Information Technology – Policies and Procedures

GLBA Information Security Program
Tue, 06 Jun 2023

Reason for Policy

Pursuant to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule codified at 34 CFR 314.4, the Federal Trade Commission required the adoption of an Information Security Program no later than June 9, 2023 to develop, implement and maintain safeguards to protect the security, confidentiality, and integrity of customer financial records and related non-public personally identifiable financial information. Certain activities conducted by Montclair State University are subject to the GLBA. The GLBA does not contain an exemption for colleges or universities.

Applicability of Policy

This policy applies to any College, Division, department or unit of Montclair State University, any Service Provider of Montclair State University, and any Related Entities of Montclair State University, that collects, stores or processes Covered Data in connection with the delivery of Financial Services (as defined below in this Policy). This obligation is in addition to any other University policies and procedures adopted pursuant to international law or U.S. federal and state laws and regulations for the protection of personal data, including the Family Educational Rights and Privacy Act (FERPA).

By way of example, the type of Covered Data regulated by the GLBA includes the following:

  1. Information provided by an applicant or student to obtain a loan or extension of credit from the University, a private lender, or the federal government;
  2. Information provided by a student to regularly receive refunds or make payments by wire transfer or debit card;
  3. Information from a consumer report regarding a student to receive a loan;
  4. Information from an employee or student to license real property from the University;
  5. Account balance information, payment history, overdraft history, credit or debit card purchase information;
  6. Any information provided by a student in connection with collecting on or servicing an account;
  7. Personal information collected through an internet cookie for the provision of Financial Services (as defined below) by the University.

The following offices within the University handle Covered Data in the delivery of Financial Services:

  1. Enrollment (Admissions, Financial Aid, Student Accounts)
  2. Finance
  3. Residence Life
  4. Development
  5. Information Technology

Objective of The Program

The objectives of the Program are to: 1) protect the security and confidentiality of Covered Data; 2) protect against anticipated threats or hazards to the security or integrity of Covered Data; and 3) protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to an individual.

Definitions

“Covered Data” means (i) non-public personal financial information about a Customer and (ii) any list, description, or other grouping of Customers (and publicly available information pertaining to them) that is derived using any non-public personal financial information. Examples of Covered Data include bank and credit card account numbers, income and credit histories, tax returns and social security numbers and lists of public information such as names, addresses and telephone numbers derived in whole or in part from personally identifiable financial information (e.g., names of students with outstanding loans). Covered Data is subject to the protections of GLBA, even if the Customer ultimately is not awarded any financial aid or provided with a credit extension. Covered Data does not include aggregated personal information that has been de-identified or anonymized.

“Customer” means any person (student, parent, faculty, staff, or other third party with whom the University interacts) who receives a Financial Service from the University for personal, family or household reasons that results in a continuing relationship with the University.

“Financial Service” includes offering or servicing student loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, reviewing credit reports in connection with providing a loan to a student or prospective student, engaging in debt collection activities, and leasing real or personal property to students for their benefit.

“Related Entities” means the following types of entities and their subsidiaries, if legally separate from the University: auxiliary corporations, not-for-profit organizations to receive charitable contributions or for any other purpose, for-profit organizations for the creation of academic units or research and development purposes. For the avoidance of doubt, Related Entities include the Montclair State University Foundation, Inc. and will include Bloomfield College of Montclair State University.

“Service Provider” means any person or entity that receives, maintains, processes, or otherwise is permitted access to Covered Data through its direct provision of Financial Services to the University. For the avoidance of doubt, Service Provider includes software-as-a-service providers who contract with the University and Related Entities to receive Covered Data for the delivery of Financial Services. Service Providers also include any person or entity that administers any aspect of the University’s participation in U.S. Department of Education Title IV programs.

Program Requirements

1. Designation of Qualified Individual Responsible for Overseeing and Implementing Program

The Vice President for Information Technology (VPIT), or designee, shall: (1) coordinate the Program, (2) identify internal and external risks to the security and confidentiality of Covered Data and evaluate current safeguards, (3) design and implement safeguards to control the identified risks and regularly test and monitor the effectiveness of these safeguards, (4) oversee the assessment of security provided by contracted Service Providers, and (5) evaluate the effectiveness of the Program.

The VPIT or designee shall also designate an appropriate individual(s) to serve as the University Program Coordinator, who will administer this Information Security Program for the University and serve as the primary resource and liaison with Montclair State University’s Divisions, departments, units, Service Providers and Related Entities for addressing issues related to the GLBA Safeguards Rule and disseminating relevant information and updates.

2. Risk Assessment

Prior to the adoption of this Program, Montclair State University performed an information security risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Covered Data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of information and the sufficiency of safeguards in place to control these risks. Specifically, Montclair recognized internal and external information security risks that include, but are not limited to, the following:

  • Unauthorized access of Covered Data and information by someone other than the owner of the Covered Data
  • Compromised system security as a result of system access by an unauthorized person of data during transmission
  • Loss of data integrity
  • Physical loss of data in the event of a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Management of account users in systems maintained by the University and SaaS providers
  • Unauthorized access of Covered Data by employees
  • Unauthorized requests for Covered Data
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of Covered Data through third parties

Recognizing that this may not represent a complete list of the risks associated with the protection of Covered Data, and that new risks are created regularly, VPIT will actively monitor appropriate cybersecurity advisory literature to identify future risks and ensure that information security risk assessments are performed periodically.

Safeguards to Control Risks Identified Through Risk Assessment

The following is a list of current safeguards implemented, monitored and maintained by the University which are reasonable and sufficient to provide security and confidentiality to Covered Data. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.

1. Employee Management and Training

References and/or background checks (as appropriate depending upon position) of new employees working in areas that have access to Covered Data are performed. New employees who handle Covered Data receive proper training on the importance of confidentiality of student records, student financial information and all other Covered Data, and the proper use of computer information and passwords. Thereafter, all employees are required to complete annual training in cybersecurity and FERPA to ensure compliance. Cybersecurity awareness training also includes controls and procedures to detect and identify ransomware, phishing and social engineering tactics to prevent employees from providing Covered Data to an unauthorized individual. These training efforts minimize risk and safeguard Covered Data and information. Security updates are regularly distributed to all employees to raise awareness and test vulnerability to social engineering tactics.

2. Physical Security

Montclair has addressed the physical security of Covered Data by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to employees with a legitimate business need for such information. Furthermore, each department responsible for maintaining Covered Data is instructed to take steps to protect such information from viewing by unauthorized persons, destruction, loss or damage.

3. Information Systems

Access to Covered Data and information via Montclair’s on campus computer information system or licensed SaaS systems is limited to those employees and faculty who have a legitimate business reason to access such information. The University has policies and procedures in place to complement the physical and technical safeguards in order to provide security to Montclair’s IT information systems. These policies and procedures, listed as related policies below, are also listed on the University’s website. The management of University servers storing or processing Covered Data and information has also been transferred entirely to the VPIT, and all such servers are housed in a secure data center.

Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As such, Montclair does not use social security numbers as student identifiers but instead uses a net ID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented and legitimate business need.

Covered Data is protected by encryption both when transmitted by the University over external networks and when stored at rest. The University has also implemented or will implement multi-factor authentication for any system that processes or stores Covered Data unless the VPIT, or designee, has approved in writing the use of reasonably equivalent secure access controls.

4. Management of System Failures

IT has developed written policies and procedures to assist in detecting any actual or attempted attacks on Montclair’s on campus IT systems, and evaluating the security of third parties providing off-campus IT systems. A written Data Breach Response Protocol provides written procedures for responding to an actual or attempted unauthorized access to Covered Data, and is available upon request to the VPIT.

5. Oversight of Service Providers

GLBA requires Montclair to take reasonable steps to select and retain Service Providers who maintain appropriate safeguards for Covered Data by contractually requiring Service Providers to implement and maintain such safeguards. Montclair’s Security Official reviews and approves a HECVAT prepared by a Service Provider who has or will have access to Covered Data, and works with University Counsel, as appropriate, to ensure that the Service Provider’s contracts contain appropriate terms to protect the security of Covered Data. Purchasing units are responsible for managing the Service Provider’s contract and also account management by removing users when their access to Covered Data is terminated. The University Program Coordinator shall periodically reassess the continued adequacy of safeguards provided by Service Providers to Covered Data based upon the risks presented.

6. Retention and Disposal of Records Containing Covered Data

Records containing Covered Data shall be retained and destroyed in accordance with Montclair’s Records Retention and Destruction Policy.

7. Detection and Testing

The VPIT or designee shall ensure that University IT systems that collect, store and process Covered Data shall:

  • a) be designed to monitor and log the activity of authorized users and detect unauthorized access or use of or tampering with Covered Data by such users;
  • b) be regularly or continually tested or monitored to evaluate the effectiveness of key controls, systems, and procedures, including those that detect actual and attempted attacks on or intrusions;
  • c) no less than annually be subject to penetration testing based upon the above identified risks in accordance with a risk assessment; and
  • d) no less than every 6 months or whenever circumstances present a reason to determine the potential for a material impact upon the University’s IT systems, perform a vulnerability assessment that includes system scans or reviews of IT systems reasonably designed to identify publicly known security vulnerabilities.

Continuing Evaluation and Adjustment

This Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the Program will be the responsibility of the University Program Coordinator, who will assign specific responsibility for technical, logical, physical, and administrative safeguards implementation and administration as appropriate. The University Program Coordinator, in consultation with University Counsel, will review the standards set forth in this Program and recommend updates, revisions and adjustments as may be necessary to reflect changes in technology, the sensitivity of Covered Data, and internal or external threats to information security.

Related Policies:

Account Management: Account Management – Policies and Procedures – Montclair State University

Client Use Administrative Rights: Client Use Administrative Rights Policy (Faculty) – Policies And Procedures – Montclair State University

Data Classification and Handling: Data Classification And Handling – Policies And Procedures – Montclair State University

Email Accounts: Email Accounts – Policies And Procedures – Montclair State University

Google Drive Usage Guidelines: Google Drive Usage Guidelines – Policies And Procedures – Montclair State University

HECVAT Cloud Vendor Assessment: Higher Education Cloud Vendor Assessment – Information Technology Division – Montclair State University

Network Access and Usage: Network Access And Usage Policy – Policies And Procedures – Montclair State University

Password Management Policy: Password Management Policy – Policies And Procedures – Montclair State University

Record Retention and Destruction Policy: Record Retention And Destruction Policy – Policies And Procedures – Montclair State University

Responsible Use of Computing: Responsible Use Of Computing – Policies And Procedures – Montclair State University

Secure Directory Access: Secure Directory Services Access – Policies And Procedures – Montclair State University

Security Incident Response Framework: Security Incident Response Framework (External) – Policies And Procedures – Montclair State University

FERPA Policy: Family Education Rights And Privacy Act (FERPA) – Policies And Procedures – Montclair State University

EUGDPR Policy: European Union General Data Protection Regulation (EUGDPR) – Policies And Procedures – Montclair State University

China PIPL Policy: Personal Information Protection Law Of The People’s Republic Of China (PIPL) – Policies And Procedures – Montclair State University

Security Incident Response Framework (External)
Tue, 12 Mar 2019

It is the responsibility of the entire University community to respond in a consistent manner, with appropriate leadership and technical resources, to any security incident. The Montclair State University IT Service Desk and Office of Information Security are available to facilitate and provide guidance with any computer security incidents that affect University IT resources or threaten the availability, confidentiality, and integrity of university information.

Security incidents involving restricted personally identifiable information (PII) or confidential information as defined by the Data Classification and Handling Policy must be reported immediately to the Office of Information Security (security@montclair.edu).

What is a Security Incident?

An incident is an adverse event in an information system, including the significant threat of an adverse event. In other words, it implies harm or the attempt to harm. An incident can be defined as any act that violates University Information Security policies and/or the Guidelines for Responsible Computing. The following activities are common incidents and should be reported to the Office of Information Security:

  • Attempts to gain unauthorized access
  • Unwanted disruption of services or denial of resources
  • Unauthorized use of a system
  • Changes to a system without the owner’s knowledge, instruction, or consent
  • Theft or loss of University computing equipment

What is not an incident?

Spam is not considered an incident as the high volume of spam e-mails makes it difficult to investigate every case. Only when the spam is a sign of a compromised Montclair State University account, or if the spam contains criminal content will it be considered an incident. If you are interested in reporting unsolicited email (Spam) please contact the IT Service Desk at itservicedesk@montclair.edu. You are encouraged to read this page prior to making a complaint to help you distinguish activities which do not violate the law or policy.

How can I report an incident?

If you would like to report an incident that meets the criteria for a violation please contact the appropriate agency. Please do not submit personally identifiable information such as your CWID, passwords, or financial information via e-mail. This contact matrix provides guidance in the event you observe or experience the following:

| Issue | Contact |
|---|---|
| Alerts or behavior indicating possible infection on a University provided client (computer) | University Service Desk or your local college technical team |
| Network scanning, probing or system compromises | University Service Desk, email Office of Information Security |
| Found a lost mobile device | University Police |
| Lost or stolen University provided mobile device | University Police, email Office of Information Security and inform your supervisor |
| Discover you have incorrect access rights to a shared University file repository (MSUFILES, Google Drive, etc.) | E-mail IT Office of Information Security |

What are some signs of common Security Incidents?

If you are experiencing issues with your computer or a resource located on the network it is recommended to first check with the University IT Service Desk or your local technical team to rule out common problems.

Signs of a Denial of Service Attack

  • The network appears to be running slower than usual or there is no connection at all (opening files or visiting websites)
  • Unable to reach a University website, resource or any public website or resource available through the internet
  • Mailbox is inundated with spam to the point that no legitimate e-mails can be delivered
  • The hard drive has suddenly become full

Signs of Malicious Code (Virus, Malware, Spyware, Rootkits)

  • Computer is running abnormally slow or crashes for no apparent reason
  • Files are being deleted or becoming corrupt
  • Internet homepage is different and/or there are additional components added to the browser
  • Pop-up ads are always appearing on the desktop
  • Random Windows error messages appear
  • The mouse cursor moves around without any interaction

Signs of Unauthorized Access

  • Computer is not in the same physical condition that it was left in
  • Files and folders have been added, deleted, or changed
  • You witness someone using a system or using credentials that do not belong to them

Investigation

Once the initial response is performed and the incident is classified and contained, further investigation may be required to determine the cause. All actions taken should be fully documented within an incident in ServiceNow. Report incidents by logging into our ServiceNow self-service portal and submitting an ISIM “Security Incident Reporting Form” ticket.

Recovery

Recovering from an incident occurs when the investigation process is complete and the machine can be returned to normal operation. Lessons learned will be identified and any implementation to protect from any future incidents of the same kind will be taken. A final report to communicate findings with University IT Security Office, IT staff and other affected parties will need to be developed and shared.

Information Security Breach Notification Guidelines

Breach of restricted personal or confidential information requires special handling. Refer to the Montclair State University Breach Response Protocol for an appropriate response. The Information Security Breach Reporting Form must be used to report a security breach to the Office of Information Security.

Request for Computer Forensic Examination

Computer forensics is the analysis of data from a computer system in response to a security incident. A computer forensic examination may be needed when it is suspected that a computer was misused, violating University Guidelines for Responsible Computing or used to commit a crime. To learn more and to request a computer forensic examination, please contact security@montclair.edu.

Web Publishing
Tue, 12 Mar 2019

1.0 Purpose

Montclair State University’s web presence is essential to its mission of teaching, learning, and public service. However, any information published to a web server can potentially be viewed, copied, and redistributed by anyone who can access it via a web browser. Thus, the University’s Web Publishing policy seeks to establish standards and guidelines that will:

  • Support the vision, mission, goals and traditional academic values of the university.
  • Assist web publishers in developing sites that comply with university policies, rules, and regulations, and all applicable local, State, and Federal laws.
  • Facilitate the official business of the University and appropriate online transactions while maintaining the necessary level of security and privacy.
  • Outline mechanisms for maintaining the integrity and security of confidential/sensitive information that for legitimate business or pedagogical reasons must be stored on or accessed via a campus web server.
  • Define web account creation policies to ensure that only those individuals with proper authorization can publish content to web servers in the montclair.edu domain.

This Web Publishing policy document is not intended as a style guide for the look and feel of web pages, nor does it address areas of web page design or branding. Please refer to the Division of University Advancement’s Web Services page for guidelines pertaining to Montclair State University’s standards for web page design and branding. Specific requirements for the proper protection and handling of sensitive and confidential information in any medium by members of the Montclair State University community are described in the University’s Safeguarding Sensitive and Confidential Information policy document.

2.0 Scope

This policy document applies to:

  • Montclair State University’s official website, http://www.montclair.edu
  • All web pages located on servers within the montclair.edu domain.
  • University-affiliated sites outside of the montclair.edu domain using approved Montclair State University trademarked or copyrighted materials, images, logos, etc.
  • Web pages of Application Service Providers (ASPs) or vendors that have contracted with the University to deliver online services. Examples include, but are not limited to, online learning management systems and vendor “portals” for procurement of equipment, services, and supplies.
  • Faculty, staff, and student pages located on any server or device connected to the Campus network that is capable of delivering web content.
  • Individuals who have been assigned custodial rights to a departmental web publishing account.

3.0 Policy

Web publishers are responsible for the content of the pages they publish and are expected to abide by the highest standards of quality and responsibility. These responsibilities apply to all publishers, whether they are colleges, departments, student or employee organizations, or individuals.

  • All web content must conform to the University’s Safeguarding Sensitive and Confidential Information policy document. Among other things, this means that sensitive University information including, but not limited to, student records, financial records, or any other confidential or private information may not be displayed on publicly-accessible web pages or stored on a web server in unencrypted form.
  • Web pages may only be published to a server on the campus network using an IT-authorized user account. Examples of authorized user accounts include MSU NetIDs and any departmental or application-specific logins created by OIT for the purposes of web content publishing.
  • All accounts used for web publishing shall conform to the University’s Account Management and Password Management policies.
  • Any website or online form that requests a username and password for authentication must do so over a secure (SSL/TLS) connection for both the username/password entry and the actual form submission process. See Section 3.4 for more details.
  • A web site’s home page should clearly identify the person or unit responsible for its creation and maintenance. It is recommended that any sub-pages linked from the site’s home page should contain similar information.

3.1 College and Departmental Web Pages

Non-OIT web servers that are maintained and operated by a college or department are subject to all University policies regarding server configuration, security, account management, and content as defined in the following policy documents:

  • Network Connectivity Policy
  • Account Management Policy
  • Password Management Policy
  • Safeguarding Sensitive and Confidential Information Policy
  • Web Application Development Policy

At the University’s discretion, College and Departmental web servers may be included in the University’s overall search engine indexing and website statistics gathering processes.

3.2 Personal Web Pages

There are numerous services available to the campus community that facilitate the publishing of personal web pages. Some examples include:

  • MSUWeb “public_html” folders available to all faculty, staff, and students with an active MSU NetID.
  • Faculty/staff cover pages on the main University website.
  • The Blackboard learning management system (course content, student portfolios, discussion groups.)
  • Various college and departmental web servers that allow personal web pages.
  • Personal computers with web server software installed (note: access to these web servers is restricted by the University’s firewall to on-campus traffic only.)

Individuals who utilize one or more of the above services to publish web content are subject to all of the policies herein, as well as all other University computing policies, and state, federal, and local laws.

3.3 Copyright

All web publishers are required to respect the intellectual and creative property rights of others and abide by all applicable policies and guidelines for fair use of copyrighted materials.

3.4 Online forms and Transactional Web Pages

Various colleges, departments, and Administrative units have a legitimate need to collect and process information using online forms and transactional web pages. Some examples include WESS online registration, applications for Financial Aid, Graduate School applications, event/seminar registration, and surveys. The following rules apply to any online form or transactional web page, whether it is hosted on an OIT-operated web server, college or departmental web server, or an individual’s web server.

  • Individual (personal) web pages may NOT be used to gather personally identifiable information such as MSU NetIDs and passwords, Social Security numbers, home address, or any other personal identity information as defined by applicable state, federal, and local laws.
  • Colleges, departments, and Administrative units needing to gather personal identity information may only do so using web forms or transaction systems that have been provided by OIT for this purpose or have been evaluated by OIT for security and privacy compliance.
  • Any online form or transactional website must clearly state on the site what will be done with the information collected, and provide a link to the University’s privacy policy.
  • All transactional websites must comply with University policies regarding server configuration, security, account management, and content as defined in Section 3.1 above.
  • Online forms and transactional websites should only collect the minimum amount of information that is required to complete the form or transaction.
  • Where possible, give users the option of not identifying themselves.
  • Clearly state who is collecting the information and provide context so that users are aware why it is being collected.
  • Use and disclose personal information only for the primary purpose for which it was collected, and in accordance with the University’s Safeguarding Sensitive and Confidential Information policy.

Computer Lifecycle Policy
Mon, 13 Aug 2018

In order to ensure that University personnel have access to the current computing technology required to fulfill the responsibilities of their jobs, the “Computer Lifecycle Replacement Program” was instituted in 2003. The program provides for scheduled replacement of computers for full-time faculty, full-time staff, eligible permanent percentage of time staff, and computing laboratory facilities every 60 months.

Eligibility for the program is determined by the Information Technology Division’s Assistant Vice President of Technical Support Services in accordance with this policy which is reviewed annually by the Vice President of Information Technology in collaboration with the University’s Vice Presidents and Academic Deans.

Please Note: We have extended all leases acquired before May 2021 by 12 months to fit the new 60-month lifecycle and have moved to a purchase program.

Replacement Terms

  • Computers are typically replaced every five years, a duration that corresponds to industry benchmarks for the useful life of laptop and desktop computer systems.
  • Prior to the end of the typical 60-month term, those with a lifecycle program asset in their possession will be contacted by the IT Support Services Manager or local support tech team, via email, to select a replacement computer and to establish a date for the equipment exchange.
  • The Computer Lifecycle Replacement Program will cover normal wear and tear replacement during the course of the program. Damage outside of normal wear and tear is the responsibility of the user or department.
  • All program equipment (including cables, mouse, keyboard, and other items delivered with the computer) must be returned to the University. There is no option to purchase Lifecycle Replacement Program computers.
  • Replacement of computers is subject to available funding.

User Responsibility

University personnel is expected to exercise care to assure against theft and damage of equipment provided to them. In situations where negligence or violations of this policy result in damage or loss of equipment, the cost for its repair or replacement will be the responsibility of the employee and/or department. Stolen equipment requires a police report.

Equipment is provided to University personnel exclusively for their use. Its use by others is prohibited except for occasional use by other University personnel who are eligible to participate in the Lifecycle Replacement Program. In certain instances, the equipment can be reallocated to another employee at the University but only with the prior documented permission of the Assistant Vice President of Technical Support Services.

Upon separation from the University, for any reason, the Lifecycle Program equipment must be returned to either the IT Service Desk or the local technical support teams in the Academic Unit.

It is prohibited to affix stickers, adornments, or to alter anything on the body of the equipment that could affect the value of the machine when it is returned to the leasing vendors.

Replacement Policies

In order to contain costs and realize maintenance and support efficiencies, the University community is provided with a list of approved computer systems from which to choose. The equipment standards are developed by an ad hoc committee recruited by the Vice President for Information Technology from among the various administrative and academic units that comprise the University. The Committee is charged to review the hardware options available in relation to campus needs and to recommend specific hardware configurations that best meet the features and functionality requirements of the University overall.

Default Equipment

The default computer platform for the Computer Lifecycle Replacement Program is one PC (Windows) laptop or desktop listed among the standard computer configurations. Please refer to our for a listing of approved configurations.

Exceptions to the Standard Build and Configurations

Please see the following processes:

  • Protocol for Workstation Approval

Quarterly Non-default Workstation Inventories

On a quarterly basis, IT will distribute inventories of non-default (Apple or Advanced Windows) workstations assigned to individuals along with upcoming renewal dates, to the Deans, Vice Presidents, and Technology Directors/Coordinators for their future reference when reviewing requests for non-default workstations.

Replacement Process

In order to request replacement equipment as part of the Computer Lifecycle Replacement Program, you must log into the ServiceNow (SNOW) Self-Service portal that can be found at . You can request a replacement up to sixty (60) days before the equipment is due back to be replaced.

  • Select Hardware Request and then follow the prompts to request a replacement device.

Once your request has been submitted, it will be reviewed by Information Technology or your local technology team. Once it is approved, the replacement process will begin.

Requests for Non-default Workstations (Advanced or Higher Windows Machines, Apple Equipment) will require a submitted justification, approval from your local tech teams or Assistant Vice President, and approval from the Dean or Division Vice President.

Web Development /policies/all-policies/web-development-policy/ Mon, 13 Aug 2018 19:39:26 +0000 http://www.montclair.edu/university-policies/?post_type=policies&p=256

1. Purpose

精品成人福利在线 University’s Information Technology Division (IT) has adopted a web application development platform consisting of specific operating systems, web servers, databases, and programming tools that can be used to host web applications developed in-house or by outside contractors. The purpose of this document is to define the components of the University’s supported web development platform, coding standards, and testing and approval process so that applications can be developed in a manner consistent with accepted interoperability and security practices and be fully compatible and supportable in our environment.

2. Scope

Any University division, department, or individual that develops applications that will run on IT or departmental computing platforms. This includes both web-based and traditional client/server based applications.

3. Acceptable Technologies

In general, in-house developers or outside contractors hired to develop custom web-based applications for use on IT supported servers should develop those applications using open standard protocols, languages, and tools. IT defines open standard to mean:

“A technology whose specifications are published and freely available, (ex. HTML, XML, PHP, Java) and sufficiently detailed such that applications written according to the specification will work with any other software or platform designed for compliance with said specification.”

The list of acceptable open-standards technologies that are supported by IT include but are not limited to:

  • Java / JSP / JavaEE (Java is IT’s preferred platform for all application development)
  • PHP 5 or later.
  • W3C standards-compliant HTML, XHTML, CSS, DHTML, XML, DOM.
  • Javascript/ECMAScript
  • Python
  • Ruby
  • SSL/TLS
  • Apache/Tomcat
  • SQL standards such as SQL-92, 99, or 2003 (vendor-specific SQL extensions should be avoided)

Note: Web developers intending to use any technologies other than those listed above must consult with IT before any development work begins. IT cannot guarantee application compatibility with our existing infrastructure if non-supported technologies are used for development or deployment.

4. Platform and Functionality Considerations

To ensure application compatibility within MSU’s campus computing infrastructure, web application developers should keep the following in mind:

  • Production web applications servers at MSU primarily use Apache 2.x on Linux, Solaris and Windows Server platforms.
  • Microsoft’s IIS web server and/or Active Server Pages (ASP) technologies are supported only when required by third-party applications.
  • While IT primarily uses Apache Tomcat, all Java web application code must be written to run in any J2EE 6 or higher-compliant web application container architecture.
  • Microsoft SQL server is supported by IT for traditional client-server database applications. However, the preferred database platforms for web-based applications are Postgres, MySQL, and Oracle 11g.
  • Web-based applications must support recent versions of all popular web browsers, including Mozilla Firefox 17 or higher, Internet Explorer 10 or higher, and Safari 5 or higher. Adhering to W3C web standards is the best way to ensure this compatibility.
  • Any user authentication mechanisms must provide an encrypted (SSL) HTTPS connection for the login screen to avoid transmitting username and password information in plain text. IT can provide SSL certificates upon request.
  • Authentication mechanisms that utilize MSU NetIDs must be done via an encrypted, anonymous bind to the campus LDAP server. Where applicable, user authorization should be handled via LDAP groups.
  • Any file transfer operations, SQL queries, or directory service lookups must occur over a secure channel such as SSL, SFTP, or SCP.

5. Application Verification Testing and Development Lifecycle

  • Applications should be designed based on the platforms, tools, and data connectivity guidelines presented in this document and other related University policy documents such as Safeguarding Sensitive and Confidential Information and Secure Directory Services Access for User Authentication and Authorization.
  • Functional requirements for applications should consider all appropriate University policies, industry guidelines, and state and federal regulations for secure access, handling of sensitive data, and protection of personally identifiable information (PII) or financial records. Examples include HIPAA, FERPA, and PCI-DSS.
  • Whenever possible, application development will be performed in a secure ‘dev’ or ‘test’ environment that is isolated from the Internet and may have limited or no access to the University’s production server farm and campus network.
  • Prior to moving an application from the dev/test environment to production use, the application will be scanned by IT’s Systems and Security Group for known security vulnerabilities using automated tools such as WebInspect, AppScan, or other commercial and open-source utilities. Application developers are encouraged to request periodic security scans during the development process (i.e. at each milestone of the project) to pro-actively address security vulnerabilities and reduce the likelihood of issues arising during the final pre-production scan.
  • When the pre-production application scan has been completed, the application will be moved into the appropriate production environment and any required external firewall rules for remote communication will be enabled.
  • IT’s Systems and Security Group will periodically re-scan applications that are in production use to ensure that they are not vulnerable to new attack methods.
Secure Directory Services Access /policies/all-policies/secure-directory-services-access/ Mon, 13 Aug 2018 19:22:46 +0000 http://www.montclair.edu/university-policies/?post_type=policies&p=253

1.0 Purpose

精品成人福利在线 University maintains two primary directory services for user login authentication and authorization: Sun Enterprise Directory (LDAP-compliant directory) and Microsoft ActiveDirectory. All faculty, staff, and currently-enrolled students have a unique “NetId” based on their last name plus first initials (plus digit for student accounts) and an encrypted password.

2. Scope

Any in-house developed or third-party vendor applications, either hosted at the University or provided as a Software as a Service, that need to perform user login authentication/authorization against the University’s LDAP and/or ActiveDirectory services must do so using industry-standard secure access protocols. In-house or third-party vendor applications, toolsets, or programming libraries may not record or archive MSU NetID passwords, either in encrypted or non-encrypted form, on any server or storage medium. Any web form that provides a login page for users to enter their NetID and password must be served over a secured HTTPS connection using an SSL certificate issued by an industry-recognized Certificate Authority.

University data security policies require that all data communications between applications and the directory service that pass authentication information (i.e. usernames/passwords) -must- occur over a secure connection. The preferred security mechanism is “LDAP over SSL” (LDAPS) but the application should also be capable of supporting StartTLS (LDAP ver. 3) as the University will be converting to that mechanism in the future.

3. Policy

All applications developed in-house or delivered by a third-party vendor will be audited by IT security personnel prior to production deployment to ensure that the above data communications policy guidelines have been met. Periodic audits may occur after application deployment to ensure that compliance is maintained.

Account Management /policies/all-policies/account-management-policy/ Mon, 13 Aug 2018 19:20:14 +0000 http://www.montclair.edu/university-policies/?post_type=policies&p=250

1.0 Purpose

The purpose of this policy is to establish a standard for the administration of computing accounts that facilitate access or changes to 精品成人福利在线 University information resources. An account, at minimum, consists of a user ID and a password. Supplying account information will usually grant access to some set of services and resources. This policy establishes guidelines for issuing and managing accounts.

2.0 Scope

This policy is applicable to those responsible for the management of user accounts or access to shared information or network devices; information can be held within a database, application or shared file space. This policy covers departmental accounts as well as those managed centrally by the Information Technology Division.

3.0 Policy

Server Owners and Application Administrators are responsible for ensuring that all accounts at the OS level or within a particular application are created according to the following procedures:

3.1 Account Provisioning and Access Control Standards

Accounts that access electronic computing and information resources require prudent oversight. The following security precautions should be part of account management:

  • All accounts must have a password that adheres to the practices outlined in the Password Management Policy document.
  • Any account that is not used for interactive login or authentication must be “locked” or “disabled” according to the definition of those terms for the particular OS in question.
  • Prior to creating a user account, that user’s affiliation with the University must be verified by the sponsoring unit or division (i.e., Human Resources, Registrar).
  • Users must attend all appropriate application or data handling training courses prior to their account being activated.
  • Accounts for individuals not affiliated with the University must have prior approval from IT.
  • There may be only one user associated with an account. Users may NOT share an account.
  • Accounts should not be granted any more privileges than those that are necessary for the functions the user will be performing. When establishing accounts, standard security principles of “least required access” to perform a function must always be used, where administratively feasible. For example, a root or administrative privileged account must not be used when a non-privileged account will suffice.
  • Directory and file permissions should be set correctly to prevent users from listing directory contents or reading, modifying, or deleting files that they are not authorized to access.
  • Account setup and modification shall require the signature of the account requestor, the requestor’s immediate supervisor, the data owner and the Office of Information Technology.
  • The organization responsible for a resource shall issue a unique account to each individual authorized to access that networked computing and information resource. It is also responsible for the prompt deactivation of accounts when necessary, i.e., accounts for terminated individuals shall be removed/disabled/revoked from any computing system at the end of the individual’s employment or when continued access is no longer required; and, the accounts of transferred individuals may require removal/disabling to ensure changes in access privileges are appropriate to the change in job function or location.
  • The identity of users must be authenticated before providing them with account and password details. If an automated process is used, then the account holder should be asked to provide several information items that in totality could only be known by the account holder. In addition, it is highly recommended that stricter levels of authentication (such as face-to-face) be used for those accounts with privileged access (e.g., user accounts used for email do not require an identity validation process as thorough as for those user accounts that can be used to post information to public web pages or modify department budgets).
  • Passwords for new accounts should NOT be emailed to remote users unless the email is encrypted.
  • The date when the account was issued and its expected expiration date (if applicable) should be recorded in an audit log.
  • All managers of accounts with privileged access to University data must sign a Confidentiality Agreement that is kept in the department file under the care of a Human Resources representative or liaison.

3.2 Managing Accounts

  • All accounts shall be reviewed at least annually by the data owner to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. IT Security may also conduct periodic reviews for any system connected to the 精品成人福利在线 University network.
  • All guest accounts (for those who are not official members of the University community) with access to computing resources shall contain an expiration date of one year or the work completion date, whichever occurs first. All guest accounts must be sponsored by the appropriate authorized member of the administrative entity managing the resource.
  • For access to sensitive information managed by a department, account management should comply with the standards outlined above. In addition, naming conventions must not cause contention with centrally managed University NetIDs. Should the potential for contention arise, the account will not be created until a mutually satisfactory arrangement is reached.
  • The identity of users must be authenticated before providing them with ID and password details. In addition, it is required that stricter levels of authentication (such as face-to-face) be used for those accounts with privileged access.
  • Account management should allow for lock-outs after a set number of failed attempts (ten is the recommended number). Access should then be locked for a minimum of one hour unless a local system administrator intercedes. Lock-outs should be logged unless the log information includes password information.
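The lock-out rule in the last item above, as an added example (not the University's code): a per-account tracker that locks after ten failures for one hour, lets an administrator intercede, and logs lock-outs without ever handling the submitted password. The class and function names, the in-memory state and the sample account and address are assumptions made for illustration.

```python
import logging
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

MAX_FAILED_ATTEMPTS = 10      # policy 3.2: ten is the recommended number
LOCKOUT_SECONDS = 60 * 60     # policy 3.2: locked for a minimum of one hour

log = logging.getLogger("account.lockout")


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None


class LockoutTracker:
    """Hypothetical in-memory tracker; a real service would persist this state."""

    def __init__(self, known_accounts: Iterable[str],
                 clock: Callable[[], float] = time.time):
        self._known = set(known_accounts)
        self._clock = clock
        self._state: Dict[str, AccountState] = {}
        self.audit: List[dict] = []   # entries that would go to the audit log

    def _record(self, event: str, account: str, source: str) -> None:
        # Only fixed, non-secret fields are logged. The submitted password
        # never reaches this class, so it cannot end up in a log line.
        self.audit.append({"time": self._clock(), "event": event,
                           "account": account, "source": source})
        log.warning("%s account=%s source=%s", event, account, source)

    def is_locked(self, account: str) -> bool:
        st = self._state.get(account)
        if st is None or st.locked_until is None:
            return False
        if self._clock() >= st.locked_until:
            del self._state[account]   # lock expired: counting starts again
            return False
        return True

    def attempt(self, account: str, verify: Callable[[], bool],
                source: str) -> str:
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if account not in self._known:
            # Users sometimes type a password into the username field, so an
            # unknown identifier is neither tracked nor written to the log.
            return "failed"
        if self.is_locked(account):
            return "locked"            # credentials are not checked while locked
        if verify():
            self._state.pop(account, None)   # success resets the counter
            return "ok"
        st = self._state.setdefault(account, AccountState())
        st.failures += 1
        if st.failures >= MAX_FAILED_ATTEMPTS:
            st.locked_until = self._clock() + LOCKOUT_SECONDS
            self._record("lockout", account, source)
            return "locked"
        return "failed"

    def admin_unlock(self, account: str, admin: str) -> bool:
        """A local system administrator intercedes before the hour is up."""
        if self._state.pop(account, None) is not None:
            self._record("admin_unlock", account, "admin:" + admin)
            return True
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: one known account, address from a documentation range.
    tracker = LockoutTracker({"jdoe1"})
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(tracker.attempt("jdoe1", lambda: False, "192.0.2.10"))
    print(tracker.attempt("jdoe1", lambda: True, "192.0.2.10"))  # still locked
    print(tracker.admin_unlock("jdoe1", "sysadmin"))
```

The `verify` callable is where the application's real credential check goes; because the tracker only sees its boolean result, the lock-out log cannot contain password information.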

4.0 Enforcement

Any member of our community found in violation of this policy is subject to disciplinary proceedings including suspension of system privileges, expulsion from school, termination of employment and/or legal action as may be appropriate and in accordance with the administrative handbooks and codes of conduct applicable to the individual’s role at the University.

5.0 Related Policies and Links

Google Drive Usage Policy and Support Agreement /policies/all-policies/google-drive-usage-guidelines/ Mon, 13 Aug 2018 19:16:19 +0000 http://www.montclair.edu/university-policies/?post_type=policies&p=247

The University has a contractual agreement with Google, Inc. to provide the Google Workspace for Education, including the components of GMail, Calendar, and Drive with Docs, Sheets, and Slides, for use by the campus community. As such, the Google Drive service is available to all MSU employees to provide file storage, sharing, and collaboration capabilities to complement the existing campus MSUFILES service. (MSUFILES provides a more traditional on premise file storage and sharing service in the form of a home directory for all users logged into the campus Microsoft Active Directory domain as well as departmental based sharing directories.)

Usage Policy

Google Drive use was previously permitted with a restriction on data classified as Private in the University’s Data Classification and Handling Policy. With the revision to this policy in May 2020, that restriction has been lifted and Google Drive with Docs, Sheets, and Slides may be used to collect, store, or share files that contain sensitive data. This includes data classified as Private with the exception of healthcare related data as managed by a Board of Trustees defined component area under the campus’ hybrid HIPAA designation. (Defined HIPAA component areas should consult the Healthcare Compliance Committee in regards to special BAA covered instances of Google Drive for this purpose.) However, it is critically important that all users working with sensitive (confidential or private) data take additional steps to ensure the proper protection of this data on Google Drive.

One of the additional benefits of Google Drive is the ability to share and collaborate on documents with entities external to the University such as research colleagues or third party vendors who would not normally have access to the campus MSUFILES service. As related to this benefit, MSU employees sharing files via Google Drive that contain sensitive information are responsible for ensuring that the files are shared only to appropriate and authorized internal and external recipients.

Support Agreement

Support for the Google Drive service is being offered through the IT Service Desk and will include basic end-user documentation and troubleshooting assistance. When using this service, users will be expected to leverage the online help resources provided by Google wherever possible. For online help and documentation please see the following web page:

In addition, Information Technology can make no guarantees of the stability or availability of the Google Drive service beyond the Terms of Service that are provided by Google as part of their Workspace for Education offering. Please see the following web page for additional detail:

Data Classification and Handling /policies/all-policies/data-classification-and-handling-safeguarding-sensitive-and-confidential-information/ Mon, 13 Aug 2018 18:05:35 +0000 http://www.montclair.edu/university-policies/?post_type=policies&p=234

Safeguarding Sensitive and Confidential Information

1.0 Purpose

In the course of their routine work-related activities, members of the University community will encounter sensitive and confidential information regarding other individuals, institutions and organizations. This policy establishes specific requirements for the proper classification and handling of sensitive and confidential information by members of the 精品成人福利在线 University community in order to ensure that the University maintains strict confidentiality in compliance with applicable requirements and regulations of the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA) of 1974 as amended, the Health Insurance Portability and Accountability Act (HIPAA), and other applicable federal and state privacy laws. Additionally, the Policy for Safeguarding Sensitive and Confidential Information is intended to help members of the University community determine what information can be disclosed to non-employees and how, as well as the relative sensitivity of information that should not be disclosed within or outside of 精品成人福利在线 University without proper authorization.

2.0 Scope

This policy pertains to the security and privacy of all non-public information including student information, employee information, constituent information and general University information whether it is in hard copy or electronic form. Accordingly, documents that include sensitive and confidential information such as social security numbers, dates of birth, student education records, medical information, benefits information, compensation, loans, or financial aid data, and faculty and staff evaluations need to be secured during printing, transmission (including by fax), copying, storage and disposal.

The information covered in this policy includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

All University employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to secure personally identifiable information and 精品成人福利在线 University confidential information. Questions about the proper classification of a specific piece of information should be addressed to your Dean or direct supervisor. Questions about this policy document should be addressed to the Information Technology Division.

3.0 Sensitivity Classification of Information Assets

All 精品成人福利在线 University information that is stored, processed or transmitted by any means shall be classified into one of four levels of sensitivity: Public, Internal, Confidential and Private. The sensitivity classification identifies information in terms of what it is and how access, processing, communications and storage must be controlled. If more than one sensitivity level could apply to the information the highest level (most restrictive) will be selected.

Note: A sensitivity classification shall attach to and follow the information to which it applies until such time that the classification is changed by the Data Owner/Custodian (see Glossary).

Public – (least restrictive) Information that has been declared public knowledge by University Counsel in response to a request for records under the New Jersey Open Public Records Act, N.J.S.A. 47:1A-1, et. seq. (“OPRA”), or by someone else who is duly authorized by the University to do so, and thus may be freely distributed. The disclosure, unauthorized access, or unauthorized use of Public information would not adversely impact the University, its students or staff, the state, and/or the public. Accordingly, information made public in official University publications or on the public facing 精品成人福利在线 website may be released without special authorization.

Examples of Public information include:

  • Board of Trustees actions
  • Faculty/staff bios
  • Course catalogs
  • Press releases and marketing materials
  • Email sent to campus-wide distribution lists unless otherwise stated in the email communication
  • NetIDs or email addresses (without corresponding password)
  • Student directory information, unless a student has requested such information not otherwise be disclosed.

Sensitive information is defined by 精品成人福利在线 University as any information that has not otherwise been expressly declared as public information. Sensitive information is categorized as either Internal, Confidential or Private, with corresponding increased levels of sensitivity and restrictions imposed on its handling and distribution. It is understood that some information classified as Internal/Confidential/Private may be more critical than others, and should be protected in a more secure manner in accordance with the categories identified below.

Internal – Information that is available to University employees with a legitimate educational or business interest in them to be used for official purposes but would not be released to the public unless requested pursuant to and authorized by 精品成人福利在线 business practices, consistent with applicable law. The disclosure, unauthorized access, or unauthorized use of internal information would have a limited adverse impact on the University, the State, and/or the public.

Examples of Internal information include:

  • Financial accounting information
  • Department project data such as construction plans that do not impact University security
  • Unit budgets
  • Purchase orders
  • Admissions metrics and statistics
  • Donor contact information and non-public gift amounts
  • Non-public 精品成人福利在线 policies and policy manuals
  • 精品成人福利在线 internal memos and email, non-public reports, budgets, plans, and financial information
  • Non-public contracts
  • Campus Wide ID’s (CWIDs) (without corresponding PIN or date of birth)

Confidential – Information of a sensitive nature that is available only to designated personnel or third parties with a legitimate business or educational interest in them. The disclosure, unauthorized access, or unauthorized use of confidential information would have a significant adverse impact on the University, the State and/or the public. Confidential information is information that is not available to the public under all applicable State and Federal laws, including but not limited to OPRA, the Family Educational Right to Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”).

Examples of Confidential information include:

  • Medical examiner and other non-PHI medical records
  • Passport and visa numbers
  • Export controlled information under U.S. laws
  • Criminal investigations, Campus Police records and evidentiary materials
  • Advisory, consultative or deliberative material
  • Victims records
  • Trade secrets and proprietary commercial or financial information obtained from any source, or information that is the subject of a non-disclosure agreement with the University.
  • Documents subject to attorney-client privilege
  • Administrative or technical information regarding computer hardware, software and networks which would jeopardize computer security
  • Emergency or security information for any building that would jeopardize the security of the building or persons therein
  • Security measures and surveillance techniques
  • Information that would give an advantage to competitors or bidders
  • Sexual harassment complaints and investigations
  • Grievances filed
  • Collective bargaining negotiations
  • Communications with insurance carriers or risk management officers
  • Information required to be kept confidential by court order
  • Social security numbers, credit card numbers, unlisted telephone numbers and driver’s license numbers
  • Certain pedagogical, scholarly and/or academic research records
  • Test questions, scoring and other examination data
  • Charitable contributions
  • Admission applications
  • Student records, grievance or disciplinary proceedings
  • Biotechnology trade secrets
  • Personnel and pension records
  • Student records other than directory information

Private – (most restrictive) All personally identifiable information (PII) pertaining to individuals that is protected by Federal or State law shall be Private. The disclosure, unauthorized access, or unauthorized use of Private information would have a significant adverse effect on the University, the State and the individuals whose information was disclosed. Exposure of certain Private information may require the University to report such exposure to various Federal and State agencies and/or Financial institutions as well as the individuals whose information was exposed.

Examples of Private information include:

  • Social Security numbers
  • Health information, including Protected Health Information (PHI) and any data covered under the Health Insurance Portability and Accountability Act (HIPAA)
  • Credit card account number, or debit card number and any required security code, access code or password that would permit access to an individual’s financial account (e.g. other cardholder data)
  • Personal financial information, including checking or investment account numbers
  • Driver’s license numbers
  • Health insurance policy ID numbers
  • Unlisted telephone numbers
  • Student directory information that a student has requested not to be disclosed
  • Student and employee ID numbers (CWIDs) combined with PINs and/or birth dates
  • NetID usernames or other account names combined with unencrypted password string

4.0 Handling and Distribution of Information Assets

Many employees generate or are exposed to sensitive University information and personally identifiable information (PII) in the course of their jobs and use it to perform important functions. It is vitally important that all employees handle such information properly. Often, such information contains personally identifiable data that places individuals at risk of identity theft. It may also contain proprietary information, research findings or other intellectual property.

Access to non-public, sensitive information is restricted to those who have a need to know as defined by job duties, and access is subject to University authorized approval. Anyone who receives non-public sensitive information has a responsibility to maintain and safeguard that information and to use it with consideration and regard for others. Circumventing or attempting to circumvent restrictions on the use and dissemination of internal, confidential, or private information is considered a serious offense and may be subject to discipline. If such information is received in error, the recipient has an obligation to alert the sender that they have received this information in error and to properly delete and/or destroy the received copy of the information.

The release or exchange of individual or University information may only be made by University employees in accordance with the guidelines outlined below. University employees and students may not divulge information regarding the University to an outside party except for a legitimate business, research or academic purpose. If information about the University has not been made public by the University, it should continue to be treated as sensitive.

In general, 精品成人福利在线 University personnel are expected to use common sense judgment and to handle data categorized as Internal, Confidential, and Private in an appropriate manner. If an employee is uncertain of the sensitivity of a particular piece of information, he or she should consider it Private by default and contact their Vice President, Dean or their designee, or direct supervisor for clarification before taking any action with regard to the information in question.

The guidelines that follow provide details on how to properly handle and/or distribute information with varying degrees of sensitivity, including acceptable electronic transfer and storage methods. Where applicable, disposal guidelines are given as well as the scope of potential penalty for deliberate or inadvertent disclosure.

Please note that these guidelines represent the most common use cases for the handling and distribution of University data and should be used as a reference only. Information in each category may necessitate more or less stringent measures of protection depending upon the specific circumstances and the nature of the information in question.

Public information

There are no specific restrictions on the distribution or handling of public information, although University personnel must respect all copyright, trademark and intellectual property rights of any data that they distribute.

Access: Anyone

Distribution within 精品成人福利在线 University: No restrictions

Distribution outside of 精品成人福利在线 University: No restrictions

Storage: No restrictions

Disposal/Destruction: Not applicable

Penalty for deliberate or inadvertent disclosure: None

Internal information

Internal information is considered non-public and should be protected from unnecessary exposure or transmission to parties outside of the University.

Access: 精品成人福利在线 University employees, or non-employees with signed non-disclosure agreements, who have a legitimate business or academic need to know.

Distribution within 精品成人福利在线 University: Standard interoffice mail, campus email, password-protected web site, or campus file sharing repositories.

Distribution outside of 精品成人福利在线 University: encrypted email, password-protected file, password-protected web site to retrieve encrypted file, secure electronic file transmission with file encryption.

Storage: Hardcopy must be stored in a physically secure area (i.e. locked file cabinet). Information may only be stored electronically on University-owned and maintained computers or on a remote site such as a cloud storage provider that is under contract with the University for such services. These services must be implemented with appropriate technical and organizational measures as necessary to safeguard the information, taking into account the nature, scope, context and purposes of processing, costs of implementation, and the risks of varying likelihood and severity to protect the rights of the individual. Regardless of physical storage location, it is recommended that files containing information classified as Internal be stored in an encrypted format. Acceptable forms of encryption are password protected files (i.e. Microsoft Office password protection) or a public/private key algorithm such as PGP or GnuPG.

Disposal/Destruction: Shred hardcopy; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including termination of employment, possible civil and/or criminal prosecution.

Confidential information

Confidential information should be protected to prevent unauthorized access or exposure by implementing appropriate technical and organizational measures as necessary to safeguard the information, taking into account the nature, scope, context and purposes of processing, costs of implementation, and the risks of varying likelihood and severity to protect the rights of the individual.

Access: 精品成人福利在线 University employees whose job functions require them to have and are approved by their supervisor to have access, and University vendors or consultants who have executed non-disclosure agreements with the University.

Distribution within 精品成人福利在线 University: Delivered direct – signature required, envelopes stamped confidential. Electronic files must be encrypted (and optionally signed) using a public key encryption algorithm such as PGP or GnuPG or be password-protected at the application level (i.e. signed PDF or Word document.) The encrypted/password-protected files can then be sent via email and/or secure electronic file transmission.

Distribution outside of 精品成人福利在线 University: Delivered direct; signature required; approved private carriers. Electronic files must be encrypted (and optionally signed) using a public key encryption algorithm such as PGP or GnuPG or be password-protected at the application level (i.e. signed PDF or Word document.) The encrypted/password-protected files can then be sent via email and/or secure electronic file transmission. Third parties who are handling and/or storing Confidential information must agree to abide by the University’s policies for safeguarding such information.

Storage: Hardcopies must be limited to the minimum number required. Hardcopies must be stored in a secure location at all times. Unless there is a critical business need, no portion of Confidential information should be stored locally on employee desktop or laptop computers beyond the Office of University Counsel. Confidential information may be stored on a University owned file server, central computing server, or on a remote site such as a cloud storage provider that is under contract with the University for such services. Regardless of physical storage location, confidential files must be stored in an encrypted format. Acceptable forms of encryption are password protected files (i.e. Microsoft Office password protection), an encrypted hard disk or folder, or a public/private key algorithm such as PGP or GnuPG.

Disposal/Destruction: All hardcopy must be cross-cut shredded and disposed of in specially marked disposal bins on 精品成人福利在线 University premises; electronic data should be expunged/cleared with a data scrubbing utility to ensure that portions of the original data cannot be reconstructed from the hard drive or other electronic storage medium.

Penalty for deliberate or inadvertent disclosure: Up to and including termination of employment, possible civil and/or criminal prosecution.

Private information

Private information has the highest level of sensitivity and represents the most risk to the University, the State, and individuals should such information be accessed by or exposed to unauthorized parties. Therefore, University employees who handle Private information or who use systems that store, transmit, or manipulate Private data are required to maintain the privacy of such information/data at all times.

Access: 精品成人福利在线 University employees whose job functions require them to have and are approved by their supervisors to have access, and University vendors or consultants who have executed non-disclosure agreements with the University.

Distribution within 精品成人福利在线 University: Delivered direct – signature required, envelopes stamped Private. Electronic files must be encrypted (and optionally signed) using a public key encryption algorithm such as PGP or GnuPG. The encrypted/password-protected files can then be stored on a central IT file server such as MSUFiles and access granted to authorized individuals using NetID group share permissions. Alternatively, secure temporary file storage with email notification to authorized users via the MSU FileHawk service may be used to provide access to Private information. Private information should not be sent via email attachment unless there is no other viable transmission method, and then only if the email message and any attachments are encrypted per-recipient using PGP or GnuPG. Password-protecting a file at the application level (ex. PDF or Word document) is not sufficient protection for Private information.

Distribution outside of 精品成人福利在线 University: Delivered direct; signature required; approved private carriers. Electronic files must be encrypted (and optionally signed) using a public key encryption algorithm such as PGP or GnuPG before transmission to an authorized entity outside of the University. File transmission of encrypted data should occur using a secure protocol such as SFTP, HTTPS, or SSH. Alternatively, secure temporary file storage with email notification to authorized users via the MSU FileHawk service may be used to provide access to Private information. Private information should not be sent via email attachment unless there is no other viable transmission method, and then only if the email message and any attachments are encrypted per-recipient using PGP or GnuPG. Password-protecting a file at the application level (ex. PDF or Word document) is not sufficient protection for Private information.

Storage: Hardcopies must be limited to the minimum number required. Hardcopies must be stored in a secure location at all times. No Private information may be stored locally on employee desktop or laptop computers, tablet, phone, or on any non-University device. Instead, Private information must be stored on a University owned file server, central computing server, or on a remote site such as a cloud storage provider that is under contract with the University for such services. Regardless of physical storage location, files containing Private information must be stored in an encrypted format. Acceptable forms of encryption include an encrypted hard disk or folder or a public/private key algorithm such as PGP or GnuPG. Password-protecting a file at the application level (ex. PDF or Word document) is not sufficient protection for Private information.

Disposal/Destruction: All hardcopy must be cross-cut shredded and disposed of in specially marked disposal bins on 精品成人福利在线 University premises; electronic data should be expunged/cleared with a data scrubbing utility to ensure that portions of the original data cannot be reconstructed from the hard drive or other electronic storage medium.

Penalty for deliberate or inadvertent disclosure: Up to and including termination of employment, possible civil and/or criminal prosecution.

5.0 Guidelines for Protecting Information Stored Electronically

All employees and users of networked computing devices on Montclair’s network are responsible for protecting the University’s information because their machines provide potential gateways to private information stored elsewhere on the network. Therefore, whether or not they deal directly with sensitive University information, employees should take the following steps to reduce risk of unauthorized disclosure of the University’s information:

  • Familiarize yourself with all University computing and security policies and Social Media Policy, and understand their implications for the information for which you are responsible.
  • Immediately advise your supervisor of any suspicious activity on your computer or a suspected information system security compromise and report the event to the University Help Desk for follow-up action.
  • Be mindful of how you are sharing or transmitting sensitive information across the network.
  • Do not share sensitive information via unencrypted/unsigned email. Unencrypted and unsigned email is not secure; it can be forged, and it does not afford privacy.
  • Do not publish sensitive information to unsecured web sites. All sensitive information on web sites must be encrypted and password protected.
  • Do not collect Confidential or Private information with web forms that are not secured via https connection with a valid SSL certificate.
  • Be certain your machine is always protected from viruses and other malware. Install anti-virus software on your computer and ensure that the software is set to automatically update its virus definitions regularly. (The Information Technology Division distributes the Sophos Antivirus tool at no charge. Please contact the University Help Desk for more information.)
  • Take precautions not to send anything by e-mail that you wouldn’t want disclosed to unknown parties. Recipients have been known to distribute information to unauthorized recipients or store it on unsecured machines, and viruses have been known to distribute archived e-mail messages to unintended recipients.
  • Theft of 精品成人福利在线 electronic computing equipment must be immediately reported to the University’s Police Department; loss or suspected compromise of 精品成人福利在线 sensitive data must be immediately reported to the Security Official within the Information Technology Division or the University Compliance Officer, or the University Privacy Officer, as applicable.
  • Ensure that functions that enable data sharing on an individual workstation are either turned off or set to allow access only to authorized personnel.
  • Be aware that information stored on laptop computers, tablets, smart phones and other similar mobile devices is susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure. Even networks using encryption are vulnerable to intruders.
  • Information that is categorized as Confidential or Private shall not be stored on a personal laptop, desktop, tablet, phone, or other end-user device.
  • Confidential and Private information should only be stored on centrally-managed IT servers or on a cloud service provider with whom the University has a contractual relationship for such service.
  • Employ passwords that comply with the University’s Password Management Policy.
  • Secure your passwords, and restrict access to them. Passwords written on a post-it in a work area, placed under a keyboard, or stored in an unlocked desk drawer are not safe from unauthorized access.
  • Never share your passwords or accounts.
  • Restrict file sharing on your computer to mitigate the risk of unintentionally granting access to unknown parties.
  • Apply system updates for your desktop systems and department servers’ operating systems and their integrated network services (e.g., e-mail and web browsers) in a timely manner.
  • Keep local applications updated and patched.
  • Encrypt sensitive files. Use IT Security-approved encryption methods only.
  • Ensure that remote access (from off campus) connections are done securely using HTTPS, SSH or VPN.

6.0 Enforcement

Any student or employee of the University found in violation of this policy is subject to disciplinary proceedings including suspension of system privileges, expulsion, termination of employment and/or legal action as may be appropriate and in accordance with the applicable employment handbook, collective bargaining agreement, and student code of conduct applicable to the individual’s relationship to the University.

7.0 Glossary of Relevant Terms and Definitions

Access Controls
Access Controls are methods of electronically and/or physically protecting files from being accessed by people other than those specifically designated by the owner.
Campus Email
The University’s official email system (mail.montclair.edu) operated by the Information Technology Division.
Data Custodian
The custodians of data are employees, departments, colleges, research centers, and extension offices responsible for the integrity, confidentiality and availability of the data. It shall be the responsibility of the owner or custodian of the data to classify the data. However, all individuals accessing data are responsible for the protection of the data at the level determined by the owner/custodian of the data. Any data not yet classified by the owner/custodian shall be deemed Private.
Data Owner
The entity to which the data belongs. For example, a person owns his/her social security number, date of birth, and address.
Encryption
Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms. PGP use within 精品成人福利在线 University is done via a license. GnuPG is freely available for most platforms.
Encrypted email
Electronic mail that has been encrypted and digitally signed using a public-key algorithm such as PGP/GPG.
Expunge
To reliably and irretrievably erase data from a storage medium such as magnetic disk or tape, or from electronic media such as flash memory. In most cases special software utilities are required to repeatedly overwrite data with random values to make subsequent retrieval of the original data impossible.
Personally Identifiable Information (PII)
The term “PII” refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important to recognize that non-PII can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual.
Physical Security
Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.
Secure Electronic File Transmission Methods
Includes Secure FTP (sftp), SecureCopy (scp) and SecureShell (ssh) protocols.
Unencrypted data (“clear text”)
Unencrypted data is able to be viewed as-is without the need for a password or software key and is often referred to as clear text.

8.0 Related Policies & Links

See also:


  1. US Senate Banking Committee, Financial Services Modernization Act, Summary of Provisions

  2. US Department of Education, Final regulations (4/16/2004)
Laptop Lending Policy /policies/all-policies/laptop-lending-policy/ Mon, 13 Aug 2018 16:00:28 +0000

Short-term laptop rentals are available for currently enrolled students at the University Libraries on the Bloomfield and Montclair campuses. They can be borrowed for four hours, with the option to renew a different laptop if available. All laptops must be returned to an authorized staff member at the same lending location from which they were checked out.

  • Laptops are available only to current 精品成人福利在线 students on a first-come, first-served basis, with a valid 精品成人福利在线 University ID. (Faculty or staff members needing a loaner laptop may request one from the IT Service Desk.)
  • Students may take the laptop outside the building and off campus, provided they care for the equipment properly and return it on time. Borrowers must follow all Computing Lab Policies and the Policy on Responsible Use of University Computing Resources.
  • The laptop must stay in the possession of the person who checked it out at all times. The borrower is responsible for the equipment if it is lost, stolen, or damaged.
  • Any problems with the device should be reported immediately to the authorized staff member at the same lending location.
  • Eating or drinking near the loaned laptop is not allowed.
  • Laptops do not have floppy or CD/DVD drives. Files saved on the desktop are erased when the laptop is restarted. Save files to an external drive or network share. Neither 精品成人福利在线 University nor the Division of Information Technology is responsible for any files lost in transfer via disks or network accounts.
  • Printing defaults to simplex and can be retrieved from printers in the designated print areas of the University Libraries. Print jobs are held for one hour and then discarded.
  • The laptop must remain powered on when returned so that staff can verify it is in good working order. This check may take 5–10 minutes, so be prepared to wait.
  • Potential damage fees include:
    • The replacement fee for lost or stolen PC laptops varies depending on the model and can be as much as $1000.
    • Liquid damage: Usually not covered by warranty; the replacement fee applies unless otherwise covered.
    • Other damages (such as LCD, chassis, keyboard): Based on actual repair costs.

Statement of Liability

  • By borrowing a laptop, the borrower agrees to these terms. Non-compliance can result in:
    • A $15 fine for each hour late; after four hours, the laptop is considered lost or stolen, and the borrower can be billed up to $1000 for replacement depending on the model.
    • If stolen, a police report will be filed, and the device may be prosecuted under federal and New Jersey laws.
    • Repeated late returns (more than three times) or damage may result in losing loan privileges for the semester or academic year.
    • Cases will be referred to the Dean of Students for adjudication under the University’s Code of Conduct, with sanctions ranging from probation to expulsion.
    • Charges for damage, late return, or loss will be billed to the borrower’s University account. A hold may be placed on the account depending on the charges.