/
Volume II: 2.4 Information Technology Policies

Volume II: 2.4 Information Technology Policies

2.4  Information Technology Policies


2.4.1 Acceptable Use of University Computer and Network Systems Policy

ACCEPTABLE USE OF UNIVERSITY COMPUTER AND NETWORK SYSTEMS POLICY 

Effective Date:

May 6, 2019

Policy Number:

II – 2.4.1

Supersedes:

Not Applicable.

Issuing Authority:

President

Responsible Officer:

Chief Information Officer

Applicability:

 

 

All students, staff, faculty, contractors, consultants, and other workers at Canisius University, including all personnel affiliated with third parties. This policy applies to all University-owned or University-leased information systems, including but not limited to, computer and network systems.

History:

Updated Nov. 9, 2021


PURPOSE

The purpose of this policy is to outline the acceptable use of the University’s information systems, including but not limited to, its computer and network systems and to promote the efficient, ethical, and lawful use of the University’s information systems and equipment.

POLICY

Canisius University information systems, including but not limited to its computer and network systems (hereinafter collectively referred to as “information systems”), are intended for use in University-related research, instruction, learning, enrichment, and administrative activities. Authorized Users must use only those information systems that they are authorized to use and are permitted to use them only in the manner and to the extent authorized. Ability to access such systems does not, by itself, imply authorization to do so. Authorized Users are responsible for ascertaining what authorizations are necessary and for obtaining them before proceeding. See the Access Control Policy for additional information.

Further, the University expects University employees, students, and other Authorized Users to utilize the University’s information systems and resources in a lawful and responsible manner consistent with the University’s mission of education, research, and service. While the University makes its information systems available primarily for use in University-related research, instruction, learning, enrichment, and administrative activities, it realizes the need for personal use of its systems for the convenience of the campus community. Any personal use of these systems may not violate any University practice or policy, including but not limited to the procedures and policy guidelines set forth in this policy. Moreover, the use of the University’s systems by employees for purposes unrelated to their University positions, however, must be limited and not interfere with their official responsibilities or University functions. It is the responsibility of University employees to consult their supervisors if they have any questions in this respect.

The University recognizes that Authorized Users may use personal devices when conducting University business or accessing the University’s information systems. Authorized Users are still responsible for following the Acceptable Use Policy when using personal devices. See also the Mobile Device and Support Policy for more information.

If an Authorized User is not clear as to what constitutes an appropriate use, the user should contact the University’s chief information officer to determine whether a particular activity is permissible.

DEFINITIONS

Authorized User—are all individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel, and other individuals authorized by the University to access a University computer, the University network(s), or information systems that collect, process, maintain, use, share, disseminate or dispose of University Data.

University Data— any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any department, program or office of the University in support of the University’s mission.

University Information System—a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.  The term system is used throughout this policy to represent all types of computing platforms that can process, store, or transmit University Data.

University Personnel—Canisius University trustees, executive officers, administrators, faculty, staff, student employees, contractors, and others who act on behalf of the University.

Computer and Network Systems—any University-owned or leased computer, mobile device, or software, as well as any part of the University’s computer, data, voice or video networks (including all information systems) physically located on any University owned, leased, or rented property or located on the property of any third-party with the permission of the University. This includes devices on such networks assigned any routable and non-routable IP addresses and applies to the University’s wireless network and the network serving the University’s student residence housing and any other vendor supplied network made available to the University community.

Covered Data and Information—means all Non-Public Personnel Information of customers required to be protected under the Title V of the Gramm Leach Bliley Act of 1999 (“GLBA”), including Student Financial Information. Covered Data and Information includes both paper and electronic records.  Covered Data and Information is classified as Private, Highly Restricted University Data pursuant to the Data Classification Policy.

Data Custodians—the custodian of University Data is generally responsible for the processing and storage of University Data.  The custodian is responsible for the administration of controls as specified by the Data Owner.  By definition, Data Custodians are also Authorized Users.

Data Owners—the owner of a collection of University Data is usually the manager responsible for the creation of that data or the primary user of that information.  This role often corresponds with the management of department.  In this context, ownership does not signify proprietary interest, and ownership may be shared.  By definition, Data Owners are also Authorized Users.

Media—includes, but is not limited to, paper, hard drives, random access memory (RAM), read-only memory (ROM), disks, flash drives, memory devices, phones, Mobile Devices, networking devices, and all-in-one printers.

Members of the University Community—includes any person who is a student, University employee, volunteer, trustee, alumni, as well as University organizations, clubs, groups, and teams.  This definition also includes all University departments, offices and programs.

Mobile Device— any handheld or portable computing device including running an operating system optimized or designed for mobile computing.  Any device running a full desktop version operating system is not included in this definition.

Non-Public Personal Information—any personally identifiable financial or other personal information, not otherwise publicly available, that the University has obtained from a customer in the process of offering a financial product or service; such information provided to the University by another financial institution; such information otherwise obtained by the University in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available.  Examples of personally identifiable financial information include names, date and place of birth, mother’s maiden name, biometric records, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.

Personally Identifiable Information or PII—any information about an individual that (i) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (ii) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual; and (iii) is protected by federal, state or local laws and regulations or industry standards.

Private University Data—any University Data classified as Private-Highly Restricted and Private-Restricted pursuant to this policy.  By definition, Private University Data includes, but is not limited to, Covered Data and Information, Student Financial Information, Personally Identifiable Information, Student Education Records, Human Subjects Research Data or Other Sensitive Research Data, Protected Health Information,  and Sensitive Authentication Data.  See the University Data Classification Policy for additional information.

Public University Data—University Data that by law are available to the public upon request, and that the loss of the data would not cause significant personal, institutional, or other harm.

Sensitive Authentication Data—Full track data (magnetic strip data or equivalent on a chip, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks.

Software—any programs used to operate computers and related devices. Software is frequently divided into two categories: system software and application software. System software includes the operating system and the utilities that enable the computer or device to operate. Application software consists of programs that perform productive work for users. Application software includes such items as word processors (e.g., Word, WordPerfect), spreadsheets (e.g.: Excel), graphic and data management programs (e.g.: Photoshop, Access), and statistical packages.

Student Education Records—as defined by the Family Educational Rights and Privacy Act (FERPA), student education records are all records which contain information directly related to a student and maintained by the University, including those files, documents, and other materials (in handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche) that contain information directly related to a student which are maintained by the University or by a person acting for the University pursuant to University or department policy.  Information that is captured as a result of a student’s various activities at the University is part of the student record.  This information includes, but may not be limited to, logs, databases or other records of: websites the student has visited, purchases made at University facilities, entry day/time into University facilities, library use and biometric records.

Student Financial Information—information the University or its affiliates have obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution.  Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CRF §225.28.  Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

PROCEDURES/GUIDELINES

I. Conditions of Use

In using the University’s information systems, Authorized Users agree to the following conditions of use:

  1. Authorized Users of the University’s information systems do so subject to applicable laws and the University’s policies and procedures;
  2. The University will endeavor to safeguard the confidentiality of Authorized Users and the possibility of loss of information within the University’s information systems but will not be liable to the user in the event of any such loss. The user must take all reasonable measures to further safeguard against any loss of information within the University’s information systems;
  3. Authorized Users of the University’s information systems recognize that when they cease to be formally associated with the University (e.g., no longer an employee, student, contractor, or visitor to the University), their information/data may be removed from the University’s information systems without notice. Exceptions will be reviewed by the chief information officer;
  4. The University reserves the right to limit permanently or restrict any Authorized User’s usage of the University’s information systems; to copy, remove, or otherwise alter any information/data or system that may undermine the authorized use of the University’s information systems; and to do so with or without notice to the user in order to protect the integrity of the University’s information systems against unauthorized or improper use, and to protect authorized users from the effects of unauthorized or improper usage;
  5. The University, through authorized individuals, reserves the right to periodically check and monitor its information systems, including but not limited to the right to review, access, audit and monitor files/messages on Authorized Users’ assigned computers, mobile devices, and emails;
  6. The University reserves the right to take emergency action to safeguard the integrity and security of its information systems. This includes but is not limited to the termination of a program, job, or on-line session, or the temporary alteration of Authorized User account names and passwords. 

Canisius University disclaims any responsibility and/or warranties for information and materials residing on non-University information systems or available over publicly accessible networks, except where such responsibility is formally expressed. Such materials do not necessarily reflect the attitudes, opinions, or values of the University, its employees, or students.

II. Acceptable Uses

     A. General Guidelines

     General guidelines for the acceptable use of University information systems are based on the following principles and Authorized Users are expected to:

  1. Behave in a manner consistent with the University’s mission and comply with all applicable laws, regulations, and University policies, as well as applicable licensing and contractual agreements;
  2. Behave responsibly and respect the name of the University and the integrity and security of University information systems at all times;
  3. Respect the rights and property of others, including privacy of person-to-person communication in all forms, including voice (telephone), text (electronic mail and file transfer), and images (graphics and video), confidentiality, and intellectual property (e.g. do not violate copyright laws or use software procured with academic use licenses for commercial applications or development, unless the license explicitly permits such use);
  4. Use University information systems for the activities or purposes for which they are assigned (e.g., University information systems are not to be used for personal commercial purposes without written authorization from the University);
  5. Guard against abuses that disrupt or threaten the viability of any University information systems, including those at the University and those on networks to which the University’s information systems are connected or accessible; 
    1. Abuses include but are not limited to the use of unauthorized equipment such as wireless access points, wireless routers, cable routers, etc. or utilizing shared resources such as CPU cycles or network bandwidth to a degree that adversely impacts academic or research activities;
  6. Comply with information technology security policies and associated controls employed by the University and protect assigned accounts and non-public University Data from unauthorized access by others; and
  7. Report violations of this policy to the chief information officer.

If an Authorized User is not clear on what constitutes an appropriate use, the user is expected to contact Information Technology Services (“ITS”) to determine whether a particular activity is permissible.

     B. Security Habits

     In addition to the above, Authorized Users are expected to adhere to reasonable and necessary security habits when using University resources. These habits include:

  1. Accessing Private University Data only to conduct University business and only as authorized by the applicable Data Owner;
  2. Keeping account information, including passwords, confidential;
  3. Logging out of computers or using a password-protected screensaver when leaving the office;
  4. Running University-provided antivirus and antispyware software;
  5. Installing operating system updates when prompted;
  6. Using caution when opening email attachments and other unexpected data;
  7. Storing Private University Data, whenever feasible, on a centrally managed server, rather than a local hard drive or portable device (see the Media Protection Policy);
  8. In cases when an Authorized User must create or store Private University Data on a local hard drive or a portable device such as a laptop computer, tablet computer, smart phone, or other mobile device, the Authorized User must ensure the data is encrypted in accordance with Media Protection and Mobile Device Use and Support policies;
  9. Encrypting Private University Data during transmission over an unsecured network;
    1. Email sent to and received from University email accounts are automatically encrypted. ITS provides tools and processes for Authorized Users to send encrypted data over unsecured networks to and from other locations;
    2. Authorized Users who store University Data using commercial cloud services must use services provided or sanctioned by University, rather than personally obtained cloud services;
  10. Disconnecting devices determined by ITS to lack required security software or otherwise pose a threat to University information systems;
  11. Returning all University information systems that are no longer being used productively for University business to ITS for reallocation, repair, or disposal. 
  12. Authorized Users may not directly give, lend, rent, donate, or dispose of University information systems. See also the Media Protection and Mobile Device Use and Support policies; and Adhering to the standards of outside resources accessed from the Canisius network.

III. Privacy and Personal Use

Since the University’s communication systems are the property of the University, all communications are subject to review by appropriate and authorized employees at any time. Data may be retained in backup systems, even after its apparent deletion.

Users should be aware that personal privacy in their use of the University’s information systems sent to or from, or stored in, the University’s systems cannot be guaranteed in the event of legal or disciplinary proceedings.

Authorized Users are responsible for exercising good judgment regarding the personal use of the University’s information systems. If there is any uncertainty regarding personal use of the University’s information systems, users should consult the ITS Help Desk. University personnel may also consult with their supervisor or manager. At no time should the University’s information systems be used in a way that is at odds with University policy or applicable state or federal law.

IV. Unacceptable Use

Certain actions are strictly forbidden when an Authorized User is granted access to a University information systems. Under no circumstances shall a user of the Canisius University’s information systems:

  1. Engage in any illegal activity using University information systems assets;
  2. Engage in any activity contrary to University policy using University information systems assets;
  3. Introduce malicious software into the campus information systems;
  4. Reveal University information or allow the unauthorized use of University information systems by people outside of the Canisius community;
  5. Attempt to breach, disrupt, eavesdrop on, circumvent the security of, or otherwise tamper with network communications, the personal devices of others in use at the University, or technology external to the University;
  6. Access a University information systems using another user’s account information;
  7. Use University information systems to violate intellectual property laws;
  8. Use Canisius University information systems assets for personal commercial or for-profit activities, or to promote political causes;
  9. Use Canisius equipment or network resources for viewing or exchanging pornography or sexually explicit materials except when engaged in the study of such material as part of an approved academic activity;
  10. Acquire University information systems assets on behalf of the University, whether by purchasing, licensing, or subscribing to them, or by donating or accepting donations, whether their use is for a fee or free. In addition, users may not unilaterally dispose of University technology resources. See the Computer Asset Disposal and Computer Replacement policies for more information;
  11. Contact information technology vendors seeking additional products or services on behalf of the University except for individuals authorized to do so as part of an approved ITS project or activity and faculty exploring instructional technologies to enhance individual courses. All additions and changes to University information systems (especially systems and software) are to be governed by an organized methodology;
  12. Attempt to modify or repair University information systems, or arrange with technology vendors or private individuals for modifications or repairs. Authorized Users must contact the ITS Help Desk promptly to report problems with technology;
  13. Connect personal equipment (e.g. networking equipment, keyboards, monitors, printers, scanners, etc.) to information systems assets at University locations, with the exception of external storage devices;
  14. Give, loan, or relocate University information systems assets without of the chief information officer or designee approval;
  15. Use any software on personal devices connected to University information systems that provides network or file services to others (such as web servers, file servers, network protocols);
  16. Use the University’s information systems to assume the identity of another (e.g., by sending forged electronic mail);
  17. Utilize the University’s information systems to interfere with the proper functioning or the ability of others to make use of such systems, of others’ personal technology, or of technologies external to the University (e.g. excessive use of storage in the Canisius google workspace);
  18. Utilize the University’s information systems to engage in any conduct that is likely to result in retaliation against the information systems, the personal devices of others, or technology external to the University, including engaging in behavior that results in any server being the target of a denial of service attack; and
  19. Attempt to decrypt encrypted information unless they are authorized staff performing security reviews or investigations. The use of network “sniffers” is restricted to authorized system administrators or contractors tasked with solving network problems or conducting security audits. Network tools must not be used to monitor or track any individual’s network activity except under special authorization by the chief information officer.

Canisius University strongly protects the right of all members of the University community to be free from any form of electronic harassment or abuse. Members of the University community receiving any such unwanted or threatening electronic messages should immediately contact ITS so that appropriate disciplinary and/or legal action may be taken. In the event of an incident of Sexual or Gender-based Misconduct, the University’s Title IX coordinator may be contacted. Responsible Employees who become aware of such incidents are required to report the incident to the Title IX coordinator. See the University’s Sexual and Gender-Based Misconduct Policy for additional information, including confidential reporting procedures.

V. Withdrawal of Access

Access to the University’s information systems, from both remote and on campus site, is a privilege granted to Authorized Users. Access to University’s information systems may be granted, limited, or withdrawn by the University at any time. 

partial list of possible factors for termination include:

  1. Observance of relevant University policies and associated controls, guidelines, laws, and contractual obligations;
  2. The requester’s need to know;
  3. The information’s sensitivity;
  4. System load;
  5. Availability of training;
  6. Risk of damage to or loss by the University; and
  7. The Authorized User’s previous history of use.

The University reserves the right to monitor, extend, limit, restrict, or deny privileges and access to its information systems for any reason at any time.

If it appears that the integrity, security, or functionality of the University’s information systems are at risk, Canisius University reserves the right to take any necessary action to investigate and remediate the problem. This action may include monitoring network activity, viewing user-generated files, and/or terminating access. In such cases, a written report of the findings will be forwarded to the appropriate University officials. In order to assure continuity for academic and administrative departments, similar procedures may be used after an employee is separated from the University or no longer able to perform required duties.

VI. Use of University Email Systems

     A. Access to University Email System(s)

       1.Account Creation

University email accounts are created based on the official name of the employee as reflected in Human Resource records. Student and alumni accounts are created based on the name on file with the Registrar. 

Requests for name changes to correct a discrepancy between an email account name and official University records will be processed, in which case the email account name will be corrected. Requests for email aliases based on name preference, middle name, etc., are evaluated on a case-by-case basis.

Employees or departments may request temporary email privileges for individuals outside of the University (i.e., guests, third-party contractors, volunteers).  Such requests must be approved in writing by the appropriate area vice president or designee.

       2.Account Termination

Individuals may leave the University for a variety of reasons, which gives rise to differing situations regarding the length of electronic mail privileges or expiration of electronic mail accounts.  Guidelines governing those privileges are set forth below. Notwithstanding the guidelines below, access to University’s email system(s) may be limited or withdrawn by the University at any time.

  1. Faculty who leave before retirement–full-time faculty who leave before retirement and have not been granted emeritus status will have email privileges removed effective on their last day worked. If such separation is for cause, email privileges may be immediately revoked without notice.
  2. Staff who leave before retirement– staff who leave the University will have email privileges removed effective on their last worked day. Exceptions for business continuity may be made upon request of the department head and approval by the chief information officer. If such separation is for cause, email privileges may be immediately revoked without notice.
  3. Retired Faculty– full-time faculty who have retired and/or have been granted emeritus status from the University will be permitted to retain their email privileges if their account remains active. These accounts are renewable on a 5-year cycle. At the end of each cycle the faculty member will receive an email notification to which they must respond, otherwise the account will be subject to deletion.
  4. Retired Staff–staff who have retired from the University will have email privileges removed effective on their last worked day. Exceptions for business continuity may be made upon request of the department head and approval by the chief information officer.
  5. Volunteers and Guests-volunteers and guest who leave the University will have email privileges removed effective on their last day with the University. If such separation is for cause, email privileges may be immediately revoked without notice.
  6. Students who leave before graduation–students who leave the University without completion of their degree or other program may keep their email privileges for 180 days from the last term when they were registered.
  7. Expelled students-if a student is expelled from the University, email privileges will be terminated immediately.
  8. Alumni– students who have graduated from the University will be permitted to retain their email privileges for five (5) years after they graduate, provided their account remains active. All email accounts that are inactive for a period greater than one year are subject to removal.

     B. Acceptable Use of University Email Systems

  1. Authorized Users are expected to read their University email on a regular basis and manage their email accounts appropriately. Authorized Users are presumed to have received and read all email messages sent to their official University email account.
  2. Authorized Users must ascertain, understand, and use their accounts in accordance with the acceptable use policies outlined above and other applicable University policies, as well as those laws, regulations, contracts, and licenses applicable to the use of email systems and accounts.
  3. To avoid confusing official University business with personal communications, University employees may not use non-University email accounts to conduct University business. Conversely, University email should not be used for personal communications.
  4. Authorized Users must comply with security measures employed by the University and protect assigned electronic mail accounts from access by others.
  5. University email accounts may not be used to send mass emailing or commercial solicitations (a.k.a “spam”) to individuals, newsgroups, or mailing lists where such content is not part of the purpose of the group or list or for the purpose of University business (see the Mass Email Policy).
  6. Microsoft Exchange email accounts are subject to the same retention policy as paper records and the University’s Email Retention Policy. Authorized Users who receive a notice of a legal hold are responsible for keeping copies of all relevant documents, including email.
  7. If an Authorized User is not clear on what constitutes an appropriate use, the user is expected to contact his/her supervisor or ITS to determine whether a particular activity is permissible.

Note: Authorized Users who use email communications with persons in countries outside the United States should be aware that they may be subject to the laws of those other countries and the rules and policies on other systems and networks.

     C. Unacceptable Uses of University Email Systems

The following specific actions and uses of University email systems are improper:

  1. Any use of a University email account that interferes with University activities and functions or does not respect the mission, image, and reputation of the University;
  2. Alteration of a source or destination address of email;
  3. Use of a University email account for commercial or private business or personal communications that have not been approved in writing by the appropriate area vice president;
  4. Use of a University email account in violation of University policy or applicable laws and regulations;
  5. Use of a University email account to harass, threaten, incite violence, threaten violence, defraud, or defame other individuals;
  6. Use of a University email account to infringe on another person’s copyright, trade or service mark, patent, or other property right or is intended to assist others in defeating those protections;
  7. Email content that violates, or encourages the violation of, the legal rights of others or federal and state laws;
  8. Use of a University email account to intentionally distribute viruses, worms, Trojan horses, malware, corrupted files, hoaxes, or other items of a destructive or deceptive nature;
  9. Purposefully interfering with the use of the University’s email system(s), or the equipment used to provide the email services by customers, authorized resellers, or other Authorized Users;
  10. Purposefully altering, disabling, interfering with, or circumventing any aspect of the University’s email system(s);
  11. Testing or reverse-engineering the University’s email system(s) in order to find limitations, vulnerabilities or evade filtering capabilities;
  12. Use of a University email account to create a risk to a person’s safety or health, create a risk to public safety or health, compromise national security, or interfere with an investigation by law enforcement;
  13. Use of a University email account to improperly expose trade secrets or other confidential or proprietary information of another person;
  14. Sending unsolicited email messages, junk mail, spam, or advertising material to individuals who did not specifically request such material, as well as sending mass or chain messages in violation of the Mass Email Policy;
  15. Forging or the unauthorized use of email header information;
  16. Use of a University email account to unlawfully discriminate against another individual on the basis of age, race, religion or creed, color, sex, national or ethnic origin, sexual orientation, marital status, military status, genetic predisposition or carrier status, gender identity, gender expression, familial status, domestic violence victim status, pregnancy, citizenship or immigration status, disability, criminal conviction or any other status protected by local, state or federal law;
  17. Sending, viewing, or downloading offensive content of any kind, including pornographic material or messages of a sexist, obscene, harassing, threatening, or racist nature;
  18. Sending, viewing, or downloading messages of a political nature for the purpose of proselytizing and/or soliciting funds or donations;
  19. Creating or forwarding chain letters, Ponzi, or other pyramid schemes of any type;
  20. Transmitting Private University Data without appropriate encryption protection ; and
  21. Use of a University email account for illegal gambling.

Authorized Users are responsible for the content of their email messages and must understand that others can use such content as evidence against them.

Any questions as to whether the use of a University email account for academic, research, or educational purposes could violate the spirit of this policy should be brought to the attention of the user’s supervisor or ITS.

VII.     Enforcement

ITS is responsible for the appropriate enforcement of this policy. During the course of any investigation of alleged inappropriate or unauthorized use, it may be necessary to temporarily suspend a user’s system privileges, but only after determining there is at least a prima facie case against the individual, as well as a risk to University’s information systems if privileges are not revoked. This is a necessary action taken to prevent further misuse and does not presume that the account holder initiated the misuse. Unsubstantiated reports of abuse will not result in the suspension of user account or network access unless sufficient evidence is provided to show that inappropriate activity occurred.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Any student found to have violated this policy will be subject to disciplinary action through the Community Standards.

Visitors and others third party users who violate the provisions of the policy are subject to loss of access to the University’s information systems. They may also be subject to criminal and/or civil proceedings. In addition, the vice president for finance and administration may administer other appropriate sanctions.

VIII.    Notification

Users must report any identified weakness in University computer security and any incident of possible misuse or violation of this policy to ITS.

RELATED POLICIES

Access Control Policy

Audit and Accountability Control Policy

Cloud Computing Policy

Computer Asset Disposal Policy

Computer Asset Replacement Policy

Configuration Management Policy

Copyright and Intellectual Property Policy

Data Classification Policy

Email Retention Policy

Health Insurance Portability and Accountability Act Policy

Identification and Authentication Policy

Information Security Program

Information Security Awareness and Training Policy

Information Technology Incident Response Policy

Mass Email Policy

Media Protection Policy

Mobile Device Use and Support Policy

Password Policy

Peer-to-Peer File Sharing Policy

Personnel Security Policy

Political Activities and Speakers Policy

Record Retention and Disposal Policy

Remote Access Policy

Sexual and Gender-Based Misconduct Policy

Social Media Policy

Standards of Ethical Conduct

Student Records (FERPA) Policy

Wireless Access Points Policy

2.4.2 Access Control Policy

ACCESS CONTROL POLICY

Effective Date:

May 9, 2019

Policy Number:

II – 2.4.2

Supersedes:

Enterprise Resource Planning (ERP) Access Policy.

Issuing Authority:

President

Responsible Officer:

Chief Information Officer

Applicability:

 

All University Information Systems that collect, process, maintain, use, share, disseminate or dispose of Private University Data (“applicable information system(s)”), as well as all Authorized Users who access, use, or handle those resources.

History:



PURPOSE

The purpose of this policy is to protect information systems that collect, process, maintain, use, share, disseminate or dispose of Private University Data. Access control ensures that an authenticated user accesses only the systems and Private University Data for which that user is authorized to access.

POLICY

It is the policy of Canisius University to limit access to University Information Systems that collect, process, maintain, use, share, disseminate or dispose of Private University Data to authenticated Authorized Users. The University employs the principle of least privilege, allowing access only to those authenticated Authorized Users (or processes acting on behalf of Authorized Users) necessary to accomplish assigned tasks in accordance with the University’s mission and business functions.

DEFINITIONS

Authorized User—are all individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel, and other individuals authorized by the University to access a University computer, the University network(s), or information systems that collect, process, maintain, use, share, disseminate or dispose of University Data.

University Data— any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any department, program or office of the University in support of the University’s mission.

University Employees—includes Canisius University executive officers, administrators, faculty, staff, student employees, contractors, and others who act on behalf of the University.

University Information System—a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used throughout this policy to represent all types of computing platforms that can process, store, or transmit University Data.

Covered Data and Information—means all Non-Public Personnel Information of customers required to be protected under the Title V of the Gramm Leach Bliley Act of 1999 (“GLBA”), including Student Financial Information. Covered Data and Information includes both paper and electronic records. Covered Data and Information is classified as Private, Highly Restricted University Data pursuant to the University Data Classification Policy.

Data Custodians—the custodian of University Data is generally responsible for the processing and storage of University Data. The custodian is responsible for the administration of controls as specified by the Data Owner. By definition, Data Custodians are also Authorized Users.

Data Ownersthe owner of a collection of University Data is usually the manager responsible for the creation of that data or the primary user of that information.  This role often corresponds with the management of department. In this context, ownership does not signify proprietary interest, and ownership may be shared. By definition, Data Owners are also Authorized Users.

Members of the University Community—includes any person who is a student, University employee, volunteer, trustee, alumni, as well as University organizations, clubs, groups, and teams. This definition also includes all University departments, offices and programs.

Non-Public Personal Information—any personally identifiable financial or other personal information, not otherwise publicly available, that the University has obtained from a customer in the process of offering a financial product or service; such information provided to the University by another financial institution; such information otherwise obtained by the University in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, date and place of birth, mother’s maiden name, biometric records, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.

Personally Identifiable Information or PII—any information about an individual that (i) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (ii) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual; and (iii) is protected by federal, state or local laws and regulations or industry standards.

Private University Data—any University Data classified as Private-Highly Restricted and Private-Restricted pursuant to the University Data Classification Policy. By definition, Private University Data includes, but is not limited to, Covered Data and Information, Student Financial Information, Personally Identifiable Information, Student Education Records, Human Subjects Research Data or Other Sensitive Research Data, Protected Health Information, and Sensitive Authentication Data. See the Data Classification Policy for additional information.

Public University Data—University Data that by law are available to the public upon request, and that the loss of the data would not cause significant personal, institutional, or other harm.

Sensitive Authentication DataFull track data (magnetic strip data or equivalent on a chip, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks.

Student Education Recordsas defined by the Family Educational Rights and Privacy Act (FERPA), student education records are all records which contain information directly related to a student and maintained by the University, including those files, documents, and other materials (in handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche) that contain information directly related to a student which are maintained by the University or by a person acting for the University pursuant to University or department policy. Information that is captured as a result of a student’s various activities at the University is part of the student record. This information includes, but may not be limited to, logs, databases or other records of: websites the student has visited, purchases made at University facilities, entry day/time into University facilities, library use and biometric records.

Student Financial Information—information the University or its affiliates have obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution.  Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CRF §225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

PROCEDURES/GUIDELINES

I.          Role Based Access Control

Access to a given resource in the applicable information system is authorized based on the individual’s job classification and function (also called “role-based access control”) and is approved by the applicable Data Owner in accordance with the granting of access procedures set forth below. An Authorized User is given the minimum access level to a given resource in the ERP system in order to perform his/her job or contracted duties.

A.        Granting of Access

Access to University information systems is granted by the applicable Data Owner. The request for access must be submitted, in an email message to bannersecurity@canisius.edu, by the supervisor of the employee who needs access. This request must include a delineation of the University Data that the employee (or vendor or other third-party contractor) needs to access, so that proper accommodations can be made. See the Information Technology Personnel Security Policy for additional information.

Access to forms containing Private University Data, including social security numbers, date of birth, bank account numbers, or salary data, etc. must be approved by the controller.

B.        Rescinding of Access

Access to an information system will be removed by Information Technology Services (“ITS”) immediately upon termination of employment or, in the case of a vendor or other third-party, cessation of the individual’s engagement with the University. Additionally, access to an information system will be removed when an employee’s position changes within the University, regardless of whether there is a change in department. See the Information Technology Personnel Security Policy for additional information.

Access to the software, for purposes of the new position, will be granted through the standard Granting of Access procedure above. 

C.        Special Consideration for Student Access

Because of the higher turnover among student employees, information system software access for all students will be terminated at the end of every semester. Departments that need access for their students will apply for that access at the beginning of the next semester through the Granting of Access procedure above.

There is to be no write access to information systems for undergraduate student employees. Graduate students may have write access, in keeping with the standards outlined in Granting and Rescinding of Access procedure above. While “generic” accounts may exist for data lookup purposes, any data modification must be done with an Authorized User account.

D.        Sharing of Access

In keeping with the University’s Acceptable Use Policy, sharing of login credentials in an attempt to circumvent access restrictions is a serious offense. Authorized Users who need access to particular forms or data should contact the applicable Data Owner so that accommodations may be made. Authorized Users issued login credentials are responsible for any actions, including data access, manipulation, modification, or deletion that takes place under the auspices of those credentials.

II.        Access Enforcement

Access to applicable information systems is managed using the following controls:

  1. Access to Private University Data via a University information system is controlled through centralized authentication and overseen by the applicable Data Owner to ensure only Authorized Users are allowed access to the data (see Section I above);
  2. University information systems are configured by ITS to authenticate user credentials prior to allowing access to the system:
    1. All systems with University Data not entirely classified as Public in accordance with the Data Classification Policy must be accessed by a unique Login ID issued by ITS and an associated account; and
    2. Shared accounts must be assigned to a primary responsible Authorized User and issuance requires the approval of the chief information officer or designee;

See Section I above for additional information.

III.       Separation of Duties

Where feasible, the University separates duties of individuals for tasks that are susceptible to fraud or other unauthorized activity.

  1. ITS, in collaboration with applicable Data Owners, considers separation of duties when approving access within applicable information systems. Separation of duties include, but are not limited to, the following:
    1. Mission functions and distinct information system support functions are divided among different individuals/roles;
    2. Different individuals perform information system support functions (e.g., system management, configuration management, quality assurance and testing, network security);
    3. ITS staff who administer access control functions do not administer audit functions; and
    4. Different administrator accounts are issued for different roles.
    5. The Data Owner is responsible for ensuring and documenting separation of duties.

IV.       Least Privilege

The University employs the principle of “least privilege” when assigning access to Authorized Users. This means that Authorized Users are assigned only the minimum rights necessary to perform the roles and responsibilities of the job function.

  1. Authorized User accounts must be approved by the applicable Data Owner;
  2. Administrator access accounts are approved by the chief information officer (or a designee), who ensures the duties assigned to the user require administrator access to the system and accompanying University Data;
    1. ITS maintains a list(s) of employees approved for administrator account access;

                                                              i.      The list(s) is reviewed at least annually by the chief information officer or designee;

  1. Each individual granted administrator access receives appropriate security awareness training in accordance with the Information Technology Security Awareness and Training Policy;
  2. Each individual granted administrator access must use the account or access privilege most appropriate for the requirements of the work being performed (e.g., Authorized User account vs. administrator account);
  3. Each individual granted administrator access must refrain from abuse of privilege and only conduct investigations as directed by the chief information officer;
  4. Each individual granted administrator access must use a password escrow to enable ITS to gain access to the system in an emergency.
  5. Use of shared administrator accounts are generally not allowed. However, in some situations, a provision to support the functionality of a process, system, device (such as servers, switchers or routers) or application may be made (e.g., management of file shares).  Such exceptions require the approval of the chief information officer and documentation which justifies the need for a shared account:
    1. The password for a shared administrator access account must change under the following conditions:

                                                              i.      An individual knowing the password leaves the University or department;

                                                            ii.      Job duties change such that the individual no longer performs functions requiring administrator access; and

                                                          iii.      A vendor or third-party contractor with administrator account access leaves or completes its work.

  1. Special access accounts (e.g., vendor or third-party contractor) are to be used in very limited situations and must provide individual accountability. Special access accounts must be:
    1. Requested in writing by a Data Owner (or his/her authorized designee) and authorized by the chief information officer or designee.
    2. Created with a specific expiration date;
    3. Monitored when accessed remotely by the vendor or third-party contractor; and
    4. Removed when the task or project is complete.
    5. In those cases where law enforcement agencies request access in conjunction with a lawful investigation, the request must be made in writing (e.g., subpoena, court order). All such requests must be reported to the chief information officer, who will consult with the University’s legal counsel, before any action is taken.

V.        Unsuccessful Login Attempts

ITS enforces, through the use of baseline configurations, a limit of login attempts by a user. If a user has unsuccessfully attempted more than three (3) attempts to login to an account within a 15-minute timeframe, the account will be locked for a minimum of thirty (30) minutes (or until an ITS enables the user ID) and the user may try again after that time. This control is in place, in part, to help prevent brute force attacks.

VI.       System Use Notification

University information systems are configured by ITS, where feasible, to display a screen at login which clearly states that the system is the property of the University and is for authorized use only.  The notification informs potential users that the system may be monitored, recorded, and audited, and that use of the system implies consent to monitoring and recording. The text displayed also states that the user acknowledges and agrees with the Acceptable Use of the University Computer and Network Systems Policy and that unauthorized use may be subject to disciplinary action, as well as criminal and civil penalties. The notification will remain on the screen until the user acts to log onto the system, acknowledging the notification.

VI.       Session Lock

ITS, through the use of baseline configurations, enforces a session lock as a temporary action taken when an Authorized User stops work, and the resource is idle. The session lock, where feasible, will be set to initiate after an appropriate period of idle time in order to conceal potentially Private University Data on the screen. The session lock, however, is not intended to take the place of logging out of a resource, as required in the Physical and Environmental Protection Policy.

VII.     Permitted Actions without Identification or Authentication

To protect the integrity and availability of Public University Data, ITS generally requires identification and authentication on information systems containing only Public University Data. Some uses of these systems may be exempted to not require authentication, such as general form submission and anonymous reporting. 

VII.     Remote Access

Remote access is any access to a University information system by an Authorized User (or process acting on behalf of a user) communicating through an external network (e.g., the Internet or connection (e.g., dial-up, broadband, wireless).

ITS requires that all Authorized Users with a need to connect to a University information system while not physically located on the University network to use the encrypted virtual private network (VPN) to securely connect. This includes all connections using broadband, wireless, or dial-up methods.  The use of the VPN protects the confidentiality and integrity of University Data. Once connected, the Authorized User’s normal access privileges are granted.

  1. It is the responsibility of an Authorized User with VPN privileges to the University network to ensure that the remote access connection is given the same consideration as the Authorized User's on-site connection to the University network;
    1. VPN access is to be controlled using the Authorized User’s NetID and LDAP password;
    2. When connected to the University VPN, all traffic from the user will be sent through the encrypted tunnel.  All other traffic will be dropped;
    3. The VPN concentrator(s) will be set up and maintained by ITS;
    4. All computers connecting to the University VPN must have active, up-to-date antivirus software and operating system patches;
    5. VPN users will be automatically disconnected from the network after 60 minutes of inactivity;
    6. In the unusual circumstance that an employee connects to the VPN using non-University equipment, he or she must configure that equipment to comply with Canisius University VPN and network standards;
    7. Only VPN clients approved by Canisius University ITS may be used to connect to the University VPN;
    8. ITS will occasionally require the user of a VPN-connecting computer to bring it to campus to be audited and updated. Failure to do so will result in the suspension of the user’s VPN privileges;
    9. At no time is a remote user connected to the University network permitted to connect to another network or device beyond the initial device making the connection. This includes, but is not limited to split tunneling, dual homing, or otherwise re-routing University traffic beyond the intended endpoint;
    10. It is the responsibility of an Authorized User with VPN privileges to ensure that unauthorized users (e.g., family, friends, etc.) are not allowed access to the University network;
    11. Authorized Users may not provide the user’s NetID and LDAP password to other individuals;
    12. Authorized Users must take every reasonable effort to ensure the confidentiality, integrity, and availability of University Data and University information technology resources used remotely (e.g., not leaving Mobile Devices unattended or in public plain view);
    13. Remote access users are not permitted to download or otherwise store Private University Data on their personal Mobile Devices (see the System and Communications Protection, Media Protection and Mobile Device Use and Support policies). This includes the transfer of such data to a personal cloud service such as Dropbox or Google Drive (see the Cloud Computing Policy);
    14. Authorized Users must understand their responsibilities for protecting Private University Data, and the consequences for mishandling such data.



Note: Logon through VPN is mandatory for all remote access by administrative users to the University information systems.


VIII.    User of External Information Technology Resource Systems

Authorized Users must comply with the Cloud Computing Policy before using an externally-managed information system.

All connections between University information systems and external systems must be approved and documented in accordance with the Cloud Computing Policy. 

All third-party connection requests must have approval from the chief information officer.

IX.       Publicly Accessible Content

The Office of Marketing and Communication is responsible for ensuring that publicly-accessible information technology resources such as webpages and social media applications do not contain Private University Data. Additionally, the Office of Marketing and Communication must review the proposed content of publicly-accessible information and remove non-public information prior to posting onto University webpages, social media applications, or any other information technology resource.  Individuals must be authorized to post content onto webpages, social media applications, or any other information technology resource that is publicly accessible. The Office of Marketing and Communication will periodically review publicly accessible web material for nonpublic or inappropriate information.

See also the System and Communications Protection Policy, which outlines security controls in place to safeguard the University’s public access servers.

IX.       Responsibilities

Data Owners shall:

  1. Approve and document all Authorized Users in their department in accordance with the procedures set forth in the Information Technology Personnel Security Policy.
    1. Data Owners must maintain all Authorized User account data, information, and documentation associated with an Authorized User’s logical access on file in accordance with the Record Retention Policy and Schedule;
    2. Adhere to the procedures set forth in the Information Technology Personnel Security Policy for removing accounts of individuals who are no longer authorized to have access to the applicable information system;
    3. Adhere to the procedures set forth in the Information Technology Security Personnel Policy to modify an Authorized User account to accommodate situations such as name changes, accounting changes, and permission changes;
    4. Periodically review (on at least an annual basis) existing Authorized User accounts for validity; and
    5. Ensure that Authorized Users in the department are not sharing accounts, unless the system resides on a guest network.

B.        Information Technology Services (ITS) Access Control Responsibilities

  1. Ensures that access credentials for internal information systems are delivered to the Authorized User in a confidential manner;
  2. Ensures that access credentials for Internet-facing only systems are securely delivered (e.g., by alternate channels such as U.S. Mail) to all external Authorized Users of systems that access Private University Data;
  3. Configures applicable information system to automatically audit account creation, modification, disabling, and termination actions and notifies, as required, appropriate Data Owners and supervisors;
  4. Investigates any unusual system access activities observed in logs or reported by employees. Investigation activities include the following:
    1. Monitoring applicable systems for atypical usage of information system accounts;
    2. Reporting atypical usage to the chief information officer; and
    3. Tracking and monitoring privileged role assignments (e.g., key management, network and system administration, database administration, and web administration).

RELATED POLICIES

Acceptable Use of University Computer and Network Systems Policy

Cloud Computing Policy

Data Classification Policy

Identification and Authentication Policy

Information Security Program

Information Security Awareness and Training Policy

Health Insurance Portability and Accountability Act Policy

Mobile Device Use and Support Policy

Password Policy

Payment Card Information Security Policy

Personnel Security Policy

Record Retention Policy and Schedule


2.4.3 Cloud Computing Policy 

CLOUD COMPUTING POLICY

Effective Date:

May 6, 2019

Policy Number:

II – 2.4.3

Supersedes:

Not Applicable.

Issuing Authority:

President

Responsible Officer:

Chief Information Officer

Applicability:



All University Information Systems that collect, process, maintain, use, share, disseminate or dispose of Private University Data (“applicable information systems”), as well as all Authorized Users who access, use, or handle those resources.

History:



PURPOSE

The purpose of this policy is to ensure that Private University Data is not inappropriately stored or shared using public Cloud Computing and/or file sharing services.

POLICY

Private University Data as defined in this policy may not reside within any cloud computing environment unless Canisius University has entered into a legally binding agreement with the service provider to ensure that the data is protected and managed in accordance with standards and procedures required by law and acceptable to the Information Technology Services (“ITS”).

Private University Data placed into a University authorized cloud environment must be encrypted in transit and encrypted at rest. Moreover, the cloud service provider’s contract must indicate that it conforms to all relevant federal, state, and local laws and regulations. Finally, any Private University Data residing within a cloud computing environment must be retrievable by the University and not solely by the individual who placed the data in the cloud environment, as well as conform to the University’s Record Retention Policy and Schedule.

DEFINITIONS

Authorized User—are all individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel, and other individuals authorized by the University to access a University computer, the University network(s), or information systems that collect, process, maintain, use, share, disseminate or dispose of University Data.

Cloud Computing/Cloud Environment—encompasses utilizing any external computing, software services, or hosting environment that is not directly controlled by Canisius University.

University Data— any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any department, program or office of the University in support of the University’s mission.

University Employees—includes Canisius University executive officers, administrators, faculty, staff, student employees, contractors, and others who act on behalf of the University.

University Information System—a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used throughout this policy to represent all types of computing platforms that can process, store, or transmit University Data.

Covered Data and Information—means all Non-Public Personnel Information of customers required to be protected under the Title V of the Gramm Leach Bliley Act of 1999 (“GLBA”), including Student Financial Information. Covered Data and Information includes both paper and electronic records. Covered Data and Information is classified as Private, Highly Restricted University Data pursuant to the University Data Classification Policy.

Data Custodians—the custodian of University Data is generally responsible for the processing and storage of University Data. The custodian is responsible for the administration of controls as specified by the Data Owner. By definition, Data Custodians are also Authorized Users.

Data Ownersthe owner of a collection of University Data is usually the manager responsible for the creation of that data or the primary user of that information. This role often corresponds with the management of department. In this context, ownership does not signify proprietary interest, and ownership may be shared. By definition, Data Owners are also Authorized Users.

Encrypted Data—refers to information that has been converted through software into a non-human readable form typically via a password or phrase (which is also used to decrypt the file when the information is to be accessed). All encryption referred to within this policy must conform to prevailing industry standards.

Encryption—the process of encoding (or scrambling) information so that it can only be converted back to its original form (decrypted) by someone who (or something which) possesses the correct decoding key.

Members of the University Community—includes any person who is a student, University employee, volunteer, trustee, alumni, as well as University organizations, clubs, groups, and teams. This definition also includes all University departments, offices and programs.

Mobile Device—any handheld or portable computing device running an operating system optimized or designed for mobile computing that is capable of accessing, storing, and manipulating information in an untethered manner (usually, but not always, through a wireless connection). This includes, but is not limited to, laptops, tablets, smart phones/cell phones, PDAs, or other portable devices.  Any device running a full desktop version operating system is not included in this definition.

Non-Public Personal Information—any personally identifiable financial or other personal information, not otherwise publicly available, that the University has obtained from a customer in the process of offering a financial product or service; such information provided to the University by another financial institution; such information otherwise obtained by the University in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, date and place of birth, mother’s maiden name, biometric records, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.

Personally Identifiable Information or PII—any information about an individual that (i) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (ii) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual; and (iii) is protected by federal, state or local laws and regulations or industry standards.

Private University Data—any University Data classified as Private-Highly Restricted and Private-Restricted pursuant to the University Data Classification Policy.  By definition, Private University Data includes, but is not limited to, Covered Data and Information, Student Financial Information, Personally Identifiable Information, Student Education Records, Human Subjects Research Data or Other Sensitive Research Data, Protected Health Information, and Sensitive Authentication Data.  See the University Data Classification Policy for additional information.

Public University Data—University Data that by law are available to the public upon request, and that the loss of the data would not cause significant personal, institutional, or other harm.

Sensitive Authentication DataFull track data (magnetic strip data or equivalent on a chip, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks.

Student Education Recordsas defined by the Family Educational Rights and Privacy Act (FERPA), student education records are all records which contain information directly related to a student and maintained by the University, including those files, documents, and other materials (in handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche) that contain information directly related to a student which are maintained by the University or by a person acting for the University pursuant to University or department policy. Information that is captured as a result of a student’s various activities at the University is part of the student record. This information includes, but may not be limited to, logs, databases or other records of: websites the student has visited, purchases made at University facilities, entry day/time into University facilities, library use and biometric records.

Student Financial Information—information the University or its affiliates have obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CRF §225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

PROCEDURES/GUIDELINES

I.          Contract Approval Procedures

All legally binding written agreements with a Cloud Computing service provider must be approved in writing by the vice president for finance and administration.

The chief information officer or his/her designee will endorse the use of Cloud Computing services, including file storing and sharing, only if:

  1. The Cloud Computing vendor meets established University data security requirements as set forth in applicable University information security-related policies and conforms to all relevant federal, state and local laws and regulations;
  2. The Cloud Computing vendor provides appropriate levels of recovery for Private University Data by the University and not solely by the individual who placed the data in the Cloud Computing environment;
  3. The Cloud Computing vendor accepts and is contractually bound to implement the University’s explicit restrictions on storage of Private University Data (i.e., Private University Data must be encrypted in transit and encrypted at rest);

The use of such service, in the judgement of the chief information officer (or his/her designee) does not place the University at an unreasonable risk of experiencing data breach, data loss/non-recovery, or degradation of applicable information systems and University Data.

II.        Enforcement

ITS is responsible for the appropriate enforcement of this policy. During the course of any investigation of alleged inappropriate or unauthorized use of cloud computing environment, it may be necessary to temporarily suspend an Authorized User’s network or computing privileges, but only after determining there is at least a prima facie case against the individual, as well as a risk to applicable information systems if privileges are not revoked. This is a necessary action taken to prevent further misuse and does not presume that the user initiated the misuse. Unsubstantiated reports will not result in the suspension of user account or network access unless sufficient evidence is provided to show that inappropriate activity occurred.

Students and employees who violate the provisions of the policy are subject to disciplinary action pursuant to the University’s applicable disciplinary policies, as well loss of access to applicable information systems.

Visitors and others third party users who violate the provisions of the policy are subject to loss of access to applicable information systems. In addition, the vice president for finance and administration may administer other appropriate sanctions.

RELATED POLICIES

Acceptable Use of University Computer and Network Systems Policy

Data Classification Policy

Information Security Program

Health Insurance Portability and Accountability Act Policy

Mobile Device Use and Support Policy

Record Retention and Disposal Policy

Student Records (FERPA) Policy

Wireless Access Points Policy


2.4.4. Computer Asset Disposal Policy 

COMPUTER ASSET DISPOSAL POLICY

Effective Date:

May 9, 2019

Policy Number:

II – 2.4.4

Supersedes:

Not Applicable.

Issuing Authority:

President

Responsible Officer:

Chief Information Officer

Applicability:

All computer assets and other applicable information systems purchased or leased with Canisius University funds.

History:



PURPOSE

The purpose of this policy is to outline the rules for disposal of computer assets and other applicable information systems owned or leased by the University. Once a computer asset or applicable information system has reached the end of its active life on campus, it can be purchased by a member of the University community, donated, or disposed of as waste.

POLICY

University personnel are responsible for the appropriate disposal of University computer assets and other applicable information systems in accordance with the procedures and guidelines set forth in this policy. Members of the University community may not directly give, lend, rent, donate, or dispose of University’s computer assets and other applicable information systems.

DEFINITIONS

Authorized User—are all individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel, and other individuals authorized by the University to access a University computer, the University network(s), or information systems that collect, process, maintain, use, share, disseminate or dispose of University Data.

University Data— any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any department, program or office of the University in support of the University’s mission.

University Employees—includes Canisius University executive officers, administrators, faculty, staff, student employees, contractors, and others who act on behalf of the University.

University Information System—a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used throughout this policy to represent all types of computing asset platforms that can process, store, or transmit University Data.

Computer Assets—any device that contains electronic circuitry or any data storage media that keeps information. Devices with electronic circuitry include, but are not limited to, computers, laptops, mobile devices, copy machines, fax machines, calculators, and telecommunication equipment. Computer assets also includes data storage media.

Covered Data and Information—means all Non-Public Personnel Information of customers required to be protected under the Title V of the Gramm Leach Bliley Act of 1999 (“GLBA”), including Student Financial Information. Covered Data and Information includes both paper and electronic records. Covered Data and Information is classified as Private, Highly Restricted University Data pursuant to the University Data Classification Policy.

Data Custodians—the custodian of University Data is generally responsible for the processing and storage of University Data. The custodian is responsible for the administration of controls as specified by the Data Owner. By definition, Data Custodians are also Authorized Users.

Data Ownersthe owner of a collection of University Data is usually the manager responsible for the creation of that data or the primary user of that information. This role often corresponds with the management of department. In this context, ownership does not signify proprietary interest, and ownership may be shared. By definition, Data Owners are also Authorized Users.

Disposal—any computer asset leaving custody of the University, regardless of whether the equipment is being returned as part of a lease, being sold, donated, or being thrown away.  It is the responsibility of the department and the employee in custody of the item to understand and manage the terms and conditions of its disposal.

Members of the University Community—includes any person who is a student, University employee, volunteer, trustee, alumni, as well as University organizations, clubs, groups, and teams. This definition also includes all University departments, offices and programs.

Mobile Device—any handheld or portable computing device running an operating system optimized or designed for mobile computing that is capable of accessing, storing, and manipulating information in an untethered manner (usually, but not always, through a wireless connection). This includes, but is not limited to, laptops, tablets, smart phones/cell phones, PDAs, or other portable devices.  Any device running a full desktop version operating system is not included in this definition.

Non-Public Personal Information—any personally identifiable financial or other personal information, not otherwise publicly available, that the University has obtained from a customer in the process of offering a financial product or service; such information provided to the University by another financial institution; such information otherwise obtained by the University in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, date and place of birth, mother’s maiden name, biometric records, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.