, student records and other non-public student data, Social Security Numbers, financial, personnel and/or payroll records, research and research-related materials, and any data identified by government regulation to be treated as confidential). Confidential / Sensitive Data may be disclosed to individuals only on a need-to-know basis. View the link below for the complete text of the Data Classification policy.
http://policylibrary.columbia.edu/data-classification-policy
If a business process requires peer-to-peer functionality and has no alternate options, and there is no sensitive data, the user needs to contact IT support and ensure that the peer-to-peer applications are configured correctly. Computers with peer-to-peer connectivity should not be set up to perform 'auto-discovery' type network searches or to act like a file server. Share only those files that are required to be shared. Do not place other non-sharable files in the shared folder or directory.
Responsibilities
Each user is responsible for ensuring that his/her machine is compliant with the policy. Failure to abide by this policy may result in disciplinary action and/or sanctions up to and including discharge or dismissal, in accordance with Columbia University policy and procedures.
Violations of the policy may result in the immediate suspension of the computer account and network access pending investigation of the circumstances, and may lead to termination.
Contacts
For questions or comments:
Columbia University Information Technology
Web: http://www.columbia.edu/cuit/support/
Email: security@columbia.edu
Telephone: 212-854-1919
Cross References to Related Policies
For CUIT Security Policies, see the University Administrative Policy Library, Information Technology (CUIT) section:
http://policylibrary.columbia.edu/by-responsible-office
See the "Acceptable Use of IT Resources (Network and Computing)" Policy, the "Desktop and Laptop Security" Policy, and the "Data Classification" Policy for related information.