There are three types of safeguards to consider when securing university assets and records:
- Administrative security: Establish departmental and university processes, including authorizing; monitoring; and reconciling, to protect assets and records.
- Physical security: Protect physical records and assets from loss by theft or damage (e.g., door locks).
- Technical security: Protect electronic records from loss by theft, damage, or loss in transport. Examples include two-factor authentication and data encryption.
Purpose
Assets and records should always be kept secure to prevent unauthorized access, loss, or damage. The security of assets and records is essential for ongoing operations, information accuracy, privacy of personal information included in some records, and, in many cases, is required under various state or federal laws. For information about securing information, see University Policy 5.10, Information Security.
Key Concepts and Control Examples
Designate a Point Person:
Control Example: Designate a point person for all areas or individually for the three types of security to provide an established responsibility and accountability for proper security procedures.
Maintain Accurate Administrative Organization Charts:
Control Example: Maintain a current organizational chart that defines the reporting relationships and responsibilities, including back-up responsibilities, regarding internal controls within the unit. Document such processes as opening and distributing mail, administration of keys, access to documents and other administrative controls.
Limit Access to Electronic Records:
Limit access to records and assets to those who have been authorized and have a business need for them.
Control Examples:
- Establish and communicate unit standards for screensavers and password-protected screens.
- Set up password-protected access to electronic records, particularly for confidential, sensitive, or regulated information.
Limit Physical Access to Records:
Limit access to records and assets to those who have been authorized and have a business need for them.
Control Examples:
- Do not allow sensitive or confidential electronic records to be downloaded to mobile workstations and transported outside of the office.
- Keep important records in lockable, fireproof storage.
- Do not allow unauthorized access to a laptop computer or other mobile work device.
Remove Unneeded Access:
Remove access to records and assets upon separation or when there is not an ongoing business need for access.
Control Examples:
- Develop a checklist for removing access to records when an employee separates from the university or transfers out of the unit.
- Develop a process for and assign a point person with the responsibility of administering the process for deleting access to records.
Establish Password Standards:
Control Example: Develop a prescribed standard for departmental passwords. Strong, complex passwords should be used, and passwords should not be shared.
Use Other Technical Safeguards:
Encrypt all endpoint devices, employ two-factor authentication and other technical safeguards outlined in University Policy 5.10, Information Security.
Control Examples:
- Ensure all endpoint devices are encrypted to prevent unauthorized access to data.
- Implement two-factor authentication for all sensitive or confidential university data and related systems.
- Apply patches and security updates regularly, as soon as available.
- Use secure data transmission and storage mechanisms such as encrypted email, virtual private network (VPN), and Cornell Secure Data Transfer (see CIT's Regulated Data Chart).