Effective Date: September 12, 2023
Last Reviewed: May 6, 2025
Last Approved: September 23, 2025
By mandating a minimum set of security requirements, Weill Cornell Medicine (WCM) can reduce the risk of an adverse event. In the event that a security requirement cannot be met, WCM must still ensure that networks, applications, and data are protected. Variances will be evaluated in extenuating circumstances and may be approved with adequate business justification and appropriate compensating controls.
This policy applies to all WCM Workforce Members who utilize WCM information technology resources as well as those responsible for managing and safeguarding WCM data.
All WCM Workforce Members are responsible for protecting the confidentiality, integrity, and availability of information created, received, stored, transmitted, or otherwise used in WCM activities performed by authorized parties (hereinafter referred to as “data”). All devices used for WCM purposes, regardless of ownership, must meet the minimum security and system requirements defined in ITS policies. In the event that compliance with ITS policies cannot be achieved, a variance request must be submitted to ITS along with the appropriate business justification and compensating controls.
High Risk Data: Refer to WCM Policy ITS-500.03 – Data Classification.
Variance: A formal, documented exception to an established information security policy or standard that is approved by WCM ITS.
Workforce Members: Any Faculty; Staff; Students; Volunteers; Trainees; and other persons whose conduct, in the performance of work for WCM, is under the direction and control of WCM, whether or not they are paid by WCM.
Variances to ITS policies may increase the risk of an adverse event or loss of WCM’s networks, applications, and data. Requests for approval of variances shall be considered in relatively limited circumstances only when certain criteria are met. Variances are temporary and must be renewed at least annually, must have adequate business justification, and must have demonstrated compensating controls to manage the risk of an adverse event to an acceptable level. Variance requests must be submitted to ITS with approval from the Workforce Member’s Department Administrator.
Pursuant to WCM Policy ITS 500.06 – Device Encryption, all Workforce Members must take care to protect High Risk Data (as defined in WCM Policy ITS 500.03 – Data Classification) on their devices, including laptops, desktops, smartphones, and tablets. All devices owned by WCM must be encrypted, and devices not owned by WCM but used for WCM purposes must adhere to the appropriate safeguards (as defined in ITS 500.06 - Device Encryption).
Variances to device encryption shall be considered only when the following conditions are met:
There is significant risk in not encrypting devices used to access WCM High Risk Data, and a breach may result in regulatory sanctions and fines for WCM and the individual responsible for the data.
Pursuant to WCM Policies ITS 500.10 – Device Minimum Security Requirements (ITS-500.10) and ITS 500.11 – Requirements for Securing Systems (ITS-500.11), devices used for WCM purposes must use a modern operating system that regularly receives security updates from the manufacturer.
ITS management software ensures operating systems are kept up to date by regularly deploying upgrades and updates. Variances to operating system upgrades or updates (or to installation of management software) shall be considered only when either of the following conditions is met:
Devices that are able to receive operating system upgrades and updates from ITS but require a different deployment schedule do not require a variance. A request for a different deployment schedule may be submitted to ITS.
Pursuant to WCM Policies ITS-500.10 and ITS-500.11, devices used for WCM purposes must be configured to regularly or automatically install security updates from application developers.
ITS management software ensures applications are kept up to date by regularly deploying upgrades and updates. Variances to application upgrades or updates (or to installation of management software) shall be considered only when either of the following conditions is met:
Pursuant to WCM Policies ITS-500.10 and ITS-500.11, devices used for WCM purposes must have endpoint detection and response (EDR), anti-virus (AV), or anti-malware (AM) software that is installed, enabled, and regularly updated.
There is no variance for this EDR/AV/AM requirement. If the software conflicts with another application or process, specific exclusions can be created to mitigate or eliminate the issue. To request such an exclusion, users must submit a General IT request and be available to work with ITS personnel to troubleshoot the issue. Exclusions will not be created if the issues are not attributable to the EDR/AV/AM software or are otherwise avoidable. ITS management software ensures EDR/AV/AM software is installed, enabled, and regularly updated. If ITS management software is not utilized, then the owner or administrator of the device is solely responsible for this requirement.
All WCM Workforce Members are responsible for adhering to this policy. Failure to comply will be evaluated on a case-by-case basis and could lead to corrective action, up to and including termination, consistent with other relevant WCM and University Policies. Instances of non-compliance that potentially involve a lapse of professionalism may lead to engagement of the Office of Professionalism for evaluation and intervention.
Direct any questions about this policy, ITS-500.20 – Variances, to the Chief Information Security Officer, using one of the methods below:
This policy was reviewed and approved by: