Office of the Chief Information Security Officer

Our mission is to protect the CUIMC community – our patients, students, faculty, and staff – from those who would exploit information technology to do us harm. 

Primary Goal 

The overall goal of the ISO is to ensure that CUIMC is operating at an acceptable level of risk with regard to external and internal information security threats and compliance issues, balancing those issues against our organizational goals and requirements.  

We strive to act effectively, efficiently, and above all with the utmost integrity in the fulfillment of our mission and achievement of this goal. 

Responsibilities 

CUIMC ISO’s responsibilities, in support of our Mission and overall Goal, include: 

  • Identifying and assessing changes in the threat and compliance landscape that affect CUIMC; 
  • Consulting with clinical, research, and educational partners to ensure the security posture of their systems, services, and processes are strong; 
  • Identifying and responding to malicious activity on CUIMC systems and infrastructure;  
  • Educating our community regarding information security risk;  
  • Providing a set of efficient, cost-effective services that improve the security posture of the Medical Center; 
  • Creating awareness on roles and responsibilities on IT governance  

The Information Security Office (ISO), part of CUIMC IT, facilitates all aspects of information security risk management at CUIMC, with a particular focus on threat management and HIPAA compliance. This includes administration and enforcement of information security policies on campus. ISO also provides guidance to CUIMC Schools and Departments regarding any information security concerns they may have. 

The ISO collaborates with the entire CUIMC community to protect the confidentiality, integrity, and availability of our critical information and computer resources. The ISO strives to implement secure computing infrastructure and practices with sensitivity to CUIMC's educational and research environment. 

See the Columbia University Information Security Charter

Organization Structure 

Reporting to the Chief Information Security Officer (CISO), the department is organized along the following areas of responsibility: 

IT Security Operations

Enforces CUIMC IT Security policies, standards, and guidelines. Executes proactive management and monitoring of security controls designed to protect CUIMC data and technology, including data loss prevention, vulnerability scanning, threat identification, and incident response. Also manages IT security training and awareness programs. 

Information Security Risk Management

Manages the IT risk governance process, including the system registration and certification program, IT group certification program, IT risk assessment process, and risk remediation management. 

Program Management

Communicates decisions, priorities, and relevant project information regarding ISO requests, projects, and initiatives. Serves as the strategic interface between the Information Security Office and CUIMC's IT groups and associated functional areas, and manages the delivery of a portfolio of projects where ISO has been tasked with project leadership.  

Need help from Security?

As a CUIMC IT group, Information Security enlists the CUIMC IT Service Desk to provide initial technical support 7 days a week; please contact extension 5-Help (212-305-4357), option 5 or email 5help@cumc.columbia.edu for immediate assistance with any technical questions or problems, including emergencies.