IT Policy Summaries

Columbia University IT Policies

This summary table provides high-level information about the IT policies which are published in the Columbia University Administrative Policy Library.


Policy Name

Policy description / purpose

Information Security Charter

Establishes the personnel responsibilities and functions within the Information Security Program and defines key terms and definitions used and referenced by the twelve IT policies


Acceptable Usage of Information Resources Policy

Provides guidance for the appropriate access and use of University information resources, proper conduct when using those resources and privacy expectations

Email Usage Policy

Provides guidance for proper use of email, necessary actions for sending sensitive data via email, and privacy expectations

Registration and Protection of Endpoints Policy

Provides general protection requirements for desktop and laptop computers, mobile devices and any endpoints that contain university data

Data Classification Policy

Classifies University information/data into four categories: Sensitive Data, Confidential Data, Internal Data, and Public Data


Social Security Number (SSN) Usage Policy

Provides guidance for SSN usage and how to eliminate unnecessary storage and use of SSNs as the primary identifier at the University, where possible

Electronic Data Security Breach Reporting and Response Policy

Establishes the responsibilities of the University Response Team (URT) for handling all aspects of a data breach incident and also provides an incident response checklist to triage the data breach


Sanitization and Disposal of Information Resources Policy

Defines the requirements for appropriate data deletion and proper disposal methods to be used when discontinuing use of University devices


Network Protection Policy

Defines the requirements that all network, communications and telecommunications-related equipment and devices, including cabling, be installed and maintained by authorized Columbia University network and technology support groups


Registration and Protection of Systems Policy

Describes the requirements for the security controls that protect systems that process, transmit and/or store University data

Information Resource Access Control and Log Management Policy

Describes the process of establishing, documenting and reviewing appropriate access to Columbia University information resources

Information Security Risk Management Policy

Provides guidance for the information security risk management program process

Business Continuity and Disaster Recovery Policy

Defines acceptable methods for business continuity and disaster recovery planning for the University’s business following the loss of systems that are critical to the operations of a business unit

External Hosting Policy

Describes the requirements for appropriate and approved use of externally hosted Columbia University Systems and/or Data.

Electronic Signature Policy

Establishes requirements for the use of electronic signatures in lieu of handwritten signatures in connection with official University activities, in order to ensure that electronic signatures are used consistently with the University’s Policies.