IST Policies & Procedures | Judson University Christian College
IST Policy Header

Information Systems and Technology
Policies & Procedures

Judson University provides information systems and technology resources to a large and varied group, including faculty, staff, students, and guests. All members of this community are accountable for using these resources in an ethical and respectful manner that protects sensitive university information and follows the Information Systems and Technology policies and procedures.

University Policies

Acceptable Use Policy

1.0 PURPOSE

JudsonUniversity’s technology infrastructure exists to support the organization and administrative activities needed to fulfill the organization’s mission. Access to these resources is a privilege that should be exercised responsibly, ethically and lawfully.
The purpose of this Acceptable Use Policy is to clearly establish the University’s position relating to the acceptable use of its technology and the role each member of the organization has in protecting its information assets, and communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable Judson University to implement a comprehensive system-wide Information Security Program.

2.0 SCOPE

This policy applies to all users of computing resources owned, managed or otherwise provided by the organization. Individuals covered by this policy include, but are not limited to all employees, students, and service providers with access to the organization’s computing resources and/or facilities. Computing resources include all Judson University owned, licensed, or managed hardware and software, email domains and related services and any use of the organization’s network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

3.0 PRIVACY AND PROPERTY

Judson University will make every reasonable effort to respect a user's privacy. However, employees or students do not acquire a right of privacy for communications transmitted or stored on the organization’s resources. In addition, in response to a judicial order or any other action required by law or permitted by official Judson University policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the organization, the University reserves the right to access, review, intercept, monitor and/or disclose data created, transmitted, accessed, and/or stored on the University’s network and/or computer equipment. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the organization’s rules, regulations or policy, or when access is considered necessary to conduct University business due to the unexpected absence of an employee or to respond to health or safety emergencies.
The campus network is maintained and provided to assist in the conduct of the University's business. The network is University property, and all data composed, created, transmitted and/or stored on the network, is and will remain University property, not the private property of any individual. Data residing on personally-owned workstations that are connected to the campus network is not considered to be University property, but any data created, transmitted, accessed, and/or stored on the campus network by users of these individually-owned computers is subject to the same policies, procedures, guidelines and constraints as data created, transmitted, accessed, and/or stored through the use of University-owned computers.

4.0 POLICY

Activities related to Judson University mission take precedence over computing pursuits of a more personal or recreational nature. Any use that disrupts the organization’s mission is prohibited.
Following the same standards of common sense, courtesy and civility that govern the use of other shared facilities, acceptable use of information technology resources generally respects all individuals' privacy, but subject to the right of individuals to be free from intimidation, harassment, and unwarranted annoyance. All users of Judson University’s computing resources must adhere to the requirements enumerated below.

4.1 FRAUDULENT AND ILLEGAL USE

Judson University explicitly prohibits the use of any information system for fraudulent and/or illegal purposes. While using any of the organization’s information systems, a user must not engage in any activity that is illegal under local, state, federal, and/or international law. As a part of this policy, users must not:

  • Violate the rights of any individual or company involving information protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by Judson University.
  • Use in any way copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the organization does not have a legal license.
  • Export software, technical information, encryption software, or technology in violation of international or regional export control laws.
  • Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services.

Any user that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify the Vice President for University Information Systems and Technology and/or Director of Human Resources immediately.
If any user creates any liability on behalf of Judson University due to inappropriate use of the organization’s resources, the user agrees to indemnify and hold the organization harmless, should it be necessary for Judson University to defend itself against the activities or actions of the user.

4.2 CONFIDENTIAL INFORMATION

Judson University has both an ethical and legal responsibility for protecting confidential information in accordance with its Data Classification Policy. To that end, there are some general positions that the organization has taken:

  • Transmission of confidential information by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.) is prohibited.
  • The writing or storage of confidential information on mobile devices (phones, tablets, USB drives) and removable media is prohibited. Mobile devices that access confidential information will be physically secured when not in use and located to minimize the risk of unauthorized access.
  • All workforce members and service providers will use approved workstations or devices to access organization’s data, systems, or networks. Non-organization owned workstations that store, process, transmit, or access confidential information are prohibited. Accessing, storage, or processing confidential information on home computers is prohibited.
  • All company portable workstations will be securely maintained when in the possession of workforce members. Such workstations will be handled as carry-on (hand) baggage on public transport. They will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.
  • Photographic, video, audio, or other recording equipment will not be utilized in secure areas.
  • Use of College equipment or systems to record sound, pictures, or video of exchanges or information relating to Judson University business or employment practices—regardless of the location of use or whether the use occurs on or off work time—is forbidden without appropriate authorization. This includes, but is not limited to, surveillance of University property or recording of meetings or interactions taking place at the University or concerning the University’s business. It is inappropriate to record any conversations or exchanges of communications without providing advance notice and obtaining the consent of all participating persons.
  • All confidential information stored on workstations and mobile devices must be encrypted.

4.3 HARRASSMENT

Judson University is committed to providing a safe and productive environment, free from harassment, for all employees. For this reason, users must not:

  • Use organization information systems to harass any other person via e-mail, telephone, or any other means, or
  • Actively procure or transmit material that is in violation of sexual harassment or hostile workplace laws.

If an individual feels he/she is being harassed through the use of the organization’s information systems, the user is encouraged to report the harassment as provided in the University’s Discrimination, Harassment, and Sexual Misconduct Policy.

4.4 MALICIOUS ACTIVITY

Judson University strictly prohibits the use of information systems for malicious activity against other users, the organization’s information systems themselves, or the information assets of other parties.

4.4.1 DENIAL OF SERVICE

Users must not:

  • Perpetrate, cause, or in any way enable disruption of Judson University’s information systems or network communications by denial-of-service methods;
  • Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system; or
  • Intentionally develop or use programs to infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system or network.

4.4.2 CONFIDENTIALITY

Users must not:

  • Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access;
  • Facilitate use or access by non-authorized users, including sharing their password or other login credentials with anyone, including other users, family members, or friends;
  • Use the same password for Judson University accounts as for other non-Judson University accesss (for example, personal ISP account, social media, benefits, email, etc.);
  • Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another user’s password; or
  • Make copies of another user’s files without that user’s knowledge and consent.
  • All encryption keys employed by users must be provided to Information Technology if requested, in order to perform functions required by this policy.

4.4.3 IMPERSONATION

Users must not:

  • Circumvent the user authentication or security of any information system;
  • Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
  • Create and/or use a proxy server of any kind, other than those provided by Judson University, or otherwise redirect network traffic outside of normal routing with authorization; or
  • Use any type of technology designed to mask, hide, or modify their identity or activities electronically.

4.4.4 NETWORK DISCOVERY

Users must not:

  • Use a port scanning tool targeting either Judson University’s network or any other external network, unless this activity is a part of the user’s normal job functions, such as a member of the Office of Information Technology, conducting a vulnerability scan, and faculty utilizing tools in a controller environment.
  • Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the user’s, unless this activity is a part of the user’s normal job functions

4.5 OBJECTIONABLE CONTENT

Judson University strictly prohibits the use of organizational information systems for accessing or distributing content that other users may find objectionable. Users must not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials considered to be:

  • Political
  • Racist
  • Sexually-explicit, and /or
  • Violent or promoting violence

4.6 HARDWARE AND SOFTWAREb>

Judson University strictly prohibits the use of any hardware or software that is not purchased, installed, configured, tracked, and managed by the organization. Users must not:

  • Install, attach, or connect, or remove or disconnect, hardware of any kind, including wireless access points, storage devices, and peripherals, to any organizational information system without the knowledge and permission of Information Technology;
  • Download or install, or disable, remove, or uninstall, software of any kind, including patches of existing software, to any organizational information system without the knowledge and permission of the organization;
  • Use personal flash drives, or other USB based storage media, without prior approval from their manager; or
  • Take Judson University equipment off-site without prior authorization.

4.7 MESSAGING

The organization provides a robust communication platform for users to fulfill its mission. Users must not:

  • Automatically forward e-mail or messages of any kind, by using e-mail client mail handling rules or any other mechanism;
  • Send unsolicited e-mail messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);
  • Solicit e-mail for any other e-mail address, other than that of the poster's account, with the intent to harass or to collect replies; or
  • Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.
  • Use of Judson’s equipment or systems to engage in unprofessional communication that could negatively impact the University’s reputation or interfere with the University’s core mission, or unprofessional/inappropriate communication regarding members of the Judson University community—regardless of the location of use or whether the use occurs on or off work time—is forbidden.

4.8 OTHER

In addition to the other parts of this policy, users must not:

  • Stream video, music, or other multimedia content unless this content is required to perform the user’s normal academic business or co-curricular functions;
  • Use the organization’s information systems for commercial use or personal gain; or
  • Use the organization’s information systems to play games or provide similar entertainment in their role as employees. Reasonable use by students of the University network to play games or provide similar entertainment is allowed.

5.0 ROLES AND RESPONSIBILITIES

Judson University reserves the right to protect, repair, and maintain the organization’s computing equipment and network integrity. In accomplishing this goal, Judson University IT personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and Internet activities. Any information obtained by IT personnel about a user through routine maintenance of the organization’s computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of Judson University’s computing resources.

6.0 ENFORCEMENT

Enforcement is the responsibility of the organization’s President or designee. Users who violate this policy may be denied access to the organizational resources and may be subject to penalties and disciplinary action both within and outside of Judson University. The organization may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the organization or other computing resources or to protect Judson University from liability.
Users are subject to disciplinary rules described in the Student and Employee Handbook, and any other applicable policies and procedures.

7.0 EXCEPTIONS

Exceptions to the policy may be granted by the Vice President for University Information Systems, or his or her designee. All exceptions must be reviewed annually.

8.0 REFERENCES

  • The Gramm - Leach Bliley Act (GLBA)
  • Family Educational Rights and Privacy Act (FERPA)
  • NIST 800-53
  • FIPS-199
  • PCI DSS 3.1
  • Code of Ethics of the American Library Association

Password Policy

1.0 PURPOSE

The purpose of the User Password Policy is to create a uniform standard for the creation of User IDs and passwords associated with applications, network systems, and other computer system accounts used at Judson University.
A poorly chosen password may result in the compromise of Judson's entire network. As such, all Judson employees (including contractors and vendors with access to Judson systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The Policy works to balance restrictions to prevent unauthorized access against the requirement to provide efficient access in accordance with the needs of the faculty, staff and students.

2.0 SCOPE

The policy is applicable to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that belongs to Judson, resides at any Judson location, has access to the Judson network, or stores any Judson information.

3.0 PASSWORD CHARACTERISTICS

Passwords within the Active directory system must meet the following requirements:

  • Passwords are set to expire upon employee termination or 180 days after a student’s last class.
  • Any password that is discovered to be compromised either intentionally or accidentally is to be immediately disabled. The appropriate supervisor must authorize reactivation after a new password is assigned.
  • Passwords must be nine or more characters in length and should be sufficiently complex to receive a “Passed!” score when tested by the Judson password tester located at https://password.judsonu.edu/tester.
  • Passwords must be changed at least once every calendar year.

Accounts are temporarily locked out for 15 minutes after 5 wrong attempts within 15 minutes.

4.0 SYSTEM REQUIREMENTS

Any system requesting a password must obscure the password during entry and must not transmit the password in clear text across the network.

5.0 ENFORCEMENT

Enforcement is the responsibility of the organization’s Vice President for University Information Systems and Technology or designee. Users who violate this policy may be denied access to the organizational resources and may be subject to penalties and disciplinary action both within and outside of Judson University. The organization may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the organization or other computing resources or to protect Judson University from liability.
Users are subject to disciplinary rules described in the Student and Employee Handbook, and any other applicable policies and procedures.

6.0 EXCEPTIONS

Exceptions to the policy may be granted by the Vice President for University Information Systems, or his or her designee. All exceptions must be reviewed annually.

7.0 REFERENCES

  • The Gramm - Leach Bliley Act (GLBA)
  • Family Educational Rights and Privacy Act (FERPA)
  • NIST 800-53

Electronic Mail Policy

1.0 PURPOSE

The purpose of this email policy is to ensure the proper use of Judson University’s email system and make users aware of what the University deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the University’s Network.

2.0 SCOPE

This policy covers appropriate use of any email sent from a Judson University email address and applies to all employees, students, and agents operating on behalf of Judson University.

3.0 POLICY

  1. University Use of email
  2. Email is an official means for communication within Judson University. Therefore, the University has the right to send communications to faculty, communications to faculty, staff and students via emailand the right to expect that those communications will be received and read in a timely fashion. If you have an Internet Service Provider, you can access the University's email system from on campus and off-campus.

  3. Assignment of emailaddresses
  4. Information Systems and Technology (IST) will assign all faculty, staff and students an official University email address. It is to this official address that the University will send email communications . This official address will be the email address listed in directories and business cards.

  5. Redirecting email
  6. The University recommends that faculty, staff and students use the University’s email system. If faculty, staff or students wish to have an email redirected from their official address to another email address (e.g., @aol.com, @hotmail.com) they may do so, but at their own risk. The University will not be responsible for the handling of email by outside vendors. Having an email redirected does not absolve a faculty member, staff member or student from the responsibilities associated with communication sent to his or her official email address.

  7. Email communications expectations
  8. Faculty, staff and students are expected to check their official email address on a frequent and consistent basis in order to stay current with University communications. The University recommends checking emailat least once a day ; in recognition that certain communications may be time-critical.

  9. Educational uses of email
  10. Faculty may determine how email will be used in their classes. It is highly recommended that if faculty have email requirements and expectations they specify these requirements in their course syllabus. Faculty may expect that students' official emai laddresses are being accessed and faculty may use email for their courses accordingly.

  11. Appropriate use of email
  12. In general, email is not appropriate for transmitting sensitive or confidential information unless an appropriate level of security matches its use for such purposes. The email sytem is not designed to be a record retention system. In addition, it is suggested that important documents be sent with a return receipt.

4.0 CONFIDENTIAL INFORMATION

All use of email, including use for sensitive or confidential information, will be consistent with the Acceptable Use Policy.
All use of email will be consistent with local, state, and federal law, including the Family Educational Rights and Privacy Act of 1974 (FERPA). All use of email, including use for sensitive or confidential information, will be consistent with FERPA. To ensure compliance with FERPA regulations, all correspondence which concerns confidential or sensitive information should utilize official Judson University email addresses.

5.0 MESSAGING

The organization provides a robust communication platform for users to fulfill its mission. Users must not:

  • Automatically forward e-mail or messages of any kind, by using e-mail client mail handling rules or any other mechanism;
  • Send unsolicited e-mail messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);
  • Solicit e-mail for any other e-mail address, other than that of the poster's account, with the intent to harass or to collect replies; or
  • Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.
  • Use of Judson’s equipment or systems to engage in unprofessional communication that could negatively impact the University’s reputation or interfere with the University’s core mission, or unprofessional/inappropriate communication regarding members of the Judson University community—regardless of the location of use or whether the use occurs on or off work time—is forbidden.

6.0 ENFORCEMENT

Enforcement is the responsibility of the organization’s Vice President for University Information Systems and Technology or designee. Users who violate this policy may be denied access to the organizational resources and may be subject to penalties and disciplinary action both within and outside of Judson University. The organization may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the organization or other computing resources or to protect Judson University from liability.
Users are subject to disciplinary rules described in the Student and Employee Handbook, and any other applicable policies and procedures.

7.0 EXCEPTIONS

Exceptions to the policy may be granted by the Vice President for University Information Systems, or his or her designee. All exceptions must be reviewed annually.

8.0 REFERENCES

  • The Gramm - Leach Bliley Act (GLBA)
  • Family Educational Rights and Privacy Act (FERPA)
  • NIST 800-53

Judson University, Shaping Lives that Shape the World