麻豆网站列表

Banner Image
Home | ePolicy Manual | 800 - Technology   800 - Technology

800 - Technology

 

TECHNOLOGY 800-817

801 - The Worldwide Web Policy

麻豆网站列表 recognizes that the Web is an important electronic publication medium that facilitates its mission. It is in the interest of the University that all Web sites are maintained in a consistent manner so that they provide high quality information about the University's educational offerings, mission, programs and events to the community, prospective students, and the general public. The Web sites serve as a gateway to college services, teaching and learning resources.

This policy sets minimal standards that are meant to ensure that information published electronically is visually appealing, well-written and follows the same high standards as other forms of published information.

The World Wide Web is one of the primary ways in which TROY presents itself and communicates to various audiences. Therefore, it is essential that Web sites of the University present an image that is unified, of a high quality and favorably represents the University. The TROY Web Guide is intended to serve in this regard as a valuable resource for those who contribute in any way to the Web presence of 麻豆网站列表.

Please direct any questions or comments to members of the Web Team whose names are located on the last page of this Web Guide.

801.1

Review of Policy

TROY recognizes that electronic publication technology is evolving rapidly and this policy is expected to evolve along with it. The policy will be reviewed as needed by the Web Team and the Associate Vice Chancellor for Marketing and Communication. This policy does not address all servers, such as Spectrum or Prism servers, or faculty Web pages.

801.2

Site Life Cycle

Information on Web pages should be updated as regularly as necessary, whether that is daily, weekly, monthly, quarterly, etc. The date the page was last updated should be indicated somewhere on the page. If a page does not need to be updated more than once a year, the 鈥渢his page is updated鈥 should be changed at least every six months to let visitors know that the information is relatively accurate. Every office is encouraged to update or refresh the content and design of their pages twice a year, preferably every fall and spring or more frequently if needed.

As new templates are developed, they will be available on the 麻豆网站列表 Web site.

801.3

Design Quality

Graphic design is the first and last part of the site observed by online visitors. Effectively designed Web sites grab viewer attention and offer clear, consistent navigation. The Web team will provide templates to help design sites that are consistent with the look and feel of the University's homepage and interior pages. Templates may be viewed on the 麻豆网站列表 Web site.

801.4

Content Quality

For recommended style standards, refer to the TROY Style and Graphic Standards Manual. For Web-related words, keep in mind the following: homepage is one word, Web is uppercase when it stands alone; lowercase when combined with another word (e.g. Web site; World Wide Web; webmaster), download and upload are spelled as one word and online is one word, no hyphen.

801.5

Use of University Marks and Branding

TROY logos and word marks may be used on official University Web sites such as University departments, approved student groups and schools, as long as the logos are used correctly. For correct logo usage, consult the TROY Style and Graphic Standards Manual (Marketing).

801.6

Navigation

A clear, easy navigation through every page of the TROY Web site is a necessity. A site and its pages should not be a maze where visitors must guess their next move or try the 鈥淏ack鈥 button to get out. Every page should, at a minimum, include (a) a link to the TROY homepage and (b) the homepage footer menu bar. Pages should also include a link to the appropriate department/division/school/etc. from where the page originates. URL links should be tested routinely to ensure that they are still correct.

The TROY templates include navigation to frequently used sites within TROY and quick links to the University's interior pages.

801.7

Templates

麻豆网站列表 requires Web pages to look consistent, including certain common design elements. To simplify this process, University-approved templates are available for use on the 麻豆网站列表  Web site.

801.8

World Wide Web Guidelines

801.8.1 General

This policy governs documents (Web pages) appearing on the World Wide Web from Troy University servers. Both official and unofficial University Web sites, as defined below, must comply with all copyright laws of the United States, all other applicable local, state and federal laws and applicable policies, rules and guidelines of Troy University, including those defined herein. The dominant theme of any Web site, whether an official or unofficial University Web site, must not appeal to prurient interest to the average person applying contemporary community standards. This policy will be periodically revised in response to pertinent legal and/or technological issues in consultation with the appropriate entities. Any questions, comments or suggestions concerning this policy should be addressed to the 麻豆网站列表 Web Team.

801.8.2 Official University Web Sites

Official University Web sites are defined as Web sites or Web pages created by Troy University entities including, but not limited to, its colleges, schools, departments and administrative offices stating they represent TROY.

All official University Web sites must be approved by the Web coordinator who has administrative oversight over the area represented by the Web site or by the TROY Web team. The associate vice chancellor for marketing and communication will be the final approving authority for all official Web sites.

All official University Web sites must adhere to the minimum standards described below. These minimum standards are presented in conjunction with associated recommendations in this Web Guide.

Display clear identification of 麻豆网站列表 on the top-level pages of each Web site. The preferred means of identification is to display a 麻豆网站列表 word mark. The official TROY templates are required for University offices.

Display a clearly labeled link on each Web page to the TROY homepage ().

Display clearly labeled ownership information on each Web page in the form of a contact e-mail address, which may be supplemented by a contact name and/or telephone number. In unusual cases, a contact name and telephone number may be substituted for a contact e-mail address.

Display a clearly labeled disclaimer (example: http://www.troy.edu/disclaimer): 鈥淎lthough the authors of this Web site have made every reasonable effort to be factually accurate, no responsibility is assumed for editorial or clerical errors or error occasioned by honest mistake. All information contained on this Web site is subject to change by the appropriate officials of 麻豆网站列表 without prior notice. Material on this Web site does not serve as a contract between TROY and any other party.鈥

The appropriate administrative unit(s) that publishes information on an official University Web site is fully responsible for factually accurate content and currency of information. Web sites that contain out-of-date information may be requested by the Web team or a member of that team to make necessary corrections. Web sites failing to comply following such requests may be unlinked from the University page until the necessary corrections have been made.

All official University Web sites must present information using the highest editorial standards (spelling, punctuation, grammar, style, etc.). Web sites that contain editorial errors may be requested to make the necessary corrections by any member of the Web Team. Web sites failing to comply following such requests may be unlinked from the University page until the necessary corrections have been made.

Any official University Web site desiring to conduct commercial activity, including receipt of online credit card payments, must take appropriate steps to ensure secured transactions. These type transactions must be approved by the Vice Chancellor for Finance prior to placing this type of information or capability on the University Web site.

Links to commercial entities must be related to the University's mission and must not imply endorsement by the University.

All names used to represent the University must be official names recognized by Troy University, e.g., 鈥溌槎雇玖斜,鈥 鈥淭ROY,鈥 鈥淭ROY-Dothan campus,鈥 etc. Except when referring to 麻豆网站列表 athletics, the use of Trojans鈥 is discouraged.

801.8.3 Unofficial University Web Sites

Unofficial University Web sites are defined as Web sites or Web pages created and maintained by anyone other than 麻豆网站列表 campuses, Web coordinators or site masters.

All unofficial University Web sites must carry the following disclaimer: 鈥淭he views, opinions and conclusions expressed in this page are those of the author or organization and not necessarily those of 麻豆网站列表 or its officers and trustees. The content of this page has not been reviewed or approved by 麻豆网站列表 and the author or organization is solely responsible for its content.鈥

麻豆网站列表 will not undertake to pre-approve or review the content of unofficial University Web sites. However, any pages discovered in violation of this policy are subject to immediate removal from 麻豆网站列表 Web servers.

Unofficial University Web sites may not be used for commercial purposes or for personal financial gain or benefit. 麻豆网站列表 is not responsible for any liability resulting from any such activities prior to their discovery and appropriate remedy.

801.9

Site Ownership

801.9.1 Web Team

The Web team will be coordinated by the Information Technology (IT) department of the university. Its responsibilities are assisting with the development of templates, approving templates and making them available to departments in the realm of the Web. Members of the Web Team will be responsible for assisting content providers and site masters and in monitoring the various sites to ensure the accuracy and timeliness of the published information. In addition, the Web team will seek the advice of document and design experts when necessary.

801.10 Content Providers

Administrative departments, academic units, individual faculty and staff, and student and college organizations may contribute content to the various Web sites. Content providers, in effect, own the content of a given page and are responsible for accuracy. Content providers should have firsthand knowledge of a particular page's content. Though they need not have specialized Web publishing knowledge, familiarity with Web-writing guidelines is very useful because text online is read differently than printed text and thus needs to be written differently. All pages should include the content provider's e-mail address on the bottom of the page, along with the date that the page was last updated so that interested readers can get in touch with the content expert. 

Other things content providers should remember in the design of Web sites include the following:

  • In the construction of your pages, avoid
  • sexist and/or racist material
  • offensive language
  • defamatory, abusive or harassing material
  • pornographic material
  • commercial advertising

Do nothing that might lead users of the TROY Web site into making improper use of our facilities, 
for example, providing links to:

  • archives that may contain pornographic material
  • sites that distribute illegal software
  • bulletin boards that contain dubious material

801.11 Site Master

Every site must be owned and maintained by a staff or faculty member鈥攏ot a student or external company. Using an external vendor to create, and in some instances to help maintain a site, is acceptable; however, at least one faculty or staff member from the responsible office must own and be accountable for the site, including having a basic knowledge of how to update, remove or change information on the site. Student interns may help create or update sites; however, a student cannot be the owner of the site and cannot be the only person in the responsible office who knows how to update and manipulate the site. 

Ownership by staff or faculty is essential in order to maintain continuity of a Web site. Student workers are a marvelous resource, but when the student leaves, the Web site still needs to be maintained, updated and even redesigned at some point in time. Without ownership by staff or faculty, material on the Web can easily become outdated. Outdated and inaccurate information on a Web site is often worse than no information at all. 

801.12 Registry

The individual Web coordinators for each site will oversee and maintain the registry of site owners. The information gathered for the registry is used to not only delete old or non-maintained sites, but also to quickly identify who is responsible for each existing University site. Each owner of a newly created site must register with the Web coordinator for his/her particular campus or site. This can be done online on the 麻豆网站列表 Web site.

801.13 Departmental vs. Central Control

Every office, organization and school is responsible for the look and content presented on its site, as well as keeping the sited updated, fresh and consistent with the overall look of the 麻豆网站列表 homepage and interior pages. The Web team has overall oversight not only of the University's homepage and interior pages, but also of all pages on the TROY Web site.

801.14 Shutting Down a Site

Every office, organization and school is responsible for the look and content of their site. When there are egregious errors or problems with a site, the Web team will contact the person responsible for the page and discuss ways to fix the problem. If the problem persists or if it is an emergency situation that requires immediate attention, the Web team maintains the right and responsibility to shut down a site either on a temporary or permanent basis.

801.15 External Vendors

Working with an external Web design vendor is an acceptable solution when developing a University Web site or page. 

Unless there are extenuating circumstances, the following policies should be understood and shared when working with external vendors.

All code and images belong to 麻豆网站列表. The created Web site must reside on an approved Web server.

801.16 Requested Changes in Web Area Structure

Requested changes to the structure of existing Web areas, such as moving existing areas to new locations, removing existing areas or redirecting areas, will need to be approved by the Web coordinator at the campus where the changes are requested and by any other department heads whose departments may be affected by the requested changes.

801.17 Correct HTML

All tags should conform to the guidelines and recommendations given by the World Wide Web Consortium.

The Consortium also offers a validation service for your pages. So if you wish to test them, just type your URL into the appropriate box.

801.18 Checking for Errors

Always check your pages carefully, particularly if you have been using a word processor that translates text into html. When the text is translated, these programs often insert alien characters, such as accents and random letters, or shrink the text to an unreadable size. Such word processors include Microsoft Excel, SPSS Data Analysis Software, Microsoft Word and Corel WordPerfect, etc.

802 - Information Technology Usage Policy

麻豆网站列表 uses information technology to help students, faculty, and staff accomplish their goals. Information technology also helps the 麻豆网站列表 reach its objectives. This worldwide reliance upon diverse technologies means increased responsibilities and opportunities for everyone throughout the University. The timely and appropriate use of these information technologies will help each person succeed.

麻豆网站列表's information technology (computing, information technology, radio and television, telephone, and network resources) is provided to faculty, staff and students for the purposes of study, research, service, and related academic and administrative activities. University information technology facilities are valuable resources and must be used in a responsible manner. These resources are shared among many people. Each person should use technology resources in a manner that allows others to also use information technology.

Use of the 麻豆网站列表 information technology is a privilege, not a right. This includes use of computer labs. All users of 麻豆网站列表's information technology resources must agree to use the facilities legally, ethically, and in keeping with their intended purpose.

802.1

Policy

麻豆网站列表 IT Resources must be used in accordance with applicable licenses and contracts, and according to their intended use in support of 麻豆网站列表's mission. 

All users must comply with federal, state, and local laws, as well as 麻豆网站列表 policies, when using 麻豆网站列表 IT Resources.

The following sections define the acceptable uses of 麻豆网站列表 IT Resources.  Any conflict between these policies and the legitimate business of 麻豆网站列表 can be resolved through the policy exception request process as defined with the Policy Exception Policy.

802.2

Acceptable Use

802.2.1 Employees and Student Employees

With the exception of incidental personal use, as defined below, 麻豆网站列表 IT Resources must be used only to conduct the legitimate business of 麻豆网站列表 (e.g., scholarly activity, academic instruction, research, learning, business operations).

Personal devices are not allowed on 麻豆网站列表 Administrative networks; personal devices are allowed on public WiFi networks.

Incidental personal use of 麻豆网站列表 IT Resources by 麻豆网站列表 employees is permitted if the personal use does not interfere with the execution of job duties, does not incur cost on behalf of 麻豆网站列表, and is not unacceptable as defined in the Unacceptable Use section below.

802.2.2 Students

麻豆网站列表 students may use the ResNet, Gaming networks for recreational and personal purposes to the extent that such use is not unacceptable as defined in the Unacceptable Use section below and does not adversely affect network service performance for other users engaged in academic, research, or official business activities.

802.3 Unacceptable Use

麻豆网站列表 employees, including students acting as employees, are prohibited from the following actions when using 麻豆网站列表 IT Resources:

  • Unauthorized use of IT Resources for commercial purposes or personal gain
  • Transmitting commercial or personal advertisements, solicitations, or promotions

All users are prohibited from using 麻豆网站列表 IT resources in a manner which results in a violation of law or policy or potentially adversely affects network service performance.

Examples of Unacceptable Use include, but are not limited to, the following:

  • Activity that violates federal, state, or local law
  • Activity that violates any 麻豆网站列表 or Board of Trustee policy
  • Activities that lead to the destruction or damage of equipment, software, or data belonging to others or 麻豆网站列表
  • Circumventing information security controls of 麻豆网站列表 IT Resources
  • Releasing malware
  • Intentionally installing malicious software
  • Impeding or disrupting the legitimate computing activities of others
  • Unauthorized use of accounts, access codes, passwords, or identification numbers
  • Unauthorized use of systems and networks
  • Unauthorized monitoring of communications

This list is not complete or exhaustive. It provides examples of prohibited actions. Any user in doubt about the acceptable use of 麻豆网站列表 IT Resources should contact Cyber Security for further clarification and assistance.

802.4 Scope

All 麻豆网站列表 IT resource users are covered by this policy.

802.5 Policy Terms

麻豆网站列表 IT Resources

麻豆网站列表 owned computers, networks, devices, storage, applications, or other IT equipment. 鈥溌槎雇玖斜 owned鈥 is defined as equipment purchased with either Institute funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).

802.6 Enforcement

Violations of this policy may result in loss of 麻豆网站列表 system and network usage privileges, and/or disciplinary action (up to and including termination or expulsion) as outlined in applicable 麻豆网站列表 policies.

If a user suspects that they are a victim of a violation of this policy, then the violation may be reported directly to the 麻豆网站列表 Cyber Security team by sending an email to security@troy.edu per the Incident Reporting procedures found in the Cyber Security Policy.

803 - System Integrity

It is improper to take actions that will interfere with or alter the integrity of the University's information technology systems.  Such actions include unauthorized use of accounts, impersonation of other individuals, unauthorized access to or any attempt to alter, share or distribute restricted databases, attempts to capture or crack passwords, attempts to break encryption protocols, compromising privacy; destruction or alterations of data or programs belonging to other users, experiments to demonstrate computer facility vulnerabilities, and attempts to steal or destroy software on campus computing facilities or computer hardware. These types of actions are improper and can result in a loss of the right to use information technology resources. 

Computer accounts and passwords should be protected against unauthorized use. Accounts and passwords should never be shared with anyone.  Each computer user has the specific responsibility to protect his/her password. Anyone suspecting his/her password may be compromised should immediately report this to an administrator of the computer facility. This helps protect the integrity of Troy's information technology systems. 

Changing another person's password without authorization is considered a form of harassment and is improper behavior. 

Users must not browse, access, copy, share, distribute, or change private or administrative files without authorization. Users must not change public files without authorization. Users must not attempt to modify the computer systems or software in any unauthorized manner. 

The use of invasive software, such as worms, 鈥渃rackers,鈥 and viruses is unethical, improper, and illegal. No computer user should use his/her knowledge of a computer system to destroy or alter accounts, files, software, or hardware to obtain extra resources or to deprive others of information technology resources. 

Users are responsible for damages caused by infected software they introduce into the system. 

Hardware, software, network equipment, manuals, supplies and other information technology related equipment, must not be removed from their established site(s) without proper authorization. Abuse or misuse of any computer hardware, software, or other campus related technology including networking resources is illegal and/or unethical behavior.

804 - Security Policy

The office of Information Technology is responsible for the coordination and implementation of all information technology security policies and procedures. 麻豆网站列表 endeavors to provide first-class electronic resources to its academic and administrative communities. To maintain stable, reliable electronic infrastructures, 麻豆网站列表 has outlined the following guidelines concerning the use of all University electronic resources. Users should not use the University's electronic resources in a manner subject to criminal or civil liability. 

All software must be accompanied by a valid software license. 

University electronic resources may not be employed for private gain. Alabama Code 36-25-5 (a) and 36-25-27 (a) specifically prohibits personal gain through the use of public resources.

All electronic data are considered private and protected. Misuse or manipulation of electronic data is subject to criminal and civil actions.

Use of electronic resources in a careless, destructive, defamatory or illegal manner is prohibited.

The University reserves the right to limit or stop any electronic activity not in accordance with University policy or state and federal statutes.

804.1

Data Classification

804.1.1 Scope

This policy covers all data produced, collected or used by 麻豆网站列表, its employees, student workers, consultants or agents during the course of University business.

804.1.2 Purpose

The purpose of this policy is to identify the different types of data, to provide guidelines and examples for each type of data, and to establish the default classification for data.

804.1.3 Policy

Data Classification Types

All data covered by the Scope of this policy will be classified as TROY Protected data, TROY Sensitive data, or TROY Public data.

804.1.3.1 TROY Protected Data

TROY Protected data is any data that contains personally identifiable information concerning any individual and is regulated by local, state, or Federal privacy regulations, or by any voluntary industry standards or best practices concerning protection of personally identifiable information that TROY chooses to follow.

These regulations may include, but are not limited to:

  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standards (PCI-DSS)
  • Examples of some of the types of data that are regulated are listed in the appendix.
804.1.3.2 TROY Sensitive Data

TROY Sensitive data is any data that is not classified as TROY Protected data, but which is information that TROY would not distribute to the general public. This classification is made by the department originating the data. Examples of the types of data included are: budgets, salary and raise information, TROY/TWE ID, EMAIL ID and possible properties for TROY to purchase.

804.1.3.3 TROY Public Data

TROY Public data is any data that TROY is comfortable distributing to the general public. For department-specific data, this classification comes from the department. If data is created jointly by more than one department, the involved departments should jointly classify the data. If they are unable to come to a consensus, then the data must be classified as TROY Sensitive Data. For University-wide data, this classification can only come from the Office of the Chancellor, the Office of Registration and Records, the Division of Academic Affairs, or Institutional Research.  Examples of the types of data included are: department faculty lists, department addresses, press releases, and the TROY web sites. Any TROY data that does not contain personally identifiable information concerning any individual, and that is not TROY Protected data or TROY Sensitive data, must be classified as TROY Public data.

804.1.3.4 Default Classification of Data

Any data that contains personally identifiable information concerning any individual or that is covered by local, state, or Federal regulations, or by any voluntary industry standards concerning protection of personally identifiable information that TROY chooses to follow, is automatically classified as TROY Protected Data. All other data is classified as TROY Sensitive Data by default. Online resources will be available to assist individuals in properly classifying data.

804.1.4 Questions About This Policy

If you have questions about this policy, please contact the Information Security team security@troy.edu.

804.1.5 Appendix

TROY Protected Data Listed below are examples of types of personally identifiable information that are generally protected by local, state, or Federal privacy regulations. These examples are not an exhaustive list of all possible types of information that are protected by local, state, or Federal privacy regulations.

Examples:

  • Social security numbers
  • Credit card and debit card numbers
  • Bank account numbers and routing information
  • Driver's license numbers and state identification card numbers
  • Student education records
  • Business Office: Student account files and Perkins loan information
  • Departments and Colleges: Academic advising records, admission files, including ACT, SAT and TOEFL scores, and high school and college transcripts and other scholastic records
  • Financial Assistance: Financial assistance application files, student federal work-study information, scholarships and Stafford loan information
  • Intercollegiate Athletics: Injury reports, scholarship contacts, performance records, height and weight information
  • Registration and Records: Permanent record of academic performance (grades, transcript, including supporting documents), course schedules
  • Residence Life: Residential life and housing services files
  • Student Life: Student activity files, student disciplinary files, multi-cultural programs and services files, and intramural sports files
  • Student Services: Career planning files, including placement information and employers' files, international programs and services files
  • Undergraduate Admission and other admission offices: Admission files on prospective students
  • University Library: Circulation records
  • Personal health records
  • Patient information: addresses, dates, telephone/fax numbers, social security numbers, medical records numbers, patient account numbers, insurance plan numbers, vehicle information, license numbers, medical equipment numbers, photographs, fingerprints, e-mail and Internet addresses Note: Personal health records stored in education records are subject to FERPA and are excluded from HIPAA.

804.1.6 Additional Information About Referenced Regulations

FERPA

FERPA is a Federal law that protects the privacy of student education records. This law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA provides students with the right to inspect and review certain education records maintained by the school and to request corrections if the records are inaccurate or misleading. It requires that schools obtain written permission before releasing information from a student's education record.  It also allows schools to publish certain 鈥渄irectory鈥 information about students, unless the student has requested that the school not do so.

  • Directory Information upon student request
  • Student's name and email address
  • Dates of attendance
  • Major and minor fields of study, degree desired, classification (freshman, sophomore, junior, senior) and full-time or part-time status
  • Participation in officially recognized activities
  • Degrees and awards received (i.e. Dean's List, Who's Who, etc.)

The penalty for failing to comply with FERPA may result in the loss of all federal funding, including grants and financial aid.

Additional FERPA information can be found on the  page and on the 麻豆网站列表 Web site.

GLBA

GLBA protects consumers' personal financial information held by financial institutions. It requires that financial institutions provide customers with a privacy notice explaining what information is collected, how it is used, and how it is protected.

The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution and of up to $10,000 for the officers and directors of the institution.

Additional GLBA information can be found on the  Web site.

HIPAA

HIPAA protects the privacy of Protected Health Information (PHI). It establishes regulations for the use and disclosure of PHI, including a patient's health status, provision of health care, medical records or payment history.

Penalties for wrongfully disclosing PHI range from a $50,000 to a $250,000 fine and a one year to a ten year prison term, depending on the circumstances. These fines are for the individual, not the institution.

Additional HIPPA information can be found on the  Web site.

Payment Card Industry Data Security Standards (PCI-DSS)

PCI DSS is an industry standard which protects credit card customer account data. It requires specific control objectives be met by any organization that accepts credit cards for payment.  These control objectives include secure network, server, and desktop standards, as well as procedures to ensure that credit card data is properly protected during the transaction.

Failing to comply with PCI DSS can result in significant fines.  Credit card providers can fine merchants up to $500,000 per compromise when the merchant was not compliant at the time of the compromise. Merchants may also be banned from accepting certain types of credit cards. Additional information can be found on the  Website.

Additional US State Laws

If you work for TROY inside the United States but outside of Alabama or the United States, please send an email containing the state in which you work to security@troy.edu. The Information Security team will respond to you with any data privacy laws that also apply to you.

804.1.7 History

June 4, 2009: Initial Policy (TROY IT Best practices)
August 2, 2016: Policy Updated for review
September 7, 2016: Policy submitted for adoption

804.2

Encryption

804.2.1 Scope

This policy covers all computers, electronic devices, and media capable of storing electronic data that house TROY Protected data or TROY Sensitive data as defined by the Data Classification Policy. This policy also covers the circumstances under which encryption must be used when data is being transferred.

804.2.2 Purpose

The purpose of this policy is to establish the types of devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software used for encryption.

804.2.3 Policy

804.2.3.1 Devices and Media Requiring Encryption

Encryption is required for all laptops, workstations, and portable drives that may be used to store or access TROY Protected data. Encryption is recommended for all laptops, workstations, and portable drives that may be used to store or access TROY Sensitive data. IT will provide, install, configure, and support encryption where it is needed. Departments who have a laptop, workstation, or portable drive that needs to be encrypted should contact the IT Information Security team at security@troy.edu.

804.2.3.2 Electronic Data Transfers

Any transfer of unencrypted TROY Protected data or TROY Sensitive data must take place via an encrypted channel. Encrypted TROY Protected data or TROY Sensitive data may be transmitted via encrypted or unencrypted channels. All email communications that involve email addresses outside of TROY use an unencrypted channel, and therefore require that messages containing 麻豆网站列表Protected data or TROY Sensitive data be encrypted. Approved methods of encrypting electronic data transfers are listed in the appendix. If the encryption method includes a password, that password must be transferred through an alternative method, such as calling the individual and leaving the password on their voice mail. Email messages containing encrypted data may never include the password in the same message as the encrypted data. Individuals who are unsure if they are correctly encrypting electronic data transfers should contact the IT Information Security team at security@troy.edu.

804.2.3.3 Physical Transfer of Electronic Data

Any time TROY Protected data or TROY Sensitive data is placed on a medium such as a CD, DVD, or portable drive to facilitate a physical transfer, either entirely within TROY or between TROY and a 3rd party, that data must be encrypted. Archiving TROY Protected data or TROY Sensitive data to a physical medium is not recommended, but is permitted if the data is encrypted. All archiving should be done electronically, so that it is stored in a controlled data center and backed up by IT.

804.2.3.4 Software

IT will install software that is capable of encrypting the entire hard drive on all identified TROY computers and electronic devices subject to this Policy. Users who require encryption software should contact IT to arrange installation of encryption software.

804.2.4 Questions About This Policy

If you have questions about this policy, please contact the Information Security team at security@troy.edu.

804.2.5 Policy Adherence

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Handbook, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

804.2.6 Appendix

Examples of portable drives:

  • Flash drives
  • Thumb drives
  • Memory sticks
  • USB hard drives
  • iPods

IT will make the following approved encryption methods available for electronic data transfers

  • Transport Layer Security (TLS1.1 TLS1.2)
  • SSH File Transport Protocol (SFTP)
  • Connecting via an IT-approved Virtual Private Network (VPN)
  • Referenced Policies

804.2.7 History

August 9, 2009: Initial Policy (IT Best practices)
August 2, 2016: Updated
September 7, 2016: Submitted for adoption

805 - Copyright Observance

All users of University-owned computers will abide by copyright laws and licensing agreements. No software should be loaded on any University computer in violation of licenses or laws. Copyrighted software must be used only in accordance with its license or purchase agreement. Users do not have the right to reprint, use unauthorized copies of software, or make or attempt to make unauthorized copies of software. 

In addition to federal and state laws prohibiting the theft of software, 麻豆网站列表 prohibits copyright licensing infractions from or on any component of the University's information technology systems. 麻豆网站列表 will not be liable for copyright or licensing infringements by any student, faculty or staff member.

806 - Privacy Rights

麻豆网站列表 respects every individual's right to privacy in the electronic forum and prohibits use of University computers, including personally owned computers linked via University telecommunications equipment to other systems, from violating such rights. Attempts to read another person's electronic mail, access another's files, access electronic records containing information concerning another person, or use of another person's password are examples of violations of privacy rights.

There are important University concerns that place some legitimate restrictions on the privacy of programs, data files and electronic mail on the University's information technology systems.  Instructors may monitor class accounts of students in their courses. Authorized technical personnel may access accounts for the purpose of maintaining computers or network systems. Authorized technical personnel may also monitor accounts and network activity to detect violations of this policy. 

807 - Courtesy

Computer accounts should be used for their assigned purposes. For example, an account assigned to a student for a specific course should be used for work related to that course. 

All computer and network users engaged in activities not directly connected to study, research, or University-related services should willingly yield their computer terminals to others ready to use University computers and networks for their University-related work. 

Excessive use of paper, making electronic mass mailings, and using University owned computers and network resources for personal monetary gain are some examples of abuses of 麻豆网站列表information technology facilities. 

Certain types of communications are expressly forbidden on Troy's computer systems and networks. This includes the random mailing of messages, the sending of obscene, pornographic, harassing, nuisance, abusive, or threatening material, and the use of the facilities for commercial or political purposes. 

University-owned public access computers will not be used for games unless specifically authorized by a faculty member for educational purposes.

808 - Sanctions
The University may take disciplinary and/or legal action against any individual who violates any information technology usage policy. Violations of 麻豆网站列表's information technology usage policy are treated like any other violation of the Standards of Conduct as outlined in the Oracle, Troy's student handbook, and applicable faculty and staff handbooks. Violators may also be billed for illegal use of the computer systems. Any changes caused by misuse may lead to the violator being temporally or permanently suspended from 麻豆网站列表Technology facilities. Those violating statutory requirements may be prosecuted.
809 - Liability
麻豆网站列表 hereby expressly and explicitly disclaims any liability and/or responsibility for violations of this policy.
810 - Coordination of Technology Implementation

Departments or units wishing to implement a new technology process (including applications software) or new technology infrastructure (equipment and/or networks) must submit a proposal to the Chief Technology Officer(CTO) for review and approval. The CTO's director committee will review the requests. The committee shall be composed of the Chief Technology Officer and the major unit directors for Information Technology. This process is designed to ensure continuity and compatibility of technology equipment and software used by the University. All technology infrastructure and multi-user software are to be vetted through the Chief Technology Officer (CTO). The Chief Technology Officer should issue procedures for implementing this policy. Any disputes arising from decisions issued by the CTO will be mediated by the Senior Vice Chancellor for Financial Affairs and Online Education.

Approved: Cabinet, August 8, 2007
Updated: 13 May 2019
OPR: SVC, Administration
Review: Annually

811 - CyberSecurity Policy

811.1

Responsibilities

811.1.1 Chief Information Security Officer

The Chief Information Security Officer is responsible for creating and maintaining a cyber security program and leading the 麻豆网站列表 Cybersecurity team. The purpose of the cyber security program is to maintain the confidentiality, integrity, and availability of 麻豆网站列表 IT Resources and 麻豆网站列表 data. In addition, the Chief Information Security Officer, or a designee, is responsible for leading the investigation of and response to cyber security incidents. The response to any incident will be developed in collaboration with the data steward, 麻豆网站列表 Marketing and Communication, Legal Affairs, and other campus offices as appropriate.

811.1.2 Users

麻豆网站列表 IT Resource users (IT Resource users include both students and employees) are responsible for protecting the security of all data and IT Resources to which they have access. This includes implementing appropriate security measures on personally owned devices which access 麻豆网站列表 IT Resources. In addition, users are required to keep their accounts and passwords secure in compliance with the 麻豆网站列表 Password Policy.

麻豆网站列表 employees may grant IT Resource guest access to third parties (e.g., visiting scholars), after consultation with 麻豆网站列表 IT. Any 麻豆网站列表 employee who grants guest access to IT Resources is responsible for the actions of their guest users.

811.1.3 Research

麻豆网站列表 recognizes the value of research in the areas of computer and network security. During the course of their endeavors, researchers may have a need to work with malicious software and with systems that do not adhere to the security standards as prescribed by the Chief Information Security Officer. Researchers are responsible for their actions and must take all necessary precautions to ensure that their research will not affect other 麻豆网站列表 IT Resources or users. In addition, researchers are responsible for making all appropriate notifications to those that may be affected by their research. 麻豆网站列表 IT provides an Academic Computing Network for such activities; unless otherwise approved, these efforts should take place on the Academic Computing Network.

811.1.4 Network Management

The Office of Information Technology (OIT) is responsible for planning, implementing, and managing the 麻豆网站列表 network, including wireless connections.

The following network appliances cannot be implemented at 麻豆网站列表 without prior written approval by OIT or a Unit's IT lead:

  • Routers
  • Switches
  • Hubs
  • Wireless access points
  • Voice over IP (VOIP) infrastructure devices
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Virtual Private Networking (VPN)
  • Consumer grade network technologies
  • Other networking appliances that may not be included in this list

Units or individuals who install any of the technologies listed above are responsible for capturing network traffic logs and storing them for a minimum of 365 days or an appropriate amount as negotiated with the OIT network team.

Network traffic logs should include the following information:

  • Source MAC address
  • Source and destination IP address
  • Physical interface (where applicable)
  • Date and time
  • User account where available (e.g. VPN logs)

811.1.5 System Administration

Every 麻豆网站列表 owned IT Resource (including virtual resources such as virtual machines and cloud based services) must have a designated system administrator. The 麻豆网站列表 expectation is that every 麻豆网站列表 owned IT Resource will be professionally managed by the unit technical support team unless prevailing regulations dictate otherwise.

The system administrator is responsible for proper maintenance of the machine, even if the system administrator is not a member of the unit technical support team. This responsibility must be acknowledged and documented. In addition, the machine must be accessible to the unit technical support team for incident management purposes unless legal restrictions will not allow such access.

Negligent management of a 麻豆网站列表 owned IT Resource resulting in unauthorized user access or a data breach may result in the loss of system administration privileges.

System administration responsibilities for all 麻豆网站列表 owned IT Resources, including those that are self-administered, include the following:

  • Complying with all applicable 麻豆网站列表 IT policies and procedures
  • Performing an annual cyber security self-assessment for the set of IT Resources administered
  • Working with the unit technical support team to establish the following:Installing and running endpoint security/management agents that have been approved by 麻豆网站列表 Cyber Security (a link to a list of these is provided on the IT website)
  • Establishing an appropriate backup strategy and performing regular system backups
  • Regularly updating the operating system and other applications installed on the machine
  • Using, where possible and practical, central 麻豆网站列表 IT services for system login and account management (e.g. Active Directory)

811.2

Scope

All 麻豆网站列表 IT resource users and all 麻豆网站列表 IT resources are covered by this policy.

811.3

Policy Terms

Endpoint

Laptop computers, desktop computers, workstations, group access workstations, mobile devices, USB drives, personal network attached storage. 

麻豆网站列表 IT Resources

麻豆网站列表 owned Computers, Networks, Devices, Storage, Applications, or other IT equipment. 鈥溌槎雇玖斜 owned鈥 is defined as equipment purchased with either 麻豆网站列表 funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).

811.4

Procedures

811.4.1 Incident Reporting

If a 麻豆网站列表 IT Resource user suspects that a security incident has occurred or will occur, they should report the suspicion immediately to the system administrator or unit technical lead.  Users may also report the suspected security incident directly to the 麻豆网站列表 Cybersecurity team by sending an email to security@troy.edu

System administrators and unit technical leads who have identified any of the following security events should report the suspected security event to the 麻豆网站列表 Cybersecurity team:

  • Any occurrence of a compromised user account
  • Any breach or exposure of Category 3 sensitive data (see Data Access Policy)
  • Any occurrence of a server infected with malware
  • Three or more simultaneous occurrences of endpoints infected with malware
  • Any other instance of malware or suspected intrusion that seems abnormal

811.5

Enforcement

Violations of this policy may result in loss of 麻豆网站列表 system and network usage privileges, and/or disciplinary action, up to and including termination or expulsion as outlined in applicable 麻豆网站列表 policies.

811.6

Related Information

812 - Data Privacy Policy

812.1

Policy Statement

麻豆网站列表 provides information technology resources to faculty members, staff and students for the purpose of furthering 麻豆网站列表's mission and conducting 麻豆网站列表 business. While personal use of such systems is permitted, as per the Information Technology Acceptable Usage policy, personal communications and files transmitted over or stored on 麻豆网站列表 systems are subject to the same regulations as business communications.

麻豆网站列表 is committed to respecting the privacy expectations of its employees and students; however, consistent with this policy, electronic information that is transmitted over or stored in 麻豆网站列表 systems and networks is subject to being audited, inspected and disclosed to fulfill administrative or legal obligations which may include, but are not limited to, the following:

  • is necessary to comply with legal requirements or process (e.g., Alabama Open Records Act or subpoena);
  • may yield information necessary for the investigation of a suspected violation of law or regulations, or of a suspected infraction of 麻豆网站列表 or Board of Trustee policy;
  • is needed to maintain the security of 麻豆网站列表 computing systems and networks;
  • is needed for system administrators to diagnose and correct problems with system software or hardware;
  • may yield information needed to deal with an emergency;
  • is needed for the ordinary business of 麻豆网站列表 to proceed, (e.g., access to data associated with an employee who has been terminated/separated or is pending termination/separation, is deceased, is on extended sick leave, or is otherwise unavailable);
  • is necessary to comply with a written request from the Senior Vice-Chancellor for Student Affairs, or designee, on behalf of the parents, guardian, or personal representative of the estate of a deceased student; or
  • is for research authorized by 麻豆网站列表 under a data use agreement that precludes the disclosure of personally identifiable information.

812.2

Scope

This policy governs access to the files and communications transmitted on or stored in 麻豆网站列表's IT Resources.

Any individual whose personal files and communications exist on a 麻豆网站列表 IT Resource by virtue of unauthorized access will have no expectation of privacy.

812.3

Definitions

Information Technology Resources (IT Resources)
Computers, Networks, Devices, Storage, or other IT equipment

812.4

Procedures

812.4.1 Application, System, and Network Login Banner

Where possible, all 麻豆网站列表 applications and systems (excluding endpoints and mobile devices) must display the following login banner to all users prior to authentication of user credentials:

812.4.2 Terms of Use

This information technology resource is the property of 麻豆网站列表 and is available for authorized use only, in accordance with Institute IT policies. Any and all files on this system are subject to being audited, inspected and disclosed to authorized system administrators and/or law enforcement personnel to fulfill administrative and/or legal obligations. By using this system, I acknowledge these terms.

812.4.3 Requests for Access

All requests for access to information that is transmitted over or stored on Troy University systems and networks should be directed to the CTO or designee. The determination of whether access to information is necessary to fulfill administrative or legal obligations is made by the CTO or designee, and may not be made at the departmental or unit level.

  • Business Continuity
    Refer to Security Standards and Procedures for detailed procedures.
  • Deceased Students
    Refer to Security Standards and Procedures for detailed procedures.
  • Emergency
    Refer to Security Standards and Procedures for detailed procedures.
  • Legal Requirements
    Refer to Security Standards and Procedures for detailed procedures.
  • Research
    Refer to Security Standards and Procedures for detailed procedures.
  • System Integrity
    Refer to Security Standards and Procedures for detailed procedures.
  • Violation of Law or Policy
    Refer to Security Standards and Procedures for detailed procedures.

812.5

Enforcement

Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable 麻豆网站列表 disciplinary procedures, as well as personal civil and/or criminal liability.

813 - GLBA Information Security Program

813.1

Reason For Policy

This Information Security Plan ("Plan") describes safeguards implemented by 麻豆网站列表 to protect covered data and information in compliance with the FTC's Safeguards Rule promulgated under the Gramm Leach Bliley Act (GLBA). These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.
  • This Information Security Program also identifies mechanisms to:
  • Identify and assess the risks that may threaten covered data and information maintained by 麻豆网站列表;
  • Develop written policies and procedures to manage and control these risks;
  • Implement and review the program; and
  • Adjust the program to reflect changes in technology, the sensitivity of covered data and information and internal or external threats to information security.

813.2

Policy Statement

GLBA mandates that 麻豆网站列表 appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.

813.2.1 Information Security Program Coordinator(s)

The Chief Technology and Security Officer and Vice-Chancellor of Finance and Business Affairs have been appointed as the coordinators of this Program at 麻豆网站列表. They are responsible for assessing the risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to 麻豆网站列表. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that all departments comply with the requirements of the security policies and practices delineated in this program.

813.2.2 Identification and Assessment of Risks to Customer Information

麻豆网站列表 recognizes that it is exposed to both internal and external risks, including but not limited to:

  • Unauthorized access of covered data and information by someone other than the owner of the covered data and information
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of covered data and information by employees
  • Unauthorized requests for covered data and information
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of covered data and information through third parties

Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, 麻豆网站列表 Cyber Security will actively participate and monitor appropriate cybersecurity advisory groups for identification of risks.

Current safeguards implemented, monitored and maintained by 麻豆网站列表 Cyber Security are reasonable, and in light of current risk assessments are sufficient to provide security and confidentiality to covered data and information maintained by 麻豆网站列表. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.

813.2.3 Employee Management and Training

References and/or background checks (as appropriate, depending on position) of new employees working in areas that regularly work with covered data and information (e.g. Cashiers Office, Financial Aid) are checked/performed. During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts should help minimize risk and safeguard covered data and information.

813.2.4 Physical Security

麻豆网站列表 has addressed the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to 麻豆网站列表 employees with an appropriate business need for such information.

Furthermore, each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.

813.2.5 Information Systems

Access to covered data and information via 麻豆网站列表's computer information system is limited to those employees and faculty who have a legitimate business reason to access such information. 麻豆网站列表 has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to 麻豆网站列表's information systems. These policies and procedures, listed in Section 3 below, are available upon request from the Chief Security Officer.

Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As such, 麻豆网站列表 has discontinued the use of social security numbers as student identifiers in favor of the 麻豆网站列表ID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.

813.2.6 Management of System Failures

麻豆网站列表 Cyber Security has developed written plans and procedures to detect any actual or attempted attacks on 麻豆网站列表 systems and has an Incident Response Plan which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information. This document is available upon request from the Chief Security Officer.

813.2.7 Oversight of Service Providers

GLBA requires 麻豆网站列表 to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Security Program Coordinator(s) will identify service providers who have or will have access to covered data, and will work with the Office of Legal Affairs and other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of covered data.

813.2.8 Continuing Evaluation and Adjustment

This Information Security Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Program Coordinator(s), who will assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Program Coordinator(s), in consultation with the Office of Legal Affairs, will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.

813.3

Policy Terms

Covered data and information

Covered data information for the purpose of this program includes student financial information (defined below) that is protected under the GLBA. In addition to this coverage, which is required under federal law, 麻豆网站列表 chooses as a matter of policy to include in this definition any and all sensitive data, including credit card information and checking/banking account information received in the course of business by 麻豆网站列表, whether or not such information is covered by GLBA. Covered data and information includes both paper and electronic records.

Pretext calling

Pretext calling occurs when an individual attempts to improperly obtain personal information of 麻豆网站列表 customers so as to be able to commit identity theft. It is accomplished by contacting 麻豆网站列表, posing as a customer or someone authorized to have the customer's information, and through the use of trickery and deceit (sometimes referred to as Social Engineering), convincing an employee of 麻豆网站列表 to release customer-identifying information.

Student financial information

Student financial information is that information that 麻豆网站列表 has obtained from a student or customer in the process of offering a financial product or service, or such information provided to 麻豆网站列表 by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

813.4

Procedures

813.4.1 Related Policies, Standards and Guidelines

麻豆网站列表 has adopted comprehensive policies, standards, and guidelines relating to information security, which are incorporated by reference into this Information Security Program. They include:

813.4.1.1 Policies
  • Cyber Security Policy
  • Unit-Level Network Usage Policies
  • Data Access Policy (including Sensitive Data & Server Registration)
  • Credit Card Processing Policy
813.4.1.2 Standards

Data Protection Safeguards

813.4.1.3 Communication

Upon approval, this policy shall be published on the 麻豆网站列表 website. The following offices and individuals shall be notified via email and/or in writing upon approval of the program and upon any subsequent revisions or amendments made to the original document:

  • Senior Vice-Chancellors
  • Deans
  • Vice-Chancellors
  • Chairs
  • Department Heads
  • Unit-level business officers
  • Internal Auditing

813.5

Related Information

Gramm-Leach-Bliley Act

FTC: Final Rule--Standards for Safeguarding Customer Information (16 CFR Part 314) 
FTC: Final Rule--Privacy of Consumer Financial Information (16 CFR Part 313)
FTC Guidance: Financial Institutions and Customer Data--Complying with the Safeguards Rule
NACUA Cyber Security Resources Page
NACUBO GLB Act Resources Page

814 - Credit Card Processing Policy

814.1

Policy Statement

814.1.1 The approval process for all credit card processing activities

The Senior Vice Chancellor of Financial Affairs or delegate must approve all credit card processing activities at the 麻豆网站列表 prior to entering into any contracts or purchasing equipment. This requirement applies regardless of the transaction method used (e.g. online processing at 麻豆网站列表, outsourced to a third party, or swipe terminals).

All technology implementation associated with the credit card processing must be in accordance with the Credit Card Processing Procedures and approved by the Chief Technology Officer prior to entering into any contracts or purchasing equipment.

All credit card numbers must be handled in accordance with the Data Access Policy requirements for category 4 data. Please contact OIT Information Security for assistance with interpretation and implementation. However, instances of P-card numbers or corporate cards where 4 or fewer numbers are functionally present may be handled as category 3 data. Any conflicts between the requirements of the Data Access Policy and the Credit Card Processing Procedures will be resolved in favor of the Credit Card Processing Procedures.

814.1.2 Units approved for credit card processing activities must maintaining the following standards

Provide appropriate training to all employees handling systems with credit card numbers including both personnel within the unit handling the credit card transactions and appropriate personnel in the Office of Information Technology.

Create, maintain and test annually business continuity/disaster recovery plans and system compromise response plans.

All outsourcing agreements must meet the standards set forth in the Credit Card Processing Procedures.

All servers storing or processing credit card numbers will be housed with the Office of Information Technology. All servers and POS Terminals will be administered in accordance with the requirements of the Credit Card Processing Procedures.

Credit card numbers will be retained for a maximum of 90 days. The only exception is transactions for future events, which may be retained up to 180 days from the transaction date. All media used for credit card numbers must be destroyed when retired from this use. All hardcopy must be shredded by at least a cross-cut shredder prior to disposal.

Access to credit card numbers must be restricted to the minimum number of people possible. No employee may have access to credit card numbers until he or she has attended the Credit Card Processing Policy Training and has tendered written acknowledgement of receipt of a copy of this policy, the Credit Card Processing Procedures and other appropriate policies (e.g., Data Access Policy, Service Certification Process and Procedure, and unit level security policy). After completion of these requirements, the unit head may issue, in writing, authorization for the employee's access. No employee will have access to credit card numbers without such written authorization.

Each unit responsible for credit card processing must complete audits quarterly on all systems storing or processing credit card numbers to ensure compliance with this policy and the associated procedures. The Office of Information Technology will participate in these audits. Annual audits must be performed by Office of Information Technology Information Security to confirm the results of the quarterly audits.

All computers handling, processing, or storing credit card numbers must be registered in accordance with the revised Computer and Network Usage Policy.

814.2

Scope

All academic units, administrative units, organizations, and employees of the Troy University or that use systems or networks supported 麻豆网站列表 must abide by this policy.

This policy specifically addresses all credit card processing by the 麻豆网站列表. All POS terminals handling credit card numbers (in full or truncated) and all servers receiving, storing, or transmitting credit card numbers (in full or truncated) are subject to this policy. An exemption is provided for P-card numbers provided the credit card number are functionally truncated to four digits or less.

814.3

Policy Terms

Application Server

The computer hosting the application that the general end-user or the point-of-sale (POS) terminal connects

Category III Data Sensitive

This information is considered private and should be guarded from disclosure; However, public disclosure of this information due to a system compromise generally does not result in financial fraud or violation of State and/or Federal law. Examples include intellectual property information, private directory listings, and contract negotiations.

Category IV Data Highly Sensitive

Any disclosure of this information, intentional or otherwise, may contribute to financial fraud and/or violate State and/or Federal law. Examples include Social Security numbers, credit card numbers, financial institution account numbers, and employee and student health records.

Cardholder Information Security Program (CISP)

The formal data protection program mandated by Visa

Card Verification Value 2 (CVV2)

An additional verification code used in transaction processing

Credit Card Number

Any part or all of the unique number identifying the account for a financial transaction

Database Servers

The computer storing the sales and/or credit card numbers

eCommerce Application

Any internet-enabled financial transaction application, whether a buying application or selling application

Employee

Any employee (as defined by the Employee Handbook) faculty, student employee, or contractor employed by a third party and providing services to the 麻豆网站列表

Encryption

Scrambling data in a recoverable format

Firewall

A network device or host-based software implementation designed to restrict network access to a computer

Hashing

Scrambling data in an unrecoverable but verifiable format

The computer storing the sales and/or credit card numbers

eCommerce Application

Any internet-enabled financial transaction application, whether a buying application or selling application

Employee

Any employee (as defined by the Employee Handbook) faculty, student employee, or contractor employed by a third party and providing services to the 麻豆网站列表

Encryption

Scrambling data in a recoverable format

Firewall

A network device or host-based software implementation designed to restrict network access to a computer

Intrusion Detection System (IDs)

A network monitoring device for recognition of attempts to compromise monitored systems

ISO 17799

The International Standards Organization document defining computer security standards. The credit card vendors may have based their policies on this standard.

POS Terminal

Point-of-Sale (POS) computer terminals either running as standalone systems or connecting to a server either at the 麻豆网站列表 or remotely off site

Purchase Cards (P-Cards)

Credit cards obtained by 麻豆网站列表 through a customer agreement with a bank for procurement purposes.

Site Data Protection Program (SDP)

The formal data protection program mandated by MasterCard

Swipe Terminal

POS credit card terminals

Two-factor Authentication

Authentication requiring two different methods confirming identity typically based on something the user has (e.g. a card, a key, a fingerprint) and something the user knows (e.g. a password)

Web Development

The design, development, implementation and management of the front-end of the eCommerce application

814.4

Procedures

814.4.1 Executive Summary

These procedures are required in direct support of the 麻豆网站列表 Credit Card Processing Policy and were included in the original approval of the policy. This document sets forth the technical details and procedural requirements for implementing credit card processing at the 麻豆网站列表 or outsourcing that processing to a third party. The procedures' scope, revisions, exceptions, and compliance are noted in the Credit Card Processing Policy.

The procedures are separated into the following general areas of interest:

814.4.2 Computer system security requirements

All computers handling credit card numbers must have the following in place:

  • A host-based firewall technology preventing connections from all ports except a specific subset (e.g. 443 for secure web transactions, IP restricted port 22 for system administration).
  • All firewall rules must be documented and modifications approved in keeping with the Service Certification Process.
  • All Microsoft Windows computers must run anti-virus software.
  • File integrity monitoring to an external system for critical system and application files for inappropriate/unauthorized modifications. Reviews for potential changes must occur daily.
  • System logging or auditing to an external server for all critical operating system modifications (e.g. all logins, unauthorized file access attempts) and maintain the log for at least 6 months
  • A single function (e.g. application or database) is implemented per server.
  • Security patches must be tested and, if possible, applied within one week of vendor release. All patches must be applied or documentation explaining the implementation problem within 30 days.
  • A change log must be maintained for all servers.
  • Passwords must be at least 8 characters long and require complex passwords (inclusion of a number or special character), expire after 90 days or less, not reuse the last 4 passwords, and stored in an encrypted or hashed format.
  • All accounts must be disabled after 30 days of inactivity and, if not re-enabled and actively used, removed after an additional 60 days. The only exception is emergency accounts used for system recovery and not used regularly.
  • All system patches must be applied to a new computer before connecting to the network. All default account names and default passwords must be changed before connecting to the network.
  • All computer security configurations and services/daemons must be reviewed before connecting to the network
  • Perform vulnerability testing on associated computers every 30 days with penetration testing at least annually.
  • Only allow computer access by uniquely assigned and auditable IDs.

814.4.3 Connectivity security requirements

All computers handling credit card numbers must have the following provisions in place for network and modem connectivity:

  • A network-based firewall preventing inappropriate/unauthorized access from outside the academic/business unit or specific authorized computers.
  • An intrusion detection system monitoring for unauthorized access attempts.
  • 24/7 monitoring for network-based firewall and IDs systems for potential penetrations and 24/7 on-call expertise for potential security incidents.
  • Two-factor authentication for routers servicing all computers connecting to, handling, processing, or storing credit card numbers.
  • Specific authorization for modem connections. All modem connection must be outbound only.
  • All data transfers and administrative access must be in an encrypted format (e.g. SSL, SSH, IPSEC).

814.4.4 Credit card number storage requirements

Credit card numbers must be protected by encryption, hashing, or truncation. No complete credit card numbers will be stored on computers owned by the 麻豆网站列表 in an unprotected manner. Standard encryption algorithms must use at least 128bit key. Minimum key lengths will be increased as computing processing power improves. Minimum key lengths for new encryption technologies must be provided with these guidelines prior to implementation. Keys must be in a single accessible location with back-ups. Keys must be changed every 90 days and old keys must be deleted/destroyed after an additional 30 days.

The following additional requirements apply to computers storing credit card numbers and network connectivity beyond those noted in "Computer System Requirements" and "Connectivity Security Requirements":

  • Accounts must lock-out after six or fewer invalid login attempts and require manual re-enabling.
  • Sessions must time-out after 15 minutes.
  • All accesses to credit card numbers must be logged.
  • All root access activities must be logged to an external server.
  • The system must not be openly accessible from any public network.
  • The computer's IP address must not be available outside the local subnet.
  • A dedicated firewall must be in place specifically for computers storing credit card numbers to preventing any public access to protected systems. Access is only permitted by exception by both IP and port.
  • Credit card numbers must not be stored in multiple locations with the exception of backups.
  • CVV2 information must not be stored beyond the transaction authorization point.
  • Two-factor authentication is recommended.

814.4.5 Physical security requirements

All servers storing credit card numbers must have the following provisions in place:

  • The servers must be in the Network Operations Center (NOC) for the Office of Information Technology. Servers placed in a separate locked room within the NOC or within locked racks. Video surveillance must be maintained on the servers. All access to servers by anyone except employees specifically approved for access to the credit card numbers must be escorted continuously.
  • The NOC must log all room access (maintained for at least 90 days), maintain video surveillance of room ingress and egress, and provide identification for easily distinguishing employees, visitors, and inappropriate access. Visitors must be issued a NOC ID that must be returned or issued a temporary ID and continuously escorted.
  • All backup media must be secured on site, off site, and in transit. All transportation must be handled by approved Institute employees or bonded couriers.

814.4.6 Outsource requirements

Any unit may select to outsource their credit card transaction processing. This option transfers the risk to the outsourced service. Approval for credit card transaction processing must follow the standard approval process.

Contracts must address these elements:

  • Compliance with all appropriate credit card company security requirements.
  • Service level agreements.
  • Defining data retention and destruction requirements.

814.4.7 Review process of credit card transaction processing request

  • Document the business need for accepting credit card transactions in a new unit or location.
  • Meet with Financial Services for justification and approval of business case.
  • Meet with Information Security to evaluate options and costs for implementation (using existing facilities, implementing separate facilities, or outsourcing transaction processing).
  • Meet with the CTO or designee for the Office of Information Technology for technical approval of implementation.
  • Meet with 麻豆网站列表 Legal Affairs to ensure all contracts meet federal, state, and contractual requirements.

814.4.8 Communication

Upon approval, this policy shall be published on the 麻豆网站列表 Office of Information Technology website under policies and will be the Business Office web site.

The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:

  • Senior Vice-Chancellors
  • Deans
  • Vice-Chancellors
  • Chairs
  • Internal Auditing

814.4.9 Revisions and Exceptions

This policy may be revised only by signature by the Chancellor of 麻豆网站列表.

The Senior Vice-Chancellor of Finance and the CTO may grant exceptions to this policy or revise the Credit Card Processing Procedures document by mutual agreement.

814.5

Enforcement

Failure to comply with this policy and the associated required procedures by employees will be deemed a violation of Institute policy and subject to personnel action up to and including termination as noted in the Employee Handbook and/or the Faculty Handbook. Technology that does not comply with this policy and the associated required procedures is subject to disconnection of network services or confiscation of equipment pending review and approval of processes, procedures, and/or equipment.

815 - Identity Theft Prevention Program

815.1

Reason for Policy

麻豆网站列表 developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's (FTC) Red Flags Rule. The Red Flags Rule implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. After consideration of the size and complexity of 麻豆网站列表's operations and account systems, and the nature and scope of 麻豆网站列表's activities, 麻豆网站列表 determined that this Program was appropriate.

815.2

Policy Statement

815.2.1 Requirements of the Red Flags Rule

Under the Red Flags Rule, 麻豆网站列表 is required to establish an Identity Theft Prevention Program. The program must contain reasonable policies and procedures to:

  • Identify relevant Red Flags for new and existing covered accounts, and incorporate those Red Flags into the Program;
  • Detect Red Flags that have been incorporated into the Program;
  • Respond appropriately to any Red Flags that are detected in order to help prevent and mitigate Identity Theft; and
  • Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of 麻豆网站列表 from Identity Theft.

815.2.2 Oversight

Responsibility for developing, implementing, and updating this Program lies with an Identity Theft Committee (Committee) for 麻豆网站列表. The Committee is headed by the CTO who is the Program Administrator. 麻豆网站列表's CTO, the representative of Legal Affairs and Risk Management, and such other individuals as may be appointed by the Chancellor of 麻豆网站列表 comprise the remainder of the committee membership. The Program Administrator is responsible for ensuring appropriate training of Troy staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the Program.

815.2.3 Staff Training and Reports

麻豆网站列表staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the steps to be taken when a Red Flag is detected. 麻豆网站列表employees are expected to notify the Program Administrator once they become aware of an incident of Identity Theft or of 麻豆网站列表's failure to comply with this Program.

At least annually, or sooner if requested by the Program Administrator, 麻豆网站列表staff responsible for development, implementation, and administration of the Program shall report to the Program Administrator on compliance with this Program. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management's response, and recommendations for changes to the Program.

815.2.4 Service Provider Arrangements

In the event 麻豆网站列表 engages a service provider to perform an activity in connection with one or more Covered Accounts, 麻豆网站列表 will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:

  • Require, by contract, that service providers have such policies and procedures in place; and
  • Require, by contract, that service providers review 麻豆网站列表's Program and report any Red Flags to the Program Administrator or 麻豆网站列表 employee with primary oversight of the service provider relationship.

815.2.5 Non-disclosure of Specific Practices

For the effectiveness of the Identity Theft Prevention Program, knowledge about specific Red Flag identification, detection, mitigation, and prevention practices may need to be limited to the Committee who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other 麻豆网站列表employees or the public. The Program Administrator shall inform the Committee and those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential manner.

815.2.6 Program Updates

The Committee will periodically review and update the Program to reflect changes in risks to students and the soundness of 麻豆网站列表 from Identity Theft. In doing so, the Committee will consider 麻豆网站列表's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in 麻豆网站列表's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Committee will update the Program.

815.3

Scope

All employees, students, affiliates, contractors, consultants, vendors, or other consumers of Covered Accounts data, and all 麻豆网站列表data (electronic, paper or otherwise) that could be leveraged to conduct identity theft from Covered Accounts are covered by this policy.

815.4

Policy Terms

Covered Accounts

All student accounts or loans that are administered by 麻豆网站列表, including tuition payment plans, federal and school loans involving multiple payments, and campus payment cards.

Identifying Information

Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer's Internet Protocol address, or routing code. 

Identity Theft

A fraud committed or attempted using the identifying information of another person without authority.

Program Administrator

The individual designated with primary responsibility for oversight of the Identity Theft Prevention Program.

Red Flag

A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

815.5

Responsibilities

815.5.1 Program Administrator

This policy confirms the need for an Information Security organization, which is responsible for ensuring 麻豆网站列表compliance with this policy, and maintaining this policy as business processes, technology, and methods of identity protection improve. The Program Administrator monitors the activities of and works with the Data Stewards on the development and implementation of campus unit level Identity Theft Prevention Programs

815.5.2 Identity Theft Committee

The Identity Theft Committee is responsible for confirming incidents of identity theft and determining the appropriate course of action when incidents occur. Additionally, the committee is responsible for supporting the Program Administrator in ensuring the ongoing success of the Identity Theft Prevention Program.

815.5.3 Data Stewards

Data Stewards are responsible for developing and implementing Identity Theft Prevention within their purview. Data Stewards report to the Program Administrator on their activities in implementing unit level Identity Theft Programs.

815.6 Enforcement

Individuals covered by the scope of this policy are expected to: a) respect the confidentiality and privacy of individuals whose records they access; b) observe any restrictions that apply to sensitive data; and c) abide by applicable laws, policies, procedures, and guidelines with respect to access, use, or disclosure of information.

Individuals who become aware of potential Identity Theft are expected to report such an incident per the procedures defined by the Identity Theft Prevention Program Administrator. The Program Administrator will report violations to the appropriate Faculty and/or Employment body. Violations of this policy may result in loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable 麻豆网站列表 disciplinary procedures, as well as personal civil and/or criminal liability.

816 - External Hosting Policy

816.1

Introduction

This Policy describes the requirements for appropriate and approved use of externally hosted 麻豆网站列表 Systems and/or Data.

816.2

Policy History

The effective date of this Policy is May 14, 2019.

816.3

Policy Text

External hosting of Systems and/or Data can be categorized as the following models:

  • Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.
  • Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.
  • Infrastructure as a Service (IaaS) is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it.

For the purpose of this document, the term cloud computing services is used to encompass SaaS, PaaS, and IaaS.

For external hosted Systems and/or Data, each System Owner shall ensure that the Systems protections described in Technology Policy Section 800 and on the 麻豆网站列表IT Best Practices guides are implemented as well as compliance with requirements in the Technology Policy, Section 800, data classification and encryption.

If Sensitive Data and/or Confidential Data are stored on cloud computing services, the relevant contracts must be approved by the University's Procurement Services and such System's protections must be assessed by the Information Security Office prior to implementation and reassessed on a periodic basis thereafter, as determined by the level of risk. Currently, vendors are requested to submit HECVAT documentation prior to contract signing.

In addition to other University policies, the following requirements which must be followed in the use of cloud computing services:

816.3.1 Pre-requisite Requirements

  • Consult with appropriate data owners, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with the Legal Office or the Information Security Office for guidance.
  • Contractual requirements:
    • Both the University and vendor must declare the type of Data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the Data owned by each party. The parties also must clearly define Data that must be protected.
    • The contract must specifically state what Data the University owns. It must also classify the type of Data shared in the contract according to the University's Data Classification policy requirements. Departments must exercise caution when sharing Sensitive or Confidential Data (as defined by Troy's Data Classification Policy) within a cloud computing service.
    • The contract must specify how the vendor can use University Data. Vendors cannot use University Data in any way that violates the law or University policies.

  • Ensure a Service Level Agreement (SLA) with the vendor exists that requires:
    • Clear definition of services;
    • Agreed upon service levels;
    • Performance measurement;
    • Problem management;
    • Customer duties;
    • Disaster recovery;
    • Termination of agreement;
    • Protection of sensitive information and intellectual property; and
    • Definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.
    • Cloud computing services should not be engaged without developing an exit strategy for disengaging from the vendor and/or service while integrating the service into normal internal business practices and/or business continuity and disaster recovery plans. The University must determine how Data would be recovered from the vendor.
    • A proper risk assessment must be conducted by the Information Security Office prior to any third party hosting or cloud computing service arrangement.

816.3.2 Intellectual property and copyright materials

  • 麻豆网站列表 marks, images, and symbols are owned by the University and may not be used or reproduced without the permission of the Office of Communications.
  • Review Copyright Policy and understand the appropriate use of intellectual property including copyrights, trademarks, and patents.

816.3.3 Privacy and data security

  • Information that the University has classified as 鈥淪ensitive Data鈥, "Confidential Data鈥, 鈥淚nternal Data鈥, or 鈥淧ublic Data鈥 may be used only in accordance with the policy related to the classification of information which may be found in the Data Classification Policy.
  • Personally Identifiable Information (PII) may only be used in compliance with information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, FERPA, the Alabama Information Security Breach and Notification Act, similar state laws and PCI-DSS.
  • Student information may only be used in compliance with FERPA guidelines.
  • Protected Health Information (PHI) may only be used in compliance with HIPAA requirements.
  • Export Controlled Information may only be used in compliance with U.S. export control regulations (ITAR, EAR).

816.3.4 Data availability and records retention

  • Ensure that all academic, administrative, or research related data are retained according to the records retention requirements.
  • Back-up data regularly to ensure that records are available when needed, as many providers assume no responsibility for data-recovery of content.

816.3.5 Supplemental Requirements

The requirements lists set forth in this Policy are not comprehensive and supplemental controls may be required by the University to enhance security as necessary.

817 - Data Governance

817.1
Introduction

This Policy describes the management of all 麻豆网站列表 data.

817.2
Policy History

The effective date of this Policy is May 14, 2019.  Last update June 29, 2022.

817.3
Policy Text

TROY University is committed to providing a widely-available campus computing environment consistent with the institution's mission of teaching, research and service. Equal to this commitment is the responsibility of the organization to ensure the integrity of TROY University data and to encourage and enforce confidential, legal and ethical standards of management and use of these data. An important aspect of this responsibility is TROY University's continuing compliance with all applicable federal and state laws governing disclosure of information in these databases.

All data captured using TROY University assets are resources of TROY University.  This policy applies to data critical to the administration of TROY University. TROY University is the Data Owner of data which may reside in different database systems, on different machines and in printed form. Data in aggregate may be thought of as forming a logical database.. This terminology does not imply that these data now or in the future should reside in a single physical database. It recognizes that regardless of where the data reside, there are some general principles of data management that should be applied in order to maintain the confidentiality, integrity and availability of TROY University's information resources. In addition, legal and ethical standards of use apply to all data available to TROY University computer users. These data include, but are not limited to, information in report form (printed or electronic); data stored on TROY University systems, local area networks and individual workstations; and transportable storage media and cloud, externally-hosted solutions.
 
TROY University considers violation of any of these general policies and standards to be a serious offense and reserves the right to copy and examine any files or information resident on TROY University computer systems allegedly related to inappropriate use. Violators are subject to disciplinary action as prescribed in the appropriate TROY University staff or faculty handbook. Offenders may also be subject to prosecution under applicable federal state and local statutes.

 

Complete data governance policy and data management framework is available at .

 

Cookie Acknowledgment
This website uses cookies to collect information and to improve your browsing experience. Please review our privacy statement for more information.