Secure Computing and Information Management | Policies


Secure Computing and Information Management

Describes the responsibilities of members of the community to maintain account, data, and hardware security.

Owner: Information Technology

Purpose

Secure computing and information management guidelines are required to mitigate the risk from threats to information confidentiality, integrity, and accessibility.  No computer system is immune to attack, so a multi-layered approach is required, with best practices applied at all levels, including computer configuration, physical security, and personal awareness.  These requirements describe the College’s expectations for computing and information handling practices.

 

Scope

This policy applies to all students, staff, faculty members, officers, employees, and affiliates of Teachers College, Columbia University, including extended learning sites, guests, tenants, visitors, contractors, consultants, vendors, individuals authorized by affiliated institutions and organizations, and all others granted use of and/or access to Teachers College, Columbia University technology resources and data.

 

Policy

This policy applies to all College-owned computers as well as to personally-owned computers used to access College information or other resources via the TC or Columbia wired or wireless networks. Everyone is responsible for maintaining awareness of information security recommendations and following them.

Virus Protection

TCIT configures College-owned computers for automatic upgrades on campus; users must specify if a computer will be used off-campus for weeks at a time. On your personally owned computers, you must implement reputable anti-virus software and keep it up-to-date, configured with access scanning and email scanning.  Most computers come with at least a trial subscription. Continuing to purchase a renewal is usually the best option because uninstalling anti-virus software does not always work. If a student does not have an active subscription to anti-virus software with updates for their personally-owned computer, they may download and use the antivirus software licensed by Teachers College.  Downloads for personal PCs and Macs are available through the myTC portal.

Email Protection

Email attachments are a common source of viruses and spyware, so you should not click on an email attachment to open it unless you were expecting it.  

The email address in the sender field can be spoofed, so you should not rely solely on who apparently sent it to assess its authenticity.

If you doubt the authenticity of an email, contact the sender via phone and/or notify the Service Desk.

TCIT offers in-person and application-based computer and email security training. For more information, please contact the Service Desk.

Spyware Protection

Spyware is a class of software that self-installs on a computer, enabling access to a person’s internet use, passwords, and other sensitive information.  To guard against spyware, do not install an application or click on a link in an email unless you fully understand what it will do and that it is from a trusted source.  In addition to providing virus protection, current anti-virus software for Windows and Macs is licensed by Teachers College and protects against the most prevalent spyware programs. If you download virus protection (per above) for your personally-owned computers, you should select the spyware protection option in the configuration.

Software Updates

Periodically, security weaknesses in an operating system and/or applications are discovered, and vendors provide security updates to remediate such exposures.  Configure your personal computer to automatically check for and install vendor security updates, and reboot your computer on a regular basis to ensure that updates are installed properly.

For TC Managed workstations, operating system updates are managed by the Service Desk. For managed workstations, the College may periodically force reboots during defined windows.

Passwords

A password is used to “prove” one’s identity (known as authentication) to an application and/or computer system.  Strong passwords should be used on all computer systems, including all mobile devices, to protect them in accordance with Teachers College policy. If you suspect that someone has your password, change it immediately.  Refrain from using the “save password” feature of applications because those who have access to your computer will also have access to your accounts.  It is wise to use different passwords across different accounts. 

The College offers a password management solution to help generate and store unique, complex passwords in an encrypted database. For information about how to obtain and use it, please visit the TCIT website.

 

Account Use and Oversight

One Person/One Account

Each person must use his/her own account. Sharing a password is a violation of TC and Columbia policies.  Supervisors should provide sufficient access privileges to employees, but no more than is required for their work. If you need to designate a “delegate” for your email or calendar, email the TCIT Service Desk or call them at x3300. Shared account access is available for workgroups based on access requested by the designated account owner. If your office needs a shared account for access to departmental email or calendar, contact the TCIT Service Desk. If you supervise people, be sure that you inform Human Resources when anyone on your staff leaves, or the TCIT Service Desk if they change responsibilities, so that his/her network, email, and/or Banner access will be discontinued or adjusted to meet the needs of the new role.  Do not ask people to pass along passwords when they leave.

Protecting an Unattended Computer

When you must step away from your workstation during the day, lock your computer. Password-protected screensavers engage automatically to protect information from being changed or seen by others. The best practice is to log out and close the browser after being logged into an application, and to shut down your computer at the end of the workday.

Multi-Factor Authentication

The College requires the use of multi-factor authentication (MFA) to access sensitive College information. This means users will need to enter a password in addition to verifying the login using a second device. For information about how to set up and use MFA, please visit the TCIT website.

Data Location and Backup

Computers can and will fail, resulting in data that is corrupt or unrecoverable.  Laptops, smartphones, mobile devices, and flash drives are particularly susceptible to loss and theft; therefore, these devices must be encrypted. Employees who choose to synchronize their TC email or other information with a mobile device must promptly report any loss or theft to the Teachers College ServiceDesk via email to or by telephone to 212-678-3300, or by contacting the cellular carrier to request that all content be cleared from the device. Students are encouraged to contact their cellular carriers to do the same.

TC Servers are backed up and securely administered according to best practices, so store information about individuals and other sensitive data on servers rather than on your desktop machines or portable storage devices. Refrain from storing non-public personal information altogether when it is not necessary or appropriate, particularly information such as social security numbers, credit card, bank account or driver's license numbers.  When possible, access Banner information directly from the central system. Use an individual’s TC ID number (in the format of T12345678) for TC forms and stored data. If your department has a local database, application, or server, set up a meeting with TCIT to review database and server security practices.  The TCIT Service Desk can assist you with accessing network file shares from home.  Locally-stored data requires regular backups.  Calendar and contact information on your smartphone should be synched to your TC Gmail account or to a computer. Contact the TCIT Service Desk by email or call at x3300 for assistance in configuring backups.

Websites

Use the Teachers College content management system to maintain websites; it does not require web development skills and conforms to best security practices. Contact the Office of Digital Communications for assistance. Departments that wish to use an external provider for development and/or hosting services must have the agreement vetted by the contracts manager in the Office of the General Counsel.

Accessing Sensitive Information

Never access sensitive data from or enter your password on a computer that is not owned by you or TC or known by you to be maintained with updated security patches and anti-virus software.  Do not access sensitive or confidential data from open wireless networks unless there is a secure encrypted connection to the source of the data (you will see https:// instead of http:// in the address bar).  Do not use email for personally identifiable information (PII) such as social security numbers, credit card numbers, grades or other personal, academic, health or counseling information.  

Academic Material Created by Student and Faculty

Do not distribute material posted by students and instructors on course management systems or websites without permission of the author. Do not forward emails with such material without permission. See Family Educational Rights and Privacy Act (FERPA) policy at Student Records and Family Education Rights and Privacy Act (FERPA) Statement.

Physical Security

If you must keep personal information on a desktop or portable device (e.g., laptop, CD, flash drive), physically secure the device (e.g., use a computer lock or store it in a locked drawer) and preferably encrypt the data.  Do not leave papers with confidential information on your desk where others will see them. Retrieve copies, faxes, and printouts immediately. When the area is unattended, lock filing cabinets and lock office doors to protect confidential hard-copy records.

Social Interaction

Never discuss non-public personal info about anyone (student, faculty, staff, alumnus, vendor, trustee, etc.) with your family or friends nor with any coworker who lacks a specific work-related reason to need the information.  Be aware of information-stealing methods such as social engineering (e.g., someone falsely presenting themselves as authorized to access private information), phishing scams, and shoulder surfing to obtain personal and sensitive information about you or others. 

Disposing of Computers and Data Records

Email the TCIT ServiceDesk or call x3300 when you wish to dispose of college-owned computers.  According to the Computer Lifecycle Policy the Service Desk will remove and erase the hard drive, and move the computer to the staging area for donation or disposal.  Use a shredder to dispose of paper records with personal information; the Purchasing Office can recommend different models depending on your requirements. If you have file cabinets full of old information, contact Facilities about large-scale shredding and disposal. Do not keep old records on your desktop, laptop, PDA, flash drive, or paper file folders if you can delete them completely or archive them and store them more securely elsewhere.

Training Requirements

Staff and students are responsible for reviewing, understanding, and complying with the College's information security guidance and training materials. All new employees and students are required to take security awareness training.  Additional training may be required for those who handle PII, PHI, RHI, or PCI data; they should have additional assessment and training on a yearly basis as required.

Suspicion of Compromised Information

If you believe that a computer system has been compromised, shut it down and contact the TCIT Service Desk at x3300 immediately. 

If your smartphone or mobile device is lost, call your mobile carrier to request that your information be wiped from the device. Note: TC’s Email Use Policy requires that employees do this promptly when a device is lost or stolen.

If your laptop is lost, please call the TCIT Service Desk.

If you believe that non-public personal information may have been exposed, contact the TCIT Service Desk.



Responsible Office: Teachers College Information Technology

Effective Date: February 1, 2021

Last Updated: January 15, 2021
