.Use of Alzaytoonah University technology resources (computing services, networks, phones, etc.) is restricted to purposes related to the University’s mission of education, research, and public service. Access to technology resources is a privilege granted to all University faculty, staff, and students in support of their studies, instruction, duties as employees, official business with the University, and other University-sanctioned activities. Access may also be granted to individuals outside the University for Purposes consistent with the mission of the University. However, sponsorship of these accounts and their activities by a faculty member or University administrator is required. Requests for such access should be directed to the Information Technology Policy Office, Office of the President for Information Technology, accompanied by the reason for the access and the name and contact information of the sponsor.

RATIONALE:

Computers, network systems, and other technologies offer powerful tools for communication among members of the University community and of communities outside of the University. Such University assets will only be used in support of the University’s missions of research, instruction and learning, and community service.

When used appropriately, these tools can enhance dialog and communications. However, unlawful or inappropriate use of these tools reduces the amount of resource available to satisfy the University’s missions, and can infringe on the rights of others. The University expects all members of its community to use information technologies in a responsible manner.

As long as they do not conflict with the precepts of institutional policy, campuses, schools, departments, colleges and other administrative units may issue ancillary technology policies and procedures that support organizational requirements.

POLICY:

Unless otherwise specified in this policy, use of Alzaytoonah University technology resources is restricted to purposes related to the University’s mission of education, research, and public service. Access to University technology resources is a privilege granted to University faculty, staff, and students in support of their studies, instruction, duties as employees, official business with the University, and other University-sanctioned activities.  Access to technology resources may be granted to individuals outside of Alzaytoonah University for purposes that directly support the missions of the University.

“Incidental personal use” is an accepted and appropriate benefit of being associated with Alzaytoonah University’s rich technology environment. However, this type of personal use must still adhere to all University appropriate use policies, and must never have an adverse impact on uses of technology and information resources in support of the University’s missions. The senior management of University departments and agencies has the responsibility to consider and publish statements defining the acceptable level of personal incidental use for members of their departments. An employee’s supervisor may also decide that personal activities are affecting the abilities of the employee or colleagues to perform job functions, and it is their right to ask the employee to cease those activities. University technology service providers will always place a higher priority on support of University-related activities over any form of non-related use.

DEFINITIONS:

Alzaytoonah University Information Technology Resources includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies; computing and electronic communication devices and services, including modems; electronic mail; phones; voice mail; facsimile machines, multimedia and hyper media equipment and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.

Personal incidental use: use of technology resources by members of the Alzaytoonah community in support of their non-University-related activities. For example, use of email to send personal messages to friends, family, or colleagues, and use of the personal home page (PHP) server to provide information about your personal hobbies or interests fall into the category of incidental personal use. If personal use impacts University operations or activities in any significant way, the user will be asked to cease those activities immediately. All direct costs (for example, printer or copier paper and other supplies) attributed to personal incidental use must be borne by the user.

PROCEDURES:

In cases of requests to use Alzaytoonah technology resources by outside entities where, the relation to Alzaytoonah activities and benefit to members of the Alzaytoonah community is unclear, the Computer Center Director, will determine whether the activity directly supports the missions of the University.

The Computer Center Director represents the University for these issues related to the Alzaytoonah and Alzaytoonah campus, and is also available to provide advice and policy interpretation to any member of the Alzaytoonah community in these situations.

RATIONALE:

Sources of funding supporting technology resources at Alzaytoonah University expect that these assets will only be used in support of the University’s missions of research, instruction and learning, and community service. Unrelated and inappropriate use reduces the amount of resource available to satisfy these missions.

POLICY:

As with any violation of Alzaytoonah University policies or standards of behavior, incidents of abuse or misuse of Alzaytoonah University information technology resources by members of the University community or by others not affiliated with the University will be reported to will be reported to the President.

DEFINITIONS:

Alzaytoonah University Information Technology Resources includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software, and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies, computing and electronic communication devices and services, modems, electronic mail, phone access, voice mail, Fax transmissions, video, multimedia and hyper media information, instructional materials, and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.

RATIONALE:

Computer use has become an essential part of most Alzaytoonah University activities. While much computing is now done on privately controlled computers (personal computers, workstations, and so forth) most information sources and telecommunications systems reside on shared, central computers, or use shared networks. Distributed resources such as microcomputer clusters provide additional computing tools.  The Computer Center at the University have responsibility for providing and maintaining shared computing tools.

POLICY:

Continued eligibility to use University technology resources by faculty, staff, and students will be tested automatically and periodically against official University sources, including employee databases, faculty records databases, and student enrollment databases. Other sources may be used where these databases do not accurately reflect ongoing affiliation.

Continued access and use of technology resources by persons not affiliated with Alzaytoonah University requires initial and periodic verification of need by a University department, faculty member or administrator. Requests must be accompanied by the reason for the access, the name and contact information of the sponsoring faculty member or administrator, and the length of time for which the access will be required.

Access to University technology resources by an employee or faculty may be immediately removed given a written request from the President or from the Dean/Senior executive administrator of the individual’s department or School, if the individual is terminated for cause and there is concern for safety of systems or data; if there is reasonable belief that the individual to whom the account is assigned has perpetrated or is involved in illegal activities or activities that violate University policy; or given a written request from the President.

Access to University technology resources by a student may be immediately terminated given a written request from the appropriate Dean or the President, if there is reasonable belief that the individual to whom the account is assigned has perpetrated or is involved in activities that are illegal or that violate University policy.

Any access to University technology resources may be disabled unilaterally by the technician responsible for the particular service, if processes in an assigned account are causing or will cause damage to systems or data, or are causing or will cause serious service degradation for other users.  Access will be restored as soon as possible after the threat has been removed, unless other provisions of this Policy are invoked.

Continued use of University technology resources by Alzaytoonah University retired faculty or staff is a recognized benefit of honorable service to the University community. This statement applies primarily to electronic mail and general purpose academic or research systems, and the service will be extended to retired account holders on these systems as long as the computing resource is available to support it. If resources become constrained, this practice will be reviewed and possibly restricted or eliminated in favor of allocating required resources to active faculty, student, or staff activities.

Use of University technology resources by spouses of faculty or staff who become deceased while on active appointment is a recognized benefit of honorable service to the University community. This statement applies primarily to electronic mail, and the service will be extended to retired account holders on these systems as long as the computing resource is available to support it. If resources become constrained, this practice will be reviewed and possibly restricted or eliminated in favor of allocating required resources to active faculty, student, or staff activities.

For individuals having access to institutional information systems and data, the appropriate data steward/manager will review the permissions and make a determination if the access should continue past the retirement date. Unless there are special circumstances where continued access to these data and systems by retired faculty or staff is required to support the unit’s University mission, such access should be removed immediately upon termination of active employment.

DEFINITIONS:

Alzaytoonah University Information Technology Resources includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software, and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies, computing and electronic communication devices and services, modems, electronic mail, phone access, voice mail, Fax transmissions, video, multimedia and hyper media information, instructional materials, and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.

PROCEDURE:

Requests for access to central campus computing and networking resources should be directed to the Computer center Director. The Director of Computer Center is also available to provide advice and policy interpretation to any member of the Alzaytoonah community in these situations.

Requests for access to other campus technology resources, such as teaching and learning technologies and software, should also be directed to the Computer Center Director.

Requests for use of other technology services (phones, copy machines, computers, etc.) within a specific departmental area should be directed to the Dean/Executive officer of the department in which the service is located.

Permanent Faculty may access and use Alzaytoonah IT resources until the termination of their affiliation with the University. Renewal is automatic and is based on official University faculty records databases.

Appointed Staff/Hourly Employees may access and use Alzaytoonah IT resources until the termination of their affiliation with the University. Renewal is automatic and is based on official University personnel records databases.

Retired Faculty/Staff may access and use Alzaytoonah IT resources as long as there are resources available to support their continued use. Renewal is automatic and is based on continued active account use and official University personnel records databases. If a resource supporting “active” users becomes constrained and the number of accounts belonging to retired members must be reduced, technology managers will use account longevity as the criteria for removing accounts as necessary to recover appropriate resource. These accounts will be the second candidates for removal in the case of constrained resources, after accounts of spouses of deceased Retired Faculty/Staff have been removed.

Family members of any of the above with no other affiliation to Alzaytoonah may access and use Alzaytoonah IT resources with written certification of involvement in activities directly benefiting Alzaytoonah University, from a Alzaytoonah  President, Dean, Director or Department Chair. However, final review and approval is reserved to the Office of the President. Accounts will be removed at the termination of the activity; however annual renewal is required.

Spouses of Faculty/Staff who become deceased while on active appointment may access and use Alzaytoonah IT resources as long as there are resources are available to support their continued use. Renewal is automatic and is based on continued active account use. If a resource supporting “active” users becomes constrained and the number of accounts belonging to spouses of deceased individuals must be reduced, technology managers will use account longevity as the criteria for removing accounts as necessary to recover appropriate resource. These accounts will be the first candidates for removal in the case of constrained resources.

Undergraduate & Graduate Students may access and use Alzaytoonah IT resources until they graduate or are not enrolled for two consecutive semesters (not including Summer). A student’s account will be disabled after 1 inactive semester, and archived after the last enrollment period of the second semester for which the student is not enrolled. Enrollment is determined by based on official University student databases.

Post-Doctoral Students may access and use Alzaytoonah IT resources until the termination of their affiliation with the University. Renewal is automatic and is based on official University graduate records databases.

Adjunct Faculty may access and use Alzaytoonah IT resources until the termination of their affiliation with the University. Renewal is automatic and is based on official University faculty records databases. It is important that departments ensure that adjunct faculty be reported to the Director of Computer Center office so that records are updated to reflect their affiliation.

Continuing Education Students may access and use Alzaytoonah IT resources until the last day of class or upon termination of enrollment, whichever is first. Renewal is automatic and is based on information supplied by Faculties.

Non-Alzaytoonah Research Collaborators may access and use Alzaytoonah IT resources with written certification of need from an Alzaytoonah research sponsor. Annual renewal for accounts held by Non-Alzaytoonah Research Collaborators is required.

Visiting Faculty may access and use Alzaytoonah IT resources until the termination of their visit to the University. Renewal is automatic and is based on official University faculty records databases. It is important that departments ensure that visiting faculty be reported to the director of computer Center so that records are updated to reflect their affiliation.

Visiting Students may access and use Alzaytoonah IT resources with a written request from Alzaytoonah Faculty member or academic faculty advisor. Renewal for accounts held by Visiting Students is required each semester.

Contract Employee/Consultant may access and use Alzaytoonah IT resources for the duration of their contract, with written certification of need from a departmental executive officer.

Persons associated with external entities under contract to Alzaytoonah University may access University IT resources if such access is necessary to full-fill their obligation to Alzaytoonah under the contract. The required computer and network access and limits thereon will be specifically defined in the associated contract. A sponsor must be identified on any computer accounts provided for this purpose, and the sponsor must be a full-time faculty or staff member in the Alzaytoonah department that is the primary beneficiary of the service or products provided under the contract.

RATIONALE:

Alzaytoonah University cherishes the diversity of values and perspectives endemic in an academic institution and so is respectful of freedom of expression.  The University does not condone censorship, nor does it endorse the systematic inspection of electronic files or monitoring of network activities related to individual activities.  However, there are legitimate reasons for persons other than the account holder to access computer files or computers or network traffic: ensuring the continued integrity, security, or effective operation of University systems; to protect user or system data; to ensure continued effective departmental operations; to ensure appropriate use of University systems; or to satisfy a lawful court order.

POLICY:

Stored computer information, voice and data network communications, and personal computers may not be accessed by someone other than the person to whom the computer account in which the information has been stored is assigned, or from whom the communication originated, or to whom the device has been assigned, outside of the provisions of this policy.  This policy covers:

Data and other files, including electronic mail and voice mail, stored in individual computer accounts on University-owned centrally-maintained systems;

Data and other files, including electronic mail and voice mail, stored in individual computer accounts on systems managed by the University;

Data and other files, including electronic mail or voice mail, stored on personally-owned devices on University property;

Data and other files, including electronic mail or voice mail, stored on University-owned computers assigned to a specific individual for their use in support of job functions; and

Telecommunications (voice or data) traffic from, to, or between any devices described above.

A technician or administrator may access or permit access to the resources described above, if he or she has written (verifiable email or paper) permission from the individual to whom the account or device or communication has been assigned or attributed; or in an emergency situation, has a reasonable belief that a process active in the account or on the device is causing or will cause significant system or network degradation, or could cause loss/damage to system or other users’ data; or receives a written authorization from the appropriate authority, for situations where there is reasonable belief that the individual to whom the account or device is assigned or owned has perpetrated or is involved in illegal activities using the accounts or device in question; or

receives a written authorization from the appropriate authority, for situations where there is reasonable belief that the individual to whom the account or device is assigned or owned has perpetrated or is involved in violations of University policy using the accounts or device in question; or receives a written request from the appropriate of a department to access the account of a staff or faculty member who is deceased, terminated, or is otherwise incapacitated or unavailable, for the purposes of retrieving material critical to the operation of the department; or receives a written request from the appropriate authority, on behalf of the parents or estate manager of a deceased student; or receives a written authorization from the appropriate authority, for situations where there is reasonable belief that a student to whom the account or device is assigned or owned has perpetrated or is involved in illegal activities using the accounts or device in question; or receives a written authorization from the appropriate authority, for situations where there is reasonable belief that a student to whom the account or device is assigned or owned has perpetrated or is involved in violations of University policy using the accounts or device in question; or receives a legal court order and subsequent direction the president, or receives other legal documents and subsequent direction from the President.

In the event that University officials are notified of a University or law enforcement investigation for alleged misconduct or illegal activity on the part of a member of the Alzaytoonah community, contents of an individual’s e-mail, other computer accounts, office computer, or network traffic may be copied and stored to prevent destruction and loss of information, pending formal review of that material.  Subsequent release of the stored materials must be in accordance with the above-specified criteria.

Except when inappropriate or impractical, all efforts will be made to notify the involved individual prior to accessing the computer account or device, or before observing network traffic attributed to them.  Where prior notification is not appropriate or possible, all efforts will be made to notify the involved individual as soon after the access as is possible.

System-generated, content-neutral information (“metadata”) may be used for the purposes of monitoring system and storage utilization, problem troubleshooting, security administration, technology abuse or misuse incident investigation, and in support of formal audits.   This information includes operating system logs (i.e., record of actions or events related to the operation of the system or device), user login records (i.e., what usernames were used to connect to Alzaytoonah University systems, from where, and when) dial-up logs (i.e., who connected to Alzaytoonah University modems, from where, and when), network activity logs (i.e., what connections were attempted or completed to Alzaytoonah University systems, from where, and when), email logs (i.e., who sent email to or from Alzaytoonah University email systems, and when), and auditing logs (i.e., records of what actions were taken on Alzaytoonah University systems, against what resources or applications, and when).

Any intrusive or restrictive actions taken by the University related to information technologies will be in accordance with guidelines and procedures set forth in other applicable University policies, codes, or laws.   University policies include (but are not limited to) the Code of Student Ethics, the Academic Handbook, administrative procedures and policies, and technology appropriate use policies.

APPLICABILITY:

This policy applies to all Alzaytoonah University faculty, students, and staff, including employee supervisors and administrators and computer and network technicians who have been assigned the task of maintaining Alzaytoonah University information technology systems in central campus computing center or in departments.

PROCEDURE REFERENCE:

Where possible and feasible, technicians receiving requests for access to computer accounts, files, or network traffic by persons other than the account holder will consult with Computer Center Director prior to granting the access.   The Director will ensure that that the provisions of this policy have been followed.

Court orders and other legal documents directing that access be afforded to law enforcement agencies will be delivered to Alzaytoonah University President.  Should such documents be served on individual system technicians or other persons, the document should immediately be sent to University President for review.

RATIONALE:

Sources of funding supporting technology resources at Alzaytoonah University expect that these assets will be used equitably and only in support of the University’s missions of research, instruction and learning, and community service. Unrelated and inappropriate use reduces the amount of resource available to satisfy these missions.

On occasion, individual users or processes may be identified as using what appears to be, in comparison with other users and processes on the same system or network, an inordinate amount of technology resource. These situations cause sometimes-significant degradation of service to other users.

POLICY:

Persons whose Alzaytoonah University-mission-related activities are consuming an inordinate amount of Alzaytoonah University technical resource will be contacted by the appropriate responsible Team Head and adequate alternate arrangements for fulfilling the requirements of the project will be identified (where possible and feasible).

Persons whose non-Alzaytoonah University-mission-related activities are consuming an inordinate amount of Alzaytoonah University technical resource will be contacted by the appropriate responsible Tem Head and asked to cease that activity.

DEFINITIONS:

“An inordinate amount of Alzaytoonah University technical resource”: a user or process is consuming a resource to a level such that service to other users is degraded, or where the actions of a user could cause degradation if the user is permitted to continue their practice or activity. Network engineers and systems administrators must use experience and knowledge of normal service usage patterns to make good decisions about standard or non-standard usage.

PROCEDURE REFERENCE:

The Tem Head will notify the user that they are consuming an unfair share of the resource, reporting to the user an appropriate metric by which they can gauge their use against that of other users. The user will be asked to describe their activity or purpose for the process or use. If there is a University-related activity involved, the manager or administrator should attempt to accommodate that user’s needs in a way that does not impact other users. At times, this may not be feasible and it may be necessary for the user to change the way they are operating. If the use is not related to University activities, the user should be asked to stop.

These are examples of instances where service managers may choose to establish usage limits. This is not an exhaustive list, and users must be aware of similar restrictions on services that they use:

1.         System CPU — individual server processes. Multi-user processes executing from individual user accounts can be a significant drain on system resources, especially of the server process is mis-configured or not written well. Unless there is a reason consistent with academics or administration of the University, no user should be running server processes from their personal computer accounts.

2.         Electronic mail — mass mailings. Sending electronic mail to a large number of recipients simultaneously can degrade the email service for all users. Alzaytoonah University has a bulk electronic mail policy, which must be reviewed prior to initiating such a mailing — if a large mailing otherwise satisfies the policy, the mailing should be broken into pieces with sufficient time between mailings.

3.         Network bandwidth — campus/Internet network. Individuals and personal computers can consume a large amount of the Alzaytoonah campus’ networks. For example, a popular file server on a residence hall computer can consume 15% of the campus network, simply handling traffic to-and-from that computer. Network administrators monitor traffic patterns, and will contact owners of devices that are using an unfair amount of network resource.

4.         Account usage — in instances where computer resource is becoming constrained and where resource augmentation is not feasible or possible, service managers may review account usage and remove and archive accounts for which there has been no activity for a period inconsistent with the normal use patterns for that service. Account holders should be made aware of specific procedures for a particular service, and where possible affected account holders should be informed of the intent to archive their account.

RATIONALE:

Computing and networking and other information technologies have become critical in support of most if not allAlzaytoonah University operations.  This dependence has resulted in a very large, very diverse, and very complex technology environment, which in turn has resulted in a greater opportunity for intrusion attempts.  At the same time, much more data is being stored, accessed, and manipulated electronically, and as the risk to systems increases, the risk of unauthorized disclosure or modification of personal, proprietary, or institutional data is also increased.  It is very important that everyone associated with providing and using these technology services is diligent in their administration and responsive to security threats.  It is also important that information related to intrusions, attempted intrusions, or other such incidents are shared so the event can be recognized and perhaps avoided elsewhere.

The use of automated scanners and break-in scripts makes it easy for someone to quickly scan entire networks for vulnerable systems. Systems that are not properly secured are likely to be discovered, and they will then be subject to intrusion.  Data on vulnerable/exploited systems WILL be compromised, altered, or destroyed.  Such systems may be used to compromise or initiate denial of service attacks against other University systems or systems at external sites.

POLICY:

Alzaytoonah University organizational units (campuses, departments, offices, affiliated agencies, etc.) operating technology resources are responsible for ensuring that those systems are managed securely.  This is required for all such systems, but is especially critical for those systems that support vital business functions and/or host sensitive personal or institutional information.

The University Information Technology Policy and Security Offices have the authority to develop and implement policies necessary to minimize the possibility of unauthorized access to Alzaytoonah University’s information technology infrastructure.  This entails establishing security resources, policies, guidelines, and standards, and to provide consulting services, for all Alzaytoonah University computer systems, telecommunications, or other information technology resources.

Team Heads and technicians within functional units are required to report any breaches or possible breaches of the security of Alzaytoonah University networks, systems, or data to the University Computer Center Director, per published procedures.  The University Information Technology Policy and Security Offices will assess the situation, and minimally provide advice as to appropriate response and reporting.  While circumstances will vary, response will be guided by published general procedures and will be the task of the reporting unit.

The University Computer Center have the authority to assume leadership, responsibility, and control of responses to unauthorized access to Alzaytoonah University’s information technology infrastructure, unauthorized disclosure of electronic information, and computer security breaches regardless of the Alzaytoonah University office involved.

PROCEDURES:

The following are generalized goal-oriented requirements; some may have multiple methods or solutions.  Attending to these is important for all systems, but is ABSOLUTELY CRITICAL for those systems that support vital business functions and/or host sensitive personal or institutional information.

(Numbers do not indicate sequence or priority; they merely provide a method to reference specific items.)

For a computer system to be managed securely, functional unit management must:

Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.

Hire technicians with the expertise necessary to appropriately maintain the hardware, operating systems, systems software, programs and other associated components of the systems to which they are assigned.

Ensure that technicians understand their responsibilities and the consequences of poorly managed systems (compromise of local or other systems, damage to data or systems, disclosure of sensitive data, potential legal liability for the department and Alzaytoonah University.

Provide necessary initial and refresher training to technicians as hardware or software components are revised or added.

Ensure that assignments and job plans account for time required for systematic and periodic audit and maintenance of systems.

For a computer system to be managed securely, functional unit technicians must:

Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.

Not choose operating systems that are known as being difficult to maintain and secure.

Use technical tools to take an “image” of any freshly installed operating systems in order to speed recovery in the case of a system compromise.

Remove or disable unneeded services and software, especially those that are network-accessible.

Log activities on the system:

Successful user logins, including the location from which the logins originated,

Unsuccessful login attempts, including the location from which the attempts originated,

Unsuccessful file access attempts, and

Successful file accesses for files and databases containing sensitive information.

Disable or secure remote access from system-to-system (e.g., rlogin).

Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within a timeframe commensurate with the level of risk (i.e., within 24 hours for high-risk, with 48 hours for medium-risk, and within 72 hours for low-risk).

Encrypt stored sensitive data where possible to minimize disclosure if the system is compromised.

Encrypt sensitive data being transmitted to-and-from the system where possible to ensure the data is protected in transit.

Deploy encrypted communications methods (e.g., Secure Shell) for user access to the system and for access via privileged accounts (e.g., “root”) from other than the console.

Technically limit access to local network addresses where possible (e.g., TCPWrappers) given the function or process being supported.

Scan computers for security vulnerabilities using available technical tools:

Regularly, at least every 30 days to ensure new vulnerabilities are identified promptly,

Immediately after installation/configuration of a new system is completed,

Immediately after introduction of a new operating system or an upgrade to a current operating system, and

Immediately after installation or upgrade of networking or other system software.

Install and maintain anti-virus software on operating systems for which Alzaytoonah University has licensed such software, and maintain current virus pattern files.

Subscribe to vendor and other advisory services applicable to the operating environment being maintained.

Provide access to only those persons who are otherwise eligible to use Alzaytoonah University technology resources, and require all users be identified and authenticated before access is allowed.

Limit access to needed services to only authorized persons.

Use different passwords for privileged accounts (“root”, for example) on various systems being maintained by the same technician(s).

Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities.

Ensure that all accounts require a password, and if technically possible, that there are automatic routines (dictionaries, pattern enforcers, etc.) that force the user to choose a good password initially and each time the password expires.

Implement a system such that all re-usable passwords are not sent over the network in clear-text, where technically possible.

Securely remove data from media once that data and/or device is no longer required, in order to prevent unauthorized disclosure of the data.

 Intrusion attempts, security breaches, or other technical security incidents perpetrated against University-owned computing or other information technology resources either attached to an Alzaytoonah University-operated telecommunications network or freestanding in a University office must be reported to the Director.

Team heads and/or technicians must:

Report any successful security breaches in order to obtain assistance, advice, or (minimally) for file in the central incident database.

Report any systematic unsuccessful attempts (e.g., login attempts, “probes” or “scans”).

Where feasible given the circumstances, reports should be sent as soon as the situation is detected; minimally the report should be sent as soon as possible thereafter.

Upon receiving a report of a security incident, the Director will:

Ensure that appropriate information is collected and logged per applicable procedures.

Immediately assess actual or potential disclosure or inappropriate access to institutional or personal information.

Report the situation to the President.

Consult with and/or assign the incident to a security engineer for further investigation as necessary.

Provide preliminary advice or comment to the functional unit technician as required.

Initiate steps to warn other Alzaytoonah University technicians if it appears that the situation has the potential to affect other University systems as well.

Perform or assist in any subsequent investigation and/or perform computer forensics as required.

The Team Head managing a system that has been compromised is ultimately responsible for making the determination if the system will be only restored and operations resumed, or if pursuit of the perpetrator is feasible and appropriate based on possible continued affect on operations.  Such investigation may be requested by law enforcement, and University Presidentl must be consulted to see if any such request is legally binding before a contrary decision is made to only recover the system and restore the service.

The Team Head managing a system that has been compromised is responsible for all monetary, staff, and other costs related to investigations, cleanup, and recovery activities resulting from the compromise, response, or recovery.

In order to protect University data and systems, as well as to protect threatened systems external to the University, the University Computer Center Director may place limits or restrictions on technology services provided on or from any University-owned or -managed system and network.

Limitations may be implemented through the use of policies, standards, and/or technical methods, and could include (but may not be limited to) usage eligibility rules, password requirements, or restricting or blocking certain protocols or use of certain applications known to cause security problems.

Restrictions may be deployed permanently based on continuing threat or risk after appropriate consultation with affected constituents, or they may be deployed temporarily, without prior coordination, in response to an immediate and serious threat.

Restrictions deployed temporarily will be removed when the risk is mitigated to an acceptable level, or where the affect on University functions caused by the restriction approaches or exceeds risk associated with the threat, as negotiated between the affected constituents and the Computer Center Director.

In order to protect University data and systems, as well as to protect threatened systems external to the University, the University Computer Center Director may unilaterally choose to virtually isolate a specific University system from University, campus, or external networks, given

Advance consultation with the President, where practical and where circumstances warrant.

Information in-hand reasonably points to the system as having been compromised.

There is ongoing activity associated with the system that is causing or will cause damage to other University systems or data or to assets of other internal or external agencies, or where there is a medium-to-high risk of such damage occurring.

DEFINITIONS:

 “Alzaytoonah University information technology resources” or “systems” includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies; computing and electronic communication devices and services, including modems; electronic mail; phones; voice mail; facsimile machines, multimedia and hyper media equipment and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.

Security breach — any successful unauthorized access to an Alzaytoonah University computer or system or network.

University-owned computing resources — computer and computer-related equipment acquired and maintained all or in part by funds through Alzaytoonah University.

Systematic unsuccessful attempts — continual probes, scans, or login attempts, where the perpetrators obvious intent is to discover a vulnerability and inappropriately access that device.

Very High Risk – response should be immediate:

Damage to the system or data is occurring, or

Attempts to exploit the vulnerability on that system are occurring, or

The vulnerability is currently being actively exploited against other similar technologies within the University; damage to systems and data is being experienced in those other incidents.

High Risk – response should be within 24 hours:

The vulnerability is known to exist on the system;

the exposure is currently being actively exploited against other similar technologies external to the University; damage to systems and data is being experienced in those other incidents.

Medium Risk – response should be within 48 hours:

The system is susceptible to the vulnerability given that the system is configured incorrectly;

the exposure is currently being actively exploited against other similar technologies external to the University; there is some potential for damage to systems and data.

Low Risk – response should be within 72 hours:

The system is susceptible to the vulnerability given that the system is configured incorrectly;

the exposure is currently being actively exploited against other similar technologies external to the University; damage to systems and data is possible but is not considered likely.

RATIONALE:

In order to ensure that University information systems and processes have a consistent view and that the outside world has a consistent view of the Alzaytoonah University population, accounts administration and management processes and procedures must be consistent.

POLICY:

Identity and eligibility to use Alzaytoonah University technology resources will be authenticated for all users. Level of identification and authentication will be commensurate with the capabilities and sensitivity of the specific resources they are using.

Each eligible individual obtaining an account will have a University-wide unique username assigned, built from a standard format agreed to by all naming parties. All necessary steps will be taken to coordinate the assignment of usernames among ALL technical operations within the University where naming takes place.

All usernames will be three to eight characters in length. The required naming pattern/sequence is as follows:

The first initial of the first name followed by up to seven characters of the last name (e.g., csmith).

The first initial of the first name followed by the middle initial followed by up to six characters of the last name (e.g., casmith).

The first initial of the first name followed by up to six characters of the last name, followed by a numeric tiebreaker (e.g., csmith6).

Usernames will not be changed unless the individual’s name changes in the official University databases and the personally requests such a change, or in cases where there might be personal danger to the individual if they have a commonly derived username. Changes will also be allowed where the combinations of characters result in an objectionable name or term. Vanity username changes will not be permitted.

To ensure optimal use of resources and to address security concerns, accounts databases will be kept clean. That is, published eligibility criteria will be consistently applied, testing procedures will be applied at required intervals, and appropriate account removal and archiving tasks will be performed as required.

All accounts will be directly assigned to single individuals based on eligibility rules, and those individuals will be the sole contact and have sole responsibility for all actions taken with and in that account.

Account holders who leave their accounts active and unattended will be charged with a violation of University policy. They may also be charged with more serious violations if others use their unattended account for more serious infractions.

Passwords are assigned to individuals, and never will Accounts or System Administrators, supervisors, or any other agent of Alzaytoonah University ask for or require a user to give them their password for any reason. Only the account owner will know the password for computer accounts assigned to them. Circumstances under which Accounts or System Administrators or other any other person can learn or obtain the user’s assigned password must be minimal in the extreme, and where possible initially assigned passwords must expire causing the user to choose a new one that only they know.

All account holders will read and agree to a set of responsibilities BEFORE they gain control of their account.

Individuals may have multiple accounts assigned to them. Requests for such accounts must be reviewed and the reason for them must be consistent with activities related to Alzaytoonah University functions. The individual to whom the accounts are assigned will be responsible for all actions taken with and in these accounts.

“Group” accounts (that is, those assigned to and used by members of an organization) will be created only in support of activities directly associated with Alzaytoonah University functions. A current full-time faculty or appointed staff member must identify himself or herself as the person responsible for management of and use of the account. When requesting or renewing the account, this “sponsor” will provide information stating their relationship to the group, outlining the group’s membership and affiliation/benefit to Alzaytoonah University, and an indication that they understand their responsibilities related to the use of the group account.

Accounts may be assigned to individuals not affiliated with Alzaytoonah University only in support of activities directly associated with Alzaytoonah University functions. A current full-time faculty or appointed staff member must identify himself or herself as the sponsor or contact related to the individual’s activities while they are at the University. When requesting or renewing the account, this “sponsor” will provide information stating their relationship to the individual, outlining the individual’s affiliation/benefit to Alzaytoonah University, and an indication that they understand their responsibilities related to the use of the individual account.

Accounts Administrators will retain all documentation related to computer accounts while the account is active, and for 1 year following the point at which the individual is no longer associated with Alzaytoonah University, or from the point where the organization having a group account has been dissolved.

The standard Alzaytoonah University identification number maintained in the official University employee or faculty or student information databases (“Student ID”, “Employee ID”, or “Faculty ID”) will be used to track account assignments. ID numbers assigned to accounts will be that of the account holder or account sponsor.

Extracts of student, staff, or faculty information in support of computer account administration activities or user directories will be taken from the official University sources.

Extracts of faculty/staff or student information in support of accounts administration activities or user directories will be used ONLY for this purpose. Secondary release of this information is not permitted without review and approval by the University Computer Center Director.

DEFINITIONS:

Alzaytoonah University Information Technology Resources includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software, and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies, computing and electronic communication devices and services, modems, electronic mail, phone access, voice mail, Fax transmissions, video, multimedia and hyper media information, instructional materials, and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.

PROCEDURE REFERENCE:

The University Computer Center Director will coordinate accounts administration procedures, and will develop and publish central account procedures and processes to be used on all campuses.

Individual campuses The Director will be responsible for local adherence to this policy, and for additional local processes, procedures, and additions to this and other accounts policies on their campuses as required.

RATIONALE:

Various network devices can be deployed to better secure or isolate network segments containing computer systems in departmental areas, or to extend the network so that more devices can be connected.   Such devices include (but are not limited to) hubs, switches, wireless access points, firewalls, network address translators, virtual private networks, and remote access servers.  These devices, if not deployed and configured correctly, can cause service interruptions and make network problems (in some cases) impossible to isolate and identify.  In addition, remote access services, if not properly secured, can give unauthorized users access to the University network.  It is important that installation of these devices be controlled and coordinated; University Information Technology Services Telecommunications maintains documentation of the entire network topology of the University, and must know about and approve the deployment of these devices.

POLICY:

University Information Technology Services (UITS) is responsible for the management of Internet Protocol (IP) address spaces assigned to Alzaytoonah University, including public addresses and private addresses.

Layer 2 devices may not be used to extend the University network beyond the room containing the data jack to which they are attached.

Layer 3 IP devices are often complex and difficult and time consuming to manage, individual departments are not permitted to deploy these services independently.   Deployment of these services and devices will be controlled by and coordinated with UITS.

Individual departments are not permitted to independently deploy remote access services, Virtual Private Networks or dial-in modem services.

Individual departments deploying wireless networks must do so in accordance with the prevailing UITS policies on such deployment.

DEFINITIONS:

IP Address spaces in this context means blocks of Internet Protocol address assigned to Alzaytoonah University by Internet addressing authorities.

Layer-2 Devices are Ethernet devices such as hubs, switches, repeaters, and Wireless Access Points (WAP).   These devices are often used to provide network connectivity to multiple machines in the same room using a single data jack.

Extending the network is defined as connecting something other than a single end-system to a part of the Alzaytoonah network.   For these purposes, an end-system is defined as a device (e.g., computer) that has no other network connections, physical or virtual, other than the physical link to the data jack.  Devices that extend the network include but are not limited to: Hubs, Switches, Routers, Firewalls, Wireless Access Points (WAP), Network Address Translators (NAT), Remote Access Servers (RAS), and Virtual Private Networking (VPN) servers.

Private IP addresses are local network addresses that are not routed on the Internet, so that connections to them from other devices on the Internet are not possible.  Public IP addresses are local network addresses that are routed on the Internet, so that connections to them from other devices on the Internet are allowed.

Layer-3 Devices are IP devices such as firewalls, Network Address Translators (NAT), and packet-filtering routers that isolate or conceal other devices from the rest of the network.

Remote access services are defined as any mechanism that allows a machine outside of the physical Alzaytoonah data network to appear as though it’s part of the Alzaytoonah network.  Typically this involves creating a link over either the data network or a phone line and assigning an Alzaytoonah address to the remote machine.  A common example of this is Remote Access Services, or RAS.

PROCEDURE REFERENCE:

Certain layer-2 devices, such as switches, are very common and pose little to no problems.  Therefore these devices are exempt from the Device Registration policy.  However, these devices should not be used to extend the Alzaytoonah network beyond the room of the data jack to which they are attached.  For example, using a WAP, wireless repeater, or a very long cable to provide network connectivity to an adjacent building is not acceptable.  Exceptions to this policy will be reviewed by UITS on a case-by-case basis.

If a department deploys a device that conceals the MAC addresses of the hosts behind it, the department will need to inform UITS of the number of hosts behind that device.  This occurs with Layer-3 devices such as routers and firewalls. The number of MAC addresses behind such a device must be registered with the Network Operations Center.

Requests for any exceptions to this policy should be sent to the Network Operations Center.

Contact the Network Operations Center to report/discuss needs for services that may be satisfied with Layer-3 devices.

RATIONALE:

Wireless networking must not be considered a replacement for a well-wired campus.  An exception is deployment in places where fixed wiring is not an option, due to building configuration, age, or location; i.e., where installing traditional wiring is either not possible or not practical.

Wired access speeds are likely to improve significantly faster than wireless technologies, and as applications that require higher bandwidth become commonplace, wireless network technology may not be able to provide a suitable conduit.  So, wireless should be seen as an augmentation to the physical wire plant, extending the network for general-purpose network access into zones of transient use such as common areas.  Wireless is only appropriate in cases where the number of users is limited and where there is a reasonable expectation that the users will have a higher-level knowledge of wireless issues.  Due to the shared bandwidth nature of wireless, it a given access point cannot support an unlimited number of users; the more users, the smaller the share of the bandwidth available to each.

Wireless is most appropriate at this time for the most pervasive applications – Web browsing and e-mail.

POLICY:

Wireless networking is an extension of the Alzaytoonah University network and as such falls under the technical and policy domain of the Computer Center Director.  University Information Technology Services will establish policy and procedures that will provide departmental flexibility while ensuring a high-quality, supportable, and secure telecommunications infrastructure.

PROCEDURE REFERENCE:

University Information Technology Services (UITS) will manage all wireless hubs, except those that are mobile, temporary, or serially-connected.

All UITS-managed wireless hubs will be connected via the VPN-secured system, unless a specific exception is granted.

 Ethernet traffic on VPN-secured wireless will be limited.  Specifically:

·         Only IP protocol will be supported.

·          No multicast traffic will be allowed.

·         SMTP (email) traffic initiated from a wireless connection will only be allowed if it is destined for the official Alzaytoonah mail servers.

·         Certain types of ICMP packets may not be allowed to originate from wireless connections (i.e. PING).

Departments planning to implement mobile, temporary, or serially-connected wireless hubs must notify the UITS NetworkOperations Center of such installations.  Only hubs pre-evaluated and approved by UITS will be used, and UITS will publish and maintain a current list of acceptable devices at an appropriate place on the UITS web site.  Upon request, UITS will make a site visit to assist departmental staff in determining the optimal location of equipment.  Where possible, hubs installed by departments must make use of the central VPN-secured system. Departments must contact the UITSNetwork Operations Center have their wireless networks added to the VPN-secured system.

If equipment installed by a department interferes with the wireless network maintained for the University by UITS, the configuration of that equipment will have to be changed to eliminate the conflict, or it will have to be removed.

Mobile, temporary, and serially-connected wireless networks that cannot be deployed to make use of the central VPN-secured system must be deployed using SSID (network name), and encryption key, and the network name and encryption keys must be changed at least every 60 days.  These parameters act as passwords for network use and should follow the guidelines for good passwords, and should not be easily guessable.  In addition, the wireless access point must be configured to allow only known Ethernet addresses.  Plans for the deployment of mobile, temporary, or serially-connected wireless hubs by departments must be reviewed by the University Information Technology Security Office to ensure that these requirements are met.

Several categories of devices use radio frequencies in the same range as 802.11b wireless Ethernet and therefore other devices that use the same frequencies may disrupt wireless communications.  Such devices include cordless phones, microwave ovens, and personal network devices using the emerging Bluetooth technology.  These interferences can be intermittent and very difficult to diagnose. UITS will resolve frequency conflicts between wireless access points; however, UITS will not be responsible for resolving problems resulting from non-network wireless devices.

DEFINITIONS:

VPN-secured on Alzaytoonah campus UITS has created a unified wireless subnet with a Virtual Private Network (VPN) gateway.  This assures that wireless users have a University account and also provides for secure encryption of the wireless data stream.

Users of the VPN-secured wireless network must use a VPN client to use the gateway.

Temporary Wireless Networks — If the need for a temporary wireless LAN arises, such as for a conference, departments can request that UITS install wireless equipment for a short time period.  Users of such ad hoc installations will be required to configure their wireless client with certain information (SSID, or network name, and encryption key). Such installations should be considered as insecure and users should be informed as such.

Mobile Wireless Networks — Some departments may wish to create a mobile lab that uses wireless network cards. Such mobile installations should follow the guidelines for temporary networks, above, and use the MAC address filtering capabilities of the wireless access point to only allow registered addresses to use the access point.

RATIONALE:

Electronic mail (“e-mail”) has become an essential tool for accomplishing the University’s day-to-day academic and administrative activities.

However, the ease at which an e-mail can be sent to one or thousands of recipients can be a disadvantage as well as an advantage.  There are millions of e-mail messages traversing through the University network daily. Most users are receiving dozens of e-mails per day, and some are receiving hundreds per day.  While much of this e-mail is appropriate to the activities of the recipient, more and more e-mail can be classified as Internet junk e-mail, often referred to as “Spam,” unsolicited bulk e-mail (UBE), or unsolicited commercial e-mail (UCE).  Mailings from marketers and anonymous sources on the Internet are increasing – users are being placed on marketing lists without their consent, and often if the user responds to ask to be removed, the volume of unsolicited e-mail simply increases because the validity of their e-mail address is confirmed

Thus, users of e-mail are getting used to discarding e-mails that do not have a direct relevance to them or to their activities.  Unfortunately, legitimate internal mailings often get lost amongst this flood of junk mail, reducing the effectiveness of e-mail as a tool for communication.

It is also very important that e-mail, like all other communication methods, be used in a collegial and constructive manner. Messages must be formed in ways that reduce the possibility of confusion as to source, destination, or intent, and in ways that show respect for others and tolerance of differences in culture, attitudes and opinions.

Administrative communications in e-mail carry the same business requirements as do communications on paper; for example, restrictions on access to data protected by statute, retention schedules, etc.  As requirements vary for different business processes, individual administrators and offices must understand what these requirements are related to activities in which they are involved.

Finally, e-mail should not be considered a completely secure method for transmitting sensitive information.  In the past, it has been said that e-mail should be considered as secure as sending a paper postcard.  While this isn’t exactly analogous, and e-mail can be secure under certain circumstances, this is a good rule from which to start.

POLICY:

Alzaytoonah University electronic mail (“e-mail”) users are required to comply with the law, University policies, and normal standards of professional and personal ethics, courtesy, and conduct.  All communications via e-mail will be consistent with all pertinent sections of the Code of Student Ethics, the Academic Handbook, and all other applicable administrative policies.

Under normal circumstances, when an individual’s affiliation with the University ends, eligibility to use a University-provided e-mail account also ends.  The University may elect to continue the account for use by the individual as necessary to further University missions.

Unless inappropriate use stems from technical or other problems outside of the individual’s control, persons to whomAlzaytoonah University e-mail accounts are assigned are responsible for actions taken with their accounts.  Accounts and account passwords are not to be sold, rented, or shared with any other person, including friends, family, roommates, supervisors, technical staff, vendors, etc.

Unless an individual or an organization has explicitly solicited anonymous input or comments, all communications sent using any Alzaytoonah University technology service or facility must clearly identify the actual sender by a valid address in the basic header (From:) or in the message text.   Forged communications are prohibited under any circumstance.

No one may state or imply in an e-mail that they represent or speak on behalf of Alzaytoonah University or any organizational element of Alzaytoonah University, unless they are tasked to do so by virtue of their assigned duties or they have been formally designated to do so by the Board of Trustees of Alzaytoonah University or by University executive administration.

Electronic mail will not be sent by members of the University community to persons with whom the sender does not have an established mutually-accepted personal, business, or academic relationship.

Sensitive institutional and personal information will not be sent via e-mail, unless specific steps are taken to confirm that the transmission is secure.

University electronic mail will not be used for personal commercial purposes or for personal financial or other gain.

All mailing lists supported by University resources will be owned and maintained by members of the Alzaytoonah University community, and each list will have a stated purpose and policy.  Mailing lists will be moderated so that inappropriate postings are intercepted and rejected, and electronic mailing lists will be protected as far as technically possible from commercial exploitation. Communications to mailings lists will be in accordance with the stated purpose and policy, and list members who consistently experience inappropriate postings may unsubscribe even if membership was initially required.  Requests from individuals to be unsubscribed from these and from voluntary lists must be honored.

PROCEDURE REFERENCE:

After technical verification is complete using system or other logs, and in accordance with other applicable policies and procedures, the incident will be reported to the appropriate University judicial officer for review and possible action.

DEFINITIONS:

Mutually-accepted personal, business, or academic relationship – an association between two individuals established as a result of a job function, a business function, or an academic activity.  Examples: a person sending an invitation to a party to a friend; a Human Resources employee sending an e-mail to employees enrolled in a specific benefits plan; a professor sending class information to students in the class; a student asking another student in class a question about an assignment.

Forged communications – e-mails that are made to appear as if they originated from a person or organization other than the person from whom the message was actually sent.

University judicial officer – is the Dean of Students or equivalent (for Students), the Dean of a School and Dean of Faculty (for faculty members), the Director of a department and Human Resources Management (for staff).

Alzaytoonah University respects the privacy of visitors to its web sites.  This Online Privacy Statement explains the University’s policy concerning the collection, use, and disclosure of visitor information.

University web sites will comply with all applicable laws and institutional policy regarding visitor privacy.

Applicability:

This statement applies to all web sites that are created or maintained either by or for academic, administrative, or auxiliary units of the University (“University web sites”), regardless of whether or not the sites are hosted on University servers or external servers.  This includes web sites of professional associations and publications that are formally hosted, maintained and operated by faculty or staff of the University.  All University websites must post a readily visible link to this policy on the initial page of the site.

All other web sites that may be hosted on University servers, such as personal home pages and student organizational websites, are encouraged to adhere to the terms of this statement as well.  The University is not responsible, however, for the content of these sites or for their practices regarding the privacy of their online visitors.

Because Internet technologies continue to evolve rapidly, the University may make appropriate changes to this statement in the future.  Any such changes will be consistent with the University’s commitment to respecting visitor privacy, and will be clearly posted in a revised Online Privacy Statement.

Technical Information:

When you access a University web site from the Internet, your computer automatically provides its Internet Protocol (“IP”) address to the computer hosting that web site, as is the case when you attach to any Internet-connected computer. This is so that the computer knows where to send the requested information.

We collect and store this information in the University’s computer system.  We use this information in aggregate form in order to help diagnose problems with our computer systems, plan the use of system capacity, and improve the quality of the information and services available to you on our web sites.

Some University web sites may also automatically collect and store certain information about your visit, such as the date, time, and duration of the visit and the Internet address of the site that referred you to them (via a web link).  This information is used in the aggregate to help manage the sites and improve service generally, and may also be used to customize the services offered to you.

Except as provided in the Disclosure of Information section below, the University does not attempt to use the technical information discussed in this section to identify individual visitors.

Cookies:

A “cookie” is a small data file that is written to your hard drive that contains information about your visit to a web page. University web sites may use cookies to store information about your actions or choices on pages associated with those web sites, in order to customize the information and services that the sites offer you.  University web sites must clearly inform visitors if they use cookies.  If you prefer not to receive cookies, you may turn them off in your browser, or you may set your browser to ask you before accepting a new cookie.  Some University web pages may not function properly if the cookies are turned off, or you may have to provide the same information each time you visit those pages.

Information Visitors Provide Voluntarily

General:

A lot of information is necessarily collected when an individual establishes a formal relationship with the University (as a student, employee, or faculty, for examples).  This information is generally required to maintain and manage that relationship, including providing associated necessary services.  If, in the course of visits to University web sites, individuals in these categories find that information being displayed about them or their status is incorrect, they should contact the appropriate office to have it corrected (i.e., Human Resources Management, Student Affairs, Academic Affairs, etc.).

Other than this necessary information, some technical information, and cookies as described above, the only other information that University web sites may obtain will be information that you provide voluntarily.  University web sites may ask you to provide information in order to make products and services available to you or to better understand and serve your needs.

All University web sites that ask you to provide information must: 

State why the information is being requested and how it will be used;

Use the information only for the stated purpose;

State whether the information will be shared with any external party (other than for investigative or law enforcement purposes described in the Disclosure of Information section below);

Make a copy of your information available to you on request;

Delete or modify your information on request;

State that you may contact the site’s Webmaster to obtain, modify, or delete information you have provided, and give you the Webmaster’s contact information;

State that providing the requested information is wholly voluntary, and indicate how not providing the requested information (or subsequently asking that the data be removed) will affect the delivery of products or services for which the information is needed;

Provide the statements they are required to make to you in a way that is easily seen and read before you submit any requested information; and provide a link to this University Online Privacy Policy.

Unsolicited Email:

If you send unsolicited email to a Webmaster, it will be directed to appropriate personnel for any response, and may be used to help improve the services supported by the web site.

Disclosure of Information:

Other than sharing your information with appropriate University personnel to ensure the quality, functionality, and security of our web sites, the University will not disclose your information except under the following circumstances:

With your prior written (including email) consent;

When a University web site has given you clear notice that it will disclose information that you voluntarily provide;

With appropriate University personnel and external parties, such as law enforcement agencies, in order to investigate and respond to suspected violations of law or University policy.  Any such disclosures shall comply with all applicable laws and University policies.

Security:

Due to the rapidly evolving nature of information technologies, no transmission of data over the Internet can be guaranteed to be completely secure.  While Alzaytoonah University is committed to protecting the privacy of our visitors, the University cannot guarantee the security of any information that you transmit to University web sites, and you do so at your own risk.

Once the University receives your information, we will use our best efforts to maintain the security of that information on University systems.  Units that maintain University web sites are expected to maintain those sites, and supporting systems and databases, at a security level consistent with prevailing industry standards, commensurate with the sensitivity of the data being stored.

In addition, Alzaytoonah University will comply with all laws regarding the privacy and security of visitor information.

Links to non-University web sites:

University web sites may provide links to other, non-University web sites.  The University is not responsible for the availability, content, or privacy practices of those sites.  They are not bound by this Privacy Statement and may or may not have their own privacy policies.

Contact Information

If you have questions or concerns about a University web site’s compliance with this policy, please contact the Computer Center Director.

compcenter@zuj.edu.jo

Print Friendly