Policies and Guidelines
We value responsible use of information technology resources. We have assembled this list of policies and guidelines to provide information technology users a secure and reliable experience. The following policies are related to information technology and are available at the Oakland University Administrative Policies and Procedures site and the Office of Legal Affairs site.
The following standardized message is displayed when logging into provided services:
Usage of all Oakland University systems, services and networks is governed by official OU IT and Security Policies. By accessing these resources you agree to use all information technology resources responsibly and comply with University policies and guidelines.
By accessing Banner and other university-provided password protected systems, you agree to the following Security statements:
- You are entering a secure area. Please do not share your ID or password, as you are responsible for changes made with your ID and permission.
- All students, alumni, faculty, staff, and guests are expected to use information technology resources in compliance with University policies.
- Execution of scripts or otherwise attempting to circumvent standard login procedures is not permitted.
- All university employees are reminded that the Family Educational Rights and Privacy Act (FERPA) prohibits the release of any student information (except information classified as directory information) to any person outside the university community or to any university personnel without a legitimate educational reason to know. In addition, there are OU students who have requested that even directory information about them not be released. These students will appear in Banner with the message "Warning: Information about the person is confidential." Also, the word "CONFIDENTIAL" appears.
A description of information technology governance is available in the document Governance. The CIO is responsible for coordinating governance and IT policy. Policies are reviewed and updated annually as needed; Oakland University recommends that policies be updated at least every five years. The CIO leads UTS staff members in the drafting of new IT policies or updates to existing IT policies. The governance process requires that the appropriate advisory committees then review and update the drafted policy. The policy approval process then flows:
- University Senate Academic Computing Committee
- Administrative Council with review by General Counsel
- Academic Council
- Deans Council
- President's Council, final approval
- Posting on the university policy site
The CIO provides ongoing status updates about policies to the Chief Operating Officer, who is informed at every step of the process.
Access, Accounts, and Password Management
All new employees are introduced to and agree to abide by University technology policies during the hiring process with the appropriate hiring office. Information about UTS provisioning systems, account termination, and application access can be found in Accounts.
Account access policies are defined in Policy #890 Use of University Information Technology Resources, Procedures, Section III Access to Resources.
Access to specific data is generally limited by need to know, job responsibilities, supervisor approval, data steward approval, and university Policy #860 Information Security. Access to certain enterprise systems is administered by University Technology Services.
The authorizing body that created an account must authorize emergency or non-standard account termination, with review by General Counsel if required by Policy #890 Use of University Information Technology Resources:
- Employee account termination is processed through University Human Resources.
- Faculty account termination is processed through Academic Human Resources.
- Student account termination is processed through the Dean of Students.
Third Party Access to an account is allowed only under specific circumstances and within policy guidelines. The process for requesting and handling third party access is described in Third Party Access Procedures.
Change and Architecture Management
Change Management is a process for handling changes so that changes are efficient, organized and minimally disruptive to the existing technology environment. Changes typically represent new components in the architecture.
Architecture Management is a process for handling routine maintenance and updates to the existing architecture so that the handling is efficient, organized and minimally disruptive to the technology environment. Architecture Management items typically do not require new or additional testing; prior testing has yielded a commonly used, standardized and repeatable practice. A fail-back and recovery plan is already in place. Items do not require a communications plan, have minimal impact, and have minimal or no risk as identified through a prior risk assessment. Architecture Management items are usually handled in the Wednesday morning maintenance window (midnight to 8:00 AM).
When a task, process or project meets any of the following listed criteria, a Change Management request must be completed.
Changes are thoroughly tested prior to submission to the Change Management Committee. Change Management plans must address failure back-out, performance, security, availability, reliability, impact, risk assessment and functionality.
The Change Management Communications Plan must be submitted and reviewed with the Change Management request. Projects of large or significant scope will require the presentation of a Change Management Communications Plan in writing to the Change Management Committee.
Requests submitted to Change Management must be reviewed and approved by the Change Management committee, which meets every Monday morning. The individual submitting and performing the tasks in a Change Management ticket is welcome to attend the Change Management Committee meeting, and is encouraged to do so to facilitate change planning. Changes must be submitted by 3 PM Friday for inclusion on the Change Management review report for the following Monday.
Change Management Criteria:
- Planned production outage of a significant operation or service.
- Business interruption of any type during regular business hours (8 AM to 8 PM, Monday through Friday), or academic interruption of any type on any day or time within a term.
- Changes to a client interface or a client service, including service names, URLs, SSIDs, and other names that clients use regularly.
- Significant business or operational practice change that would affect how we provide instructions, directions, or help.
- Any change that requires a notice on the UTS home page or a campus notification.
- Installation or decommission of a server in a secured datacenter facility.
- Any new server configuration, rack, or other changed architecture prior to purchase.
- Any wiring work that will be performed above the ceiling or under the tile floor in any facility that has a fire suppression system.
- Changes on any system that affect backup, restore, disaster recovery or business continuity.
- Changes that require third-party or vendor access to a secured datacenter facility or remote access to a system.
- Significant changes to financial systems.
- Change to any network device determined to be in-scope for regulatory compliance (e.g., PCI, HIPAA).
- Introduction or discontinuance of an information technology resource, virtualized server or resource, or service.
- Periodic review of firewall and router rules per Policy #850.
Change Management items will be considered complete when all of the following items have been addressed:
- Security has been reviewed, risk assessment completed, and all identified issues and vulnerabilities have been addressed.
- Permanent location is assigned and recorded.
- Installation is complete.
- Backup and restore have been tested and verified.
- Start-up and shutdown procedures are documented for Operations.
- Business continuity and disaster recovery procedures are documented for Operations.
- Architecture diagram has been updated.
- Inventory database has been updated.
- Communication plan has been implemented.
- Production date is processed.
- Service level agreement is complete.
- Identity management and access controls are complete.
The Security Advisory Group reviews the firewall implementation for the Firewall Rule Change process. This group is charged with defining the default firewall implementation. Requests to change the firewall are submitted on the Firewall Change Request Form. The request will be reviewed for compliance with university policies by the Security Advisory Group.
When to Contact UTS
Please contact us as soon as you are aware that you have a potential information technology project that may involve existing or new centralized services or if you are planning an event that requires network access. Also, please contact us if there is an urgent technology issue or security issue. Any issue related to Banner, servers, or telephones should be reported to UTS. The best method to initiate contact is by sending e-mail to email@example.com. Systems monitoring and operations are handled 24 hours a day, 5 days a week, on regularly scheduled weekdays, during standard business hours, 8 AM to 5 PM. Extended support hours may be available. When possible, UTS will attempt to extend the business day through flexible scheduling. The extended day is generally from 7:30 AM to 6:00 PM on regularly scheduled weekdays. Extended service is not guaranteed.
Goodwill service may be available at other times, such as nights, weekends, and holidays. Goodwill service is not guaranteed. Goodwill service refers to UTS staff members casually monitoring systems and notifications during their personal time. We do not have an on-call scheduled rotation due to staffing limits.
Scheduled support service for a specific event can be arranged in advance through planning by contacting UTS at least 6 weeks prior to the planned event. If support requests are expected over major holidays (4th of July, Thanksgiving, Christmas, holiday break), the request should be submitted 6 months in advance.
UTS will respond to critical requests within 4 hours of receiving a report within standard support hours. A best effort response will be provided at other times. UTS will immediately respond to emergency situations as defined in the Oakland University Emergency Response Plan and the Desktop Emergency Guide.
Copyright: Plan for Compliance
It is the policy of Oakland University to comply with copyright law (Policy #890 Use of University Information Technology Resources, note section II, c.). Sanctions for policy violations are described in section IV. Please note the following UTS plan for combating illegal file sharing. We run a large research network, and a ban of peer-to-peer traffic could have the effect of disrupting legitimate network traffic. We seek to avoid high-cost solutions that would add charges to the environment (leading to additional student fees or an increase in tuition).
Sharing movies and music is fun and easy, but it can be a legal issue and a violation of university policy if done incorrectly and illegally. Lawsuits initiated by the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have resulted in financial issues for students. There are a number of websites that provide music and movie files that can be downloaded legally, or that provide additional information about downloading. Music, movies, photos, images displayable on computer screens, computer software, books, magazines, scientific and other journals are some of the things subject to copyright. A copyright notice is not required.
It is a violation of copyright law to copy, distribute, display, exhibit, or perform copyrighted works without the authority of the copyright owner. Copyright infringement is the act of exercising, without copyright owner permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code), subject to exceptions contained in 17 U.S.C. §§ 107 and 108 (http://www.copyright.gov/title17/92chap1.html). Sharing, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement. Protected copyright rights include the right to reproduce or distribute a copyrighted work. In the file-sharing context, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement. Penalties for copyright infringement include civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or "statutory" damages fixed at not less than $750 and not more than $30,000 per work infringed. For "willful" infringement, a court may award up to $150,000 per work infringed. A court can, in its discretion, also assess costs and attorneys' fees. For details, see Title 17, United States Code, Sections 504, 505. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense. For more information, please see the website of the U.S. Copyright Office, especially the FAQs.
We use technology-based deterrents to combat illegal file sharing.
- For Oakland University's academic and administrative campus network, all traffic to and from the well-known addresses for the top three peer-to-peer sharing sites is blocked. In addition, all unsolicited inbound traffic is denied to user desktops, preventing clients from being dedicated servers of copyrighted material. The network is also continually monitored for anomalous traffic patterns which may be indicative of P2P super-nodes. Moreover, recent firewall upgrades have included the potential to provide additional bandwidth shaping and proactive notification services.
- For Oakland University's residence network, there is an additional technology that shapes bandwidth using algorithms that flatten traffic spikes and provides relatively equal use of the network for everyone on that segment. This restricts large bandwidth users from becoming P2P super-nodes.
We actively educate students about copyright and peer-to-peer file sharing issues.
- We publicly post our policies, and we have an "appropriate use" policy that governs all IT systems and networks – Policy #890 Use of University Information Technology Resources. It specifically states in section II c. "Using Resources to download or share copyrighted music, movies, television shows or games without the permission of the copyright owner may result in sanctions." Sanctions are described in the policy, and do include disabling network access.
- Students have to agree to abide by Policy #890 every time they register to use the network and when they access key systems, such as MySAIL.
- We teach students about copyright and illegal downloading during orientation. It is reinforced in the printed Golden Grizzly Guide that every new student receives.
- File-sharing is covered in the Student Handbook and in Residence Halls materials.
We actively measure the effectiveness of the program by measuring and monitoring the number of complaints we receive.
We provide information about legal alternatives to illegal peer-to-peer sharing of materials.
- The material is posted on this website.
- Other linked material at this site provides information on civil and criminal liabilities and summary information about penalties in federal copyright laws.
- Also, every time students log into the MySAIL portal, the link for legal alternatives is presented with all other critical university systems (Webmail, Moodle, SAIL, etc.).
When complaints occur, we take the following actions:
- We receive the notice from a copyright monitoring group representing an industry group such as the Recording Industry of America or the Motion Picture Industry of America. This is processed with two actions: a violation of the Digital Millennium Copyright Act, which is a legal issue, and a violation of university policy, which is a university conduct issue.
- We verify the validity and format of the complaint. If the complaint is invalid, the Chief Information Officer will make a good-faith effort to notify the copyright agent with the reason that the notice is invalid.
- The format may be a DMCA notice, a pre-litigation settlement notice, or a preservation letter.
- We identify the individual and immediately block network access to the content (which is the legal issue) and block access for the individual (in response to the conduct issue).
- If a preservation letter is received, the university will comply and preserve the requested information, and will also handle the letter as a DMCA notice. The material will be preserved at least 30 days, and not longer than 1 year, unless otherwise advised by the Office of Legal Affairs.
- We send a letter and a copy of the notice to the individual.
- Legally, the individual has an option to file a counter-notice.
- The individual may be subject to further legal action from the industry (a subpoena or early settlement letter may be issued).
- Students must visit the Dean of Students to handle the policy issue. The Dean of Students provides a refresher view of copyright infringement. Students pay a fine to cover the costs of the process. The student then visits University Technology Services and reviews materials about copyright.
- We review the computer with the student to make sure the infringing material has been removed, and then we reconnect network access for the student.
- In all cases, students must decide how to handle the matter. Students who receive pre-litigation settlement notices or preservation letters would be well-advised to consult an attorney promptly.
- Complaints for employees are processed in accordance with university policy and employment contracts.
Before you download music or movies or install software to download or share, you should check these lists first:
- RIAA Legal Music Sites: The RIAA is the recording industry trade group active in protecting the intellectual property rights of American recording artists throughout the world.
- Respect Copyright Legal Content Online
- MPAA is the movie industry group active in protecting the intellectual property rights of American filmmakers and motion picture studios.
- The BSA is the software industry group that promotes legal downloading of commercial software.
- Chilling Effects provides information useful in understanding all sides of the copyright issue and the protections that the First Amendment and intellectual property laws provide for online activities.
Information Security Plan
The designated Security Advisory Group program administrators are Theresa Rowe, Chief Information Officer, and Dennis Bolton, Information Security Officer. The Security Advisory Group, chaired by the Information Security Officer, supports information technology directions and work activities. Members are designated UTS employees with security responsibilities. Additional security advice is provided by all advisory groups identified in the Governance Process.
The Information Security Plan includes all the documentation on this page and includes the following specific items:
- Security Information is provided as a Common Good Core Resource.
- System management and controls, including implementation of university policy #880 Systems Administration Responsibilities. Systems management includes risk assessment, life cycle management, security review, and verification of critical systems by external audit. Procedures for system security review are located in the Systems Security Review Process.
- Operational controls, including documentation of access, authentication, authorization, accounting, physical controls, and separation of duties.
- Compliance with laws, regulations and mandates, including Payment Card Industry - Data Security Standard, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act, and others. Annual audits for compliance in key areas are done.
- Firewall rule changes.
- Identity access controls and password management.
- Backup, restore and disaster recovery planning and verification.
- Security incident handling. Please review the document Incident Response Process.
- Information Security as implemented in university policy #860 Information Security.
- Security practices, emphasizing compliance with State of Michigan law for Personally Identifiable Information.
University Technology Services reviews current risks, incidents, responses, and alerts in a weekly departmental Change Management meeting. The Security Advisory Group determines baseline security practices. Baseline security practices at this time include mandated patch management of operating systems, anti-virus and anti-malware protection, and disabling unneeded services and ports. Also included are multiple levels of access controls:
- Network access control and registration using NetID identity and access control management.
- Local area network and role-based control using ADMNET identity and access control management.
- System and computer local login credentials.
- Enterprise data access controls managed through the Banner environment.
UTS annually engages in a data security review, a review of this plan, and a review of all security information on this site. This review is coordinated by the Chief Information Officer, reviewing results with Internal Audit. UTS, in consultation with the Security Advisory Group, develops and administers a Security Awareness Program.
University Technology Services complies with all audit procedures provided for by Oakland University Internal Audit and State of Michigan auditors. University Technology Services periodically engages an external vendor to perform risk analysis of information technology resources.
The Network Architecture Security Practices document provides a description of documented security standards for the installation and operation of the Oakland University network. Additional information about network access is on the Networking site. Also, Internet connectivity is covered by the policies of Merit Network, Inc.: Merit Networks, Inc. MichNet Policies (http://www.merit.edu/policies/).
We seek to prioritize projects that are in alignment with university strategic initiatives; highest priority is given to projects approved by Vice Presidents, Associate VPs, Assistant VPs, or Deans, aligned with University strategic goals and initiatives, and with strong sponsorship and committed resources. Please review #830 Information Technology.
Our top priorities are:
- Strategic initiatives.
- Production systems or Internet connectivity unavailable.
- Mitigation of university risk by improving availability and improving security.
- Critical technical projects identified by priority analysis, targeting required technology upgrades, preserving technical investment, or removing technical obsolescence. Technical currency is assessed by actual age, technical age, project dependencies, technical obsolescence, and other factors. Maintenance of a quality technical environment by replacing components every 5 years (or 20% of the foundation each year).
- Compliance with government, legal, or regulatory mandated processes.
All remaining work is prioritized by date of project submission, with consideration for the following factors:
- Data integrity issues.
- Design for resilience and redundancy, performance of release and patch installs, and other activities that support a highly reliable technical environment.
- Projects approved by information technology advisory committees in the Governance structure.
- Assessment of impact on the university mission.
- Scope of repair or service interruption: campus, department, individual.
- New system install, requested activation or move.
- Project dependencies, noting that an orderly set of project tasks provides constant forward momentum.
Banner releases are installed by evaluation of priority. Minor Banner releases are installed into a test region within 90 days of Banner release. Data stewards have 30 days to test, unless the data steward requests a longer testing period or passage of a specific event, particularly with releases that cross modules. Releases are installed in production 30 days after last notice. Major releases are installed after approval by the data stewards, with delays or conflicts managed by the Banner Operating Committee. Also, major changes to Banner Finance are reviewed in Change Management prior to production installation.
UTS generally does not modify vendor delivered products. Please note that all data entry, changes, alterations, deletes and corrections must be done in accordance with university Policy #860 Information Security. This is especially true for Banner. Examples of data maintenance are merging of duplicate records, correcting gift records, altering data for correction based on a vendor contact, or other unusual situations where the data cannot be fixed using a standard Banner form or process. Procedures related to Policy #860:
- Production data will not be altered, changed, added or deleted without prior approval from the assigned data steward.
- Acceptable data sources and values must be approved by the assigned data steward.
- One time data corrections, such as the merge of individual records or fixing a record, will be done by UTS as long as there is a ticket for each individual needed fix.
- Data entry, corrections or updates that are ongoing and repeating must be turned into a job that is executed by the data custodian or data steward. Jobs must use established data relationship rules and standard application programming interfaces (APIs). The data steward must have approved data update access.
- Volume of data maintenance does not automatically suggest that a process be developed. First, every effort must be made to use Banner delivered forms and processes for volume data entry and maintenance. If an alternative for volume data maintenance is still required, a Request for Product Enhancement must be filed with Ellucian. Other desktop tools must also be used (such as automated data update tool). A good business case must be made for automating data maintenance, if the volume of data entry cannot be processed using Banner forms, Banner processes or desktop tools. The business case must be approved by UTS leadership prior to development.
- The data steward or custodian must be able to confirm a fixed population and guidelines for application of data changes.
- The data steward or custodian must have a test plan to confirm the quality of the data change, which will be done in test mode and approved prior to a production run.
- Banner data changes and corrections must first be reviewed with Ellucian and Ellucian directions for data change or correction must be submitted with the change request ticket, approved by the data steward. Similar procedures are required for other products and applications.
The following informational documents on privacy may be useful guidelines.
There are state and federal laws protecting data privacy. University Policy #860 Information Security provides guidance for compliance with these laws. Data classified as Confidential in university policy should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption. Data, information, and documentation covered by Non-Disclosure Agreements should not be stored on laptops; if laptop storage is the only option, the laptop must be encrypted and records kept proving the encryption. OU Data are protected and require OU response to data breach, even if those data are stored on a personally owned device. All device thefts that involve storage of OU data must be reported to OUPD. We recommend that Confidential data be stored on encrypted departmental share drives or in OakShare (https://files.oakland.edu). Mixing personal issues and university data on one device can complicate police investigations. Recent backups of laptops and proof of encryption can reduce university exposure in the event of theft. The exposure of personally identifiable information can result in assessments estimated to be $15 per record, not including time and inconvenience. This cost may be shared with the department.
IT Risk Management
The following information is intended to provide university employees with information and tools to properly assess, mitigate and manage risk related to information technology resources. In particular, employees should be aware of responsibilities assigned as systems administrators in Policy #880 Systems Administration Responsibilities. The following events are considered to be emergencies and should be reported immediately:
- An entry or attempted entry via unauthorized access in any OU information system or resource.
- Any process or technology that attempts to use university-owned systems as a conduit for unauthorized activity on another system, that targets systems for unauthorized activity, or that is used to make physical threats, create suspicious or fraudulent communications, commit fraud, or commit any illegal or criminal activity.
- Failure of the telephone system or electrical systems.
- Damage due to fire, water, lightning, storms, tornado, or physical break-in, or other property damage.
- Emergency failure of an enterprise system.
- Theft, loss or corruption of university critical information technology assets, including data.
- Violations of any university information technology policy.
- Impersonation or unauthorized use of identity.
Events should be reported by email to firstname.lastname@example.org. Crisis events occurring during non-regular business hours may be reported to the OU Police Department at 248-370-3331.
Thefts of Oakland University technology should be reported to the OU Police Department at 248-370-3331. We will work with the technology user to assess risk by following the Incident Response Process.
University Technology Services can assist your department with Risk Assessment. Please review this Risk Assessment Checklist when:
- Evaluating the information technology risk for a department.
- Changing the data management or technology management of your operation.
- Considering purchase of a new information technology resource.
- Considering the outsourcing of an information technology or data management operation.
- Staff or processes change, or on a regular audit basis, periodically or annually.
- Processing payment card, credit card or medical data.
IT Service Providers, Outsourcing, Hosted Solutions, Web Sites and Application Service Providers
The following information is intended to provide university employees with information and tools to properly assess, mitigate and manage risk related to outsourcing, hosted solutions, software as a service, and application service providers (ASP), commonly known as "web sites". To begin a project involving an outsourced, hosted, SaaS, or ASP solution, please review this Checklist. A vendor security review must be completed as part of this process; vendors must complete the Security Statement, providing a documented response. If University data are involved, language that protects the security and privacy of data is required in agreements and contracts; please coordinate with the Purchasing department. Note that sending university data off-site requires compliance with the Information Security Advisory Group policy #860 Information Security, following the procedures for Secure File Transmission and Encryption.
Oakland University faculty may choose to use web-enabled software and social network tools in instruction. Such tools may include alternative online learning systems, chat rooms, blogs, collaborative workspaces, wikis, and podcast/video sites. A partial list of options is provided by ELIS. These learning tools may offer positive potential for engaging students in learning. However, there may be privacy concerns when an instructor chooses to use a non-Oakland University tool in instruction.
An excellent overview of the issues is presented in this Educause article by Merri Beth Lavagnino, Chief Privacy Officer and Compliance Coordinator at Indiana University:
Lavagnino, M.B. (2010). Policy as an Enabler of Student Engagement. EDUCAUSE Review, 45, no.5: 104-105.
General Recommendations, based on the information from that article:
- Review Oakland University policy #860 Information Security. Know data elements classified as Confidential, particularly under the Family Educational Rights and Privacy Act (FERPA) and how it applies to your course. In particular, note if participation from people outside the enrolled class is allowed; this may be a violation of FERPA.
- Become familiar with the question: Where is it stored? Understand when you are creating and storing your course data and other information using campus information technology resources, and when you are storing data in off-campus or third-party technologies.
- Note that software licenses, application service provider contracts and other agreements must follow university standard procedures, particularly as they apply to Procurement and Purchasing.
- Instructional materials are often protected by copyright law. Further, some service provider agreements claim rights to use the content created or uploaded to the technology solution. Review carefully so that you do not share intellectual property that you are not entitled to, or do not want to, share.
- Communicate with your students. Make sure your students understand when they are sharing material in off-campus social networks, tools, and technologies. Your students may be uncomfortable with such storage; determine if participation is a requirement, or if you need to have alternative plans.
Web Development Guidelines
University Technology Services and Communications and Marketing have partnered to create this list of policies and guidelines to assist individuals and departments considering web development. The university goal is a consistent experience for the community and a sustainable, secure technology environment. Please review Web Development Guidelines if you are considering customized web development.
Backup and Recovery
University Technology Services provides a backup and recovery service for datacenter services. Please review Storage and comparison options posted on the UTS site.