Policies and Guidelines

We value responsible use of information technology resources. We have assembled this list of policies and guidelines to provide information technology users a secure and reliable experience. Please review Common Good Core Resources to understand which services are supported for the Common Good. The following policies are related to information technology and are available at the Oakland University Administrative Policies and Procedures site and the Office of Legal Affairs site.

Appropriate use and general information technology policy

#890 Use of University Information Technology Resources

#830 Information Technology

Ellucian Banner

#218 Data Entry Standards for Banner Users Policy

Request the Banner Shared Data Committee Charge document by emailing [email protected]

Request the Supplemental Data Engine Governance Process document by emailing [email protected]

Data

#430 Freedom of Information Act

#470 Release of Student Educational Records

#840 Preferred Name Policy

#860 Data Management and Information Security

(Note: Michigan Enrolled Senate Bill No. 452 Michigan Identity Theft Protection Act)

Request the Policy #860 Approved Data Stewards document by emailing [email protected]

#481 Records Retention and Disposal

Family Educational Rights and Privacy Act (FERPA)

Request the Student Employee and Student Intern Confidentiality Agreement document by emailing [email protected]

Email

#420 Employee Broadcast E-Mail Procedure

#1160 Student E-Mail System Use

Network

#850 Network Policy

Please note that Oakland University domain URLs contain oakland.edu. Other formats, such as .com, are not supported. Naming format standard is www.oakland.edu/academic-department/department-name. Domain name requests must be approved by Communications and Marketing and University Technology Services as noted in this policy.

Payment / Credit Card

#212 Bankcard Information Security Requirements

Please review the PCI Compliance FAQ if you have questions about what PCI Compliance is or how your payment card transactions must be handled to meet compliance standards.

Software

#870 Software Regulations

#410 Contracting and Employment Appointment Authority

In Policy #410, note Section 2. Purchase Contracts (4) when purchasing software.

Software Information and Processes

Centralized versus Decentralized Services and Functions:

This section details a list of examples of centralized functions (which would required UTS involvement) and a list of decentralized functions (which would usually not required UTS involvement).

Centralized Functions

Administration and management of IT organization, skill assessment, development of technical expertise, professional development.
Servers and systems administration
IT strategic planning, technology research and development, assessment of emerging technologies
Enterprise Systems / administrative systems, applications and systems dealing with Confidential Data or Operational Critical Data, including Banner / Enterprise Resource planning systems support.
Enterprise systems engineering, architecture, and administration
Campus private cloud services and public cloud resources
Desktops and Applications Virtualization
Information Technology architecture and engineering
University Backup / Data Disaster Recovery services
Collaboration tools and systems
Identity and access management
IT policy management
IT security architecture design\review, management, noting that every system must have satisfactory security controls.
Network infrastructure and services management
Operations / data center management
High Performance Computing and research support
Telephone and voice service management
Web support services

Decentralized Functions

End-user device and application support
IT Service Desk; face-to-face, telephone, e-mail and chat support
Local desktop disaster recovery planning
Local desktop asset management
Analysis and support for local technology planning
Academic and administrative general IT support
On-site computing labs management
Departmental web page content management
Business and administrative process analysis and support
Reporting, data administration and data analysis
Training and support

Privacy and Security Notice

The following standardized message is displayed when logging into provided services:

Usage of all Oakland University systems, services, and networks is governed by official Oakland University Policies and University Technology Services Guidelines. By accessing and using these resources, individuals agree to use all information technology resources responsibly and in compliance with Oakland University Policies and Guidelines.

Governance

The CIO is responsible for coordinating IT governance and IT policy.

A description of information technology governance is available in the document Information Technology Governance. You can request the document by emailing [email protected]. The groups identified in the document identify and approve technology projects for their representative areas. Project plans follow Prioritization guidelines.

Policies are reviewed and updated annually as needed; Oakland University recommends that policies be updated at least every five years. The CIO leads UTS staff members in the drafting of new IT policies or updates to existing IT policies. The governance process requires that the appropriate advisory committees then review and update the drafted policy. The policy approval process then flows:

University Senate Academic Computing Committee
Administrative Council with review by General Counsel
Academic Council
Deans Council
President's Council, final approval
Posting on the university policy site

The CIO provides ongoing status updates about policies to the Chief Operating Officer, who is informed at every step of the process. The process oversight is managed by the Chief Financial Officer.

Access, Accounts, and Password Management

Access and Accounts are provided to individuals through processes based on the individual's relationship to the university. Account access policies are defined in Policy #890 Use of University Information Technology Resources, Procedures, Section III Access to Resources. University Technology may require proof of identity to process Accounts. Information about UTS provisioning systems, account termination, and application access can be found in on the Access, Accounts, and Password Guidelines page.

Employee Accounts are processed by either University Human Resources or Academic Human Resources. All new employees are introduced to and agree to abide by University technology policies during the hiring process with the appropriate hiring office.

Student Accounts are processed by one of the admissions offices through the admissions process.

Access to specific data is generally limited by need to know, job responsibilities, supervisor approval, data steward approval, and university Policy #860 Data Management and Information Security. Access to certain enterprise systems is administered by University Technology Services.

The authorizing body that created an account must authorize emergency or non-standard account termination, with review by General Counsel if required by Policy #890 Use of University Information Technology Resources:

Employee account initiation termination is processed through University Human Resources.

Faculty account termination is processed through Academic Human Resources.

Student account termination is processed through the Dean of Students.

Guest accounts expire annually, unless covered by a specific contract providing for a specific time-period.

Sponsored access typically expires within 48 hours or at the end of an event.

Oakland University is a member and participant in the InCommon Federation. The InCommon Federation is the U.S. education and research identity federation. InCommon Participant Operational Practices are shared with other participants in the InCommon Federation.

Third Party Access to an account is allowed only under specific circumstances and within policy guidelines. The process for requesting and handling third party access are Third Party Access Procedures.

Execution of scripts or otherwise attempting to circumvent standard data entry procedures is not permitted for any account or system access.

Change and Architecture Management

Change Management is a process for handling changes so that changes are efficient, organized, and minimally disruptive to the existing technology environment. Changes typically represent new components in the architecture.

Architecture Management is a process for handling routine maintenance and updates to the existing architecture so that the handling is efficient, organized, and minimally disruptive to the technology environment. Architecture Management items typically do not require new or additional testing; prior testing has yielded a commonly used, standardized and repeatable practice. A fail-back and recovery plan is already in place. Items do not require a communications plan, have minimal impact, and have minimal or no risk as identified through a prior risk assessment. Architecture Management items are usually handled during the posted maintenance window time periods (on the University Technology Services home page).

Change Management is required when a task, process or project meets any of the following listed criteria; a Change Management request must be completed. Changes are thoroughly tested prior to submission to the Change Management Committee. Change Management requests must address:

Full change plan
Scheduling plan
Testing scope
Failure back-off or stand down decisions
Expected performance
Security
Availability
Reliability
Impact
Risk assessment
Functionality
Staffing and vendor support
Competing projects or initiatives
Communications plan

Projects of large or significant scope will require the presentation of a Change Management Communications Plan in writing to the Change Management Committee. The Change Management Communications Plan must be submitted and reviewed with the Change Management request.

Requests submitted for Change Management review are submitted via a ticket to [email protected]. The tickets generated by submitted requests must be reviewed and approved by the Change Management Committee, which meets every Monday morning. The individual submitting and performing the tasks in a Change Management ticket is welcome to attend the Change Management Committee meeting, and is encouraged to do so to facilitate change planning. Changes must be submitted by 3 PM Friday for inclusion on the Change Management review report for the following Monday.

Emergency Change Management items are urgent changes need to respond to and mitigate security incidents or to maintain reliable university operational environments. Emergency Change Management is an unusual occurrence. Emergency Change Management requests follow the same process as regular Change Management events, originating with an email to [email protected], but the review and approval process is via email or emergency in-person discussion. The ticket is not closed until after final review at the subsequent Monday Change Management meeting.

The criteria for required Change Management are:

Planned production outage of a significant operation or service, or change work scheduled outside the Architecture Management maintenance window.
Changes or repairs to any system that requires business interruption of any type during regular business hours (8 AM to 8 PM, Monday through Friday), or academic interruption of any type on any day or time within a term.
Changes to a client interface or a client service, including service names, URLs, SSIDs, and other names that client's use regularly.
Changes to security architecture or changes that affect the compliance environment (i.e., PCI, HIPAA, FERPA).
Change to any network device determined to be in-scope for regulatory compliance (i.e., PCI, HIPAA, etc.).
Significant business or operational practice change that would affect how we provide instructions, directions, or help.
Any change that requires a notice on the UTS home page or a campus notification.
Installation or decommission of a server in a secured datacenter facility.
Any new server configuration, rack, or other changed architecture prior to purchase.
Any wiring work that will be performed above the ceiling or under the tile floor in any facility that has a fire suppression system.
Changes on any system that affect backup, restore, disaster recovery or business continuity.
Changes that require third-party or vendor access to a secured datacenter facility or remote access to a system.
Significant changes or repairs to financial systems, including production install of Banner Finance, Banner Financial Aid, and Banner Document Management releases.
Introduction or discontinuance of an information technology resource, virtualized server or resource, or service.
Periodic review of firewall and router rules per Policy #850.

Change Management items will be considered complete when all of the following items have been addressed:

Security has been reviewed, risk assessment completed, and all identified issues and vulnerabilities have been addressed.
Permanent location is assigned and recorded.
Installation is complete.
Backup and restore have been tested and verified.
Start-up and shutdown procedures are documented for Operations.
Business continuity and disaster recovery procedures are documented for Operations.
Architecture diagram has been updated.
Inventory database has been updated.
Communication plan has been implemented.
Production date is processed.
Service level agreement is complete.
Identity management and access controls are complete.

Postponement, back-off or stand down decisions require good judgment based on:

Elevated security concerns expressed by the Information Security Officer.
What percentage of services are functional and available?
Are affected services primary, secondary, or peripheral?
What is the scope of the disruption, such as one person, one department, one division or the entire campus?
What level of problem-solving is present, available to engage, and has relevant knowledge for problem resolution?
What calendar period is this in relation to the problem (i.e., a registration problem during peak registration periods)?
How long will it take to back-off or stand down the change?
What is the shortest path to full problem resolution and completion of the original project?
What is the impact and project dependency for other project deadlines?
How effectively can the problem be communicated to those affected?

The Security Advisory Group reviews the firewall implementation for the Firewall Rule Change process. This group is charged with defining the default firewall implementation. Requests to change the firewall are submitted on the Firewall Change Request Form. You can request this form by emailing [email protected]. The request will be reviewed for compliance with university policies by the Security Advisory Group.

When to Contact UTS

Please contact us as soon as you are aware that you have a potential information technology project that may involve existing or new centralized services or if you are planning an event that requires network access. Also, please contact us if there is an urgent technology issue or security issue. Any issue related to Banner, servers, or telephones should be reported to UTS.

Please report lost or stolen devices promptly by submitting the Checklist for Lost, Stolen or Missing Computer, Smartphone or Other Media Storage Devices.

Please contact us to report any accessibility issues or other regulatory issues.

Also, UTS staff members are ready to assist you with your software, web site service, or other information technology procurement initiative. Contact UTS by following the Campus Software, As a Service Providers, Hosted Solutions, Web Sites, Apps, Tools and Services guidelines.

If considering development, please contact us after you review the Web Development Guidelines and Accessibility Toolkits section.

The best method to initiate contact is by sending e-mail to [email protected]. Systems monitoring and operations are handled 24 hours a day, 5 days a week, on regularly scheduled weekdays, during standard business hours, 8 AM to 5 PM. Extended support hours may be available. When possible, UTS will attempt to extend the business day through flexible scheduling. The extended day is generally from 7:30 AM to 6:00 PM on regularly scheduled weekdays. Extended service is not guaranteed.

Goodwill service may be available at other times, such as nights, weekends, and holidays. Goodwill service is not guaranteed. Goodwill service refers to UTS staff members casually monitoring systems and notifications during their personal time. We do not have an on-call scheduled rotation due to staffing limits.

Scheduled support service for a specific event can be arranged in advance through planning by contacting UTS at least 6 weeks prior to the planned event. If support requests are expected over major holidays (4th of July, Thanksgiving, Christmas, holiday break), the request should be submitted 6 months in advance.

UTS will respond to critical requests within 4 hours of receiving a report within standard support hours. A best effort response will be provided at other times. UTS will immediately respond to emergency situations as defined in the Oakland University Emergency Response Plan and the Desktop Emergency Guide.

Copyright: Plan for Compliance

It is the policy of Oakland University to comply with copyright law (Policy #890 Use of University Information Technology Resources, note section II, c), and in particular, the Digital Millennium Copyright Act.

Sanctions for policy violations are described in section IV. Please note the following UTS plan for combating illegal file sharing. We run a large research network, and a ban of peer-to-peer traffic could have the effect of disrupting legitimate network traffic. We seek to avoid high-cost solutions that would add charges to the environment (leading to additional student fees or an increase in tuition).

Sharing movies and music is fun and easy, but it can be legal issue and a violation of university policy if done incorrectly and illegally. Lawsuits initiated by the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have resulted in financial issues for students. There are a number of websites that provide music and movie files that can be downloaded legally, or that provide additional information about downloading. Music, movies, photos, images displayable on computer screens, computer software, books, magazines, scientific and other journals are some of the things subject to copyright. A copyright notice is not required.

It is a violation of copyright law to copy, distribute, display, exhibit, or perform copyrighted works without the authority of the copyright owner. Copyright infringement is the act of exercising, without copyright owner permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code), subject to exceptions contained in 17 U.S.C. §§ 107 and 108. Sharing, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement. Protected copyright rights include the right to reproduce or distribute a copyrighted work. In the file-sharing context, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement. Penalties for copyright infringement include civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or "statutory" damages affixed at not less than $750 and not more than $30,000 per work infringed. For "willful" infringement, a court may award up to $150,000 per work infringed. A court can, in its discretion, also assess costs and attorneys' fees. For details, see Title 17, United States Code, Sections 504, 505. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense. For more information, please see the website of the U.S. Copyright Office, especially the FAQ's.

We use technology-based deterrents to combat illegal file sharing.

For Oakland University's campus network, all traffic to and from peer-to-peer sharing sites with a reputation of hosting copyrighted material are blocked. In addition, all unsolicited inbound traffic is denied to user desktops, preventing clients from being dedicated servers of copyrighted material. The network is also continually monitored for anomalous traffic patterns which may be indicative of P2P super-nodes. Moreover, recent firewall upgrades have included the potential to provide additional bandwidth shaping and proactive notification services.

For Oakland University's residence network, all traffic to and from peer-to-peer sharing sites with a reputation of hosting copyrighted material are blocked. Additional technology that shapes bandwidth using algorithms that flatten traffic spikes and provides relatively equal use of the network for everyone on that segment and restricts large bandwidth users from becoming P2P super-nodes.

We actively educate students about copyright and peer-to-peer file sharing issues.

We publicly post our policies, and we have an "appropriate use" policy that governs all IT systems and networks – Policy #890 Use of University Information Technology Resources. It specifically states in section II c. "Using Resources to download or share copyrighted music, movies, television shows or games without the permission of the copyright owner may result in sanctions." Sanctions are described in the policy, and do include disabling network access.

Students have to agree to abide by Policy #890 every time they register to use the network and when they access key systems, such as MySAIL.

We teach students about copyright and illegal downloading during orientation. It is reinforced in the printed Golden Grizzly Guide that every new student receives.

File-sharing is covered in the Student Handbook and in Residence Halls materials.

We actively measure the effectiveness of the program by measuring and monitoring the number of complaints we receive.

We provide information about legal alternatives to illegal peer-to-peer sharing of materials.

Other linked material at this site provides information on civil and criminal liabilities and summary information about penalties in federal copyright laws.

Also, every time students log into the MySAIL portal, the link for legal alternatives is presented with all other critical university systems (Webmail, Moodle, SAIL, etc.).

When complaints occur, we take the following actions:

We receive the notice from a copyright monitoring group representing an industry group such as the Recording Industry of America or the Motion Picture Industry of America. This is processed with two actions: a violation of the Digital Millennium Copyright Act, which is a legal issue, and a violation of university policy, which is a university conduct issue.
We verify the validity and format of the complaint. If the complaint is invalid, the Chief Information Officer will make a good-faith effort to notify the copyright agent with the reason that the notice is invalid.
The format may be a DMCA notice, a pre-litigation settlement notice, or a preservation letter.
We identify the individual and immediately block network access to the content (which is the legal issue) and block access for the individual (in response to the conduct issue).
If a preservation letter is received, the university will comply and preserve the requested information, and will also handle the letter as a DMCA notice. The material will be preserved at least 30 days, and not longer than 1 year, unless otherwise advised by the Office of Legal Affairs.
We send a letter and a copy of the notice to the individual.
Legally, the individual has an option to file a counter-notice.
The individual may be subject to further legal action from the industry (a subpoena or early settlement letter may be issued).
Students must visit the Dean of Students to handle the policy issue. The Dean of Students provides a refresher view of copyright infringement. Students pay a fine to cover the costs of the process. The student then visits University Technology Services and reviews materials about copyright.
We review the computer with the student to make sure the infringing material has been removed, and then we reconnect network access for the student.
In all cases, students must decide how to handle the matter. Students who receive pre-litigation settlement notices or preservation letters would be well-advised to consult an attorney promptly.
Complaints for employees are processed in accordance with university policy and employment contracts.

Electronic Signatures

It is the policy of Oakland University to comply with federal and state law, where applicable, for electronic signatures. The applicable federal law is the Electronic Signatures in Global and National Commerce Act (ESIGN). The applicable Michigan law is the Uniform Electronic Transactions Act (UETA).

The term "Electronic Signature" is generally defined as letters, characters, symbols, or sounds, that are attached to or logically associated with a contract, document, or other record, and executed or adopted by a person with the intent to sign or authenticate an electronic document or transaction. Electronic signatures are not the same as digital signatures, which have a higher security and privacy standard. Digital signatures generally involve using a highly secure technology to implement electronic signatures. Generally, electronic signatures are used to sign a document, eliminating the paper-routing overhead and adding efficiency.

The intent of the law describing electronic signatures was to state that a signature, contract, or other record relating to a transaction may not be ruled invalid or unenforceable solely because it is in electronic form.

To evaluate if an electronic signature meets the legal standard, the following must be evaluated:

What category of document or transaction is being signed? A contract, for example, must follow the standard. Other document or transaction approval types may need to achieve compliance with the standard by university policy.

The signatory must be uniquely identified and linked to the signature. Approval identities may not be shared.

The signatory must have the sole control of the private key that was used to create the electronic signature. For example, someone walking up to a computer should not be able to access, process, or execute an electronic signature belonging to someone else who uses the same computer.

The signature must be capable of identifying if its accompanying data have been tampered with after the document or material was signed. In general, the document or data on the document are intentionally frozen at the moment of signature. An audit trail appropriate to the process must be created.

In the event that accompanying data have been changed, the signature must be invalidated.

Examples of valid electronic signatures in the Oakland University environment:

Approval of leave reports within Banner Sail.
Online routable forms in PerfectForms.
An email sent from an Oakland University individual account.
Agreement and submission of an admissions application.
Banner approval of journal vouchers.

Each of these processes has been reviewed for authenticated signatures and documented audit trails, for example. Other processes may use electronic signatures if the process meets the stated standards. In particular, if the documents involved were created by or provided by a third party or someone external to the university, review of the signature process is appropriate. Please contact UTS for process review. If there are questions about whether an electronic signature is required or appropriate for a process or document, please contact the Office of Legal Affairs for review. To review the appropriateness of the audit trail, please review the process with the Controller or with Internal Audit.

Information Security Plan

The designated Security Advisory Group program administrator is Dennis Bolton, Information Security Officer. The Security Advisory Group, chaired by the Information Security Officer, supports information technology directions and work activities. Members are designated UTS employees with security responsibilities. Additional security advice is provided by all advisory groups identified in the Governance Process. Security Information is provided as a Common Good Core Resource.

Security supports and enforces Compliance for the various regulations that apply to higher education. Assigned responsibilities may be in university policies or described on this site. An overview of Compliance requirements is provided to UTS employees and it is expected that UTS employees will work to support all requirements. We follow the Higher Education Compliance Alliance for guidelines.

The Information Security Plan includes all the documentation on this page and includes the following specific items:

System management and controls, including implementation of university policy #880 Systems Administration Responsibilities. Systems management includes risk assessment, life cycle management, security review, and verification of critical systems by external audit. Procedures for system security review are located in the Systems Security Review Process.
Operational controls, including documentation of access, authentication, authorization, accounting, physical controls, and separation of duties.
Compliance with laws, regulations and mandates, including Payment Card Industry - Data Security Standard, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act, and others.
The Information Security Officer is the designated HIPAA Security Officer, supported by the Chief Information Officer. Oakland University is a hybrid entity under FERPA; there is a designated Privacy Officer in each area designated for HIPAA compliance.
Some operations or initiatives may require a level of review and compliance with the Gramm-Leach-Bliley Act.
Federal requirements for protection of Controlled Unclassified Information (CUI) apply to certain federally funded research programs. Adherence to the standards posted in National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) may be required.
Title IV Federal student financial aid is identified as CUI and requires compliance to Gramm-Leach-Bliley, and therefore adherence to the standards posted in National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171).
Annual audits for compliance in key areas are done.
Firewall rule changes.
Identity access controls and password management.
Backup, restore and disaster recovery planning and verification.
Security incident handling. Please review the document Incident Response Process.
Information Security as implemented in university policy #860 Data Management and Information Security.
Security practices, emphasizing compliance with State of Michigan law for Personally Identifiable Information.
Network access control and registration using NetID identity and access control management.
Local area network and role-based control using identity and access control management.
System and computer local login credentials.
Enterprise data access controls managed through the Banner environment.

University Technology Services reviews current risks, incidents, responses, and alerts in a weekly departmental Change Management meeting. The Security Advisory Group determines baseline security practices. Baseline security practices at this time include mandated patch management of operating systems, anti-virus and anti-malware protection, and disabling unneeded services and ports. Also included are multiple levels of access controls:

UTS annually engages in a data security review, a review of this plan, and a review of all security information on this site. This review is coordinated by the Chief Information Officer, reviewing results with Internal Audit. UTS, in consultation with the Security Advisory Group, develops and administers a Security Awareness Program.

University Technology Services complies with all audit procedures provided for by Oakland University Internal Audit and State of Michigan auditors. University Technology Services periodically engages an external vendor to perform risk analysis of information technology resources.

The Network Architecture Security Practices provides a description of documented security standards for the installation and operation of the Oakland University network. Additional information about network access is on the Networking site. Also, Internet connectivity is covered by the policies of Merit Network, Inc.: Merit Networks, Inc. Policies.

Priorities

We seek to prioritize projects that are in alignment with university strategic initiatives; highest priority is given to projects approved by Vice Presidents, Associate VPs, Assistant VPs, or Deans, aligned with University strategic goals and initiatives, and with strong sponsorship and committed resources. Priorities are periodically reviewed and established with assigned members of the President's Council.

Our top priorities are:

Strategic initiatives identified through university strategic planning.
Production systems or Internet connectivity unavailable.
Mitigation of university risk by improving availability and improving security.
Critical technical projects identified by priority analysis, targeting required technology upgrades, preserving technical investment, or removing technical obsolescence. Technical currency is assessed by actual age, technical age, project dependencies, technical obsolescence, and other factors.
Maintenance of a quality technical environment by replacing components every 5 years (or 20% of the foundation each year).
Compliance with government, legal, or regulatory mandated processes or initiatives.

All remaining work is prioritized by date of project submission, with consideration for the following factors:

Data integrity issues.
Design for resilience and redundancy, performance of release and patch installs, and other activities that support a highly reliable technical environment.
Projects approved by information technology advisory committees in the Governance structure.
Assessment of impact on the university mission.
Scope of repair or service interruption: campus, department, individual.
New system install, requested activation or move.
Project dependencies, noting that an orderly set of project tasks provides constant forward momentum.

Banner releases are installed by evaluation of priority. Minor Banner releases are installed into a test region within 90 days of Banner release. Data stewards have 30 days to test, unless the data steward requests a longer testing period or passage of a specific event, particularly with releases that cross modules. Releases are installed in production 30 days after last notice. Major releases are installed after approval by the data stewards, with delays or conflicts managed by the Banner Operating Committee. Also, major changes to Banner Finance are reviewed in Change Management prior to production installation.

UTS generally does not modify vendor delivered products. Data fixes are handled with high priority, but often require manual intervention. Please note that all data entry, changes, alterations, deletes and corrections must be done in accordance with university Policy #860 Data Management and Information Security. This is especially true for Banner. Examples of data maintenance are merging of duplicate records, correcting gift records, altering data for correction based on a vendor contact, or other unusual situations where the data cannot be fixed using a standard Banner form or process. Procedures related to Policy #860 Data Management and Information Security:

Production data will not be altered, changed, added or deleted without prior approval from the assigned data steward.
Acceptable data sources and values must be approved by the assigned data steward.
Changes affecting any financial data must be approved by the Controller.
One time data corrections, such as the merge of individual records or fixing a record, will be done by UTS as long as there is a ticket for each individual needed fix.
Banner data changes and corrections must first be reviewed with Ellucian and Ellucian directions for data change or correction must be submitted with the change request ticket, approved by the data steward. Similar procedures are required for other products and applications.
Data entry, corrections or updates that are ongoing and repeating must be turned into a job that is executed by the data custodian or data steward. Jobs must use established data relationship rules and standard application programming interfaces (APIs). The data steward must have approved data update access.
Volume of data maintenance does not automatically suggest that a process be developed. First, every effort must be made to use Banner delivered forms and processes for volume data entry and maintenance. If an alternative for volume data maintenance is still required, a Request for Product Enhancement must be filed with Ellucian. Other desktop tools must also be used (such as automated data update tool). A good business case must be made for automating data maintenance, if the volume of data entry cannot be processed using Banner forms, Banner processes or desktop tools. The business case must be approved by UTS leadership prior to development.
The data steward or custodian must be able to confirm a fixed population and guidelines for application of data changes.
The data steward or custodian must have a test plan to confirm the quality of the data change, which will be done in test mode and approved prior to a production run.

Privacy

The following informational documents on privacy may be useful guidelines:

All university employees are reminded that the Family Educational Rights and Privacy Act (FERPA) prohibits the release of any student information (except information classified as directory information) to any person outside the university community or to any university personnel without a legitimate educational reason to know. In addition, there are OU students who have requested that even directory information not be released. These students will appear in BANNER with the message, "Warning: Information about the person is confidential". Also, the word, "CONFIDENTIAL" appears in the upper left corner of BANNER forms related to the student.

Compliance with the General Data Protection Regulation may be required. If working with Sensitive Data described under GDPR, privacy notices and other security steps are required.

Privacy Notices should be posted on each Department’s website and in a central location on the University website. You can request the Privacy Notices template by emailing [email protected]. In addition, the Privacy Notices should appear in the relevant University processes (e.g., the UHR Privacy Notice should appear in the application process).

The GDPR treats the following sensitive data differently than other data. If a department collects any of the following information from individuals while the individuals are in the EU in a format that is personally identifiable and, if so, if the department obtains consent to collect and use that information, additional provisions may apply. If these provisions apply, the department may need to contact the Office of Legal Affairs to add a section to the privacy notice.

Personal and Sensitive data includes the following (IT Governance European Blog - The GDPR: What exactly is personal data?)

Biographical information
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Health data
Sexual orientation
Criminal convictions
Metadata and IP addresses

All university employees involved in a process to share data are responsible for maintaining the appropriate privacy and security of the shared data. Data security exists to protect data privacy and to assure authorized access. Data security rules apply to the data regardless of location or system. Key principles from university Policy #860 Information Security are:

Data should only be shared with those with a defined "need to know", with authorization from the employee's supervisor, and with approval from the named Data Steward.
Data shared with a third party, such as a solution provider with whom there is a data feed requirement, should only be shared under the terms specified in a contract.
Confidential data must be encrypted at all points in the process. That means that the data must be encrypted at each storage point and during each transmission process.
Processes that can be centrally documented and automated are inherently more secure than ad-hoc or locally managed processes.

Third Party Access to an account is allowed only under specific circumstances and within policy guidelines. The process for requesting and handling third party access are Third Party Access Procedures.

There are state and federal laws protecting data privacy. University Policy #860 Data Management and Information Security and Policy #890 Use of University Information Technology Resources provide guidance for compliance with these laws. Data classified as Confidential in university policy should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption. Data, information, and documentation covered by Non-Disclosure Agreements should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption.

OU Data are protected and require OU response to data breach, even if those data are stored on a personally owned device. All device thefts that involve storage of OU data must be reported to OUPD.

Confidential data must be stored in authorized campus solutions, on encrypted departmental share drives, or in approved locations. Mixing personal issues and university data on one device can complicate police investigations. Recent backups of laptops and proof of encryption can reduce university exposure in the event of theft. The exposure of personally identifiable information can result in assessments estimated to be $15 per record, not including time and inconvenience. This cost may be shared with the department.

IT Procurement and Purchasing: Service Providers, Outsourcing, Hosted Solutions, Web Sites, Software Solutions, and Application Service Providers

Supporting your procurement or purchase of information technology components requires adherence to all the policies and guidelines documented here. Please carefully review the Campus Software site for process documentation.

IT Incident and Risk Management

The following information is intended to provide university employees with information and tools to properly assess, mitigate and manage risk related to information technology resources. In particular, employees should be aware of responsibilities assigned as systems administrators in Policy #880 Systems Administration Responsibilities. The following incidents are considered to be emergencies and should be reported immediately:

An entry or attempted entry via unauthorized access in any OU information system or resource.
Exposure of university data to unauthorized parties or via unauthorized processes.
Any process or technology that attempts to use university-owned systems as a conduit for unauthorized activity on another system, that targets systems for unauthorized activity, or that is used to make physical threats, create suspicious or fraudulent communications, commit fraud, or commit any illegal or criminal activity.
Failure of the telephone system or electrical systems.
Damage due to fire, water, lightning, storms, tornado, or physical break-in, or other property damage.
Emergency failure of an enterprise system.
Theft, loss or corruption of university critical information technology assets, including data.
Violations of any university information technology policy.
Impersonation or unauthorized use of identity.
Significant interruption to business and academic operations.

Events should be reported by email to [email protected]. Crisis events occurring during non-regular business hours may be reported to the OU Police Department at 248-370-3331.

Thefts of Oakland University technology should be reported to the OU Police Department at 248-370-3331. We will work with the technology user to assess risk by following the Incident Response Process. You can view the Incident Response Process document by emailing [email protected].

University Technology Services can assist your department with Risk Assessment. Please review the Risk Assessment Checklist when:

Evaluating the information technology risk for a department.
Changing the data management or technology management of your operation.
Considering purchase of a new information technology resource.
Considering the outsourcing of an information technology or data management operation.
Staff or processes change, or on a regular audit basis, periodically or annually.
Processing payment card, credit card or medical data.

You can request the Risk Assessment Checklist by emailing [email protected].

Social Networks

Oakland University faculty may choose to use web-enabled software and social network tools in instruction. Such tools may include alternative online learning systems, chat rooms, blogs, collaborative workspaces, wikis, and podcast/video sites. These learning tools may offer positive potential for engaging students in learning. However, there may privacy concerns or service reliability concerns when an instructor chooses to use a non-Oakland University tool in instruction.

As a general recommendation, start by reviewing Oakland University policy #860 Data Management and Information Security. Know data elements classified as Confidential, particularly under the Family Educational Rights and Privacy Act (FERPA) and how it applies to your course. In particular, note if participation from people outside the enrolled class is allowed; this may be a violation of FERPA.

Become familiar with the question: Where is the information stored? Understand when you are creating and storing your course data and other information using campus information technology resources, and when you are storing data in off-campus or third-party technologies.

Note that software licenses, application service provider contracts and other agreement must follow university standard procedures, particularly as it applies to Procurement and Purchasing.

Instructional materials are often protected by copyright law. Further, some service provider agreements claim rights to use the content created or uploaded to the technology solution. Review carefully so that you do not share intellectual property that you are not entitled to, or do not want to, share.

Communicate with your students. Make sure your students understand when they are sharing material in off-campus social networks, tools, and technologies. Your students may be uncomfortable with such storage; determine if participation is a requirement, or if you need to have alternative plans.

Web and IT Accessibility Guidelines and Procedures

Rationale

Oakland University (the University) is committed to enabling equally effective access to information through information technologies, databases, services, and resources, including that all information provided through the University's website(s) (i.e., online content) is accessible to students, prospective students, employees, guests, and visitors with disabilities, particularly those with visual, hearing, or manual impairments or who otherwise require the use of assistive technology to access information. This commitment is consistent with the Common Good Resources Philosophy that underlies Information Technology (IT) services and resources provided by University Technology Services (UTS).

Definitions

"Accessible," as used in these Web and IT Accessibility Guidelines and Procedures (Guidelines), means a person with a disability is afforded the opportunity to acquire the same information, engage in the same interactions, and enjoy the same services as a person without a disability in an equally effective and equally integrated manner, with substantially equivalent ease of use, and afforded the opportunity to acquire the same information and services in substantially the same time period. A person with a disability must be able to obtain the information as fully, equally, and independently as a person without a disability. Although this might not result in identical ease of use compared to that of persons without disabilities, it still must ensure equal opportunity to the educational benefits and opportunities afforded by the technology and equal treatment in the use of such technology. More information about student educational materials has been presented by the Office of Civil Rights and the U.S. Department of Justice, Civil Rights Division in Dear Colleague letters.

The standard definition for technology covered by the technical standards is Electronic and Information Technology (EIT); the international term as updated in 2017 is Information and Communication Technology (ICT) and University materials may refer to either standards label. All online information and communications are included in ICT, regardless of the medium chosen for the communication; communication includes the transfer of information and encompasses information conveyed through computer-related, web-related, and online environments. ICT covers solutions implemented or offered by the University. ICT includes online content provided by or developed by third parties (e.g. vendors, video-sharing websites, other open sources) that the University chooses to make available on its websites or in its provided solutions.

Guidelines and Procedures

Technical Standards

The applicable oversight policy for these Guidelines is Administrative and Procedures #890 Use of University Information Technology Resources.

The University has also adopted widely accepted technical standard(s) to determine whether University online content is accessible. Those standards to which actions require conformance are as noted here, with current versions as announced from time to time by UTS:

W3C WAI Web Content Accessibility Guidelines version 2.0 Levels A and AA

WCAG2ICT Guidance on Applying WCAG 2.0 to Non-Web Information and Communications Technologies

Management

These Guidelines will be coordinated and managed by the University's Chief Information Officer (CIO) with counsel from the University IT Accessibility Committee. The CIO has authority to allocate resources to fulfill the intent of these Guidelines and all other commitments relating to technological accessibility. The CIO will chair and be advised by the University IT Accessibility Committee, which was created as part of the IT Governance structure, given the following charge:

To review public-facing University web sites, content, and ICT for compliance with applicable law.
Evaluate and recommend possible tools and technologies for use in achieving compliance.
Create, identify, or provide training and educational materials needed to achieve compliance and create a culture of compliance.
Prioritize projects, recommend policy changes, and recommend procedural changes.
Provide ICT recommendations to, and address issues identified by, the Department of Disability Support Services.
Provide ICT recommendations to, and address issues identified by, the Center for Excellence in Teaching and Learning, in support of the Universal Design for Learning initiative.

The University IT Accessibility Committee is composed of the following members:

Lori Tirpak, Interim Chief Information Officer, University Technology Services, Chair and ICT Officer
Teri Abbo, Director IT Services Alliance, University Technology Services
Judith Ableser, Director, Center for Excellence in Teaching and Learning
Robert Burns, Manager Library Technology Services, Kresge Library
Aaron Grant, Associate Director Emerging Technology, University Technology Services
Sarah Guadalupe, Director, Disability Support Services
James Hargett, Assistant Vice President and Controller, Controller's Office
Mary Konicki, University Risk Manager, Risk Management
Chad Martinez, Director, Diversity, Equity, and Inclusion
Shaun Moore, Director, E-Learning and Instructional Support
Todd Nucci, Director, Marketing, Web, and Digital Services, Communications and Marketing
Paula Reyes, Director of Purchasing, Purchasing Department

Communications and Marketing (C&M) and UTS will coordinate review, monitoring, and update of ICT within the University centralized content management system. UTS will coordinate review, monitoring, and update of ICT outside the centralized content management system. Such reviews will be conducted annually or more frequently as needed.

The Center for Excellence in Teaching and Learning (CETL) will provide support, educational materials, and guidelines for faculty based on using Universal Design for Learning (UDL) principles. Members of the University Accessibility Committee may serve on CETL advisory groups from time to time in support of UDL initiatives.

Third-Party Vendors

All University online content and information obtained through online content provided or developed by third parties, e.g. vendors, service providers, video-sharing websites such as YouTube, or other open sources (collectively Vendor) must be accessible to afford equal opportunity to the educational benefits and opportunities afforded by the technology and equal treatment in the use of such technology.

Those individuals responsible for making recommendations about which Vendor products and/or services to procure must consider accessibility as one of the criteria for acquisition. The University IT Accessibility Committee is will assist employees in this endeavor.

All request to acquire Vendor products and/or services should be directed to the Purchasing Department. UTS will assist the Purchasing Department and work with potential Vendors to review the full Security and Compliance Statement, including obtaining a relevant Voluntary Product Accessibility Template or similar documented attestation from the Vendor. If there are issues that prevent the Vendor from meeting accessibility standards, the Vendor must describe its current ongoing efforts to address issues in a timely manner. UTS will also work with the University's Office of Legal Affairs for accessibility assurances and ongoing accessibility compliance in negotiated contract language, as may be necessary.

Selection of a Vendor product or service that that does not meet minimum accessibility standards will be handled as a policy exception under standard University policies, and only accepted if the Vendor can provide a timetable for compliance that is acceptable to the University.

Additional information that may be helpful for the procurement process include the Campus Software Process and the IT Service Providers, Outsourcing, Hosted Solutions, Web Sites, Software Solutions and Application Service Providers Guidelines.

Training

Annual training will be available for any staff (e.g. administrators, faculty, support staff, student employees) responsible for creating or distributing information with online content to students, employees, guests, and visitors with disabilities, including, but not limited to, education on these Guidelines and their roles and responsibilities to ensure that web design, documents, and multimedia content are accessible. The training and education will be provided, in whole or in part, by qualified personnel with sufficient knowledge, skill, and experience to understand and employ the technical standards adopted by the University, or through an online training/education program vetted by said qualified personnel. Failure to complete any required training, particularly for the centralized content management system, will result in removal of access.

See also the following useful information about ICT accessibility in higher education:

UTS and University Communications and Marketing have partnered to create documentation about policies and guidelines to assist individuals and departments considering web development. Please review Web Development Guidelines if you are considering customized web development.

Resources and Knowledge Base

UTS has also created a knowledge base for reference. The knowledge base, Accessibility Efforts and Toolkits, provides material for education, training, and testing. The knowledge base also contains material about Captions, Transcripts, and Audio Descriptions. Also, a short summary of ongoing efforts is presented; more information about projects and progress is available by sending an email request to [email protected].

CETL provides accessibility resources and eLIS provides accessibility guideline resources of specific interest to faculty. University Communications and Marketing provides content management materials to assist with compliance.

Compliance and Audits

Activities to demonstrate consistent progress toward a culture of compliance will be monitored and documented, with periodic review and priority assessment completed by the University IT Accessibility Committee. Legacy ICT must be updated to be in compliance in a timely way and as prioritized by the University IT Accessibility Committee. Each University college, department, program, or unit will make available a timetable for updating, transitioning, or removing legacy ICT upon notification that the ICT is not in compliance. Failure to address issues may result in ICT removal or removal of access for the individual assigned to maintain ICT.

In addition, an annual accessibility audit will be completed at the direction of the CIO, during which information provided by the University through its online content is measured against the technical standards adopted in these Guidelines (Audit). The CIO may also conduct more frequent and/or limited-targeted Audits at the CIO's discretion. All problems and reviewed for priority activities by the University IT Accessibility Committee. All problems identified through the Audit will be documented, evaluated, and if necessary, remediated within a reasonable period of time.

Reporting Violations

Please contact us to report any accessibility issues, violations of the technical standards used by the University, or to submit requests for assistance. The best method to contact us is by sending e-mail to [email protected] Reports will be promptly reviewed by UTS staff members. If needed, project priorities or best practice directions will be reviewed and handled by the University IT Accessibility Committee. Individuals may also file a formal complaint through the University's Section 504 and Title II grievance procedure.

Backup and Recovery

University Technology Services provides a backup and recovery service for datacenter services. Please review Storage and comparison options posted on the UTS site.

July 2023

University Policies