CORNELL UNIVERSITY POLICY LIBRARY
Security of Information Technology Resources
Information Technologies, Chapter 4: Security
Chief Information Officer and Vice President for Information Technologies
Originally Issued: June 1, 2004
Last Full Review: December 13,

POLICY STATEMENT
Cornell University expects all individuals using information technology resources to take appropriate measures to manage the security of those resources. In addition, the university establishes roles and responsibilities surrounding the procedures required for the security of these resources.

REASON FOR POLICY
The university must preserve its information technology resources, comply with applicable laws and regulations, and comply with other university or unit policy regarding the protection and preservation of data. Given the distributed nature of information technologies and the complexity of managing the security of information technology devices, the university wishes to set forth a foundation for the alignment of roles and responsibilities with regard to specific procedures.

ENTITIES AFFECTED BY THIS POLICY
Ithaca-based locations
Cornell Tech campus
Weill Cornell Medicine campuses

WHO SHOULD READ THIS POLICY
All university community members

MOST CURRENT VERSION OF THIS POLICY
https://www.dfa.cornell.edu/policy/policies/security-information-technology-resources
CONTENTS
Policy Statement
Reason for Policy
Entities Affected by this Policy
Who Should Read this Policy
Most Current Version of this Policy
Contents
Related Resources
Contacts, Ithaca-Based Locations and Cornell Tech
Definitions
Responsibilities, Ithaca-Based Locations and Cornell Tech
Principles
  Introduction
Procedures, Ithaca-Based Locations and Cornell Tech
  Obligations of the User
  Obligations of a Local Support Provider
  Obligations of the Unit Security Liaison
  Obligations of the Operating Unit Head
  Limits of Operating Unit Head Delegation of Responsibility
  Obligations of the Chief Information Security Officer (CISO)
  Violations
  Enforcement
RELATED RESOURCES
University Policies and Documents
University Policy 4.2, Transaction Authority and Payment Approval
University Policy 4.6, Standards of Ethical Conduct
University Policy 4.12, Data Stewardship and Custodianship
University Policy 5.1, Responsible Use of Information Technology Resources
University Policy 5.4.2, Reporting Electronic Security Incidents
University Policy 5.8, Authentication to Information Technology Resources
University Policy 6.11.3, Employee Discipline
Campus Code of Conduct
Code of Academic Integrity
Cornell University's Policy on Abuse of Computers and Network Systems
Data Privacy Incident Response Team (DPIRT)
Ithaca Information Security and Privacy Advisory Committee (ISPAC)
Securing your Computer

External Documentation
Financial Services Modernization Act
Health Insurance Portability and Accountability Act (HIPAA)
New York State Penal Law Article 156, Offenses Involving Computers
CONTACTS, ITHACA-BASED LOCATIONS AND CORNELL TECH
Direct any general questions about this policy to your college or unit administrative office. If you have questions about specific issues, contact the following offices.

Contacts, Ithaca Campus Units

Subject | Contact | Telephone | Email/Web Address
Initial Contact for Questions | Local support provider | Unit-specific |
Policy Clarification | IT Security Office | (607) 255-8421 | security@cornell.edu; www.it.cornell.edu/security/
Best Practices for Configuring and Securing IT Devices | IT Security Office | (607) 255-8421 | security@cornell.edu; www.it.cornell.edu/security/
Computers and Network Systems | Chief Information Officer and Vice President for Information Technologies | (607) 255-8054 | www.cio.cornell.edu
Legal Issues | Office of University Counsel | (607) 255-5125 | counsel.cornell.edu
Security of Network Systems | IT Security Office | (607) 255-8421 | security@cornell.edu; www.it.cornell.edu/security/
DEFINITIONS
These definitions apply to terms as they are used in this policy.

Critical Security Notice: A memo that identifies operational or systemic information technology (IT) deficiencies or omissions that have the potential to pose risk to the university.

Data Privacy Incident Response Team (DPIRT): A committee that determines and guides the institution's response to the loss or exposure of university data. It is composed of representatives of University Counsel, Risk Management and Insurance, University Communications, Audit, IT Security, and IT Policy, and is chaired by the chief information officer.

Electronic Security Incident: Electronic activities that result in damage to or misuse of the Cornell network or a device connected to it.

Information Technology (IT) Device: Any device involved with the processing, storage, or forwarding of information making use of the Cornell IT infrastructure or attached to the Cornell network. These devices include, but are not limited to, laptop computers, desktop computers, personal digital assistants, servers, network devices such as routers or switches, and printers.

Information Technology (IT) Resources: The full set of IT devices (personal computers, printers, servers, networking devices, etc.) involved in the processing, storage, and transmission of information.

Local Support Provider: An individual with principal responsibility for the installation, configuration, security, and ongoing maintenance of an IT device (e.g., a system administrator or network administrator).

Operating Unit: An operating unit of the university, as defined in University Policy 4.2, Transaction Authority and Payment Approval.

Operating Unit Head: The dean or vice president with responsibility for an operating unit.

Software Patch: Software that is distributed to fix a specific set of problems or vulnerabilities in such things as computer programs or operating systems. A computer vendor will usually distribute a patch as a replacement for, or an insertion in, compiled code within computer operating systems or applications.

Unit Security Liaison: The person whom the operating unit head designates as the primary contact for the chief information security officer (CISO).

User: Any individual who uses an IT device, such as a computer.

Virus: A computer program that typically hides in the background and replicates itself from one IT device to another by attaching itself to existing programs or parts of the operating system. A virus often spreads automatically to other IT devices via the sharing of computer media, mail attachments, or website transfers.
RESPONSIBILITIES, ITHACA-BASED LOCATIONS AND CORNELL TECH
Draft Date: December 13,
The major responsibilities each party has in connection with this policy are as follows:

Chief Information Security Officer (CISO)
- Develop a comprehensive security program that includes risk assessment, best practices, education, and training.
- Identify, analyze, resolve, and report Cornell electronic security incidents.
- Assist or lead electronic security incident resolution for the university and individual units, and specifically in the Data Privacy Incident Response Team (DPIRT) process.
- Issue critical security notices to unit heads and security liaisons.
- Develop, implement, and support university-level security monitoring and analysis.
- Support and verify compliance with federal, state, and local legislation.

Ithaca Information Security and Privacy Advisory Committee (ISPAC)
- Advise the chief information officer on information technology security, privacy, and related policy and compliance matters.

Local Support Provider
- Maintain knowledge of IT devices under his or her control through identification and understanding of their usage.
- Follow safe security practices when administering IT devices under his or her control.
- Follow electronic security incident reporting requirements in accordance with University Policy 5.4.2, Reporting Electronic Security Incidents.

Operating Unit Head
- Assume responsibility for the security of IT resources within the operating unit.
- Understand and accept the nature of risk for the operating unit that may be created as a result of the use of IT resources.
- Identify a unit security liaison.
- Implement unit security programs consistent with this policy.

Unit IT Manager
- Provide operational oversight for the operating unit's IT resources.
- Consult with CIT regarding campus IT issues.

Unit Security Liaison
- Act as the unit point of contact with the chief information security officer.
- Implement and document an information security program consistent with (a) the requirements of this policy (for example, the implementation of risk assessment, best practices, education, and training), (b) the recommendations and guidelines supplied by the IT Security Office, and (c) the specific IT security needs of the operating unit.
- Act as the security coordinator for the local support providers (in operating units where the unit security liaison is not the local support provider).
- Implement unit procedures and protocols for the reporting of electronic security incidents in accordance with University Policy 5.4.2, Reporting Electronic Security Incidents.
- Work with the operating unit head, IT manager, director, and other relevant personnel to address critical security notices issued by the IT Security Office.

User
- Comply with the current policies, requirements, guidelines, procedures, and protocols concerning the security of the university's electronic networks and devices.
- Protect IT resources under his or her control with measures such as the responsible use of secure passwords, appropriately establishing an administrator password, and timely antivirus updates.
- Assist in the performance of remediation steps in the event of a detected vulnerability or compromise.
- Comply with directives of university officials, such as the security officer and his or her delegates, to maintain secure devices attached to the network with regard to software patches and/or virus protection.
- Take note of circumstances in which he or she may assume the responsibilities of a local support provider, e.g., by attaching a personal computer to the Cornell network or working remotely from home.
- Follow electronic security incident reporting requirements in accordance with University Policy 5.4.2, Reporting Electronic Security Incidents.
PRINCIPLES
Introduction
In order to manage information technology (IT) security comprehensively, this policy serves six major purposes.
1. It establishes the principle that every IT device connected to the Cornell network and/or which processes Cornell data must have at least one individual managing the security of that device.
2. It establishes that the operating unit head is responsible for the secure use of IT resources by the operating unit. This includes adoption of Cornell IT policy and, with guidance from the chief information security officer, adoption of other IT security practices as appropriate for the operating unit's mission.
3. It requires units to designate unit security liaisons (see the Obligations of the Unit Security Liaison segment of the procedures).
4. It creates the following five categories of individuals, each with specific obligations regarding the security of IT devices:
   - User
   - Local support provider
   - Unit security liaison
   - Operating unit head
   - Chief information security officer
5. It delineates specific responsibilities for each category of user.
6. It creates the foundation for the university's administrative approaches to IT security by aligning roles and responsibilities with technical procedures.

Note: All users of IT devices must follow the procedures outlined in the Obligations of the User section of the procedures.

Note: The focus of this policy is on the security of IT devices and resources, and not on specifics for the management of data or any particular class of data. For information concerning data, please consult University Policy 4.12, Data Stewardship and Custodianship, which provides the authority for and guidance toward the development of policy for the preservation and proper management of data in specific functional areas.

Note: As a foundational policy, this policy relies on other university policies; see Related Resources for more information about those policies.
PROCEDURES, ITHACA-BASED LOCATIONS AND CORNELL TECH
Obligations of the User
Any individual who uses an information technology (IT) device (see Definitions) is a user. Each of these devices may or may not have a local support provider assigned to it. Users have different obligations, based upon whether a local support provider has been assigned to a particular device. Typically, university-owned IT devices located in campus workspaces have local support providers assigned to them. On the other hand, personally owned computers used to connect to the Cornell network from any location (home, off campus, residence hall, or other on-campus location) usually do not.

Note: If you cannot perform or do not understand any of the obligations assigned to users, contact the IT Service Desk at itservicedesk@cornell.edu.

Obligations of a User Whose Device Does Have a Local Support Provider
1. Understand and comply with current policies, requirements, guidelines, procedures, and protocols concerning the security of the university's electronic networks and devices (see Related Resources).
2. Comply with guidelines and practices established by the local support provider for the IT device.
3. Contact your local support provider whenever a questionable situation arises regarding the security of your IT device.
4. Report all electronic security incidents to your local support provider immediately, as detailed in University Policy 5.4.2, Reporting Electronic Security Incidents.

Obligations of a User Whose Device Does Not Have a Local Support Provider
(If you cannot perform or do not understand any of the obligations below, contact the IT Service Desk at itservicedesk@cornell.edu.)
1. Understand and comply with current policies, requirements, guidelines, procedures, and protocols concerning the security of the university's electronic networks and IT devices (see Related Resources).
2. Update campus-wide security applications, including antivirus software and operating system updates, in a timely fashion.
3. Protect the resources under your control with the responsible use of secure passwords and by appropriately establishing an administrator password.
4. Assist in the performance of remediation steps in the event of a detected vulnerability or compromise.
5. Comply with directives of university officials, such as the chief information security officer (CISO), unit security liaison, or local support provider(s), to maintain secure devices attached to the network.
6. Follow electronic security incident reporting requirements in accordance with University Policy 5.4.2, Reporting Electronic Security Incidents.

Obligations of a Local Support Provider
A local support provider is the individual with principal responsibility for the installation, configuration, and ongoing maintenance of an IT device (e.g., a system administrator or network administrator). A local support provider seeking guidance or clarification should contact his or her unit security liaison or the CISO. The local support provider is responsible to do the following:
1. Be knowledgeable of and comply with the current policies, requirements, guidelines, procedures, and protocols concerning the security of the university's IT resources.
2. Follow appropriate best-practice guidelines for configuring and securing IT devices. See https://it.cornell.edu/device-security.
3. Understand and document the specific configurations and characteristics of the IT devices he or she supports, in order to be able to respond to emerging IT threats and to support security event mitigation efforts appropriately.
4. Understand and recommend the appropriate measures to provide security to the resources under his or her control, including, but not limited to, the following:
   - Physical security to protect resources, such as keys, doors, and/or rooms maintained to a level of security commensurate with the value of the resources stored in those locations.
   - Administrative security to protect resources, such as:
     - Full implementation of the most current authentication and authorization technologies utilized by the architecture of the university network and/or its technology resources.
     - The most recently tested and approved software patches available.
     - The most contemporary and available security configurations.
     - The most contemporary and available virus protection.
     - Configuration of secure passwords on all IT devices (eliminating all default or administrative passwords).
5. Follow electronic security incident reporting requirements in accordance with University Policy 5.4.2, Reporting Electronic Security Incidents.

Note: Local support providers should be mindful of potential responsibilities they may have as custodians of administrative data transmitted or stored on IT devices under their control. For further guidance, consult University Policy 4.12, Data Stewardship and Custodianship.

Obligations of the Unit Security Liaison
The unit security liaison is the person designated by the operating unit head as the primary contact for the CISO. For further guidance or clarification, contact the CISO. The unit security liaison is responsible to do the following:
1. Act as the operating unit point of contact with the CISO.
2. Implement and document an information security program consistent with the requirements of this policy (for example, the implementation of security assessment, best practices, education and training), with the requirements and guidelines set forth by the IT Security Office, and with university guidelines and practices, in keeping with the specific IT security needs of the operating unit. This will include the following:
   a. Develop a written information security plan in accord with templates, guidance, and recommendations given by the IT Security Office. Update this plan no less frequently than annually.
   b. Identify the IT resources under his or her control.
   c. Oversee compliance with all IT security regulations under federal, state, and local law.
   d. Provide proper information and documentation about those resources.
   e. Participate in and support security risk assessments of his or her IT resources, including the following:
      - The degree of sensitivity or importance of the data transmitted or stored on those resources.
      - The criticality of its connection to the network, and a continuity plan in the event that it must be disconnected or blocked for security reasons.
      - The vulnerability of a particular resource to be used for illegal or destructive acts.
      - The vulnerability of a particular resource to be compromised.
      - The plan to be followed for recovery in the event of disaster.
      - The measures routinely taken to ensure security for each device.
3. Act as the security coordinator for the local support provider(s) within the operating unit (in operating units where the unit security liaison is not the local support provider), including the following:
   a. Developing intermediate and harmonizing processes between university and unit policy and procedure.
   b. Assisting the IT Security Office in the investigation of security issues and incidents, and, in the case of a loss or breach of institutional data and information, representing the unit in the Data Privacy Incident Response Team (DPIRT) process. For more information, see Related Resources.
   c. Disseminating information and communications about security policy, procedures, and other information from the IT Security Office to users within the unit.
4. Implement unit procedures and protocols for the reporting of electronic security incidents in accordance with University Policy 5.4.2, Reporting Electronic Security Incidents.
5. Work with the operating unit head, the unit IT manager, director, and/or other relevant personnel to address critical security notices issued by the CISO or his or her staff.

Note: The unit security liaison may want to take specific measures toward the protection of data stored or transmitted on the IT devices under his or her management, and/or be mindful of any potential responsibilities as a custodian of administrative data. Please consult University Policy 4.12, Data Stewardship and Custodianship, for guidance.

Obligations of the Operating Unit Head
Operating unit heads (i.e., vice presidents or deans) have overall, local responsibility for the security of IT resources under their control. For further guidance, contact your unit security liaison or the CISO. The operating unit head's oversight responsibilities in relation to securing IT resources include, but are not limited to, the following:
1. Identify a unit security liaison to the CISO, who may in some cases also be the local support provider (depending upon the size of the operating unit and the discretion of the unit head).
2. Ensure that, through the unit security liaison, a security program is implemented for the operating unit consistent with the requirements of this policy (for example, the implementation of security assessment, best practices, education and training), consistent with university guidelines and practices, and in keeping with the specific IT security needs of the operating unit.
3. Provide administrative control over continuity of support for all the IT devices in the operating unit, such that, for example, a change in employment of an individual local support provider does not result in the abandonment of responsibility over IT devices attached to the network.
4. Oversee the creation and implementation of procedures for the reporting of electronic security incidents in accordance with University Policy 5.4.2, Reporting Electronic Security Incidents.

Note: Operating unit heads may want to take specific measures toward the protection of data stored or transmitted on the IT devices under their management. Please consult University Policy 4.12, Data Stewardship and Custodianship, for guidance.

Limits of Operating Unit Head Delegation of Responsibility
Delegation is limited to:
- Direct reports, and/or
- A signed service-level agreement (SLA) with CIT, and/or
- A signed SLA with an external IT operations and security agency approved by the Office of the Vice President for.

Note: Delegation does not remove the operating unit head's responsibility for the effective oversight and security of the operating unit's IT resources.

Note: All SLAs must be signed by the operating unit head and the CIO and vice president for information technologies.

Note: All delegations of responsibilities must be reported to and recorded by the IT Security Office.
Obligations of the Chief Information Security Officer (CISO)
The CISO is the university officer with the authority to coordinate campus IT security. The following are obligations of the CISO:
1. Develop a comprehensive security program that includes risk assessment, best practices, education, and training.
2. Strive for proper identification, analysis, resolution, and reporting of Cornell electronic security incidents; assist or lead electronic security incident resolution for the university and individual units, specifically in the DPIRT process.
3. Issue critical security notices (risk notifications) to unit heads and security liaisons.
4. Develop, implement, and support university-level security monitoring and analysis.
5. Support and verify compliance with federal, state, and local legislation.
6. Regularly convene and lead ISPAC (see Related Resources).

Violations
Legitimate use of a computer or network system does not extend to whatever an individual is capable of doing with it. Although some rules are built into the system itself, these restrictions cannot completely limit what an individual can do or can see. In any event, each member of the community is responsible for his or her actions, whether or not rules are built in, and whether or not they can be circumvented.

It is an explicit violation of this policy to do any of the following:
1. Knowingly or intentionally maintain insecure passwords on IT devices attached to the network (e.g., absence of an administrative password, a password written down and stored in an insecure location, shared passwords, etc.).
2. Knowingly or intentionally attach misconfigured IT devices to the network.
3. Knowingly or intentionally compromise an IT device attached to the network, or intentionally use an application or computing system with a known compromise.
4. Knowingly or intentionally (or negligently, after receiving notice from an IT officer or professional) transmit any computer virus or other form of malicious software.
5. Knowingly or intentionally access or exploit resources for which you do not have authorization.
6. Knowingly or intentionally perform network or system scans on resources not authorized by the IT Security Office, unit head, unit security liaison, or local support provider.

Enforcement
Suspected violations will be investigated by the appropriate office, and disciplinary actions may be taken in accordance with the Campus Code of Conduct, applicable regulations, or other university policy.

Reporting Suspected Violations
All violations of this policy must be reported to the CISO. The CISO will refer these cases for disciplinary action to the following officers:
- If the alleged violator is a student, the judicial administrator
- If the alleged violator is a non-academic employee, the Office of Human Resources, Workforce Policy and Labor Relations
- If the alleged violator is an academic employee, the associated dean of the college, director of the library, or director of the research center
- In cases of non-compliance by a unit head, the CIO