Policies and Guidelines

This is a list of information technology policies and guidelines available for review:

University Policies

Security Statement

Governance

Access, Accounts, and Password Management

Change and Architecture Management

Contact UTS - When to Contact UTS

Copyright: Plan for Compliance

Electronic Signatures

Information Security

Priorities

Privacy

IT Risk Management

IT Service Providers, Outsourcing, Hosted Solutions, Web Sites and Application Service Providers

Social Networks

Web and IT Accessibility Guidelines and Procedures

Backup and Recovery

References

University Policies

We value responsible use of information technology resources. We have assembled this list of policies and guidelines to provide information technology users a secure and reliable experience. The following policies are related to information technology and are available at the Oakland University Administrative Policies and Procedures site and the Office of Legal Affairs site.

Appropriate use and general information technology policy

#890 Use of University Information Technology Resources

#830 Information Technology

Ellucian Banner

#218 Data Entry Standards for Banner Users Policy

Banner Shared Data Committee Charge

Data

#430 Freedom of Information Act

#470 Release of Student Educational Records

#860 Information Security

Policy #860 Approved Data Stewards

#481 Records Retention and Disposal

#1130 Family Educational Rights and Privacy Act

Student Employee and Student Intern Confidentiality Agreement

Email

#420 Employee Broadcast E-Mail Procedure

#1160 Student E-Mail System Use

Network

#850 Network Policy

Please note that Oakland University domain URLs contain oakland.edu. Other formats, such as .com, are not supported. Naming format standard is www.oakland.edu/academic-department/department-name. Domain name requests must be approved by Communications and Marketing and University Technology Services as noted in this policy.

Payment / Credit Card

#212 Bankcard Information Security Requirements

Software

#870 Software Regulations

#410 Contracting and Employment Appointment Authority

In Policy #410, note Section 2. Purchase Contracts (4) when purchasing software.

Software Information and Processes

Surveillance

#674 Surveillance and Monitoring Technology

Systems Administration

#880 Systems Administration Responsibilities

University Terms and Conditions

Terms and Conditions and other Legal Forms

Security Statement

The following standardized message is displayed when logging into provided services:

Usage of all Oakland University systems, services and networks is governed by official OU IT and Security Policies. By accessing these resources you agree to use all information technology resources responsibly and comply with University policies and guidelines.


By accessing Banner and other university-provided password protected systems, you agree to the following Security statements:

You are entering a secure area.  Please do not share your ID or password, as you are responsible for changes made with your ID and permission.

All students, alumni, faculty, staff, and guests are expected to use information technology resources in compliance with University policies.

Execution of scripts or otherwise attempting to circumvent standard login procedures is not permitted.

All university employees are reminded that the Family Educational Rights and Privacy Act (FERPA) prohibits the release of any student information (except information classified as directory information) to any person outside the university community or to any university personnel without a legitimate educational reason to know. In addition, there are OU students who have requested that even directory information about them not be released. These students will appear in Banner with the message "Warning: Information about the person is confidential." Also, the word "CONFIDENTIAL" appears.

Governance

A description of information technology governance is available in the document Governance. The CIO is responsible for coordinating governance and IT policy.  Policies are reviewed and updated annually as needed; Oakland University recommends that policies be updated at least every five years.  The CIO leads UTS staff members in the drafting of new IT policies or updates to existing IT policies.  The governance process requires that the appropriate advisory committees then review and update the drafted policy.  The policy approval process then flows:

University Senate Academic Computing Committee

Administrative Council with review by General Counsel

Academic Council

Deans Council

President's Council, final approval

Posting on the university policy site 

The CIO provides ongoing status updates about policies to the Chief Operating Officer, who is informed at every step of the process.  

Access, Accounts, and Password Management

Access and Accounts are provided to individuals through processes based on the individual's relationship to the university.  Account access policies are defined in Policy #890 Use of University Information Technology Resources, Procedures, Section III Access to Resources. University Technology Services may require proof of identity to process accounts.  Information about UTS provisioning systems, account termination, and application access can be found in Accounts.

Employee Accounts are processed by either University Human Resources or Academic Human Resources.  All new employees are introduced to and agree to abide by University technology policies during the hiring process with the appropriate hiring office. 

Student Accounts are processed by one of the admissions offices through the admissions process.

Access to specific data is generally limited by need to know, job responsibilities, supervisor approval, data steward approval, and university Policy #860 Information Security. Access to certain enterprise systems is administered by University Technology Services.

The authorizing body that created an account must authorize emergency or non-standard account termination, with review by General Counsel if required by Policy #890 Use of University Information Technology Resources:

Employee account initiation and termination are processed through University Human Resources.

Faculty account termination is processed through Academic Human Resources.

Student account termination is processed through the Dean of Students.

Guest accounts expire annually, unless covered by a specific contract providing for a specific time-period. 

Sponsored access typically expires within 48 hours or at the end of an event.

Oakland University is a member and participant in the InCommon Federation.  The InCommon Federation is the U.S. education and research identity federation.  InCommon Participant Operational Practices are shared with other participants in the InCommon Federation.

Third Party Access to an account is allowed only under specific circumstances and within policy guidelines. The process for requesting and handling third party access is described in the Third Party Access Procedures.

Change and Architecture Management

Change Management is a process for handling changes so that changes are efficient, organized and minimally disruptive to the existing technology environment. Changes typically represent new components in the architecture.

Architecture Management is a process for handling routine maintenance and updates to the existing architecture so that the handling is efficient, organized and minimally disruptive to the technology environment. Architecture Management items typically do not require new or additional testing; prior testing has yielded a commonly used, standardized and repeatable practice. A fail-back and recovery plan is already in place. Items do not require a communications plan, have minimal impact, and have minimal or no risk as identified through a prior risk assessment. Architecture Management items are usually handled in the Wednesday morning maintenance window (midnight to 8:00 AM).

When a task, process or project meets any of the following listed criteria, a Change Management request must be completed.

Changes are thoroughly tested prior to submission to the Change Management Committee. Change Management plans must address failure back-out, performance, security, availability, reliability, impact, risk assessment and functionality.

The Change Management Communications Plan must be submitted and reviewed with the Change Management request. Projects of large or significant scope will require the presentation of a Change Management Communications Plan in writing to the Change Management Committee.

Requests submitted to Change Management must be reviewed and approved by the Change Management committee, which meets every Monday morning. The individual submitting and performing the tasks in a Change Management ticket is welcome to attend the Change Management Committee meeting, and is encouraged to do so to facilitate change planning. Changes must be submitted by 3 PM Friday for inclusion on the Change Management review report for the following Monday.

Change Management Criteria:

Planned production outage of a significant operation or service, or a change outside the Architecture Management maintenance window on Wednesday mornings.

Business interruption of any type during regular business hours (8 AM to 8 PM, Monday through Friday), or academic interruption of any type on any day or time within a term.

Changes to a client interface or a client service, including service names, URLs, SSIDs, and other names that clients use regularly.

Changes to security architecture or changes that affect the compliance environment (e.g., PCI, HIPAA, FERPA).

Significant business or operational practice change that would affect how we provide instructions, directions, or help.

Any change that requires a notice on the UTS home page or a campus notification.

Installation or decommission of a server in a secured datacenter facility.

Any new server configuration, rack, or other changed architecture prior to purchase. 

Any wiring work that will be performed above the ceiling or under the tile floor in any facility that has a fire suppression system.

Changes on any system that affect backup, restore, disaster recovery or business continuity.

Changes that require third-party or vendor access to a secured datacenter facility or remote access to a system.

Significant changes to financial systems.

Change to any network device determined to be in-scope for regulatory compliance (e.g., PCI, HIPAA).

Introduction or discontinuance of an information technology resource, virtualized server or resource, or service.

Periodic review of firewall and router rules per Policy #850.

Change Management items will be considered complete when all of the following items have been addressed:

Security has been reviewed, risk assessment completed, and all identified issues and vulnerabilities have been addressed.

Permanent location is assigned and recorded.

Installation is complete.

Backup and restore have been tested and verified.

Start-up and shutdown procedures are documented for Operations.

Business continuity and disaster recovery procedures are documented for Operations.

Architecture diagram has been updated.

Inventory database has been updated.

Communication plan has been implemented.

Production date is processed.

Service level agreement is complete.

Identity management and access controls are complete.

The Security Advisory Group reviews the firewall implementation for the Firewall Rule Change process. This group is charged with defining the default firewall implementation. Requests to change the firewall are submitted on the Firewall Change Request Form. The request will be reviewed for compliance with university policies by the Security Advisory Group.

When to Contact UTS

Please contact us as soon as you are aware that you have a potential information technology project that may involve existing or new centralized services or if you are planning an event that requires network access. Also, please contact us if there is an urgent technology issue or security issue.  Any issue related to Banner, servers, or telephones should be reported to UTS. 

Please contact us to report any accessibility issues or other regulatory issues.

Also, UTS staff members are ready to assist you with your software, web site service, or other information technology procurement initiative.  Contact UTS by following the Campus Software, As a Service Providers, Hosted Solutions, Web Sites, Apps, Tools and Services guidelines.  

If considering development, please contact us after you review the Web Development Guidelines and Accessibility Toolkits section.

The best method to initiate contact is by sending e-mail to uts@oakland.edu.  Systems monitoring and operations are handled 24 hours a day, 5 days a week, on regularly scheduled weekdays, during standard business hours, 8 AM to 5 PM.  Extended support hours may be available.  When possible, UTS will attempt to extend the business day through flexible scheduling.  The extended day is generally from 7:30 AM to 6:00 PM on regularly scheduled weekdays. Extended service is not guaranteed. 

Goodwill service may be available at other times, such as nights, weekends, and holidays.  Goodwill service is not guaranteed.  Goodwill service refers to UTS staff members casually monitoring systems and notifications during their personal time.  We do not have an on-call scheduled rotation due to staffing limits.

Scheduled support service for a specific event can be arranged in advance through planning by contacting UTS at least 6 weeks prior to the planned event.  If support requests are expected over major holidays (4th of July, Thanksgiving, Christmas, holiday break), the request should be submitted 6 months in advance.  

UTS will respond to critical requests within 4 hours of receiving a report within standard support hours.  A best effort response will be provided at other times.  UTS will immediately respond to emergency situations as defined in the Oakland University Emergency Response Plan and the Desktop Emergency Guide.  

Copyright: Plan for Compliance

It is the policy of Oakland University to comply with copyright law (Policy #890 Use of University Information Technology Resources, note section II, c).  Sanctions for policy violations are described in section IV.  Please note the following UTS plan for combating illegal file sharing. We run a large research network, and a ban of peer-to-peer traffic could have the effect of disrupting legitimate network traffic. We seek to avoid high-cost solutions that would add charges to the environment (leading to additional student fees or an increase in tuition).

Sharing movies and music is fun and easy, but it can be a legal issue and a violation of university policy if done incorrectly and illegally. Lawsuits initiated by the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have resulted in financial issues for students. There are a number of websites that provide music and movie files that can be downloaded legally, or that provide additional information about downloading.  Music, movies, photos, images displayable on computer screens, computer software, books, magazines, scientific and other journals are some of the things subject to copyright. A copyright notice is not required.

It is a violation of copyright law to copy, distribute, display, exhibit, or perform copyrighted works without the authority of the copyright owner. Copyright infringement is the act of exercising, without copyright owner permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code), subject to exceptions contained in 17 U.S.C. §§ 107 and 108 (http://www.copyright.gov/title17/92chap1.html). Protected copyright rights include the right to reproduce or distribute a copyrighted work. In the file-sharing context, sharing, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement. Penalties for copyright infringement include civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or "statutory" damages affixed at not less than $750 and not more than $30,000 per work infringed. For "willful" infringement, a court may award up to $150,000 per work infringed. A court can, in its discretion, also assess costs and attorneys' fees. For details, see Title 17, United States Code, Sections 504, 505. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense. For more information, please see the website of the U.S. Copyright Office, especially the FAQs.

We use technology-based deterrents to combat illegal file sharing.

For Oakland University's academic and administrative campus network, all traffic to and from the well-known addresses for the top three peer-to-peer sharing sites is blocked.  In addition, all unsolicited inbound traffic is denied to user desktops, preventing clients from being dedicated servers of copyrighted material.  The network is also continually monitored for anomalous traffic patterns which may be indicative of P2P super-nodes.  Moreover, recent firewall upgrades have included the potential to provide additional bandwidth shaping and proactive notification services.

For Oakland University's residence network, there is an additional technology that shapes bandwidth using algorithms that flatten traffic spikes and provide relatively equal use of the network for everyone on that segment.  This restricts large bandwidth users from becoming P2P super-nodes.

We actively educate students about copyright and peer-to-peer file sharing issues. 

We publicly post our policies, and we have an "appropriate use" policy that governs all IT systems and networks – Policy #890 Use of University Information Technology Resources. It specifically states in section II c. "Using Resources to download or share copyrighted music, movies, television shows or games without the permission of the copyright owner may result in sanctions." Sanctions are described in the policy, and do include disabling network access.

Students have to agree to abide by Policy #890 every time they register to use the network and when they access key systems, such as MySAIL.

We teach students about copyright and illegal downloading during orientation. It is reinforced in the printed Golden Grizzly Guide that every new student receives.

File-sharing is covered in the Student Handbook and in Residence Halls materials.

We actively measure the effectiveness of the program by measuring and monitoring the number of complaints we receive. 

We provide information about legal alternatives to illegal peer-to-peer sharing of materials. 

The material is posted on this website.

Other linked material at this site provides information on civil and criminal liabilities and summary information about penalties in federal copyright laws.

Also, every time students log into the MySAIL portal, the link for legal alternatives is presented with all other critical university systems (Webmail, Moodle, SAIL, etc.).

When complaints occur, we take the following actions: 

We receive the notice from a copyright monitoring group representing an industry group such as the Recording Industry Association of America or the Motion Picture Association of America. This is processed with two actions: a violation of the Digital Millennium Copyright Act, which is a legal issue, and a violation of university policy, which is a university conduct issue.

We verify the validity and format of the complaint.  If the complaint is invalid, the Chief Information Officer will make a good-faith effort to notify the copyright agent with the reason that the notice is invalid.

The format may be a DMCA notice, a pre-litigation settlement notice, or a preservation letter.  

We identify the individual and immediately block network access to the content (which is the legal issue) and block access for the individual (in response to the conduct issue). 

If a preservation letter is received, the university will comply and preserve the requested information, and will also handle the letter as a DMCA notice.  The material will be preserved at least 30 days, and not longer than 1 year, unless otherwise advised by the Office of Legal Affairs.

We send a letter and a copy of the notice to the individual.

Legally, the individual has an option to file a counter-notice.

The individual may be subject to further legal action from the industry (a subpoena or early settlement letter may be issued).

Students must visit the Dean of Students to handle the policy issue. The Dean of Students provides a refresher view of copyright infringement. Students pay a fine to cover the costs of the process. The student then visits University Technology Services and reviews materials about copyright.

We review the computer with the student to make sure the infringing material has been removed, and then we reconnect network access for the student.

In all cases, students must decide how to handle the matter.  Students who receive pre-litigation settlement notices or preservation letters would be well-advised to consult an attorney promptly.

Complaints for employees are processed in accordance with university policy and employment contracts. 

Electronic Signatures

It is the policy of Oakland University to comply with federal and state law, where applicable, for electronic signatures. The applicable federal law is the Electronic Signatures in Global and National Commerce Act (ESIGN). The applicable Michigan law is the Uniform Electronic Transactions Act (UETA).

The term "Electronic Signature" is generally defined as letters, characters, symbols, or sounds, that are attached to or logically associated with a contract, document, or other record, and executed or adopted by a person with the intent to sign or authenticate an electronic document or transaction.  Electronic signatures are not the same as digital signatures, which have a higher security and privacy standard.  Generally, electronic signatures are used to sign a document, eliminating the paper-routing overhead and adding efficiency.

The intent of the law describing electronic signatures was to state that a signature, contract, or other record relating to a transaction may not be ruled invalid or unenforceable solely because it is in electronic form.

To evaluate if an electronic signature meets the legal standard, the following must be evaluated:

What category of document or transaction is being signed?  A contract, for example, must follow the standard.  Other document or transaction approval types may need to achieve compliance with the standard by university policy.

The signatory must be uniquely identified and linked to the signature.  Approval identities may not be shared. 

The signatory must have the sole control of the private key that was used to create the electronic signature.  For example, someone walking up to a computer should not be able to access, process, or execute an electronic signature belonging to someone else who uses the same computer.

The signature must be capable of identifying if its accompanying data have been tampered with after the document or material was signed.  In general, the document or data on the document are intentionally frozen at the moment of signature.  An audit trail appropriate to the process must be created.

In the event that accompanying data have been changed, the signature must be invalidated.
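As an added illustration (not Oakland University's own process or code), the following Go program models the criteria above using the standard library's Ed25519 signatures: a signatory uniquely identified by an assumed NetID-style identifier and bound to a registered public key, a document digest frozen at the moment of signing, a signature that is invalidated if the document or the signer identity is altered afterwards, and an audit trail entry for each verification. The identifiers, registry and sample leave report are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedRecord binds one signer identity to one frozen document.
type SignedRecord struct {
	SignerID  string // assumed: a campus NetID that uniquely identifies the signatory
	SignedAt  string // RFC 3339 timestamp captured at the moment of signature
	DocDigest string // SHA-256 of the document content, frozen at signing
	Signature []byte // Ed25519 signature over SignerID, SignedAt and DocDigest
}

// AuditEntry is one line of the audit trail kept for the signing process.
type AuditEntry struct {
	Event    string // "verify"
	SignerID string
	When     string
	Valid    bool
}

// Registry maps each signer identity to the public key registered for it.
// The private key stays solely with the signer and is never stored here.
type Registry map[string]ed25519.PublicKey

func digest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// signingInput is the exact byte string the signature covers; including the
// signer identity and timestamp means the signature cannot be moved to another
// signer or re-dated without failing verification.
func signingInput(signerID, signedAt, docDigest string) []byte {
	return []byte(signerID + "|" + signedAt + "|" + docDigest)
}

// Sign freezes the document by digest and signs it with the signer's private key.
func Sign(signerID string, priv ed25519.PrivateKey, doc []byte, now time.Time) SignedRecord {
	rec := SignedRecord{
		SignerID:  signerID,
		SignedAt:  now.UTC().Format(time.RFC3339),
		DocDigest: digest(doc),
	}
	rec.Signature = ed25519.Sign(priv, signingInput(rec.SignerID, rec.SignedAt, rec.DocDigest))
	return rec
}

// Verify checks a record against the document as presented now and the public
// key registered for the claimed signer. It returns false, invalidating the
// signature, when the signer is unknown, the document content has changed since
// signing, or the signature does not match the registered key. Every check is
// appended to the audit trail.
func Verify(reg Registry, rec SignedRecord, doc []byte, audit *[]AuditEntry) bool {
	valid := false
	pub, known := reg[rec.SignerID]
	if known && digest(doc) == rec.DocDigest {
		valid = ed25519.Verify(pub, signingInput(rec.SignerID, rec.SignedAt, rec.DocDigest), rec.Signature)
	}
	*audit = append(*audit, AuditEntry{
		Event: "verify", SignerID: rec.SignerID,
		When: time.Now().UTC().Format(time.RFC3339), Valid: valid,
	})
	return valid
}

func main() {
	// Constructed sample: one approver with a key pair and one leave report.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{"approver1": pub}
	var audit []AuditEntry
	report := []byte("leave report: 8 hours sick leave, 2024-03-01")

	rec := Sign("approver1", priv, report, time.Now())
	fmt.Println("original verifies:      ", Verify(reg, rec, report, &audit))

	// Accompanying data changed after signing: the signature must be invalidated.
	altered := []byte("leave report: 80 hours sick leave, 2024-03-01")
	fmt.Println("altered verifies:       ", Verify(reg, rec, altered, &audit))

	// Signature re-attributed to a different identity: also invalid.
	forged := rec
	forged.SignerID = "someone-else"
	fmt.Println("re-attributed verifies: ", Verify(reg, forged, report, &audit))

	for _, e := range audit {
		fmt.Printf("%s signer=%s valid=%v at %s\n", e.Event, e.SignerID, e.Valid, e.When)
	}
}
```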

Examples of valid electronic signatures in the Oakland University environment:

Approval of leave reports within Banner Sail.

Online routable forms in PerfectForms.

An email sent from an Oakland University individual account.

Agreement and submission of an admissions application.

Banner approval of journal vouchers.

Each of these processes has been reviewed for authenticated signatures and documented audit trails.  Other processes may use electronic signatures if the process meets the stated standards. Please contact UTS if you need to review your process.  If there are questions about whether an electronic signature is required or appropriate for a process or document, please contact the Office of Legal Affairs for review.  To review the appropriateness of the audit trail, please review the process with the Controller or with Internal Audit.

Information Security Plan

The designated Security Advisory Group program administrators are Theresa Rowe, Chief Information Officer, and Dennis Bolton, Information Security Officer.   The Security Advisory Group, chaired by the Information Security Officer, supports information technology directions and work activities.  Members are designated UTS employees with security responsibilities.  Additional security advice is provided by all advisory groups identified in the Governance Process.

The Information Security Plan includes all the documentation on this page and includes the following specific items:

Security Information is provided as a Common Good Core Resource.

System management and controls, including implementation of university policy #880 Systems Administration Responsibilities. Systems management includes risk assessment, life cycle management, security review, and verification of critical systems by external audit. Procedures for system security review are located in the Systems Security Review Process.

Operational controls, including documentation of access, authentication, authorization, accounting, physical controls, and separation of duties.

Compliance with laws, regulations and mandates, including Payment Card Industry - Data Security Standard, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act, and others.  Annual audits for compliance in key areas are done.

Firewall rule changes.

Identity access controls and password management.

Backup, restore and disaster recovery planning and verification.

Security incident handling. Please review the document Incident Response Process.

Information Security as implemented in university policy #860 Information Security.

Security practices, emphasizing compliance with State of Michigan law for Personally Identifiable Information.

University Technology Services reviews current risks, incidents, responses, and alerts in a weekly departmental Change Management meeting.  The Security Advisory Group determines baseline security practices.  Baseline security practices at this time include mandated patch management of operating systems, anti-virus and anti-malware protection, and disabling unneeded services and ports.  Also included are multiple levels of access controls:

Network access control and registration using NetID identity and access control management.

Local area network and role-based control using ADMNET identity and access control management.

System and computer local login credentials.

Enterprise data access controls managed through the Banner environment.

UTS annually engages in a data security review, a review of this plan, and a review of all security information on this site. This review is coordinated by the Chief Information Officer, reviewing results with Internal Audit. UTS, in consultation with the Security Advisory Group, develops and administers a Security Awareness Program.

University Technology Services complies with all audit procedures provided for by Oakland University Internal Audit and State of Michigan auditors. University Technology Services periodically engages an external vendor to perform risk analysis of information technology resources.

The Network Architecture Security Practices document provides a description of documented security standards for the installation and operation of the Oakland University network. Additional information about network access is on the Networking site.  Also, Internet connectivity is covered by the policies of Merit Network, Inc.: Merit Network, Inc. MichNet Policies (http://www.merit.edu/policies/).

Priorities

We seek to prioritize projects that are in alignment with university strategic initiatives; highest priority is given to projects approved by Vice Presidents, Associate VPs, Assistant VPs, or Deans, aligned with University strategic goals and initiatives, and with strong sponsorship and committed resources.  Please review #830 Information Technology.

Our top priorities are:

Strategic initiatives.

Production systems or Internet connectivity unavailable.

Mitigation of university risk by improving availability and improving security.

Critical technical projects identified by priority analysis, targeting required technology upgrades, preserving technical investment, or removing technical obsolescence. Technical currency is assessed by actual age, technical age, project dependencies, technical obsolescence, and other factors.  Maintenance of a quality technical environment by replacing components every 5 years (or 20% of the foundation each year).  

Compliance with government, legal, or regulatory mandated processes or initiatives.

All remaining work is prioritized by date of project submission, with consideration for the following factors:

Data integrity issues.

Design for resilience and redundancy, performance of release and patch installs, and other activities that support a highly reliable technical environment.  

Projects approved by information technology advisory committees in the Governance structure.

Assessment of impact on the university mission.

Scope of repair or service interruption: campus, department, individual.

New system install, requested activation or move.

Project dependencies, noting that an orderly set of project tasks provides constant forward momentum.

Banner releases are installed by evaluation of priority. Minor Banner releases are installed into a test region within 90 days of Banner release.  Data stewards have 30 days to test, unless the data steward requests a longer testing period or passage of a specific event, particularly with releases that cross modules.  Releases are installed in production 30 days after last notice.  Major releases are installed after approval by the data stewards, with delays or conflicts managed by the Banner Operating Committee.  Also, major changes to Banner Finance are reviewed in Change Management prior to production installation.

UTS generally does not modify vendor delivered products. Please note that all data entry, changes, alterations, deletes and corrections must be done in accordance with university Policy #860 Information Security. This is especially true for Banner. Examples of data maintenance are merging of duplicate records, correcting gift records, altering data for correction based on a vendor contact, or other unusual situations where the data cannot be fixed using a standard Banner form or process. Procedures related to Policy #860:

Production data will not be altered, changed, added or deleted without prior approval from the assigned data steward.  

Acceptable data sources and values must be approved by the assigned data steward.

One time data corrections, such as the merge of individual records or fixing a record, will be done by UTS as long as there is a ticket for each individual fix needed.

Data entry, corrections or updates that are ongoing and repeating must be turned into a job that is executed by the data custodian or data steward.  Jobs must use established data relationship rules and standard application programming interfaces (APIs).  The data steward must have approved data update access.

Volume of data maintenance does not automatically mean that a process should be developed. First, every effort must be made to use Banner delivered forms and processes for volume data entry and maintenance. If an alternative for volume data maintenance is still required, a Request for Product Enhancement must be filed with Ellucian. Other desktop tools (such as an automated data update tool) must also be considered. A good business case must be made for automating data maintenance if the volume of data entry cannot be processed using Banner forms, Banner processes or desktop tools. The business case must be approved by UTS leadership prior to development.

The data steward or custodian must be able to confirm a fixed population and guidelines for application of data changes.

The data steward or custodian must have a test plan to confirm the quality of the data change, which will be done in test mode and approved prior to a production run.

Banner data changes and corrections must first be reviewed with Ellucian and Ellucian directions for data change or correction must be submitted with the change request ticket, approved by the data steward.  Similar procedures are required for other products and applications. 

Privacy

The following informational documents on privacy may be useful guidelines.

Student Records Privacy - FERPA
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Privacy Technical Assistance Center - U.S. Department of Education (http://ptac.ed.gov/)

University Web Privacy Statement 

G Suite Security and Privacy

Third Party Access to an account is allowed only under specific circumstances and within policy guidelines. The process for requesting and handling third party access is described in the Third Party Access Procedures.

There are state and federal laws protecting data privacy.  University Policy #860 Information Security provides guidance for compliance with these laws. Data classified as Confidential in university policy should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption. Data, information, and documentation covered by Non-Disclosure Agreements should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption. OU data are protected and require an OU response to a data breach, even if those data are stored on a personally owned device.  All device thefts that involve storage of OU data must be reported to OUPD. We recommend that Confidential data be stored on encrypted departmental share drives or in OakShare (https://files.oakland.edu). Mixing personal matters and university data on one device can complicate police investigations. Recent backups of laptops and proof of encryption can reduce university exposure in the event of theft. The exposure of personally identifiable information can result in assessments estimated to be $15 per record, not including time and inconvenience.  This cost may be shared with the department.

IT Risk Management

The following information is intended to provide university employees with information and tools to properly assess, mitigate and manage risk related to information technology resources. In particular, employees should be aware of responsibilities assigned as systems administrators in Policy #880 Systems Administration Responsibilities. The following events are considered to be emergencies and should be reported immediately:

An entry or attempted entry via unauthorized access in any OU information system or resource.

Any process or technology that attempts to use university-owned systems as a conduit for unauthorized activity on another system, that targets systems for unauthorized activity, or that is used to make physical threats, create suspicious or fraudulent communications, commit fraud, or commit any illegal or criminal activity.

Failure of the telephone system or electrical systems.

Damage due to fire, water, lightning, storms, tornado, or physical break-in, or other property damage.

Emergency failure of an enterprise system.

Theft, loss or corruption of university critical information technology assets, including data.

Violations of any university information technology policy.

Impersonation or unauthorized use of identity.

Events should be reported by email to uts@oakland.edu. Crisis events occurring during non-regular business hours may be reported to the OU Police Department at 248-370-3331.

Thefts of Oakland University technology should be reported to the OU Police Department at 248-370-3331.  We will work with the technology user to assess risk by following the Incident Response Process.  

University Technology Services can assist your department with Risk Assessment. Please review this Risk Assessment Checklist when:

Evaluating the information technology risk for a department.

Changing the data management or technology management of your operation.

Considering purchase of a new information technology resource.

Considering the outsourcing of an information technology or data management operation.

Staff or processes change, or on a regular audit basis, periodically or annually.

Processing payment card, credit card or medical data.

IT Service Providers, Outsourcing, Hosted Solutions, Web Sites, Software Solutions, and Application Service Providers

The following information is intended to provide university employees with information and tools to properly assess, mitigate and manage risk related to outsourcing, hosted solutions, software as a service (SaaS), and application service providers (ASP), commonly known as "web sites". To begin a project involving an outsourced, hosted, SaaS, or ASP solution, please review this Checklist. A vendor security review must be completed as part of this process; vendors must complete the Security Statement and provide a documented response.  If University data are involved, language that protects the security and privacy of data is required in agreements and contracts; please coordinate with the Purchasing department. Note that sending university data off-site requires compliance with the Information Security Advisory Group policy #860 Information Security, following the procedures for Secure File Transmission and Encryption.

Social Networks

Oakland University faculty may choose to use web-enabled software and social network tools in instruction.  Such tools may include alternative online learning systems, chat rooms, blogs, collaborative workspaces, wikis, and podcast/video sites.  These learning tools may offer positive potential for engaging students in learning.  However, there may be privacy concerns or service reliability concerns when an instructor chooses to use a non-Oakland University tool in instruction.

General Recommendations are covered in a list below, starting with university policy:

Review Oakland University policy #860 Information Security.  Know the data elements classified as Confidential, particularly under the Family Educational Rights and Privacy Act (FERPA), and how they apply to your course.  In particular, note whether participation by people outside the enrolled class is allowed; this may be a violation of FERPA.

Become familiar with the question:  Where is it stored?  Understand when you are creating and storing your course data and other information using campus information technology resources, and when you are storing data in off-campus or third-party technologies. 

Note that software licenses, application service provider contracts and other agreements must follow university standard procedures, particularly as they apply to Procurement and Purchasing.

Instructional materials are often protected by copyright law.  Further, some service provider agreements claim rights to use the content created or uploaded to the technology solution.  Review carefully so that you do not share intellectual property that you are not entitled to, or do not want to, share.

Communicate with your students.  Make sure your students understand when they are sharing material in off-campus social networks, tools, and technologies.  Your students may be uncomfortable with such storage; determine if participation is a requirement, or if you need to have alternative plans.

Web and IT Accessibility Guidelines and Procedures

Rationale

Oakland University (the University) is committed to enabling equally effective access to information through information technologies, databases, services, and resources, including that all information provided through the University's website(s) (i.e., online content) is accessible to students, prospective students, employees, guests, and visitors with disabilities, particularly those with visual, hearing, or manual impairments or who otherwise require the use of assistive technology to access information.  This commitment is consistent with the Common Good Resources Philosophy that underlies Information Technology (IT) services and resources provided by University Technology Services (UTS).

Definition

"Accessible," as used in these Web and IT Accessibility Guidelines and Procedures (Guidelines), means a person with a disability is afforded the opportunity to acquire the same information, engage in the same interactions, and enjoy the same services as a person without a disability in an equally effective and equally integrated manner, with substantially equivalent ease of use.  A person with a disability must be able to obtain the information as fully, equally, and independently as a person without a disability.  Although this might not result in identical ease of use compared to that of persons without disabilities, it still must ensure equal opportunity to the educational benefits and opportunities afforded by the technology and equal treatment in the use of such technology.   

Guidelines and Procedures

  • Technical Standards

The applicable oversight policy for these Guidelines is Administrative and Procedures #890 Use of University Information Technology Resources.  

The University has also adopted widely accepted technical standard(s) to determine whether University online content is accessible.  The standards with which University online content must conform are listed here, with current versions as announced from time to time by UTS:

W3C WAI Web Content Accessibility Guidelines version 2.0 Level AA, including Level A

WCAG2ICT Guidance on Applying WCAG 2.0 to Non-Web Information and Communications Technologies 

The standard definition for technology covered by the technical standards is Electronic and Information Technology (EIT); the international term as updated in 2017 is Information and Communication Technology (ICT) and University materials may refer to either label.

  • Management

These Guidelines will be coordinated and managed by the University's Chief Information Officer (CIO) with counsel from the University IT Accessibility Committee.  The CIO has authority to allocate resources to fulfill the intent of these Guidelines and all other commitments relating to technological accessibility.  The CIO will chair and be advised by the University IT Accessibility Committee, which was created as part of the IT Governance structure, given the following charge:

  • To review public-facing University web sites, content, and ICT for compliance with applicable law.
  • Evaluate and recommend possible tools and technologies for use in achieving compliance.
  • Create, identify, or provide training and educational materials needed to achieve compliance and create a culture of compliance.
  • Prioritize projects, recommend policy changes, and recommend procedural changes.
  • Provide ICT recommendations to, and address issues identified by, the Department of Disability Support Services.
  • Provide ICT recommendations to, and address issues identified by, the Center for Excellence in Teaching and Learning, in support of the Universal Design for Learning initiative.

The University IT Accessibility Committee is composed of the following members:

  • Chief Information Officer, Chair and ICT Officer
  • Director, Marketing, Web, and Digital Services - Communications and Marketing and primary lead for all design and content in the University content management system, within oakland.edu domain
  • Director, Disability Services
  • Director, Center for Excellence in Teaching and Learning
  • Director, E-Learning and Instructional Support
  • University Risk Manager
  • Assistant Vice President and Controller
  • Director of Purchasing
  • Manager Library Technology Services, Kresge Library
  • Director IT Services Alliance
  • Senior Application Architect

Communications and Marketing (C&M) and UTS will coordinate review, monitoring, and update of ICT within the University centralized content management system.  UTS will coordinate review, monitoring, and update of ICT outside the centralized content management system.  Such reviews will be conducted annually or more frequently as needed.

The Center for Excellence in Teaching and Learning (CETL) will provide support, educational materials, and guidelines for faculty based on using Universal Design for Learning (UDL) principles.  Members of the University Accessibility Committee may serve on CETL advisory groups from time to time in support of UDL initiatives.  

  • Third-Party Vendors

All University online content and information obtained through online content provided or developed by third parties, e.g. vendors, service providers, video-sharing websites such as YouTube, or other open sources (collectively Vendor) must be accessible to afford equal opportunity to the educational benefits and opportunities afforded by the technology and equal treatment in the use of such technology.

Those individuals responsible for making recommendations about which Vendor products and/or services to procure must consider accessibility as one of the criteria for acquisition.  The University IT Accessibility Committee will assist employees in this endeavor.

All requests to acquire Vendor products and/or services should be directed to the Purchasing Department.  UTS will assist the Purchasing Department and work with potential Vendors to review the full Security and Compliance Statement, including obtaining a relevant Voluntary Product Accessibility Template or similar documented attestation from the Vendor.  If there are issues that prevent the Vendor from meeting accessibility standards, the Vendor must describe its current ongoing efforts to address those issues in a timely manner.  UTS will also work with the University's Office of Legal Affairs for accessibility assurances and ongoing accessibility compliance in negotiated contract language, as may be necessary.

Selection of a Vendor product or service that does not meet minimum accessibility standards will be handled as a policy exception under standard University policies, and only accepted if the Vendor can provide a timetable for compliance that is acceptable to the University.

Additional information that may be helpful for the procurement process includes the Campus Software Process and the IT Service Providers, Outsourcing, Hosted Solutions, Web Sites, Software Solutions and Application Service Providers Guidelines.

  • Training

Annual training will be available for any staff (e.g. administrators, faculty, support staff, student employees) responsible for creating or distributing information with online content to students, employees, guests, and visitors with disabilities, including, but not limited to, education on these Guidelines and their roles and responsibilities to ensure that web design, documents, and multimedia content are accessible.  The training and education will be provided, in whole or in part, by qualified personnel with sufficient knowledge, skill, and experience to understand and employ the technical standards adopted by the University, or through an online training/education program vetted by said qualified personnel.  Failure to complete any required training, particularly for the centralized content management system, will result in removal of access.

See also the following useful information about ICT accessibility in higher education:

UTS and C&M have partnered to create documentation about policies and guidelines to assist individuals and departments considering web development.   Please review Web Development Guidelines if you are considering customized web development.

UTS has also created a knowledge base for reference.  The knowledge base, Accessibility Efforts and Toolkits, provides material for education, training, and testing.  Also, a short summary of ongoing efforts is presented; more information about projects and progress is available by sending an email request to uts@oakland.edu. 

  • Compliance and Audits

Activities to demonstrate consistent progress toward a culture of compliance will be monitored and documented, with periodic review and priority assessment completed by the University IT Accessibility Committee.  Legacy ICT must be updated to be in compliance in a timely way and as prioritized by the University IT Accessibility Committee.  Each University college, department, program, or unit will make available a timetable for updating, transitioning, or removing legacy ICT upon notification that the ICT is not in compliance.  Failure to address issues may result in ICT removal or removal of access for the individual assigned to maintain ICT.

In addition, an annual accessibility audit will be completed at the direction of the CIO, during which information provided by the University through its online content is measured against the technical standards adopted in these Guidelines (Audit).  The CIO may also conduct more frequent and/or limited-targeted Audits at the CIO's discretion.  All problems identified through the Audit will be documented, evaluated, reviewed for priority by the University IT Accessibility Committee, and if necessary, remediated within a reasonable period of time.

  • Reporting Violations

Please contact us to report any accessibility issues or violations of the technical standards used by the University, or to submit requests for assistance.  The best method to contact us is by sending e-mail to uts@oakland.edu with a copy to Theresa Rowe, Chief Information Officer, Oakland University, Dodge Hall, Room 220, at rowe@oakland.edu, or by calling 248-370-2100.  Reports will be promptly reviewed by UTS staff members.  If needed, project priorities or best practice directions will be reviewed and handled by the University IT Accessibility Committee.  Individuals may also file a formal complaint through the University's Section 504 and Title II grievance procedure.

Backup and Recovery

University Technology Services provides a backup and recovery service for datacenter services.  Please review Storage and comparison options posted on the UTS site. 

References

December 2017