Effective Date Supersedes N/A Issuing Authority Executive Vice President; Vice President, Information Technology and Chief Information Officer Responsible Officer Vice President, Information Technology and Chief Information Officer
Data Classification Table: Classifies data-types which are commonly used at NYU according to the impact to the University if they are disclosed without authorization.
Data Steward: Data Stewards are typically operational managers in a functional area with day-to-day responsibilities for managing business processes and establishing the business rules for the production transaction systems and are appointed by the respective Data Trustees. The Data Steward will be responsible for developing an overall data access plan following the categorization in the Reference for Data and System Classification. See definition and explanation in the Administrative Data Management Policy.
Personal Workstations: Personal workstations are typically accessed by a single person at a time, and do not offer services to multiple account holders. These may be laptops, desktops, or other portable computing devices, such as PDAs or smart phones.
Server: Servers are systems typically accessed by many remote users concurrently, via the network services they provide, such as an email server.
System: An information technology resource that can be classified and to which security controls listed in a Security Measure may be applied. A system may be a workstation, laptop, server, web-application, database, or similar.
System Classification: A framework for classifying the relative importance of NYU systems based on their data processing and availability requirements.
These Measures apply to anyone who accesses, uses, or controls University computer and data resources, including, but not limited to faculty, administrators, staff, students, those working on behalf of the University, guests, tenants, contractors, consultants, visitors and/or individuals authorized by affiliated institutions and organizations.
These Measures are applicable to a wide variety of IT resources which are connected to NYU-NET or are used for any NYU business purpose. A system may be any IT resource to which the safeguards outlined in Security Measures may be applied. Examples of systems include, but are not limited to:
All of the above systems may perform their own authentication and authorization, logging and auditing, and have their own configurations which must be managed, and each of them are considered a compliance object to be protected.
The following sections describe the Basic System Security Measures, the Intermediate System Security Measures, the Advanced System Security Measures, and the Data Security Measures.
In some cases, a system may be incapable of implementing a control required by these Measures. In such cases, the exception should be documented and approved by the individual’s relevant chain of authority. For high criticality systems managed by NYU IT, this involves the Risk Review Process (contact email@example.com). Information about the Risk Review Process is available from the NYU IT Office of Information Security.
The Basic System Security Measures apply to all systems at NYU, regardless of the level of their System Classification. It is a baseline, which all systems must meet. Note that for most personal workstations, these are the only Measures that apply. The requirements are:
The Intermediate System Security Measures define the Security Measures that must be applied to medium criticality and high criticality systems. Note that except under special circumstances, they do not apply to desktop and laptop computers. The requirements are:
The Advanced System Security Measures define the Security Measures that must be applied to high criticality systems. The requirements are:
These Data Security Measures define the minimum security requirements that must be applied to the data types defined in the Reference for Data and System Classification. Some data elements, such as credit card numbers and patient health records, have additional security requirements defined in external standards. In addition, access and use of University Data is covered by the Administrative Data Management Policy. Please be sure to consult all appropriate documents when determining the appropriate measure to safeguard your data.
The best way to safeguard sensitive data is not to handle it at all, and business processes that can be amended to reduce or eliminate dependence on restricted data should be corrected. For example, the University ID number can often be substituted for a social security number and poses much less risk if accidentally disclosed.
For assistance with applying these Measures appropriately, see Security Guide for Desktop and Laptop Computers or Security Guidelines for System Administrators. Send questions or comments to: firstname.lastname@example.org.