System Compliance

Policy Central

As members of the University Community and the School of Public Health, faculty and staff are obligated to abide by the guidelines and policies of the University. Below are links to those that are IT-related. (You are encouraged to review these periodically for updates, as policies change frequently.)

Acceptable Use of IT Resources
Full University Computing & Technology Policy Library
Medical Center Data Security Policies & Guidelines
- HIPAA Compliance
- Most recent HIPAA Privacy and Information Security Briefing
- CUMC System Registration & Certification (VPN required for off campus)
- Device Encryption
- Additional CUIMC Guidelines

Data Security & Me

Understanding the De-Identified Data Standard
What are the policies related to encryption?
What do I do if I have data that needs to be protected? Email Elizabeth Tashiro at es2222@cumc.columbia.edu
Where can I learn more about data security?

What Training Is Required?

CUIMC's Offices of HIPAA Compliance and Information Security team up to provide HIPAA training and security essentials annually. This is REQUIRED training for anyone doing work at CUIMC, with sanctions for noncompliers. Learn more.

Principle of Least Privilege

School data security guidelines and practices are based on the Principle of Least Privilege. The principle states:

That an individual, program, or system process is not granted any more access privileges than are necessary to perform the task.

What Are We Worried About

Data Classification Policy

	Category HS Highest Sensitivity (Confidential / Sensitive Data)	Category MS Moderate Sensitivity (Internal / Official Use Only Data)	Category NS Non- Sensitive (Public Data)
Protection requirement	Protection of data is required by acts, laws, regulations, Columbia University policy or contract	Columbia University has an obligation to protect the data	No regulatory requirement
Examples (not an exhaustive list)	• Credit card numbers • SSN • Passwords • Medical records • Genetic data • Student records • Prospective student info • Personnel record • Donor or prospect info • Financial info • Research materials • Contract • Confidential agreements • Other data not listed here but identified within HIPAA, GLBA, FERPA, PCI DSS or other privacy acts, regulations, laws.	• Financial transactions which do not include Category A data (e.g., telephone billing) • Physical plant detail • Certain management information	• Publicly posted press releases • Publicly posted schedules of cla

Considerations Prior to a Server Purchase

What Do I Have To Think About Before I Purchase a Server To Support My Project?

Before making any server purchase at the Mailman School, contact Elizabeth Tashiro. There are policies that govern data system creation and management that you must know before you decide to commit funds. For example:

All data systems must have a designated system custodian/system administrator who has completed the School training requirement;
All data systems must be certified annually by the Office of IT Security at CUMC;
All data systems must be housed in an IT-approved facility.

Elizabeth will help you navigate the process by informing you of relevant policies, getting you to the right people, and providing useful resources. You can get started yourself by checking out CUIMC's System Registration pages. She can be reached at (212) 342-3021 or es2222@cumc.columbia.edu.