Direct Connect (non-person)IDs
Apllication Integration IDs Accessing Restricted Data
Context:
...
- Annual certification acknowledging requirements and responsibilities
- A description of data use and application purpose must be included in the request for the Direct Connect ID. The Central Data Stewards must approve data access as well as specified use of the data prior to the Direct Connect account creation.
- Direct Connect IDs must be tied to only one specific service and must never be reused or shared.
- The Direct Connect ID owner must ensure that there are no confidential data stored or delivered through the developed application.
- If Student data are retrieved, FERPA protection requirements set forth by the University Registrar must be met. Please review FERPA policy and related FAQ documents at (http://www.policy.cornell.edu/vol4_5.cfm
) - End user authentication must be performed by the application using the Cornell central authentication infrastructure where possible. If integration into the central authentication infrastructure is not possible, local authentication is permissible provided a unique user ID and password are provisioned for each user.
- Service owners MUST ensure access is granted to data only which the user is authorized
- Service owners must provide quarterly reports detailing service users to the appropriate Data Steward
- The application or database infrastructure must meet the security requirements specified in University Policy 5.10 Information Security of Institutional Data (http://www.cit.cornell.edu/security/requirements/secreqs-baseline.html)
- Local audit logs must be retained for six months
- Audit logs must contain
- Date and time of access
- NetID of end user accessing the database
- IP address of end user accessing the database
- The Direct Connect ID Owner must request termination of the ID when use of the ID is no longer needed.
- If access needs change and additional tables are needed, the ID owner must obtain appropriate Data Steward approval for the new table access.