Skip to Navigation | Skip to Content

Data and Computer Security Policy

Title: Data and Computer Security Policy
Effective Date: August 1, 2010
Supersedes: N/A
Issuing Authority: Executive Vice President for Finance and Information Technology; Vice President, Information Technology & Chief Information Technology Officer
Responsible Officer: Executive Vice President for Finance and Information Technology; Vice President, Information Technology & Chief Information Technology Officer


Security and compliance are ongoing, mission-critical business processes of the University and should be viewed as an integral part of everyone's obligations. Because no computer system is completely immune from exploitation, applying layered security controls will better safeguard University computers and NYU's ever-expanding body of sensitive data/information. Within the framework for describing the importance of information technology systems, classifications are outlined that represent how severe the impact would be to the University if a given system were compromised or unavailable to perform its function. Systems with a higher classification must meet a more strict system security standard in order to achieve compliance. In order to apply proper security controls, it is the responsibility of all individuals utilizing University computer and data resources to:

  • Know the classification of the system they are using: For most laptops and desktops, the classification will be Low Criticality, but full instructions on how to classify a system can be found in the Reference for Data and System Classification (
  • Know the type of data they are using: Data is classified into one of four categories: Restricted, Protected, Confidential, and Public, described in theReference for Data and System Classification (, and based on the risk to the University of their unauthorized release.
  • Follow the appropriate security measures contained in the Data and System Security Measures ( These Measures outline NYU's multi-layer security strategy for defense against unauthorized access to University systems and appropriate data handling.

Alternate Forms of Compliance

In some cases, a system may be incapable of implementing a security control required by this policy on a system. In such cases, the exception should be documented and approved by the appropriate chain of authority. For High Criticality systems managed by ITS, this involves the Risk Review Process. Information about the Risk Review Process is available from ITS Technology Security Services:

Purpose of this Policy

With the prevalence of personal computing in the University, there is the risk that if computing systems are left unsecured, then the information and data stored in personal computers are susceptible to theft and/or exploitation. This policy defines various computing safeguards for desktops and laptops.

Scope of this Policy

The computer and data resources referred to in this policy must be properly safeguarded regardless of the location of those computer and data resources. This policy applies to anyone who accesses, uses, or controls University computer and data resources, including, but not limited to faculty, administrators, staff, students, those working on behalf of the University, guests, tenants, contractors, consultants, visitors, and/or individuals authorized by affiliated institutions and organizations.

Related Policies and Additional Information

For assistance with applying this policy to particular systems, see the related documents and policies listed below, or send e-mail to:

Page last reviewed: August 1, 2010