Information Security Policy Statement
Information Resources
Information resources are vital Columbia University and Presbyterian Hospital assets in the same way that physical facilities and equipment are assets. Any person/organization who uses or provides information resources has a responsibility to maintain and safeguard these assets. Because computing systems and networks are shared facilities, their misuse can affect others.
Each individual student, staff, and faculty member in the community is expected to use these shared resources with consideration for others. Individuals are also expected to be informed and responsible for protecting their own information resources in any environment. It is unacceptable for anyone to use University or Hospital information resources to perform unethical or unlawful academic or business acts or to violate any law
The resources included in the scope of this security policy statement are:
- Information, data, in any medium or form such as printed paper, digital, video, and audio representations
- The computing hardware and software systems which access and manipulate information
- The network systems which transport information.
The resources may reside in many different settings and environments and may be used for any academic or administrative purpose. Legal constraints directly affect the use of some of these resources. University/Hospital policy may also affect the use of information resources.
The multiplicity of needs involving information uses, locations, and protection dictates that a broad spectrum of possible security procedures is necessary. Security risks must be evaluated, and appropriate procedures must be selected and implemented by the individuals responsible for such assets.
Users of Information Resources
In the University and Hospital a natural tension arises between protecting the confidentiality of information and encouraging the sharing of information and ideas. While the need for security and the vulnerability of information resources must be recognized, it is also important to assess the value of the resources and the need to share them. The effort and cost of providing protection must be balanced against the value or sensitivity of the resources.
However, at a minimum, this statement says that tampering with data, deliberately introducing inaccuracies or causing loss of data, using information resources to violate any law, committing a breach of confidentiality, committing theft of equipment or software or other information resources, compromising the performance of computing systems, damaging software, physical devices or networks, or otherwise sabotaging University or Hospital computing systems or networks is prohibited and shall be cause for discipline up to and including dismissal and for possible legal action.
University students, staff and faculty and Hospital staff who commit such prohibited acts with regard to external information resources to which they have access by reason of their University or Hospital activity shall also be subject to discipline, up to and including dismissal.
The University and Hospital shall take appropriate action in response to any misuse of University or Hospital information resources by persons unaffiliated with the University or Hospital, including the commencement of legal action.
Providers of Information Resources
Providers of information resources are responsible for ensuring that appropriate efforts are expended to maintain the integrity, confidentiality, and availability of these resources by:
- Protecting the assets from destruction, unauthorized use, or unauthorized change
- Ensuring that processes are in place for correcting damaged systems to enable continuation of operations with minimal disruption
- Balancing the need for security with the need for minimizing the complexity of information access
- Educating each of their communities about its responsibilities for information and the disciplinary actions for inappropriate use of information resources.