Information Security Charter

Teachers College, Columbia University

Teachers College Policy Library


Owner: Computing & Information Services

URL: http://www.tc.columbia.edu/policylibrary/Information Security Charter

Preface:

The following policy has been reviewed and vetted by the Teachers College Information Security Advisory Committee (TC-ISAC) and approved jointly by Thomas James, Provost and Harvey Spector, Vice President Finance and Administration.  It represents the environment that Teachers College strives to maintain and is being initially implemented in a transition phase.  During this phase, the TC community is expected to seek assistance from and cooperate with the Director of Information Security, the Chief Information Security Officer, in developing the understanding and processes for your area in support of this objective.

Revision History

| Day | Month | Year | By | Purpose |
|---|---|---|---|---|
| 01 | September | 2014 | Dr. Vincent Orrico | Initial Policy |

1          Purpose

In the course of carrying out Teachers College academic, research and service missions, its faculty, staff and students collect many different types of information, including financial, academic, medical, human resources and other personal information. The College values the ability to communicate and share information appropriately. Federal and state laws and regulations, as well as industry standards, impose obligations on the College and individual members of the TC community to protect the confidentiality, integrity and availability of information relating to individuals including faculty, staff, students, research subjects, patients, contractors and donors. Such information is an important resource of the College and any person who uses information collected by the College has a responsibility to maintain and protect this resource.  In addition, certain contracts and policies require appropriate safeguarding of information.

 

This Charter and the College’s more specific information security policies (collectively, the “Information Security Policies”) define the principles and terms of the College’s Information Security Management Program (the “Information Security Program”) and the responsibilities of the members of the College community in carrying out the Information Security Program. The current Information Security Policies are listed in Section 4 – Related Policies.

2          Scope

The “Information Resources” included in the scope of the Information Security Policies are:

  • All Data (as defined in Section 3 below) regardless of the storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, CD, DVD, external drive, copier hard drive, cloud-based storage) and regardless of form (e.g., text, graphic, video, audio);
  • The computing hardware and software Systems (as defined in Section 3 below) that process, transmit and store Data; and
  • The Networks (as defined in Section 9 below) that transport Data.

 

The Information Security Policies are College-wide policies that apply to all individuals who access, use or control Information Resources at the College, including faculty, staff and students, as well as project participants, contractors, consultants, volunteers and other agents of the College and/or individuals authorized to access Information Resources by affiliated institutions and organizations.

 

Because many of the information technology resources of the College are part of the Columbia University network, all College users must be familiar with and adhere to applicable University policies found at www.columbia.edu/cu/policy, and to the University's Acceptable Usage of Information Resources Policy at policylibrary.columbia.edu/acceptable-use-it-resources-network-and-computing-policy.

 

Use of College information technology resources must also comply with College policies, regardless of whether they make explicit reference to electronic or other media. Relevant policies, including those related to professional conduct and protection from harassment, are available in the College’s Policy Library, www.tc.edu/policylibrary.

3          Policy

3.1        General Statement

The mission of the Information Security Program is to protect the confidentiality, integrity and availability of Data. Confidentiality means that information is only accessible to authorized users for authorized purposes. Integrity means safeguarding the accuracy and completeness of Data and processing methods. Availability means ensuring that authorized users have access to Data and associated Information Resources when required.

3.2        Specific Requirements

The Information Security Charter establishes the various functions within the Information Security Program and authorizes the persons described under each function to carry out the terms of the Information Security Policies.  The functions are:

3.2.1        The Provost and the Vice President for Finance and Administration

The Teachers College Vice President for Finance and Administration (VPFA) and the College’s Provost are responsible for oversight of and compliance with all Information Security Policies. Such responsibilities include, but are not limited to:

    • Assigning Data Stewards;
    • Ensuring that each System Owner and Data Steward appropriately identifies and classifies Data in accordance with the Teachers College Data Classification Policy;
    • Ensuring that each such System Owner and Data Steward receives training on how to handle Sensitive Data and Confidential Data; and
    • Ensuring that each IT Custodian in his/her area of responsibility provides periodic reports with respect to the inventory of Information Resources used in such area to the Chief Information Security Officer.

3.2.2        Security, Policy and Compliance Governance

The following committee has been established to govern security, policy and compliance issues relating to the Information Security Program at the organizational level:

    • Teachers College Information Security Advisory Committee (TC-ISAC).

3.2.3        Security Management

The Chief Information Security Officer (CISO) is responsible for the day-to-day management of the Information Security Program, which includes:

    • Developing, documenting and disseminating Information Security Policies, in consultation with affected members of the TC community;
    • Working with departments, faculty and staff to inform them of acceptable solutions and to resolve discrepancies between Information Security Objectives and Priorities of the departments, faculty and staff, determining workable solutions and, if at an impasse, referring the decision to the VPFA and Provost for resolution based on risk tolerance vs. cost;
    • Educating and advising College personnel in information security matters;
    • Communicating information regarding the Information Security Policies;
    • Developing and executing the Risk Management Program for Information Security;
    • Collaborating with the College on any responsibility that may arise concerning information that needs to remain confidential;
    • Collaborating with the College’s Registrar on the Family Educational Rights and Privacy Act (FERPA);
    • Collaborating with the College's Controller's office on the Gramm-Leach-Bliley Act (GLBA);
    • Consulting with the College's Office of General Counsel on legal and regulatory issues;
    • Translating the Information Security Policies into technical requirements, standards and procedures;
    • Working with the Office of General Counsel and other involved parties on litigation holds and other legally-required exceptions to the document retention plan;
    • Collaborating with Data Stewards, Custodians, and System Owners to determine the appropriate means of using Information Resources; and
    • Authorizing any required exceptions to any Information Security Policy or any associated technical standards or procedures and recording such exceptions for remediation.

In addition to the responsibilities listed above, the Executive Managers have granted the authority to the Director of Information Security to conduct the following activities:

o   Monitoring communications and Data that use the College Network or Systems for transmission or storage;

o   Monitoring use of the College’s Information Resources;

o   Conducting vulnerability scans of any Information Resources connected to the College Network;

o   Conducting security assessments of Systems, and Data centers;

o   Disconnecting Information Resources that present a security risk from the College Network;

o   Erasing all Data stored on personal Endpoints previously used for College business, as requested or required; and

    • Supporting the College’s Emergency Response Team, led by the VPFA in connection with any breach or compromise of sensitive data, to the extent provided for in the Teachers College Electronic Data Security Breach Reporting and Response policy (Electronic Data Security Breach Reporting and Response)
    • The College’s Director of Information Security is the Security Manager responsible as the Chief Information Security Officer (CISO).

 

Appendix A lists the currently identified Applicable Laws, Regulations and Industry Standards.

3.2.4        Data Ownership and Stewards

Data Owner: Teachers College is the owner of all its Enterprise Data and system assets and is the Security Authority of data classified according to Teachers College Security Classifications. Ownership and rights are governed by Teachers College policies on Intellectual Property.

 

Data Stewards are College faculty and staff assigned by the Provost and the VPFA to coordinate, with the CISO, the appropriate level of security for the data and systems under their control. This is primarily performed by informing the IT Custodians of the sensitivity of the data using the Data Classification schema (www.tc.edu/policylibrary/DataClass) so that it can be effectively protected. Where the IT Custodian is a vendor, this requires involving the CISO in the contract negotiation to establish the appropriate security terms and conditions. Final implementation will be based on a risk assessment of the system and/or processes performed in conjunction with the CISO. Such responsibilities are summarized to include, but are not limited to:

    • Maintaining the Data and the integrity of the information which supports the functions of their organization by managing data generation, access privileges and confirmation of the resultant stored information
    • Appropriately identifying and classifying Data in their respective areas of responsibilities in accordance with the Teachers College Data Classification Policy
    • Establishing and implementing security requirements for such Data in consultation with the Director of Information Security;
    • Where possible, clearly labeling Sensitive Data and Confidential Data;
    • Approving appropriate access to Data and Systems; and
    • Ensuring information in all forms e.g. paper, cloud hosted data, and TC hosted data, is disposed of according to TC policy and procedure.

3.2.5        System Ownership

System Owners are College faculty and staff who are responsible for requesting or determining computing needs and applicable system hardware and software, to support their respective areas of responsibility and ensuring the functionality of each such system. Such responsibilities include, but are not limited to:

    • Identifying the functional requirements of the systems needed to support their area
    • Classifying each System in their respective areas of responsibility based on the identification and classification of Data by the applicable Data Steward;
    • Ensuring that each such System that contains Sensitive Data or Confidential Data is scheduled for risk assessment by the CISO in accordance with the Teachers College Information Security Risk Management Policy
    • Establishing and implementing security requirements for each such critical system in consultation with the CISO, e.g. encryption of data in transmission and storage;
    • Establishing and testing contingency plans for when systems are not available;
    • Under guidance from the CISO, coordinating with vendors and/or CIS to assure that audit and logging mechanisms are in place for sensitive data, with respect to access to the systems or unauthorized changes;
    • Maintaining an inventory of such Systems; and
    • Ensuring that the IT Custodians follow the Teachers College Computer Disposal Procedure, that the Secure Computing and Information Management Guidelines are followed with electronic files, and that the department follows the guidelines for paper retention and disposal.

3.2.6        Technical Responsibility

IT Custodians are College personnel or service providers who are responsible for providing a secure infrastructure in support of Data and Systems, including, but not limited to, providing and/or assuring physical security, backup and recovery processes, granting access privileges as authorized by Data Stewards or System Owners and implementing and administering controls over Data in their respective areas of responsibility. Such responsibilities include, but are not limited to:

    • Maintaining an inventory of all Endpoints used in their respective areas of responsibility;
    • Conducting periodic security checks of Systems and Networks, including password checks, in their respective areas of responsibility;
    • Documenting and implementing audit mechanisms, timing of log reviews and log retention periods;
    • Performing self-audits and reporting metrics to the Information Security Officer and monitoring assessments and appropriate corrective actions; and
    • Ensuring that the Teachers College Computer Disposal Procedure and the Secure Computing and Information Management Guidelines are followed.

3.2.7        System or Data Usage

Users are persons who use Information Resources. Users are responsible for using such Resources properly in compliance with Teachers College policies and procedures including, but not limited to, the Teachers College Acceptable Use of Information Technology Policy. Information is not made available to unauthorized persons, and appropriate security controls are in place.

4          Related Policies

 

Appendix A contains the major categories of the hierarchy of policies and procedures to facilitate reference, program review and assuring program integrity.

 

Related Policies

  • Acceptable Use of Information Technology
  • Data Classification
  • Electronic Data Security Breach Reporting and Response
  • Email Use
  • Network and Communications Equipment
  • Use of Social Security Numbers (SSNs), CU UPNs and TC ID Numbers

Related Procedures

  • Computer Disposal Procedure
  • Secure Computing and Information Management Guidelines
  • Network and Email Account Provisioning Procedure
  • Evacuation Procedures (for Business Continuity): http://tc.edu/Evacuation

5          Ownership and Responsibilities

The ownership of this policy and the maintenance of its revisions rest with Computing and Information Services (CIS). 

 

It is the responsibility of all the users of Teachers College systems, organizations or individuals with access to Teachers College networks, to establish and conform to the security measures outlined in this policy.

6          Enforcement

 

Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access and (b) mandatory attendance at additional training as a condition of continued use of computer accounts and network access.   Subject to the College’s other rules of conduct and disciplinary procedures, significant violations may also result in (c) a letter to the individual’s personnel or student file; (d) administrative leave without pay; (e) other sanctions, up to and including termination or non-renewal of employment, faculty appointment or student status.   Violations of the Information Security Policies may also result in civil or criminal liability under state, federal or international laws.  

7          Definitions

 

As used in the Information Security Policies, the following terms are defined as follows:

 

| Term | Definition |
|---|---|
| AES | The Advanced Encryption Standard adopted by the U.S. government. |
| Approved OHCA Email System | As defined in the Teachers College Email Usage Policy |
| Teachers College, the College or TC | Teachers College, Columbia University |
| Confidential Data | Any information that is contractually protected as confidential information and any other information that is considered by the College appropriate for confidential treatment. See the Teachers College Data Classification Policy for examples of Confidential Data. |
| Covered Entity | As defined in HIPAA (45 CFR 160.163). |
| CIS | Teachers College Computing and Information Services |
| Data | All items of information that are created, used, stored or transmitted by the College community for the purpose of carrying out the institutional mission of teaching, research and educational service and all data used in the execution of the College’s business functions. |
| Data Owner | As defined in Section 3.2.4 of this Charter. |
| Data Steward | As defined in Section 3.2.4 of this Charter. |
| Email System | A System that transmits, stores, and receives emails. |
| Endpoint | Any desktop or laptop computer (i.e., Windows, Mac, Linux/Unix), Mobile Device or other portable device used to connect to the College wireless or wired Network, access TC or Columbia email from any local or remote location or access any institutional (College, departmental or individual) System either owned by the College or by an individual and used for College purposes. This would include personal computers such as home computers. |
| Enterprise Data | Data that is collected and created through Teachers College’s normal operations. |
| EPHI | Electronic Personal Health Information. |
| FERPA | The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99 |
| HIPAA | The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 |
| HITECH | The Health Information Technology for Economic and Clinical Health Act |
| IDEA | The International Data Encryption Algorithm. |
| Information Resources | As defined in Section I of this Charter. |
| Information Security Office | The information security resources assigned to support the Information Security Program. |
| Information Security Policies | As defined in Section 1 of this Charter. |
| Information Security Program | As defined in Section 1 of this Charter. |
| MAC | Media Access Control. |
| Mobile Device | A smart/cell phone (i.e., iPhone, Blackberry, Android, Windows phone), tablet (i.e., iPad, Nexus, Galaxy Tab and other Android based tablet) or USB/removable drive. |
| Network | Electronic Information Resources that are implemented to permit the transport of Data between interconnected endpoints. Network components may include routers, switches, hubs, cabling, telecommunications, VPNs and wireless access points. |
| OHCA | An Organized Health Care Arrangement, which is an arrangement or relationship, recognized in the HIPAA privacy rules, that allows two or more Covered Entities who participate in joint activities to share PHI about their patients in order to manage and benefit their joint operations. |
| Payment Card | For purposes of PCI-DSS, any payment card/device that bears the logo of the founding members of PCI SSC (American Express, Discover, JCB International, MasterCard and Visa). |
| PCI | Payment card industry. |
| PCI-DSS | The PCI Data Security Standard produced by the PCI–SSC, which mandates compliance requirements for enhancing the security of payment card data. |
| PCI-SSC | The PCI Security Standards Council, which is an open global forum of payment brands, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., that are responsible for developing the PCI-DSS. |
| Peer | A network participant that makes a portion of its resources, such as processing power, disk storage or network bandwidth, directly available to other network participants, without the need for central coordination by Servers or stable hosts. Examples include KaZaa, BitTorrent, Limewire and Bearshare. |
| Peer-to-Peer File Sharing Program | A program that allows any computer operating the program to share and make available files stored on the computer to any machine with similar software and protocol. |
| PHI | Personal Health Information as defined in the Teachers College Data Classification Policy |
| PII | Personal Identifiable Information as defined in the Teachers College Data Classification Policy |
| Public Data | Generally available information as defined in the Teachers College Data Classification Policy |
| Removable Media | CDs, DVDs, USB flash drives, external hard drives, Zip disks, diskettes, tapes, smart cards, medical instrumentation devices and copiers. |
| Risk Analysis | The process of identifying, estimating and prioritizing risks to organizational operations, assets and individuals. “Risk Assessment” is synonymous with “Risk Analysis”. |
| Risk Management Program | The combined processes of Risk Analysis, Risk Remediation and Risk Monitoring. |
| Risk Monitoring | The process of maintaining ongoing awareness of an organization’s information security risks via the risk management program. |
| Risk Remediation | The process of prioritizing, evaluating and implementing the appropriate risk-reducing security controls and countermeasures recommended from the risk management process. “Risk Mitigation” or “Corrective Action Planning” is synonymous with “Risk Remediation”. |
| RSA | The Rivest-Shamir-Adleman Internet encryption and authentication system. |
| Security Authority | The entity accountable for establishing the policies, standards, and guidelines for the protection of information created by and/or managed by TC and setting the means by which these are enforced. |
| Sensitive Data | Any information protected by federal, state and local laws and regulations and industry standards, such as HIPAA, HITECH, FERPA, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS. See the Teachers College Data Classification Policy for examples of Sensitive Data. |
| Server | Any computing device that provides computing services, such as Systems and Applications, to Endpoints over a Network. |
| SMTP | Simple Mail Transfer Protocol, an internet transportation protocol designed to ensure the reliable and efficient transfer of emails and is used by Email Systems to deliver messages between email providers. |
| SSL | The Secure Sockets Layer security protocol that encapsulates other network protocols in an encrypted tunnel. |
| Student Education Records | As defined in the Teachers College Data Classification Policy |
| System | Server based software that resides on a single Server or multiple Servers and is used for College purposes. “Application” or “Information System” is synonymous with “System”. |
| System Owner | As defined in Section 3.2.5 of this Charter. |
| UPS | Uninterruptible Power Supply. |
| User | As defined in Section 3.2.7 of this Charter. |
| User ID | A User Identifier or account name |
| VPN | Virtual Private Network |

  

Appendix A - Applicable Laws, Regulations and Industry Standards

The federal and New York State laws and regulations and industry standards that are applicable to information security at the College include those listed below. Other sources of confidentiality that may apply include the privileges belonging to the patients or clients of psychologists, counselors, and other providers, the clients of attorneys (attorney-client privilege), etc.

Federal

  • The Digital Millennium Copyright Act

o   http://www.copyright.gov/legislation/dmca.pdf

  • The Family Educational Rights and Privacy Act (FERPA),  

o   http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

  • The Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999)

o   http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

  • The Health Information Technology for Economic and Clinical Health Act (HITECH)

o   http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

New York State

  • New York State Information Security Breach and Notification Act
  • Social Security Number Protection Law, 309-DDD and 309-DDD*2

 

Industry Standard 

  • Payment Card Industry/Data Security Standard 

o   https://www.pcisecuritystandards.org/tech/

 

Published: September 1, 2014