Data and Computer Security Policy
Security and compliance are ongoing, mission-critical business processes of the University and should be viewed as an integral part of the obligations of all members of the University community. Because no computer system is completely immune from exploitation, applying layered security controls will better safeguard University computers and NYU's ever-expanding body of sensitive data/information. Within the framework for describing the importance of information technology systems, classifications are outlined that represent how severe the impact could be to the University if a given system were compromised or unavailable to perform its function. Systems with a higher classification must meet a stricter system security standard in order to achieve compliance. In order to apply proper security controls, it is the responsibility of all individuals utilizing University computer and data resources to:
- Know the classification of the system they are using: For most laptops and desktops, the classification will be "Low Criticality," but full instructions on how to classify a system can be found in the Reference for Data and System Classification.
- Know the type of data they are using: Data is classified into one of four categories: Public, Confidential, Protected, and Restricted, described in the Reference for Data and System Classification, and based on the risk to the University of their unauthorized release.
- Follow the appropriate security measures contained in the Data and System Security Measures. These Measures outline NYU’s multi-layer security strategy for defense against unauthorized access to University systems and appropriate data handling.
Alternate Forms of Compliance
In some cases, a system may be incapable of implementing a control required by this policy. In such cases, the exception should be documented and approved by the appropriate chain of authority. For high criticality systems managed by NYU IT, this involves the Risk Review Process. Information about the Risk Review Process is available from NYU IT Technology Security Services (contact firstname.lastname@example.org).
Purpose of this Policy
With the prevalence of personal computing in the University, there is the risk that if computing systems are left unsecured, then the information and data stored in personal computers are susceptible to theft and/or exploitation. This policy defines various computing safeguards for desktops and laptops (see Related Policies).
Scope of this Policy
The computer and data resources referred to in this policy must be properly safeguarded regardless of the location of those computer and data resources. This policy applies to anyone who accesses, uses, or controls University computer and data resources, including, but not limited to, faculty, administrators, staff, students, those working on behalf of the University, guests, tenants, contractors, consultants, visitors and/or individuals authorized by affiliated institutions and organizations.
For assistance with applying this Policy to particular systems, see Security Guidelines for Desktop and Laptop Computers or Security Guidelines for System Administrators, as appropriate, and the Reference for Data and System Classification and Data and System Security Measures. Send questions or comments to: email@example.com.
Last Review/Revision: February 26, 2016