Security Guidelines for Desktop and Laptop Computers
Purpose of these Guidelines
This document serves as a guide to help you understand the obligations set forth in the security Measures.
Scope of these Guidelines
NYU is entrusted with a large amount of important data, such as Social Security Numbers, Credit Card Numbers, student data and financial data. There are laws and regulations that restrict the use of this type of data, with significant legal and monetary penalties for exposure to unauthorized parties. The University has implemented policies and standards to help you protect the data that is in your care.
Statement/Description of these Guidelines
The following are guidelines to assist you in securing your systems and data. If you are a system administrator for a server providing access to account holders, please consult the Security Guidelines for System Administrators.
1. Secure Computers
Regardless of the sensitive nature of the data you are storing, every computer accessing NYU's network and data, including laptops and home computers, should comply with the Basic System Security Measures, which require that all systems:
- Be protected by a strong password
- Have anti-virus software installed
- Receive automatic notification about updates to operating-system software and anti-virus software
- Be protected by a firewall that denies all unnecessary incoming network connection attempts
To the extent possible, SmartPhones (such as iPhones and Blackberries) should be secured using the above steps.
2. Classify Data
Once you have taken basic security measures for any and all computers that access NYU resources, you must now begin the process of securing the data that resides on those computers. Review the Data Classification table to understand the different categories of sensitive data and what is contained in each. Several examples of each type of data are listed below (for more information please refer to the Data Classification table):
- Restricted: social security numbers, driver’s license numbers, bank account numbers, medical records, and NetID passwords.
- Protected: course grades, salary and benefits information, patent-pending research.
- Confidential: NetID’s, University ID’s, other non-public data.
- Public: Information intended for public release like unauthenticated websites or press releases.
If you need assistance classifying your data, please contact email@example.com.
3. Protect Data
All access to data is granted to you as part of your role at New York University and that data should be protected appropriately. Access to any data should be provided on a least-privilege basis and no person or system should be given access to the data unless required by business process. Data should be released publicly only according to well-defined business processes, and with the permission of the data steward.
If you are storing Restricted Data, determine whether that data is necessary to perform a business, research or academic function. If you do have Restricted Data, but it is not necessary for business purposes to retain it, you should delete it. If it is necessary to perform a business function, then you must follow the appropriate steps outlined in the Data and System Security Measures to protect the data. In addition, the Administrative Data Management Policy covers access and use of University Data. Please be sure to consult all appropriate documents when determining the appropriate measure to safeguard your data.
For all questions or comments pertaining to data classification, system security measures or restricted data handling, please contact the NYU IT Office of Information Security at firstname.lastname@example.org.