Security and compliance are ongoing, mission-critical business processes of the University and should be viewed as an integral part of the obligations of all members of the University community. Because no computer system is completely immune from exploitation, applying layered security controls will better safeguard University computers and NYU's ever-expanding body of sensitive data/information. Within the framework for describing the importance of information technology systems, classifications are outlined that represent how severe the impact could be to the University if a given system were compromised or unavailable to perform its function. Systems with a higher classification must meet a more strict system security standard in order to achieve compliance. In order to apply proper security controls, it is the responsibility of all individuals utilizing University computer and data resources to:
In some cases, a system may be incapable of implementing a control required by this policy. In such cases, the exception should be documented and approved by the appropriate chain of authority. For high criticality systems managed by NYU IT, this involves the Risk Review Process. Information about the Risk Review Process is available from the NYU IT Office of Technology Security (contact firstname.lastname@example.org).
With the prevalence of personal computing in the University, there is the risk that if computing systems are left unsecured, then the information and data stored in personal computers are susceptible to theft and/or exploitation. This policy defines various computing safeguards for desktops and laptops (see Related Policies).
The computer and data resources referred to in this policy must be properly safeguarded regardless of the location of those computer and data resources. This policy applies to anyone who accesses, uses, or controls University computer and data resources, including, but not limited to faculty, administrators, staff, students, those working on behalf of the University, guests, tenants, contractors, consultants, visitors and/or individuals authorized by affiliated institutions and organizations.
For assistance with applying this Policy to particular systems, see Security Guidelines for Desktop and Laptop Computers or Security Guidelines for System Administrators, as appropriate, and the Reference for Data and System Classification and Data and System Security Measures. Send questions or comments to: email@example.com.
Effective Date Supersedes N/A Issuing Authority Executive Vice President; Vice President, Information Technology and Chief Information Officer Responsible Officer Vice President, Information Technology and Chief Information Officer