Policy News
Protecting Confidential Information - A new policy and standards for regulated private data (Social Security Numbers, bank account and credit/debit card numbers, state-issued driver's license numbers and non-driver ID numbers, passwords and other computer access protection data, and protected health information) describe the protective measures required for this highly confidential and regulated information.
Information Security is everyone's responsibility: Learn more about
how to secure the data you use as you do your job.
UB IT Policies
The following IT policies are in effect, having been reviewed and approved by key campus stakeholders, including the CIO's Executive Technology Advisory Group and the IT Node Leaders.
Computer and Information Security Policies
-
NY State Information Security Policy.
-
Information Security: Data Access and Security Policy
-
Access to Information Form (PDF)
-
Access to non-public University information is limited to authorized individuals whose jobs require the information.
Data trustees (access administrators) are responsible for granting and restricting access, and for establishing and documenting access authorization. Data custodians (owners) oversee and manage University information resources and the policies concerning these resources.
Completion of the "UB Access to Information Form" by the authorized individual, with the signature of his/her supervisor, is required.
This policy has been modified to include roles and responsibilities for those granting access to University enterprise-wide summary/aggregate information.
-
Protection of Regulated Private Data Policy
-
UB is committed to protecting regulated private data (SSNs, credit/debit card
numbers, state-issued driver's license or ID numbers, protected health
information, passwords and computer access protection data) in order
to safeguard the privacy of community members, reduce the threat of
identity theft for community members, and comply with state, federal,
and other laws and regulations. Incidents in which private data have been
compromised occur daily and all UB community members need to understand
the definition of regulated private data and take responsibility for
protecting these data.
This policy has been reviewed and approved by the CIO's Executive Technology
Advisory Group (major campus stakeholders) and the IT Node Directors Group
(campus information technology and security experts and leaders).
The policy
is required for University compliance with federal, state, and Payment
Card Industry rules.
-
Acceptable Use of RF Proprietary Data Outside the RF Business System Policy
-
This policy is required by the central RF Office to ensure that UB provides a secure environment with proper controls that ensure the privacy, integrity, and confidentiality of extracted proprietary RF data.
-
Policy on Securing Network Connected Devices
-
One of the major shared resources of the University is its data network. If a compromised device is being actively used in a way that threatens the integrity of the University network or other devices on the University network, it may be necessary to disconnect it temporarily from the network and secure it before it is reconnected.
Users must maintain the operating systems of their devices; install, continuously run and regularly update antivirus software (available free of charge from the
http://ubit.buffalo.edu/software
web site); and apply patches that close known security vulnerabilities as soon as they become available.
Data Management and Retention Policies
Digital Millennium Copyright Act (DMCA) Policies and FAQ
Domain Name Service Policy: Recording and Registration of Domain Names and Addresses
Email Policies
Payment Card Industry (PCI) Compliance
-
Payment Card Industry Data Security Standard (PCI DSS)
-
The PCI DSS version 1.1 is a set of comprehensive requirements for payment account data security, developed by a council including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
The UB Financial Services Office and the ISO work with all departments to ensure compliance with PCI DSS for all merchant IDs at UB. Completed PCI Self-Assessment Questionnaires are required annually from all UB merchants who accept credit card payments. Security scans by an approved scanning vendor are also required to help validate compliance with the PCI DSS. UB has contracted with Security Metrics to provide these scans.
Policy on Securing Network Connected Devices
Policy on Network Port Access
Open Port Policies
Public Printing Policy Change at UB (PDF)
Social Security Number Policy (PDF)
-
UB is committed to maintaining the privacy and confidentiality of an individual's SSN as mandated by law.
It is the policy of UB that the use of the SSN as a common identifier and primary key to databases be discontinued, except where required for employment, financial aid, and a limited number of other business transactions.
Disclosure statements will be provided whenever an SSN is requested, in compliance with the Federal Privacy Act of 1974. Sample disclosure statements are available for use.
As a university we must work to reduce or eliminate the use of SSNs for identification purposes and to ensure that SSNs are secured in all university databases and applications.
-
Requesting Access to InfoSource Data Containing Social Security Numbers
-
Access to UB InfoSource data containing SSNs is limited to those with a legal or business need in the performance of their job responsibilities, as described in this policy.
-
Standards for Securing Regulated Private Data
(Such as SSNs, Credit/Debit Card Numbers, State-issued Driver's License or
ID numbers)
-
Standards for the secure access, handling, usage, transmission, storage and disposal of private and regulated information, such as SSNs, credit/debit card numbers, driver's license numbers, and non-driver identification numbers.
Telephone Use Policy
User Termination of Access Policy
Web Privacy Policy
Statement of Support for Web Browsers
Procedures and Guidelines
- Accounts and Quotas
- Computer Harassment
- Fair Data Search
- Network Newsgroups
- Public Computing and Classrooms
- Rights and Responsibilities
- Support Service Policies
- UBUnix Usage Policies
- Web Policies