...
- Annual certification acknowledging requirements and responsibilities
- A description of data use and application purpose must be included in the request for the Application Integration ID. The Central Data Stewards must approve data access as well as specified use of the data prior to the Application Integration account creation.
- Application Integration IDs must be tied to only one specific service and must never be reused or shared.
- The Application Integration ID owner must ensure that there are no confidential data stored or delivered through the developed application.
- If Student data are retrieved, FERPA protection requirements set forth by the University Registrar must be met. Please review FERPA policy and related FAQ documents at (http://www.policy.cornell.edu/vol4_5.cfm)
- End user authentication must be performed by the application using the Cornell central authentication infrastructure where possible. If integration into the central authentication infrastructure is not possible, local authentication is permissible provided a unique user ID and password are provisioned for each user.
- Service owners must ensure access is granted to data only which the user is authorized
- The application or database infrastructure must meet the security requirements specified in University Policy 5.10 Information Security of Institutional Data (http://www.cit.cornell.edu/security/requirements/secreqs-baseline.html)
- Local audit logs must be retained for six months
- Audit logs must contain:
- Date and time of access
- NetID of end user accessing the database
- IP address of end user accessing the database
- The application The Application Integraion ID Owner must request termination of the ID when use of the ID is no longer needed.
- If access needs change and additional tables are needed, the ID owner must obtain appropriate Data Steward approval for the new table access.