Carnegie Mellon University

Guidelines for Data Protection


The purpose of these Guidelines is to define baseline security controls for protecting Institutional Data, in support of the University’s Information Security Policy.

Applies To

This Policy applies to all faculty, staff and third-party Agents of the University as well as any other University affiliate who is authorized to access Institutional Data.  In particular, this Guideline applies to those who are responsible for protecting Institutional Data, as defined by the Information Security Roles and Responsibilities.


Electronic Media is defined as media that records and/or stores data using an electronic process. This includes but is not limited to internal and external hard drives, CDs, DVDs, Floppy Disks, USB drives, ZIP disks, magnetic tapes and SD cards.

Information System is defined as any electronic system that can be used to store, process or transmit data.  This includes but is not limited to servers, desktop computers, laptops, multi-function printers, PDAs, smart phones and tablet devices.

Institutional Data is defined as any data that is owned or licensed by the University.

Least Privilege is an information security principle whereby a user or service is provisioned the minimum amount of access necessary to perform a defined set of tasks.

Media is defined as any materials that can be used to record and/or store data. This includes but is not limited to electronic media (see definition above), paper-based media and other written media (e.g. white boards).

Multi-factor Authentication is the process by which more than one factor of authentication is used to verify the identity of a user requesting access to resources.  There are three common factors of authentication: something you know (e.g. password, pin, etc.), something you have (e.g. smart card, digital certificate, etc.) and something you are (e.g. fingerprint, retinal pattern, etc.).  Use of username and password combination is considered single-factor authentication, even if multiple passwords are required.  Username and password used in conjunction with a smartcard is two-factor authentication.  Multi-factor authentication represents the use of two or three factors.

Privileged Access is defined as a level of access above that of a normal user.  This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms.  In a traditional Microsoft Windows environment, members of the Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have privileged access.  In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have privileged access.  In an application environment, users with ‘super-user’ or system administrator roles and responsibilities would be considered to have privileged access.