Last Reviewed: July 11, 2024
Approval Date: March 24, 2026
Purpose
Information Technology Resources and data constitute valuable Weill Cornell Medicine (WCM) assets. The use of these assets is constantly changing and evolving, and it is important that WCM articulate a clear statement regarding their appropriate use. This policy provides requirements for the responsible use of Information Technology Resources and data.
Scope
This policy applies to all WCM Workforce Members who utilize WCM Information Technology Resources as well as those responsible for managing and safeguarding WCM data.
Policy
All members of the Weill Cornell Medicine community are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by the college, or for college activities by authorized parties regardless of the medium on which the data resides and regardless of the format (e.g., electronic, paper, fax, or other physical form).
Departments are responsible for implementing administrative, operational, physical, and technical controls for access, use, transmission, and disposal of Weill Cornell Medicine data in compliance with all Weill Cornell Medicine policies, standards, procedures, and guidelines.
Weill Cornell Medicine expects community members, including but not limited to faculty, staff, and students, to use all Weill Cornell Medicine information technology resources and data in a manner that is legal, ethical, and consistent with the mission of education, research, and patient care.
Purpose
All WCM Workforce Members are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by the college, or for college activities by authorized parties regardless of the medium on which the data resides and regardless of the format (e.g., electronic, paper, fax, or other physical form).
Departments are responsible for implementing administrative, operational, physical, and technical controls for access, use, transmission, and disposal of WCM data in compliance with all WCM policies, standards, procedures, and guidelines.
WCM expects Workforce Members to use all WCM Information Technology Resources and data in a manner that is legal, ethical, and consistent with the mission of education, research, and patient care.
Definitions
Information Technology (IT) Resources are the computing systems, networks, software, data, and related services owned, managed, or provided by WCM to support clinical, research, educational, and administrative activities. This includes institutional devices, applications, accounts, and infrastructure used to access, process, store, or transmit institutional information.
Workforce Members: Faculty; Non-Faculty Academics; Staff; Students; Volunteers; and other persons whose conduct, in the performance of work for WCM, is under the direction and control of WCM, whether or not they are paid by WCM.
Procedure
1.01 Acceptable Use
Acceptable use of WCM IT resources and data includes, but is not limited to, Workforce Members:
- Respecting system security mechanisms, and not taking measures to circumvent, ignore, or break these mechanisms,
- Showing consideration for the consumption and utilization of ITS resources,
- Understanding and complying with policies, standards, procedures, and guidelines concerning the security of the WCM information technology and data, and,
- Assisting in the performance of investigation and remediation steps in a suspected or detected security incident.
1.02 Unacceptable Use
Unacceptable use of IT resources and data includes, but is not limited to, accessing or using WCM ITS resources without proper authorization, and/or any of the following:
- Use of ITS resources in violation of any WCM policy, NYP policy, or applicable law, regulation, or license;
- Any activity designed to hinder another person's or institution's use of its own Information Technology Resources or data;
- Downloading, executing, installing, distributing, or using unlicensed, suspicious, or malicious software (e.g., key generators, pirated software, spyware, viruses, etc.);
- Security breaches, intentional or otherwise, including negligent management of data, servers, workstations, other devices or peripherals, or applications resulting in unauthorized use or compromise; and
- Password use inconsistent with WCM Policy ITS-500.15 - Password Policy.
Compliance with this Policy
All WCM Workforce Members are responsible for adhering to this policy. Failure to comply will be evaluated on a case-by-case basis and could lead to corrective action, up to and including termination, consistent with other relevant WCM and University Policies. Instances of non-compliance that potentially involve a lapse of professionalism may lead to engagement of the Office of Professionalism for evaluation and intervention.
Contact Information
Direct any questions about this policy, 500.01 – Responsible Use of Information Technology Resources, to the Chief Information Security Officer, using one of the methods below:
- Office: (646) 962-3609
- Email: ciso@med.cornell.edu
References
- WCM Policy ITS-500.15 - Password Policy
- Cornell University Policy 4.6 – Standards of Ethical Conduct
Policy Approval
This policy was reviewed and approved by:
- Information Security and Privacy Advisory Committee (ISPAC) on March 19, 2026; and WCM-Executive Policy Review Group (WCM-EPRG) on March 24, 2026.
