Defines the principles and terms of the College’s Information Security Management Program and the responsibilities of the members of the College community in carrying out the Information Security Program.
In the course of carrying out Teachers College academic, research, and service missions, Teachers College’s faculty, staff, and students collect many different types of information, including financial, academic, medical, human resources, and other personal information. The College values the ability to communicate and share information appropriately. Federal and state laws and regulations, as well as industry standards, impose obligations on the College and individual members of the TC community to protect the confidentiality, integrity, and availability of information relating to individuals including faculty, staff, students, research subjects, patients, contractors, and donors. Such information is an important resource of the College and any person who uses information collected by the College has a responsibility to maintain and protect this resource. In addition, certain contracts and policies require appropriate safeguarding of information.
This Charter and the College’s more specific information security policies (collectively, the “Information Security Policies”) define the principles and terms of the College’s Information Security Management Program (the “Information Security Program”) and the responsibilities of the members of the College community in carrying out the Information Security Program. The current Information Security Policies are listed in Section 4 – Related Policies.
The “Information Resources” included in the scope of the Information Security Policies are:
This policy applies to all students, staff, faculty members, officers, employees, external users, and affiliates of Teachers College, Columbia University, including extended learning sites, guests, tenants, visitors, contractors, consultants, vendors, individuals authorized by affiliated institutions and organizations, and all others granted use of and/or access to Teachers College, Columbia University technology resources and data.
Because many of the information technology resources of the College are part of the Columbia University network, all College users must be familiar with and adhere to applicable University policies, and to the University's Acceptable Usage of Information Resources Policy.
Use of College information technology resources must also comply with College policies, regardless of whether they make explicit reference to electronic or other media. Relevant policies, including those related to professional conduct and protection from harassment, are available in the College’s Policy Library.
1.1 General Statement
The mission of the Information Security Program is to protect the confidentiality, integrity, and availability of Data. We strive to maintain:
1.2 Specific Requirements
The Information Security Charter establishes the various functions within the Information Security Program and authorizes the persons described under each function to carry out the terms of the Information Security Policies. The functions are:
1.2.1 Vice President for Administration and Provost
The Teachers College Vice President for Administration (VPA) and Provost are responsible for oversight and compliance with all Information Security Policies. Such responsibilities include, but are not limited to:
1.2.2 Security, Policy and Compliance Governance
It is the College’s goal to govern security, policy and compliance issues relating to the Information Security Program at the organizational level, through establishment of the Teachers College Information Security Advisory Committee (TC-ISAC). This committee will include two permanent members: the Chief Information Officer (CIO) and Executive Director of Information Security.
1.2.3 Security Management
The Executive Director of Information Security is responsible for the day to day management of the Information Security Program which includes
1.2.4 Data Ownership and Stewards
Teachers College is the Data Owner of all its Enterprise Data and system assets and is the Security Authority of data classified according to Teachers College Security Classifications. Ownership and rights are governed by Teachers College policies on Intellectual Property.
Data Stewards are College faculty and staff assigned by the Provost and the VPA to define the appropriate level of security for the data and systems under their control in coordination with the Executive Director. This is primarily performed by informing the IT Custodians of the sensitivity of the data using the Data Classification schema so that it can be effectively protected. If the IT Custodian is a vendor, this requires involving the Executive Director in the contract negotiation to establish the appropriate security terms and conditions. Final implementation will be based on a risk assessment of the system and/or processes performed in conjunction with the Executive Director. Such responsibilities are summarized to include, but are not limited to:
1.2.5 System Ownership
System Owners are College faculty and staff who are responsible for requesting or determining computing needs and applicable system hardware and software, to support their respective areas of responsibility and ensuring the functionality of each such system. System ownership is established during the TCIT New Application Assessment process. Such responsibilities include, but are not limited to:
1.2.6 Technical Responsibility
IT Custodians are College staff or third-party service providers who are responsible for providing a secure infrastructure in support of Data and Systems, including, but not limited to, providing and/or ensuring physical security, backup and recovery processes, granting access privileges as authorized by Data Stewards or System Owners and implementing and administering controls over Data in their respective areas of responsibility. Such responsibilities include, but are not limited to:
1.2.7 System or Data Usage
Users are persons who use Information Resources. Users are responsible for using such Resources properly in compliance with Teachers College policies and procedures including, but not limited to, the Teachers College Acceptable Use of Information Technology policy. Users should not make information available to unauthorized persons, and should ensure appropriate security controls are in place.
1.2.8 IT Security Incident Response Team
Roles and responsibilities for IT Security Incident Response are documented in the “IT Security Incident Response Team Roles and Responsibilities” protocol document.
2 Related Policies
Related Policies
Acceptable Use of Information Technology
Electronic Data Security Breach Reporting and Response
Network and Communications Equipment Installation and Maintenance
Use of Social Security Numbers (SSNs), CU UPNs and TC ID Numbers
3 Enforcement
Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access, and (b) mandatory attendance at additional training as a condition of continued use of computer accounts and network access. Subject to the College’s other rules of conduct and disciplinary procedures, significant violations may also result in (c) a letter to the individual’s personnel or student file; (d) administrative leave without pay; (e) other sanctions, up to and including termination or non-renewal of employment, faculty appointment or student status. Violations of the Information Security Policies may also result in civil or criminal liability under state, federal, or international laws.
4 Contact Information
TCIT Service Desk - servicedesk@tc.columbia.edu 212.678.3300
Executive Director of Information Security, Infosec@tc.columbia.edu
CIO, CIO@tc.columbia.edu
5 Definitions
As used in the Information Security Policies, the following terms are defined as follows:
Term |
Definition |
AES |
The Advanced Encryption Standard adopted by the U.S. government. |
Approved OHCA Email System |
As defined in the Teachers College Email Use Policy |
Teachers College, the College or TC |
Teachers College, Columbia University |
Confidential Data |
Any information that is contractually protected as confidential information and any other information that is considered by the College appropriate for confidential treatment. See the Teachers College Data Classification Policy for examples of Confidential Data. |
Covered Entity |
As defined in HIPAA (45 CFR 160.163). |
TCIT |
Teachers College Information Technology |
Data |
All items of information that are created, used, stored, or transmitted by the College community for the purpose of carrying out the institutional mission of teaching, research, and educational service and all data used in the execution of the College’s business functions. |
Data Owner |
Teachers College is the owner of all its Enterprise Data and system assets and is the Security Authority of data classified according to Teachers College Security Classifications. Ownership and rights are governed by Teachers College policies on Intellectual Property. |
Data Steward |
College faculty and staff assigned by the Provost and the VPA to define the appropriate level of security for the data and systems under their control in coordination with the Executive Director. |
Email System |
A System that transmits, stores, and receives emails. |
Endpoint |
Any desktop or laptop computer (i.e., Windows, Mac, Linux/Unix), Mobile Device or other portable device used to connect to the College wireless or wired Network, access TC or Columbia email from any local or remote location or access any institutional (College, departmental or individual) System either owned by the College or by an individual and used for College purposes. This would include personal computers such as home computers. |
Enterprise Data |
Data that is collected and created through Teachers College’s normal operations. |
EPHI |
Electronic Personal Health Information. |
FERPA |
The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99 |
GDPR |
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). |
HIPAA |
The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 |
HITECH |
The Health Information Technology for Economic and Clinical Health Act |
IDEA |
The International Data Encryption Algorithm. |
Information Resources |
All data; computing hardware and software systems that process, transmit, and store data; and networks that transport data. |
Information Security Office |
The information security resources assigned to support the Information Security Program. |
Information Security Program |
The TCIT policies, procedures, and resources put in place to protect the confidentiality, integrity, and availability of Data. |
Internet of Things (IoT) Devices |
Computing devices embedded in everyday objects, such as voice-activated smart speakers. |
MAC |
Media Access Control. |
Mobile Device |
A smart/cell phone (i.e., iPhone, Android, Windows phone), tablet (i.e., iPad, Windows, or Android based tablet) laptop or USB/removable drive. |
Network |
Electronic Information Resources that are implemented to permit the transport of Data between interconnected endpoints. Network components may include routers, switches, hubs, cabling, telecommunications, VPNs and wireless access points. |
OHCA |
An Organized Health Care Arrangement, which is an arrangement or relationship, recognized in the HIPAA privacy rules, that allows two or more Covered Entities who participate in joint activities to share PHI about their patients in order to manage and benefit their joint operations. |
Payment Card |
For purposes of PCI-DSS, any payment card/device that bears the logo of the founding members of PCI SSC (American Express, Discover, JCB International, MasterCard and Visa). |
PCI |
Payment card industry. |
PCI-DSS |
The PCI Data Security Standard produced by the PCI–SSC, which mandates compliance requirements for enhancing the security of payment card data. |
PCI-SSC |
The PCI Security Standards Council, which is an open global forum of payment brands, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., that are responsible for developing the PCI-DSS. |
Peer |
A network participant that makes a portion of its resources, such as processing power, disk storage or network bandwidth, directly available to other network participants, without the need for central coordination by servers or stable hosts. |
Peer-to-Peer File Sharing Program |
A program that allows any computer operating the program to share and make available files stored on the computer to any machine with similar software and protocol. |
PHI |
Personal Health Information as defined in the Teachers College Data Classification Policy |
PII |
Personal Identifiable Information as defined in the Teachers College Data Classification Policy |
Public Data |
Generally available information as defined in the Teachers College Data Classification Policy |
Removable Media |
CDs, DVDs, USB flash drives, external hard drives, Zip disks, diskettes, tapes, medical instrumentation devices, and copiers. |
Risk Analysis |
The process of identifying, estimating, and prioritizing risks to organizational operations, assets, and individuals. “Risk Assessment” is synonymous with “Risk Analysis”. |
Risk Management Program |
The combined processes of Risk Analysis, Risk Remediation and Risk Monitoring. |
Risk Monitoring |
The process of maintaining ongoing awareness of an organization’s information security risks via the risk management program. |
Risk Remediation |
The process of prioritizing, evaluating, and implementing the appropriate risk-reducing security controls and countermeasures recommended from the risk management process. “Risk Mitigation” or “Corrective Action Planning” is synonymous with “Risk Remediation”. |
RSA |
The Rivest-Shamir-Adleman Internet encryption and authentication system. |
Security Authority |
The entity accountable for establishing the policies, standards, and guidelines for the protection of information created by and/or managed by TC and setting the means by which these are enforced. |
Sensitive Data |
Any information protected by federal, state, and local laws and regulations and industry standards, such as HIPAA, HITECH, FERPA, the New York State Information Security Breach and Notification Act, NYS Shield Act, similar state laws and PCI-DSS. See the Teachers College Data Classification Policy for examples of Sensitive Data. |
Server |
Any computing device that provides computing services, such as Systems and Applications, to Endpoints over a Network. |
SMTP |
Simple Mail Transfer Protocol, an internet transportation protocol designed to ensure the reliable and efficient transfer of emails and is used by Email Systems to deliver messages between email providers. |
SSL |
The Secure Sockets Layer security protocol that encapsulates other network protocols in an encrypted tunnel. |
Student Education Records |
As defined in the Teachers College Data Classification Policy |
System |
Server-based software that resides on a single Server or multiple Servers and is used for College purposes. “Application” or “Information System” is synonymous with “System”. |
System Owner |
College faculty and staff who are responsible for requesting or determining computing needs and applicable system hardware and software, to support their respective areas of responsibility and ensuring the functionality of each such system. |
UPS |
Uninterruptible Power Supply. |
User |
Person who uses Information Resources. |
User ID |
A User Identifier or account name |
VPN |
Virtual Private Network |
Responsible Office: Teachers College Information Technology
Effective Date: February 1, 2021
Last Updated: October 13, 2023