Scope of these Guidelines
NYU is entrusted with a large amount of important data, such as Social Security numbers, credit card numbers, student data, and financial data. There are laws and regulations that restrict the use of this type of data, with significant legal and monetary penalties for exposure to unauthorized parties. The University has implemented policies and standards to help you protect the data that is in your care.
Statement/Description of these Guidelines
The following are guidelines to assist you in securing your systems and data. If you are a system administrator for a server providing access to account holders, please consult the Security Guidelines for System Administrators (www.nyu.edu/its/policies/sec_admin.html).
- Secure Computers
Regardless of the sensitive nature of the data you are storing, every computer accessing NYU's network and data, including laptops and home computers, should comply with the Basic System Security Measures (www.nyu.edu/its/policies/sec_datasys.html), which require that all systems:
- Be protected by a strong password
- Have antivirus software installed
- Receive automatic notification about updates to operating system software and antivirus software
- Be protected by a firewall that denies all unnecessary incoming network connection attempts
To the extent possible, smart phones (such as iPhones and BlackBerries) should be secured using the above steps.
- Classify Data
Once you have taken basic security measures for any and all computers that access NYU resources, you must now begin the process of securing the data that resides on those computers. Review the Reference for Data and System Classification (www.nyu.edu/its/policies/sec_ref.html) to understand the different categories of sensitive data and what is contained in each. Several examples of each type of data are listed below (for more information please refer to the Reference for Data and System Classification):
- Restricted: Social Security numbers, driver's license numbers, bank account numbers, medical records, and NetID passwords
- Protected: Course grades, salary and benefits information, patent-pending research
- Confidential: NetIDs, University IDs, other non-public data
- Public: Information intended for public release like unauthenticated websites or press releases
If you need assistance classifying your data, please contact firstname.lastname@example.org.
- Protect Data
All access to data is granted to you as part of your role at New York University and that data should be protected appropriately. Access to any data should be provided on a least-privilege basis and no person or system should be given access to the data unless required by business process. Data should be released publicly only according to well-defined business processes, and with the permission of the Data Steward.
If you are storing Restricted Data, determine whether that data is necessary to perform a business, research or academic function. If you do have Restricted Data, but it is not necessary for business purposes to retain it, you should delete it. If it is necessary to perform a business function, then you must follow the appropriate steps outlined in the Data and System Security Measures (www.nyu.edu/its/policies/sec_datasys.html) to protect the data. In addition, the University Data Management Policy (www.nyu.edu/its/policies/datamgmt.html) covers access and use of University data. Please be sure to consult all appropriate documents when determining the appropriate measure to safeguard your data.
For all questions or comments pertaining to data classification, system security measures or restricted data handling, please contact ITS Technology Security Services at email@example.com.
Related Policies and Additional Information
- Policy on Responsible Use of NYU Computers and Data (www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/responsible-use-of-nyu-computers-and-data-policy-on.html)
- University Data Management Policy
- Data and Computer Security Policy (www.nyu.edu/its/policies/sec_compdata.html)
- Data and System Security Measures (www.nyu.edu/its/policies/sec_datasys.html)
- Security Guidelines for System Administrators (www.nyu.edu/its/policies/sec_admin.html)
- Reference for Data and System Classification (www.nyu.edu/its/policies/sec_datasys.html)
- Personally Identifiable Information Policy (www.nyu.edu/its/policies/pii.html)
November 1, 2010
Page last reviewed: November 1, 2010