Policy News The U.S. Department of Education proposed new regulations updating the Family Educational Rights and Privacy Act (FERPA) on March 24, 2008. FERPA is a federal law that protects the privacy of student education records. The proposed IT changes provide recommendations on safeguarding educational records and clarify the following: what can be included in student directory information; the use of student Social Security Numbers, other student ID numbers, and email addresses; and the use of reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom personally identifiable information is disclosed. The proposed rules are available online. The Department invited comments on the proposed rules by May 8, 2008. The EDUCAUSE/Internet2 Computer and Network Security Task Force and the American Council on Education have provided Comments on the Proposed Changes. In addition, Rodney Peterson, EDUCAUSE Government Relations Officer and Security Task Force Coordinator, is gathering feedback on the proposed rules and will be posting more information on the EDUCAUSE web site. Policies The following IT policies are currently in effect unless otherwise noted. They have been reviewed and approved except where it is noted that the review process is incomplete. For those in the policy review queue, the current review and approval status are indicated. Acceptable Use, Password Policy, Copyright and Fair Use UB Computer & Network Use Policy Password Policy This interim policy is in effect while it undergoes final review and acquires final approval in UB's Institutional Policy Review process. It has been reviewed and approved by the CIO's Executive Technology Advisory Group and the IT Node Directors Group. UB IT Resources - Conditions of Use Policy Copyright and Fair Use (University Libraries) Policy For Use of Online Information - University Libraries Policy Computer and Information Security Policies NY State Information Security Policy. Appendix: UB Modifications to NY State Information Security Policy NYS Cyber Incident Reporting Procedure (PDF) Information Security: Data Access and Security Policy Access to Information Form (PDF) Access to non-public University information is limited to authorized individuals whose jobs require the information. Data trustees (access administrators), are responsible for granting and restricting access, and establishing and documenting access authorization. Data custodians (owners) oversee and manage University information resources and policies concerning these resources. Completion of the "UB Access to Information Form" by the authorized individual and the signature of his/her supervisor is required This policy has been modified to include roles and responsibilities for those granting access to University enterprise-wide summary/aggregate information. Standards for Securing Sensitive and Regulated Information (Such as SSNs, Credit/Debit Card Numbers) Policy on Securing Network Connected Devices Data Management and Retention Policies Management and Retention of Central Email Policy Quota and Data Retention Policy for Course Materials on Central Streaming Media Services: DRAFT The following release forms are provided as a convenience at the request of a UB academic unit. They are undergoing review by SUNY Counsel and by UUP representatives. It should be noted that faculty are not obligated to have lectures digitally recorded and distributed. Please see SUNY Copyright Policy, the UUP Contract, and Policies of the SUNY Board of Trustees for copyright ownership information. Digital Content/Recording Release Form - For Posting to a Public Site Digital Content/Recording Release Form - For Posting to a Secure Site Digital Millennium Copyright Act (DMCA) Policies and FAQ Email Policies UB IT Central Email Policies and Procedures Mass Digital Communications: Policy, Guidelines, and Procedures This policy explains procedures for sending email or text messages to large constituencies, such as all students, faculty, staff, or alumni. The policy was updated to include policy text for communications with alumni and emergency communications including mass text alerts to cell phones, and reviewed and approved by ETAG in October, 2007. Student Affairs Policies Relating to the Use of Email to Contact Students for Research Purposes Student Affairs Mass Email Researchers Form Student Affairs Mass Email Sponsor Form Management and Retention of Central Email Policy Listserv Policy Policy on Email Servers Connected to the Network (PDF) Payment Card Industry (PCI) Compliance Payment Card Industry Data Security Standard (PCI DSS) The PCI DSS version 1.1 is a set of comprehensive requirements for payment account data security, developed by a council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. The UB Financial Services Office and the ISO work with all departments to ensure compliance with PCI DSS for all merchant IDs at UB. Completed PCI Self-Assessment Questionnaires are required annually from all UB merchants who accept credit card payments. Security scans by an approved scanning vendor are also required to help validate compliance with the PCI DSS. UB has contracted with Security Metrics to provide these scans. PCI Self-Assessment Questionnaire PCI Security Scanning Procedures Policy on Securing Network Connected Devices Policy on Network Port Access Open Port Policies Public Printing Policy Change at UB (PDF) Social Security Number Policy (PDF) UB is committed to maintaining the privacy and confidentiality of an individual's SSN as mandated by law. It is the policy of UB that the use of SSN as a common identifier and primary key to databases be discontinued, except where required for employment, financial aid, and a limited number of other business transactions. Disclosure statements will be provided whenever a SSN is requested, in compliance with the Federal Privacy Act of 1974. Sample disclosure statements are available for use. As a university we must work to reduce or eliminate the use of SSNs for identification purposes and to ensure the SSNs are secured in all university databases and applications. Requesting Access to InfoSource Data Containing Social Security Numbers Access to UB InfoSource data containing SSNs is limited to those with a legal or business need in the performance of their job responsibilities, as described in this policy. Standards for Securing Sensitive and Regulated Information (Such as SSNs, Credit/Debit Card Numbers) Standards for the secure access, handling, usage, transmission, storage and disposal of private and regulated information, such as information including SSN, credit/debit card numbers, driver's license numbers, and non-driver identification numbers. User Termination of Access Policy Web Privacy Policy Statement of Support for Web Browsers Procedures and Guidelines Accounts and Quotas UB IT Name (account) Initial Password Email Blackboard Guest Accounts Creation of Groups for UB IT Names Creation of E-mail Alias Oracle Accounts User disk space Disk space in the UBFS shared area Disk space on the UBWings machine Tape Storage Computer Harassment Computer Harassment Complaint Procedure Sometimes harassment is delivered via computer. The following flow chart indicates the manner in which this is handled. Fair Data Search Fair Data Search Policy and Procedures Network Newsgroups Creation and Addition of Newsgroups News (Article) Expiration Public Computing and Classrooms Adaptive Computing Draft: Public Printing Policy Change at UB (PDF) Rights and Responsibilities Rights & Responsibilities Support Service Policies IT Workshops Oracle Support Policy Services and Responsibilities for UNIX Systems Support (Undergoing Revision 10.17.03) UBUnix Usage Policies Central UBUnix Backup Policy Use of cron and at Utilities Web Policies Web Accessibility IT HR Guidelines Business Casual Dress Guidelines (PDF) Flexible Work Schedule Guidelines (PDF)