(A) Purpose and application
(1)
The purpose of
this rule is to establish the obligations of users and managers of
university-provided technologies and related resources. All users and managers
of university-provided and supported information technologies are required to
abide by applicable federal and state laws, relevant regulations, conditions
for use, and best practices to ensure the highest level of confidentiality,
integrity, security, and availability of technology services that can be
afforded by the university.
This policy
outlines the guidelines for responsible management and security of Shawnee
state university's (SSU) digital resources, ensuring alignment with relevant
procedures (SSU information security program and conditions for use), and
compliance with applicable regulatory frameworks. It is designed to protect the
integrity, confidentiality, security, and availability of SSU's technology
services and applies to all individuals interacting with SSU's digital and
network resources.
(2)
This rule applies to all users of campus computing
and network resources, whether or not employed by or affiliated with the
university, and for all uses of computing and network resources whether on
campus or from remote locations.
Universal in
scope, this policy encompasses both on-campus and remote interactions with
SSU's technology resources, covering all affiliated and non-affiliated
individuals.
(B)
Responsibilities and authority
(1)
All users are responsible for complying with this
rule, conditions for use, and any laws or regulations applicable to computer
systems, information security, network access, and application
computing.
All users are required to comply
with this policy, its applicable procedures (SSU information security program
and conditions for use), and relevant legal and regulatory
standards.
(2)
The university's chief information officer (CIO) is
responsible to maintain applicable policies and to ensure the conditions for
use reflect current operational expectations, incorporate best practices and
technical updates, and to implement measures required for compliance with
applicable laws and regulations that ensure privacy and security of data and
delivery of appropriate access to network resources.
The chief information security officer (CISO) is tasked with
the oversight of this policy, ensuring its ongoing relevance, compliance with
legal and operational standards, and the implementation of requisite security
measures.
(C)
Access privileges and restrictions of use
Access to
digital resources is predicated on authenticated identity and relevant
authorizations, managed in accordance with the SSU information security program
and conditions of use procedures.
(1) Access privileges are contingent
upon the authentication of an identity and authorization of that identity to
access specific technologies required to fulfill assigned roles or to complete
the applications and activities of that identity at the university. Such access
depends upon the role assigned by the department of human resources upon
employment or contractual relationship with the university. Additional accesses
may be managed by department supervisors in accordance with university
policies.
(2) Use of the university's
computing systems, resources and networks (on-site and remote) is granted
solely to Shawnee state active employees and retirees with ten years of
continuous service, currently enrolled students, contractual and term
employees, and others who have a business or operational need for access and
are designated in writing by the president or vice president for finance and
administration. The university will adopt measures necessary to protect its
computing systems and network including implementation of multi-factor
authentication.
(3) Commercial use of the
university's computing systems, resources, and networks is prohibited without
prior written consent from the office of the general counsel.
(4) Once on-site and remote access
to technology systems is assigned in accordance with human resources policies,
any modification of that access that involves personal and shared data may be
extended to or retracted from the initial authorized account users with written
consent of the respective vice president and in accordance with human resource
and relevant university policies.
(5) The university reserves the
right to limit, restrict, extend or deny computing privileges and access to its
resources.
(6) Testing and monitoring of
security will be routinely conducted as well as the regular review of files or
information resident on university systems to guard against unacceptable use.
All accounts assigned to authorized individuals will be treated as private by
university employees charged with managing university computer systems,
resources, and networks.
(7) An account may be accessed
without the user's permission by the appropriately assigned ITS officials upon
authorization by the president or the president's designee for any employee
placed on temporary or extended leave of absence, or otherwise is not
reasonably available, or when there is probable suspicion of violation of
university policies or evidence of criminal activity. The university reserves
the right to deny access to its computer systems, resources and networks until
consent to access the account is provided by the president or president's
designee.
(D)
Privacy expectations
(1)
Users are expected to be aware that their uses of
university computing systems, resources, and networks are not private. The
university routinely monitors individual and campus-wide usage on a regular
basis for suspicious activity and targeted threats. Service vendors often
require the examination of institutional files, data transmissions, and
system-generated logging files to maintain normal operations.
Users should anticipate monitoring of university technology
resources, in adherence to the information security program and conditions of
use procedures for operational and security purposes.
(2)
Shawnee
state's status as a financial institution obligates the university to protect
the consumer information it collects during the normal course of business.
Users authorized to maintain financial information must adhere to all state and
federal mandates and compliance required to meet external or internal audit
requirements.
SSU commits to protecting
sensitive information in accordance with Family Educational Rights and Privacy
Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA),
Gramm-Leach-Bliley Act (GLBA), General Data Protection Regulation (GDPR),
Payment Card Industry Data Security Standard (PCI DSS), and other regulations,
as outlined in the information security program procedure.
(3) As an institution of higher
education, Shawnee state is obligated to protect confidential information
restricted by FERPA, HIPAA, GLBA, GDPR, PCI, Ohio Revised Code and other
regulatory requirements (e.g. red flag rules), and is not releasable to the
public under state or federal law.
(E) Use of university computing resources
(1) Adherence to the information security program and the conditions for use
procedures
conditions for use is
mandatory in order for users to be granted the privilege of access to the
university's information technology systems.
(2)
All users are
responsible for complying with the conditions for use of Shawnee state's
computer systems, resources, and networks. conditions for use shall be
distributed to users via e-mail when substantive modifications are adopted.
They shall be posted on the university information services web page and made
available upon request.
All users are
responsible for complying with the information security program and the
conditions for use procedures when accessing university resources, and
networks. The information security program and the conditions for use
procedures shall be posted on the university policies and the information
technology services web pages and made available upon request.
(3) As a member of the Ohio academic
research network (OARnet), Shawnee state is expected to ensure compliance with
policies and procedures of OARnet and related networks. Therefore, users
granted privileges to access OARnet and other networks must comply with the
policies and procedures of those networks.
(F) Sanctions
Violation of computer use policies or non-adherence
to the conditions for use may result in sanctions by the university, up to and
including loss of computing privileges, termination of employment and dismissal
from the university in accordance with the appropriate policies and collective
bargaining agreements regarding disciplinary actions.
Violations of this policy and applicable procedures will be
subject to discipline according to university policies and collective
bargaining agreements.
(2) The process outlined in the
student handbook will determine sanctions for students.
(3) Disciplinary actions do not
preclude additional civil or criminal prosecution by the appropriate
authority.
