INFORMATION TECHNOLOGY USAGE POLICY
|
1:762
|
Introduction
As a part of its educational mission, Andrews University provides information technology services to students, faculty, administration and staff. The following policies and guidelines are established to maximize the educational benefit realized from the resources necessary to operate and maintain these facilities. Non-compliance with these policies and guidelines may result in penalties of varying degree.
General Expectations |
1:762:1 |
University-owned information technology resources are to be used for university business. In computing laboratories, academic work of students, faculty, and staff takes precedence over personal use. Use of university computers for personal commercial activities is prohibited. Recreational use of university-owned computers is prohibited during work hours except where an academic or administrative objective arises.
Generally, university work should be performed using equipment provided by the university. Where personally-owned equipment is used for university business, the university assumes no obligation to maintain or replace this equipment. Personally-owned equipment must not have university licensed software installed and may have limited or no access to some university resources.
Services Provided |
1:762:2 |
Providing and financing information technology service at Andrews University is shared by different groups and individuals:
-
Information Technology Services (ITS) provides and maintains the university’s wired and wireless networks and connections to the internet; various servers providing administrative and academic records, email, print and Web services; and a general computing laboratory.
-
Computer purchases are managed by ITS within the policies developed by the Computer Purchasing Committee (see policy #1:610:9) and are primarily centrally funded. Some unique accessories and components may be funded by the department utilizing the computer.
-
Computer software is provided for use on University-owned equipment through campus agreements managed by ITS or other departments. Funding is provided either centrally or by cost sharing among the departments utilizing the software. Software from these campus agreements must only be installed on University-owned computers.
-
Maintenance of computer hardware and software is provided by ITS, except as authorized by the Chief Information Officer (CIO). The cost of maintenance is shared with the department utilizing the computer.
-
Departments requesting specialized applications, unique hardware and/or servers should discuss their needs with ITS. Attempts to accommodate these requests will be made as resources allow.
-
ITS provides telephone and cable television services for University departments and residential facilities (excluding rental houses). These services are provided at a charge to University departments rather than directly to individuals.
-
ITS provides installation and support for classroom technology which is generally acquired via capital expenditures (centrally or departmentally funded). ITS provides audio and video production services for the University. Equipment installation and AV production services are billed to University departments, student clubs, or capital projects.
Technical Policies and Standards
Technical level policies and standards are set by ITS to ensure the successful interaction and interconnection of various information technology equipment. These include but are not limited to the following areas:
-
Wired and wireless networks including all devices connected to them
-
Servers and services
-
Cloud based services - require approval by the CIO.
-
Software purchase or development (see policy #1:762:2)
User Accounts and Access
All students, faculty, administration and staff must have an Andrews University account with a username and password. Access to University data is given only to authorized users and is granted to the user account. Access to the data will be discontinued when the individual no longer carries the role or function that required the access.
Passwords for Andrews University accounts must be carefully guarded, changed frequently, treated as a signature and never shared with anyone else including fellow employees or family members. Great care must be taken to avoid providing University usernames and passwords to any websites or servers that are not University systems, or in response to telephone or email requests.
The password chosen for use with the Andrews University account must be different from passwords used for other websites or organizations. Using the same password presents a significant security risk as there are frequent instances of security breaches where usernames and passwords are stolen.
Compromised user accounts will be disabled immediately. Attempts will be made to notify the individual responsible for the account. To reactivate the account, the password must be changed to a new password.
Email
Andrews University provides email for all students, faculty, administration and staff. The following policies govern the use of email:
-
All official Andrews University business conducted through email is to be sent and received utilizing the provided email system. For regulatory compliance and business continuity, the forwarding of email from faculty and staff University email accounts to other providers shall not be done.
-
Students who forward their email to other addresses will be held responsible for what has been sent to their University provided email address.
-
Emails to all faculty and staff or all students may only be sent by authorized individuals. Generally this includes Integrated Marketing and Communication, Human Resources, Campus and Student Life, Academic Records and the Offices of the President and Provost. All others interested in University wide emails should contact Integrated Marketing and Communication.
-
Confidential and sensitive information including financial information (e.g. credit cards, bank account numbers), information used for determining identity (e.g. birth dates, social security numbers, passwords) grades and other student or employee personal information protected by law must not be sent via email or other end-user messaging systems as this may violate state, federal or other regulations.
-
Email account size quotas will be set by ITS to protect the integrity of the email system and to help manage resources and functionality. Requests for needs in excess of the provided quotas may be made to the CIO.
-
Email messages will be filtered to remove objectionable email such as unsolicited email, email spreading malware, and email containing inappropriate content. Decisions regarding the methods and criteria to be used to filter email are made by the CIO.
Protection of University-Owned Computers
-
Every effort should be made to preserve the physical security of computers. Laptops must be under personal supervision, in a locked space, or secured with a locking device at all times, especially when traveling.
-
Users are responsible for the security of data on computers assigned to them. No files involved in official University business should be stored on individually assigned computers unless they must be accessed where no Internet services are available. In these situations a secure, passworded and encrypted method such as offline files must be used to protect these files from loss or access by unauthorized individuals.
-
University-owned computers are required to use directory services provided by ITS to access campus resources.
-
University-owned computers must be configured to utilize automatic security updates to the operating system and malware software and have other reasonable efforts deployed to protect from unauthorized access.
Wired and Wireless Networks
-
Connections to the wired data network will be made only by ITS personnel.
-
All switches, routers and wireless access points will be deployed and managed by ITS personnel except as approved by the CIO.
-
Wireless devices that interfere with University wireless services must not be utilized on campus.
-
No unauthorized servers providing user services such as name servers or DHCP servers are permitted on the campus network.
-
No connections may be made to an Internet Service Provider other than those provided by ITS.
-
ITS will allow access to network resources only through trusted network ports or protocols known to be reasonably safe from external threats. ITS may temporarily, and before giving notice, block normally usable ports or protocols under the existence or threat of a known attack until protective measures are taken on computers and/or network devices internal to the network.
-
In the case of significant risk to the availability of network resources, ITS may disconnect devices from the campus network without prior notice. ITS will make a good faith effort to contact the responsible and or affected parties as quickly as possible.
-
In cases involving lower risk, disconnection of devices shall occur only after reasonable attempts have been made to notify the user and after allowing a reasonable period of time for vulnerabilities to be corrected.
Network Monitoring
ITS may monitor the traffic on the University data network for the purpose of analyzing performance and resource utilization, intrusion detection, identifying security vulnerabilities and detecting malicious traffic. This process will generally not involve the inspection of individuals’ data.
ITS will make all reasonable attempts to support and maintain reliable information technology systems. Staff resources are not sufficient to provide monitoring of systems and correction of problems continuously. Attempts will be made to respond to significant service outages evenings and weekends as staff are able. When systems fail during the Sabbath hours, ITS staff will take action after the Sabbath has passed unless the failure has life/safety implications or in situations where a delay in response would potentially cause significantly increased damage to University property.
Departmental Servers
Any department wishing to operate servers on the University network that are not maintained by ITS must obtain authorization from the CIO. If approved the servers must be configured to permit administrative access by ITS staff so that they can react quickly in response to security vulnerabilities. Additionally, all authentication related interaction with servers must be encrypted utilizing secure methods.
Software Purchase or Development
To avoid duplication of administrative data and/or systems, to ensure data and network compatibility and to ensure that the software can be supported, software that uses or interfaces to institutional data (or potentially could interface) must be approved by the Director of Administrative Systems in ITS prior to purchase or development. Institutional data includes data involved in the official operation of University functions including those at the department or school level. Additionally any software involved in payment processing must meet the Payment Card Acceptance Policy (see policy #1:762:2 - Payment Card Acceptance Policy) including receiving the approval by the CIO and Financial Administration before being purchased or implemented.
When considering the purchase of other software that does not interface or use institutional data, consultation with the Director of Client Services in ITS is recommended prior to the purchase.
Payment Card Acceptance Policy
The protection of payment cardholder data is mandated by the Payment Card Industry for all organizations that process credit card transactions. Policies and procedures for processing of credit card transactions are established by Financial Administration and the CIO’s office and must be followed by all departments of the university in order to prevent significant fines and/or loss of the university’s ability to accept credit card transactions for payment.
All electronic transactions involving credit card data must be performed on systems provided or approved by University Financial Administration and the CIO’s office. Credit card information must not be stored in any electronic storage nor sent through email or other end user messaging system.
Paper documents containing credit card data must be kept only temporarily, unless approved by Financial Administration. These documents must be kept secured at all times and be transported to the Head Cahier for processing and storage. Once processing is completed, all paper documents containing credit card data must be destroyed with a cross-cut shredder.
All individuals involved in processing payment card transactions must participate in the university’s security awareness training and remain responsible for observing and reporting any signs of tampering with equipment or suspected theft or illegal use of credit card data.
Data Storage
-
Data involved in the official business of Andrews University must be stored on central storage systems supported by ITS rather than on computers assigned to individuals or departments.
-
Departments or offices requiring storage for databases, videos, or music must check with ITS prior to storage on the central storage systems for additional instructions.
-
Personal data (not related to the official business of Andrews University) must not be stored on University provided central storage systems. The storage of personal data on individually assigned university-owned computers is discouraged. It is the responsibility of the user to make backup copies of personal data as needed.
-
As departments become aware of new needs and increasing demands for data storage they should inform the Director of Servers and Networks in ITS so that appropriate capacity planning and capital expenditures can be completed to procure the storage needed.
Usage Policies |
1:762:3 |
Prohibited Activities |
1:762:3:1 |
Prohibited activities on Andrews University computers and networks, some of which may constitute criminal activity, include but are not limited to the following:
-
Unauthorized access to or use of other users’ accounts or data, system software, university data, network equipment, or other computer systems
-
Disclosing an individual’s password to another person or allowing another person access through one’s user account (logging in and allowing another person to use your access)
-
Unauthorized decryption of coded information such as passwords
-
Participation in a denial of service attack against any computers or networks
-
Retrieval, storage or transmission of copyrighted materials without the owner’s permission
-
Intentional introduction of malware or hardware or software used for unapproved collection of information
-
Attempts to evade or bypass system administration policies, such as resource quotas, firewall and web filtering
-
Forgery or attempted forgery of documents or email
-
Excessive use of resources, such as network bandwidth or disk storage
-
Unauthorized and/or unsolicited broadcasting of email
-
Harassment or intimidation of other users, including sexual harassment
-
Accessing, transmitting or storing documents, images or video that fail to meet content standards (See Section 1:762:3:2)Installation of servers, routers, switches or wireless access points (unless approved by the CIO) or in any location that disrupt ITS provided services
-
Using University resources for personal gain or to support a personal business
Content Standards |
1:762:3:2 |
Information transmitted over the network or made available to others (e.g. through Web applications, email, or other methods) shall be representative of a Christian university and must not include: profanity or obscene language; defamation of any individual or group; materials promoting hatred of cultural, ethnic, or religious groups; advocacy of lifestyles contrary to university policy; pornography and other sexually-oriented material. Illegal materials such as child pornography should not be accessed by or stored on any computer while connected with the university, whether personal or university owned.
Andrews University provides content filtering to minimize the exposure to inappropriate material on University computers and networks, however it is not possible to completely prevent it.
Privacy and Confidentiality |
1:762:4 |
ITS staff will make reasonable attempts to maintain the confidentiality and security of email and other documents stored on ITS managed and controlled servers. However, Andrews University cannot guarantee the confidentiality or privacy of email messages and other documents stored on ITS managed and controlled servers, and the university makes no promises regarding their security. The following items relate to confidentiality:
- Andrews University reserves the right to conduct routine maintenance, track problems, and maintain the integrity of its systems. As is the case with all data kept on university managed systems, the content of email and other documents may be revealed by such activities.
- ITS staff do not routinely monitor the contents of email or other documents. However, such monitoring may be conducted when required to protect the integrity of the systems or to comply with legal obligations. Additionally, automated systems may filter emails, documents and web sites for the purpose of protection from malware and inappropriate content.
- Andrews University reserves the right to inspect the contents of email and all documents in the course of an investigation into alleged impropriety or as necessary to locate substantive information not readily available by other means.
- Authorization to investigate the contents of user files must be given by the CIO on the basis of instructions from the university’s cabinet level administration.
Software and Intellectual Property |
1:762:5 |
All software on University or personally-owned computers must be legally licensed and users must observe license and copyright restrictions of all software and documentation.
Individuals must not retrieve, transmit or store copy protected materials such as movies, music, software, books, documents or graphics without the copyright owner’s permission. Additional information on this subject can be found on the University web site.
Policy Violation and Notification
If ITS staff find evidence of a violation of the Information Technology Usage policy, they will make reasonable efforts to inform the user, except when notification is impractical or when notification would be detrimental to an investigation of a violation of law or policy. Additionally, ITS staff will provide education and assistance in reconfiguration of hardware and software as resources allow.
Violations of the Information Technology Usage policy may result in short term loss of access to servers and network resources while the resulting problems are resolved and appropriate education and equipment reconfiguration occurs. In cases of serious policy violations, repeat occurrences or failure to receive cooperation from the individual, additional consequences may occur. These include longer term loss of access to server and network resources, referral to University discipline processes or if legal issues are involved, sharing the case with Campus Safety, local, county or state law enforcement or federal agencies.
Web (See section 1:765 Web Policy)
- All official University web sites must utilize the andrews.edu domain and URL’s unless an exception is approved by the Web Committee. Subdomains will be assigned by the office of Integrated Marketing and Communication.
- All official University web sites and services must be offered from ITS managed servers unless an exception is approved by the CIO.
- Web filtering systems are in effect for systems connected to Andrews University networks to attempt to minimize the exposure to inappropriate material.
WEB SITE MANAGEMENT
|
1:765
|
Andrews University is represented to the public through a university web site. This site is managed jointly by Information Technology Services (ITS) and the Office of Integrated Marketing & Communication. Its purposes are to:
- Project a positive image for Andrews University;
- Assist in the marketing of the university to various entities;
- Provide resources that support the educational mission of Andrews University.
- Improve internal communication for Andrews’ immediate and extended campuses. Procedures for the management of the web site are found on the web at: http://www.andrews.edu/siteinfo/
A Web Committee reporting to and chaired by Integrated Marketing & Communication director provides guidance in such management.
Responsibility for University Web Pages |
1:765:1 |
Centrally supported pages are designed to provide positive imaging for the entire university. Maintenance of these pages is the responsibility of the Web Coordinator(s) in the Office of Integrated Marketing & Communication in consultation with ITS.
Schools, academic departments and service departments create departmentally supported pages in order to provide information and resources. Maintenance of these pages is the responsibility of the dean or director of such entities.
Personal Home Pages |
1:765:2 |
Personal home pages are provided as a web service for faculty, staff and students. As an educational service, these pages are subject to the university standards for the content of pages stored on the university server (see policies #1:765:2:1 below, #1:762:3:1 and #1:762:3:2).
Content on personal web pages must comport with the ideals and mission of the university, as well as the spirit and specific content of the Code of Student Conduct in the Student Handbook. Such communication as intentional misrepresentation, racial or sexual harassment, profane or obscene language and sexually explicit material are prohibited. Personal web pages must not depict, describe or advocate that which is illegal or contrary to university standards. Links to other web sites and computers are also covered under this provision. Thus, a page may be judged in violation if it contains links to a page that is found in violation. All pages are subject to existing Andrews University policies as well as local, state and federal laws.
Intellectual Property Rights |
1:765:2:2 |
The content of all pages must respect intellectual property rights. For example, no copyrighted material may be shown on pages unless permission has been obtained in writing.
Commercial Business |
1:765:2:3 |
No commercial business endeavors are to be conducted through personal pages on the university system.
Parallel Organizations’ Home Pages |
1:765:3 |
The university server may host supporting organizations provided they meet the standards described on the web at http://www.andrews.edu/resources. Such sites must be registered with the Office of Information Technology Services (ITS). If the established criteria are not met, the site will not be hosted on the university server.
|