We value responsible use of information technology resources. We have assembled this list of policies and guidelines to assure you and all other information technology users a pleasant, secure and reliable experience. The following policies are related to information technology and are available at the Oakland University Administrative Policies and Procedures site and the Office of Legal Affairs site.
The following standardized message is displayed when logging into provided services:
Usage of all Oakland University systems, services and networks is governed by official OU IT and Security Policies. By accessing these resources you agree to use all information technology resources responsibly and comply with University policies and guidelines.
By accessing Banner and other university-provided password protected systems, you agree to the following security statements:
- You are entering a secure area. Please do not share your ID or password, as you are responsible for changes made with your ID and permission.
- All students, alumni, faculty, staff and guests are expected to use information-technology resources in compliance with University policies.
- Execution of scripts or otherwise attempting to circumvent standard login procedures is not permitted.
- All university employees are reminded that the Family Educational Rights and Privacy Act (FERPA) prohibits the release of any student information (except information classified as directory information) to any person outside the university community or to any university personnel without a legitimate educational reason to know. In addition, there are OU students who have requested that even directory information about them not be released. These students will appear in Banner with the message "Warning: Information about the person is confidential." Also, the word "CONFIDENTIAL" appears.
A description of information technology governance is available in the document Governance. Policies are reviewed and updated annually as needed. Oakland University mandates that policies be updated at least every five years. Policies related to information technology are drafted by University Technology Services. The governance process requires that the appropriate advisory committee first review and update the drafted policy. The policy approval process then flows:
- University Senate Academic Computing Committee
- Academic Council
- Administrative Council with review by General Counsel
- Deans Council
- President's Council, final approval
Access, Accounts, and Password Management
All new employees are introduced to and agree to abide by University technology policies during the hiring process with the appropriate hiring office. Information about UTS provisioning systems, account termination, and application access can be found in Accounts.
Account access policies are defined in Policy #890 Use of University Information Technology Resources, Procedures, Section III Access to Resources.
Access to specific data is generally limited by need to know, job responsibilities, supervisor approval, data steward approval, and university Policy #860 Information Security. Access to certain enterprise systems is administered by University Technology Services.
The authorizing body that created an account must authorize emergency or non-standard account termination, with review by General Counsel if required by Policy #890 Use of University Information Technology Resources:
- Employee account termination is processed through University Human Resources.
- Faculty account termination is processed through Academic Human Resources.
- Student account termination is processed through the Dean of Students.
Third Party Access to an account is allowed only under specific circumstances and within policy guidelines. The process for requesting and handling third party access is described in the Third Party Access Procedures.
Change and Architecture Management
Change Management is a process for handling changes so that changes are efficient, organized and minimally disruptive to the existing technology environment. Changes typically represent new components in the architecture.
Architecture Management is a process for handling routine maintenance and updates to the existing architecture so that the handling is efficient, organized and minimally disruptive to the technology environment. Architecture Management items typically do not require new or additional testing; prior testing has yielded a commonly used, standardized and repeatable practice. A fail-back and recovery plan is already in place. Items do not require a communications plan, have minimal impact, and have minimal or no risk as identified through a prior risk assessment. Architecture Management items are usually handled in the Wednesday morning maintenance window (midnight to 8:00 AM).
When a task, process or project meets any of the following listed criteria, a Change Management request must be completed.
Changes are thoroughly tested prior to submission to the Change Management Committee. Change Management plans must address failure back-out, performance, security, availability, reliability, impact, risk assessment and functionality.
The Change Management Communications Plan must be submitted and reviewed with the Change Management request. Projects of large or significant scope will require the presentation of a Change Management Communications Plan in writing to the Change Management Committee.
Requests submitted to Change Management must be reviewed and approved by the Change Management committee, which meets every Monday morning. The individual submitting and performing the tasks in a Change Management ticket is welcome to attend the Change Management Committee meeting, and is encouraged to do so to facilitate change planning. Changes must be submitted by 3 PM Friday for inclusion on the Change Management review report for the following Monday.
Change Management Criteria:
- Planned production outage of a significant operation or service.
- Business interruption of any type during regular business hours (8 AM to 8 PM, Monday through Friday), or academic interruption of any type on any day or time within a term.
- Changes to a client interface or a client service, including service names, URLs, SSIDs, and other names that clients use regularly.
- Significant business or operational practice change that would affect how we provide instructions, directions, or help.
- Any change that requires a notice on the UTS home page or a campus notification.
- Installation or decommission of a server in a secured datacenter facility.
- Any wiring work that will be performed above the ceiling or under the tile floor in any facility that has a fire suppression system.
- Changes on any system that affect backup, restore, disaster recovery or business continuity.
- Changes that require third-party or vendor access to a secured datacenter facility or remote access to a system.
- Significant changes to financial systems.
- Change to any network device determined to be in-scope for regulatory compliance (e.g., PCI, HIPAA).
- Introduction or discontinuance of an information technology resource, virtualized server or resource, or service.
- Periodic review of firewall and router rules per Policy #850.
Change Management items will be considered complete when all of the following items have been addressed:
- Security has been reviewed, risk assessment completed, and all identified issues and vulnerabilities have been addressed.
- Permanent location is assigned and recorded.
- Installation is complete.
- Backup and restore have been tested and verified.
- Start-up and shutdown procedures are documented for Operations.
- Business continuity and disaster recovery procedures are documented for Operations.
- Architecture diagram has been updated.
- Inventory database has been updated.
- Communication plan has been implemented.
- Production date is processed.
- Service level agreement is complete.
- Identity management and access controls are complete.
The IT Security Committee reviews the firewall implementation for the Firewall Rule Change process. This group is charged with defining the default firewall implementation. Requests to change the firewall are submitted on the Firewall Change Request Form. The request will be reviewed for compliance with university policies by the IT Security Committee.
When to Contact UTS
Please contact us as soon as you are aware that you have a potential information technology project that may involve existing or new centralized services or if you are planning an event that requires network access. Also, please contact us if there is an urgent technology issue or security issue. Any issue related to Banner, servers, or telephones, should be reported to UTS. The best method to initiate contact is by sending e-mail to email@example.com. Systems monitoring and operations are handled 24 hours a day, 5 days a week, on regularly scheduled weekdays, during standard business hours, 8 AM to 5 PM. Extended support hours may be available. When possible, UTS will attempt to extend the business day through flexible scheduling. The extended day is generally from 7:30 AM to 6:00 PM on regularly scheduled weekdays. Extended service is not guaranteed.
Goodwill service may be available at other times, such as nights, weekends, and holidays. Goodwill service is not guaranteed. Goodwill service refers to UTS staff members casually monitoring systems and notifications during their personal time. We do not have an on-call scheduled rotation due to staffing limits.
Scheduled support service for a specific event can be arranged in advance through planning by contacting UTS at least 6 weeks prior to the planned event. If support requests are expected over major holidays (4th of July, Thanksgiving, Christmas, holiday break), the request should be submitted 6 months in advance.
UTS will respond to critical requests within 4 hours of receiving a report within standard support hours. A best effort response will be provided at other times. UTS will immediately respond to emergency situations as defined in the Oakland University Emergency Response Plan and the Desktop Emergency Guide.
Copyright: Plan for Compliance
It is the policy of Oakland University to comply with copyright law (Policy #890 Use of University Information Technology Resources). Please note the following UTS plan for combating illegal file sharing. We run a large research network, and a ban of peer-to-peer traffic could have the effect of disrupting legitimate network traffic. We seek to avoid high-cost solutions that would add charges to the environment (leading to additional student fees or an increase in tuition).
Music, movies, photos, images displayable on computer screens, computer software, books, magazines, scientific and other journals are some of the things subject to copyright. A copyright notice is not required.
It is a violation of copyright law to copy, distribute, display, exhibit, or perform copyrighted works without the authority of the copyright owner. Copyright infringement is the act of exercising, without copyright owner permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code), subject to exceptions contained in 17 U.S.C. §§ 107 and 108 (http://www.copyright.gov/title17/92chap1.html). Sharing, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement.
We use technology-based deterrents to combat illegal file sharing.
- For Oakland University's academic and administrative campus network, all traffic to and from the well-known addresses for the top three peer-to-peer sharing sites is blocked. In addition, all unsolicited inbound traffic is denied to user desktops, preventing clients from being dedicated servers of copyrighted material. The network is also continually monitored for anomalous traffic patterns which may be indicative of P2P super-nodes. Moreover, recent firewall upgrades have included the potential to provide additional bandwidth shaping and proactive notification services.
- For Oakland University's residence network, the border router employs Network Based Application Recognition and Quality of Service protocols that match a "policy library" with active traffic and then limits based on the match. We have listed known peer-to-peer traffic defined in the policy library and are limiting based on that standard. There is an additional technology that shapes bandwidth using algorithms that flatten traffic spikes and provides relatively equal use of the network for everyone on that segment. This restricts large bandwidth users from becoming P2P super-nodes.
We actively educate students about copyright and peer-to-peer file sharing issues.
- We publicly post our policies, and we have an "appropriate use" policy that governs all IT systems and networks – Policy #890 Use of University Information Technology Resources. It specifically states in section II c. "Using Resources to download or share copyrighted music, movies, television shows or games without the permission of the copyright owner may result in sanctions." Sanctions are described in the policy, and do include disabling network access.
- Students have to agree to abide by Policy #890 every time they register to use the network and when they access key systems, such as MySAIL.
- We teach students about copyright and illegal downloading during orientation. It is reinforced in the printed Golden Grizzly Guide that every new student receives.
- File-sharing is covered in the Student Handbook and in Residence Halls materials.
We actively measure the effectiveness of the program by measuring and monitoring the number of complaints we receive.
We provide information about legal alternatives to illegal peer-to-peer sharing of materials.
- The material is posted on the UTS copyright compliance website.
- Other linked material at this site provides information on civil and criminal liabilities and summary information about penalties in federal copyright laws.
- Also, every time students log into the MySAIL portal, the link for legal alternatives is presented with all other critical university systems (Webmail, Moodle, SAIL, etc.).
When complaints occur, we take the following actions:
- We receive the notice from a copyright monitoring group representing an industry group such as the Recording Industry of America or the Motion Picture Industry of America. This is treated with two separate views: a violation of the Digital Millennium Copyright Act, which is a legal issue, and a violation of university policy, which is a university conduct issue.
- We verify the validity and format of the complaint. If the complaint is invalid, the Chief Information Officer will make a good-faith effort to notify the copyright agent with the reason that the notice is invalid.
- The format may be a DMCA notice, a pre-litigation settlement notice, or a preservation letter.
- We identify the individual and immediately block network access to the content (which is the legal issue) and block access for the individual (in response to the conduct issue).
- If a preservation letter is received, the university will comply and preserve the requested information, and will also handle the letter as a DMCA notice. The material will be preserved at least 30 days, and not longer than 1 year, unless otherwise advised by the Office of Legal Affairs.
- We send a letter and a copy of the notice to the individual.
- Legally, the individual has an option to file a counter-notice.
- The individual may be subject to further legal action from the industry (a subpoena or early settlement letter may be issued).
- Students must visit the Dean of Students to handle the policy issue. The Dean of Students provides a refresher view of copyright infringement. Students pay a fine to cover the costs of the process. The student then visits the Helpdesk and watches a video "Campus Downloading, Protect Yourself, Do It Legally".
- We review the computer with the student to make sure the infringing material has been removed, and then we reconnect network access for the student.
- In all cases, students must decide how to handle the matter. Students who receive pre-litigation settlement notices or preservation letters would be well-advised to consult an attorney promptly.
- Complaints for employees are processed in accordance with university policy and employment contracts.
Information Security Plan
The designated security program administrator is Theresa Rowe, Chief Information Officer. The core security council is the CIO, the Director - Systems Engineering, and the Network Security Analyst, who meet regularly. Work is supported by the IT Security Committee, which includes the Director - Systems Engineering (chair), Network Security Analyst, and others with designated security responsibilities. Additional advice and counsel for security is provided by all advisory groups identified in Governance Process.
The Information Security Plan includes all the documentation on this page and includes the following specific items:
- System management and controls, including implementation of university policy #880 Systems Administration Responsibilities. Systems management includes risk assessment, life cycle management, security review, and verification of critical systems by external audit. Procedures for system security review are located in the Systems Security Review Process.
- Operational controls, including documentation of access, authentication, authorization, accounting, physical controls, and separation of duties.
- Compliance with laws, regulations and mandates, including Payment Card Industry - Data Security Standard, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act, and others. Annual audits for compliance in key areas are done.
- Firewall rule changes.
- Identity access controls and password management.
- Backup, restore and disaster recovery planning and verification.
- Security incident handling. Please review the document Incident Response Process.
- Information security as implemented in university policy #860 Information Security.
- Security practices, emphasizing compliance with State of Michigan law for Personally Identifiable Information.
University Technology Services reviews current security risks, incidents, responses, and alerts in a weekly departmental Change Management meeting. Baseline security practices are determined by the IT Security Committee. Baseline security practices at this time include mandated patch management of operating systems, anti-virus and anti-malware protection, and disabling unneeded services and ports. Also included are multiple levels of access controls:
- Network access control and registration using NetID identity and access control management.
- Local area network and role-based control using ADMNET identity and access control management.
- System and computer local login credentials.
- Enterprise data access controls managed through the Banner environment.
UTS engages in an annual data security review, a review of this plan and a review of all security information on this site. This review is coordinated by the Chief Information Officer, reviewing results with Internal Audit. UTS, in consultation with the IT Security Committee, develops and administers a Security Awareness Program.
University Technology Services complies with all audit procedures provided for by Oakland University Internal Audit and State of Michigan auditors. University Technology Services periodically engages an external vendor to perform risk analysis of information technology resources.
The Network Architecture Security Practices document provides a description of documented security standards for the installation and operation of the Oakland University network. Additional information about network access is on the Networking site. Also, Internet connectivity is covered by the policies of Merit Network, Inc. (MichNet Policies, http://www.merit.edu/policies/).
We seek to prioritize projects that are in alignment with university strategic initiatives; highest priority is given to projects approved by Vice Presidents, Associate VPs, Assistant VPs, or Deans, aligned with University strategic goals and initiatives, and with strong sponsorship and committed resources. Please review #830 Information Technology.
Our top priorities are:
- Strategic initiatives.
- Production systems or Internet connectivity unavailable.
- Mitigation of university risk by improving availability, improving security, preserving technical investment, or removing technical obsolescence.
- Compliance with government, legal, or regulatory mandated processes.
All remaining work is prioritized by date of project submission, with consideration for the following factors:
- Data integrity issues.
- Technical currency assessed by actual age, technical age and technical obsolescence.
- Projects approved by information technology advisory committees.
- Scope of repair or service interruption: campus, department, individual.
- New system install, requested activation or move.
Banner releases are installed by evaluation of priority. Minor Banner releases are installed into a test region within 90 days of Banner release. Data stewards have 30 days to test, unless the data steward requests a longer testing period or passage of a specific event, particularly with releases that cross modules. Releases are installed in production 30 days after last notice. Major releases are installed after approval by the data stewards, with delays or conflicts managed by the Banner Operating Committee. Also, major changes to Banner Finance are reviewed in Change Management prior to production installation.
UTS generally does not modify vendor delivered products. Please note that all data entry, changes, alterations, deletes and corrections must be done in accordance with university Policy #860 Information Security. This is especially true for Banner. Examples of data maintenance are merging of duplicate records, correcting gift records, altering data for correction based on a vendor contact, or other unusual situations where the data cannot be fixed using a standard Banner form or process.
Procedures related to Policy #860:
- Production data will not be altered, changed, added or deleted without prior approval from the assigned data steward.
- Acceptable data sources and values must be approved by the assigned data steward.
- One-time data corrections, such as the merge of individual records or fixing a record, will be done by UTS as long as there is a ticket for each individual fix needed.
- Data entry, corrections or updates that are ongoing and repeating must be turned into a job that is executed by the data custodian or data steward. Jobs must use established data relationship rules and standard application programming interfaces (APIs). The data steward must have approved data update access.
- Volume of data maintenance does not automatically suggest that a process be developed. First, every effort must be made to use Banner delivered forms and processes for volume data entry and maintenance. If an alternative for volume data maintenance is still required, a Request for Product Enhancement must be filed with Ellucian. Other desktop tools must also be used (such as an automated data update tool). A good business case must be made for automating data maintenance if the volume of data entry cannot be processed using Banner forms, Banner processes or desktop tools. The business case must be approved by UTS leadership prior to development.
- The data steward or custodian must be able to confirm a fixed population and guidelines for application of data changes.
- The data steward or custodian must have a test plan to confirm the quality of the data change, which will be done in test mode and approved prior to a production run.
- Banner data changes and corrections must first be reviewed with Ellucian and Ellucian directions for data change or correction must be submitted with the change request ticket, approved by the data steward. Similar procedures are required for other products and applications.
The following informational documents on privacy may be useful guidelines.
There are state and federal laws protecting data privacy. University Policy #860 Information Security provides guidance for compliance with these laws. Data classified as Confidential in university policy should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption. Data, information, and documentation covered by Non-Disclosure Agreements should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption. OU Data are protected and require OU response to data breach, even if those data are stored on a personally owned device. All device thefts that involve storage of OU data must be reported to OUPD. We recommend that Confidential data be stored on encrypted departmental share drives or in OakShare (https://files.oakland.edu). Mixing personal issues and university data on one device can complicate police investigations. Recent backups of laptops and proof of encryption can reduce university exposure in the event of theft. The exposure of personally identifiable information can result in assessments estimated to be $15 per record, not including time and inconvenience. This cost may be shared with the department.
IT Risk Management
The following information is intended to provide university employees with information and tools to properly assess, mitigate and manage risk related to information technology resources. In particular, employees should be aware of responsibilities assigned as systems administrators in Policy #880 Systems Administration Responsibilities.
The following events are considered to be emergencies and should be reported immediately:
- An entry or attempted entry via unauthorized access in any OU information system or resource.
- Any process or technology that attempts to use university-owned systems as a conduit for unauthorized activity on another system, that targets systems for unauthorized activity, or that is used to make physical threats, create suspicious or fraudulent communications, commit fraud, or commit any illegal or criminal activity.
- Failure of the telephone system or electrical systems.
- Damage due to fire, water, lightning, storms, tornado, or physical break-in, or other property damage.
- Emergency failure of an enterprise system.
- Theft, loss or corruption of university critical information technology assets, including data.
- Violations of any university information technology policy.
- Impersonation or unauthorized use of identity.
Events should be reported by email to firstname.lastname@example.org. Crisis events occurring during non-regular business hours may be reported to the OU Police Department at 248-370-3331.
University Technology Services can assist your department with Risk Assessment. Please review this Risk Assessment Checklist when:
- Evaluating the information technology risk for a department.
- Changing the data management or technology management of your operation.
- Considering purchase of a new information technology resource.
- Considering the outsourcing of an information technology or data management operation.
- Staff or processes change, or on a regular audit basis, periodically or annually.
- Processing payment card, credit card or medical data.
Outsourcing, Hosted Solutions and Application Service Providers
The following information is intended to provide university employees with information and tools to properly assess, mitigate and manage risk related to outsourcing, hosted solutions, software as a service, and application service providers (ASP), commonly known as "web sites". To begin a project involving an outsourced, hosted, SaaS, or ASP solution, please review this Checklist. A vendor security review must be completed as part of this process; vendors must be able to meet current university Security Standards and a documented response must be provided. If University data are involved, language that protects the security and privacy of data is required in agreements and contracts; please coordinate with the Purchasing department. Note that sending university data off-site requires compliance with the Information Security policy #860 Information Security, following the procedures for Secure File Transmission and Encryption.
Backup and Recovery
Each individual is responsible for the backup and recovery strategy for the information technology resources used, including data and software on desktops, laptops and other devices.
- Oakland University does not make backup copies of any email, calendar, or anything stored in Google Apps for Education.
- University Technology Services does not back up individual desktops.
- University Technology Services does back up the systems and servers managed in facilities under UTS operation and control. To verify that systems or data in UTS are backed up to the needs and expectations for your area or department, contact UTS by email at email@example.com. Please review the Storage and comparison options posted on the UTS site.
To create a personal backup strategy, please review the sample document on backups. Faculty and staff should check with their department or local help desk for acceptable department procedures.