

Information Security Charter


Published: October 2013

Revised: November 2014, April 2016, July 2016, September 2016, October 2017, April 2018, July 2019, February 2020


I. Introduction


In the course of carrying out its academic, research and clinical missions, faculty, staff and students at Columbia University (“Columbia” or the “University”) collect many different types of information, including financial, academic, medical, human resources and other personal information. The University values the ability to communicate and share information appropriately. Such information is an important resource of the University and any person who uses information collected by the University has a responsibility to maintain and protect this resource. Federal and state laws and regulations, as well as industry standards, also impose obligations on the University to protect the confidentiality, integrity and availability of information relating to faculty, staff, students, research subjects and patients. In addition, terms of certain contracts and University policy require appropriate safeguarding of information.


This Charter and the information security policies adopted by the University hereunder (collectively, the “Information Security Policies”) define the principles and terms of the University’s Information Security Management Program (the “Information Security Program”) and the responsibilities of the members of the University community in carrying out the Information Security Program. The current Information Security Policies are listed in Appendix A hereto.


The information resources (the “Information Resources”) included in the scope of the Information Security Policies are:


  • All University Data (as defined in Section IV below) regardless of the storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, CD, DVD, external drive, copier hard drive, etc.) and regardless of form (e.g., text, graphic, video, audio, etc.);
  • The computing hardware and software Systems (as defined in Section IV below) that process, transmit and store Data; and
  • The Networks (as defined in Section IV below) that transport Data.


The Information Security Policies are University-wide policies that apply to all individuals who access, use or control Information Resources at the University, including faculty, staff and students, as well as contractors, consultants and other agents of the University and/or individuals authorized to access Information Resources by affiliated institutions and organizations.


Capitalized terms used herein without definition are defined in Section IV below.



To see the full text of this policy, please use the link on the right.