University Policies and Guidelines
University Policy Database
As a central repository for existing, new and revised policies and guidelines, the NYU Policy Database serves to standardize policy format, eliminate redundancies, improve organization, accessibility, search and navigation functions.
The policies are organized in categories as noted in the menus below. Some policies may be listed in multiple categories. University policies, procedures and guidelines are retained and maintained in this database to guide and inform the University community, including faculty, staff, administration and students.
This database does not contain an exhaustive list of university policies. For additional information or assistance on how to locate policies, develop new policies, update existing policies, or any other policy related matter, please contact the Office of Compliance and Risk Management at email@example.com or at 212-998-2265.
COVID-19 Vaccination Leave Policy – New York - March 12, 2021
Policy on Principal Investigator/Project Director Status - March 12, 2021
Bulk Messaging Policy - November 9, 2020
Lactation Policy for Students - October 7, 2020
University Student Conduct Policy - August 12, 2020
Telecommuting Policy - New York Jan 2, 2020
Revised University Policies
Important COVID-19 Policy Updates
VP of Human Resources Sabrina Ellis offered guidance for faculty and staff on matters including remote work and COVID-19-related leave and time off. Click here for updated HR Policies
Promotion and Tenure Guidelines - March 10, 2021
Retention and Destruction of Records July 28, 2020
IT Policies Updated March 2020
Beginning with the Electronic Data and System Risk Classification Policy, NYU IT has been developing a group of University policies that undergird NYU’s security posture and enhance the NYU community’s ability to work safely and effectively. This group of policies includes new policies in areas not before addressed, updated policies that enable older ones to be retired, and in one case a policy required by New York State regulation.
(1) Policy on Compliance with Cybersecurity Requirements of NYS Department of Financial Services
This new policy was written to comply with the New York State Cybersecurity Requirements for Financial Services Companies (23NYCRR 500) and specifies the current NYU units involved.
(2) Policy Concerning Collection, Access, Analysis, Retention, and Destruction of NYU Log Data
This policy replaces “Practices Concerning the Retention and Destruction of NYU IT Log Data.” The most important change is the retention period from 30 days to 90 days as standard (both to accommodate actual practice and to balance investigations, operations, privacy and discoverability). This policy has a substantial role for the Global CISO, including overseeing compliance with this policy; collaborating and coordinating with University units to develop and implement unit-level log procedures; coordinating with unit technology staff to examine or collect log data; consulting with OGC to coordinate and review log data across NYU and for law enforcement agencies; granting on a case-by-case basis exceptions to shorter or longer retention periods; approving permission to access logs; and, when legally required, consulting with OGC to access logs “with PII contained in security, wireless, authentication or email logs.”
(3) Policy on Accounts (NetIDs, Special-purpose NetIDs, Privileged Access Accounts) and Access (MFA, Passwords)
This policy both includes updates to information (e.g., “Procedure on the Handling of Special Purpose NYU NetIDs,” “Guidelines for Account Access and Management at NYU”) and addresses some areas (e.g., Multi-Factor Authentication) that were not included elsewhere in NYU IT policies. Rather than create separate policies, the intention is to include items of similar concern (i.e., accounts and access) in a single document. The Global CISO is responsible for “the governance, oversight, and monitoring of the Privileged Access Account Management process” (see Accounts, II, C, 3, c) and for the MFA exceptions process (see Access, III, A, 5).
(4) Policy on Security Vulnerability Management
This new policy fills a gap in the security policy hierarchy and points to the Global Office of Information Security’s responsibilities in performing authenticated and unauthenticated network, systems, database, and application scans and web application security scanning, and discussing remediation options and alternatives.
(5) Data and System Security Policy
This policy aligns with the Electronic Data and System Risk Classification Policy which provides definitions and examples of data and system risk and criticality. It replaces several polices that had become a complex set of interlacing policies that made locating information difficult. (The replaced polices are: “Data and Computer Security Policy,” “Data and System Security Measures,” “Security Guidelines for Desktop and Laptop Computers,” and “Security Guidelines for System Administrators.”) Instead, this updated policy provides clarity and simplification. It includes information regarding how to apply data classification to security measures and defines specific basic, intermediate, and advanced controls. A new section details Requirements for Handling Research Data (see Data Handling Security Measures, section 4). Although oversight of the former, now-replaced policies has been the responsibility of the Global Office of Information Security (GOIS), this policy clarifies that role especially in the areas of providing alternative forms of compliance; receiving incident notifications; conducting Security Consultations, Security Risk Assessments, and vulnerability assessments; disconnecting, disabling and/or blocking disruptive systems from NYU-NET access and approving access restoration; and reviewing and approving phased (not automatic) software updates.
(6) NYU IT Security Information Breach Notification Policy
This NYU IT Security Information Breach Notification Policy was posted initially on June 19, 2006 and has been updated consistently to comply as new regulations (e.g., HIPAA, GDPR) were issued. This current amended version is written in compliance with the New York State Breach Notification Law’s SHIELD amendments. In addition, we are taking advantage of our update to note in this policy (Introduction, paragraph 9) that “In the United States, state legislatures increasingly have imposed significant privacy-security obligations, especially regarding computerized data. Although the particulars (e.g., type, timing, and target) vary from state-to-state, all 50 states and the District of Columbia require disclosure of a breach.” This statement will enable us to deal with breach requirements nationally without specifying state-by-state requirements.