Data Acceptable Use Policy
The Information Security department’s intention for publishing an acceptable use policy is to impose restrictions that are not contrary in nature to Sacred Heart University’s established culture of trust, integrity, and openness.
Information Security is committed to protecting University employees, students, partners, and the corporate entity from illegal or damaging actions by individuals, either knowingly or unknowingly.
Effective IT Security practices are a team effort that involves the participation and support of every University employee and affiliate who deals with information and/or information systems. It is the responsibility of each computer user to know these guidelines and to conduct their activities accordingly.
Purpose
The purpose of this policy is to outline the acceptable use of files and data at Sacred Heart University. This policy is in use to protect employees, students, and Sacred Heart University, Inc. Inappropriate use exposes the University to risk including loss of data, exposure of data and files to unwarranted parties, and potential loss of personally identifiable information (PII). Implementation of this policy ensures that everyone at the University has access to University files and data on an as-needed basis.
Scope
This policy applies to the use of information resources to conduct business. Forms of data may include but are not limited to email, financial data, proprietary information, procedures, company graphics, and strategic planning documentation. All University employees, students, contractors, consultants, temporary, and other workers and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information. This acceptable use policy is not necessarily inclusive of all aspects of data and files; rather, it provides guidelines surrounding use of and access to the data.
Policy
University use of files and data – General Use and Ownership
- Sacred Heart University proprietary information stored on electronic and computing devices whether owned or leased by the University, the employee, the student, or a third party, remains the sole property of the University. You must ensure through legal or technical means that proprietary information is protected in accordance with University data protection standards.
- You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of proprietary information.
- You may access, use, or share proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.
- Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
- For security and network maintenance purposes, authorized individuals within the University may monitor equipment, systems and network traffic at any time, per the Information Security department’s audit policy, in order to ensure safety of University data.
- The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
Providing access to another individual, either deliberately or through failure to secure its access, is prohibited unless explicit permission is provided. This must be documented.
- All computing devices, personal or company-owned, must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less or locked manually when not in use. You must lock the screen or log off when the device is unattended.
- Postings by employees from an email address to newsgroups are prohibited unless approved by University executive management. In case of any exception the communication should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of the University, unless posting is during business duties.
- Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware.
Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a computer or device if that computer or device is disrupting production services).
Under no circumstances is an employee, student, or affiliate of the University authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing University-owned resources. Said resources may be informational (data), virtual or physical (computers or devices) in nature.
The list below is by no means exhaustive but attempts to provide a framework for activities which fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the University.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the University or the end user does not have an active license is strictly prohibited.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, phishing email, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
- Making fraudulent offers of products, items, or services originating from any account.
- Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
- Providing information about, or lists of, employees to parties outside the University.
Redirecting of email
For University students, it is permissible to have email electronically redirected to another email address. However, those persons who use email redirection from their official address to another email address (e.g., @aol.com, @hotmail.com) do so at their own risk. The University will not be responsible for the handling of email by outside vendors. Having email redirected does not absolve anyone of the responsibilities associated with communication sent to his or her official email address.
For University employees, it is prohibited to have email electronically redirected to another email address. Employee email is considered a legal document and is property of the University.
Expectations regarding student use of email
Students are expected to check their official email address on a frequent and consistent basis in order to stay current with University communications. We recommend checking email at least as often as your most frequent class meets in a week, in recognition that certain communications may be time critical. For example, if you are taking four classes a week and your most frequent class meets three times a week, then our recommendation is that you should check your mail a minimum of three times a week, but if you are a part-time student meeting once a week, checking email at least once prior to class should be sufficient, depending on the logistics communicated by the course instructor.
Educational uses of email
Faculty may determine how email will be used in their classes. It is highly recommended that if faculty have email requirements and expectations, they specify these requirements in their course syllabus. Faculty may expect that students' official email addresses are being accessed, and faculty may use email for their courses accordingly.
Appropriate use of email
In general, email is not appropriate for transmitting sensitive or confidential information unless an appropriate level of security matches its use for such purposes.
- Confidentiality regarding student records is protected under the Family Educational Rights and Privacy Act of 1974 (FERPA). All use of email, including use for sensitive or confidential information, will be consistent with FERPA.
- Email shall not be the sole method for notification of any legal action.
Procedures
The IT Security Office will review this policy as needed. The Vice President for Information Technology, as appropriate, will authorize changes. Students, staff, and faculty with questions or comments about this policy should contact the Office of Information Security.
Acceptable and Appropriate Use of Sensitive Information
Access to and authorization regarding the handling of sensitive information is permitted provided that specific procedures are adhered to, which are in place to protect this data and people. Sensitive data consists of, but is not limited to, any of the following forms of PII (Personally Identifiable Information). This data is information that may be used to identify an individual or compromise their privacy, and if it is mishandled it may be used by fraudsters for malicious reasons. Information classified as PII may be:
- Birthdate
- Social security number
- Street address
- Phone number
- Credit/debit card number
- Passport number
- Visa number
- Ethnicity
- Gender
- Driver’s license number
- National ID number
- School transcripts
- IP address information used in conjunction with other PII used to identify an individual
- Health records
The following procedures are accepted and approved methods for handling Sacred Heart University sensitive information:
- SecureDesk: SecureDesk is the University solution that provides users access in a secure environment to desktops and applications that either contain sensitive information or should only be accessed through University resources. See procedure to start a SecureDesk session.
- OneDrive for Business: Microsoft OneDrive is a cloud storage solution for the Sacred Heart Community. It is a secure, monitored method of securely transferring files to intended parties. See information regarding OneDrive and procedures for using this file transfer solution.
- SHU MFT (Managed File Transfer): SHU MFT is a web-based file transfer system used by employees, vendors, prospective and current students, and student family members, etc. to send documentation and images to the University securely. Multiple files can be uploaded at once. Information regarding the procedure for using SHU MFT can be found online.
- Encrypted Email: The email encryption option is used for internal confidential communication within the University. It can also be used with any client, customer, or vendor using Office365. It must be understood that great care is taken in setting the encryption for the email and verifying that only the intended recipient(s) will receive the information. See information regarding procedure for sending encrypted email.
Responsible Organization
The Office of the Vice President for Information Technology will be responsible for this policy.