User Technology Policies

____________________________________________________

Document Number: INFOTECH -- 100

Revision #: 1.0

Document Owner: Vice President for Facilities and Infrastructure

Date Last Updated: 02/10/2020

Date Originally Created: 09/03/2019

_____________________________________________________

 

When it comes to technology, Cumberland University (“Cumberland University” or “the university”) recognizes that policies must strike a balance between ease of use and reasonable security.  These policies are intended to strike an appropriate balance based on the current state of technology, the university’s internal security needs, and technology standards and confidentiality requirements that many of our clients insist we follow and/or are required by law.  At the same time, the university must create a computer and technology platform that is reliable, cost-effective, and capable of being maintained and upgraded as needed in an efficient manner.

Unless noted otherwise, these technology policies apply to all Cumberland University personnel regardless of title.  References in these policies to "all Cumberland University employees" or "you" include all employees, regardless of title, in addition to all temporary personnel or contractors employed by Cumberland University.  When appropriate, exceptions to these policies may be made by university management for specific purposes approved in advance.

Sensitive data is defined in these User Policies as information which, if made available to unauthorized persons, may adversely affect Cumberland University, its clients, or management. Examples include, but are not limited to, personal or university data, personally identifiable information (PII), protected health information (PHI), financial information, trade secrets/differentiation, client databases, and anything deemed proprietary or confidential by clients and by contracts. Please know that data is presumed to be sensitive unless deemed otherwise.

 

Table of Contents

1. Acceptable Use of Resources and Communications Systems Policy

    1.1 No Expectation of Privacy

    1.2 Confidentiality and Proprietary Rights

    1.3 Internet and Email Systems

    1.4 Text Messaging

    1.5 Telephones and Voicemail

    1.6 Spam

    1.7 Inappropriate Use of University IT Resources and Communications Systems

    1.8 Conduct Not Prohibited by This Policy

2. Password Guidelines Policy

    2.1 User Password Minimum Standard Structure

    2.2 Generic User ID or Username

    2.3 Two-Factor Authentication

    2.4 Password Precautions/Restrictions/Sharing

3. Mobile and Portable Device Management

    3.1 Definitions

    3.2 Mobile Devices

    3.3 Portable Devices and Physical Security

4. Clean Desk Policy

5. Technology Equipment Disposal Policy

6. Security Incident Reporting Policy

7. Policy Violations Sanctions

______________________________________________________________

  1. Acceptable Use of Resources and Communications Systems Policy

    Personal use of IT resources and communications systems, including the internet, is not strictly prohibited but should only be used occasionally for brief periods and must not interfere with your work responsibilities and duties. Any personal use of IT resources and communications systems must be lawful and consistent with Cumberland University policies.  IT resources and communications systems, including email, may not be used during working hours to solicit others for commercial ventures or membership in organizations (other than professional associations relevant to Cumberland University and other civic and charitable organizations). IT resources and communications systems may not be used or accessed by non-employees (including family members).

    Cumberland University’s policies prohibiting harassment, located in the Discrimination and Harassment section of the Employee Handbook apply to the use of Cumberland University IT resources and communications systems. No one may use any communications or computer system in a manner that may be construed by others as harassing or offensive based on race, national origin, sex, sexual orientation, age, disability, religious beliefs, or any other characteristic protected by federal, state, or local law.

    The use of Cumberland University’s IT resources and communications systems by an employee shall signify his or her understanding and agreement to the terms and conditions of these policies as a condition of employment. These User Technology Policies may be modified by Cumberland University at any time without prior notice.  The provisions of these policies are not intended to be all inclusive and do not limit the right of Cumberland University to address issues of employee conduct and job performance in whatever manner is appropriate under the circumstances.

    Nothing in these policies is intended to infringe upon employee rights under Section 7 of the National Labor Relations Act or to be incompatible with the National Labor Relations Act.

    1.1 No Expectation of Privacy.

      All contents of Cumberland University’s IT resources and communications systems are the property of the university. Therefore, employees should have no expectation of privacy whatsoever in any messages, files, data, documents, facsimiles, telephone conversations, social media posts, conversations, or any other kind or form of information or communication transmitted to, received or printed from, or stored or recorded on the university’s electronic information and communications systems.

    You are expressly advised that in order to prevent misuse, Cumberland University reserves the right to monitor, intercept, and review, without further notice, every employee's activities using the university’s IT resources and communications systems, including but not limited to e-mail (both outgoing and incoming), telephone conversations, voice mail recordings, instant messages, internet, and social media postings and activities, and you consent to such monitoring by your acknowledgement of this policy and your use of such resources and systems. This might include, without limitation, the monitoring, interception, accessing, recording, disclosing, inspecting, reviewing, retrieving, and printing of transactions, messages, communications, postings, logins, recordings, and other uses of the systems as well as keystroke capturing and other network monitoring technologies.

    The university may also store copies of such data and communications for any period after they are created and may delete such copies from time to time without notice.

    1.2 Confidentiality and Proprietary Rights.

    Cumberland University’s confidential information and intellectual property (including trade secrets) are extremely valuable to Cumberland University.  Treat them accordingly and do not jeopardize them through your business or personal use of electronic communications systems, including e-mail, text messaging, internet access, social media, telephone conversations, and voice mail.  Disclosure of the university’s confidential information to anyone outside Cumberland University and misuse of the university’s intellectual property is subject to disciplinary action.  Ask one of the university’s partners if you are unsure whether to disclose confidential information to particular individuals or how to safeguard the university’s proprietary rights.

    The confidences of our clients and of Cumberland University must be strictly protected. IT resources and communications systems may not be used in any way that will disclose or may lead to disclosure of confidential or privileged information.  Employees shall not access or duplicate client or any other university information, documents or files, whether in electronic or other form, except to the extent needed to perform their job responsibilities.

    Do not use Cumberland University’s name, brand names, logos, taglines, slogans, or other trademarks without written permission from a Cumberland University partner.

    This policy also prohibits use of the university’s IT resources and communications systems in any manner that would infringe or violate the proprietary rights of third parties. Electronic communications systems provide easy access to vast amounts of information, including material that is protected by copyright, trademark, patent, or trade secret law. You should not knowingly use or distribute any such material downloaded from the internet or received by e-mail without the prior written permission from a Cumberland University partner.

     

    1.3 Internet and Email Systems.

    As noted in Section 1.1 of this document, the equipment, services, software applications, and communications network that you use to access the internet and send or receive email are the property of the university and you should have no expectation of privacy when using such property, whether for business or personal purposes. The university has the right to actively monitor how you use Cumberland University property and resources, including researching and retrieving any data that you write, send, or receive through the university’s computer systems. The following policies have been established to ensure that all Cumberland University employees act professionally and responsibly when using the university’s internet and email systems:

    a. The office of information technology will assign students, faculty, and staff with an official university email address.

    b. The university will not be responsible for handling email of third parties (local mail servers, Yahoo, Gmail, Hotmail, etc.).

    c. With respect to email, you may not write, send, forward, download, or store data that contains content that could be considered discriminatory, offensive, obscene, threatening, harassing, intimidating, or disruptive to anyone. Examples of unacceptable content include (but are not limited to) sexual comments or images, racial slurs or other comments or images that could reasonably be expected to offend someone based on race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law.

    d. Copyrighted materials not belonging to Cumberland University may not be transmitted on the university’s computer systems. Anyone who obtains access to any other university’s or individual’s materials must respect all copyrights and may not copy, retrieve, modify, or forward copyrighted materials, except with permission or otherwise in accordance with copyright laws.

    e. Communications unrelated to the university’s business may not be for commercial purposes (whether for profit or not-for-profit) and must not violate any laws, including any laws against discrimination, harassment, or defamation.

    f. No email or other electronic communication may be sent which hides the identity of the sender or represents to be someone other than the actual sender. This does not apply in cases where an assistant uses “Send As” or “Sent on Behalf of” for their manager.

    g. Any sensitive data transmitted over external networks must be encrypted. Email is not appropriate for transmitting sensitive or confidential information unless it is encrypted.

    h. Visiting any Internet site as needed to represent a client is always permissible.

    i. In order to limit unintended access to certain categories of websites, the university utilizes content filtering to block potentially harmful, threatening, or otherwise prohibited website access on the university’s network. Attempting to access certain other website categories will trigger a "Blocked Page" warning that will require you to request Cumberland University’s IT Department to allow you to access the site, which you should request as needed to conduct Cumberland University business.

     

     

    1.4 Text Messaging.

    While text messaging is not an approved means of communication of business-related information, there are times when it cannot be avoided. In these limited cases, users should respect the rights and sensitivities of recipients and potential recipients and should ensure that all messages reflect the professional image that Cumberland University wishes to portray. For additional information, refer to the Electronic Communications and Retention section of Cumberland University’s Compliance Manual.

     

     

    1.5 Telephones and Voicemail.

    Cumberland University provides landline and/or mobile telephone access and voicemail systems to employees for use in connection with performance of their job duties. To ensure that our customers are provided with courteous and respectful service, and to prevent misuse of the university’s IT resources, Cumberland University may monitor, record, and review telephone conversations and voicemail messages. Cumberland University may also store recorded telephone conversations and voicemail messages for a period after they occur and may delete such recordings from time to time.

    As noted in Section 1.1 of this document and as with all of Cumberland University’s IT resources, Cumberland University expressly reserves the right, without further notice, to monitor, review, and record telephone conversations and voicemail messages you have or leave whether business or personal in nature, and you consent to such monitoring, review, and recording by your acknowledgement of this policy and by using any of Cumberland University’s telephones or voicemail systems.

     

    1.6 Spam.

    Unfortunately, users of e-mail will occasionally receive unsolicited commercial or bulk e-mail (spam) which, aside from being a nuisance and a drain on IT resources, might be a means to spread computer viruses and other malicious software. Avoid opening unsolicited messages and report any suspicious e-mail to IT Support. Users may delete spam e-mail and are encouraged to do so. If a user is suspicious about the validity of an e-mail, they are requested to forward the suspicious e-mail to Cumberland University’s IT Department. Cumberland University’s IT Department will investigate further into the validity of an e-mail when requested. Do not reply to a suspicious e-mail message in any way until approval has been given by Cumberland University’s IT Department, even if it states that you can request to be removed from its distribution list. If delivery persists, you may ask Cumberland University’s IT Department to block any incoming e-mail from that address.

     

     

    1.7 Inappropriate Use of University IT Resources and Communications Systems.

    You are never permitted to use Cumberland University’s IT resources and communications systems, including e-mail, text messaging, internet access, social media, telephone, or voicemail for any inappropriate or unlawful purpose.  This includes but is not limited to:

    a. Misrepresenting yourself as another individual or company.

    b. Sending, posting, recording, or encouraging receipt of messages or information that may be offensive because of sexual, racist or religious content.

    c. Revealing proprietary or confidential information, including official Cumberland University information, employee information, or intellectual property without authorization.

    d. Conducting or soliciting illegal activities.

    e. Representing your personal opinion as that of Cumberland University.

    f. Interfering with the performance of your job or the jobs of other Cumberland University employees.

    g. For any other purpose that violates Cumberland University policies or practices.

     

    1.8 Conduct Not Prohibited by This Policy.

    This policy is not intended to restrict communications or actions protected or required by state or federal law.

  2. Password Guidelines Policy

    2.1 User Password Minimum Standard Structure.

    Passwords are an important means of preventing unauthorized access to computers, systems, and information resources. With minimal effort, users can greatly increase the effort required by an unauthorized user to compromise systems or information.  The minimum standards for passwords at Cumberland University are:

    1. At least 8 characters in length.
    2. Must contain characters from three (3) of the four (4) classes below:
      1. Numeral
      2. Upper case letter
      3. Lower case letter and/or
      4. Special character: (e.g. !@#$%^*?-+).
    3. Avoid using the same password for different systems (e.g. Domain access, Core access).
    4. Change passwords at least every 365 days.
    5. User password cannot repeat the last password used.

     

    2.2 Generic User ID or Username.

     

      The use of generic User IDs is prohibited except for training and systems accounts as approved by the Security Officer.

    1. Multiple system users may not share a generic User ID and/or password except for a limited number of applications as expressly approved by the Security Officer.

     

     

    2.3 Two-Factor Authentication.

    The use of two-factor authentication is encouraged when accessing systems that contain sensitive data.

     

    1. Implementation and usage of two-factor authentication will be utilized for systems that contain sensitive data, where applicable.
    2. Evaluation of implementation of two-factor authentication for systems that contain sensitive data will be conducted quarterly.

     

     

    2.4 Password Precautions/Restrictions/Sharing.

    1. Choose passwords that you will be able to remember.
    2. Do not insert passwords into email messages or other forms of electronic communication.
    3. Do not share your password with others.
    4. Do not write, print, or record in any fashion your password and store it anywhere in the office.
    5. Do not store passwords in a file on any computer system (including Smart Phones or similar devices).
    6. Do not place your password in your laptop case, tape it to the bottom of your laptop or attempt to hide it amongst papers stored in your laptop case.
    7. When sharing your password with the IT Department, the following policies apply:
      1. The IT Department will provide support if you give them your password when necessary to correct an issue. However, it is necessary for the Cumberland University user to change their password upon completion of the IT work completed on their laptop or workstation. Cumberland University’s IT Department can assist with a password reset, when requested. The password reset can be delayed if requested, for example, until the Cumberland University user has completed travel, so it does not make system access more difficult while traveling.

     

     

  3. Mobile and Portable Device Management

    In certain cases, it may be expected or required that Cumberland University personnel use laptops, tablets, mobile phones, or other Portable Devices for business-related purposes.  This section pertains to both company-issued devices and personal devices.

    3.1 Definitions

    1. Mobile device is defined as any device which can be carried easily by hand and used for mobile computing either or by being connected to and removed from other computing devices. Mobile devices include tablet computers and smart phones.
    2. Portable Devices include all forms of personal computers, organizers (paper and electronic) and mobile phones, which are required for working from home or are being transported away from the normal work location. These devices can also be in the form of DVDs, USB drives, CDs, disk drives or other forms of portable media.
    3. Sensitive data is defined as information which, if made available to unauthorized persons, may adversely affect Cumberland University or its clients. Examples include, but are not limited to, personal or company data, personally identifiable information (PII), protected health information (PHI), financial information, trade secrets/differentiation, client databases, and anything deemed proprietary or confidential by clients and by contracts. Please know that data is presumed to be sensitive unless deemed otherwise.

     

    3.2 Mobile Devices

    1. Users should refrain from storing sensitive data on mobile devices whenever possible. In the event it is necessary for business purposes, information should be minimized and stored in an encrypted format.
    2. Users should ensure that mobile devices are physically secure when not in use.
    3. Individuals using Cumberland University data on mobile devices have a responsibility to protect the data from unauthorized use, disclosure, access, loss, corruption, damage, or destruction and to adopt all proper and sensible precautions in their handling of sensitive and personal data.
    4. Ensure mobile devices are protected by a secure password and that the password-protected auto-locking feature (where present) is enabled. Cumberland University will provide technical measures to help keep data secure and prevent loss, damage, and destruction and will assist staff in implementing such measures.
    5. Store mobile devices that contain confidential information in a protected, safe area.
    6. Protect data on mobile devices from theft or loss. If you travel by car with such devices, make sure they are locked and out of sight in the trunk of the vehicle. When home, put devices in a secure place to limit risks from theft or damage.
    7. Report lost or stolen devices immediately to Cumberland University’s Security Officer.
    8. Make sure you keep software updated and patched with current releases on mobile devices to minimize security risks.
    9. Use of personal electronic devices for work purposes, including but not limited to smartphones, tablets, laptops and computers, is allowed only when Cumberland University employees adhere to the Information Security Plan section of Cumberland University’s Compliance Manual. This includes utilizing and updating patches for operating systems, firewalls, and anti-virus and malware software and encryption of portable devices.

     

    3.3 Portable Devices and Physical Security

    1. If a Cumberland University user requires a Portable Device for authorized purposes, the configuration of that device includes appropriate software and other safeguards to protect the integrity and security of confidential business information that may be accessed via or maintained on that Portable Device.
    2. If a Cumberland University user is not approved to have a Portable Device for authorized purposes, he or she shall not download or access confidential business information onto or through a smart phone, laptop, or other portable device without prior approval from the Security Officer.
    3. Cumberland University users must safeguard all Portable Devices that maintain or provide access to confidential business information. All Portable Devices must be safeguarded from theft, unauthorized use, and access and misuse, especially when left, for example, in cars and other forms of transport, hotel rooms, conference centers, and meeting places. Equipment carrying important, sensitive, or critical business or confidential personal information must not be left unattended. When not in use, equipment must be locked away.
    4. In the event a Portable Device is lost or stolen, or the integrity of that device is otherwise compromised or suspected to be compromised, the user shall immediately notify the Security Officer.
    5. When using a Portable Device, special care should be taken to ensure Cumberland University and Cumberland University client information is not compromised.
    6. Portable Devices, equipment, and other media that contain or allow access to Cumberland University business information that is taken off Cumberland University premises must not be left unattended in public places. Portable Devices must be carried as hand luggage and disguised, where possible, when traveling.
    7. Other than approved Portable Devices, equipment such as printers or desktop computers or software owned by Cumberland University should not be taken off-site without prior authorization from the Security Officer.

     

  4. Clean Desk Policy

    Cumberland University’s users are expected to exercise precaution to protect the university’s facilities, data, and IT assets from unauthorized access. A clean desk is best achieved by using the following best practices:

    a. Users are required to ensure that all sensitive/confidential data, including but not limited to Personally Identifiable Information (PII) or Protected Health Information (PHI) in hardcopy or electronic form is kept secure.

    b. Users are requested to lock workstations when the workspace is unoccupied.

    c. The following steps are used to lock computer workstations.

    1. Select CTRL-ALT-DEL (these buttons are on the computer’s keyboard)
    2. Select “Lock This Computer” or “Lock”

d. Any sensitive/confidential data including but not limited to Personally Identifiable Information (PII) or Protected Health Information (PHI) must be secured.

e. Portable devices such as laptops, tablets, and smartphones must be secured.

f. Upon disposal, documents containing confidential or sensitive data, Personally Identifiable Information (PII) or Protected Health Information (PHI) should be placed in the secure confidential shred bins.

g. Any questions regarding the treatment and security of sensitive data, including but not limited to Personally Identifiable Information (PII) or Protected Health Information (PHI) protection are to be directed to the Security Officer.

 

5. Technology Equipment Disposal Policy

This policy applies to university-owned computer/technology equipment that is no longer needed at Cumberland University, including but not limited to the following: personal computers, servers, hard drives, laptops, smart phones, tablets, peripherals, printers, scanners, portable media, and portable storage devices (i.e., USB drives).

  1. When technology assets have reached the end of their useful life, they should be sent to the Cumberland University Information Technology Security Officer for proper disposal.
  2. The Security Officer will work to securely erase all storage media in accordance with current industry best practices.
  3. Whenever possible, hard disk drives will be removed and shredded with an appropriate Certificate of Destruction (COD) for audit trail purposes.

6. Security Incident Reporting Policy

The intention of this policy is to provide guidance to Cumberland University staff, so that they will be able to:  1) Recognize events or circumstances which may indicate that a security event is occurring or has occurred; 2) Know how to report possible security events; 3) Know who is responsible for and authorized to respond to possible security events.

A Security Event is any action or event which:

  1. Allows an unauthorized individual access to and/or the ability to use, destroy, modify, or disclose Sensitive Data, including but not limited to Sensitive Data or Personally Identifiable Information (“PII”).
  2. Allows an unauthorized person to modify the operation of the Cumberland University Information System, including any device or computer and any operating system or software application which is connected to that Information System, or any authorized media or authorized device used to access, process, transmit or store sensitive data, including but not limited to Sensitive Data or Personally Identifiable Information (“PII”).
  3. Allows a software application which is not authorized for use on the Cumberland University Information System, a device or computer connected to that Information System, or any authorized media or authorized device used to access, process, transmit or store Sensitive Data, including but not limited to Personally Identifiable Information (“PII”), to access or perform actions affecting Sensitive Data, including but not limited to Personally Identifiable Information (“PII”) or the operation of the Cumberland University Information System.

Cumberland University employees are to report any observed or known security incidents to the Cumberland University Security Officer.  The Security Officer with the assistance of Cumberland University management will determine if the Cyber Incident Response Plan will be activated.

7. Policy Violations Sanctions

Disciplinary sanctions will be imposed by Cumberland University for violations of these policies.  These sanction policies apply to all Cumberland University’s principals and permanent employees.  Contracts may be terminated for temporary employees and independent contractors at the sole discretion of Cumberland University for any violation of these policies.

Any Cumberland University employee found to have violated these policies may be subject to disciplinary action, up to and including termination of employment.

 


ACKNOWLEDGEMENT OF RECEIPT AND REVIEW

 

 

I, _________________________________________ (employee name), acknowledge that on ____________________________ (date), I received and read a copy of Cumberland University’s User Technology Policies and understand that it is my responsibility to be familiar with and abide by its terms. I understand that the information in this Policy is intended to help Cumberland University’s employees work together effectively on assigned job responsibilities. These policies are not promissory and do not set terms or conditions of employment or create an employment contract.

 

                                                                                                               

Signature

 

                                                                                                               

Printed Name