Information Security Risk Management Program

The University’s “Information Security Risk Management Policy” establishes the Information Security Risk Management Program to perform risk analyses of information resources that store or process University Data. The Information Security Risk Management Program is charged with ensuring that the University is operating at an acceptable level of risk with regard to the confidentiality, integrity, and availability of its Information Resources.

An important part of the Risk Management Program is the risk assessment process. This includes registering the following systems in compliance with Columbia University's Registration and Protection of Systems Policy:

  • All Systems located on Columbia University’s Morningside Heights or Manhattanville Campuses that process, transmit and/or store Sensitive Data must be registered with the CU Information Security Office.
  • All Systems located at CUMC must be registered with the CUMC Information Security Office.

Columbia University’s Data Classification Policy defines Sensitive Data as: any information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, FERPA, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS, including but not limited to Personally Identifiable Information (PII) and Protected Health Information (PHI).

Currently, the above systems need to be registered in the risk assessment application RSAM.

Please see our FAQ for any questions you may have, or if you are having trouble with RSAM, check out our RSAM User Documentation. If you have any other questions about the Program, please feel free to contact us.