Conditions for Use of Campus
Conditions for Use of Campus Computing Resources -
Users are responsible for understanding and complying with the following Conditions for protecting Shawnee State’s computing systems from unauthorized access and electronic attacks, and to safeguard the University’s Institutional Data and Confidential/Customer Information (see SSU Policy 5.30).
1.1 Institutional Data
1.1.1 Institutional Data are information created, collected, maintained, stored or managed by the University, its staff, and agents working on its behalf. It includes data for the administrative, academic and research functions, operations, and mission of the University. All data derived within SSU’s enterprise and departmental systems including but not limited to: Jenzabar, Oracle, Blackboard, FEITH and Cognos applications, including any applications containing SSU student data, are considered Institutional Data.
1.1.2 Institutional data do not include personal data created, collected, maintained, transmitted, or recorded on University-owned resources that are not related to University business, and not identified as Customer Information.
1.2 Confidential Information
1.2.1 Confidential Information is defined as that information which is restricted by FERPA, HIPAA, GLBA, PCI, Ohio Revised Code and other regulatory requirements (e.g., Red Flag rules), and is not releasable to the public under state or federal law. These restricted data could reasonably be used to perpetrate identity theft, constitute a serious and unwarranted invasion of personal privacy, compromise the physical security of University employees or property, or compromise the University’s computer systems. Examples of “Confidential Information” include, but are not limited to, the following:
1.2.2 "Personal information" which includes an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
18.104.22.168 Social security number;
22.214.171.124 Driver's license number or state identification card number;
126.96.36.199 Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
1.2.3 “Personal Financial Information” which would link an individual with nonpublic information about that individual’s tax return, gross income, investments, financial aid, etc. Note: A public employee’s salary is not “personal financial information.”
1.2.4 Educational Records, as defined under state and federal law as:
188.8.131.52 “Any record with certain exceptions, maintained by an institution that is directly related to a student or students. This record can contain a student’s name, or students’ names, or information from which an individual student or students can be individually identified.
184.108.40.206 These records include: files, documents, and materials in whatever medium (handwriting, print, tapes, disks, microfilm, microfiche, etc…) which contain information directly related to students and from which students can be personally identified.”
1.2.5 “Medical Treatment Records” as defined under state and federal law. The HIPAA Privacy Rule defines private health information (PHI) as individually identifiable health information, held or maintained by a covered entity (i.e. our SSU group health plan) or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse.
1.2.6 Security and Infrastructure records, to include records or information concerning the protection of a University office against sabotage or attack.
1.2.7 Information which would allow unauthorized access to University computer systems or electronic files.
1.3 Customer Information
1.3.1 Customer information includes any information about a customer provided to obtain financial products or services. Customer information results from any transaction involving a financial product or service between the institution and a customer, or otherwise obtained about a customer in connection with providing a financial product or service to the customer.
2.0 INFORMATION SECURITY
2.1 Importance of Information Security
2.1.1 Information Security is critical to the interests of the University and the many constituencies it serves. As a result of the University’s dependency on electronic information, it is critical that information and information systems be protected from unauthorized access and electronic attacks so the University can operate without interruption. Furthermore, it is paramount the University safeguard Institutional Data as well as protect Confidential Information from unauthorized access.
2.1.2 Officially protected or Confidential Information created or maintained by the University including student academic records may reside only on systems or networks operated and maintained by ITS, without prior written authorization by the Chief Information Officer.
2.1.3 The Department of Information Technology Services (ITS) has overall responsibility for the security of the University's information technologies. Implementation of and adherence to security guidelines and best practices to protect Confidential Information, Customer Information and Institutional Data are the responsibility of all SSU supervisors, employees and students
3.0 DEPARTMENTAL MANAGERS/DIRECTORS RESPONSIBILITIES:
3.1 The President or the President’s designee, upon recommendation by the Chief Information Officer, may authorize other networks solely for academic purposes which do not come under the supervision of ITS, provided the department understands its responsibility for the security of such networks under its domain of control and responsibility, and may not use the network to host officially protected or Confidential Information. These responsibilities include but are not limited to responsibility for general security issues, e.g., legal issues, security compliance and reporting, physical security, communications, and IT infrastructure security on wired and wireless networks. Authorization may be revoked if the President or President’s designee finds the network is operating contrary to University policy or the law.
3.2 All academic and administrative office managers/directors have the primary responsibility and authority to ensure their respective departments comply with University requirements for privacy and security of specific types of confidential information (e.g., student educational records, personnel records, health records, and financial transaction data). These unit managers/directors are responsible for general security issues (e.g., legal issues, security compliance, physical security and communications) as well as for completing risks assessments and assisting in the development of University IT security policies, standards and Best Practices in the areas of their responsibility.
4.0 INDIVIDUAL RESPONSIBILITIES TO PROTECT INSTITUTIONAL DATA:
4.1 Shawnee State University employees require access to Institutional Data in support of the University’s teaching, research, and operational objectives. The University’s Institutional Data is a valuable asset and must be maintained and protected as well as remain in compliance with SSU records retention rules.
4.2 The privacy of University members and their personal information defined within the University’s Institutional Data must be protected to the greatest possible extent. The purpose of these guidelines are to help ensure the protection of the University’s Institutional Data from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving the ability of authorized users to access and use Institutional Data for appropriate University purposes.
4.3 Users who use University or personally-owned devices to access University resources are responsible for the security of Institutional Data originating on or downloaded to the mobile device, and are subject to the following:
4.3.1 The provisions of the Campus Computer and Network Use Policy 5.30 and Procedure 5.30:1 Conditions for Use of Campus Computing Resources
4.3.2 The guidelines for reporting lost/stolen Confidential, Customer or Institutional Data, and any associated University-owned data storage device at (insert link).
4.3.3 All other laws, regulations, network and computer-use policies applicable to the individual user or the University.
4.3.4 Completing periodic audits of Confidential and Customer Information electronically stored in their respective areas.
4.3.5 Developing procedures and guidelines for your area to implement an ongoing process for continued information security which includes periodic security reviews referencing this action plan.
5.1 Transmitting or Sharing Stored Institutional Documents
5.1.1 All electronic documents stored within the University-approved databases are considered SSU Institutional Documents, comprised of Institutional Data necessary for University business, and potentially SSU Confidential and Protected Information.
5.1.2 University employees who use stored Institutional Data during the normal course of business have the responsibility to comply with all state and federal mandates and other applicable laws, SSU guidelines and policies for protecting Confidential/Customer Information, and are responsible for protecting SSU Institutional Data using all reasonable measures within their employee role at the University.
5.1.3 Transmitting or sharing electronic documents created within the University-approved storage databases, to other SSU employees, is permissible using SSU Microsoft Azure cloud services and the data users authorized network account access.
5.1.4 Emailing or Forwarding Institutional Data to third-party email systems is not permissible without prior written permission from an SSU departmental supervisor.
5.2 Remotely Accessing Confidential Data
5.2.1 Individuals who need remote access to Shawnee State’s computer network from off-campus require written authorization from the President or Vice President of Finance and Administration. Upon approval, ITS will establish a secure connection to the user’s desktop computer. The user is responsible for insuring that data accessed remotely are secured and protected from unauthorized access. Additionally, ITS recommends:
220.127.116.11 Remote access to SSU-managed computing resources is enabled by securely connecting an approved user device to the user's SSU managed office computer.
18.104.22.168 The user acknowledges in writing to his/her supervisor these Conditions and associated responsibilities of the remote access granted to him/her.
5.3 Secured Storage of SSU Institutional Data
5.3.1 Electronic files with student or employee Confidential Information or Institutional Data should not be locally (C: drive) stored, stored on departmental Web shared spaces, or stored on unapproved third-party internet storage mediums. If departmental files need to be locally accessible, a request for a department share should be forwarded to ITService@shawnee.edu to ensure appropriate security access protocols are established in advance.
5.3.2 Any use of “Cloud” services for storing SSU Institutional Data or Confidential/Customer Information should be reviewed and approved by ITS prior to such usage.
6.0 REPORTING SECURITY VIOLATIONS
6.1 Reporting suspected violations of the Conditions for Information Security is the responsibility of all members of the University community.
6.2 Examples of prohibited (actual or attempted) behavior include, but are not limited to:
6.2.1 Allowing institutionally or personally-owned devices with officially protected or personal, Confidential Information to leave the campus without prior written authorization by the departmental supervisor and reasonable efforts by ITS to apply campus-standard security technologies and protocols on the device.
6.2.2 Allowing others to use your personal accounts to access any SSU computing resource or network.
6.2.3 Any attempt involving campus-computing resources for the purpose of hacking. Hacking is defined as attempting (either successfully or unsuccessfully) to break into or gain unauthorized access or rights on a computer system or network. Any unauthorized attempts to access non-university systems will be reported to the administrators of these non-university systems.
6.2.4 Accessing or using a protected computer account assigned to another person or the unauthorized sharing of a password to a protected account with another person without prior authorization by the Chief Information Officer
6.2.5 Misuse or abuse of computer equipment, networks, software, or peripheral devices.
6.2.6 Any act which interferes with the appropriate access rights of others.
6.2.7 Transmitting or posting fraudulent, defamatory, harassing, obscene, or threatening messages, or any communications prohibited by law.
6.2.8 Use of any computer network for a purpose contrary to the stated purpose of that network.
6.2.9 Software theft or piracy, data theft, or any other action which violates the intellectual property rights of others.
6.2.10 Deletion, examination, copying, or modification of files and/or data belonging to other users without their prior consent.
6.2.11 Forgery (or attempted forgery) of electronic mail messages.
6.2.12 Deliberate interference with the ability of other users to send/receive electronic mail.
6.2.13 Installation of departmental or enterprise systems intended to support the SSU mission and operations, without prior authorization by ITS.
6.2.14 Unauthorized decryption of system or user passwords and files.
6.2.15 The copying of copyrighted materials, or unauthorized sharing of electronic files (audio/video) or third party software, without the express written permission of the owner of the copyright.
6.2.16 Intentional attempts to crash systems or programs to disrupt normal operations.
6.2.17 Any improper or unauthorized attempts to secure a higher level of privilege on Shawnee State systems.
6.2.18 A physical connection of any computer to any of the University's networks without proper authorization from the appropriate network administrator.
6.2.19 Misrepresenting one's identity or relationship to the University when obtaining or using University computer or network privileges.
6.2.20 Creating, installing, or knowingly distributing a computer virus, "Trojan horse", or other surreptitiously destructive program on any University computer or network, regardless of whether any demonstrable harm results.
6.2.21 Adding, modifying or reconfiguring (without proper authorization) the software or hardware of any University computer or network.
6.2.22 Loading of software on campus computers for the purpose of accessing unauthorized network resources.
6.2.23 Any unauthorized access (or attempted access) of student identifiable data.
6.2.24 Using any University computer or network resources to perpetrate a violation of state or federal law or University policies.
6.3 Reporting a Data Security Breach or Loss of Data
6.3.1 Reporting a perceived incident involving Information Security and the potential loss or breach of SSU Confidential Information is the responsibility of all members of the University community. SSU employees are charged to take immediate action when made aware so that responsible persons can meet the institution’s obligation to protect SSU Confidential Information, and limit the institution’s risk of loss.
6.3.2 Immediately complete and submit the form titled Confidential Information-Data Loss or Breach of Security Incident Notification Report accessed from https://www.shawnee.edu/areas-study/clark-memorial-library/information-technology-services/information-security/emergency-response-plan
7.0 COMPLIANCE WITH BEST PRACTICES
7.1 Users are required to know and comply with Best Practices established by ITS, SSU, state and federal standards. Failure to comply with these Practices may result in loss of computing privileges and/or disciplinary action.
7.1.1 Lock down console (using <Ctrl-Alt-Delete> function) when not at user station.
7.1.2 Do not share passwords. Passwords should be complex in nature i.e. uses upper/lower case, numbers, special characters.
7.1.3 Log-off or lock down computer when leaving office for the day.
7.1.4 Lock doors when not in office.
7.1.5 Do not share personal office computers with unauthorized users.
7.1.6 Do not share Confidential Information via the Internet without a secure connection.
7.1.7 Do not respond to emails phishing for personal or institutional information.
7.1.8 Do not store passwords or usernames in a non-secure location.
7.1.9 Do not allow unauthorized individuals into your office or to access your computer. Request ID information from unfamiliar individuals.
7.1.10 Notify ITService@shawnee.edu when a student or departmental employee terminates employment with SSU or leaves the department.
7.1.11 Notify ITService@shawnee.edu when an electronic data transmit process (dialup transmission or the Internet) is needed to complete a University business function.
7.1.12 Access to the Internet from computers with Confidential files stored on the local hard drive.
7.1.13 Change passwords to third-party software on a frequent basis, using complex passwords (at least every 90 days or as required by the third-party).
7.1.14 Do not keep paper reports with Confidential Information in non-secured areas and shred all reports and electronic media when no longer needed. Decommissioning of electronic storage devices requires an evaluation by ITS for stored drives/data that must be destroyed prior to related equipment leaving campus.
7.1.15 Do not download (from the Internet) unauthorized, non-work related software onto your computer (i.e. Screensavers, Pointers, etc).
7.1.16 Do not consume computing resources to the extent that it negatively impacts normal usage by others.
7.1.17 Respect the privacy of other users and their accounts, regardless of whether those accounts are securely protected.
7.1.18 Use only those computing resources you are authorized to use and use them only in the manner and to the extent authorized.