4.181 Administration & Institutional Effectiveness
INFORMATION TECHNOLOGY POLICIES AND PROCEDURES
Date Adopted/Most Recent Revision: 08/05/2011

 

A.    General

This policy applies to all users of the university's telecommunications, computer and network services. The university provides telephone, computer and network resources for use by students, faculty, staff and other persons affiliated with the university.  The use of these resources is governed by this policy.  Any violation of this policy or misuse of these resources, whether deliberate or incidental, may result in disciplinary actions according to university policies, as well as possible legal actions. Violations of security protocols in this policy shall be reported to the supervisor, the Chief Information Officer and the appropriate vice president or the provost.

B.    Definitions

1.    Telecommunications

Hardware, software and personnel to provide audio and digital voice communications on and off campus. This includes the installation, maintenance and design of existing and future voice requirements.

2.    Computer Systems

Midrange, server, and personal computer assets that are used for university administration, student development and academic endeavors. Use of these assets is governed by legal statutes for copyrighted software, university-developed software policy, and software developer licenses.

3.    Network Services

Operations, equipment, maintenance and technical services that are provided to the university for the continued growth and development of the campus-wide communications network. These services include small computer software and hardware maintenance and installation of university-purchased equipment.

C.    Guidelines

The university has established the following guidelines governing the proper use and workload management of Information Technology resources and personnel.

1.    Telecommunications

All telephone outages will be reported by the user through the telephone outage reporting system at Ext. 4555. Requests for new installations, system reprogramming and telephone instrument relocations will be submitted using the Information Technology work order system.

2.    Computer Systems Programming Requests

Information Technology service requests will be submitted using the Information Technology work order system.  Once submitted, the data custodian for the area must approve the concept and access to specific data elements. Following approval from the data custodian to proceed, Information Technology will determine actual feasibility of the project and/or report.  It is the practice of the university to not perform custom programming on purchased applications unless there is no other viable solution.

3.    Network Services

Trouble resolution, technical solutions, network upgrades and network security services will be provided to the university by Information Technology. All services other than trouble reporting must be requested using the Information Technology work order system. This includes requests for technical solutions or network design.

4.    Trouble Reporting

Small computer software and hardware trouble reporting will be managed through the Information Technology Help Desk at Ext. 4278 or email at helpdesk@mwsu.edu. Users should report detailed information describing the problem. A work order will be assigned and tracked until completion. New installations of small computers will be accomplished according to the delivery schedule provided by the vendor. Any modifications to this schedule will be determined by the Chief Information Officer.

5.    Technical Solutions

Technical solutions will be provided to the university faculty and staff to satisfy approved requirements for information technology equipment and software. These solutions will conform to the university guidelines established for interoperability and uniformity.

6.    Network Upgrades

Information Technology will be responsible for the network upgrades that are consistent with university policy and technology availability. All upgrades will provide a migratory path for future conversions and implementations.

7.    Laboratory Management

Information Technology is responsible for providing technical staffing for the general purpose student labs. This includes the following:

a.    Provide general purpose software and qualified student employees for general purpose student labs.

b.    Provide supplies and printer services as required during normally scheduled lab periods.

c.    Provide first-look maintenance on equipment and outage reporting.

d.    Maintain lab physical security and cleanliness.

8.    Electronic Network Access

Users of the university electronic network facilities and services will indemnify and hold harmless the university against any and all actions or claims of infringement of intellectual property rights arising from the use of a network-based service or facility provided by the university. Network access is provided by password control. All passwords are managed and controlled by Information Technology. The following policies are established for network access:

a. Use of facilities and services in such a way as could be deemed foul, threatening, inappropriate, harassing, or abusive, including but not limited to racial and sexual slurs, is prohibited.

b. All accounts are for the sole use of the student, faculty or staff of the university. Account information will not be released by Information Technology to any other individual.

c. Network access shall not be used for any non-university related activity. Use of network access should be consistent with the instructional, research, public service and administrative purposes and goals of the university.

d. A network access account may be requested by a currently enrolled student, employed faculty/staff member or emeriti faculty/administrator.

e. Student access will be deactivated upon the student's withdrawal from the university or non-enrollment.

f. Faculty and staff network access accounts will be deactivated upon termination of employment.

g. Unauthorized access to the network is strictly prohibited and could result in disciplinary action up to and including legal criminal action. Network account information is for the sole use of the original requester.

h. Electronic mail is subject to search at any time, with or without notice, as the university administration deems necessary.  There should be no expectation of privacy.

i. Use of university electronic mail accounts to send unsolicited commercial mail is prohibited.

j. To best serve the general campus population and to conserve limited resources, remote access users will be limited to four (4) hours of on-line time per session.

9.    Copyright and Computer Software

Midwestern State University and its students, faculty, and staff must maintain legal and ethical standards regarding the use of computer software. The unauthorized duplication of computer software, data or computer manuals, unless appropriate written consent is obtained, is grounds for disciplinary action and referral to the appropriate law enforcement or investigative agency.

a.     In strict compliance with Public Law 96-517, Section 10(b), which, in amending Section 117 of Title 17 U.S. Code to allow for the making of computer software back-up copies, states in part "it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:

1.     "That such a new copy or adaptation is created as an essential step in utilization of the computer program in conjunction with a machine and that it is used in no other manner, or

2.     "That such a new copy and adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful."

3.    Where appropriate written consent (from the holder of such copyright) is obtained.

4.    Where the software is in the public domain and that can be proven.

b.    Under PL 101-650, phonograph records, computer programs, tapes, CDs or videos may not be rented, leased or loaned for direct or indirect commercial advantage. However, the nonprofit lease or lending of computer software (bearing the warning notice prescribed by the Register of Copyrights) to this institution's staff, faculty and students for their nonprofit use is exempt from these restrictions.

c.     Also exempt (from PL 101-650's restrictions) is the lawful transfer of possession of a lawfully made copy of a computer program between nonprofit education institutions and between such institutions and the individuals comprising their staff, faculties, and student bodies.

d.    Illegal copies of software may not be used on this university's computers.

e.    Determinations made under sections 2 and 3 above are to be made by Midwestern State University and not the individual. Any indication of a violation of Section 4 will be promptly and thoroughly investigated.

f.     Unauthorized distribution of copyrighted material, including peer-to-peer file sharing, is prohibited under this policy.  This includes illegally downloading and/or sharing music and video files.

  1.   Violations will result in disciplinary proceedings against the student.  Sanctions given will be commensurate with the violation, and may include termination of computer privileges.

  2.   Individuals violating this policy may face legal action, which could include fines and/or imprisonment.

 

10.    Training and Education (TX Admin. Code 202.77)

a.    The university will provide training during new employee orientation to familiarize employees with the rules of information security.  Employees will be required to receive, sign, and agree to comply with the Data Standards and Responsibility Agreement.  During orientation, employees will receive a copy of this policy, #4.181, and specific training on the importance of ensuring the confidentiality of information.  Additionally, they will be informed of the proper computer use, computer account security, document handling, and verbal release of information.  Before computer system access is granted, employees will be required to attend job-specific training provided by the relevant academic and administrative areas throughout the university.

b.    The university shall establish an ongoing information security awareness education program for all users.  At least annually, or more often as needed when security issues arise, employees will be informed regarding information security procedures and safeguards. 

 

11.   Computer Security and Privacy

All faculty and staff employees and students shall be responsible for complying with the Computer Security and Privacy policies. These policies are as follows:

a. The university president shall appoint an administrator responsible for developing and maintaining university regulations and procedures regarding security and privacy of computer data, software, and hardware.

b. Any student's or faculty/staff employee's use of university computing facilities is a privilege that shall be revoked for violation of this policy, regardless of the need for computer use in performing assigned duties or class work. Specific causes for revocations are as follows:

1.    Student, faculty or staff who intentionally gains access to a computer or file that is protected from general access by the public.

2.    Gaining unauthorized access to privacy protected information that may reside on university computer systems.

3.    Purposely placing or injecting a virus into the university computer systems or networks.

4.    Compromising computer network system security by responding to spam, phishing, and other email requests for release of secure computer system user names and passwords.

5.    Removing university computer assets from campus without prior approval.

6.    Connecting personally owned computers and software to the university networks without prior approval.

7.    Public domain (shareware) will not be downloaded from public access bulletin board systems to any user computer connected to the campus network. All software loaded on university computers will first be approved by Information Technology and certified virus free.

8.    User departments will identify to Information Technology personnel computer workstations used to store confidential or sensitive information or to run critical applications. The users will be responsible for notifying Information Technology for periodic virus scans.

9.    Users will not install personal computers onto the university’s network.

c. Some jobs or activities of the university involve access to resources critical to computer security and privacy. The university may require faculty/staff employees or students involved in these jobs or activities to disclose personal histories, participate in special training, and/or sign special agreements concerning computer use.

d. All students and faculty/staff employees shall cooperate with official state and federal law enforcement authorities in aiding the investigation and prosecution of any suspected infraction of security and privacy involving either university personnel or university computing facilities.

12.  Computer System Access Control

The Chief Information Officer will maintain computer system integrity through the effective use of security controls. In an effort to control access to computing resources, the following policy is in effect:

a. Only employees of the university or approved student workers may be assigned a logon to allow use of computing resources. All passwords will be changed quarterly.

b. A logon will be assigned by Information Technology after verification by Human Resources of the individual’s current employment with the university.

c. Each director level supervisor must determine the level of access (input vs. inquiry) for each employee within his or her supervision.  A request for access must be approved through the appropriate area data custodian.

d. Each employee who is granted access to the university computing resources must be assigned a unique logon. Generic logons are not acceptable.

e. Assigned logon access and passwords must be protected from unauthorized use. Sharing of passwords or logging on in order for someone else to use the systems is a violation of university policy and strictly prohibited. Users may not request access to another person’s password.

f. Assigned users shall be held responsible for any disruptive, destructive, or illegal activities originating from their assigned access and will be subject to disciplinary actions for misuse up to and including termination of employment and possible criminal prosecution.

g. No exceptions will be granted to this policy without written approval from the appropriate vice president.

 

13.  Password Complexity

a. Purpose – The purpose of this policy is to safeguard confidential information.  Complex passwords will help protect user accounts and the information contained therein from being compromised by others.

b. Scope – This policy applies to all users of the university’s computer and network services.

c. Policy

1.       All passwords must be at least eight characters in length, with a maximum length of 32 characters.

2.       A new password must not match any of the user's four previous passwords.

3.       Passwords must contain at least three of the following four items:

a.       at least one upper case letter (A-Z),

b.       at least one lower case letter (a-z),

c.        at least one number (0-9),

d.       at least one special character (!@#$%^&*()<>?).

 

d. Frequency – Passwords must be changed at least once every 90 days, but no more frequently than once every 30 days.

14.  Computer Operations Center

The Chief Information Officer will maintain control and supervision of the production, scheduling and output of the Computer Operations Center. The following policies for services provided by the operations center are in effect.

a. The user departments are responsible for scheduling of processing and reports prior to the actual run time. Schedules will be made according to cycles (semester, month, week, etc.). All efforts will be made to conform to the customer requests, provided other processing conflicts do not take priority.

b. Input data should be checked for validity and accuracy by the submitting departments.

c. Output reports should first be checked for accuracy by Information Technology personnel and then rechecked by the user department before distribution and/or use. The user department is responsible for the accuracy of the reports.

d. All non-emergency requests for reports must be initiated by contacting Information Technology. This request will provide detailed information on the task as well as a realistic due date.