The University Policy Office announces the issuance of a revised University Policy 5.10, Information Security. This revision does not change the substantive philosophy of this important policy, but adjusts certain procedures to adapt to the changing security landscape. Below is a list of the major revisions to this policy:
- A new requirement for whole-disk encryption for all university-owned desktops, laptops, tablets, and smartphones (our best defense against a data breach caused by a stolen device);
- An encryption requirement for removable media on systems that store or process Level 1 data (sharper clarification of an existing requirement);
- The requirement for custom-developed web applications to scan free of vulnerabilities before going live (this is also a request from an old Audit finding);
- The requirement for 2-factor authentication for access to Level 1 data (an old recommendation in the policy now changes to a requirement);
- The recommendation of application whitelisting instead of antivirus on servers hosting confidential data;
- The strengthening of opening statements of Baseline requirements to accommodate growing university use of outsourced solutions.
Please familiarize yourself with this revised policy as it pertains to you, and direct any questions about this policy to it-policies@cornell.edu.