Information Security Program Charter

Defines the principles and terms of the College’s Information Security Management Program and the responsibilities of the members of the College community in carrying out the Information Security Program.

Owner: Information Technology

Short Description

Purpose

In the course of carrying out Teachers College academic, research, and service missions, Teachers College’s faculty, staff, and students collect many different types of information, including financial, academic, medical, human resources, and other personal information. The College values the ability to communicate and share information appropriately. Federal and state laws and regulations, as well as industry standards, impose obligations on the College and individual members of the TC community to protect the confidentiality, integrity, and availability of information relating to individuals including faculty, staff, students, research subjects, patients, contractors, and donors. Such information is an important resource of the College and any person who uses information collected by the College has a responsibility to maintain and protect this resource. In addition, certain contracts and policies require appropriate safeguarding of information.

This Charter and the College’s more specific information security policies (collectively, the “Information Security Policies”) define the principles and terms of the College’s Information Security Management Program (the “Information Security Program”) and the responsibilities of the members of the College community in carrying out the Information Security Program. The current Information Security Policies are listed in Section 4 – Related Policies.

Scope

The “Information Resources” included in the scope of the Information Security Policies are:

All Data (as defined in Section 3 below) regardless of the storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, CD, DVD, external drive, copier hard drive, cloud-based storage) and regardless of form (e.g., text, graphic, video, audio);
The computing hardware and software Systems (as defined in Section 3 below) that process, transmit and store data; and
The Networks (as defined in Section 9 below) that transport Data.

This policy applies to all students, staff, faculty members, officers, employees, external users, and affiliates of Teachers College, Columbia University, including extended learning sites, guests, tenants, visitors, contractors, consultants, vendors, individuals authorized by affiliated institutions and organizations, and all others granted use of and/or access to Teachers College, Columbia University technology resources and data.

Because many of the information technology resources of the College are part of the Columbia University network, all College users must be familiar with and adhere to applicable University policies, and to the University's Acceptable Usage of Information Resources Policy.

Use of College information technology resources must also comply with College policies, regardless of whether they make explicit reference to electronic or other media. Relevant policies, including those related to professional conduct and protection from harassment, are available in the College’s Policy Library.

Policy

1.1 General Statement

The mission of the Information Security Program is to protect the confidentiality, integrity, and availability of Data. We strive to maintain:

Confidentiality - information is only accessible to authorized users for authorized purposes.
Integrity - safeguard the accuracy and completeness of data and processing methods.
Availability - ensure that authorized users have access to Data and associated Information Resources when required.

1.2 Specific Requirements

The Information Security Charter establishes the various functions within the Information Security Program and authorizes the persons described under each function to carry out the terms of the Information Security Policies. The functions are:

1.2.1 Vice President for Administration and Provost

The Teachers College Vice President for Administration (VPA) and Provost are responsible for oversight and compliance with all Information Security Policies. Such responsibilities include, but are not limited to:

Assigning Data Stewards and Data Owners;
Ensuring that each System Owner, Data Steward, and Data Owner appropriately identifies and classifies data in accordance with the Teachers College Data Classification Policy;
Ensuring that each such System Owner, Data Steward, and Data Owner receives training on how to handle Sensitive Data and Confidential Data; and
Ensuring that each IT Custodian in his/her area of responsibility provides periodic reports with respect to the inventory of Information Resources used in such areas to the Executive Director of Information Security.

1.2.2 Security, Policy and Compliance Governance

It is the College’s goal to govern security, policy and compliance issues relating to the Information Security Program at the organizational level, through establishment of the Teachers College Information Security Advisory Committee (TC-ISAC). This committee will include two permanent members: the Chief Information Officer (CIO) and Executive Director of Information Security.

1.2.3 Security Management

The Executive Director of Information Security is responsible for the day to day management of the Information Security Program which includes

Developing, documenting and disseminating Information Security Policies, in consultation with affected members of the TC community;
Working with departments, faculty, and staff to inform them of the acceptable solutions and resolve discrepancies between Information Security objectives and priorities of the departments, faculty, and staff to determine workable solutions and if at an impasse refer the decision to VPA and Provost for resolution based on risk tolerance vs. cost;
Educating and advising College personnel in information security matters;
Communicating information regarding Information Security Policies;
Developing and executing the Risk Management Program for Information Security;
Collaborating with Data Stewards on any responsibility that may arise concerning information that needs to remain confidential;
Collaborating with the College’s Executive Director for Academic Affairs Compliance on the Family Educational Rights and Privacy Act (FERPA);
Collaborating with the Office of General Counsel on the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
Collaborating with the College's Controller's office on Gramm-Leach-Bliley Act (GLBA);
Consulting with the College's Office of General Counsel on legal and regulatory issues;
Translating the Information Security Policies into technical requirements, standards, and procedures;
Working with the Office of General Counsel and other involved parties on litigation holds and other legally required exceptions to the document retention plan;
Collaborating with Data Stewards, Custodians, and System Owners to determine the appropriate means of using Information Resources; and
Authorizing any required exceptions to any Information Security Policy or any associated technical standards or procedures and recording such exceptions for remediation. In addition to the responsibilities listed above, the Executive Staff have granted the authority to the Executive Director to conduct the following activities:

Monitoring communications and Data that use the College Network or Systems for transmission or storage;
Monitoring use of the College’s Digital Information Resources;
Conducting vulnerability scans of any Information Resources connected to the College Network;
Conducting security assessments of Systems and Data Centers;
Disconnecting Information Resources that present a security risk from the College Network;
Erasing all Data stored on personal Endpoints previously used for College business, as requested or required; and

Supporting the College’s Emergency Response Team, led by the VPA in connection with any breach or compromise of sensitive data, to the extent provided for in the Teachers College Electronic Data Security Breach Reporting and Response policy (Electronic Data Security Breach Reporting and Response).

1.2.4 Data Ownership and Stewards

Teachers College is the Data Owner of all its Enterprise Data and system assets and is the Security Authority of data classified according to Teachers College Security Classifications. Ownership and rights are governed by Teachers College policies on Intellectual Property.

Data Stewards are College faculty and staff assigned by the Provost and the VPA to define the appropriate level of security for the data and systems under their control in coordination with the Executive Director. This is primarily performed by informing the IT Custodians of the sensitivity of the data using the Data Classification schema so that it can be effectively protected. If the IT Custodian is a vendor, this requires involving the Executive Director in the contract negotiation to establish the appropriate security terms and conditions. Final implementation will be based on a risk assessment of the system and/or processes performed in conjunction with the Executive Director. Such responsibilities are summarized to include, but are not limited to:

Maintaining the Data and the integrity of the information which supports the functions of their organization by managing data generation, access privileges and confirmation of the resultant stored information;
Appropriately identifying and classifying Data in their respective areas of responsibilities in accordance with the Teachers College Data Classification Policy;
Establishing and implementing security requirements for such Data in consultation with the Executive Director;
Where possible, clearly labeling Sensitive Data and Confidential Data;
Approving appropriate access to Data and Systems; and
Ensuring information in all forms (e.g., paper, cloud-hosted data, and TC hosted data) is disposed of according to TC policy and procedure.

1.2.5 System Ownership

System Owners are College faculty and staff who are responsible for requesting or determining computing needs and applicable system hardware and software, to support their respective areas of responsibility and ensuring the functionality of each such system. System ownership is established during the TCIT New Application Assessment process. Such responsibilities include, but are not limited to:

Identifying the functional requirements of the systems needed to support their area;
Classifying each System in their respective areas of responsibility based on the identification and classification of Data by the applicable Data Steward;
Ensuring that each such System that contains Sensitive Data or Confidential Data is scheduled for risk assessment by the Executive Director in accordance with the procedures mandated by the Registration of Systems policy;
Establishing and implementing security requirements for each such critical system in consultation with the Executive Director, (e.g., encryption of data in transmission and storage, establishing and testing contingency plans for when systems are not available);
Under guidance from the Executive Director, coordinating with vendors and/or TCIT to ensure that audit and logging mechanisms are in place for sensitive data, with respect to access to the systems or unauthorized changes;
Maintaining an inventory of such Systems; and
Ensuring that the IT Custodians follow the Teachers College Computer Lifecycle procedures and the Secure Computing and Information Management Guidelines are followed with electronic files and the department follows the guidelines for paper retention and disposal.

1.2.6 Technical Responsibility

IT Custodians are College staff or third-party service providers who are responsible for providing a secure infrastructure in support of Data and Systems, including, but not limited to, providing and/or ensuring physical security, backup and recovery processes, granting access privileges as authorized by Data Stewards or System Owners and implementing and administering controls over Data in their respective areas of responsibility. Such responsibilities include, but are not limited to:

Maintaining an inventory of all Endpoints used in their respective areas of responsibility;
Conducting periodic security checks of Systems and Networks, including password checks, in their respective areas of responsibility;
Documenting and implementing audit mechanisms, the timing of log reviews and log retention periods;
Performing self-audits and reporting metrics to the Executive Director and monitoring assessments and appropriate corrective actions; and
Ensuring that the Teachers College Computer Lifecycle procedures and the Secure Computing and Information Management Guidelines are followed.

1.2.7 System or Data Usage

Users are persons who use Information Resources. Users are responsible for using such Resources properly in compliance with Teachers College policies and procedures including, but not limited to, the Teachers College Acceptable Use of Information Technology policy. Users should not make information available to unauthorized persons, and should ensure appropriate security controls are in place.

1.2.8 IT Security Incident Response Team

Roles and responsibilities for IT Security Incident Response are documented in the “IT Security Incident Response Team Roles and Responsibilities” protocol document.

2 Related Policies

Related Policies

Acceptable Use of Information Technology

Data Classification

Electronic Data Security Breach Reporting and Response

Email Use

Network and Communications Equipment Installation and Maintenance

Use of Social Security Numbers (SSNs), CU UPNs and TC ID Numbers

Computer Lifecycle

Network and Email Accounts

Evacuation Procedures

3 Enforcement

Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access, and (b) mandatory attendance at additional training as a condition of continued use of computer accounts and network access. Subject to the College’s other rules of conduct and disciplinary procedures, significant violations may also result in (c) a letter to the individual’s personnel or student file; (d) administrative leave without pay; (e) other sanctions, up to and including termination or non-renewal of employment, faculty appointment or student status. Violations of the Information Security Policies may also result in civil or criminal liability under state, federal, or international laws.

4 Contact Information

TCIT Service Desk - servicedesk@tc.columbia.edu 212.678.3300

Executive Director of Information Security, Infosec@tc.columbia.edu

CIO, CIO@tc.columbia.edu

5 Definitions

As used in the Information Security Policies, the following terms are defined as follows:

Term	Definition
AES	The Advanced Encryption Standard adopted by the U.S. government.
Approved OHCA Email System	As defined in the Teachers College Email Use Policy
Teachers College, the College or TC	Teachers College, Columbia University
Confidential Data	Any information that is contractually protected as confidential information and any other information that is considered by the College appropriate for confidential treatment. See the Teachers College Data Classification Policy for examples of Confidential Data.
Covered Entity	As defined in HIPAA (45 CFR 160.163).
TCIT	Teachers College Information Technology
Data	All items of information that are created, used, stored, or transmitted by the College community for the purpose of carrying out the institutional mission of teaching, research, and educational service and all data used in the execution of the College’s business functions.
Data Owner	Teachers College is the owner of all its Enterprise Data and system assets and is the Security Authority of data classified according to Teachers College Security Classifications. Ownership and rights are governed by Teachers College policies on Intellectual Property.
Data Steward	College faculty and staff assigned by the Provost and the VPA to define the appropriate level of security for the data and systems under their control in coordination with the Executive Director.
Email System	A System that transmits, stores, and receives emails.
Endpoint	Any desktop or laptop computer (i.e., Windows, Mac, Linux/Unix), Mobile Device or other portable device used to connect to the College wireless or wired Network, access TC or Columbia email from any local or remote location or access any institutional (College, departmental or individual) System either owned by the College or by an individual and used for College purposes. This would include personal computers such as home computers.
Enterprise Data	Data that is collected and created through Teachers College’s normal operations.
EPHI	Electronic Personal Health Information.
FERPA	The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99
GDPR	The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
HIPAA	The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
HITECH	The Health Information Technology for Economic and Clinical Health Act
IDEA	The International Data Encryption Algorithm.
Information Resources	All data; computing hardware and software systems that process, transmit, and store data; and networks that transport data.
Information Security Office	The information security resources assigned to support the Information Security Program.
Information Security Program	The TCIT policies, procedures, and resources put in place to protect the confidentiality, integrity, and availability of Data.
Internet of Things (IoT) Devices	Computing devices embedded in everyday objects, such as voice-activated smart speakers.
MAC	Media Access Control.
Mobile Device	A smart/cell phone (i.e., iPhone, Android, Windows phone), tablet (i.e., iPad, Windows, or Android based tablet) laptop or USB/removable drive.
Network	Electronic Information Resources that are implemented to permit the transport of Data between interconnected endpoints. Network components may include routers, switches, hubs, cabling, telecommunications, VPNs and wireless access points.
OHCA	An Organized Health Care Arrangement, which is an arrangement or relationship, recognized in the HIPAA privacy rules, that allows two or more Covered Entities who participate in joint activities to share PHI about their patients in order to manage and benefit their joint operations.
Payment Card	For purposes of PCI-DSS, any payment card/device that bears the logo of the founding members of PCI SSC (American Express, Discover, JCB International, MasterCard and Visa).
PCI	Payment card industry.
PCI-DSS	The PCI Data Security Standard produced by the PCI–SSC, which mandates compliance requirements for enhancing the security of payment card data.
PCI-SSC	The PCI Security Standards Council, which is an open global forum of payment brands, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., that are responsible for developing the PCI-DSS.
Peer	A network participant that makes a portion of its resources, such as processing power, disk storage or network bandwidth, directly available to other network participants, without the need for central coordination by servers or stable hosts.
Peer-to-Peer File Sharing Program	A program that allows any computer operating the program to share and make available files stored on the computer to any machine with similar software and protocol.
PHI	Personal Health Information as defined in the Teachers College Data Classification Policy
PII	Personal Identifiable Information as defined in the Teachers College Data Classification Policy
Public Data	Generally available information as defined in the Teachers College Data Classification Policy
Removable Media	CDs, DVDs, USB flash drives, external hard drives, Zip disks, diskettes, tapes, medical instrumentation devices, and copiers.
Risk Analysis	The process of identifying, estimating, and prioritizing risks to organizational operations, assets, and individuals. “Risk Assessment” is synonymous with “Risk Analysis”.
Risk Management Program	The combined processes of Risk Analysis, Risk Remediation and Risk Monitoring.
Risk Monitoring	The process of maintaining ongoing awareness of an organization’s information security risks via the risk management program.
Risk Remediation	The process of prioritizing, evaluating, and implementing the appropriate risk-reducing security controls and countermeasures recommended from the risk management process. “Risk Mitigation” or “Corrective Action Planning” is synonymous with “Risk Remediation”.
RSA	The Rivest-Shamir-Adleman Internet encryption and authentication system.
Security Authority	The entity accountable for establishing the policies, standards, and guidelines for the protection of information created by and/or managed by TC and setting the means by which these are enforced.
Sensitive Data	Any information protected by federal, state, and local laws and regulations and industry standards, such as HIPAA, HITECH, FERPA, the New York State Information Security Breach and Notification Act, NYS Shield Act, similar state laws and PCI-DSS. See the Teachers College Data Classification Policy for examples of Sensitive Data.
Server	Any computing device that provides computing services, such as Systems and Applications, to Endpoints over a Network.
SMTP	Simple Mail Transfer Protocol, an internet transportation protocol designed to ensure the reliable and efficient transfer of emails and is used by Email Systems to deliver messages between email providers.
SSL	The Secure Sockets Layer security protocol that encapsulates other network protocols in an encrypted tunnel.
Student Education Records	As defined in the Teachers College Data Classification Policy
System	Server-based software that resides on a single Server or multiple Servers and is used for College purposes. “Application” or “Information System” is synonymous with “System”.
System Owner	College faculty and staff who are responsible for requesting or determining computing needs and applicable system hardware and software, to support their respective areas of responsibility and ensuring the functionality of each such system.
UPS	Uninterruptible Power Supply.
User	Person who uses Information Resources.
User ID	A User Identifier or account name
VPN	Virtual Private Network

Responsible Office: Teachers College Information Technology

Effective Date: February 1, 2021

Last Updated: October 13, 2023