Information Technology Policies

  1. Computing and Network Policy  (Last updated 6-4-14 @ 12:25pm EST)
  2. Digital Millennium Copyright Act (DMCA) Policy
  3. Email Policy
  4. Acceptable Use Policy
  5. Mobile Device Policy
  6. Data Classification and Usage Policy
  7. Clean Desk Initiative
  8. Payment Card Industry Data - Security Standards (PCI-DSS) Policy
  9. Remote Access Policy
  10. Gramm-Leach-Bliley Policy
  11. Technology Purchasing Policy

Computing and Network Policy    

Code for Ethical Use of Computing Resources

All members of the Bentley community make use of technology – for example, personal computers, smartphones, application software, Bentley’s network and server infrastructure and the Internet – in pursuing their primary academic and administrative endeavors at the university. Using the university's technology resources for incidental purposes is also permitted, but all usage must comply with state and federal laws, as well as with Bentley’s own policies governing appropriate use of technology. Bentley requires that technology resources are not 1) used in a way that consumes excessive network resources; 2) abused or wasted; 3) employed in a way that interferes with, damages or harms a person; 4) employed in a way that intentionally interferes with the business operations of the university or any other company; 5) used for commercial gain; 6) used for dishonest or personal advantage; or 7) used to publicly convey what would reasonably be considered a private matter concerning another employee or student. With the exception of employment-related endeavors, excessive use of network resources is defined as individual consumption of bandwidth that is greater than 10 times the average. Computing resources may not be used to promote or facilitate illegal or inappropriate activities or to facilitate actions that violate academic integrity. These may include, but are not limited to, harassment, theft, child pornography, sending or receiving pornographic images, selling papers or other course work, or copyright violation (including the distribution and reception of copyright protected music, movies and games which are obtained illegally). Please be aware that Bentley will cooperate with internal and external authorities in the investigation of illegal activities. Bentley is also obligated to report any instances of child pornography to the appropriate authorities.

Bentley has a legitimate interest in protecting its investment in technology. Toward this end, the university reserves the right to require the registration of all technology-related devices used on campus, regardless of whether the device is owned by the institution or an individual; to prevent or restrict the use of technology brought on campus by faculty, staff and students; to identify and quarantine devices suspected of adversely affecting the network; to employ tools to monitor (at the port level) network-related activity, including bandwidth consumption and point-to-point file transfers; to monitor bandwidth consumption and restrict or eliminate bandwidth allocation to specific devices; to monitor the transmission and storage of confidential information; and to terminate without notice individual network and Internet access upon detecting activities that violate the law or university policies.

Violations of this policy may result in temporary or permanent loss of technology-related privileges including Internet, network and e-mail access, fines, assignment of financial responsibility, discipline up to and including immediate termination of employment, expulsion as a student, and legal action.

Certain kinds of computer abuse and computer-related fraud are not only prohibited by this policy, but are illegal and punishable by any or all of the following: civil sanctions, criminal fines or imprisonment. Copies of Fraud and Related Activity in Connection with Computers (18 U.S.C. § 1030) and the Wiretap and Electronic Communications Privacy Acts (18 U.S.C. §§ 2510-2520, 2701, 2710) are available from Bentley's Human Resources Department or the Computing Services Desk. The university may report suspected illegal conduct to the appropriate authorities.

Limitations on Use of Computing Resources     

Individual Access

All members of the community are obliged to act responsibly in the use of technology. Faculty, staff and students are expected to provide and maintain accurate data about themselves (i.e. date of birth, address, Social Security number, etc.) when updating personal information on any of Bentley's administrative and academic systems.

An individual may access only those accounts, files, software, and other computing resources authorized under his or her particular username and password and for which a legal license exists. Individuals must take reasonable precautions to protect his or her account(s) information, including passwords, usernames and PINs. Sharing individual IDs and passwords is expressly prohibited. All members of the Bentley community are expected to exercise care in logging out of network resources and applications, in regularly changing their individual password(s), and in maintaining the confidentiality of their password. It is also a violation of Massachusetts law to access a password protected file without proper authorization.

An individual who intentionally shares their user ID and password with another person, where the primary intent is to provide access where it would otherwise be unavailable, may be subject to disciplinary action up to and including expulsion and immediate termination.

Hacking

Hacking is the intentional, unauthorized access to hardware or software. A hacker is a person who breaks into computers, usually by gaining access to administrative controls, with the intent to take over, read, modify, or cause damage. With the exception of specific course-based activities designed to educate students which are conducted under the aegis of the CIS or IPM Departments, Bentley will not tolerate hacking by students, employees, contractors, consultants, volunteers, visitors, or any other person or device. Responsible parties include those who instigate, plan, initiate, participate in, or perform hacking offenses. 

Students, employees, volunteers, consultants and contractors suspected of engaging in hacking are expected to cooperate fully with Bentley and legal authorities in the investigation of such incidents. In investigating complaints of possible violation of university policy, Bentley reserves the right to examine the contents of personal computers used by faculty, staff and students or other computers attached to our network, without prior consent or knowledge of the individual being investigated. Bentley also reserves the right to confiscate computers used by faculty, staff and students. Cooperation may include, but is not limited to, providing transaction logs, copies of electronic mail messages, data files, usage records, hardware, account and password information, or other information as required by those authorities. Those who are financially responsible for the perpetrators, such as parents or guardians, may also be held accountable.

Commercial Use

For-profit activities may be conducted on the Bentley network only under the auspices of officially recognized and sanctioned campus organizations or academic and administrative programs (i.e., service-learning, scholarship fundraising, etc.). Independent businesses may not be developed or cultivated using university technology resources. Bentley reserves the right to remove, without warning, unapproved commercial sites. To seek approval for officially recognized and sanctioned programs, students should consult the dean of student affairs; faculty should consult their respective dean; and employees should consult their divisional vice president. 

Permission to Record

Faculty, staff and students may not use any technology resources on campus, especially those available on personal devices, to record conversations, lectures, or classroom interactions without the express consent of those individuals being recorded. Such actions may also violate state and federal law. Faculty, at their sole discretion, may elect to make their lectures available for recording. Intentionally recording other students, faculty and staff without their prior written consent may form the basis of a civil libel action, and members of the Bentley community who do so may be subject to disciplinary action up to and including immediate termination and expulsion.

File Sharing Applications and Copyright Law

Peer-to-peer (P2P) applications allow individuals to electronically exchange music, movies, videos, software, games and other kinds of copyright-protected and non-copyright-protected information. While some owners of music, movies and software explicitly allow their products to be copied, many do not. It is best to assume that these materials are copyright protected, unless explicitly stated otherwise. Downloading and making available to other individuals copyrighted material, such as music, movies, videos, text and software, without permission of the rightful owner, violates the United States Copyright Act (Title 17, United States Code), which has significant potential liability for damages. Moreover, using P2P file sharing applications may contribute to an excessive consumption of bandwidth and create a potential security risk, which also violates Bentley policy.

As part of Bentley’s efforts to comply with copyright law, Bentley’s Digital Millennium Copyright Act (DMCA) Policy can be viewed here. This policy outlines the specific procedures that Bentley will take if the university receives any copyright infringement notices.

Violations of copyright law may result in temporary or permanent loss of access rights, fines, assignment of financial responsibility, disciplinary action up to and including immediate termination of employment, expulsion as a student, and legal action.

Social Media 

Bentley is committed to maintaining an environment in which opposing views on issues of the day may be fully and freely aired. Such an environment requires all community members to tolerate expressions of opinion that differ from their own and that, in some instances, some people may find unpalatable; however, activities that violate the university’s policy against harassment, or that constitute an invasion of another’s privacy, do not promote free expression and undermine the environment that the university seeks to maintain. They also may result in the imposition of sanctions for violation of university policy. Additionally, untrue statements of fact that harm another’s reputation may be defamatory and may subject the individual making such statements to civil action by the person harmed by such statements.

Employees and students who choose to engage in blogs, chat rooms, discussion groups, Facebook, Twitter, bulletin boards or other forms of social media should do so with the understanding that they may inadvertently pose a threat to their own or others' personal safety and personal privacy. Publishing personally identifiable content (i.e., photos, addresses, phone numbers, banking information, health information, etc.) can lead to identity theft, stalking and other potentially dangerous outcomes. Employees and students who engage in activities that compromise the privacy of others, or disclose or discuss confidential or proprietary information, are violating institutional policy and will be subject to appropriate sanctions.

Bentley reminds students and employees who are acting in their individual capacity of their obligation to clearly state that opinions expressed are their own and not those of Bentley University.

Policy Violations

Those who violate policies on individual access, hacking, commercial use, permission to record, file sharing or social media may incur temporary or permanent loss of technology-related privileges, fines, assignment of financial responsibility, discipline up to and including immediate termination of employment, expulsion as a student, and legal action. For contractors and other external vendors, sanctions may include immediate dismissal, termination of contract and legal action.

Information Privacy

Keeping information secure and private are top priorities for Bentley. To this end, Bentley attaches a formal privacy statement to the bottom of its website. Please see the Bentley University Information Privacy Statement for details on the data that are collected through the university's official websites. This privacy statement applies to the www.bentley.edu domain and administrative applications used for e-commerce linked to www.bentley.edu. It does not apply to internal and/or external websites that might be linked to or from this domain. 

Websites created by individuals using Bentley resources may not collect personal information from visitors without abiding by and linking to Bentley's information privacy statement. In addition, individuals may not post images of any member(s) of the Bentley community, or provide personal information about them, without their prior written permission. Websites that violate the policy may be removed without advance warning. Federal, state and local laws, regulations, and judicial decisions may also apply in cases where a person's privacy is violated. 

Electronic Mail Policy

E-mail is the communication medium of choice for the Bentley community and the official vehicle by which the members of the university communicate with each other. Students, faculty and staff are all expected to read e-mail regularly to glean the critical information that is routinely conveyed. 

Bentley provides electronic mail services to the campus community, at the university's expense, in support of academic and administrative pursuits. Incidental personal use is also permitted, so long as the use does not violate federal or state laws, or university policy. These guidelines apply to electronic mail sent or stored on servers, on personal computers, on personal devices such as Blackberries or other smartphones, on PDA devices, and to all archived and backup e-mail files and folders created using Bentley technology resources, regardless of where they reside. The university reserves the right to change these policies at any time as may be reasonable under the circumstance. To view Bentley’s full Electronic Mail Policy, please visit here.

Use of Institutional Information

Information technology and data constitute valuable Bentley assets. In order to protect the security, confidentiality and integrity of Bentley data from unauthorized access, modification, disclosure, transmission or destruction, as well as to comply with applicable state and federal laws and regulations, all Bentley data are now classified within security levels, with requirements on the usage of data at different levels. View the full data classification policy. In addition, any employee or contractor that handles credit card information is subject to Bentley’s PCI Policy; employees or contractors that process certain types of financial information are also bound by Bentley’s Gramm-Leach-Bliley Policy.

Remote Access

In an effort to keep sensitive data secure, while also understanding that our changing culture requires work to be performed remotely, Bentley employs Virtual Private Network (VPN) software to enable faculty, staff and a limited number of contractors to access certain technology resources remotely with appropriate approval. Faculty and staff are responsible for protecting confidential data and therefore should not download confidential data to laptop computers or portable storage devices. VPN allows faculty and staff members to work with confidential data in a secure manner. To view Bentley’s Remote Access policy, visit here.

Cell Phone and PDA Policy

Increasingly, employees are using cellular technology as a means of sending and receiving Bentley e-mail, synchronizing calendars and contacts, transmitting text messages and connecting to the Internet. Bentley standardized on the Blackberry Enterprise Server (internal BES) for employee sponsored phones.  However, we recognize that some employees, although not required to carry a cell phone as part of their position responsibilities, would still like to connect personal devices to Bentley’s Blackberry Enterprise Server or Bentley’s Active Sync Server.  Bentley employs technology to allow this, but requires employees to comply with Bentley’s Cell Phone and PDA Policy located here.

Promotional Photographs for Bentley University

Bentley reserves the right to take photos on the Bentley campus and Bentley public events and use those photos on the web and in print publications. For additional information on our website privacy, please visit here.


DMCA Policy

  1. Overview and Purpose
  2. Scope
  3. Policy
  4. University DMCA Agent
  5. Exceptions
  6. Enforcement
  7. Policy Support Contact
  8. Approval and Revisions
  9. Supporting Documentation

1.0 Overview and Purpose

The distribution of copyrighted material, which includes but is not limited to music, movies, videos, software, games and other kinds of copyright-protected and non-copyright-protected information, for which you do not have the owner's permission, is a violation of the Digital Millennium Copyright Act (DMCA), university policy and criminal and civil laws. Moreover, using these programs may contribute to an excessive consumption of bandwidth and create a potential security risk, all of which are violations of university policy.

2.0 Scope

This policy applies to Bentley University faculty, staff, students, contractors, vendors, and other personnel who are granted privileges to the Bentley University network and its resources.

3.0 Policy

As part of Bentley’s compliance with the DMCA and federal copyright law, the university employs network monitoring tools to combat DMCA violations. There is also a designated DMCA Agent who responds to notices of copyright violations. When the university receives a notice alleging copyright infringement, Bentley’s DMCA agent works with staff in Information Technology, Human Resources and Student Affairs to research and adequately address the infringement as follows.

4.0 University DMCA Agent

Phillip Knutel, Ph.D., Chief Information Officer

5.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Committee as needed.

6.0 Enforcement

As described in Bentley University’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination of employment, expulsion as a student, and legal action. Violations of copyright law may result in temporary or permanent loss of access rights, fines, and assignment of financial responsibility.

7.0 Policy Support Contact

8.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

9.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines;


Email Policy

  1. Overview and Purpose
  2. Scope
  3. Email Data Ownership
  4. Email Data Security
  5. Inappropriate Uses of Email
  6. Email Data Retention
  7. Distribution Lists
  8. Email Storage Quotas
  9. Email Account Termination
  10. Exceptions
  11. Enforcement
  12. Policy Support Contact
  13. Approval and Revisions
  14. Supporting Documentation

1.0 Overview and Purpose

Bentley University provides electronic mail services to the campus community, at the university's expense, in support of academic and administrative pursuits. This policy applies to electronic mail sent and/or received through the university’s email systems, as well as to any email stored on university-owned or supplied systems such as personal computers or mobile devices (mobile devices include but are not limited to items such as laptops, smartphones, and/or tablets) and to all archive and backup email data stored on university systems.

2.0 Scope                                                          

This policy applies to Bentley University employees, faculty, staff, students, contractors, vendors, and other personnel who are granted privileges to the Bentley University network and its computing systems.

3.0 Email Data Ownership

Electronic mail created or distributed by university resources is considered sole property of the university, regardless of content. Employees and students should be aware that email sent and received using the university's email resources cannot be considered confidential or private. The university, upon reasonable grounds, may access email data at any time and without prior notice. Access to an employee’s or student’s email data will require approval from the Vice President of Finance and Administration and the divisional Vice President responsible for the employee or student. The university will not read or make available the contents of any individual's electronic mail unless there are reasonable grounds to do so. Reasonable grounds for doing so may include but are not limited to the following.

4.0 Email Data Security

The university's ability to secure (encrypt) email data when transferred over the network is limited to messages sent between university email accounts only. The university cannot guarantee the secure transfer (encryption) of email data that is sent or forwarded from a university account to an external email account.

5.0 Inappropriate Use of Email

No person may use the university's electronic mail system to send harassing or threatening message(s), or a message that would be considered offensive. Individuals who engage in such behavior may be subject to disciplinary action. If a complaint of a harassing email message is received, the university reserves the right to fully investigate the matter by reviewing the logs and message data of both recipient and sender. The university may also pursue disciplinary actions including, but not limited to, termination or expulsion. Prohibited uses of email may include but are not limited to the following.

6.0 Email Data Retention

The University maintains limited backup copies of all email data. Please be aware that deleting email messages from a folder or in-box does not necessarily delete a previously archived or backup copy of that message. The university is under no obligation to provide students or employees with archived copies of their email data upon graduation or termination of the relationship with the university.

7.0 Distribution Lists

Email distribution lists are considered sole property of the university. They may be furnished to an external third party only in conjunction with a legitimate academic or administrative initiative, approved in writing by the divisional Vice President sponsoring the activity. In such cases, contractual arrangements with any party wishing to use university distribution lists must include language that prevents that party from furnishing, duplicating or selling the distribution list to another party.

8.0 Email Storage Quotas

The university reserves the right to implement email storage quotas for both employee and student email accounts. Individuals are responsible for regularly deleting email that is no longer needed for university purposes. Failure to maintain an email account properly may result in the temporary loss of privileges until the cumulative email data stored can be reduced below the defined email quota.

9.0 Email Account Termination

The university reserves the right to immediately terminate access to email for employees and students who no longer have a relationship with the university. In cases where there is an immediate need to terminate the access of an employee or student, the university will alert the appropriate support groups to immediately disable access to university systems for the affected account. Furthermore, faculty, staff and student account management is performed in accordance with the following process.

10.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Council as needed.

11.0 Enforcement

As described in Bentley University’s Acceptable Use Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination or expulsion.

12.0 Policy Support Contact

13.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

14.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines;


Acceptable Use Policy

1.0 Code for Ethical Use of Information Technology Resources

2.0 Limitations on the Use of Technology

2.1 Individual Access

2.2 Commercial Use

2.3 Permission to Record

2.4 P2P File Sharing Applications and Copyright Law

2.5 Social Media

2.6 Inappropriate Use of Information Technology Resources

2.7 Policy Violations

3.0 Information Privacy

4.0 Electronic Mail Policy

5.0 Use of Institutional Data

6.0 Remote Access

7.0 Mobile Device Policy

8.0 University Promotional Photographs

9.0 Exceptions

10.0 Policy Support Contact

11.0 Approval and Revisions

12.0 Supporting Documentation

1.0 Code for Ethical Use of Information Technology Resources

Members of the Bentley University community make use of information technology on a daily basis – for example, personal computers, mobile devices, applications, the university’s network and server infrastructure, and the Internet – in pursuing their primary academic and administrative endeavors. Using the university's information technology resources for incidental purposes is permitted, but all usage must comply with state and federal laws, as well as with the university’s own policies governing appropriate use of technology.

Bentley University requires that all information technology resources be utilized in an appropriate and legal manner. These resources must not be abused or used for illegal or inappropriate activities. These may include, but are not limited to the following.

Please be aware that Bentley will cooperate with internal and external authorities in the investigation of illegal activities. The university is also obligated to report any instances of illegal activity to the appropriate authorities.

Bentley has a legitimate interest in protecting its investment in technology. Toward this end, the university reserves the right to require the registration of all technology-related devices used on campus, regardless of whether the device is owned by the institution or an individual; to prevent or restrict the use of technology brought on campus by faculty, staff and students; to identify and quarantine devices suspected of adversely affecting the network; to employ tools to monitor network-related activity, including bandwidth consumption and illegal peer-to-peer file sharing activity; to restrict or eliminate bandwidth allocation to specific devices; to monitor the transmission and storage of confidential information; and to terminate without notice individual network and Internet access upon detecting activities that violate the law or university policies.

Violations of this policy may result in temporary or permanent loss of technology-related privileges including Internet, network and email access, fines, assignment of financial responsibility, discipline up to and including immediate termination of employment, expulsion as a student, and legal action.

Certain kinds of computer abuse and computer-related fraud are not only prohibited by this policy, but are illegal and punishable by any or all of the following: civil sanctions, criminal fines or imprisonment. Copies of Fraud and Related Activity in Connection with Computers (18 U.S.C. § 1030) and the Wiretap and Electronic Communications Privacy Acts (18 U.S.C. §§ 2510-2520, 2701, 2710) are available from Bentley's Human Resources Department or the Computing Services Desk.

2.0 Limitations on the Use of Technology

2.1 Individual Access

All members of the community are obliged to act responsibly in the use of technology.  Faculty, staff and students are expected to provide and maintain accurate personal information about themselves (i.e. date of birth, address, Social Security number, etc.) when adding or updating personal information on any of the university’s administrative or academic systems.

An individual may access only those accounts, files, software, and other computing resources authorized under his or her particular username and password and for which a legal license exists. Individuals must take reasonable precautions to protect his or her account(s) information, including passwords, usernames and PINs. Sharing individual IDs and passwords is expressly prohibited. All members of the Bentley community are expected to exercise care in logging out of network resources and applications, in regularly changing their individual password(s), and in maintaining the confidentiality of their password. It is also a violation of Massachusetts law to access a password protected file without proper authorization.

An individual who intentionally shares their user ID and password with another person, where the primary intent is to provide access where it would otherwise be unavailable, may be subject to disciplinary action up to and including expulsion and immediate termination.

2.2 Commercial Use

Commercial activities may be conducted on the university network only under the auspices of officially recognized and sanctioned campus organizations or academic and administrative programs (i.e., service-learning, scholarship fundraising, etc.). Independent businesses may not be developed or cultivated using university technology resources. Bentley reserves the right to remove, without warning, unapproved commercial sites. To seek approval for officially recognized and sanctioned programs, students should consult the dean of student affairs; faculty should consult their respective dean; and employees should consult their divisional vice president.

2.3 Permission to Record

Faculty, staff and students may not use any recording devices on campus to record conversations, lectures, or classroom interactions without the express consent of those individuals being recorded. Such actions may also violate state and federal law. Faculty, at their sole discretion, may elect to make their lectures available for recording. Intentionally recording other students, faculty and staff without their prior written consent may form the basis of a civil libel action, and members of the Bentley community who do so may be subject to disciplinary action up to and including immediate termination and expulsion.

2.4 P2P File Sharing Applications and Copyright Law

Peer-to-peer (P2P) file sharing applications allow individuals to electronically exchange music, movies, videos, software, games and other kinds of copyright-protected and non-copyright-protected information. While some owners of music, movies and software explicitly allow their products to be copied, many do not. It is best to assume that these materials are copyright protected, unless explicitly stated otherwise. Downloading and making available to other individuals copyrighted material, such as music, movies, videos, text and software, without permission of the rightful owner, violates the United States Copyright Act (Title 17, United States Code), which has significant potential liability for damages. Moreover, using P2P file sharing applications may contribute to an excessive consumption of bandwidth and create a potential risk to the university, which is a violation of university policy.

As part of Bentley’s efforts to comply with copyright law, the university developed the Digital Millennium Copyright Act (DMCA) Policy. This policy outlines the specific procedures that the university will take if it receives any copyright infringement notices. Violations of copyright law may result in temporary or permanent loss of access rights, fines, assignment of financial responsibility, disciplinary action up to and including immediate termination of employment, expulsion as a student, and legal action.

2.5 Social Media

Bentley University is committed to maintaining an environment in which opposing views on issues of the day may be fully and freely aired. Such an environment requires all community members to tolerate expressions of opinion that differ from their own and that, in some instances, some people may find unpalatable. Activities that violate the university’s policy against harassment, or that constitute an invasion of an individual’s privacy, and do not promote free expression undermine the environment that the university seeks to maintain. These actions may result in the imposition of sanctions for violation of university policy. Additionally, untrue statements of fact that harm another’s reputation may be defamatory and may subject the individual making such statements to civil action by the person harmed by such statements.

Employees and students who choose to engage in blogs, chat rooms, discussion groups, bulletin boards or other forms of social media should do so with the understanding that they may inadvertently pose a threat to their own or others’ personal safety and privacy. Publishing personally identifiable content (e.g., identification numbers, photos, addresses, phone numbers, banking information, health information) can lead to identity theft, stalking and other potentially harmful outcomes. Employees and students who engage in activities that compromise the privacy of others, or disclose or discuss confidential or proprietary information, are violating university policy and will be subject to appropriate sanctions.

Bentley reminds students and employees who are acting in their individual capacity of their obligation to clearly state that opinions expressed are their own and not those of Bentley University.

2.6 Inappropriate Use of Information Technology Resources

The university will not tolerate the illegal use or misuse of information technology resources by students, employees, contractors, consultants, volunteers, visitors, or any other person or device. Any illegal use, intentional misuse or unauthorized access to university information technology resources is strictly prohibited.

All students, employees, volunteers, consultants and contractors caught engaging in the illegal use or intentional misuse of university information technology resources must cooperate fully with the university and legal authorities in the investigation of such incidents. In investigating complaints of possible violation of university policy, Bentley reserves the right to examine the contents of personal computers used by faculty, staff and students or other devices attached to our network, without prior consent or knowledge of the individual being investigated. Bentley also reserves the right to confiscate computers used by faculty, staff and students. Cooperation may include, but is not limited to, providing transaction logs, copies of electronic mail messages, data files, usage records, hardware, account and password information, or other information as required by those authorities. Those who are financially responsible for the perpetrators, such as parents or guardians, may also be held accountable.

2.7 Policy Violations

Those who violate policies on individual access, commercial use, permission to record, file sharing or social media or engage in illegal activities may incur temporary or permanent loss of technology-related privileges, fines, assignment of financial responsibility, discipline up to and including immediate termination of employment, expulsion as a student, and legal action. For contractors and other external vendors, sanctions may include immediate dismissal, termination of contract and legal action.

3.0 Information Privacy

Keeping information secure and private are top priorities for the university. To this end, Bentley attaches a formal privacy statement to the bottom of its web site. Please see the Bentley University Information Privacy Statement for full details on the data that are collected through the university's official web sites.

Web sites created by individuals using Bentley University resources may not collect personal information from visitors without abiding by and linking to Bentley's information privacy statement. In addition, individuals may not post images of any member(s) of the Bentley community, or provide personal information about them, without their prior written permission. Web sites that violate the policy may be removed without advance warning. Federal, state and local laws, regulations, and judicial decisions may also apply in cases where a person's privacy is violated.  

4.0 Electronic Mail Policy

Email is the communication medium of choice for the university community and the official vehicle by which the members of the university communicate with each other. Students, faculty and staff are all expected to read e-mail regularly to glean the critical information that is routinely conveyed.

The university provides electronic mail services to the campus community, at the university's expense, in support of academic and administrative pursuits. Incidental personal use is permitted, so long as the use does not violate federal or state laws, or university policy. These guidelines apply to electronic mail sent or stored on servers, on personal computers, and on personal devices such as smartphones and tablets, and to all archived and backup e-mail files and folders created using university technology resources, regardless of where they reside. The university reserves the right to change these policies at any time as may be reasonable under the circumstances. For full details please visit Bentley University’s Electronic Mail Policy.

5.0 Use of Institutional Data

Information technology and data constitute valuable university assets. In order to protect the security, confidentiality and integrity of university data from unauthorized access, modification, disclosure, transmission or destruction, as well as to comply with applicable state and federal laws and regulations, all university data are now classified within security levels, with requirements on the usage of data at different levels. For full details please visit Bentley University’s Data Classification and Usage Policy. In addition, any employee, student (working on behalf of the University) or contractor that handles credit card information is subject to Bentley’s PCI-DSS Policy; employees or contractors that process certain types of financial information are also bound by the university’s Gramm-Leach-Bliley Policy.

6.0 Remote Access

In an effort to keep sensitive data secure, while also understanding that our changing culture requires work to be performed remotely, Bentley employs Virtual Private Network (VPN) technology to enable faculty, staff and a limited number of contractors to access certain technology resources remotely with appropriate approval. Faculty and staff are responsible for protecting confidential data and therefore should not store confidential data on laptop computers, smartphones, tablets or portable storage devices (USB drives). VPN allows faculty and staff members to remotely work with confidential data in a secure manner. For full details on the policy please visit the university’s Remote Access Policy.

7.0 Mobile Device Policy

Increasingly, employees are using mobile technology as a means of sending and receiving university email, synchronizing calendars and contacts, transmitting text messages and connecting to the Internet. Bentley uses standardized mobile device management software to manage employee mobile devices. However, we recognize that some employees, although not required to use a mobile device as part of their position responsibilities, would still like to connect personal devices to Bentley’s services. Bentley employs technology to allow this, but also requires university members to comply with all applicable policies and procedures regarding mobile devices.

8.0 University Promotional Photographs

Bentley reserves the right to take photos on the Bentley campus and at Bentley public events and to use those photos on the web and in print publications. For additional information on our website privacy, please visit Bentley’s Privacy Statement.

9.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Committee as needed.

10.0 Policy Support Contact

11.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

12.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines:


Mobile Device Policy

  1. Overview and Purpose
  2. Scope
  3. University Owned Mobile Devices
  4. Personally Owned Mobile Devices
  5. Mobile Security Policy
  6. Report a Lost or Stolen Mobile Device
  7. Exceptions
  8. Enforcement
  9. Policy Support Contact
  10. Approval and Revisions
  11. Supporting Documentation

1.0 Overview and Purpose

University employees use mobile technology as a means of sending and receiving university email, synchronizing calendars and contacts, transmitting text messages and connecting to the Internet. The purpose of this policy is to describe the conditions under which the university permits the use of mobile devices for its employees and how the university manages mobile technology to minimize risk, especially in the event of loss or theft.

2.0 Scope

This policy applies to Bentley University faculty, staff, contractors, vendors, and other personnel who are granted privileges to access Bentley University resources.

3.0 University Owned Mobile Devices

Certain university employees are required to use mobile devices to facilitate university business. Employee supervisors must identify those employees who require a mobile device as part of their job responsibilities. The university purchasing department works directly with these individuals to assist with the purchase of a mobile device and the appropriate data/voice plan.

Employees are allowed incidental personal use of university owned mobile devices as long as no applicable state or federal laws and university policies are being violated by such use. Employees are reminded that university owned mobile devices, data stored on a device, and the data/voice plans and records are the sole property of the university. When an employee leaves the university, all university owned mobile devices must be returned to the university.

4.0 Personally Owned Mobile Devices

The university recognizes and allows employees, although not required to use a mobile device as a requirement of their position, to connect personally owned mobile devices to the university’s resources to access and synchronize email data, contacts, and calendar information. All usage must comply with state and federal laws, as well as with the university’s own policies governing appropriate use of technology.

5.0 Mobile Security Policy

If an employee, either due to work-related requirements or through their own personal choice, elects to access the university’s resources via a mobile device, they must accept the security policies defined by the university that will be downloaded and installed on the device upon connecting to university resources. The mobile security policies are designed to accomplish the following primary objectives.

6.0 Report a Lost or Stolen Mobile Device

7.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Committee as needed.

8.0 Enforcement

As described in Bentley University’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

9.0 Policy Support Contact

10.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

11.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines:


Data Classification and Usage Policy

  1. Overview and Purpose
  2. Scope
  3. Data Type Definitions
  4. Examples of Data Types
  5. Data Handling Requirements and Acceptable Uses
  6. Inappropriate Uses of University Data
  7. Data Destruction Guidelines and Retention Schedule
  8. Exceptions
  9. Enforcement
  10. Reporting Violations
  11. Policy Support Contact
  12. Approval and Revisions
  13. Supporting Documentation

1.0 Overview

Information technology resources and data constitute valuable University assets. In order to protect the security, confidentiality and integrity of University data from unauthorized access, modification, disclosure, transmission or destruction, as well as to comply with applicable state and federal laws and regulations, all University data are now classified within different levels of sensitivity, with requirements on the appropriate usage of data at each level.

2.0 Scope

This policy applies to all university employees, faculty, staff, contractors, vendors, and other personnel who are granted privileges to university data. This policy applies to all university administrative data, all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Bentley University also expects all employees, partners, consultants and vendors to abide by the university's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by the university's information security policies.

3.0 Data Type Definitions

Level 1 - High Risk Confidential: This includes data which is protected by state or federal laws. Level 1 data, if compromised by an unauthorized user, can create a substantial risk of identity theft or fraud against the data owner. High risk confidential data requires formal notification to the owner of the data within a reasonable amount of time, in addition to state and federal entities, if the unauthorized acquisition or unauthorized use of unencrypted data is suspected or detected.

Level 2 - Internal Restricted: This includes data not defined as Level 1 and may be protected by applicable state or federal laws, regulations, university policy, legal contractual agreements and any university proprietary information.

Level 3 - Public (Unrestricted): This includes data for which there is no expectation for privacy or confidentiality. This data may be disclosed to any individual or entity inside or outside of the university.

4.0 Data Type Examples (not all-inclusive)

http://www.bentley.edu/offices/sites/www.bentley.edu.offices/files/media_crop/1531/public/DataTypes1.jpg

5.0 Data Management Requirements and Acceptable Uses

Level 1 Data Management Requirements and Acceptable Uses: Level 1 data, whether in physical (paper) or electronic format, shall only be accessed when business requires such use and all controls shall be appropriately designed to allow for authorized access only. Protection of this data is required by law. Use of this data must not violate university policy or any applicable state and federal laws.

All third parties storing Level 1 data must sign the university Confidentiality Agreement.

Level 2 Data Management Requirements and Acceptable Uses: Level 2 data, whether in physical (paper) or electronic format, shall only be accessed when business requires such use and all controls shall be appropriately designed to allow for authorized access only. Protection of this data is at the discretion of the owner or custodian. Use of this data must not violate university policy or any applicable state and federal laws.

Level 3 Data Management Requirements and Acceptable Uses: Level 3 data, whether in physical (paper) or electronic format, can reside in the public domain and is available to all students, faculty and staff. Protection of this data is at the discretion of the owner or custodian. Use of this data must not violate university policy or any applicable state and federal laws.

6.0 Inappropriate Uses of University Data

Inappropriate Uses of Level 1 Data (include but are not limited to):

Inappropriate Uses of Level 2 Data (include but are not limited to):

Inappropriate Uses of Level 3 Data (include but are not limited to):

7.0 Data Destruction Guidelines and Retention Schedule

8.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Council as needed.

9.0 Enforcement

As described in Bentley University’s Acceptable Use Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

10.0 Reporting Violations

Report suspected violations of this policy to the Information Security and Privacy Administrator, the appropriate Data Manager or the Responsible Organization/Party. Reports of violations are considered restricted data until otherwise classified.

11.0 Policy Support Contact

12.0 Approval and Revisions

13.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines:

Clean Desk Initiative

  1. Overview and Purpose
  2. Scope
  3. Actions
  4. Tips to Keeping a Clean Desk
  5. Exceptions
  6. Enforcement
  7. Policy Support Contact
  8. Approval and Revisions
  9. Supporting Documentation

1.0 Overview and Purpose

The purpose of this initiative is to establish a culture of security and trust for employees at Bentley. An effective clean desk effort involving the participation and support of Bentley employees can greatly protect paper documents that contain sensitive information about our students, employees, donors, alumni, parents and friends. All employees who handle confidential data should familiarize themselves with the guidelines of this initiative.

The main purpose for a clean desk initiative is to reduce the risk of unauthorized disclosure of confidential information when left unattended; sensitive documents left in the open can be stolen by a malicious entity or lost.

2.0 Scope

At known extended periods away from your desk, such as lunch breaks or meetings, sensitive working papers containing Level 1 or 2 data should be placed in locked drawers or a locked office. At the end of the working day, an employee should tidy his or her desk and put away all office papers that contain Level 1 or 2 data or lock his or her office. Bentley provides locking desks and filing cabinets for this purpose.

3.0 Actions

4.0 Tips to Keeping a Clean Desk

5.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Council as needed.

6.0 Enforcement

As described in Bentley University’s Acceptable Use Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

7.0 Policy Support Contact

8.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

9.0 Supporting Documentation

This policy is supported by the following policies, rules, standards, and procedures:


PCI DSS Policy

  1. Overview and Purpose
  2. Scope
  3. Definitions
  4. Credit Card Acceptance and Processing
  5. Credit Card Data Security
  6. Data Retention and Destruction
  7. Responding to a Data Security Breach
  8. Exceptions
  9. Enforcement
  10. Policy Support Contact
  11. Approval and Revisions
  12. Supporting Documentation

1.0 Overview and Purpose

This policy addresses Payment Card Industry (PCI) Data Security Standards (DSS) that are contractually imposed by the major credit card brands on merchants that accept these cards as forms of payment.

2.0 Scope

The policy covers the following specific areas contained in the PCI standards related to cardholder data: collecting, processing, transmitting, storing and disposing of cardholder data. All departments that participate in credit card processing must have documented procedures pertaining to the items noted above.  The documents should be available for periodic review.

3.0 Definitions

4.0 Credit Card Acceptance and Processing

In the course of doing business at Bentley University, it may be necessary for a department to accept credit cards for payment. The opening of a new merchant account for the purpose of accepting and processing credit cards at the University is done on a case by case basis and coordinated through Financial Operations. Any fees associated with the acceptance of the credit cards in a department will be charged to that department.

Any department accepting credit cards on behalf of the University must designate an individual within the department who will have primary authority and responsibility within that department for credit card transactions.

Specific details regarding processing and reconciliation will depend upon the method of credit card acceptance and type of merchant account. Detailed instructions will be provided by Financial Operations when a new merchant account is opened.

5.0 Credit Card Data Security

Departments must have in place the following components in their procedures and ensure that these components are maintained on an ongoing basis.

6.0 Data Retention and Destruction

  1. Cardholder data in paper form should be retained for three months or less for reconciliation purposes and destroyed immediately following the required retention period.
  2. A regular schedule of deleting or destroying data should be established in the department to ensure that no cardholder data is kept beyond the record retention requirements.
  3. Paper documents should be shredded in a cross-cut shredder.
  4. Electronic data should be sanitized with an electronic shredding tool sponsored by the University.

7.0 Responding to a Data Security Breach

In the event of a breach or suspected breach of security, the department or unit must immediately execute each of the relevant steps below:

8.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Committee as needed.

9.0 Enforcement

Failure to meet the requirements outlined in this policy may result in suspension of the physical and, if appropriate, electronic payment capability with credit cards for affected departments. As described in Bentley’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

10.0 Policy Support Contact

11.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

12.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines:


Remote Access Policy

  1. Overview and Purpose
  2. Scope
  3. Policy
  4. Exceptions
  5. Enforcement
  6. Policy Support Contact
  7. Approval and Revisions
  8. Supporting Documentation

1.0 Overview and Purpose

The university provides secure remote access technologies that enable authorized users to remotely access the university network and its internal resources. Secure remote access technologies provide several benefits to the organization and its constituents including, but not limited to:

The purpose of this policy is to define the appropriate users and uses of university remote access technologies.

2.0 Scope

This policy applies to university employees[1], faculty, staff, contractors, vendors, and other personnel who are granted remote access privileges to the university network and its internal resources. This policy does not apply to remote access of publicly (externally) available campus-wide resources such as web email, web sites and applications.

3.0 Policy

Remote access is provided for university related activity only. All devices that are used to connect to the university network through an approved remote access technology are considered to be extensions of the university network and are subject to all applicable university policies, standards and rules.

3.1 Requirements

3.2 Authorization

3.3 Technology Configuration and Management

4.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Director of Systems, Networks, and Telecom and the Information Security and Privacy Administrator in consultation with the Information Privacy Committee.

5.0 Enforcement

As described in the university’s Acceptable Use Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

6.0 Policy Support Contact

7.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

Revision v1: Approved by the Information Privacy Committee on 9/30/2013

8.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines:

[1] Non-exempt employees requiring remote access as part of their job function must receive approval from both their management and human resources before being granted an authorized remote access account.


Gramm-Leach-Bliley Policy

  1. Overview and Purpose
  2. Applicability
  3. Definitions
  4. Administration and Implementation
  5. Exceptions
  6. Enforcement
  7. Policy Support Contact
  8. Approval and Revisions
  9. Supporting Documentation

1.0 Overview and Purpose

The Gramm-Leach-Bliley Act (GLB) was enacted in 1999 and affects all financial institutions. Colleges and universities fall under GLB as part of financial lending and alumni processes. The GLB Financial Privacy Rule requires financial institutions to provide a privacy notice at the time the consumer relationship is established and annually thereafter. It defines the protection of non-public personal information (NPI). It also requires institutions to implement thorough administrative, technical and physical safeguards to protect against any anticipated threats or hazards to the security or integrity of such information.

The university’s written information security plan addresses the administrative, technical and physical safeguards mandated by the Federal Trade Commission's Safeguards Rule of the Gramm-Leach-Bliley Act (GLB). This document outlines the university’s general policy on GLB.

2.0 Applicability

GLB applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the university, whether in paper, electronic or other form, which is handled or maintained by, or on behalf of Bentley University or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from Bentley University, (ii) about a student or other third party resulting from any transaction with Bentley University involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.

3.0 Definitions

Financial Service: A "financial service" is defined by federal law to include, but not be limited to, such activities as the lending of money; investing for others; providing or underwriting insurance; giving financial, investment or economic advisory services; marketing securities and the like.

4.0 Administration and Implementation

  1. Responsibilities. The Information Security and Privacy Administrator is responsible for coordinating and overseeing the university’s Written Information Security Program.
  2. Risk Identification and Assessment. As part of the university’s Written Information Security Plan, we will identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information. This identification and assessment includes:
  3. Designing and Implementing Safeguards. The Information Security and Privacy Administrator will work with departments to implement safeguards to control the risks identified through the audits mentioned above.
  4. Overseeing Service Providers. As part of the university’s Third Party Assurance process, and under the direction of General Counsel, all Service Providers that store, transmit or receive nonpublic personal information must incorporate specific language into university contracts stating that the Service Provider will protect the university’s nonpublic personal information according to commercially acceptable standards and no less rigorously than it protects its own information. A Third Party Assurance Questionnaire must be completed and reviewed by the General Counsel and the Information Security and Privacy Administrator.
  5. Adjustments. The Information Security and Privacy Administrator is responsible for evaluating and adjusting the GLB Act Policy based on the risk identification and assessment activities undertaken, as well as any material changes to the university's operations or other circumstances that may have a material impact on it.

5.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Committee as needed.

6.0 Enforcement

As described in Bentley’s Acceptable Use Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

7.0 Policy Support Contact

8.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

9.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines.


Technology Purchasing Policy

  1. Overview and Purpose
  2. Scope
  3. Policy
  4. Exceptions
  5. Enforcement
  6. Policy Support Contact
  7. Approval and Revisions
  8. Supporting Documentation

1.0 Overview and Purpose

Information Technology at Bentley is charged with supporting university-owned computer hardware, software and peripherals in ways that meet university strategic priorities. In addition, Information Technology is responsible for maintaining the university network, servers, workstations, and peripherals, and maintaining quality at reasonable costs. This policy establishes standards, guidelines, and procedures for the purchase of these technologies in ways that ensure the best use of university resources.

In a proactive effort to be wise stewards of university resources, we purchase technologies that are sustainable, compatible with existing systems, and can be efficiently supported. As a result, Information Technology at Bentley has negotiated numerous purchasing agreements with hardware, software, network, and telecommunication vendors, service agencies, multimedia companies, software developers and others. In order to take advantage of these contracts and ensure that technology purchases meet university standards, Information Technology must be involved in all technology-related purchases in order to provide:

  1. compatibility with Bentley’s network environment;
  2. compliance with Bentley’s security policy;
  3. suitability based on needs assessment;
  4. licensing compliance for software purchase;
  5. hardware and software that can be efficiently supported;
  6. availability of sufficient Bentley resources (including initial and recurring costs).


2.0 Scope

This policy applies to all university employees, faculty and staff who make technology purchases. It includes the purchase of software, hardware, third-party vendor-hosted services and any technology consulting services.

3.0 Policy

3.1 Hardware Purchases

3.2 Software and Technology Service Purchases

Any proposed software or technology services purchase that will cost more than $25,000 over a two-year period is subject to review by Information Technology and the IT Governance process (http://www.bentley.edu/offices/it-governance). Proposed software or technology service purchases of less than $25,000 should be reviewed by Information Technology for approval if your answer to any of the questions below is “yes”:


4.0 Exceptions

Purchase of infrastructure and system software by Systems and Networks.

Any other exceptions to this policy are to be reviewed and approved by the Chief Information Officer in consultation with IT Directors as needed.

5.0 Enforcement

As described in Bentley University’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

6.0 Policy Support Contact

7.0 Approval and Revisions

8.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines: