System Compliance

Policy Central

As members of the University Community and the School of Public Health, faculty and staff are obligated to abide by the guidelines and policies of the University. Below are links to those that are IT-related. (You are encouraged to review these periodically for updates, as policies change frequently.)

Data Security & Me

What Training Is Required?

CUIMC's Offices of HIPAA Compliance and Information Security team up to provide HIPAA training and security essentials annually. This is REQUIRED training for anyone doing work at CUIMC, with sanctions for noncompliers. Learn more.  


Principle of Least Privilege

School data security guidelines and practices are based on the Principle of Least Privilege. The principle states:

That an individual, program or system process is not granted any more access privileges than are necessary to perform the task.


What Are We Worried About

Data Classification Policy


Category HS 
Highest Sensitivity 
(Confidential / Sensitive Data)

Category MS 
(Internal / Official Use Only Data)

Category NS 
(Public Data)

Protection requirement

Protection of data is required by acts, laws, regulations, Columbia University policy or contract

Columbia University has an obligation to protect the data

No regulatory requirement

(not an 

• Credit card numbers 
• SSN 
• Passwords 
• Medical records 
• Genetic data 
• Student records 
• Prospective student info 
• Personnel record 
• Donor or prospect info 
• Financial info 
• Research materials 
• Contract 
• Confidential agreements 
• Other data not listed here but identified within HIPAA, GLBA, FERPA, PCI DSS or other privacy acts, regulations, laws.

• Financial transactions which do not include 
Category A data (e.g., telephone billing) 
• Physical plant detail
• Certain management 

• Publicly posted press releases 
• Publicly posted schedules of cla

Considerations Prior to a Server Purchase

What do I have to think about before I purchase a server to support my project?

Before making any server purchase at the Mailman School, contact es2222 [at] (Elizabeth Tashiro). There are policies that govern data system creation and management that you must know before you decide to commit funds. For example:

1. All data systems must have a designated system custodian/system administrator who has completed the School training requirement;

2. All data systems must be certified annually by the Office of IT Security at CUMC;

3. All data systems must be housed in an IT approved facility.

Elizabeth will help you navigate the process by informing you of relevant policies, getting you to the right people, and providing useful resources. You can get started yourself by checking out CUIMC's System Registration pages. She can be reached at (212) 342-3021 or es2222 [at]