Abstract:  JSU must establish rules and operating parameters for JSU employees and third party vendors’ access to University critical information, their operator responsibilities, and protection of Jackson State University’s assets, data, and PII. Policy Number: 50000.003 Effective Date: 5/29/2019 Review/Revised Date: 4/13/2023  Category: Information Technology Policy Owner: CIO/Information Technology Policy Contact: CISO/Information Technology

Policy Statement

The purpose of this policy is to establish rules and operating parameters for JSU employees and third party vendors’ access to University critical information, their operator responsibilities, and protection of Jackson State University’s assets, data, and PII.  This policy supports compliance with federal and state data privacy laws. Jackson State University’s (“JSU” or “University”) Division of Information Technology’s (“DIT”) intention for publishing an Acceptable Use Policy is not to impose restrictions contrary to JSU’s established culture of openness, trust, and integrity. DIT is committed to protecting JSU faculty, staff, students (collectively, “users”), and partners from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems; including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, cloud integration, WWW browsing, websites, and active directory are the property of JSU.

Effective security is a team effort requiring the participation and support of every JSU user and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

 

Purpose

The purpose of this policy is to outline the acceptable use of computer systems, printers, digital devices or systems, network, email, websites, and active directory and remote access services at JSU. These rules are in place to protect its users and JSU. Inappropriate use exposes JSU to risks including virus attacks, compromise of network systems and services, and legal issues.

 

Definitions

• • Spam: Unauthorized and/or unsolicited electronic mass mailings
  • Junk: Non-University business related email
  • Users: JSU employees (faculty, staff, students, alumni), contractors, adjuncts, consultants, vendors, third parties and third party personnel
  • FERPA: Family Educational Rights and Privacy Act
  • Personally Identifiable: Information that can be directly tied to an individual
  • GLBA: Gramm-Leach-Bliley Act (Protection of banking information)
  • SOX: Sarabanes-Oxley Act (Integrity of financial reporting)

 

Employee Adherence

This policy applies to faculty, staff, students, alumni, contractors, consultants, vendors, and other workers at JSU, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by JSU

 

Policy

General Use and Ownership

While JSU’s network administration desires to provide a reasonable level of integrity, users should be aware that the data/email they create/receive on University systems remain the property of JSU and that no privacy can be expected while using these systems. Because of the need to protect the University’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to JSU. JSU is responsible for exercising good judgment regarding the reasonableness of personal use. DIT recommends that any information which users consider sensitive or vulnerable be encrypted and password protected. For security and network maintenance purposes, authorized individuals within the DIT group may at any time analyze network utilization, traffic patterns and volumes related to JSU systems/equipment and network. JSU’s DIT Group reserves the right to audit networks and systems periodically to ensure compliance with this policy

 

Secure and Proprietary Information

(Personally Identifiable, FERPA, GLBA, SOX, Federal/State regulated. See definitions in Section 3 of this policy.)

• Authorized users are responsible for the security of their passwords and accounts.
• All authorized users should take all necessary steps to prevent unauthorized access to systems with this information by 1) using a complex password of 15 characters or more at minimum, 2) keeping passwords secure by not writing them down and posting them on screens and desks, 3) not sharing their account access and 4) only use Multi-Factor/Dual Factor Authentication to log into systems with secure and proprietary information.
• System level passwords should be changed biannually (every 6 months). Previously used passwords will not be permissible.
• User level passwords should be changed biannually every 6 months).
• All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (Control+Alt+Delete for Win users) (Control+Shift+Eject for Mac users) (Control+Shift+Power for Retina Macbook Pro) when the system will be unattended. Because information contained on portable computers is especially vulnerable, special care should be exercised to protect this data.
• All Postings by employees from JSU email addresses to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of JSU, unless posting is in the course of business duties. Employees must use extreme caution when opening email attachments received from unknown senders, which may contain viruses, email bombs, or Trojan horse code.

 

Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances are users of JSU authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing JSU-owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

 

System and Network Activities

The following activities are strictly prohibited, without exception:

• All users should take all necessary steps to prevent unauthorized access to this information. Keep passwords secure and do not share accounts.
• Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by JSU.
• Collection, storage or distribution of pornography or material considered to be obscene in violation of this policy.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, copyrighted movies and the installation of any copyrighted software for which JSU or the end user does not have an active license is strictly prohibited.
• Illegally exporting software, technical information, encryption software or technology in violation of international or regional export control laws.
• Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.)
• Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
• Using a JSU computing asset to actively engage in procuring or transmitting material in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
• Making fraudulent offers of products, items, or services originating from any JSU account.
• Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, the following: Accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information.
• Port scanning or security scanning is expressly prohibited unless prior notification is given to DIT and/or these processes are within the scope of regular duties.
• Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duties.
• Circumventing user authentication or security of any host, network, or account.
• Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
• Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, by any means, locally or via the Internet/Intranet/Extranet.
• Providing information about (or lists of) JSU users protected/non-directory information to parties outside the University without the express written permission of the University Administration.
• Any person found in violation of this policy will be notified immediately to cease and desist. The user will be given a time frame to comply or be disconnected from the JSU network until they can prove the issue has been addressed.

 

Email

• Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by JSU.
• Collection, storage or distribution of pornography or material considered to be obscene in violation of this policy.

Note: please refer to the email policy for more information.

 Website

• Use of profanity in any form including research purposes without expressed or written consent from JSU’s DIT department.
• Use of any language that in any way articulates disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
• Use of spyware, viruses, worms, and other malware or harmful files that compromise and shutdown university systems.
• Linking to sites that display hate or pornographic images including research purposes without the expressed or written consent of the IT department.
• Listing of any users’ Private Personal Information (PPI). No student’s PPI can be made publicly available under FERPA law.
• Collection of student’s PPI via forms without the written consent of the DIT department.
• Any use of university website that breaches any applicable local, state, federal, or national laws or regulations.
• Any use of university website that is unlawful or fraudulent, or has any unlawful or fraudulent purpose or effect.
• Transmitting or procuring the sending of any unsolicited or unauthorized advertising or promotional material or any other form of similar solicitation (spam).
• Sending and receiving, uploading, downloading, use or reuse of any material which does not comply with university content standards.
• Knowingly transmitting any data, send or upload any material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware

 

Remote Access and VPN:

The following actions are specifically prohibited:

• Sharing VPN login credentials with an unauthorized JSU employee or a user who is not a JSU employee
• Remotely accessing systems with sensitive data without a legitimate business need
• The use of a VPN client that has not been provided or approved by the JSU IT department to remotely access the JSU network

 

Active Directory: Authentication

• JSU users are always added automatically through Banner and should never be input ad hoc.
• Vendors should be input ad hoc as needed via request and permission from DIT.
• Any system attached to the domain must be JSU property identifiable by E-number or affiliated with JSU in some way (e.g., service utilization, CBORD).
• Services utilizing this domain (i.e., one.jsums.edu) must maintain records/logs of interaction with AD and configuration of the system attached to the domain.

Active Directory: Password

• Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by JSU.
• Collection, storage or distribution of pornography or material considered to be obscene in violation of this policy.
• All passwords should be reasonably complex and difficult for unauthorized people to guess. Users must choose passwords that are at least 15 characters long at minimum and contain a combination of upper- and lower-case letters, numbers, and punctuation marks and other special characters.
• Users must avoid basic combinations that are easy to crack. For instance, choices like “password,” “password1″ and “Pa$$w0rd” are weak from a security perspective.
• All passwords must be changed regularly, with the frequency of every 90 days (3 months).
• Default passwords — such as those created for new users when they start or those that protect new systems when they’re initially set up — must be changed within 24 hours.
• Users may never share their passwords with anyone else, including co-workers, managers, administrative assistants, IT staff members, etc. Everyone who needs access to a system will be given their own unique password.
• Users may never share their passwords with any outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.
• Users should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information. All users will receive training on how to recognize these attacks.
• Users must refrain from writing passwords down and keeping them at their workstations.
• Users may not use password managers or other tools to help store and remember passwords without permission from DIT.

 

Policy Compliance

Faculty, Staff, Students

Any faculty, staff, or student found to have violated this policy may be subject to disciplinary action, up to and including suspension, expulsion and/or termination of employment in accordance with procedures defined by JSU administrative policies stated in the handbook governing that individual.

External Entities

Any external entity, contractor, consultant, or temporary worker found to have violated this policy may be held in breach of contract, and as such, may be subject to grievances or penalties allowed by such contract.

 

Related Standards, Policies, and Processes

• Acceptable Use Email Policy, 50000.004