System Protection and Registration

A. Reason for Procedure

To ensure the security of the Lamont network, all Systems that process, transmit and / or store University Data must meet a minimum level of protection and be registered to document that protection. That level of protection differs depending on the most protected Data Type the System processes, transmits and / or stores.

Systems are defined as server-based software that resides on a single Server or multiple Servers and is used for University purposes. "Application" or "Information System" is synonymous with "System".

B. Responsible Office and / or Officer

The Project Owner / Project IT Custodian is responsible for ensuring all Systems that process, transmit and / or store the project's Data have at least the minimum protections operating and that they are registered with the CU IT Department.

The Lamont IT Department is responsible for maintenance of this procedure, and for responding to questions regarding it.

C. Procedure

All Systems must be registered with the CU RSAM application here http://rsam.cumc.columbia.edu/ (to access it, you must be on the CU network or connected to the CU VPN - see https://vpn.cc.columbia.edu). The registration procedure starts with entering information about the System into a form and submitting it to be reviewed. Documentation is here https://cuit.columbia.edu/itrm/rsam-guides and an FAQ is here https://cuit.columbia.edu/itrm/rsam-guides/faq. After review by the Risk Management team, further information may be requested based on their analysis.

Notes:

  • The CU VPN https://vpn.cc.columbia.edu is different from the LDEO VPN used to access the Lamont network.  After you have logged in to the CU VPN website with your UNI, you have the option to download their VPN client or connect to the RSAM site through the VPN webpage.
  • The first stage of the registration process is essentially a questionnaire to gather basic facts about the system: who owns it, what it does, how many people have access, etc.
  • CU ISO will review the registration to assess the potential security issues with the system, then ask for more details if necessary.
  • The Data Classification for a system is the most sensitive Data type processed, stored or transmitted by the system, so you may want to group systems based on this classification.  NOTE: data from unpublished research is considered Confidential Data by CU Policy - see /content/data-classification for more details.

Specific Notes about the Registration Form:

  • When creating a new Registration, select "Columbia University: EIL Lamont (LDEO)" for the "Organizational Business Unit".  IMPORTANT: you won't be able to edit either the name or the Business Unit after creation, so be sure it's correct.

The "System Info" section:

  • The System's Data Classification is the most sensitive type of University Data processed, transmitted or stored by the System.
  • The most confusing question is "How many records does this system hold?", which only makes sense for database Systems.  For other Systems, we suggest you choose a metric and be consistent between your registrations.  For example, you can define one "record" as one gigabyte of data stored, or as one concurrent process that can be run.

The "System Stakeholders" section:

  • The "System Owner" and "IT Custodian" answers are limited to entries in the CUIT databases. If you can't find someone in the "System Owner / IT Custodian" database, you can press the "Domains" button and add domains to widen the search.
  • The best results are using their UNI and adding "columbia.edu" to the search list - if you don't know someone's UNI, you can search for them here https://directory.columbia.edu/people/search.
  • "Certified IT Group" should be "CU - Other".

The "System Environment" section:

  • They ask for a description of how this System connects to other Systems - remember this is an application-level question, not a physical network question.  If you have a connectivity diagram, you can upload it here, although it is not required.

The next three sections "Security Posture", "Billing" and "ISO use only" have no user questions and can be skipped.

In the next set of sections, check all answers that apply.

The "Data: Business Function" section:

  • Most are going to answer "Research" here.

The "Data: Information Classification" section:

  • Most are going to answer "Publication of Research" and / or "Unpublished research data or other intellectual property".

The "Data: Individual Identifiers" section:

  • Most are going to answer "None of the above" unless you are involved in medical research.

The "University System" section questions are self-explanatory.

D. References

Data classifications are listed here: LDEO Data Classification

Refer to the CU Registration and Protection of Systems Policy here: https://universitypolicies.columbia.edu/content/registration-and-protection-systems-policy