User login


Registration And Protection Of Systems Policy

Published: October 2013 

Revised: November 2014, September 2016, October 2017 


 I. Introduction


This Policy describes the requirements for security controls to protect Systems that process, transmit and/or store Data (as each is defined in the Columbia University Information Security Charter (the “Charter”) Such requirements differ depending on whether such Data is Sensitive Data, Confidential Data, Internal Data or Public Data (as each is defined in the Charter).


Any System that processes, transmits and/or stores Data must be registered in accordance with Section III(A) and have the minimum protections set forth in Section III(B) and, if applicable, Sections III(C), (D), (E), (F), (G) and/or (H), in each case for the most restricted class of Data that is processed, transmitted or stored on such System.


Capitalized terms used in this Policy without definition are defined in the Charter.


II. Policy History:


The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace the following University Policies:


  • CUIT Publishing Policy
  • Desktop and Laptop Security Policy, dated November 1, 2007
  • E-Commerce: Electronic Protection of Credit Card Holder Information Policy, dated June 2008, as amended in August 2009
  • Electronic Information Server Administrative Policy, dated March 1, 2007
  • Encryption Policy, dated December 1, 2007
  • Peer-to-Peer (P2P) File Sharing Policy, dated October 2008


and the following CUMC Policies:


  • General Information Security Policy, dated November 15, 2007
  • Information Security: Audit and Evaluation Policy, dated November 15, 2007
  • Information Security: Media, Backup and Controls, dated November, 2012.
  • System Registration and Certification Policy, dated May 13, 2011.


III. Policy Text

To see the full text of this policy, please use the link on the right.