Registration And Protection Of Systems Policy

Describes the requirements for the security controls that protect systems that process, transmit and/or store University data

I. Introduction

This Policy describes the requirements for security controls to protect Systems that process, transmit and/or store University Data (as each is defined in the Columbia University Information Security Charter (the “Charter”)). Such requirements differ depending on whether such Data is Sensitive Data, Confidential Data, Internal Data or Public Data (as each is defined in the Charter).

Any System that processes, transmits and/or stores University Data must be registered in accordance with Section III(A), risk assessed and certified in accordance with Section III(B) and have the minimum protections set forth in Section III(C) and, if applicable, Sections III(D), (E), (F), (G), (H) and/or (I), in each case for the most restricted class of University Data that is processed, transmitted or stored on such System.

Capitalized terms used in this Policy without definition are defined in the Charter.

 

II. Policy History

The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:

  • CUIT Publishing Policy
  • Desktop and Laptop Security Policy, dated November 1, 2007
  • E-Commerce: Electronic Protection of Credit Card Holder Information Policy, dated June 2008, as amended in August 2009
  • Electronic Information Server Administrative Policy, dated March 1, 2007  
  • Encryption Policy, dated December 1, 2007
  • Peer-to-Peer (P2P) File Sharing Policy, dated October 2008

and (B) the following CUIMC Policies:

  • General Information Security Policy, dated November 15, 2007
  • Information Security: Audit and Evaluation Policy, dated November 15, 2007
  •  Information Security: Media, Backup and Controls, dated November, 2012.
  • System Registration and Certification Policy, dated May 13, 2011.

 

III. Policy Text

A. Registration of Systems

Systems at the University other than those registered with the CUIMC Information Security office must be registered with the Risk Management Group of the CU Information Security Office.

The following Systems must be registered with the CUIMC Information Security Office:

  • Any System that processes, transmits and/or stores PHI, regardless of location;
  • Any System that processes, transmits and/or stores University Data whose Data Owner or any related Executive Manager, Security Manager, System Owner, IT Custodian or IT Group is primarily affiliated with CUIMC or is included in the Columbia Health Care Component; and
  • Any System physically located at CUIMC or within the CUIMC IT operating environment or the Columbia Health Care Component.

Registration will be carried out in accordance with the procedures established by each such Office.

B. Risk Assessment and Certification Requirements for Systems

If required by the applicable Information Security Office, each System is subject to risk assessment by such Information Security Office, remediation, if necessary by the System Owner  and certification by such Information Security Office in accordance with procedures established by such Information Security Office.   Each certified System shall be recertified on a periodic basis, as determined by the level of risk, by the applicable Information Security Office.

C. General Protection Requirements for Systems

Each System Owner will ensure that the following protections, at a minimum, are implemented for each System:

  1. An IT Custodian has been appointed for the System by the System Owner. Contact information for Systems should be provided to [email protected] or [email protected], as applicable.
  2. The facility that houses the System’s Servers, including primary and backup equipment, is environmentally controlled and physically secured from unauthorized access.
  3. Each Server is physically labeled with a name or other identification.
  4. All University Data files on a Server are backed up regularly in accordance with the Columbia University Business Continuity and Disaster Recovery Policy. 
  5. Each of the System’s production Servers has a UPS that can provide emergency power and shut the Server down in case of a power outage.
  6. Standard configurations, as defined by the applicable Information Security Office, are used to establish a secure configuration baseline.
  7. Access to the System’s Servers and the University Data residing on the System is restricted and is maintained in accordance with the Columbia University Information Resource Access Control and Log Management Policy
  8. The System’s Servers are not used for general desktop functions, such as web browsing, conducting personal email or other Columbia business or non-business functions.
  9. The System’s Servers are running vendor-supported operating systems and have up-to- date security patches installed.
  10. The System’s Servers are accessible only for the services provided and only to as much of the Network as is required to provide such services, and firewalls or equivalent protections prevent unauthorized access. To the extent practicable, anti-virus, anti- spyware and System monitoring programs are installed to protect and/or prohibit unauthorized access.
  11. Any Peer-to-Peer Program is used only for University purposes, is configured properly as directed by the applicable Information Security Office and does not permit general purpose file sharing over the Internet.
  12. Only required services that run on the System’s Servers are enabled. Unneeded services are disabled.
  13. Each System used for University purposes is disposed of in accordance with the Columbia University Sanitization and Disposal of Information Resources Policy.
D. Additional Protection Requirements for Systems Containing Sensitive Data

Each System Owner shall ensure that, in addition to the protections described in Section C above, the following protections are implemented for each System that processes, transmits and/or stores Sensitive Data:

  1. A record is kept of what type of Sensitive Data are stored on the System’s Servers and of all changes to the configuration of the Server, and such documentation is kept in a secure, locked location away from the Server.
  2. In web-based Systems that are exposed to the Internet, protection mechanisms are implemented to prevent common web-based attacks. Examples of protection elements include web-based firewalls and/or source code security reviews. All such Systems are protected according to the Web Application Security Standard Operating Environment. 
  3. Sensitive Data are encrypted while in transit and in storage, except that Users within CUIMC may internally transmit unencrypted EPHI if it is sent to an Approved OHCA Email System.
  4. Removable Media containing Sensitive Data are encrypted.
  5. In Relational Database Management Systems, Sensitive Data are encrypted in a way that permits database administrators to perform their management functions without access to such Data in a readable format.
  6. The System’s Servers are maintained in appropriate Data centers, Server closets or Data closets that meet or exceed the following physical requirements:
  • Video camera surveillance;
  • Badge reader (rather than key) access;
  • Use of a visitor log to document all visitors who accompany an authorized User, which is posted by the main ingress/egress point of the secure facility;
  • Alarms on the door that alert University Public Safety if (x) the door is left ajar, (y) the door is forced open or (z) the security lock malfunctions; and
  • An emergency power shut off button that can cut off power to all circuits in the case of a fire or other physical threat.

It is recommended, but not required, that Confidential Data be protected with a password while in transit or in storage.

E. Additional Protection Requirements for Registered Systems

Each System Owner of any System that is registered in accordance with Section III (A) must follow the specific procedures relating to Systems in the CUIMC Information Security Procedures https://secure.cumc.columbia.edu/cumcit/secure/policy/procedures.html.

F. Additional Protections for Email Systems

Each email System Owner shall ensure that, in addition to the protections described in Section C and, if applicable, Sections D and E above, the following protections are implemented for such System:

  1. Virus, spam and phishing protection for inbound and outbound messages is implemented through the use of mail filtering software that includes features such as content analysis and real time blacklists.
  2. SMTP relay is performed only for authenticated Users or Systems.
  3. Monitoring to detect compromised email accounts is implemented and such accounts are disabled on a timely basis.
  4. Data loss prevention is implemented to ensure that unencrypted Sensitive Data are transmitted only within the University Network or the CUIMC/Hospital OHCA.
  5. Detection or prevention mechanisms are implemented to monitor the use of automatic forwarding, redirection or other automated delivery of email as required by the Columbia University Email Usage Policy. 
G. Additional Protections for Credit Card Information

Each System Owner shall ensure that, in addition to the protections described in Sections C and, if applicable, D, E and F above, the following protections are implemented for such System:

  1. The requirements of the Columbia University Credit Card Acceptance and Processing Policy (the “Credit Card Policy”) are complied with.
  2. Cardholder Data (“CHD”) and Sensitive Authentication Data are not captured, stored, processed or transmitted on University Servers or the University Network other than encrypted CHD through a PCI-validated Point-to-Point-Encryption (P2PE) Solution. Credit cards may not be processed via WiFi.
  3. All local IT support groups comply with the requirements of the Merchant Security Review Form referred to in the Credit Card Policy prior to the implementation of or changes to any credit card related services in the merchant environment.
  4. All merchant environments are approved by CUIT’s PCI Security Group ([email protected]).
H. Waivers and Exceptions

Any System Owner may request that a System that contains Sensitive Data, but cannot use encryption because of technology or business limitations be granted a waiver of the provisions of this Policy by the applicable Information Security Office.  Such a waiver may only be granted if such Office determines that there are compensating controls in place to address all major information security risks.

I. Supplemental Requirements

The requirements lists set forth in this Policy are not comprehensive and supplemental controls may be required by the University to enhance security as necessary.

IV.  Cross References to Related Policies and Other Documentation

The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.