
OSU Foundation Information Technology System Policy

November 2006

Table of Contents
Purpose
Scope
Policy
Definition of Terms
Backups
Computer Network Security Guidelines
Software Licensing Policy
Electronic Communication Tools
Access and Privacy
Personal Use of the Systems
Content
Violation of Policy

I. Purpose

This administrative Policy establishes procedures and guidelines that specify who owns and controls the information within the OSU Foundation's (OSUF) Electronic Information Processing Systems ("System"), the Foundation's right of access to the information contained in the System, and the use of the systems, associated network, software and equipment.


II. Scope

This Policy applies to all OSUF employees and others ("Users") who have access (direct or through any type of remote access solution) to the System. The System includes all computer devices, software and hardware (CPU's, memory devices, storage devices and storage media), personal digital assistants (PDA's), and wireless communications devices that access the Foundation's network and printers. For purposes of this Policy, an electronic record or communication includes any data or information in any form processed or stored within the System whether generated directly or indirectly.

Where any section, subsection, sentence, clause, or phrase of this Policy is found to conflict with any state or federal law or administrative rule, the terms of such laws or rules shall prevail.


III. Policy

The System is an OSUF resource and tool for assisting in the conduct of OSUF business. Unless otherwise specified by initial agreement, all programs, documents, and data generated, processed, and/or stored on the System are OSUF property. Use of the System shall be conducted in accordance with this Policy.

 


IV. Definition of Terms

Sensitive information
This includes information about people where the identities of individual people cannot be determined.

Confidential information
This includes information that can be linked, directly or indirectly, to individual people. Examples include social security number, credit card, year of birth, mother's maiden name, or driver's license number.

 


V. Backup of Electronic Files

The Network Administrator periodically backs up all network directories. These backups are for the purpose of restoring needed, active files in the event of accidental deletion or data loss. Backup tapes are put into permanent storage twice a year (January and July) for the purpose of archiving data that is no longer actively used. Local hard drives on personal computers (PCs) are not backed up.

 


VI. Computer Network Security Guidelines

Users are responsible for following reasonable security practices regarding System physical access, System configuration, and network rights.

A. System physical access

Turn off individual workstations and laptops when not in use overnight and over weekend periods, unless there is a business purpose for leaving the computer on.

Follow reasonable guidelines for securing work areas during off-hours. Laptops should be placed in a secured, locked drawer if left in the office overnight or over a weekend.

To ensure network security, no User shall connect any device to the OSUF network (including wireless) without prior approval by Information Technology.

Report any concern regarding unauthorized utilization or suspected tampering at the workstation to Information Technology immediately. Please place both a call to the Help Desk at (541)737-7911 and an e-mail to osufithelp@oregonstate.edu to report a security concern.

B. Network Rights

Network passwords are utilized as a key element of the System security strategy. Passwords are required of all Users and should not be shared, whether verbally, in writing, or by entering the password to allow another person access to system resources. System-defined requirements for minimum password length, password renewal, and password reuse apply to all Users of the System. System Users should protect their passwords, and change them immediately if the password is compromised. Periodic password changes, with limitations on password reuse, are enforced as a matter of network security. Information Technology may require passwords that do not meet minimum security requirements to be changed immediately.

A User profile is established for each individual at the time network rights are established. This profile will limit the User's session to the information resources required for performing his or her job. If the User feels he or she is constrained by rights afforded through an existing profile, a request for review should be placed with Information Technology. Additional access should not be achieved through sharing the network rights of others, nor should it be explored through attempting to access systems on an unauthorized basis.

Users assigned remote access rights are to safeguard security information provided including phone numbers, security codes, and passwords. Remote access capabilities are assigned to specific individuals and are non-transferable between Users.

C. Security for Devices that Operate off the Network

Password protection should be employed on all notebooks and Personal Digital Assistants (PDA) and similar devices carried into the field by OSUF employees. Devices that do not support password protection should not be used to store OSUF data.

D. Unauthorized Use of Utilities and Network Tools

Many sophisticated system monitoring and diagnostic tools are readily available through the Internet. Implementation of any type of keyboard capture, network diagnostic, scanning, "sniffing", or port mapping tool by Users is prohibited. Contact Information Technology if there is a requirement to use these devices.

E. System Configuration

Careful control of access points to the network is vital to System security. No User shall install, or allow an outside service provider to install, any software or hardware solution that allows remote access or remote control of a device within the OSUF network. No User shall utilize any unauthorized software package or service to gain access to a device outside the OSUF network. A network-connected PC configured with remote access or remote control software, with or without a modem, represents a significant security exposure to the entire network. Users are not allowed to set up desktop modems to provide dial-in capabilities. Modem access is to be coordinated with Information Technology. Where business needs dictate, local modems may be required in a work group. In these cases, Information Technology will work with the User to assure that required needs are met with a configuration that is consistent with System security requirements.

A firewall is maintained to separate the OSUF network from the Internet. Many web-based services offered by outside agencies, for communicating and transferring data, require modifications to the firewall. Every modification constitutes a compromise in network security. OSUF will assess requests for access through the firewall on a case by case basis through a formal request process.

No User should attempt to modify their desktop operating system or software applications installed on the System. This includes the use of registry editors, any type of disk management software, menu, or other utility not included in the standard operating system. Users should not experiment with their PC operating system configurations using "tips and tricks" type information found in magazines, bulletin boards, user groups etc.

No User should install or download any software or program onto the System; this includes PCs not connected to the OSUF network. In general, Information Technology is solely responsible for installation and configuration of software on PCs and the System. Users should consult Information Technology prior to responding to any prompt from an Internet-based source to upgrade standard components on an OSUF PC (i.e., Adobe Acrobat, Flash, components of Internet Explorer). Additional guidelines for software licensing and ownership are defined in the software security portion of this Policy.

Users are not to install software that enables a workstation to serve as a communications host for remote access. No User shall install or download any software or activate any service that enables a PC or any component of a User profile to communicate through the firewall to any outside service, host, remote PC, etc. This includes "webshots" type novelty programs, "cellular" e-mail services, remote control software, streaming video and audio not related to OSUF business, and any of the emerging products that utilize ports configured for standard browsing, file transfer, and Internet e-mail routing.

Information Technology relies on standard configurations when restoring systems after component failures. IT is not responsible for restoring any custom configurations implemented by end users in violation of this policy.

Users should not disable or modify the network security software placed on their system including anti-virus software. Users connecting to the network are obligated to participate in distributed updates of their systems.

Users should limit the use of local drives (C: drives) for storing data. Any storage of data on the local drives should take place with the understanding that, in the centrally administered network, the local PC hard drive is the least secure location to place data. Local drives do not receive the full protection of the network security system and are not backed up.

 


VII. Software Licensing Policy

All programs, documents, and data generated, processed, and/or stored on the System are OSUF property, unless otherwise specified by a license agreement. OSUF licenses the use of copies of computer software from a variety of outside companies. OSUF does not own the copyright to this software or its related documentation. OSUF, except for copies for backup purposes or unless expressly authorized by the copyright owner(s), does not have the right to reproduce it for use on more than one computer or network.

Users are not permitted to copy any software or program on or connected to the System.
OSUF employees learning of any misuse of software or related documentation should notify the Information Technology management. According to the U.S. and Canadian Copyright law, unauthorized reproduction of software is a federal offense. Offenders can be subject to civil damages of as much as US$100,000 per title copied, and criminal penalties, including fines (up to US$250,000 per work copied, CN$1,000,000) and imprisonment (up to 5 years per title copied).

 


VIII. Electronic Communications Tools

This part of the Policy covers electronic communications tools including network-based electronic mail, scheduling, browsing, and information management capabilities. The electronic communications tools are OSUF resources provided to assist in the conduct of OSUF business. Except as allowed under this Policy, the electronic communications tools may only be used for OSUF business.

A. E-Mail

1. Usage
E-mail is a network-based electronic communications, scheduling, and information management tool, and is provided as a tool in the conduct of OSUF business. Each department should establish internal guidelines for the appropriate level of formality for internal e-mail.

E-mail communications must not be used improperly. Examples of improper use include but are not limited to:

a) personal gain, personal business, or political ventures;
b) soliciting junk mail or subscribing to newsgroups unrelated to OSUF business;
c) the sending of offensive messages; and
d) personal use except in compliance with this Policy.

"Offensive" for the purposes of this Policy is broadly defined as containing information or images that would be considered inappropriate in the OSUF workplace or that would contribute to creating a hostile work environment. Examples include, but are not limited to, content which could make others feel uncomfortable because of their treatment of topics involving gender, race, disabilities, or sexual matters.

2. Confidential Information
E-mail should not be considered a secure method of transmitting data. E-mail is not encrypted and could be stored on several servers and backup media while being transmitted to its intended recipient(s).

E-mail is never to be used to transmit confidential information, which includes, but is not limited to: social security numbers, credit card numbers and/or expiration dates, mother's maiden name, date of birth or driver license numbers. This applies not only to messages sent outside of the OSU campus, but to messages sent to OSUF staff, including sending mail to one's own self.

Contact IT if you have a justifiable business need to transfer confidential information so that an alternative, secure method can be utilized.

B. Browsing Software
Access to the Internet is provided as a tool in the conduct of OSUF business. Many resources are available through Internet connections to assist employees in performing their work in a more efficient and effective manner. Typical usage includes using a browser tool to conduct research or find information and the communication or exchange of information with others for business purposes.


IX. Access and Privacy

Users of the System should be aware that there is no right of privacy for any electronic record or communication. Users should be aware that OSUF may access, view or listen to any electronic record or communication in the System.

All Users should also be aware that the use of a password does not give rise to any right of privacy and that the use of the deletion keystroke does not necessarily mean that a record, communication, or document has been eliminated from the System.
Users are prohibited from engaging in any unauthorized transmittal, copying, modification or removal of data on OSUF systems. Nor should any User provide unauthorized access to OSUF systems. Many voice and data systems create and maintain detailed records of user utilization. Users should be aware that their uses of OSUF computing resources are not completely private. It is the policy of the Foundation not to monitor individual usage of computing resources. However, the Foundation reserves the right to monitor and record the usage of all computing resources as necessary to evaluate and maintain system efficiency, and may further monitor and record the usage of individuals, including the disclosure of individual files:

  • if it has reason to believe that activities are taking place contrary to this policy, or any other applicable policy (OSU/OUS)
  • to respond to an administrative court or judicial court order
  • to respond to a request for discovery in the course of litigation

 


X. Personal Use of the System

OSUF does not prohibit personal use of the System (i.e., sending e-mail over the Internet, accessing sites on the Internet, typing a letter, or making a local telephone call) provided that the use is infrequent and brief. OSUF recognizes that employees occasionally have a need to talk to family members, schedule service technicians, confer with children's schools, and take care of a variety of other matters during "regular" working hours and that, in today's electronic environment, use of the System for these purposes may be more efficient. OSUF believes that personal use for these purposes during regular working hours is less disruptive than requiring employees to take formal breaks or leave work, provided that the use is brief, infrequent, and in compliance with the following guidelines and understandings:

A. There is no right of privacy for any electronic record or communication, whether personal or not, on the System.

B. Personal communications to group "Bulletin Boards" or "Chat Rooms" are prohibited.

C. Employees shall not use any component of the System for illegal activities, engaging in profit making ventures, or personal business.

An example of "personal business" for purposes of this Policy is on-line stock trading or subscribing to a financial newsletter for delivery via OSU e-mail.

D. Employees shall not access sites containing pornographic or offensive materials.

E. Downloading software or any information which requires storage on OSUF equipment, not related to your assigned job responsibilities, is prohibited.

F. Unauthorized access to protected resources is prohibited.

Employees shall not utilize OSUF systems to access or store music, videos or any other copyrighted material for personal use. Downloads of such material for official business are allowed only if the appropriate permissions, licenses or other authorizations are obtained and the downloading is approved by an authorized supervisor. Employees who use the system to violate copyright laws shall be personally liable for any fines, penalties or other costs.

Employees are encouraged to limit personal use of the System and apply good judgment and common sense.


XI. Content

All records, messages, and communications should be appropriate, professional, and courteous. Users are not to store sensitive, confidential information in any media/file format such as Word documents, spreadsheets, e-mail messages, and contact information. Sensitive, confidential information may only be stored by authorized personnel in approved instances using sanctioned methods where such information is necessary to specific business needs. Only the OSUF Chief Financial Officer, in consultation with the OSUF Management Team, may authorize storage of sensitive information. At no time should confidential information be transmitted via e-mail, ftp or various other non-secure methods.


XII. Violation of Policy

Violation of this Policy may constitute just cause for disciplinary action up to and including discharge. If a user is found to be in violation of this policy, their actions will be reported to their supervisor and the OSUF Chief Financial Officer.

© OSU Foundation | 850 SW 35th St. | Corvallis, Oregon 97333 | 541-737-4218 | 541-737-0498 fax