Technology Security Policy
Usage concerns the safe and respectful use of technology at Marylhurst. Employees are responsible for knowing and adhering to all the following policies and guidelines.
Marylhurst University has a tradition of providing an open learning environment for all members of its community: students, alumni, faculty, staff, and administration. This tradition and the nature of the institution require a high degree of trust in the handling of information. The services offered by the campus network are all intended to foster open communication, to improve access to information, and to enhance teaching and learning activities.
The purpose of this Security Policy is to establish and promote the ethical, legal, and secure use of computing and electronic communications for on-campus Marylhurst University staff.
Marylhurst University owns and operates a campus intranet to provide services that directly support the educational and institutional goals of the University. For authorized users, the Marylhurst intranet provides access to various systems including institutional databases, email accounts, access to the Internet, and Web publishing.
Employees are provided access to the campus intranet only when they have signed an acknowledgment form indicating that they have read and accepted the policies governing use of technology at Marylhurst.
Responsible use of University networked services means that authorized users will maintain the integrity of passwords. Users are responsible for all actions taken with their usernames and passwords.
The University reserves the right to monitor use of the network for the purposes of user statistics, service improvements, security audits and job performance reviews.
Violations of Marylhurst University’s information technology policies should be reported to a Director of Information Technology Services or to Human Resources. If violations appear to constitute a criminal offense, as defined by local, state, or federal statutes, the appropriate authorities will be notified.
Information Services is responsible for maintaining backups of all data on the University servers. Full backups are run on a nightly basis. Additional steps are taken to create archives at regular intervals which are stored in physically protected locations (i.e., a fire safe).
End users are responsible for adequately ensuring their data is backed up. Students should not rely on Marylhurst to back up their academic work. We encourage all students to keep their own copies of work and electronic data.
ITS provides network accessible storage on University servers. Marylhurst often contracts with outside vendors to host web sites or data. Contracts with outside vendors will address backups and data security and will meet the University’s requirements.
End users are assigned Marylhurst accounts that allow use of certain information technology resources based on their role. All are responsible for using secure passwords and for not sharing accounts or passwords under any circumstances. Password policies are enforced by our systems. All end users should avoid keeping written records of passwords, as these can be compromised.
ITS staff will never reveal a password, and in most cases are unable to know a password. The Marylhurst One Account system stores passwords in encrypted files; those passwords can only be known by the end user.
Some University sites and services allow the user to request a temporary password to be emailed to the address on file. In this circumstance, the user is responsible for immediately changing the password.
End users who work with financial information must prevent unauthorized observation or access at work by physical placement of the information devices (generally a computer screen) away from the general public. Financial users are required to take appropriate measures to prevent unauthorized observation of either financial or student information.
Managers and supervisors are responsible for notifying Human Resources when (or before) an employee leaves the university or transfers to another department; HR then notifies ITS so that access can be revoked or set appropriately. Terminations must be reported by Human Resources to Information Services immediately upon learning of the termination.
Occasionally it may be necessary to grant access to computing resources to individuals other than employees of the University. Examples of such individuals are consultants, software vendors, Web site hosts, review board members, and volunteers. Employees must never give out their passwords to others. If access is needed by external individuals, it should be requested from ITS and they will execute a Confidentiality Agreement.
ITS may routinely audit access to University information technology and reserves the right to temporarily disable questionable access. Managers and supervisors are responsible for reviewing all access of their direct reports at least annually for possible unauthorized access.
The following section applies only to University Employees.
University data that is processed or stored on systems outside of the University premises or via systems not owned by the University is more vulnerable to being lost, compromised, or corrupted.
Approved Marylhurst employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of remote access and Virtual Private Networks. The end user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, and paying associated fees, unless explicitly negotiated otherwise with the University.
Employees requesting remote access to the University Intranet must contact ITS. An ITS Director must give final approval on all requests, prior to the purchase of hardware or software.
Employees must take appropriate measures to secure devices and networks when working remotely. When dealing with any high- or medium-risk information, use only encrypted networks (those requiring authentication or use a VPN connection).
A security incident is defined as any act that violates an explicit security policy. Violations may include events having actual or potential adverse effects which compromise an aspect of computer, network or user resources, including but not limited to: loss of confidentiality of information; a compromise of the integrity of information; misuse of service, systems or information; damage to systems and damage or loss of property or information.
Notify ITS immediately with the following information:
• Date and time of incident
• Type of incident and any other pertinent details that would assist in verifying the incident
• A statement describing the impact on users, department or the network including the number of users/departments affected.
• Contact information of submitter
ITS will take immediate action to:
• Secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet.
• Preserve and review files or programs that may reveal how the breach occurred; and
• If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.
In addition, the University will:
• Notify individuals if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;
• Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;
• Notify the credit bureaus and other businesses that may be affected by the breach.
All ITS policies are reviewed annually. Policies may be updated at any time. Changes to ITS policies must be approved by a Director of Information Technology Services.