Effective Date: October, 2013
This Policy describes the requirements for security controls
to protect Endpoints that process, transmit and/or store Data
(as each is defined in the Columbia University Information Security
Charter (the “Charter”)) [http://policylibrary.columbia.edu/information-security-charter]. Such requirements differ depending on whether such Data is Sensitive Data, Confidential Data, Internal Data or Public Data (as each is defined in the Charter). No distinction is made in this Policy between an Endpoint owned by the University or personally owned. All Information Security Policies (as defined in the Charter) will apply to a personally owned Endpoint used for University business.
Any Endpoint that processes, transmits and/or stores Data must be registered in accordance with Section III(A) and have the minimum protection requirements set forth in Section III(B) or (C) and, if applicable, Sections III(D), (E) and/or (F), in each case for the most restricted class of Data that is processed, transmitted or stored on such Endpoint.
A PDF of this policy is also available to the right.
Capitalized terms used in this Policy without definition are defined in the Charter.
II. Policy History:
The effective date of this
Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:
III. Policy Text
A. Registration of Certain Endpoints
All Endpoints that process, transmit and/or store PHI and all Endpoints that are used for CUMC purposes must be registered with the IT Custodian or other person in a School, Department or business unit who is responsible for maintaining an inventory of Endpoints in his/her area of responsibility. All inventories of registered Endpoints must be provided to the CUMC Information Security Office. Registration will be carried out in accordance with the procedures established by each such IT Custodian or other person.
B. General Protection Requirements for Desktop and Laptop Computers
Each User shall ensure that the following protections, at a minimum, are implemented for each Endpoint that is a desktop or laptop computer:
C. General Protection Requirements for Mobile Devices
Each User shall ensure that the following protections, at a minimum, are implemented for each Endpoint that is a Mobile Device:
In addition, it is recommended, but not required, that the Endpoint contain a device recovery mechanism through the use of a GPS tracking system and if the Endpoint is a mobile phone not issued or financially subsidized by the University, it is enrolled in the University’s Emergency Text Message Notification System.
D. Additional Protection Requirements for Endpoints Containing Sensitive Data or Confidential Data
Each User shall ensure that, in addition to the protections described in Section B or C above, a record of what Sensitive Data or Confidential Data is stored on each Endpoint is maintained separately from the Endpoint.
In addition, it is recommended but not required, that Confidential Data be protected with password while in transit and in storage.
E. Additional Protection Requirements for Endpoints Containing Sensitive Data
Each User shall ensure that, in addition to the protections described in Section B or C and Section D above, the following protections are implemented for any Endpoint that processes, transmits and/or stores Sensitive Data:
Any Endpoint that exists on the Effective Date of this Policy and contains PHI, but cannot use encryption because of technology limitations, may be granted a special waiver by the applicable Information Security Office if such Office determines that there are compensating controls in place to address all major information security risks.
F. Additional Protection Requirements for Endpoints Containing PHI.
Each User shall ensure that, in addition to the protections described in Sections B or C and Section D and E above, the following protections are implemented for any Endpoint that processes, transmits and/or stores PHI:
G. Supplemental Requirements
The requirements lists set forth in this Policy are not comprehensive and supplemental controls may be required by the University to enhance security as necessary.
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy are listed in Appendix A hereto.
Information Resources Access Control and Log Management Policy http://policylibrary.columbia.edu/information-resource-access-control-and-log-management-policy
Information Security Charter http://policylibrary.columbia.edu/information-security-charter
Sanitization and Disposal of Information Resources Policy http://policylibrary.columbia.edu/sanitization-and-disposal-information-resources-policy