Policy Title | Information Technology (IT) Policy on Computing Resources, Privacy, and Copyright |
---|---|
Policy Category | Information Technology |
Original Policy Approval Date | November 4, 2022 |
Policies Superseded | Interim Information Technology Policy dated March 29, 2017 |
Responsible Office | Information Technology |
Related Policies | Acceptable Use Policy; Data Governance Policy; Records Management Policy |
Frequency of Review | 5 Years |
Date of Next Review | November 2027 |
I. Scope
This Information Technology (IT) Policy (“Policy”) applies to all Authorized Users of Technology Resources owned, managed, or otherwise provided by the University. All capitalized terms within this Policy not defined within an applicable section are defined in Section IV below.
II. Policy Statement
The University’s technology infrastructure exists to support the academic and administrative activities needed to fulfill the University’s mission. Access to Technology Resources is valuable for community members to communicate and conduct business, as well as to retain and exchange knowledge. Access to these resources, however, is a privilege that should be exercised responsibly, ethically, and lawfully.
The purpose of this Policy is to provide guidelines to protect the security of the Technology Resources that are available for members of the University community. It also establishes each member’s role in protecting its information assets, and to communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable the University to implement a comprehensive system-wide information security program.
The University will make reasonable efforts to respect Users’ privacy. However, Users do not have, and should not expect, any right to privacy for communications transmitted or stored on the University’s Technology Resources, except as provided by applicable law. Additionally, in response to a judicial order or any other action required by law or permitted by University policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the University, the University may authorize a University official or an authorized agent, to access, review, monitor, and/or disclose computer files associated with a User’s account. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the University’s rules, regulations, or policies, or when access is considered necessary to conduct University business due to the unexpected absence of a User or to respond to health or safety emergencies.
III. Policy
A. Technology Resource User Table
This table describes various University Users. | |
Authorized Users | Arcadia Technology Resource Service Terms |
Alumni | Access to University Technology Resources ends 365 days after graduation. If you wish to keep your email, you will need to opt in by responding to a communication from the University indicating that you would like to retain your email account. For alumni who do not opt in, the University will hold the email address for 365 days after graduation. |
Students | Access to University Technology Resources ends 365 days after separation from the University or may be terminated immediately for misconduct or in the best interests of the University. Students on official leave of absence maintain access to email, calendar, and productivity tools. Access to University Technology Resources ends 365 days after a student is placed on academic suspension. |
Faculty – emeritus | Faculty retaining “emeritus” status as designated by the University are eligible for continued access to University Technology Resources. User accounts inactive beyond 365 days may be terminated. |
Former faculty (including adjunct, part-time, and retired) Staff – retired |
Access to University Technology Resources ends 365 days after separation from the University unless access is being utilized for one of the below scenarios: to support ongoing academic/research endeavors; to facilitate University business continuity; or for volunteer activities in support of a department, school/college, campus, or the University in general. Users in this category must: Comply with all University policies including the Acceptable Use Policy; and Complete an annual information security training module. |
Former full-time faculty (non-retired) staff (former full-time and/or part-time) (non-retired) |
Access to University Technology Resources ends on the last day of employment and all Technology Resources associated with that faculty or staff member are deactivated, and all data therein is deleted, 30 days after the last day of employment unless an extension is requested by the manager. |
Sponsored affiliates (e.g., visiting scholars) | Visiting faculty, staff or scholars with a temporary association with the University are provided temporary access to University Technology Resources, which ends on the last day of their affiliation with the University. |
Vendors and contractors | In certain situations, vendors and contractors may require access to University systems in order to complete their scoped work. The account will be provisioned upon request from the vendor’s sponsor, a University employee responsible for managing the work of the vendor or contractor. The account will remain active for a two-week period, after which it will be automatically deactivated. If an account needs to be used for a longer period of time, the sponsor will need to submit a request for an extension of the use of the account. |
Board of Trustees members | Trustees will be provided with a University account for use during their time as a member of the University Board of Trustees. Upon completion of their term, the account will be deactivated, unless the trustee meets the definition of another category of Authorized User as defined by this table which provides Technology Resource access. |
B. Account Management, Devices, and Passwords
1. Account Management and University owned devices
Account Management applies to the account assigned to you when you first become affiliated with the University. The University generates and assigns unique authentication credentials to Users at the University. This account provides electronic access to services. Only one account is provided to an individual at the time the individual initially assumes or resumes a relationship with the University. The account remains the property of the University and the University reserves the right to change, delete, or add credentials. Obtaining an account is a prerequisite for accessing Technology Resources and is used to identify and authenticate an individual.
Any hardware or devices provided by the University to any University employee are to be returned on the last day of employment.
2. Personally Owned Devices
The University provides internet and network access only. The University does not provide hardware or software for personally owned devices. Personally owned devices may have limited access to Technology Resources compared to using a University-owned device.
Access to University owned data from personally owned devices is permissible when appropriate safeguards are utilized. For the security of University owned data, the following usages are not permitted:
- Storing a local copy of University owned data to personally owned devices;
- Accessing University owned data for reasons other than job responsibilities from a personally owned device; and
- Distributing University owned data to non-authorized persons from any device.
Faculty or staff who connect a personally owned device to the University network must take responsibility for their own device and its use, which includes:
- Familiarizing themselves with their device and its security features so they can ensure the safety of University owned information;
- Ensuring the operating system is updated and is not an end-of-life version as defined by the software manufacturer;
- Ensuring there is an active anti-virus/anti-malware tool with updated definitions; and
- Monitoring the download and installation of malicious software
The University reserves the right to prevent access of a personally owned device to the campus network or system if the device poses a threat to the integrity of the University’s Technology Resources. The University also reserves the right to retrieve and remove University owned data from unapproved devices.
Technical Support for your Device
All maintenance for a personally owned device, including software installations and updates and apps purchased will be the responsibility of the owner. Staff at the University Help Desk, available at 215-572-2898, will be able to offer help connecting to the network and can assist with other general troubleshooting queries. Staff at the Help Desk will not be able to provide support for complex problems with personally owned devices.
3. Passwords
All Authorized Users must employ a unique password that meets the following criteria:
- At least 15 characters in length
- Must contain 3 of the 4 below parameters:
- One (1) upper case letter
- One (1) lower case letter
- One (1) number
- One non-alphanumeric character (such as: ! @ # $ % ^ &, etc.)
Passwords must not be shared, written down, or recorded in an unsecured state. If a password needs to be recorded, the owner of the account must use the University owned and approved tool for password management. For information about the current University owned and approved password management tool, Authorized Users may contact the HelpDesk.
If a password is forgotten or needs to be reset, then the User must provide additional information to verify their identity. The Help Desk will ask to confirm at least two of the following before resetting your password:
- Date of Birth (DOB)
- Zip code
- Arcadia ID number
Resetting your password will result in a temporary password that must be changed again by the User before it can be used.
Your University password is valid for 365 days. You will be required to change your password when this period is over. Information technology staff at the University may ask you to reset your password outside of the regularly scheduled interval if account compromise is suspected.
C. Email Account Management
1. Faculty and Staff
Human Resources is the only approved party for requesting accounts of new employees to the University or asking for accounts to be terminated. Email is available for all full time faculty and staff, part time faculty and staff, adjunct faculty, student workers, and interns who are assigned a work account to conduct and communicate Arcadia business.
In all circumstances, student workers and interns will be provisioned a separate account in order to complete their work for the University (accounts can be requested through this form). All correspondence related to their work must be completed using this account and not their original student account. The account will be provisioned upon request from the student worker’s supervisor and will remain active until the end of the academic year, after which it will be automatically deactivated. If an account needs to be used for a longer period of time, the supervisor must submit a request for an extension of the use of the student account using the above form.
2. Students
Email is available for all undergraduate, graduate, dual-enrollment, and international students to support learning and for communication between the University and themselves.
3. Other Accounts
Individuals such as visitors, board members, emeritus/retired faculty and staff, alumni, vendors and contractors, or others who are not employees or students of the University, can be granted an email address which may be discontinued by the University at any time. For additional details on each relationship, please see the Technology Resource User Table as defined in Section III. A of this Policy.
4. Special Account and Group Types
The following are all categories of special email account types or groups. Each of these are implemented under specific use cases which are detailed in the sections below. All requests for these types of accounts must be submitted to and approved by the Information Technology department. If you would like to discuss different account and group solutions to meet your needs, please contact Information Technology.
Arcadia is free to discontinue the use of these accounts at any time.
5. Shared and Generic Name Accounts
Shared and generic accounts are in opposition to common security best practices. They will be approved on a case-by-case basis by the University’s Information Technology department. These requests can be submitted through the Help Desk. Each of these accounts will require a staff member to be the account sponsor. This sponsor will be responsible for ensuring the appropriate individuals have access to the account and will approve or deny requests for modifications or additions to the account.
6. Service Accounts
Service accounts have the ability to sign in to systems/services and are to be used only for automated processes and services. Provisioned service accounts must not be used by an individual to login or to complete daily or recurring tasks. These accounts are not assigned to a specific individual, but require a named account administrator. This staff member will be responsible for information regarding usage and continued existence of the service account.
7. Distribution Groups
Distribution groups are to be used for receiving email and distributing it to multiple users. They do not have the ability to authenticate to resources, meaning it cannot sign in to Gmail as it does not have an inbox. In addition, these groups cannot access Google Drive and other Google resources. The group also has the ability to reply to received emails as long as the individual has authorized access to send from this group.
Similar to shared and generic accounts, distribution groups are typically designated to a department or subset of a department but can also be allocated to a committee, club/organization, or other group of people. Distribution groups require an account administrator who is responsible for ensuring that the appropriate individuals are included in the group and will approve or deny requests for modifications or additions to the group.
These accounts are only provisioned under specific circumstances:
- There is a need for a group of people to receive emails under the same name (as a “group”);
- The group does not need to send emails under the alias of the group name;
- The group does not need to sign in to any resources under the alias of the group name.
D. Acceptable Use of University Email
All use of University email accounts must comply with the University’s Acceptable Use Policy.
1. Email Retention
This section applies to all University email accounts provided through the University’s email service. The purpose of this section is to establish the University’s policy regarding the retention of University emails. Authorized Users of the University’s email service are responsible for maintaining their email accounts in accordance with this Policy.
- Email messages shall be retained according to the University’s Records Management Policy.
- A litigation hold directive overrides this section until the hold has been cleared, as specified in the University’s Records Management Policy.
- Emails containing Personally Identifiable Information (PII) shall not be stored, transmitted, or processed using email infrastructure unless appropriate information security mechanisms (e.g. University provided email encryption) are employed.
- Users are not permitted to forward email to a non-University email service. All official email correspondence is to be performed from a University email account.
2. Security and Privacy of Email
The University respects the privacy of its email users. It does not routinely inspect, monitor, or disclose email. Nonetheless, subject to the requirements for authorization, notification, and other conditions specified in this section, the University may deny access to its email services and may inspect, monitor, or disclose email in accordance with the University Acceptable Use Policy. Email, whether or not created or stored on University Technology Resources, may constitute a University record subject to disclosure or other laws, or as a result of litigation. However, the University does not automatically comply with all requests for disclosure, but evaluates all such requests against the precise provisions of laws concerning disclosure and privacy, or other applicable law.
3. Violation of Policy
Authorized Users of the University’s Technology Resources whose actions violate this or any University policy may be subject to revocation or limitation of email privileges as well as other disciplinary actions or may be referred to appropriate external authorities.
E. VPN
1. Purpose
Virtual Private Network (VPN) service is managed and provided by the Information Technology department for Authorized Users at the University who require remote and secure access.
2. Intended Use
VPN access is provided for the campus community provided Users adhere to all established policies relating to the use of the University network and associated Technology Resources as well as applicable local, state and federal laws.
3. Usage Policy
VPN access will require authentication by username, password, and a two-factor token (not an email or short message service (SMS) or text passcode). All traffic will be encrypted using standard protocols. All authentication attempts will be logged.
Current University employees, excluding student workers, have permission to access the VPN solely for the purpose of conducting University business. Access by student workers and consultants is permitted on a case by case basis as assessed by IT.
If an individual is issued a University computer for performing a job function, that is the device that should be use for connecting to the VPN and not a personally owned device. All non-University owned computers and mobile devices connecting to the University’s VPN must adhere to the requirements set forth in section B2 of this Policy. Authorized Users acknowledge that their machines are a de facto extension of the University’s network, and as such are subject to the same rules and regulations that apply to University-owned equipment, i.e., their machines must be configured to comply with University policies.
VPN users will be automatically disconnected from the University’s network after a set period of time for security reasons. This period is updated to adhere to current security standards.
Only IT approved VPN clients may be used.
F. Digital Millennium Copyright Act
1. General
The purpose of this section is to address the University’s compliance with the Digital Millennium Copyright Act (DMCA) and specifically 17 U.S.C. Section 512(c), as amended. The University respects the rights of copyright holders, their agents and representatives, and implements appropriate policies and procedures to support these rights without infringing upon the legal use, by individuals, of those materials. All individuals who use University Technology Resources are responsible for their compliance with applicable copyright laws, University policies, and other applicable provisions. Under appropriate circumstances, the University may terminate authorization of users of its system or network who are found to intentionally or repeatedly violate the copyright rights of others.
The University’s designated registered DMCA Agent (defined below) shall receive all claims of infringement under the DMCA. Claims may come from inside or outside the University. The DMCA Agent shall promptly acknowledge receipt of each infringement claim, process, investigate, and take appropriate actions under the DMCA. The DMCA Agent shall coordinate activities, keep required records, and assure proper adjudication of incidents in conformity with University policies and procedures and applicable legal provisions.
The University will use a three-pronged approach to address DMCA related activities. The University will:
- provide annual disclosures to students about copyright law, policies, and penalties, as well as education on DMCA issues;
- use reasonable measures to prevent inappropriate use of peer-to-peer (P2P) programs and software, including technology methods; and
- annually suggest lawful alternatives for obtaining electronic copyrighted materials.
The DMCA provides an opportunity for colleges and universities to shield themselves from liability for the actions of users that infringe on the copyrights of others. Any use of the Technology Resources to illegally transfer copyrighted material including, but not limited to, software, text, images, audio and video is strictly prohibited.
Under the DMCA, the University will not be liable to the individual using electronic information for any harm they might suffer because of its actions in disabling access so long as it:
- Takes reasonable steps to notify the individual about the allegations in a conforming notice that was received;
- Promptly sends a copy of any substantially conforming counter-notice to the complainant indicating that it will restore access in 10 business days; and
- Restores access to the allegedly infringing work within 10 to 14 business days after the day it receives the counter-notice, unless it first receives a notice from the complainant that they have filed an action seeking a court order to restrain the page owner.
2. Notices and Takedown Requests
In accordance with the DMCA, the University has designated the Chief Information Officer (CIO) as the DMCA Agent to receive and respond to reports of alleged copyright infringement. This designation is listed on the University’s public facing website. DMCA notices and takedown requests must be routed to the University’s DMCA Agent.
The DMCA specifies that any DMCA notice or takedown requests must be in writing (either on paper or electronic mail) and must include the following elements: a physical or electronic signature; description of the work claimed to be infringed; description of the allegedly infringing work and the location on the University’s public facing website; contact information for the complaining party; a statement that the complaining party has a good faith belief that the use of the material in the manner complained of is not authorized by the copyright owner or law; and a statement that the information contained in the notification is accurate, under penalty of perjury, and that the complaining party is authorized to act on behalf of the copyright owner. Failure to include information required by the DMCA in the notice of alleged infringement may result in a delay of the processing of the DMCA notification. The University reveals names of alleged offenders only when provided a valid subpoena.
Upon receipt of a DMCA notice or takedown request, the University’s DMCA Agent or designee will follow the takedown procedure outlined in the Digital Millennium Copyright Act, U.S. Copyright Law, Chapter 5, Section 512(c)(3). In addition, the DMCA Agent or designee will notify the individual responsible for the content that the takedown has taken place, and inform them of their rights regarding counter-notice and put back procedures, which are outlined in the Digital Millennium Copyright Act, U.S. Copyright Law, Chapter 5, Section 512(g).
G. University Oversight and Enforcement
1. University’s Oversight
The University reserves the right to protect, repair, and maintain the University’s Technology Resources and network integrity. In accomplishing this goal, University IT personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and internet activities. Any information obtained by IT personnel about a user through routine maintenance of the institution’s computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of Arcadia University’s Technology Resources.
2. Enforcement
Users who violate this Policy may be denied access to the University’s Technology Resources and may be subject to penalties and disciplinary action both within the University, up to and including separation from the University, and external to the University, including investigation and/or prosecution by local, state, or federal authorities. The University may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the University’s or other Technology Resources, or to protect the University from liability. The University is not liable for the actions of anyone connected to the internet through the University’s Technology Resources. All Users will assume full liability—legal, financial, or otherwise—for their actions in violation of the Policy. Users are subject to disciplinary rules described in the Staff Handbook, Faculty Handbook, Student Handbook and Code of Conduct, and other policies and procedures governing acceptable behavior.
3. Exceptions
Exceptions to this Policy may be granted by the CIO, or by the CIO’s designee. All exceptions must be reviewed annually or more frequently if deemed necessary and/or appropriate by the CIO.
IV. Definitions
Alumni: individuals who have been granted a degree from the University.
Authorized Users or Users: all users of Technology Resources including, but not limited to, employees, temporary employees, faculty, students, alumni, campus visitors, contractors, vendors, consultants and their related personnel, and other users authorized by the University to access its systems and networks.
Technology Resources: assigned computer accounts, email services, and the shared University network which includes resources and facilities operated by the University, whether owned, leased, used under license or by agreement, including, but not limited to: telephones (including mobile devices) and telephone equipment, voice mail, SMS (text), mobile data devices, desktop and laptop computers. Email, chat, facsimiles, mail, any connection to the University’s network or use of any part of the University’s network to access other networks, connections to the internet that are intended to fulfill information processing and communications functions, communication services, hardware, including printers, scanners, facsimile machines, any off-campus computers and associated equipment provided for the purpose of University work or associated activities.
Information Systems: any system that creates, collects, stores, and processes data.
Information Technology Department: the department at the University that is responsible for managing the University’s Technology Resources.
University: Arcadia University, its colleges, schools, affiliates, divisions, and subsidiaries.
V. Effective Date
This Policy is effective on the date that it is signed by the President.
VI. Signature, Title, and Date of Approval
Ajay Nair, President
November 4, 2022