Policies
- Responsible Use of University Computing Resources
Purpose
The following is the policy on Responsible Use of University Computing Resources.
Status: Reviewed August 11, 2022.
Policy Stewards: Chief Information Officer, ITS
Policy Owner: Chief Information Officer, ITS
- Social Media Guidelines
Purpose
The following are the Social Media Guidelines approved by University Communications.
Status: Reviewed September 6, 2018
Policy Stewards: University Communications
Policy Owner: Chief Information Officer, ITS
- Web Privacy Policy
Purpose
The University of San Diego is firmly committed to maintaining your privacy. We strive to uphold the highest privacy standards on the web. This privacy policy is provided to explain what information we collect, the collection process and how it is used in order to continue to provide you with exceptional service.
Application
Web servers are generally capable of collecting, storing, and analyzing a variety of information about those who visit the site. Our goal is to keep the information collected at this website secure and to use it only for purposes for which it was intended or to improve the quality of the web service we provide.
In some cases, USD contracts with commercial services for specific web services, generally related to financial transactions, and links to their sites for those transactions. If you are redirected to another site, something other than “sandiego.edu” in the URL, privacy and security are governed by the policies of those services and are documented by those sites.
Practice/Standard
- What information does USD collect on its website?
We collect personal information (such as name, address, phone, e-mail address) only if you provide it to us voluntarily through e-mail, registration forms, information request forms or surveys, or otherwise. Personal information is kept confidential and will not be disclosed to third parties except as may be required by law. Credit card information and social security numbers are only collected for specific purposes where the information is required for the transaction, such as to register you in a course or program, allocate funds to a USD Campus Card account, or when we accept donations. Any information of that nature is saved on our secure server and is only accessible to authorized employees to process payments or registrations or for other legitimate purposes. Once processed, the information is deleted from the server. Credit card information collected via commercial services such as CASHNet or the Verisign Payment Gateway is not stored on our server.
Our web server software automatically logs the following information each time someone visits our website: date, time, web browser, URLs of page requested and referring page, among others. We use the information gathered to help us improve our website.
- Internet protocol (IP) addresses
An IP address is a number assigned to your computer that identifies your location when browsing the internet. This information is used to improve our service and make it more interesting for you based on general usage statistics. This information may also be used for system administration or diagnostic purposes or to enforce compliance with our privacy policies. Our web server software automatically logs the client and server IP addresses, browser type and computer operating system.
- Cookies
Cookies are small pieces of information stored by your web browser on your hard drive when browsing a website. Cookies will never store private information but will only reference such information elsewhere. In those cases, cookies are used only to record security keys with limited lifetimes for your convenience in accessing other secured pages. For example, cookies provide a way to remember your account information and log you in automatically when revisiting a site or automatically populating data on forms. Cookies also provide statistical information that allows us to improve our service based on your preferences and usage behaviors. Web browsers usually accept cookies automatically. However, you can change your browser settings to block cookies.
USD also uses services which will issue cookies from their own servers and which will be able to track website visitors throughout USD web pages and through any other sites that use those services. USD does not control how those cookies are issued, or the data that they store. Examples of services being used on the USD website which track website visitors are: Google; Facebook; addthis.com.
- What does USD do with the personal information collected on this website?
Certain personal information is used to provide information back to you, such as grades, transcripts, etc. We do not and will not sell your personal information to anyone. Certain postal information may be provided to our mailing service that handles the distribution of class materials and announcements. USD may share statistical information about customers, sales, or website traffic but this will never contain personal, identifiable information.
- Is credit card / transaction information secure on this website?
We care about the safety and security of your transaction. We use SSL (Secure Sockets Layer) to communicate with your browser software when you register with us online. SSL is the industry standard security protocol, which makes it extremely difficult for anyone else to intercept your credit card or other information that you send us. You can tell you are using SSL when you see https:// at the front of the URL, or see a “lock” symbol at the beginning of the URL bar.
We have partnered with commercial Internet financial services such as CASHNet and Verisign to handle credit card transactions, and we do not store credit card information on USD’s servers after the transaction is processed.
- What does USD do to safeguard personal information on this site?
We have instituted safeguards to check that our internal procedures meet our high policy standards. Only authorized employees have access to the information you provide us. All personal details are stored in a secure, firewall-protected database. Access to personal information is limited to personnel authorized to use such information for administrative purposes only. Data and passwords are encrypted and can never be retrieved. All e-commerce transactions take place across secure server software (SSL) encryption.
- Internet communication security in general
The privacy of communication over the Internet cannot be guaranteed because the Internet is not a secure medium. USD does not assume any responsibility for any harm, loss or damage you may experience or incur by the sending of personal or confidential information over the Internet by or to USD.
- Online Disclosure of Information
If you voluntarily disclose personal information in public areas of the Site such as on your About or Contact areas or on message boards, we cannot control how that information may be used by third parties. This information may be collected by third parties to send you unsolicited messages, advertisements, or for other purposes, so please disclose such information with caution.
- Consent
By using this site, you signify your consent to USD’s online privacy statement. If you do not agree to this privacy statement, please do not use this site. We reserve the right, at our discretion, to update, change, modify, add, or remove portions of this privacy statement from time to time. This policy has been developed with the recognition that Internet technologies are rapidly evolving and that underlying standard business models are still not well established. Accordingly, this policy is subject to change. Any such changes will be posted on this page.
- How to Protect Your Information
Never give out your passwords. If you have forgotten your password, a new one will be automatically generated for you when you use the “Forgot my password” link on the login page (login URL). Log out of secure areas and close the browser window that you were working in before leaving your computer.
Exceptions
None
Appendices
None
Status: Created October 26, 2018
Policy Steward: Sr. Director, Library and Web Services
Policy Owner: Chief Information Officer, ITS
- Web Security Statement
Purpose
Guidelines regarding confidential and sensitive content on a USD website, how information is secured on USD web servers, as well as how web systems are monitored.
By default any information stored on USD web servers is not secured and can be viewed by anyone and may be crawled by search engines. In addition, any information stored on USD-affiliated websites created outside the sandiego.edu domain is not secured. As a result, websites should not collect and store confidential or sensitive information unless the data can be properly secured.
Application
These policies apply to websites on the USD domain (*.sandiego.edu) that are supported by ITS University Web Services, as well as personal USD Sites (WordPress-powered) websites.
University websites and personal WordPress websites will be reviewed annually by University Web Services to assess ongoing security of data and check for any inappropriate confidential or sensitive information.
University Web Services will periodically review storage utilization reports and file listings for the campus web server and will contact persons who violate this procedure and request they remove the offending files or provide justification for their storage on the campus web server.
Practice/Standard
- Acceptable use and responsible use of university computing resources applies to all maintainers who add content to any pages on the USD website.
- Confidential and sensitive data, including FERPA and HIPAA, is identified in the Information Security Policy. Servers are scanned for specific violations on a periodic basis.
- Security against hackers and malware attacks. For security purposes and to make sure USD websites and personal WordPress websites remain available to all users, we use special software programs and scripts to monitor network traffic and identify unauthorized attempts to upload or change information, or otherwise cause damage to the system. These programs collect no information that would directly identify individuals, but can collect information to help identify someone attempting to tamper with USD websites. Activities may be monitored and recorded. Anyone using USD websites expressly consents to such monitoring.
- Obtaining access to a university website. Any USD-affiliated department/organization, faculty/staff member or student is eligible to add content to the site. For the university website, users must complete the Content Management System (CMS) training and submit an online access request after training is complete to have their account created. All academic and administrative websites must be housed on the university web server and are required to use the *.sandiego.edu domain.
- Obtaining a personal USD Sites website. The university provides a USD Sites (WordPress-driven) solution offering users a web-based content management system and themes to choose from. USD Sites is a self-service personal or professional website system that can be used to build class websites, e-portfolios, individual or group blogs, or project or group websites. There is a dynamic USD-branded theme allowing you to create your website with little coding knowledge or web software needed. Activate your account by completing the 'Register' form on the USD Sites landing page. Currently, there is no technical assistance provided for this intuitive platform after your account is opened. Refer to WordPress.org for documentation and other resources. Note that all imagery posted to personal and professional websites should follow copyright guidelines. The USD Gallery is a resource for professional imagery of the USD campus and students.
- Web Server Storage. The campus web servers should only be used to store files that are needed for the website. They should not be used as file storage space for files not needed for the actual website. This would include all non-web files, unedited images or video clips, or personal files. Appropriate usage of storage space is reviewed periodically.
Exceptions
It is highly discouraged to create a separate domain from sandiego.edu. However, if an exception is made on an outside server, such as through Squarespace, GoDaddy, etc., the same policies apply for exposing confidential/sensitive information. However, these spaces cannot be maintained or monitored by University Web Services.
Examples of Potential Cases
Policies apply to all types of websites:
- https://www.sandiego.edu/ (Main website)
- https://www.sandiego.edu/peace (Academic area website)
- https://www.sandiego.edu/finance (Departmental website)
- https://alumni.sandiego.edu (3rd-party vendor domain)
- https://www.meetatusd.com (Personal domain websites)
- https://sites.sandiego.edu/webteam (USD Sites WordPress-driven site)
Status: In effect, created November 11, 2016; Reviewed August 28, 2018
Policy Steward: Senior Director, University Web Services
Policy Owner: Chief Information Officer, ITS
- USD Sites Guidelines
Purpose
This Policy establishes the guidelines for using USD Sites, USD's WordPress platform for personal and professional websites used by faculty, students and staff.
Acceptable Use
- All users of the University of San Diego Sites service agree to follow USD’s policy on responsible use of university computing resources.
Copyright
- Users of the USD Sites service grant to USD and its agents a non-exclusive license to use all content posted in blogs and sites hosted within the tool.
- The writer of the page, blog entry and/or comment retains the copyright to that content.
- All imagery posted to personal and professional websites should follow copyright guidelines. The USD Gallery is a resource for professional imagery of the USD campus and students.
Privacy
- USD MySanDiego account username and passwords, which serve as the authentication method to USD Sites, are specific to the individual and may not be shared with others.
Accounts
- Only members of the University of San Diego community are eligible to open websites and blogs on the USD Sites platform. This includes faculty, staff, administrators, and students and requires a valid MySanDiego username, password, and e-mail address. Activate your account by completing the 'Register' form on the USD Sites landing page.
- Sites and/or blogs may be opened for personal or professional use to represent the writer’s personal or professional activities. No blogs or sites on USD Sites can be opened to replace or duplicate academic or administrative websites served on www.sandiego.edu.
- After an account owner leaves the university his/her USD Sites account will be closed; if the individual oversees organizational or group accounts beyond a personal or professional site or blog for themselves, the affected sites/blogs will need to be transferred to new ownership in order to remain open.
Design
- Only themes designed and developed by or through University Web Services can be used on USD Sites. We cannot upload custom themes for users at this time, as we do not provide access to the CSS or other features that would be needed for customizing individual sites or blogs.
- When a site or blog is activated it automatically receives the ‘standard’ theme; to select one of the other options, please see the theme gallery.
External Development
- We strongly encourage the USD community to utilize the USD-branded themes that are available via the USD Sites service.
- In the event that you would like to hire an external designer or developer to create a theme for you, there are development guidelines that any consultant can follow to create a new website.
Scope of Service
- USD Sites provides a pre-configured environment with a robust set of themes and plugins that site owners can use to create their own web space. USD Sites is not a custom development environment, which means that users may not install their own themes or plugins or obtain access to the back end of the service.
- University Web Services provides account start-up and management of a small number of themes but does not provide web design consultation, in-depth personalized training, or assistance with custom CSS or other design and development tasks. WordPress is open-source software and there is online documentation and information available at http://wordpress.org.
- Access to create sites is available to individuals with official USD faculty, staff or student status. Others may participate in a site when invited to do so by the site owner but do not have access to create sites.
Comments
- All blogs in the USD Sites service must have comments moderated (i.e. reviewed prior to publication).
- Blogs will be set up with moderation enabled, and blog owners are responsible for ensuring that moderation takes place.
Recommendations
- Recommendations for updates can be submitted via the USD Sites landing page.
Status: Reviewed November 11, 2022
Policy Steward: Senior Director, University Web Services
Policy Owner: Chief Information Officer, ITS
- Copyright Infringement Policy
Purpose
This Policy establishes the process for handling copyright infringement notifications for students, faculty or staff. This process is not for early settlement notifications.
Application
Applies to any Student, Faculty or Staff member who has been identified as infringing on Copyright Laws.
Practice/Standard
All Incidents
- Create a folder and preserve all communications, logs, and letters.
First Offense
Student
- Email student of receipt of notification and include the RIAA or MPAA letter with the initial correspondence.
- Add student to a list of offenders.
Employee (faculty/staff)
- Email employee and their immediate supervisor and include the RIAA or MPAA letter with the initial correspondence.
- Add employee to a list of offenders.
Second Offense
Student
- Email notification of impending account closure (24 hours) if they do not contact the ITS Help Desk (619) 260-7900 or help@sandiego.edu.
- After 24 hours, the user's account is disabled until contact can be made with ITS Help Desk.
- ITS Help Desk will dispatch a technician to delete ONLY the material specified in the letters of notification.
- Inform student of the law and their responsibilities regarding copyright infringement.
- Inform student about the Policy on Responsible Use of University Computing Resources.
Employee (faculty/staff)
- Email notification of impending account closure (24 hours) if they do not contact the ITS Help Desk (619) 260-7900 or help@sandiego.edu.
- After 24 hours, the user's account is disabled until contact can be made with ITS Help Desk.
- ITS Help Desk will dispatch a technician to delete ONLY the material specified in the letters of notification.
- Inform student of the law and their responsibilities regarding copyright infringement.
- Inform student about the Policy on Responsible Use of University Computing Resources.
Third Offense
Student
- Immediate termination of account access.
- Referred to Student Discipline Board.
- Removal of copyrighted material.
- Suspension of account access for an indeterminate period or limited access as determined by the Student Discipline Board or by the Dean of Students.
Employee (faculty/staff)
- Immediate termination of account access.
- Referred to Human Resources or Office of the General Counsel.
- Removal of copyrighted material and/or application.
- Suspension of account access for an indeterminate period or limited access as determined by Human Resources or Office of the General Counsel.
Exceptions
No exceptions.
Status: In effect, created September, 2006. Last reviewed August 27, 2018.
Policy Stewards: Sr. Director, Network Infrastructure Systems and Services
Policy Owner: Chief Information Officer, ITS
- CAN-SPAM Policy
The Law
A federal law related to commercial e-mail is now in effect. The "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" or "CAN-SPAM Act of 2003" was signed into law in January 2004. This law will provide some relief from the ever-increasing amount of spam e-mail that we all receive.
One of the keys to this new law is that it applies to many types of e-mail messages and has very specific requirements for commercial e-mail that offers or promotes products or services. Upon review we have found that this law applies to a considerable amount of e-mail that is sent to recipients both on and off campus from USD organizations and individuals. This law covers not only unsolicited commercial e-mail, but also electronic communications where the recipient has initiated the exchange. There are some exceptions for e-mail sent as a result of our transactional relationship (students, employees, vendors, etc.); however, the exclusions are very specific and examples are detailed below.
In general we must ensure that we are truthful in addresses and subject descriptions and offer recipients an opportunity to decline from receiving future messages. It is important to remember that if an individual has opted out from receiving unsolicited commercial e-mail from USD and is sent another e-mail message covered by this law, then the University can be fined up to $750 per unlawful message. To reduce the possibility of this occurring we are in the process of instituting policies and capabilities to comply with the law while minimizing the effect on the business of the University.
How it Affects You
Any individual, group, or organization (internal or external to USD) that sends an e-mail on behalf of the University that promotes a commercial product or service is affected. Frequently as part of our normal course of business, e-mail messages are sent to faculty, staff, students, alumni, and others informing them of upcoming events and activities. If there is a charge for engaging in these activities or receiving services, then this new law is applicable. The law does not make a distinction between an electronic communication to a single recipient or a mass e-mail campaign.
While the new law covers all commercial e-mail, there are specific requirements to provide notices and opt-out capability for specific types of e-mail messages.
What types of e-mail communications are subject to the notice and opt-out requirement?
Here are some examples of messages that would be affected by the new law:
- Tickets for a play, movie or event where there is charge for admittance. It doesn't matter whether the event is on or off our campus.
- E-mail sent to student prospects. You must provide them with an opt-out notice, even if they have initiated the e-mail exchange.
- An offer to sell computers, cars, furniture, or just about anything. This applies whether you are offering the items through your capacity at USD or using your USD e-mail account for personal use. If it is on behalf of the University, then USD is considered the sender.
- An external organization sending electronic e-mail on behalf of the University. For example a marketing or publishing company that sends an electronic newsletter or e-mail that contains any promotion for a commercial product or service such as an athletic event, play, or exhibit.
- An e-mail that contains a Web link to a USD site that promotes a product or service. For example, a link to a USD Web page that sells clothing. This would not apply if you were including a link to https://www.sandiego.edu in a non-commercial e-mail message.
General Requirements for Commercial Email
- Provide recipients with a clear and conspicuous opportunity to decline (opt-out) to receive further commercial e-mail messages from USD. We can provide an opportunity for the recipient to specify the types of messages they decline to accept. In any case we must provide the capability for them to opt-out from all commercial e-mail from USD.
- Include a fully functional and clearly displayed return e-mail address or other Internet-based mechanism to comply with the opt-out option described above.
- If the e-mail message is unsolicited (exchange not initiated by the recipient) then you must clearly indicate that it is an advertisement or solicitation. The opt-out message we provide below provides this notification.
- Include the valid physical postal address of USD. Post office boxes are not acceptable.
- Subject lines and headers must be accurate. This applies to all e-mail.
- The "from" line must be accurate. No anonymous, fictitious, or misleading addresses are permitted.
What types of electronic communications are not subject to notice or opt-out requirements?
If the email is directly related to an employment or transactional relationship or is non-commercial in nature, then it is not affected. This is narrowly defined by the law and doesn't provide for very much variance. Here are some examples that would be exempt from the new law:
- Human resources sending email directly related to benefit plans in which the recipient is currently involved, participating, or enrolled. An e-mail describing changes in benefits would be exempt, while an e-mail describing discounts for products or services would require the disclaimer.
- Financial Aid sending email related to loans and grants for which the student is either currently receiving or has applied for consideration.
- An electronic message that details charges that are owed to the University.
- Announcements of free events or services. If any money is collected, whether or not it is clearly indicated in the e-mail, it is covered by the law.
- An electronic newsletter sent by an external organization on behalf of USD that does not contain any solicitation or advertisement of product or services.
While e-mail that is clearly not commercial in nature is exempt from the disclaimer, it may be prudent to offer individuals an opportunity to opt-out from your list. Of course this would not be applicable to e-mails that involve a transactional relationship.
How do you comply with the new law?
If your email message meets the above criteria we have developed methods for both internal and external mailing. If in doubt, please call the Tech Support Center (x7900) and we will help you make the determination.
Internal Mailings
We have modified the on-campus mass email system to accommodate the new law. You can submit your e-mail through the existing approval process and we will append the necessary notice and only send your message to the appropriate individuals.
External Mailings
We have two methods of compliance:
1. A Web site has been created where you can compose your message (or cut and paste) and upload your list of addresses. The system will automatically append the required notice and cleanse your list of opt-out addresses before sending the message. This is a limited access site, currently only available to a few people that represent the Vice Presidents in their area.
NOTE: If you need access to this site, please contact the Tech Support Center and we can help you.
2. Another capability on the Web site is the ability to upload an address list and the system will purge your list of opt-out addresses and then return to you a clean list. This address list is a file that contains e-mail addresses that are delimited by commas, tabs, or one on each line.
You can then take your list and use your own email program to compose and send your message. You will need to append the opt-out notice at the end of your message.
If you have external organizations that send email on the behalf of USD, you could pass the address list through this system and obtain a clean file that can be sent to the vendor. It will be important that everyone uses the same opt-out link for email. This is especially important for external vendors. If they don't use our opt-out link, we won't know the preferences of the recipients for other email, which could jeopardize our compliance.
Opt-Out Notice
The following notice will be appended to all commercial email messages:
This message is considered a commercial message. You have the option of opting out of receiving commercial messages from USD or only from a specific area. You can visit the USD Opt Out of Commercial Messages site for more information.
University of San Diego, 5998 Alcala Park, San Diego, CA 92110-2492, (619) 260-4600.
Status: In effect, created September, 2006. Revised July 28, 2016. Reviewed August 27, 2018
Policy Stewards: Sr. Director, Network Infrastructure Systems and Services
Policy Owner: Chief Information Officer, ITS
- Standards for Equipment Attached to USD Network
Rationale
USD's academic and business units require continuous use of network services in order to reach both on-campus and Internet resources. Devices that have been compromised or improperly configured can negatively affect services to part or all of the USD community. In order to prevent this from occurring, the attachment of equipment to USD's network is regulated by Information Technology Services.
Statement
The University of San Diego requires that all network devices (e.g., switches, wireless access points, routers) connected to the campus network must be approved by the ITS department. Actual connections of such devices to the campus network must be performed by the ITS department.
Standards
- Only authorized personnel from the ITS department may connect devices to USD's network. No other USD employees or students may do so.
- Non-University personnel and outside vendors can gain temporary connection to the campus network via usdguest wireless. Requests for network connectivity may be sent to telecom@sandiego.edu.
- Access to campus building wiring closets is limited to Network Services and Telecommunications staff only.
- Changes to campus network routing and topology are limited to the NETS staff.
- Any attached wired or wireless devices that cause a service disruption will be removed from the campus network.
Areas Covered
All areas of the University, its students, vendors, visitors, and other guests, are covered.
Status: In effect, created August, 2006. Reviewed September 5, 2018
Policy Stewards: Sr. Director, Network Infrastructure Systems and Services
Policy Owner: Chief Information Officer, ITS
- Lab Computing Use Policy
Purpose
The use of University of San Diego computer laboratory facilities is reserved exclusively for currently enrolled students, faculty and staff of the University. A valid current USD photo ID must be provided for lab access.
This policy is mandated by availability of computing resources and personnel. Individuals who lack current valid student or employee photo identification, including alumni, contractors/corporate associates and university affiliates may be prevented from accessing computing laboratories. Members of the extended University community, who lack identification, are encouraged to use the computer facilities at the USD University Center or at the Copley Library.
This policy shall be enforced at all times by Information Technology Services personnel.
Status: In effect, created January 2007
Policy Steward: ITS Lab Manager
Policy Owner: Sr. Director of Client Support Services
- Server Configuration/Installation Policy
Purpose
This policy is intended to standardize the deployment of Operating Systems (OS): Microsoft Windows, Linux or IBM AIX.
Application
The Practice/Standard applies to all USD ITS staff members, vendors, and contractors who require or have the ability to install the server OS on either Virtual Servers (in University of San Diego operated/managed data centers) or install and configure the OS on physical hardware (in University of San Diego operated/managed data centers). For change management purposes and to facilitate documentation of our servers, installation and configuration steps are initiated with an ITS Helpdesk ticket requesting that the server be created and stating the business purpose of the application(s). The ticket is assigned to a member or members of the ITS Systems Team.
Practice/Standards
This Practice/Standard extends to USD ITS System Administrators and Architects or anyone who is authorized by an Infrastructure Manager or Sr. Director to deploy a Server.
Installation
Requests come in via ITS Help Desk’s ticketing system and are approved by the Systems team Manager. Once approved, a System Administrator and/or Architect will be assigned and begin configurations/installation. Base installation is commonly deployed via Virtual Server template. See Server Install Checklist for building VM Template.
Configuring/Updating
Standard practice is to check/perform the following:
- Request IPs and use the IPs provided by the Networking team.
- Install all current OS updates and configure auto-updates for “Download but let me install them”.
- Install the latest Anti-Virus (AV) program, updated (every 4 hours) by the local Symantec Endpoint server.
- Join to the AD Domain.
- Configure Firewall.
- Configure SNMP to universal monitoring system.
- Add root/admin password to Secret Server.
- Add necessary Local Admin privilege to AD user to administer application.
- Add AD account to Remote Group for Application Administrator.
Disabling/De-provisioning
De-provisioning requests will come from the application owner stating the system is no longer needed. The system will then be shut down and typically archived for a period of 1 month before being deleted and removed from inventory.
Documentation
More technical documentation is kept by System Administrators and/or Architects. See Appendix for Installation Checklist.
Operating System Updates
Updates to the operating system will be performed regularly (e.g. monthly), manually or automatically, based upon update availability; however, software vendors/applications will sometimes insist that the ‘latest’ version of an operating system or service (e.g. Apache) is not yet supported. In this case, updates are delayed. It is the responsibility of the application owner to notify Systems Administrators or Architects when an application cannot operate on the most recent version/patch level of an OS.
Anti-Virus Updates/Scanning/Monitoring
Anti-Virus (AV) updates shall be set to automatic, every 4 hours. “Live Scanning” and alerting are also automatically configured. Server scans should be done weekly during off hours so as not to impact server/disk performance.
Monitoring is set to automatic reporting to the AV Dashboard in both ITS Help Desk and Systems Area. Alerts of a virus should be routed to the ITS Help Desk ticketing system with the following information:
- Username or computer name information
- Virus information
- Dispatch Desktop service technician for remediation
Exceptions
In rare cases, some software manufacturers will not support additional software running on a server (i.e. Commvault Backup Agent, Symantec Endpoint Anti-Virus Software, etc.). In these rare cases, additional steps are required by the Systems Administrator/Architect to make sure the system is backed up and secure.
Appendix – Update/Security Requirements
- Prior to turning the server over to the requestor (client), the latest Generally Available (GA) operating system updates are installed/deployed.
- Configure Anti-Virus for “Live Scan” and automatic “Quarantine”
- Configure Anti-Virus for weekly scan during off-hours.
- If the server will need access from outside the USD campus (i.e. a NAT request on Port X through the main USD firewall), the system is scanned for open ports/vulnerabilities by the ITS Systems Security Administrator prior to turning the server over to the requestor (client).
Server Installation Checklist
- Server Name (proposed)
- VM or Physical (only in rare cases are Physical Servers provisioned)
- OS
- Memory
- CPU Cores
- C:/root Drive Size
- Other Drives
- IP Public
- IP SAN (Storage Area Network)
- Install VM Tools
- Disconnect Boot Image
- Desktop Experience
- Remote Desktop/SSH
- Microsoft/RHEL/AIX Update
- Change Machine Name
- Join Domain (if Windows O/S)
- Turn on Menus
- Show all Files
- NIC Binding Order
- Mask CPU (VM)
- VM - Disable serial and Parallel Ports
- IIS (Version)
- SQL (Version) - software is traditionally downloaded but not installed/configured
- Storage
- BGINFO
- Symantec
- Sym - Scan
- Sym - Exclusions
- SNMP
- Network Monitoring System(s) (NMS)
- Commvault
- Firewall
- Defrag
- Applications
- Complex Password
- UAC
- Local Admins
- Secret Server
Status: In effect, created January 23, 2015, updated August 28, 2018
Policy Steward: Manager of Systems Support, NISS
Policy Owner: Sr. Director Network, Infrastructure, Systems and Services (NISS)
- Computer Equipment Replacement
Purpose
ITS follows several procedural guidelines for the Computer Replacement Program to ensure that employees can request and receive upgraded technology in a timely manner.
Eligible employees should contact their faculty/staff representative, area technician, or a staff member in Information Technology Services as the third anniversary of their desktop equipment approaches or to find out if their computer is up for replacement. All appropriate administrative and technical representatives are listed on our Computer Options site.
Eligible employees should review standard computer configurations and specifications on the Computer Options Web site. Standard specifications are reviewed and updated biannually (or as needed) so that USD employees have access to current information tools.
Employees may then submit their computer requests to their faculty/staff representative. Employees are strongly encouraged to speak with their area technician prior to submitting a request form so that the equipment requested meets the employee's work requirements. No changes or modifications can be made to a request after the equipment has been approved and ordered. The employee's department will be responsible for purchase of any external hardware items for the system if additional capabilities become necessary after the fact.
Approved requests are forwarded to Information Technology Services for ordering. Orders are placed every few weeks, since ITS normally places orders in bulk to receive discounted pricing.
Depending on the vendor involved, computer systems generally take one to three weeks to arrive to campus. After a system arrives to campus, it is placed into the queue of a member of Desktop Support Services who images and prepares the computer. You will then be contacted to schedule an appointment for installation of your new computer and pickup of your old computer system.
Please note that when your new computer is delivered and installed in your office, the displaced equipment cannot remain in your office. Prior instances of this practice resulted in a shortfall of recycled workstations for part-time faculty, staff, and student employees not eligible for equipment through the Computer Replacement Program. More importantly, with the recent changes in state law, there is an increased liability associated with accidental release of personal information. We need to ensure that all disk contents are removed before a workstation is reallocated for other uses, even if this is within the same office. We also need to ensure that workstations are maintained with current security patches and updated anti-virus software.
After you receive your new computer (or if you have received a computer through the replacement program in the past), you cannot swap the system with a co-worker. At no time is it permissible to exchange equipment with other co-workers or other departments. We inventory machines by employee name and computer serial number and exchanging equipment makes it difficult for us to locate and collect equipment when it is needed for return.
- Wireless Spectrum Management Policy
Purpose
This policy is intended to provide a mechanism for managing the wireless communications spectrum at the University of San Diego. Wireless communications for data, voice, and video are an increasingly important part of the overall technology plan of the University. Thoughtful management of that spectrum will improve reliability, availability and security of these services to all members of our community. This policy applies only to over-the-air use of wireless spectrum. It does not include any broadcast over wired systems, such as Cable TV.
Definitions
Wireless Access Point
An access point is a device which is intended to provide a communication path from a wireless network to a wired network.
Wireless Network Interface Card (WNIC)
A Wireless Network Interface Card is a device which is installed into a computing system for the purpose of communication with a wireless network operating in an unregulated band. A computing system includes, but is not limited to desktop computer, laptop computer, workstation, cellphone, smart phone, tablet, and various wearable wireless devices when using an unlicensed band.
Policy
This policy applies to both the licensed and unlicensed portions of the Radio Frequency Spectrum. It does not apply to wireless technologies which are outside of that spectrum, such as Infrared or microwave.
Licensed Spectrum
The use of licensed spectrum is controlled by the Federal Communications Commission (FCC) [1]. It is the responsibility of the license holder to maintain a valid license and to comply with all applicable Federal, State and Local regulations regarding the use of such equipment. Departments which utilize licensed spectrum must annually report the frequencies used to the Senior Director of Network Infrastructure Systems and Services.
Unlicensed Spectrum
The FCC provides several portions of the RF Spectrum for public use without licensing. While the lack of license requirements provides accessibility, the lack of control increases the likelihood of radio interference.
Currently, the FCC provides the following Spectra for unlicensed use: 902-948 MHz, 2400 – 2483.5 MHz and 5725-5850 MHz [2]. This policy will apply to any future unlicensed spectrum which may from time to time be made available by the FCC. Should such bandwidth become available, the most restrictive policy will apply. Each section of Spectrum has different requirements and will be treated separately.
- 902-928MHz: This band is typically used by consumer electronics such as cordless telephones.
- Restrictions: No reporting is required. Users causing interference to any other frequency user are expected and required to amend their usage to eliminate interference.
- 2400-2483.5 MHz: This band is currently used for a variety of technologies today, including Bluetooth, Cordless Telephones, and 802.11, WiFi.
- Bluetooth: There are no restrictions for Bluetooth users. Bluetooth use may cause interference with other devices in this spectrum and with each other. Users causing interference for any other user are expected and required to amend their usage to eliminate the interference. Failure to perform such remediation could result in removal of access by the University. Due to the limited security available with Bluetooth devices, users are responsible for ensuring the proper security for all of their devices.
- Cordless Telephone: Cordless Telephones that operate in this spectrum may not be used.
- 802.11, WiFi: Information Technology Services is responsible for the deployment of a campus-wide wireless network. No Access Points may be installed without the express, written permission of the Information Systems Department. In cases where particular locations on campus are not served, members of the University of San Diego Community may request access by contacting the Information Technology Services Help Desk.
- 5725-5850 MHz: This spectrum is reserved solely for Data Communications purposes. No Access Points operating within this spectrum may be installed on campus without the express written permission of the Chief Information Officer, University of San Diego. Only University approved WNICs may be used.
Security
Due to the public nature of the wireless signals themselves, access to the University of San Diego Wireless network is permitted only to persons with valid USD Network Accounts. Visitors and guests to the campus may register and use the USD Guest (usdguest) Wireless Network. Assistance with usdguest wireless may be obtained through the USD ITS Help Desk (x7900) or online at help@sandiego.edu.
Standard
It is the policy of the University of San Diego to standardize personal computing technologies whenever possible. Non-standard Access Points are not permitted. Non-Standard WNICs are permitted, but will not be supported by Information Technology Services. Such non-standard WNICs must comply with all appropriate 802.11 standards. WNICs which do not conform will be removed from the campus network.
Applicability
The University’s policy on Responsible Use of University Computing Resources (Policy 2.5.1) applies to the use of all devices on the University Wireless Data Network.
Disciplinary Action
Violations of this policy may result in the suspension of access to the University Network. Appeal of any decision related to this policy may be made to the Vice Provost and Chief Information Officer.
Responsibility and Oversight
The Chief Information Officer is responsible for implementing this policy. The policy may be revised from time to time as required by the Committee on Information Technology.
Status: In effect, Updated December 1, 2014, Updated August 23, 2018
Policy Steward: Senior Director – Network Infrastructure Systems and Services
Policy Owner: Chief Information Officer, ITS
[1] The Spectrum Allocation is described in Title 47 of the U.S. Code of Federal Regulations, Volume 1, Section 2.106. This is available from the FCC at http://www.gpo.gov/fdsys/pkg/CFR-2001-title47-vol1/content-detail.html
[2] Reference: Code of Federal Regulations, Title 47, Volume 1. Revised as of October 1, 2001. An online copy of this policy is available at http://www.odessaoffice.com/wireless/fcc_ism.html
- Switch and Router Standards Policy
Purpose
This policy is to standardize the deployment of Network Switches and Routers. All templates for network devices (Switches and Routers) are located in Solarwinds Configuration Manager.
Application
The configuration template will apply to all new or replacement access layer (Layer 2) Switch or Router deployments performed throughout the university network environment.
Practice/Standard
This Practice/Standard consists of the following steps:
- Remove current (vendor delivered) configuration and database.
- Copy configuration commands from the Switch or Router template with the following customizations:
- Configure hostname with the naming convention of “building room-Switch or Router type-number of ports-switch number”, i.e. MH199-3560GP-48-2.
- Only add the required VLANs and manually prune the VLANs allowed on the trunk link.
- Configure the management VLAN IP or VRF.
- Configure the default-gateway based on the distribution switch.
- Customize the MOTD banner with device location.
- Configure trunk interface “connected to” description.
- Configure spanning-tree priority for VLANs to 49152 (Layer-3 Switch/Router 4096)
- Copy the remaining standard Switch or Router configuration.
- Ensure the “service password-encryption” is enabled.
- Ensure SSH version 2 is configured.
- Ensure Telnet is removed as an acceptable protocol for remote login
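The last three checks and the hostname convention can be verified automatically against a saved running configuration. The sketch below is an added example, not part of the USD policy or its Solarwinds templates; it assumes Cisco IOS-style syntax (`ip ssh version 2`, `line vty`, `transport input`), infers the hostname pattern from the single example MH199-3560GP-48-2, and treats a vty line with no explicit `transport input` as non-compliant.

```python
import re

# Assumed pattern for "building room-type-number of ports-switch number",
# inferred from the policy's one example, MH199-3560GP-48-2.
HOSTNAME_RE = re.compile(r"^[A-Za-z]+\d+[A-Za-z]?-[A-Za-z0-9]+-\d+-\d+$")

# Constructed sample configurations (not taken from any real device).
GOOD_CONFIG = """
hostname MH199-3560GP-48-2
service password-encryption
ip ssh version 2
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

BAD_CONFIG = """
hostname switch1
no service password-encryption
ip ssh version 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 login local
"""


def vty_blocks(lines):
    """Return [(header, [sub-commands])] for every 'line vty' block.

    IOS indents sub-commands under the 'line' header, so a block ends at
    the first non-indented line.
    """
    blocks, current = [], None
    for ln in lines:
        if ln.startswith("line vty"):
            current = (ln.strip(), [])
            blocks.append(current)
        elif current is not None and ln.startswith((" ", "\t")):
            current[1].append(ln.strip())
        else:
            current = None
    return blocks


def audit_config(config_text):
    """Return a list of finding labels; an empty list means compliant."""
    findings = []
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    stripped = [ln.strip() for ln in lines]

    # Hostname must follow the naming convention.
    hostname = next(
        (ln.split(None, 1)[1] for ln in stripped if ln.startswith("hostname ")),
        None,
    )
    if hostname is None or not HOSTNAME_RE.match(hostname):
        findings.append("hostname")

    # Exact match, so "no service password-encryption" does not count.
    if "service password-encryption" not in stripped:
        findings.append("password-encryption")

    if "ip ssh version 2" not in stripped:
        findings.append("ssh-v2")

    # Telnet must not be an accepted protocol on any vty line.
    for header, body in vty_blocks(lines):
        transport = [ln for ln in body if ln.startswith("transport input")]
        if not transport:
            # Assumption: without an explicit setting the platform default
            # may still accept Telnet, so require it to be stated.
            findings.append("telnet:" + header)
            continue
        protocols = transport[-1].split()[2:]
        if "telnet" in protocols or "all" in protocols:
            findings.append("telnet:" + header)
    return findings


if __name__ == "__main__":
    print("good:", audit_config(GOOD_CONFIG))
    print("bad: ", audit_config(BAD_CONFIG))
```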
Exception
There are no deployment exceptions to this policy.
Status: In effect, created February 12, 2015, last reviewed August 23, 2018
Policy Steward: Telecommunications and Network Manager, NISS
Policy Owner: Sr. Director Network, Infrastructure, Systems and Services (NISS)
- Remote or SSH Access Policy
Purpose
This policy is to standardize remote or SSH access of university private electronic resources for the purpose of accessing, updating, managing data, systems and/or applications remotely (off-campus).
Application
The Practice/Standard applies to all USD employees (faculty/staff and *students), internal and external contractors, and vendors. All remote or SSH access for business, maintenance, or upgrade purposes to the university’s electronic resources and systems must be conducted through the university’s Virtual Private Network (VPN) or secure Tunnel.
*In rare instances, USD students may receive remote or SSH access privileges for grant and/or research purposes that are sponsored by a USD tenured or tenure-track faculty member. Any such privileges for students are limited to one semester and will expire at the end of the semester. Application for a student VPN account will require supporting documentation of the research activity from the faculty member.
Practice/Standard
All faculty and staff requiring access to the university’s electronic resources for business, maintenance or upgrade access must use the university provided VPN Request Form and Duo Two Factor authentication. Staff and Faculty requests for VPN access to the university’s electronic resources must have approval from their supervisor, manager, department chair or Dean. VPN Request Form and Duo Two Factor authentication are required for anyone seeking privileges for remote or SSH access.
Vendor/Contractor access requires a university sponsor, with an account access form signed by the sponsor with a specified end date. Vendor/Contractor VPN Access will be granted only during the university’s normal work day. If a business requirement necessitates the normal work day in the Vendor’s/Contractor’s time zone, the specific application, systems, or services and the associated ports to be accessed must be specified by the Vendor/Contractor or university Sponsor at time of VPN request.
All VPN accounts will be reviewed on an annual basis and modified or deleted for compliance with this policy.
Exceptions
With the exception of rare instances for research/grant purposes, USD Students and student employees are not granted remote or SSH access to the university private electronic resources.
ITS Employees are not allowed access by any other means than the VPN Portal without written approval by the Chief Information Officer.
VPN Request Form and Duo Two Factor authentication
Status: In effect, created January 22, 2015, updated August 23, 2018
Policy Steward: Telecommunications and Network Manager, NISS
Policy Owner: Sr. Director Network, Infrastructure, Systems and Services (NISS)
- Firewall Policies and Procedures
Purpose
This policy creates standards for Firewall Policies/Rules and Procedures to ensure institutional data security and best practices while providing service and support to the University’s academic and business community.
Additionally, this policy is intended to create a process for periodic review and assessment of existing Firewall Policies/Rules.
The policy also stipulates the process and requirements for the creation of new Firewall Policies/Rules.
Application
The Practice/Standard applies to all existing firewalls and new firewalls introduced to the University of San Diego network and computing infrastructure. This includes all network firewalls and server/systems firewalls specific to enterprise applications and databases.
Practice/Standard
Requests for Firewall Policies/Rules must be made using the ITS Help Desk ticketing system. Additionally, all Firewall Policies/Rules, when created, modified, or disabled, require a CHANGE MANAGEMENT APPROVAL. The approval shall be included within the comment field, together with the time of entry, the date of entry, the purpose of the policy/rule, and the initials of the person making the entry.
Requested Policies/Rules must contain information such as: system name, application, object, or group name(s). Additionally, the request must list the responsible party or organization and the port(s) required prior to requesting any virtual or physical server implementation.
For security and audit purposes, Firewall Policies/Rules shall be reviewed every 6 months or whenever an existing Policy/Rule, Object, or Groups Category is modified or disabled. Our practice also requires that ITS Network Administrators complete/update the Comment Field whenever any entry is made or changed in the firewall. The ITS Network Team will complete periodic review work and, if funding permits, a third-party IT security firm may be contracted to assess and recommend modifications to USD Firewall Policies/Rules, Objects, and Group Categories for relevance and correctness.
Whenever a request for Firewall Policies/Rules is received through the ITS Help Desk Ticketing System for a server or service application requiring direct access from the Internet the following information must be included:
- Server(s) or Application Name (Service Application Owner)
- Request for Routable IP Address(es) (Service Application Owner)
- Ascertain and fully understand the customer/client requirements or use case(s) (ITS Network Team)
- Required technical requirements (ITS Network Team)
- Load Balancer (SSL Cert, Multiple server or cluster)
- Port(s) to be Allowed
- DNS name (CNAME, Alias)
- Scan Server(s)/Application(s) for vulnerabilities using Nessus (ITS Network Team)
- Assign External (Routable) IP Address (ITS Network Team)
- CHANGE MANAGEMENT APPROVAL
- Create or Modify and Apply to appropriate Firewall Policy/Rule (ITS Network Team)
- Update external DNS (ITS Network Team)
- Validate with Service Application Owner
- Test DNS Name resolution (ITS Network Team)
- Require testing by Service Application Owner
- Verify actual port usage in Firewall Logs (ITS Network Team)
- Make appropriate adjustment as necessary (ITS Network Team)
- Add or Modify Comments Field with date of entry, purpose, and initials of firewall technician (ITS Network Team)
Examples of Potential Cases
- Implementation of new Application(s)
- Implementation of new Server(s)
Status: In effect, created January 30, 2015, updated August 24, 2018
Policy Steward: Telecommunications and Network Manager, NISS
Policy Owner: Sr. Director Network, Infrastructure, Systems and Services
- Privileged Account & Password Policy
Purpose
This policy is to standardize the use of Privileged Accounts (i.e., root, administrator, etc.) and Complex Passwords.
Application
The Practice/Standard applies to all USD ITS staff members and contractors who require or have privileged access to desktops, servers, databases, and applications where sensitive or personal data is present. ITS employees or contractors must use a complex password with a privileged account. Password must meet USD’s password complexity requirements (See Appendix).
Practice/Standard
This Practice/Standard extends to USD ITS System and Database Administrators, Application Developers, Contractors, or anyone who has access to sensitive data.
Provisioning
A Privileged Account is granted either by the Data Custodian responsible for the application data entry or USD ITS Management for the administration or management of the application or database. Requests are made by email, e-form, or paper form sent by the Data Custodian or ITS manager responsible for the data/application and submitted to the Account Management Group.
Tracking/Auditing
Tracking of use, review of relevant role and access, and notification of separation from the university are the responsibility of the signing authority (Data Custodian or ITS Management). The Account Management Group is responsible for a yearly review of all ITS privileged account access.
Disabling/De-provisioning
A Privileged Account is disabled (password changed) immediately upon notification of an employee’s/consultant’s leave of absence or separation from USD, or of a Role and Access change requested by the Human Resources Department, Data Custodian, or ITS Management. De-provisioning of privileged accounts will occur within 30 days of notice.
Documentation
Documentation of privileged accounts is kept by the Account Management Group for possible review by external or internal auditing.
Appendix – Password Requirements
- A minimum of 12 characters and a maximum of 30
- Must contain at least 1 numeric character
- Must contain at least one of the following special characters:
- ! . % # $ ^ * ( ) _ + { } [ ] ; : , ? & | \ - @ ~ '
- Cannot contain < >
- Cannot contain username, first name or last name
- Should not be a common word in the dictionary
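The appendix rules translate directly into a validator. The following is an added example, not USD's own tooling; it assumes case-insensitive matching for the name rules and takes a small constructed word list in place of a real dictionary. Because a password that satisfies the digit and special-character rules can never be a bare dictionary word, the "should not" rule is applied to the password with everything except its letters stripped, and is reported as a warning rather than an error.

```python
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 12, 30
# Special characters listed in the appendix.
ALLOWED_SPECIALS = set("!.%#$^*()_+{}[];:,?&|\\-@~'")
FORBIDDEN_CHARS = set("<>")

# Constructed stand-in for a real dictionary or common-password list.
SAMPLE_COMMON_WORDS = {"password", "university", "basketball", "sandiego"}


@dataclass
class PasswordReport:
    errors: list = field(default_factory=list)    # "must" / "cannot" rules
    warnings: list = field(default_factory=list)  # the "should not" rule

    @property
    def compliant(self):
        return not self.errors


def check_password(password, username, first_name, last_name,
                   common_words=SAMPLE_COMMON_WORDS):
    """Check a candidate password against the appendix requirements."""
    report = PasswordReport()
    lowered = password.lower()

    # A minimum of 12 characters and a maximum of 30.
    if not MIN_LEN <= len(password) <= MAX_LEN:
        report.errors.append("length")

    # At least 1 numeric character (ASCII digits only).
    if not any(c in "0123456789" for c in password):
        report.errors.append("numeric")

    # At least one of the listed special characters.
    if not any(c in ALLOWED_SPECIALS for c in password):
        report.errors.append("special")

    # Cannot contain < or >.
    if any(c in FORBIDDEN_CHARS for c in password):
        report.errors.append("forbidden_char")

    # Cannot contain username, first name or last name.
    # Assumption: compared case-insensitively; empty fields are skipped
    # because an empty string is a substring of everything.
    identity = [v.lower() for v in (username, first_name, last_name) if v]
    if any(v in lowered for v in identity):
        report.errors.append("identity")

    # Should not be a common dictionary word. Assumption: compare the
    # letters-only form, so "Basketball#1!" is still recognised.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in common_words:
        report.warnings.append("dictionary")

    return report


if __name__ == "__main__":
    for candidate in ("Correct-Horse-7-Staple", "Basketball#1!", "short1!"):
        r = check_password(candidate, "jdoe", "Jane", "Doe")
        print(candidate, r.compliant, r.errors, r.warnings)
```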
Status: In effect, created January 16, 2015, updated August 24, 2018
Policy Steward: Sr. Director Network, Infrastructure, Systems and Services
Policy Owner: Chief Information Officer, ITS
- Vendor Performance Review Policy (SaaS and Hosted Systems)
Purpose
This policy is intended to define a process for reviewing technology vendor performance on services and controls on an annual basis. This process is done in conjunction with the University Controller to help review and interpret various financial and accounting attestation reports.
Application
The Practice/Standards below are applied to vendors hosting USD enterprise systems (e.g. Ellucian for the Banner Student Information System, Oracle for E-Business Suite, Salesforce and TargetX for Constituent Relationship Management, and Blackboard Learning Management System).
Practice/Standards
On July 1 of each year ITS will formally request the following reports and information from the vendors:
- Corporate Financial Statements
- SSAE 16 Reports / SAS 70 Reports
- Statistics/Reports on Key Performance Indicators specific to vendor services and responsiveness.
- Statistics/Reports on systems performance and systems availability.
- Statistics/Reports on technical support requests/tickets relative to Service Level Agreements.
As vendor contracts are renewed, ITS will work to see that enterprise software licensing agreements (with Ellucian, Oracle, Blackboard, and Salesforce/TargetX) include language that stipulates the aforementioned reports and statistics are to be provided annually to the University of San Diego.
Similarly, for any new enterprise software licensing agreements under the scope of this policy ITS will work to have language inserted within the contract that stipulates the aforementioned reports and statistics are to be provided annually to the University of San Diego.
The University Controller will be engaged in the assessment of the Financial Statements and SSAE 16/SAS 70 reports due to the financial and accounting information contained within those reports.
Upon review of the reports ITS will consult with the University Controller to determine appropriate action or response to the assessment of information.
Exceptions
None; the application of this policy is for vendors hosting USD enterprise systems.
Status: In effect, created February 13, 2015, updated August 24, 2018
Policy Steward: Sr. Director ERP Technologies
Policy Owner: Chief Information Officer, ITS
- Review and Identification of Critical Systems Policy
Purpose
This policy is intended to establish a review process to define USD systems that contain, access or transmit data classified by USD as restricted. Restricted data or information is defined as any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University’s reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.
Application
The systems identified as containing, accessing or transmitting this data will have defined processes to ensure logs are enabled/reviewed and internal vulnerability scans are completed. This requirement supports compliance with Federal FERPA and HIPAA law, Payment Card Industry regulations, USD recommendations and industry best practice.
Practice/Standards
This Practice/Standard extends to the Vice Provost and CIO and the Associate Vice President for Finance and Controller. They will perform an annual review, on July 1st, of the university’s critical systems along with penetration and vulnerability testing of the systems and generate a memo stating the status of the critical systems.
Appendix – University of San Diego Administrative/ERP Systems (as of July 1, 2018)
- Ellucian Advance Web
- iModules (UR CRM and Gifts/Donations)
- Advizor (UR predictive analytics)
- SmartCall Call Manager (UR fund raising)
- Ellucian Banner Student Information System
- Ellucian Operational Data Store/Enterprise Data Warehouse
- IBM Cognos Reporting and Business Intelligence Analytics
- Ellucian Luminis Portal
- Ellucian BDMS (Banner Document Management System)
- Ellucian Degree Works
- Parchment Online Transcripts
- SurveyDig
- EMS (Event Management System)
- QMATIC (OneStop Queuing application)
- Apply Yourself
- Ruffalo Cody
- Scanell and Kurz
- Salesforce/TargetX CRM
- Form Assembly
- Ellucian Degree Works
- Sunapsis (Federal International SEVIS II Compliance)
- Terra Dotta StudioAbroad
- Terra Dotta AlertTraveler
- TMA Facilities Management System
- StarRez Housing
- Onity Lock System
- SALTO Lock System
- Oracle E-Business Suite (HRMS and Finance)
- Oracle Hyperion
- PageUp Recruitment
- Kronos Payroll and Time Keeping
- SciQuest Contract Director
- KBase HR Reporting
- Noetix Finance Reporting
- Cayuse SP/424/IRB
- Point-N-Click Health Records
- Handshake
- Gallery Systems – The Museum System (TMS)
- Campus Labs CollegiateLink (Greek Life)
- Maxient Title IX and Student Judicial
- Alertus Desktop and Digital Signage Emergency Notification
- ReGroup Emergency Notification
- PlateSmart Public Safety Application
- MOC – Minors on Campus Application
- Insight Mobile
- MyUSD mobile app
- Future Torero Mobile
- Law Mobile
- CBORD CS Gold
- CBORD Micros
- CBORD Food Service Suite
- CBORD NetHims (inventory system)
- CBORD Event Master (catering)
- CBORD NetCatering
- CBORD UGRYD (external vendors for Campus Cash)
- NEEBO WinPrism
- Dining Menu Boards (Custom Solution through ICG)
- NuPark
- Verba (site comparison for book sites)
- Microsoft Sharepoint
- SAS Enterprise Guide (for IRP analytics)
- Civitas College Scheduler
- Projecto (for FM Capital Project Management)
- Veritix (Sports Ticketing)
- Innosoft Fusion Campus Recreation
Status: In effect, created April 15, 2015; last updated July 9, 2018
Policy Steward: CIO; Associate Vice President of Finance & Controller
Policy Owner: CIO; Associate Vice President of Finance & Controller
- Log Monitoring Policy
Purpose
This policy is intended to specify log monitoring practices for USD’s Network and Critical Systems.
Application
The Practice/Standards apply to system and network logs associated with USD Lightweight Directory Access Protocol (LDAP), Active Directory (AD), network devices, and Critical Systems. The Critical Systems are defined through the ITS policy for Review and Identification of Critical Systems.
Practice/Standard
Information Technology Services (ITS) has access to computer system and network device logs; various alerts are generated that inform ITS staff of events or anomalies that occur within any large complex network and computing environment. This policy establishes standards for log monitoring that will be done in addition to the existing alert systems that are in place.
- Oracle Enterprise Grid Control is set up to inform the ITS-EA DBA team of failed login attempts and to monitor Oracle Databases associated with “Critical Systems” (as defined in USD’s Review and Identification of Critical Systems Policy, https://www.sandiego.edu/its/about/policies/). These logs and alerts are monitored on a daily basis. The Database Administrators (DBAs) take action by reviewing alerts on a daily basis. If the alerts are deemed malicious, the DBAs will work with the appropriate teams to address risk.
- A program to analyze login anomalies to LDAP is used to generate reports that are reviewed on a monthly basis by the ITS-NISS Systems team. A SolarWinds SIEM (Security Information and Event Management) module is used to identify and report login anomalies to Active Directory (AD). The Systems team takes action by reviewing the reports and investigating the accounts in question. If the Systems team determines there is malicious action being performed by the account, they will then contact the user, the helpdesk, and/or public safety as well as USD leadership. Continued review of any accounts in question will continue during subsequent reviews to eliminate any possibility of continued malicious behavior. Note: ITS will seek to improve the frequency of LDAP and Active Directory log reviews on an incremental basis from 1 month to 3 weeks, then 3 weeks to 2 weeks, and eventually to 1 week.
- Kaseya and SolarWinds Network Configuration Manager (NCM) are used to monitor the status of all network devices. The ITS-NISS Systems/Network teams receive notifications/alerts from Kaseya and SolarWinds which are used to identify hardware and infrastructure anomalies. These alerts are received immediately and are acted upon immediately by the ITS-NISS Systems/Network teams. Kaseya is used to report on the status of network devices, servers, and normal services; SolarWinds is used to report on anomalies, the ITS-NISS Systems/Network teams works directly with the application or system owner to investigate and determine if the behavior is suspicious or expected. If monitored behavior is determined to be malicious the system(s) and/or application will be fixed immediately or shutdown; remediating any potential threat(s) will be the first priority of root cause analysis followed by proactive steps to ensure long-term safety of applications and systems. Kaseya reports are reviewed on a monthly basis. SolarWinds reports are reviewed on a monthly basis.
- Palo Alto’s logging module is used to automate the log aggregation, analysis, monitoring, and reporting associated with data specific to network intrusion and anomalous events that are found in voluminous firewall logs. The ITS-NISS Network team is responsible for using the Palo Alto console and reports to identify network security incidents and to investigate them. Typical security incidents that are reported in Palo Alto include, but are not limited to:
- Denial of Service Attacks
- Distributed Denial of Service Attacks
- DNS Queries
- Bots
- Viruses
- Malware
- Advanced Persistent Threats
- Port Scans
- High Connection Rate Anomalies
- Application and Server vulnerabilities
- Geo-protection
Palo Alto reports/analytics are monitored on a daily basis. Depending on the incident, the ITS-NISS Network team takes action by investigating malicious traffic detected based on the severity of the incident. The Network Team will configure the IPS protection from "detect" to "prevent" on the particular malicious traffic and/or add the IP address to the "Zero Access" firewall group - which will deny any access to and from the Palo Alto Firewall. If the source IP address of any malicious traffic is determined to be internal, we will identify the device and/or user. Upon identification, the ITS-NISS Network team will notify the user, ITS Helpdesk, and/or Systems team to take immediate action to prevent further network access.
Exceptions
As important new security applications and tools become available, ITS may opt to supplement or replace the log monitoring and security solutions specified in this policy.
Status: In effect, created August 6, 2015, updated August 24, 2018
Policy Stewards: Sr. Director Network, Infrastructure, Systems and Services, Sr. Director Enterprise Applications
Policy Owner: Chief Information Officer, ITS
- Software Copyright Compliance Policy
Purpose
The University of San Diego licenses the use of its computer software from a variety of outside companies. The University of San Diego does not own this software or its related documentation and, unless authorized by the software developer, does not have the right to reproduce it.
It is University of San Diego policy that employees, students and other users of University Computing Facilities shall use the software only in accordance with the license agreement.
University of San Diego employees found to be making, acquiring or using unauthorized copies of computer software will be disciplined as appropriate under the circumstances.
Status: Reviewed September 4, 2018
Policy Stewards: Chief Information Officer, ITS
Policy Owner: Chief Information Officer, ITS
- iPad Purchasing
May 26, 2010
This IT procedure pertains to purchasing and IT support of university iPads by USD faculty and staff. It does not apply to the purchase of personal iPads. Personal iPads are not supported by university Information Technology Services.
As of May 26, 2010, a new practice was implemented pertaining to the purchase of Apple iPads at USD. Specifically, these are iPads that are used for University academic and business activities. Requests and justifications for purchases of iPads will be made through Information Technology Services at the following website:
Requests for reimbursement of an iPad purchase or iPad accessory(ies) purchase made outside the university (for example, at the Apple Store) will be denied by USD Procurement. This procedure also provides proper asset control and allows the university to maximize purchasing power.
Requests for university iPads are required to go through the ITS website and will be reviewed and approved in a manner similar to requests for second computers. All requests must be accompanied by clear justification of academic/business purpose and proper departmental and budget approvals. The iPads purchased through the University will be considered a university technology asset and tagged and inventoried through the ITS asset management system. Please note that any university iPad purchases will include a $99 two-year AppleCare support contract.
The university will not pay for any cellular voice/data plans associated with iPads. Those cellular service plans shall be paid by the individual or with approved departmental budget or grant funds. The individual user, or the user's department with approval, will be responsible for any charges related to acquisition of individual applications for the device. Applications may be purchased directly from the Apple App Store (i.e., iTunes) by the user or user's department. If any applications will be paid for with university funds, a justification of academic/business purpose must accompany the invoice receipt.
Future generations of the iPad may resolve current problems with the operating system, printing capabilities, etc. Certainly, if Apple formulates agreements with textbook publishers, it will revolutionize the way academia may deliver textbook content and course packs. In the future, as Apple improves the device, there is a possibility that we will list the Apple iPad as an option in the USD Computer Replacement Program (CRP). This procedure and the procedures will be revised as iPad technology evolves.
For questions about this new purchasing practice, you may contact crp@sandiego.edu.
- Multimedia Equipment Use Policy
Purpose
ITS multimedia equipment is intended to support academic activities here on campus. Equipment, facilities, and services are available to USD faculty, staff, students and alumni with a current ID. Individuals are responsible for all equipment they check out, for returning it on time and for paying any fines.
We accept reservations for equipment and basic instruction on equipment operation can be provided. A small inventory of items is available only to faculty and staff. This more restricted list includes laptop computers, data projectors and media cabinet keys.
Items in the ITS inventory have a limited loan period; the length of that period depends on demand for the item and future reservations. Requests for off-campus use are handled on a case-by-case basis.
No copyrighted materials may be duplicated in the ITS facilities without written permission.
- Mass Mail Guidelines
Purpose
The massmail system is being phased out in 2020 due to on-going problems with the program and out-dated code. No new accounts will be created in massmail. Instead, please contact Enterprise Applications at crm@sandiego.edu to learn how to use SalesForce TargetX to send out your mass emails.
Mass e-mail is a blast message sent to a large group such as all faculty, students, staff, or administrators who have USD e-mail accounts (i.e.: username@sandiego.edu). It is used to convey emergency information, critical alerts or information of campus-wide interest.
MassMail is now considered the secondary/back-up way of sending out messages to faculty, staff or administrators. The primary method is Target-X, using Salesforce. You may request access at https://usd.tfaforms.net/217986. The USD website has a feature where events can be posted, in addition to emailing an announcement. You can access this page at MyPostings.
To send a mass e-mail, the following guidelines apply:
Approval
- Emails to the university community (faculty, staff, administrators, students) must be sent through Target-X, Salesforce or MassMail. Third party email systems (by vendors or a department's own system) may be used in lieu of this email system ONLY if the message is directed towards external parties (non-university email addresses).
- The text of the message must be approved by the Vice President to whom the individual department or group wishing to send the message reports. See below for divisional contact person(s) to whom the mass message request should be sent. The divisional contact may also authorize employees in their division to upload e-mails to the mass e-mail queue without having to send their text for approval.
- Events can be posted through MyPostings in addition to a mass e-mail message being sent. An event is any activity open to a broad group of the university community. Examples: seminars, trainings, conferences, workshops, lectures, receptions, concerts. This does not include private meetings or department meetings. The mass e-mail system should not be used to send out event reminders, unless for major campus events, such as Commencement, All Faith Service, etc. A personal message in MyPostings is an option for event reminders.
- Messages for enrollment or registration in USD degree programs or classes will not be approved except if they are part of a USD strategic initiative. A personal message in MyPostings is an option.
- Requests for mass e-mails ideally should be received by the VP approver at least three (3) business days prior to the requested send date. (Ideally there should be at least two full business days notice for the approved e-mailing.)
- E-mail the full mass e-mail message with subject line, return e-mail address, and designated group to the following individual in the specific vice presidential area:
| Division | Official Contact | Secondary Contact |
| --- | --- | --- |
| Academic Affairs | Kristin Scialabba | Justine Gonzales |
| Finance | Ginny Proctor | Ginny Proctor |
| Institutional Effectiveness and Strategic Initiatives | Hilda DePeder | Lori Ermac-Nash |
| Mission and Ministry | Cathy Johnson | N/A |
| Student Affairs | Kathe Myrick | Alejandro Cervantes |
| University Relations | Lisa Fernandes | Linda Long |
| Athletics | Charlene Ables | Charlene Ables |
Content
- Include the subject of the message and the e-mail address of the individual to whom replies concerning the message should be sent.
- Attachments or graphics are not allowed within the message. Links to documents on websites are permitted.
- A link to a web page can be included in the message to provide additional information when needed.
- Keep the message short and succinct. Long messages may be returned to the sender for editing by the VP approver.
- Messages should contain information about USD only; no messages promoting issues not directly related to the university will be approved.
- It is recommended that AP Style guidelines are used when composing a message. Here are the USD brand guidelines. As an example, building names should be spelled out (e.g., Mother Rosalie Hill Hall rather than SOLES).
- Please proofread your message closely. No "corrected versions" will be sent after the original message has gone out.
Formatting
- There are three primary templates available (Standard Text, Raw HTML, and USD HTML).
- The USD HTML template uses the group or sub-group under which the sender is listed as a header in the body of the message.
- The Raw HTML template is the one you use in conjunction with the USD email builder.
- The Standard text template is a simple template that can be used that provides minimal formatting.
Targeted Groups
- You can send mail to everyone at USD or to a list of divisions, schools or departments (noted in the mass e-mail queue as groups or sub-groups). You can also separate by Administrators, Faculty, Staff, or Students.
- Departments with fewer than 40 employees are not listed as a sub-group.
It is the responsibility of the individual requesting the mass message to meet the above requirements.
Status: Reviewed August 28, 2018
Policy Steward: Senior Director Library and Web Services
Policy Owner: Chief Information Officer, ITS
- DocuSign Guidelines
Purpose
DocuSign is an e-signature and workflow solution. It allows you to electronically send documents for signature and manage the documents you send, allowing for multiple people to sign and the ability to access and store all your documents instantly and securely. DocuSign is not a contract management system.
To use DocuSign please use the following guidelines:
Approval
- First and foremost, it is important to note that the use of DocuSign does not override or circumvent the university’s Contract Signature Authority Policy. Please read the policy and confirm that people added as signers to the workflow are authorized to sign contracts and agreements, especially those dealing with money transactions. Legal Policies.
- Because DocuSign is not a contract management system, contract review and approvals must be made prior to uploading a document in DocuSign. The university’s Contract Signature Authority Policy describes the advance review by the Office of the General Counsel and other relevant departments that is required before the execution of a contract.
- To create a DocuSign account, please go to docusign.sandiego.edu and log in with your USDOne credentials. You will automatically have Viewer status. To obtain Sender status, please email docusign@sandiego.edu. Training will be provided to you upon request.
- DocuSign has been approved for internal workflow and e-signature collection. Should a department wish to use DocuSign with any Third Party vendor/signers, please contact your area’s budget administrator/assigned sender for upload and routing of documents. It is important to have approval from the third party vendor to send a document via DocuSign. Please contact vendors prior to uploading a document to verify they do not require the document to have a “wet” signature.
| Area | Approved Uploaders | Secondary Uploaders |
| --- | --- | --- |
| College of Arts and Sciences | Catherine Cornell | Carla Wilson |
| School of Engineering | Choa Kang | N/A |
| School of Business | Kelli Bagley | N/A |
| School of Law | Kay Manansala | N/A |
| School of Nursing | Linda Johnston | N/A |
| SOLES | Vlad Bolsakov | N/A |
| Copley Library | Jasmin De Unamuno | N/A |
| Facilities Management | Lynne Morris | N/A |
| Information Technology Services | Lori Ermac-Nash | Liza Peterson-Gary |

Signers
- Any employee who is authorized to sign an agreement on behalf of the University of San Diego and who chooses to do so through DocuSign must sign the agreement using an official University of San Diego-issued DocuSign account. Personal or non-USD DocuSign accounts may not be used to sign agreements on behalf of USD.
- A signer always has the option to print the document, “wet” sign it and return a hard copy to the sender, instead of agreeing to sign a contract through DocuSign. For any questions on signing documents please email docusign@sandiego.edu.
- Signers should not delegate signing authority to those who do not have authorization to sign documents. In order to maintain the security of DocuSign, please do not give your username and password to anyone.
- Please keep personal DocuSign accounts separate from official University of San Diego-issued DocuSign accounts. Access to USD’s DocuSign account is made through your University of San Diego email address and your password for that address. If you have any questions with settings please contact your area Desktop Technician.
- Please read the Electronic Record And Signature Disclosure found in your DocuSign account under “Preferences” or under the “More” tab prior to signing.
- Your electronic signature, with DocuSign, is a legally binding signature.
- Under the university’s Contract Signature Authority Policy, the university official executing the contract is responsible for maintaining the fully-executed contract, including all attachments, in a manner consistent with the university’s Record Retention Policy. The university official executing the contract also is responsible for maintaining records evidencing any electronic signatures obtained through DocuSign.
- DocuSign senders must be approved by DocuSign administrators and attend training prior to sending documents through DocuSign. ITS will either provide training in a lab or one-on-one training, depending on the group.
- When creating workflow through DocuSign, it is the responsibility of the sender to verify that all signers for contracts dealing with university affairs or monetary agreements have signature authority. Please refer to the Contract Signature Authority Policy to verify signing authority.
For more information please visit the DocuSign website.
For questions regarding the legality of e-signatures via DocuSign please visit:
DocuSign E-Signature Legality
For information on DocuSign security please visit:
DocuSign Security
Status: In effect, April 20, 2015. Revised August 9, 2018.
Policy Steward: Budget & Administrative Operations Manager, ITS
Policy Owner: Chief Information Officer, ITS
- Web Accessibility Policy
Purpose
The purpose of the university website is to access official university information, to disseminate and extend knowledge, and to foster the free exchange of ideas. It is also a valuable asset for marketing and branding the university and for reaching and engaging with the university's prospective students.
The University of San Diego is committed to providing equal access to its official websites and web-based information for all users. This includes persons with disabilities accessing the web through auxiliary technologies, software and hardware.
Application
University Web Services makes a concerted effort to comply with the accessibility standards specified in Section 508 of the Rehabilitation Act of 1973 and WCAG (Web Content Accessibility Guidelines) 2.0. In addition, the WCAG 2.0 AA standards are set by the World Wide Web Consortium (W3C) which provides guidelines to develop websites to their fullest potential, including web accessibility.
University Web Services works in coordination with university Disability Services to provide websites that work with auxiliary technologies available in several locations across campus, such as JAWS (Windows), Window-Eyes (Windows), and VoiceOver (Mac).
This policy applies to University Web Services, website maintainers across campus, students, faculty, and staff that update their own websites through the university’s content management system (CMS), Cascade Server, or other means (e.g. WordPress). Each web developer and maintainer is responsible for achieving compliance with this policy for pages created by or for their academic area or administrative department.
Practice/Standard
- University Web Services continually improves website standards, including accessibility compliance (WCAG 2.0 Level AA). As guidelines change, retroactive changes are being implemented. Best practices have been put into place to assure that future-forward website creation and updates will attain a high standard. Accessibility guidelines used in website development can be found online.
- Basic Standard for Site Accessibility:
- Add alternative text description (ALT tags) for any graphics, videos, animations, and other non-text elements on a web page
- Create meaningful title attributes
- Use descriptive text for hypertext links, instead of “click here”
- Caption or transcribe audio and video for the hearing-impaired (University Web Services recommends that YouTube be used for uploading videos. YouTube has a built-in closed caption feature that allows hearing impaired individuals to read words being spoken in the video)
- Ensure that color contrast is adequate, especially between text and background color, and that color is not the only thing used to communicate important text
- Ensure that all functions of the page can be accessed using the keyboard alone, including navigation
- Ensure tables are accessible
- Form elements should make use of the label tag to properly associate the label and element
- Add skip to content links
- Keep navigation consistent
- Avoid flickering elements on a web page. They increase the risk of optically-induced seizures
- When a timed response is required, be sure to alert the user, and allow sufficient time for the user to indicate more time is required
Exceptions
Exceptions may be granted to this policy when compliance is not possible or requires extraordinary measures. University Web Services, academic areas and administrative departments make every effort to retroactively improve sites and create sites that are compliant with WCAG 2.0 level AA guidelines. Faculty, students and staff are trained on web accessibility compliance as part of Cascade CMS training.
If University Web Services becomes aware of compliance issues on websites created by vendors, faculty, students or staff that are maintained outside the official USD website and are not controlled or monitored by University Web Services, the site owners will be notified to correct any compliance issues that are found.
Contacts and Resources
- University Web Services, Accessibility and Training Web Developer, webaccess@sandiego.edu
- Reference materials, tutorials, and accessibility tools can be found at https://www.sandiego.edu/its/support/web/accessibility/
- University Disability Services, https://www.sandiego.edu/disability/
- Reporting Website Accessibility Problems: https://www.sandiego.edu/feedback.php
Status: In effect, created May 30, 2016; Reviewed August 28, 2018
Policy Steward: University Web Services Accessibility and Training Web Developer
Policy Owner: Sr. Director Library and Web Services
- Standard Computer Policy
Purpose
To make the most efficient use of university resources, all desktop and laptop computers, printers and digital signs acquired by the university must be based on standard configurations approved by Information Technology Services (ITS). Standards allow ITS to provide better and more efficient support for the university, efficient acquisition, and the most cost-effective pricing available. The standards include both Windows and Macintosh platforms. There is at least one desktop and one laptop model available for each platform and the models can be reviewed here: https://www.sandiego.edu/its/support/hardware/computer-standards.php
Application
This policy applies to all computers purchased or leased with University of San Diego funds regardless of funding source (i.e. including grants, startup funds, etc.)
Practice/Standard
This policy governs the procurement of any computers, monitors, printers, digital signs or hardware asset supported by Information Technology Services. All hardware assets purchased or leased at USD must align with the standard models identified and supported by ITS. Non-standard computers, procured by departments without approval by ITS, are not eligible to receive support from ITS.
- A “standard model computer” is one that has been designated by ITS as a model that meets or exceeds the needs of the majority of the campus community. It must meet the following standards:
- Enterprise / business model (no consumer models)
- Warranty must last the duration of the lease period or a minimum of 3 years, whichever is longer
- ITS staff must be able to order parts and perform repairs to the computer while under warranty
- Computer must be compatible with an operating system that is supported by the vendor for the full life cycle of the computer
- Computer must be compatible with all ITS standard software and hardware
- Computer must be manufactured by an ITS approved vendor
- “ITS Support” includes:
- Ordering / procurement of the computer
- Initial setup and software installation
- Imaging of the computer
- Deployment of computer
- Troubleshooting and repairs
- Installation of software
- Patching and updating of software
- Connecting to the network, printers or other peripherals
- Retirement and/or replacement of computers at the end of their planned life
ITS strongly discourages the procurement of non-standard computers due to a number of factors:
- Consumer models lack the manageability, spare parts availability and support of business models. They are built with lower quality components which have short life cycles and lower tolerance to the business or educational environment.
- ITS staff are trained and certified to provide warranty repairs for ITS approved vendors and are able to directly order parts from vendors. This training and certification does not extend to non-standard models.
- ITS computer management processes are designed and optimized to function with computers that have been predefined and selected by ITS. Non-standard computers may not be compatible with existing ITS processes, and can require additional manual and time-consuming support by ITS staff.
- Computers have varying life expectancy and compatibility with operating systems. ITS approved models are guaranteed to be compatible with the latest operating system and will receive ongoing security patches throughout the entire planned life of the system, and typically much longer than the planned life cycle. Non-standard computers (especially consumer models) have no guarantee of ongoing compatibility with operating systems and cannot always be easily upgraded to new versions. This can introduce a security risk to the USD network when unpatched / unsupported hardware continues to be used past its planned life cycle.
In the event that an unsupported computer (i.e. a non-standard configuration that has NOT been preapproved by ITS) is procured, the following will apply:
- ITS will not participate in the initial staging, imaging (installation of ITS configured operating systems and software), or deployment of the computer.
- ITS will not provide any level of support for the computer.
- The procuring individual or department will be responsible for patching, updating, maintaining, troubleshooting or repairing any unapproved computers.
- The procuring individual or department will be responsible for purchasing and installing any required software.
- ITS will not install any software on unsupported computers.
- ITS will not connect any unsupported computers to the USD network.
- ITS will remove any unsupported computers from the USD network if they are found to be unpatched, running an unsupported operating system or otherwise insecure.
Exceptions
Non-standard computers will be eligible for support ONLY if they are pre-approved by ITS in advance of being procured. Non-standard computers must meet the same requirements as standard computers as listed above, but may have different specifications from those typically acquired. Typically, these non-standard computers are required to run specific specialized applications and ITS is happy to assist with the selection and deployment of these computers. For example, an approved non-standard computer may have:
- A faster processor
- More memory
- Larger or multiple hard drives
- Different video card
- Different case (ultra-small form factor, full-size tower, etc.)
- Different monitor
- Different keyboard or mouse
Non-standard computers ARE NOT eligible for support if they do not meet all of the criteria listed within the definition of a “standard model computer”, notwithstanding the list of exceptions stated above.
Status: In effect, created May 26, 2017
Policy Stewards: Sr. Director of Client Support Services
Policy Owner: Chief Information Officer, ITS
- Classroom Technology Standards
Purpose
To make the most efficient use of university resources, all Classroom learning spaces, Seminar rooms and Conference rooms implemented by the university must be based on standard configurations approved by Information Technology Services (ITS). Standards allow ITS to provide better and more efficient support for the university, efficient acquisition, and the most cost-effective pricing available. The standards include different levels of technology based on need and budget.
Application
This guideline applies to all technology purchased or leased with University of San Diego funds regardless of funding source (i.e. including grants, startup funds, etc.)
Practice/Standard
This policy governs the procurement of any Classroom technology, displays, digital signs or hardware asset supported by Information Technology Services. All hardware assets purchased at USD must align with the standard models identified and supported by ITS. Non-standard equipment, procured by departments without approval by ITS, is not eligible to receive support from ITS.
Level 2 - Basic+
- Dry Erase or Chalkboard
- Network Infrastructure
- Projection Screen (one)
- Data Projector (one)
- Laptop Display Connection
- In Wall Equipment Rack
- Dedicated Room Computer
- Blu Ray Disc Player
- AV Control Panel (basic control)
- Sound Playback System
Level 3 - Standard
- Dry Erase or Chalkboard
- Network Infrastructure
- Projection Screen (one)
- Data Projector (one)
- Laptop Display Connection
- Technology Lectern/Podium
- Dedicated Room Computer
- Blu Ray Disc Player
- AV Control Touch Panel
- Sound Playback System
- Document Camera
- Interactive Display
- Apple TV
Level 4 - Advanced/Enhanced
- Dry Erase or Chalkboard
- Network Infrastructure
- Projection Screen (one or 2)
- Data Projector (one or 2)
- Laptop Display Connection
- Technology Lectern/Podium
- Dedicated Room Computer
- Blu Ray Disc Player
- AV Control Touch Panel
- Sound Playback System
- Document Camera
- Interactive Display
- Apple TV
Special Features:
- Large Interactive Display
- Lecture Capture
- Web or Video Conferencing
Exceptions
Non-standard equipment will be eligible for support ONLY if it is pre-approved by ITS in advance of being procured. Non-standard equipment must meet the same requirements as standard equipment as listed above, but may have different specifications from those typically acquired. Typically, these non-standard components are required to run specific specialized applications and ITS is happy to assist with the selection and deployment.
Status: In effect, created May 19th, 2017
Policy Stewards: Sr. Director of Client Support Services
Policy Owner: Chief Information Officer, ITS
- Information Security Incident Response Policy
Purpose
Information Technology Services recognizes the need to follow established steps to address situations that could indicate the security of the University of San Diego's information assets may have been compromised. Such procedures include ensuring the appropriate level of University management becomes involved in the determination of actions implemented in response to an Information Security Incident.
This policy outlines the procedures for decision-making regarding emergency actions taken for the protection of the University of San Diego's information resources from accidental or intentional unauthorized access, disclosure or damage. The fundamental intent of this policy is to:
- Augment protection of USD IT resources and data from unauthorized access, use or damage,
- Ensure that USD achieves its obligations under University policy, and federal and state laws and regulations with respect to information security incidents, and
- Mitigate the impact from an information security incident.
Application
This policy describes the procedures when an information security incident is discovered involving an Academic or Administrative Computing System operated by the University, its faculty, students, employees, consultants, vendors or others operating such systems on behalf of USD. It also describes steps to be followed when information residing on any computing or information storage device is, or may have been, inappropriately accessed, whether or not such device is owned by USD. Moreover, this policy is applicable to all University students, faculty, staff, and to all others granted use or custodianship of the University of San Diego information resources.
Practice/Standard
An Information Security Incident is defined as any real or suspected adverse event in relation to the unauthorized access of University computer systems or computer networks, which may constitute a breach of electronic data/information. Such information may be restricted or prohibited information, including the following:
- Social Security Numbers
- Credit Card Numbers and Security Codes
- Financial and Bank Account Numbers
- Driver's License Numbers
- Health Insurance Policy ID Numbers
- Passport and Visa Information
- Salary information
- Tax information
- Grades and Transcript information
- FERPA Protected Information
- HIPAA Protected Information
- Background Check Reports
Examples of possible adverse events include:
- Theft or loss of a laptop, desktop, or other device that contains restricted or prohibited information.
- DoS (Denial of Service Attack).
- Malware or Ransomware attack.
- Unauthorized physical access to a USD Data Center.
- The unauthorized use of a system for the processing, cloning, or storage of data.
- Brute-Force Logon attempts to gain unauthorized access to a system or data.
- Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
A member of the University of San Diego Community who becomes aware of a potential Information Security Incident should immediately contact the ITS Help Desk at (619) 260-7900 or help@sandiego.edu to report the incident.
When an Information Security Incident is reported, the University’s Chief Information Officer (CIO) will do the following:
- Have the ITS Help Desk and/or Office of the CIO designee instruct the individual to avoid making any updates or other modifications to software, data, or equipment suspected of involvement with an Information Security Incident until after the ITS technical designee has completed its investigation and authorizes such activity.
- If a suspected system or device is available, ITS will work to disconnect the compromised system and equipment from USD's network. If the suspected system or device is lost or stolen, ITS will attempt to locate it through USD’s Computrace Internet tracking software, via Absolute Software.
- The CIO will appoint the appropriate IT professionals (DBAs, Systems Architects, Network Engineers, Desktop Technicians, etc.) to investigate the Information Security Incident. The individuals chosen to participate in the investigation may vary, depending upon the type of adverse event and skills needed to complete an investigation.
- In order to complete a proper investigation, the CIO has the authority to restrict information system access or operations to protect against unauthorized information disclosures. In order to complete the investigation, the CIO may convene a preliminary fact-finding working group that may include relevant ITS technical staff and, if necessary, University administrative staff. The fact-finding group will focus on any logs, event monitoring statistics, or technical evidence to affirm or deny the suspected compromise of restricted or prohibited information.
- If necessary, the CIO may engage an IT forensics firm and other technology vendors to help in defining the extent, root cause, and mitigation steps associated with a data breach.
- The CIO will consult with the University Office of the General Counsel to determine if applicable federal or state laws or regulations may have been violated. Law enforcement agencies will be notified, if appropriate.
Incident Response and Communications
Depending upon outcomes from the preliminary fact-finding working group, the CIO, in consultation with ITS Senior Directors (NISS and EA) and other Administrative/Business unit leaders, will determine if there is a significant likelihood of unauthorized access to prohibited or restricted Information. If necessary, the CIO will convene an Information Security Incident Response Team (ISIRT), potentially composed of representatives from some or all of the following offices:
- Information Technology Services
- Finance and CFO’s Office
- Office of the General Counsel
- Internal Audit and/or Institutional Compliance Department
- Office of the Associate Vice President for University Communications
- Enterprise Applications
- Network Infrastructure Systems and Services
- Division Vice Presidents or AVPs, as needed.
- Other departments or constituencies, as appropriate.
The ISIRT will work with the Office of the CIO and Office of University Communications to develop and execute communication and other action plans to ensure:
- Appropriate action is taken in a timely manner, including reporting, notification and other communication of the Information Security Incident, as required by law or otherwise deemed appropriate. If necessary, University Communications, in coordination with the CIO’s office, will draw on language in a pre-drafted Data Breach Letter that is contained within the Communications Section of the University Emergency Response Plan.
- Progress reports are made on the Information Security Incident and execution of the mitigation efforts to appropriate groups:
  - Office of the President
  - Academic Affairs
  - Student Affairs
  - University Relations
  - Human Resources
  - Alumni Association
  - Other impacted constituencies, as appropriate for the incident.
In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to protect the fundamental interests of the University and others impacted by the incident.
The Office of the CIO (ITS Staff) will be responsible for documenting the deliberations and decisions of the ISIRT as well as all actions taken pursuant to ISIRT deliberations.
Incident Report
The Office of the CIO will be responsible for writing a final report on the incident and the investigation, which summarizes findings regarding the Information Security Incident and, if appropriate, makes recommendations for improvement of related information security practices and controls. The final report may include input from the preliminary fact-finding group, the Information Security Incident Response Team (ISIRT), and findings from any IT forensics firms and technology vendors involved in assessment of the incident. The Report will be distributed to the Vice President for Institutional Effectiveness and Strategy, and other appropriate University office(s), if any.
Exceptions
This policy does not apply to externally hosted systems, vendor-provided SaaS applications, or cloud-based solutions in which USD Information Technology Services does not oversee the systems/data security (e.g. Salesforce/TargetX, Google Gmail/Docs, Microsoft Office 365, etc.).
Status: In effect, created July, 2016; updated August 24, 2018
Policy Stewards: Sr. Director Enterprise Applications and Sr. Director of Network Infrastructure, Systems, and Services
Policy Owner: Chief Information Officer, ITS
- Account Name Re-Credentialing
Purpose
This policy is to standardize the process of Account Re-credentialing or Vanity account name changes.
Application
The Practice/Standard applies to all USD students, staff, faculty, and guests with authorized USD Account Names.
Practice/Standard
This Practice/Standard extends to all USD students, staff, and faculty requesting a vanity or legal name change. Re-credentialing, account name changes, or vanity name changes are not allowed. A request for account re-credentialing must be accompanied by a document from a court of law and entered in the University’s employee system of record or student system of record. In both cases the Registrar’s office or Human Resources must validate the legal name change.
The USD One identity system now creates user account names automatically using an unused combination of the person’s first, middle, and last names. In some cases, people with very common names may have a number automatically appended to their account name since no other choices are available. Account names created as of April 2015 cannot be changed.
Exceptions
- A student may request a re-credentialing because their legacy account name had been appended with their proposed graduation date i.e., smith-10@sandiego.edu **
- Faculty/author with a Nom de plume, literary double, or pseudonym documented in the University’s employee system of record may request an account name re-credentialing.
- Stalking or harassing cases documented by a Law Enforcement agency or USD’s Department of Public Safety will be granted an account name change. Case numbers must accompany a request for account name change.
- An account name created by the USD One Identity System, using combinations of the Employee’s or Student’s first, middle initial, and last name, that is inappropriate or offensive will be granted a one-time account name change.
- Re-credentialing due to business continuity – see Email Transition Policy
Appendix
**Legacy account names appended with proposed graduation date ended in 2013 and only those students may request a one-time account name change.
Status: In effect, created April 13, 2015; reviewed August 24, 2018
Policy Steward: Sr. Director Network, Infrastructure, Systems and Services
Policy Owner: Chief Information Officer, ITS
- Hosted Personal and Professional Website Policy
Purpose
The University of San Diego provides faculty, staff and students with a hosted WordPress account at https://sites.sandiego.edu. This solution is offered for ease of access, password security, basic training and multiple-user access to a single site.
If you choose to utilize WordPress, you will need to have a web browser installed on your computer. Note that all imagery posted to personal and professional websites should follow copyright guidelines. The USD Gallery is a resource for professional imagery of the USD campus and students.
WordPress Application
Request a WordPress site if you need the following:
- Multiple people need to access this site to perform updates or add pages to the site.
- The site will contain only content and images.
- You are a faculty member and you require basic one-on-one training.
Retention
- Faculty/Staff: For the length of employment.
- Students: Once a student graduates, the site may remain up until it has been inactive for a year. At that time, ITS reserves the right to remove the site.
Training and Support
Faculty who request a new site will be offered the option for a one-on-one basic training and documentation to do the following. The training option is only available to those with faculty status and we are not able to accommodate staff training requests at this time.
- Add/remove pages
- Add/remove menu items
- Update text content
- Update links
- Update media such as images, video, etc.
Additional support links to WordPress are provided below.
Exception
If WordPress does not meet the requestor’s needs, the University of San Diego can offer access to an HTML site. If your needs can be met by utilizing a WordPress site, then you will not be granted an HTML site.
HTML Website Application
Request an HTML site if you need the following:
- The site will be used by students to learn HTML and CSS. If so, each student will need to request their own HTML site. These sites will be kept for a period of 1 year.
- The site requires specialized database and/or PHP programming. Please note: your PHP programming will be subject to review and may be refused from being placed on the server if the programming is insecure.
Server Characteristics
The HTML site server has the following characteristics:
- Apache 2.4
- PHP 7.X
- MariaDB 10.X
Responsibilities
Your responsibilities as an HTML site owner:
- JavaScript framework: The only JavaScript framework permitted on the HTML site server is jQuery. You are responsible for ensuring that the version of jQuery you run is no more than 3 releases older than the current version.
- University Web Services will upgrade Apache, PHP, and MariaDB as time allows. It is the site owner’s responsibility to ensure that their programming continues to function as expected when upgrades are applied.
- If the site owner fails to maintain their site in proper functioning order, with appropriate upgrades as needed, the site will be taken offline until such time as they have made the necessary updates.
Access and Updating
- In order to make updates to your HTML site, you will need to be connected to the campus internal network.
- You will need to understand HTML and CSS at a minimum, and if you are providing interactivity, you will need to understand PHP, and possibly SQL.
- You will need to use HTML editing software as well as SFTP software.
Training and Support
No training or technical support is provided other than setting up the HTML account.
Retention
- Faculty/Staff: For the length of employment.
- Students: Once a student graduates, the site may remain up until it has been inactive for a year. At that time, ITS reserves the right to remove the site.
Contacts and Resources
- Web Privacy and Security Policy
- WordPress reference materials and tutorials: WordPress is open-source software and there is online documentation and information available at http://wordpress.org/.
- For questions and reporting site problems, submit a web request.
Status: In effect, created and reviewed August 28, 2018
Policy Steward: University Web Services, Senior Web Administrator
Policy Owner: Sr. Director Library and Web Services
- Multi-Factor Authentication
Purpose
This policy is to standardize the process of protecting sensitive data or Personally Identifiable Information (PII) using the USDOne password and second-factor authentication (2FA, Duo, Google Authenticator, etc.).
Application
The Practice/Standard applies to all USD students, staff, and faculty accessing critical applications or systems with well-known network ports (i.e. SSH), either on campus or off campus.
Practice/Standard
This Practice/Standard extends to all USD students, staff, and faculty who need, via VPN, to access research projects, servers supporting the SSH protocol, or Oracle’s e-Business Suite (any application or service that holds or potentially holds sensitive data or PII).
Current applications or services:
- Oracle e-Business Suite
- Virtual Private Network
Future applications and services (in no particular order):
- Email (Google)
- My.SanDiego Portal
- DocuSign
- Salesforce
- Banner
Exceptions
None
Appendix
None
Status: In effect, created August 24, 2018
Policy Steward: Sr. Director Network, Infrastructure, Systems and Services
Policy Owner: Chief Information Officer, ITS
- GDPR Privacy Notice
Purpose
The University of San Diego is committed to safeguarding the privacy of personal data. This Privacy Notice outlines the collection, use and disclosure of personal data provided to the University by students, faculty and staff, alumni, and other members of our community. This Notice also provides certain required information to persons located in the European Union, a European Economic Area member state, or Switzerland pursuant to the EU General Data Protection Regulation (“GDPR”). When you submit information to the University or use the University’s website or other services, you consent to the collection, use and disclosure of your personal data as described in this Notice.
Application
University Use of Information
The University collects and processes personal data (“Information”) from individuals only as necessary to exercise the University’s legitimate interests, functions and responsibilities as a private, non-profit institution of higher education. Information means any information which relates to or identifies you as an individual. The data being collected may also include Sensitive Information, which means data such as race, ethnic origin, religious or philosophical beliefs, health data, sexual orientation, and/or criminal convictions.
The University will only process your personal data for lawful purposes under the GDPR related to the University’s educational, charitable, and scientific purposes and arising from your relationship with the University as a prospective, current, or former student (or such student’s parent or guardian), faculty or staff member, employee, contractor, donor, supporter, research subject, visitor to the University or its website, or attendee at a University event. For example, the University collects and processes Information from individuals who are applicants for employment positions. The University also collects Information from students or student applicants to: enroll and register individuals in the University; provide and administer housing; manage student accounts; administer grant, scholarship and financial aid programs; provide academic advising; develop and deliver education programs; track academic progress; provide student support services; comply with regulatory reporting, auditing and maintenance of accreditation; and other related University processes and functions. The University collects and processes Information from alumni in order to send correspondence for networking, job placement, continuing education, and fundraising. The University also uses Information to conduct general demographic and statistical research to improve University programs, identify appropriate support services or activities, provide reasonable accommodations, and enforce University policies or comply with applicable laws.
The University will ordinarily collect and process your personal data because it is necessary for the performance of a contract to which you are a party or because the University has another legitimate interest in doing so. When the University cannot rely on either of these grounds, it will seek your consent before collecting and processing your data.
Any personal data provided to the University will be accessed by those who have a legitimate University-related business need to access it. Your personal data may also be shared by the University with third parties who have entered into contracts with the University to perform functions on behalf of the University, subject to the obligation of confidentiality and safeguarding from unauthorized disclosure.
Third Party Use of Sensitive Information
The University may disclose your Sensitive Information and other Information as follows:
- Consent: We may disclose your information if we have your consent to do so.
- Emergency Circumstances: We may share your information when it is necessary to protect your interests and you are physically or legally incapable of providing consent.
- Employment Necessity: We may share your information when necessary for administering employment or social security benefits in accordance with applicable law, subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Public Information: We may share your information if you have manifestly made it public.
- Archiving: We may share your information for archival purposes in the public interest, and for historical research and statistical purposes.
- Performance of a Contract: We may share your information when necessary to administer a contract you have with the University.
- Legal Obligation: We may share your information when the disclosure is required or permitted by international, federal, and state laws and regulations.
- Service Providers: We use third parties who have entered into a contract with the University to support the administration of University operations and policies. In such cases, we share your Information with such third parties subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- University-Affiliated Programs: We may share your information with parties that are affiliated with the University for the purpose of contacting you about goods, services, charitable giving or experiences that may be of interest to you.
- De-Identified and Aggregate Information: We may use and disclose information in de-identified or aggregate form without limitation.
Practice/Standard
Security
The University implements appropriate technical and organizational security measures to protect your information when you transmit it to us and when we store it on our information technology systems.
Cookies and Other Technology
The University’s use of cookies and other data can be found at: https://www.sandiego.edu/its/about/policies/#webprivacy
Your Rights
If you are subject to GDPR, you have the right to request access to, a copy of, rectification, restriction in the use of, or erasure of your Information in accordance with all applicable laws. The erasure of your Information shall be subject to applicable state and federal laws, and the University’s applicable retention periods as set forth in the Records Retention Policy. If you have provided consent to the use of your Information, you have the right to withdraw consent without affecting the lawfulness of the University’s use of the Information prior to receipt of your request.
As explained above, the University will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to further the University’s legitimate interests. If you do not provide such information, sometimes the University will not be able to process such contracts, pursue those legitimate interests, or comply with its legal obligations, and you will not be eligible to receive the benefits that may result from those contracts, interests, or obligations.
Personal data created in the European Union will be transferred out of the European Union to the University. If you feel the University has not complied with applicable foreign laws regulating such information, you have the right to file a complaint with the appropriate supervisory authority in the European Union.
Retention and Destruction of Information
Personal data will be retained by the University in accordance with applicable federal and state laws and the applicable retention periods developed by the University and set forth in its Records Retention Policy. Personal data will be destroyed upon your request unless applicable law requires destruction after the expiration of an applicable retention period. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of your information given the level of sensitivity, value and criticality to the University.
Contact Information
The University is the controller of the personal data it collects. If you would like to contact the University in its capacity as controller, please contact: privacy@sandiego.edu.
Status: Created October 26, 2018
Policy Steward: Chief Information Officer, ITS
Policy Owner: Chief Information Officer, ITS
- Cell Phone Allowances and University-Issued Cell Phones: Standards and Procedures
I. Overview
Certain employees, due to the nature of their positions, may require cell phones (including smart phones) in order to adequately conduct University business. This document outlines the standards and procedures addressing the approval and issuance to eligible employees of cell phone allowances or a University-issued cell phone and service plan. These standards and procedures apply to all USD employees.
Effective November 1, 2018, USD will no longer purchase or upgrade cell phones or related accessories, nor will the University carry service contracts for cell phones used by employees, except as specifically permitted and approved according to the standards and procedures outlined in this document. The University’s preferred business approach is to provide eligible employees with a non-taxable monthly allowance based on the employee’s level of required business use of a cell phone. The allowance is not intended to pay the entire bill, under the assumption that most employees also use their cell phones for personal use.
The Finance Division, in collaboration with ITS Telecommunications, is responsible for overseeing the implementation of these standards and procedures.
II. Employee-Owned Cell Phones with University Allowance
Eligibility and Approval
An employee may be eligible for a cell phone allowance only under the following circumstances:
- The employee’s job requires the employee to work regularly in the field with a need to communicate in real time with University employees or others to give or receive direction in connection with University business;
- The employee has administrative responsibilities related to critical University business functions, support of the University’s infrastructure, or campus safety, and needs to be immediately accessible at all times; and/or
- The employee is required to travel frequently on University business and must be accessible or have access to information technology systems while traveling in order to perform required job functions. A frequent traveler is defined as at least 30 travel days per fiscal year.
The use of cell phones is not a job requirement for most employees. A cell phone allowance is based on the employee’s actual job duties, not a particular title or position. Simple convenience is not a criterion for approving a cell phone allowance.
The Vice President of the division in which the employee is employed, together with the Finance Office, will determine when an employee is eligible for a cell phone allowance and, if so, the amount of the allowance to be approved. The following chart should be used to determine the appropriate allowance amount:
| Required Business Use | Monthly Allowance |
| --- | --- |
| Low – Either data is not necessary (i.e. only voice/text required) or less than 40% of the employee’s cell phone use is for business purposes. | $15 |
| Medium – Data, voice and text capabilities are required. Between 40-60% of the employee’s cell phone use is for business purposes. | $30 |
| High – Data, voice and text capabilities are required. More than 60% of the employee’s cell phone use is for business purposes. | $45 |
Approval for a cell phone allowance, and the amount of the allowance, must be granted on an annual basis. The allowance will be charged to the budget of the employee’s department. Under no circumstances should the approved monthly allowance exceed the actual monthly cell phone charges incurred by the employee.
The cell phone allowance is requested using a Department Action Form (DAF). The employee also must provide a current billing statement in order to apply for the allowance. The DAF must be approved by the employee’s supervisor, budget manager, Vice President of the employee’s division, and the Finance Office.
The cell phone allowance will be reviewed annually at or near the start of each fiscal year (July 1) to determine if the allowance should be continued as-is, changed, or discontinued. A new DAF must be submitted, including a copy of the employee’s then-current billing statement, if the allowance will be continued.
If an employee receiving an allowance is terminated, resigns, or otherwise is no longer eligible for the allowance, the employee’s supervisor must submit a DAF to process the change.
The receipt of a cell phone allowance is not an entitlement. The University may deny an allowance request, change the amount of the allowance, or withdraw approval for an allowance at any time in its sole discretion.
Costs above Allowance Levels for International Use
In some instances, international business requires incremental cellular service costs that may be reimbursed through the Finance Office with appropriate documentation. If business use results in a billed amount that is more than the allowance amount, reimbursement may be sought with appropriate documentation through regular expense reimbursement procedures. If increased business use will continue, the monthly allowance can be revised by submitting an updated DAF specifying that the monthly allowance should be increased and the effective date of the increases. Increases will not be considered retroactively. The DAF must be approved by the employee’s supervisor, budget manager, Vice President of the employee’s division, and the Finance Office.
Employee Responsibilities
The employee is responsible for selecting and purchasing a cell phone and enrolling in an appropriate service plan. Payment of bills for the service plan, the device, insurance and accessories is the responsibility of the employee.
An employee who receives a cell phone allowance must provide his/her supervisor with the device phone number within five (5) working days of activation. The employee is responsible for maintaining an active device contract for the duration of the receipt of the allowance and must notify his/her supervisor immediately if the device is disconnected or the plan is terminated, in which case the allowance will be discontinued.
The employee shall be responsible for any cancellation or other early termination fees.
Transition
To avoid cancellation fees and to allow for an orderly transition, employees currently using a USD-owned cell phone will have until the end of the current contract to make alternative arrangements to comply with these standards and procedures. At the expiration of each contract, the cell phone will transfer ownership from USD to the employee at no cost to the employee. At that time, the employee is responsible for transferring to a personal device contract, and the University will not be responsible for the condition of the equipment.
III. University-Owned/Funded Cell Phones and Plans
USD’s preferred business practice is to provide a monthly allowance to eligible employees who are required to have a cell phone for business purposes. In limited circumstances, departments may request approval for the purchase of University-owned devices and University-funded plans for certain employees, for shared use within a department, or for use on a rotational basis among employees within the department (e.g. for employees on-call).
To be eligible to be considered for a USD-owned device and USD-funded plan, the employee must be the primary point of contact for safety, security and/or effective operations of the University community at all times. If the request is approved by the Vice President who oversees the department making the request, and by the Finance Office, then USD’s Telecommunication Services will be responsible for overseeing the purchase of the device and the associated plan.
Because these devices are intended to be restricted to business use only, no documentation of usage is required prior to approval. Any reasonable personal use of a USD-owned device will be treated as a non-taxable de minimis fringe benefit. Any unusual or excessive personal use of a University-owned device must be paid by the employee to the University. Charges above the monthly plan are an indication of unusual or excessive use, and the employee must justify such use if payment by the employee to the University for the excess use is to be avoided. All activity and usage of USD-owned devices is subject to review and audit by the Finance Office.
IV. Expense Reimbursement Requests
Employees who are not eligible for or approved to receive a cell phone allowance may submit expense reimbursement requests for occasional, incremental business expenses. To be reimbursed for calls or service, an employee must provide documentation to justify the additional costs incurred for business use in accordance with Section 17.1 of the expense reimbursement procedures. Such reimbursements may not exceed the total overage charge shown on the billing statement, as the expenses for minutes included in the employee’s personal plan will not be reimbursed.
(Approved by Executive Council October 2, 2018)