Registration And Protection Of Endpoints Policy

Provides general protection requirements for desktop and laptop computers, mobile devices and any endpoints that contain university data

I. Introduction

This Policy describes the requirements for security controls to protect Endpoints that process, transmit and/or store University Data (as each is defined in the Columbia University Information Security Charter (the “Charter”)). Such requirements differ depending on whether such Data is Sensitive Data, Confidential Data, Internal Data or Public Data (as each is defined in the Charter).

No distinction is made in this Policy between an Endpoint owned by the University or one personally owned. All Information Security Policies will apply to a personally owned Endpoint used for University business.

Any Endpoint that processes, transmits and/or stores University Data must be registered in accordance with Section III(A) and have the minimum protection requirements set forth in Section III(B) or

(C) and, if applicable, Sections III(D) and/or (E), in each case for the most restricted class of University Data that is processed, transmitted or stored on such Endpoint.

Capitalized terms used in this Policy without definition are defined in the Charter.

II. Policy History

The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:

CUIT Security Policy
Desktop and Laptop Security Policy, dated November 1, 2007
Desktop /Laptop/Mobile Devices Security Requirements When Storing Sensitive Data
Electronic Information Resources Security Policy, dated March 1, 2007
Encryption Policy, dated December 1, 2007
Peer to Peer (P2P) File Sharing Policy, dated October 2008
University Mobile Phone Registration and Password Policy, dated March 1, 2013 and (B) the following CUIMC Policies:
- General Information Security Policy, dated November 15, 2007
- Information Security: Media, Backup and Controls, dated November 2012
- Workstation Use and Security Policy, dated November 2012

III. Policy Text

A. Registration of Certain Endpoints

The following Endpoints must be registered with the IT Custodian or other person in a School, Department or business unit who is responsible for maintaining an inventory of Endpoints in his/her area of responsibility:

Any Endpoint that processes, transmits and/or stores PHI;
Any Endpoint that processes, transmit and/or stores University Data whose Data Owner or any related Executive Manager, Security Manager, IT Custodian or IT Group is primarily affiliated with CUIMC or included in Columbia Health Care Component;
Any Endpoint that is used within the Columbia Health Care Component.

All inventories of registered Endpoints must be provided to the CUIMC Information Security Office. Registration will be carried out in accordance with the CUIMC Information Security Procedures.

B. General Protection Requirements for Desktop and Laptop Computers

Each User shall ensure that the following protections, at a minimum, are implemented for each Endpoint that is a desktop or laptop computer:

Access to the Endpoint is password protected and conforms to the Columbia University Information Resource Access Control and Log Management Policy.
The Endpoint is running vendor-supported operating systems that are automatically updated and has up-to-date security patches installed.
A firewall is activated and configured on the Endpoint.
Anti-virus, anti-spyware and monitoring programs are installed to perform continuous and/or scheduled scanning to detect and/or prohibit unauthorized access. The virus definition list is updated at least once daily.
The Endpoint is configured to lock after 15 minutes of inactivity.
All University Data files used for University purposes are backed up regularly.
The Endpoint is physically protected and not shared with unauthorized persons.
Each Endpoint that stores University Data is disposed of in accordance with the Columbia University Sanitization and Disposal of Information Resources Policy.

C. General Protection Requirements for Mobile Devices

Each User shall ensure that the following protections, at a minimum, are implemented for each Endpoint that is a Mobile Device:

Access to the Endpoint is password protected in accordance with the Columbia University Information Resource Access Control and Log Management Policy.
The Endpoint contains a mechanism to encrypt all University Data stored on the device.
The Endpoint is configured to lock after 5 minutes of inactivity.
The Endpoint has a mechanism for a secure remote wipe if it is lost or stolen.
The Endpoint erases data after 10 failed password or log in attempts.
Each Endpoint that stores University Data is disposed of in accordance with the Columbia University Sanitization and Disposal of Information Resources Policy.
If the Endpoint is a mobile phone issued or financially subsidized by the University to support its administrative or academic operations, it is the responsibility of departmental administrators (or school or department equivalents) to enter the mobile phone number into People@Columbia (“PAC”), so that the mobile phone is enrolled in the University’s Emergency Text Message Notification System. Please note the following additional points:

If the Endpoint is a mobile phone not issued or financially subsidized by the University, it is recommended, but not required, that the Endpoint be enrolled in the University’s Emergency Text Message Notification System.
If any faculty or staff wish to receive emergency messaging on a different device than their Columbia-issued or subsidized mobile phone, they may log into PAC and change the mobile phone number via PAC Self-Service.

In addition, it is recommended, but not required, that the Endpoint contain a device recovery mechanism through the use of a GPS tracking system.

D. Additional Protection Requirements for Endpoints Containing Sensitive Data

Each User shall ensure that, in addition to the protections described in Section B or C above, the following protections are implemented for any Endpoint that processes, transmits and/or stores Sensitive Data:

A record of what Sensitive Data is stored on the Endpoint is maintained separately from the Endpoint.
Sensitive Data are encrypted while in transit and in storage, including such Data stored on Removable Media.
Only encryption technologies that are based on standard algorithms that have no inherent security flaws (e.g., AES, RSA, IDEA, etc.) are used.
At a minimum, a 256 bit encryption cipher key is used.
If the Endpoint is a desktop or laptop computer, it is encrypted leveraging full disk encryption.
The Endpoint does not use Peer-to-Peer Programs unless such use and the configuration of the Program are approved by the applicable Information Security Office.

It is recommended, but not required, that any Confidential Data stored on an Endpoint be accounted for and be password protected while in transit or in storage.

E. Additional Protections for Registered Endpoints.

Each User of an Endpoint registered in accordance with Section III (A) above must follow the specific provisions relating to Endpoints in the CUIMC Information Security Procedures.

F. Waivers and Exceptions

Any Security Manager may request that an Endpoint that contains Sensitive Data, but cannot use encryption because of technology or business limitations be granted a waiver of the provisions of this Policy by the applicable Information Security Office. Such a waiver may only be granted if such Office determines that there are compensating controls in place to address all major information security risks.

G. Supplemental Requirements

The requirements list set forth in this Policy are not comprehensive and supplemental controls may be required by the University to enhance security as necessary.

IV. Cross References to Related Policies

The Information Security Policies referred to in this Policy are listed in Appendix A hereto.