POLICY 5.9 CORNELL UNIVERSITY POLICY LIBRARY. Information technology data will be disclosed only according to the procedures outlined in this policy.



Similar documents
Contact: Henry Torres, (870)

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

COMPUTER USE POLICY. 1.0 Purpose and Summary

Information Resources Security Guidelines

13.19 ETHICS REPORTING POLICY AND PROCEDURE

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

PRIVACY POLICY. Last updated February 2, 2009 INTRODUCTION

Marist College. Information Security Policy

UNIVERSITY GUIDEBOOK. Title of Policy: Acceptable Use of University Technology Resources

Policy for the Acceptable Use of Information Technology Resources

MCOLES Information and Tracking Network. Security Policy. Version 2.0

IT Security Handbook. Incident Response and Management: Targeted Collection of Electronic Data

M&T BANK CANADIAN PRIVACY POLICY

Information Technology Acceptable Use Policy

BUSINESS ASSOCIATE AGREEMENT

R345, Information Technology Resource Security 1

3Degrees Group, Inc. Privacy Policy

Troy Cablevision, Inc. Subscriber Privacy Policy

WidePoint Solutions Corp. SAFE HARBOR PRIVACY POLICY

LINCOLN UNIVERSITY. Approved by President and Active. 1. Purpose of Policy

Sample Business Associate Agreement Provisions

California State University, Sacramento INFORMATION SECURITY PROGRAM

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Network Security Policy

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Information Security Policy

BERKELEY COLLEGE DATA SECURITY POLICY

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable

933 COMPUTER NETWORK/SERVER SECURITY POLICY

SAN FRANCISCO ADMINISTRATIVE CODE CHAPTER 96: COORDINATION BETWEEN THE POLICE DEPARTMENT AND THE OFFICE OF CITIZEN COMPLAINTS

OLYMPIC COLLEGE POLICY

Utica College. Information Security Plan

Disclaimer: Template Business Associate Agreement (45 C.F.R )

BUSINESS ASSOCIATE AGREEMENT ( BAA )

University Healthcare Physicians Compliance and Privacy Policy

PRIVACY NOTICE. Last Updated: March 24, 2015

Right to Financial Privacy Act

VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE. Computer Use - Computer and Electronic Communication Systems.

Data Management Standard

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

Bates Technical College. Information Technology Acceptable Use Policy

Information Security Program Management Standard

ESI Incident Response Procedures 1

Delaware State University Policy

Introduction PriorFX LTD Right to Privacy Information

Standard: Information Security Incident Management

UNITED CEREBRAL PALSY OF NORTHWEST MISSOURI NOTICE OF PRIVACY PRACTICES EFFECTIVE DATE: OCTOBER 22, 2014

RESPONDING TO SUBPOENAS AND REQUESTS FOR EXPERT WITNESS SERVICES. I. Purpose 1. II. Scope

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

1.2 This license shall be subject to the provisions herein stated, the Telecommunications Law and any regulations issued thereunder.

Responsible Access and Use of Information Technology Resources and Services Policy

Information Security Policy

Federal Trade Commission Privacy Impact Assessment

HIPAA Employee Training Guide. Revision Date: April 11, 2015

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

Information Technology Services Guidelines

HIPAA BUSINESS ASSOCIATE AGREEMENT

Rowan University Data Governance Policy

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

ELECTRONIC COMMUNICATION & INFORMATION SYSTEMS POLICY

EEOC and CRT share authority for the enforcement of Title VII with respect to state and local governmental employers.

Legislative Language

RezScore SM Privacy Policy

Advanced Eye Care & Optical 499 E Winchester Blvd., Suite 101 Collierville, TN Phone: Fax:

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

Prohibition Against Commingling and Misappropriation of Client Funds or. Property.

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Use & Disclosure of Protected Health Information by Business Associates

Legislative Language

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

Appendix : Business Associate Agreement

POLICY NUMBER B JULY 8, 2014

PRIVACY POLICY. Last Revised: June 23, About this Privacy Policy.

Transcription:

CORNELL UNIVERSITY POLICY LIBRARY Chapter: 9, Access to Information Data and Monitoring Network Policy/WCMC Information technology data will be disclosed only according to the procedures outlined in this policy. Cornell University does not monitor the content of network traffic except for legal, policy, or contractual compliance; in the case of a health or safety emergency; or for the maintenance and technical security of the network. The university reserves the right to restrict the use of its information technology resources and to remove or limit access to information technology resources. The university maintains its network and computer systems in a manner that supports its missions in teaching, research, and outreach, while complying with legal, policy, and contractual obligations. All units of the university All members of the university community This policy: www.dfa.cornell.edu/treasurer/policyoffice/policies/volumes/ informationtech/itdata.cfm University Policy Office: www.policy.cornell.edu 1

Policy/WCMC Access to Information Data and Monitoring Network Policy Statement 1 Reason for Policy 1 Entities Affected by this Policy 1 Who Should Read this Policy 1 Web Site Address for this Policy 1 Related Resources 3 Contacts, Ithaca Campus Units 4 Contacts, Weill Cornell Campus Units 4 Definitions 5 Responsibilities, Ithaca Campus Units 6 Responsibilities, Weill Cornell Campus Units 6 Principles 7 General Provisions 7 Procedures, Ithaca Campus Units 8 Access to Information Data 8 Requests for Information Data 9 Procedures, Weill Cornell Campus Units 10 Overview 10 Index 11 2

Policy/WCMC Access to Information Data and Monitoring Network University Policies and Documentation Applicable to All Units University Policy 5.1, Responsible Use of Information Resources Educational and Implementation Resources on the CIT Web site University Policies and Documentation Applicable to Ithaca Campus Units University Policy 4.12, Data Stewardship and Custodianship University Policy 4.13, Acceptance of Legal Papers University Policy 5.5, Stewardship and Custodianship of Electronic Mail External Documentation Electronic Communications Act, 1986 Federal Rules of Civil Procedure 16, 26, 33 and 34 U.S. Patriot Act of 2001 3

Policy/WCMC Access to Information Data and Monitoring Network Direct any general questions about this policy to your college or unit s administrative office. Direct questions about specific issues to the following offices. Contacts, Ithaca Campus Units Subject Contact Telephone E-mail/Web Address Policy Interpretation Requests for Information Data IT Policy Office, Cornell Information Technologies Chief Information Officer and Vice (607) 255-3584 it-policies@cornell.edu www.cit.cornell.edu/policies/ (607) 255-8054 www.cit.cornell.edu/oit/ Direct any general questions about this policy to your college or unit s administrative office. Direct questions about specific issues to the following offices. Contacts, Weill Cornell Campus Units Subject Contact Telephone E-mail/Web Address Policy Clarification and Interpretation Reporting Security Violations Reporting Violations of Rules and Regulations, Including Loss or Theft of Confidential Data WCMC Officer (212) 746-1121 Frank Maurer: fmaurer@med.cornell.edu Office of Academic Computing support@med.cornell.edu (monitored 24 hours a day) WCMC Officer (212) 746-1121 Frank Maurer: fmaurer@med.cornell.edu 4

Policy/WCMC Access to Information Data and Monitoring Network These definitions apply to these terms as they are used in this policy. Content Information (IT) Data Information (IT) Resource Legal Papers Monitoring Network Transmission User-generated information contained in applications or programs running on information technology systems, such as text in an e-mail or voice message, a telephone conversation, a spreadsheet, word document, etc. Data produced by computer systems or by voice and data network devices, such as routers, switches, private branch exchanges (PBXs), and firewalls. Examples of computer system data include records of a user s logins and logouts, services used, and file names created or modified. Examples of network device data include visited Internet addresses, and sizes and types of files sent or received. Note: IT data does not include the content of any voice or data communications. The full set of information technology devices (personal computers, printers, servers, networking devices, etc.) involved in the processing, storage, and transmission of information. Documents issued by a court, officer of the court, attorney, government agency, or administrative agency requiring the university or any unit of the university to appear in court, provide testimony, documents, records, or property, or to take or refrain from taking some action. Examples of legal papers include subpoenas, court pleadings (summonses, complaints, court orders, interrogatories, notices of deposition, requests for production of documents, notices to admit, and all other forms of demands for disclosure), restraining orders, garnishments, and mechanics liens. Automated or manual observation. Cornell University s system of interconnected IT components (e.g., switches, routers, optical fibers, and wires) used to support transmission of electronic data between attachable endpoints. An electronic signal, while it is moving from an origin to a destination point. 5

Policy/WCMC Access to Information Data and Monitoring Network Chief Information Officer and Vice Information Technologies (IT) Policy Director Network Administrators Requestors of IT Data Accept and review requests for information technology (IT) data, and approve, if appropriate. Notify IT Policy and Security directors of the outcome of the request for IT data. Provide clarification on University Policy 5.9, Access to Information Data and Monitoring Network. Disclose IT data only for the purposes of security, maintenance, or billing, or as approved by the Chief. Request IT data from the Chief, as appropriate. Note: For requests for IT data from law enforcement, proceed as directed in University Policy 4.13, Acceptance of Legal Papers. Information Technologies and Services Department (ITS) Receive and evaluate requests for access, review, and/or release of stored or transmitted electronic information. Allow access, review, and/or release of stored or transmitted electronic information in accordance with this policy. 6

Policy/WCMC Access to Information Data and Monitoring Network General Provisions Cornell University owns, manages, and maintains its data and telecommunications services as a private network. Under certain conditions, for reasons of legal and policy compliance, contractual obligations, or for maintenance or security, the university will monitor its network transmissions for content and reserves the right to remove or limit access to information technology resources. This policy enables the safeguarding of the privacy of the university s information technology data by establishing controls over access to such data, including limiting conditions under which that data may be disclosed. 7

Policy/WCMC Access to Information Data and Monitoring Network Access to Information Data Under the authority of University Policy 4.12, Data Stewardship and Custodianship, the Chief is responsible to establish rules for such disclosure in a way that promotes collaboration among data stewards and other university officials in an environment of trust within the Cornell community. Note: In accordance with University Policy 4.12, this policy concerns only administrative data and does not apply to information technology (IT) data used for research purposes. The Chief may approve disclosure of IT data only in the following limited circumstances: 1. When requested by the Office of University Counsel, a court order, or other entity with legal authority to do so 2. When requested by an appropriate university official, including, but not limited to, the Office of University Counsel, Division of Human Resources, or the Chief 3. When fulfilling the legal, regulatory, or other applicable duties of the college 4. When responding to an electronic or physical security issue or incident 5. In the event of a health or safety concern 6. To ensure the security, confidentiality, integrity, and availability of data stored or transmitted by WCMC information technology resources Notes: 1. Nothing in this policy is intended to prohibit or inhibit data custodians who handle IT data from performing their duties in the normal course of business. 2. The Chief has delegated to IT professionals the authority to disclose IT data for the purposes of security, maintenance, or billing. 3. Any data under this policy disclosed in response to reasonable requests to assist IT-related research will be anonymous. 4. For rules regarding the disclosure of institutional information stored on university-owned devices, please refer to University Policy 4.12, Data Stewardship and Custodianship. 5. For rules regarding the disclosure of electronic mail, see University Policy 5.5, Stewardship and Custodianship of Electronic Mail. 8

Policy/WCMC Access to Information Data and Monitoring Network Requests for Information Data All requests for IT data must be submitted to the Chief. Requests must include all of the following: 1. Reason for the request, which must correspond to the disclosure rules provided by this policy 2. Who requests receipt of the data 3. Intended use of the received data Note: In the event of requests for IT data from law enforcement, University Policy 4.13, Acceptance of Legal Papers applies. 9

Policy/WCMC Access to Information Data and Monitoring Network Overview Weill Cornell Medical College (WCMC) provides computer, e-mail, network, Internet, and telephone access to faculty, staff, and students for the purpose of furthering the mission of education, research, and patient care and for conducting general college business. While incidental and occasional personal use of such systems is permissible, personal communications and data transmitted or stored on WCMC information technology resources are treated as business communications, and are subject to automated surveillance by security systems managed by the Information Technologies and Services Department (ITS). WCMC community members should not expect that personal communications will remain private and/or confidential. While the college permits generally unhindered use of its information technology resources, those who use WCMC information technology resources do not acquire, and should not expect, a right of privacy. WCMC reserves the right to access, review, and release electronic information that is stored or transmitted using WCMC information technology resources. WCMC will initiate this access, review, or release only under one or more of the following circumstances: 1. When requested by the Office of University Counsel, a court order, or other entity with legal authority to do so 2. When requested by an appropriate WCMC official, including, but not limited to, the Office of University Counsel, Human Resources, the WCMC Officer, or the WCMC Security Officer 3. When fulfilling the legal, regulatory, or other applicable duties of the college 4. When responding to an electronic or physical security issue or incident 5. In the event of a health or safety concern 6. To ensure the security, confidentiality, integrity, and availability of data stored or transmitted by WCMC information technology resources In cases where more stringent controls, such as state regulations for psychiatric data, maintain a higher standard for authorized access, review, or release of data, the more stringent control will always take precedent. Whenever access, review, or release of WCMC data is necessary, care will be taken to treat the event with sensitivity and respect. 10

Policy/WCMC Access to Information Data and Monitoring Network Business communication... 10 Chief.. 4, 6, 8, 9 Confidential... 10 Confidential data... 4 Confidentiality... 8, 10 Controls... 7, 10 Data communication... 5 Data stewards... 8 Disclose... 1, 7, 8 Disclosure... 5, 8, 9 Electronic Communications Act, 1986... 3 E-mail... 5, 8, 10 Emergencies... 1 Faculty... 10 Federal Rules of Civil Procedure... 3 Health or safety concern... 8, 10 Human Resources... 8, 10 Information Technologies (IT) Policy Director... 6 Information Technologies and Services Department (ITS) (WCMC)... 6, 10 Information Policy Office... 4 Information technology resources... 1, 5, 7, 8, 10 Institutional information... 8 IT data... 1, 5, 6, 7, 8, 9, 10 access... 8, 10 requesting... 4, 6, 9 Law... 6 Law enforcement... 6, 9 Legal Papers... 5 Monitoring... 1, 5, 7 Network... 1, 5, 7, 10 Network administrator... 6 Normal course of business... 8 Office of Academic Computing (WCMC)... 4 Office of University Counsel... 8, 10 Personal communication... 10 Personal use... 10... 4, 7 Psychiatric data... 10 Respect... 10 Right of privacy... 10 Security... 1, 6, 7, 8, 10 Staff... 10 Student... 10 Theft... 4 Transmission... 5 Transmitted... 6, 8, 10 U.S. Patriot Act... 3 University policies 4.12, Data Stewardship and Custodianship... 3, 8 4.13, Acceptance of Legal Papers... 3, 6, 9 5.1, Responsible Use of Information Resources... 3 5.5, Stewardship and Custodianship of Electronic Mail... 3, 8 5.9, Access to Information Data and Monitoring Network... 6 University-owned device... 8 User... 5 Violation... 4 reporting... 4 Voice communication... 5 WCMC Officer... 4, 10 WCMC Security Officer... 10 Weill Cornell Medical College (WCMC)... 8, 10 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information