This document serves as a guide to help you understand the obligations set forth in the Security Measures.
NYU is entrusted with a large amount of important data, such as Social Security Numbers, Credit Card Numbers, student data and financial data. There are laws and regulations that restrict the use of this type of data, with significant legal and monetary penalties for exposure to unauthorized parties. The University has implemented policies and standards to help you protect the data that is in your care.
The following are guidelines to assist you in securing your systems and data. If you are a system administrator for a server providing access to account holders, please consult the Security Guidelines for System Administrators.
Regardless of the sensitivity of the data you are storing, every computer accessing NYU's network and data, including laptops and home computers, should comply with the Basic System Security Measures, which require that all systems:
To the extent possible, smartphones (such as iPhones and BlackBerrys) should be secured using the above steps.
Once you have taken basic security measures for all computers that access NYU resources, you must begin securing the data that resides on those computers. Review the Data Classification table to understand the different categories of sensitive data and what each contains. Several examples of each type of data are listed below (for more information please refer to the Data Classification table):
If you need assistance classifying your data, please contact firstname.lastname@example.org.
All access to data is granted to you as part of your role at New York University, and that data should be protected appropriately. Access to any data should be provided on a least-privilege basis, and no person or system should be given access to the data unless required by a business process. Data should be released publicly only according to well-defined business processes, and with the permission of the data steward.
If you are storing Restricted Data, determine whether that data is necessary to perform a business, research or academic function. If you have Restricted Data that is not necessary to retain for business purposes, you should delete it. If it is necessary to perform a business function, then you must follow the appropriate steps outlined in the Data and System Security Measures to protect the data. In addition, the Administrative Data Management Policy covers access to and use of University Data. Please be sure to consult all appropriate documents when determining the appropriate measures to safeguard your data.
For all questions or comments pertaining to data classification, system security measures or restricted data handling, please contact the Technology Security Services group at email@example.com.
|Effective Date:|December 01, 2010|
|Issuing Authority:|Executive Vice President for Finance and Information Technology; Vice President, Information Technology and Chief Information Technology Officer|
|Responsible Officer:|Vice President, Information Technology and Chief Information Technology Officer|