Information Technology Policies
(Updated 06.25.2008)
Policy News

The U.S. Department of Education proposed new regulations updating the Family Educational Rights and Privacy Act (FERPA) on March 24, 2008. FERPA is a federal law that protects the privacy of student education records. The proposed IT changes provide recommendations on safeguarding educational records and clarify the following:
- what can be included in student directory information;
- the use of student Social Security Numbers, other student ID numbers, and email addresses; and
- the use of reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom personally identifiable information is disclosed.

The proposed rules are available online. The EDUCAUSE/Internet2 Computer and Network Security Task Force and the American Council on Education have provided Comments on the Proposed Changes.
Policies
The following IT policies are in effect,
having been
reviewed and approved by key campus stakeholders, including the Executive
Technology Advisory Group and the IT Node Leaders. Occasionally, a policy
that has been vetted and approved by these campus stakeholders is declared an
"Interim Policy" while it awaits final approval in the institutional
policy approval queue. This is done in order to be responsive to
rapidly changing information security/data protection needs and the
regulatory landscape, and to protect the institution and our community
from serious risks and costs. Interim policies are fully in effect.
Computer and Information Security Policies
- NY State Information Security Policy
- NYS Cyber Incident Reporting Procedure (PDF)
- Information Security: Data Access and Security Policy
- Access to Information Form (PDF)
  Access to non-public University information is limited to authorized individuals whose jobs require the information. Data trustees (access administrators) are responsible for granting and restricting access, and for establishing and documenting access authorization. Data custodians (owners) oversee and manage University information resources and policies concerning these resources. Completion of the "UB Access to Information Form" by the authorized individual and the signature of his/her supervisor are required. This policy has been modified to include roles and responsibilities for those granting access to University enterprise-wide summary/aggregate information.
- Protection of Regulated Private Data Policy
  UB is committed to protecting regulated private data (SSNs, credit/debit card numbers, state-issued driver's license or ID numbers, protected health information, passwords and computer access protection data) in order to safeguard the privacy of community members, reduce the threat of identity theft for community members, and comply with state, federal, and other laws and regulations. Incidents in which private data have been compromised occur daily, and all UB community members need to understand the definition of regulated private data and take responsibility for protecting these data.
  This interim policy is in effect while it undergoes final review and acquires final approval in UB's Institutional Policy Review process. It has been reviewed and approved by the CIO's Executive Technology Advisory Group (major campus stakeholders) and the IT Node Directors Group (campus information technology and security experts and leaders). The interim policy is required for University compliance with federal, state, and Payment Card Industry rules and regulations and is fully in effect.
- Policy on Securing Network Connected Devices
  One of the major shared resources of the University is its data network. If a compromised device is being actively used in a way that threatens the integrity of the University network or other devices on the University network, it may be necessary to disconnect it temporarily from the network and secure it before it is reconnected. Users must maintain the operating systems of their devices; install, continuously run and regularly update antivirus software (available free of charge from the http://ubit.buffalo.edu/software web site); and apply patches that close known security vulnerabilities as soon as they become available.
Data Management and Retention Policies
Digital Millennium Copyright Act (DMCA) Policies and FAQ
Email Policies
Payment Card Industry (PCI) Compliance
- Payment Card Industry Data Security Standard (PCI DSS)
  The PCI DSS version 1.1 is a set of comprehensive requirements for payment account data security, developed by a council including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
  The UB Financial Services Office and the ISO work with all departments to ensure compliance with PCI DSS for all merchant IDs at UB. Completed PCI Self-Assessment Questionnaires are required annually from all UB merchants who accept credit card payments. Security scans by an approved scanning vendor are also required to help validate compliance with the PCI DSS. UB has contracted with Security Metrics to provide these scans.
Policy on Securing Network Connected Devices
Policy on Network Port Access
Open Port Policies
Public Printing Policy Change at UB (PDF)
Social Security Number Policy (PDF)
  UB is committed to maintaining the privacy and confidentiality of an individual's SSN as mandated by law. It is the policy of UB that the use of the SSN as a common identifier and primary key to databases be discontinued, except where required for employment, financial aid, and a limited number of other business transactions. Disclosure statements will be provided whenever an SSN is requested, in compliance with the Federal Privacy Act of 1974. Sample disclosure statements are available for use. As a university we must work to reduce or eliminate the use of SSNs for identification purposes and to ensure that SSNs are secured in all university databases and applications.
- Requesting Access to InfoSource Data Containing Social Security Numbers
  Access to UB InfoSource data containing SSNs is limited to those with a legal or business need in the performance of their job responsibilities, as described in this policy.
- Standards for Securing Regulated Private Data (such as SSNs, credit/debit card numbers, state-issued driver's license or ID numbers)
  Standards for the secure access, handling, usage, transmission, storage and disposal of private and regulated information, such as SSNs, credit/debit card numbers, driver's license numbers, and non-driver identification numbers.
User Termination of Access Policy
Web Privacy Policy
Statement of Support for Web Browsers
Procedures and Guidelines
- Accounts and Quotas
- Computer Harassment
- Fair Data Search
- Network Newsgroups
- Public Computing and Classrooms
- Rights and Responsibilities
- Support Service Policies
- UBUnix Usage Policies
- Web Policies
IT HR Guidelines
- Business Casual Dress Guidelines (PDF)
- Flexible Work Schedule Guidelines (PDF)