User login


Information Security Risk Management Policy

Effective Date: October, 2013

Revised: November 2014, July 2019


I.     Introduction

As provided in the Columbia University Information Security Charter (the “Charter”), the University is charged with protecting the confidentiality, integrity and availability of its Information Resources (as defined in the Charter). To accomplish this task, a formal Information Security Risk Management Program has been established as a component of the University’s Information Security Program (as defined in the Charter) to ensure that the University is operating with an acceptable level of risk. The Information Security Risk Management Program is described in this Policy.


Capitalized terms used herein without definition are defined in the Charter.


II.     Policy History

The effective date of this Policy is November 1, 2013.  This policy replaces the CUIMC Policy, EPHI1- Information Security Management Process, dated November 2007. 



III.    Policy Text



To see the full text of this policy, please use the link on the right.