Information Technology Security, Privacy and Confidentiality Policy
Gwynedd Mercy University Information Technology Security, Privacy and Confidentiality Policy
Gwynedd Mercy University is committed to providing a secure and accessible information technology environment for teaching and learning. Security and privacy policies help Gwynedd Mercy University protect students, faculty and staff, ensure business continuity, protect the value of data usability, protect the University from lawsuits and generally avoid damage to the institution and the Gwynedd Mercy University brand. Many Gwynedd Mercy University vendors require security policies to do business. When applicable, it is necessary to comply with government regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB), the Family Educational Rights and Privacy Act (FERPA) and other policies required by law.
Security includes protection against unauthorized access to, use of and/or modification of information, denial of service and unauthorized access of computers, electronic devices, computer systems, networks and any and all technology.
Gwynedd Mercy University computers, systems and networks may be used only by individuals authorized by the University. Account creation and access to systems must be approved by an authorized University official. Inquiries regarding access, accounts, best practices, behavior and permitted uses must be referred to the Chief Information Security Officer.
Any and all attempts by an individual to gain access to accounts or systems that do not belong to that individual on any Gwynedd Mercy University system are prohibited unless approved by the Director of Institutional Technology Services.
Multi-use and/or shared accounts, generic accounts, test accounts or any accounts that are not directly identified with an authorized Gwynedd Mercy University individual are not permitted on any computer, device or system without prior written authorization from the Director of Institutional Technology Services.
Access to all data centers, processing facilities and administrative system technology spaces is restricted to authorized Institutional Technology Services users. See Gwynedd Mercy University Data Center operations policy.
All College computers, systems, networks and technology space will comply with all laws without limitation including security, privacy and appropriate usage.
The University shall not be liable for, and users assume the risk of, loss, destruction and/or interference of data, files or information resulting from the University’s efforts and initiatives to maintain privacy, integrity and security of the University’s computers, computer systems, networks and all associated technologies.
The Director of Institutional Technology Services is responsible for establishing and overseeing the implementation and enforcement of this policy.
Any University representative or agent who accesses or uses a device or system under the authority defined in this policy must make a good faith effort to protect the integrity and privacy of data within or associated with the system.
The Chief Information Security Officer is responsible for developing, implementing and enforcing this policy under the direction of the Director of Institutional Technology Services and for coordinating issues and questions with the appropriate University department including but not limited to Campus Safety, University Counsel, Finance and Administration, Student Services, Executive Council, and all external law enforcement and government agencies.
Gwynedd Mercy University computer, computer system and network users are responsible for:
- Understanding and complying with all security and computer usage policies governing College computers, computer systems, networks and technology.
- Putting forth a good faith effort to protect the integrity and privacy of data within the College's computers, computer systems and networks.
- Maintaining and monitoring the proper use of their account and the activity conducted in the use of the account, including creating and protecting safe passwords and ensuring local system security protection is enabled.
- Ensuring the local security of any system on the University network connected to by the user.
- Reporting any suspected, detected or observed security lapses, issues or incidents on any College computer system or network to the University Chief Information Security Officer.
- Respecting and maintaining the physical hardware and network configuration of College networks. No system user shall modify, limit or extend the University network or network configurations on which the user’s system resides without the written authorization of Institutional Technology Services.
- No user will alter, install, modify or delete stored or executed on any computer or system without the express permission of the owner, department or office.
- Refraining from the use of College computer and technology resources for any and all unlawful purposes, including without limitation infringement of intellectual property including any and all copyrighted materials.
System administrators have the same responsibilities as general users above and additional responsibilities because of their position and system privileges. System administrators including all Institutional Technology Services staff are responsible for:
- Preparing and maintaining security procedures compliant with this policy and other applicable information security policy and procedures
- Plan and implement reasonable precautions to guard against corruption or compromise of College computers, computer systems or networks.
- Plan appropriate measures to prevent unauthorized use of system users' files or data.
- Assure all hardware and software licenses are current and in force.
- Assure all computers, computer systems and networks have appropriate backup procedures and adequate disaster recovery and business continuity plans tested and in place.
- Limit access to privileged supervisory accounts to the administrator, except as approved by the Director of Institutional Technology.
- Establish a change control process before planning any work or installing software, including patches, on any information system that is in production and serves users. All major changes or upgrades must be documented in writing.
Specifically, Gwynedd Mercy University students, temporary workers, vendors and visitors are not permitted access to systems that contain student records, financial information, business intelligence, strategic data or other confidential College information. Generic or group accounts are strictly prohibited and can never be created for these groups. All Gwynedd Mercy University accounts must be associated with an individual.
- No individual, office or department may make an exception to this rule by creating a temporary or generic account, allowing others to log in with their account or otherwise allowing access to unauthorized individuals.
- It is the responsibility of the Gwynedd Mercy University community to notify the Chief Information Security Officer of violations to protect Gwynedd Mercy University.
- The office of Institutional Technology Resources is responsible for configuring and managing the network as well as all wired and wireless connectivity to the University network.
- All remote access to any College system is subject to monitoring by Institutional Technology Services.
- All access to restricted systems requires authentication (name and password).
- College printers, print servers, copiers, faxes, storage and other systems shall not be accessible from the Internet without the written approval of the Chief Information Security Officer.
- All IP-capable devices installed on the University network must have an IP address issued by Institutional Technology Services.
- Institutional Technology Services may filter network traffic to exclude malicious traffic on both an incoming and outgoing basis. Malicious traffic can include viruses and unsolicited e-mail.
- All wireless communication on the University network and authenticated access to the University network systems and servers must follow the Institutional Technology Services standard encryption protocol.
- Security patches will be applied within 30 days of vendor release unless otherwise approved by the Chief Information Security Officer.
- All IP addresses assigned to computer equipment by Institutional Technology Services will be protected by the University’s approved antivirus protector which is regularly maintained and updated.
Privacy, Security and Confidentiality
- The privacy and security of files, electronic communication and other information belonging to individual College users shall be protected to the extent reasonably possible. However, computers, computer systems and networks, specifically Gwynedd Mercy University networks, should never be considered fully private, particularly because of the open nature of the Internet and related technology and the ease with which files and data can be accessed, copied and distributed. Users should take all appropriate precautions to protect sensitive and confidential information stored on their systems.
- To support privacy and secure data, authority to log, intercept, inspect, copy, remove or otherwise alter any data, file or system resource on Gwynedd Mercy University’s network rests with the Director of Institutional Technology Services. The Director, at his sole discretion, may take action when he determines there is a potential or actual threat to the security or integrity of College computers, computer systems or networks, or non-standard or unauthorized use. All requests for such actions must be made to the office of the Director of Institutional Technology.
- Without limiting its right in any way, the University specifically reserves the right, in its sole discretion, to limit, restrict, suspend or terminate any user’s account or use of the University network or use of any computer or computer system at any time for any reason.
- All computers removed from service shall be purged of all information stored in the system.
- All media returning from backup storage to be passed to a different end-user or taken out of usage altogether shall be purged of all information contained therein.
- The purchase of anti-virus software for purposes of installation on any College computer must be pre-approved by the Director of Institutional Technology.
- The purchase and use of Information Security tools, including firewalls, intrusion detection systems and hacking tools, must be pre-approved in writing by the Chief Information Security Officer.
CONFIDENTIALITY STATEMENT: The information contained in any Gwynedd Mercy University e-mail, system, report, account, repository, hard copy, wireless device, PDA, including attachments and verbal explanation, is the confidential information of, and/or is the property of, Gwynedd Mercy University. The information is intended for use solely by the authorized individual or entity and may not be shared, discussed or translated with any other entity or individual. All Gwynedd Mercy University system users must adhere to the Gwynedd Mercy University computer usage and e-mail policy. If you are not an intended user of any Gwynedd Mercy University system, then any review, printing, copying, discussion or distribution of any such information is prohibited.