Original Effective Date: 02/17/2013
Revised Date: 04/20/2023

---

The computing and electronic communications facilities at Fairleigh Dickinson University support the instructional, research, and administrative activities of the University. Users of these facilities may have access to University resources, sensitive data, and external networks. Consequently, it is imperative for all users to behave in a responsible, ethical, and legal manner. This document presents specific guidelines for appropriate behavior and use of FDU computing resources.

SCOPE

These guidelines apply to all users of FDU computing resources. Users include all students, faculty, staff, visiting faculty, volunteers, guests of the administration, and external individuals or organizations.

Computing resources include, but are not limited to, desktop and laptop computers, file servers, smart phones, email and electronic communications, software, University-assigned email accounts, data storage, and networking equipment used to link these components together and to the Internet, whether owned, leased, or licensed by FDU. In addition, computing resources include use of the University network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network. Moreover, this policy applies to all usage of university computing resources, whether that usage occurs through a university owned device or personal device.

University property, including computing resources, are provided to you for University business. Although security protocols have been put in place to restrict access to computing resources to protect them against unauthorized access by external parties, it is important that all members of the University community take appropriate measures to safeguard these resources.

Users – and not the University — are responsible for the materials that users prepare, receive, or transmit through computing resources. Thus, as a condition of using the University’s computer system, all users represent that they are in compliance with applicable laws and University policies, including l federal, state, and international copyright and other intellectual property laws and laws regarding defamation.

ACCEPTABLE USE

Those who make use of the FDU computing resources are required to behave in a manner consistent with FDU’s codes of conduct. As a user of this network, you agree to the following usage guidelines:

1. You will not use an account that does not belong to you. You will use only the computers, computer accounts, and computer files for which you have authorization. You may not share accounts, files, or access to computer resources with any unauthorized person.
   
2. You are responsible for any computer account you have been given. You will set a password on the account that is in compliance with university password policies, and you may not share this password with any other person. If you discover that someone has made unauthorized use of your account, you should change your password immediately and immediately report the event to one of the individuals listed in Appendix 1.
   
3. You agree not to intentionally seek out information about, copy, or modify password files, other users’ files, or disks and tapes belonging to other people, unless specifically authorized by those persons, whether at FDU or other facilities.
   
4. You should not attempt to decrypt material to which you are not entitled or attempt to gain rights you have not been specifically granted by the owner. If you observe or discover a gap in system or network security, you agree to inform one of the individuals listed in Appendix 1 and not to exploit the gap.
   
5. You agree to refrain from any activity that interferes with a computer’s operating system or its logging and security systems, or that may cause such effects. Additionally, users are not authorized to remove any security software installed on FDU equipment by FDU Systems personnel.
   
6. You must be sensitive to the public nature of computing resources and agree not to transmit, post, or otherwise display material that is threatening, obscene, harassing, or defamatory. The use of University computing resources to libel, slander, or harass any other person is not allowed and could lead to University discipline as well as legal action by those who are the recipients of these actions.
   
7. You agree not to make copies of or distribute software the University owns or uses under license, unless the owner of the software or the owner of the license has specifically granted permission to copy. If in doubt as to whether you have permission to copy software, assume you don’t.
   
8. Messages, statements, and declarations sent as electronic mail or public postings should be treated as if they were tangible documents. From electronic identifiers used in the transmission of messages, addressees can see the University is the source of the message or its system is being used to transmit it, similar to how letterhead or return addresses on a tangible document would identify the University. Therefore, as a representative of the FDU community, you are expected to respect the University’s good name in your electronic dealings with those both within and outside the University. Moreover, in so far as employees make use of FDU computing resources to relay personal opinions, it is their obligation to make sure that no addressee can infer that their personal opinions are necessarily shared or authorized by the University, and they are obligated to clearly identify their opinions as their own and not those of the University.
   
9. You agree not to create, alter, or delete any electronic information contained in any system that is not your own work, unless specifically authorized by the owner of that information.
   
10. You agree not to create, send, or forward electronic chain mail letters. You agree not to attempt to alter or forge the “From” line or any other attribution of origin contained in electronic mail or postings. You agree not to use any of the University systems for sending what is commonly referred to as “SPAM” mail (unsolicited bulk email).
    
11. You may not use FDU computing resources as a means of obtaining unauthorized access to any other computing systems.  
    
12. FDU’s data storage on University servers, hosted servers, third party storage, or hosted storage, is an FDU computing resource with costs attached and should be used with care and discretion. It is primarily meant for current class work, research and development projects, business files, and temporary storage of other files. Users are expected to keep their disk usage reasonably minimized, in keeping with their University role.
    
13. Network addresses such as TCP/IP addresses and machine addresses are assigned by University Systems and Networking staff and may not be altered or otherwise assigned without the explicit permission of the Associate Vice President of Systems and Networking (or other designee). In addition, no equipment may be attached to the network without the explicit permission of the Associate Vice President of Systems and Networking (or other designee). This applies to all staff as well as academic departments.
    
14. FDU’s computing resources are not to be used for the transmission of commercial or personal advertisements, solicitations, and promotions or for extended reproduction of political, ideological or commercial material originated by a person or organization. This includes but is not limited to the execution of revenue-generating advertising programs which pay users when the programs are run. The Associate Vice President of Systems and Networking (or other designee) may suspend this rule when it is in FDU’s best interest to permit such activity.
    
15. Users may not contract with external Internet services, service providers, or the like without the explicit written approval of the Associate Vice President of Systems (or designee) and Networking and compliance with Finance and Office of General Counsel policies.
    
16. Without the explicit written permission of the Associate Vice President of Systems and Networking (or designee) you agree not to run any of the following protocols or services:
    
    • Port scanners, network monitors or other types of utilities that probe any other computer, be they inside or outside FDU’s network.
      
    • Routing or network serving protocols such as RIP, IGRP, OOTP or DHCP on the network.
      
    • Daemons, processes or programs that accept incoming connections, as a server would.
      
    • Streaming media servers or any other server that broadcasts continuous data streams.

17. FDU’s computing resources, including equipment, network, services, and wiring may not be modified or extended beyond the areas of their intended use.
    
18. Network connections may not be used to provide network access to anyone outside the University community or for any purposes other than those that are in direct support of the academic mission of the University.
    
19. All computers connected to FDU’s network must run an operating system and configuration that is supported by its vendor with regard to security patches and updates, as well as antivirus software with current virus definitions. It is the user’s responsibility to keep their virus definitions up to date and to apply all critical operating system updates. More information is available at https://it.fdu.edu or submit questions through the SAMI Support portal or by emailing fdutac@fdu.edu.
    
20. Users may not alter the operating system or configuration of University owned computers without the explicit written authorization of the Associate Vice President of Systems and Networking (or designee).
    

PERSONAL USE

Computing resources are created to support the instructional, research, and administrative activities of the University, and are the property of the University. Personal use of the University’s computing resources, except for students enrolled at the University, should be incidental and kept to a minimum. Use of such resources by an employee for other than work-related matters should be reasonable and limited so that it does not prevent the employee from attending to and completing work effectively and efficiently, does not incur additional cost to the University, and does not preclude others with work-related needs from using the resources, including the shared campus and Internet bandwidth.

Department Heads and other administrators may enact additional restrictions to further limit employees’ personal use of University computing resources. These restrictions may include but are not limited to: limiting time spent reading or writing personal email or visiting web pages, and limitations on acceptable content due to the possible exposure of screens to other individuals. Human Resources must be consulted, in advance, about any proposed restrictions.

SECURITY

Users should use reasonable available methods to safeguard their data, including regular changes of passwords, and encrypting sensitive data. In the event that files have been corrupted as a result of intrusion, you should notify a system administrator immediately. Please note that FDU’s computing resources are not completely secure. It is possible that others will be able to access files by exploiting shortcomings in system security. For this and other reasons, FDU cannot assure confidentiality of files and other transmissions.

The Office of Information Resources and Technology (“OIRT”) and each of its departments attempt to provide reasonable security against damage to files stored on FDU’s computing resources by filtering all outgoing and incoming electronic mail for viruses and junk mail and making regular backups of systems.

In connection with the University’s migration to Office 365, the University adopted a policy of retaining copy of each fdu.edu email for three (3) years. This means, regardless of individual user action, the University will maintain a copy of all email traffic for a period of 3 years.

In the event of lost or damaged files, a reasonable attempt will be made to recover the information; however, the University and the University Information Technology staff cannot guarantee recovery of the data or loss of data due to media failure, floods, fires, etc.

OIRT and each of its departments will make reasonable attempts to provide error-free hardware and software on our computing resources, however, it is not possible to guarantee this, and information provided by staff members is not guaranteed to be correct.

PRIVACY

Users should exercise caution when storing any confidential information in electronic format, because the privacy of such information cannot be guaranteed. User(s) must be aware that any personal files, including e-mail, maintained on University computing resources are University property and are subject to University storage, retrieval, and review. Individuals using FDU computing resources should have no expectation that any information transmitted through or stored on FDU computing resources, whether the information is contained on a computer hard drive, computer disks, University or third party server or in any other manner, will be private. By using FDU computing resources, the user consents to the University’s (and its designees’, both internal and external) access to their electronic files, documents, and materials stored, transmitted, or otherwise accessible on those resources.

Examples of where the University might access a user’s electronic files include system backups, which access all files in a user’s account; software upgrades which may require editing startup files in a user’s account; diagnostic and trouble-shooting activities, which may, for example, require viewing the address headers of e-mail messages to determine the cause of problems; keystroke monitoring of sessions to determine inappropriate use of the computing facilities; searches in connection with a litigation, threatened litigation, governmental proceeding or investigation; investigation of a possible data breach; investigation of possible breach of University policy, rules, handbooks, or protocols; and other measures to safeguard the University’s systems and compliance with laws. These examples are not intended to limit the University’s right to access a user’s electronic files under circumstances deemed appropriate by the University. In such situation(s), University computer resources in the possession of a user, or otherwise assigned to an individual, may be accessed, reviewed, duplicated, stored, and forwarded by appropriate personnel without the user’s permission or knowledge.

Without limitation, because employees are granted access to and use of FDU computing resources to conduct University business, the University reserves the right to access electronic mail messages left on or transmitted through the University’s computing resources. Employees should not assume that such messages are private and confidential or that the University or its designated representatives will not have a need to access and review this information.

The Family Education Rights and Privacy Act (FERPA) binds all users who have access to student data and this policy is subject to FERPA requirements. In general, FERPA gives students more control over their educational records, and it prohibits educational institutions from disclosing “personally identifiable information in education records” without the written consent of the student (subject to specified exceptions). To find out specifically what information you may or may not give out and to whom, contact the office of the Vice President for Student Affairs.

POLICY VIOLATIONS

Policy violations should be reported immediately to any one of the individuals listed in Appendix 1.

Violations of this policy will be addressed as described in the Student, Faculty and/or Employee Handbooks, any relevant contracts, and, if applicable, State and Federal law or regulations. University students and employees who violate this Policy will be met with appropriate disciplinary action, up to and including dismissal, expulsion, or termination from the University. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted. In addition, a user’s system privileges can be suspended for a specified time period or revoked and/or a monetary fine may be imposed on those in violation to reimburse the University for the staff time and other costs of investigating and rectifying the violation.

The University reserves the right to suspend computing resource privileges while investigating a complaint or troubleshooting a system or network problem.

This policy is subject to revision. Comments and suggestions are welcome and should be sent to Stuart Alper, Associate Vice President of Systems and Networking, mailstop T-BH1-01, or stuper@fdu.edu.

It is the user’s responsibility to remain informed about the contents of this document.

---

CONTACTS

Stuart Alper
Associate Vice President of Systems and Networking
Mailstop T-BH1-01
(201)-692-2414
stuper@fdu.edu

Saul Kleinman
Associate Vice President of Management Information Systems
Mailstop T-BH2-03
(201)-692-2065
saul@fdu.edu

---

Revision Date: New Policy
Effective Date: 11/1/2023

Section A – University Systems and Applications

I. Purpose

The purpose of this policy is to establish information security standards for individuals receiving credentials to Fairleigh Dickinson University (“FDU” or “University”) resources and how those resources are accessed.

II. Scope and Applicability

This policy applies to all university system resources. All Users are responsible for adhering to this policy.

III. Definitions

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

1. Account: An established relationship between a User and a computer, network, or Information System which is assigned a credential such as a username and password.
   
2. System Administrative Account: An Account with elevated privileges intended to be used only when performing management tasks, such as installing updates and application software, managing user accounts, and modifying operating system and application settings.
   
3. Entitled Account: A user who has met the minimum requirement to be granted authorization to access electronic Fairleigh Dickinson University Resources.
   
4. Authorized User: A User who has been granted authorization to access electronic Fairleigh Dickinson University Resources and is current and active in their privileges.
   
5. Contractor or Vendor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
   
6. Employee: University staff faculty and adjunct, including nonexempt, exempt, and overseas staff and collegiate faculty.
   
7. Multi-Factor Authentication (MFA): Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).
   
8. Privileged Account: An Account that is authorized to perform security-relevant functions that an ordinary Account is not authorized to perform.
   
9. Single Sign-On (SSO): An authentication process that allows an Authorized User to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN).
   
10. User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.

IV. Authentication

1. Any service, application or Information System, whether on-premise or in the cloud, that contains WISP protected information, especially PI or PHI; OR is accessed by a large group of employees (20 or more), must use Single Sign-on authentication.
   
   • If the service or application is being provisioned by a business unit, the unit must engage University Systems to work with the provider to enable SSO.
     
   • If SSO is not supported by the service or application, it will not be approved for use by the university.
     
   • See Section V for exceptions.
     
2. Multi-factor authentication (MFA) must be used to access University resources.
   
3. Passwords must be constructed in accordance with the minimum requirements as listed below:
   
   • Authorized User Account passwords must meet a minimum length of 8 characters.
     
   • Administrative and Privileged Account passwords must meet a minimum of 10 characters.
     
   • Passwords must contain a mix of alphanumeric characters. Passwords must not consist of all digits, all special characters, or all alphabetic characters.
     
   • Automated controls must ensure that passwords are changed at 90-day intervals for both general users and administrative-level accounts.
     
   • NetIDs associated with a password must be disabled for a period of time after 10 consecutive failed login attempts. A minimum of 30 minutes is required for the reset period.
     
   • Passwords must not be the same as the NetID.
     
   • Passwords must not be displayed on screens.
     
   • Users must not share passwords.
     
   • Initial passwords and password resets must be issued pre-expired forcing the user to change the password upon first use.
     
   • Password reuse must be limited by not allowing the last 10 passwords to be reused. In addition, the password must be at least 2 days old in order to be voluntarily changed.
     
   • Access will be disabled 90 days past the date that a password expired if not changed.
     
   • Access will be disabled after 30 days of creation if NetID is not claimed.
     
   • Expired passwords must be changed before any other system activity is allowed.
     
4. Server Password Protocol
   
   • If, at any time, a member of the Community is granted permission to install a server, and access to that server is restricted via Login, and if that process is granted SSO exception through section VII., that system can not hold passwords in clear text. That system must use an approved irreversible cryptographic transform to protect its users’ passwords.

VI. Enforcement

• This policy will be enforced by technical controls wherever feasible; otherwise, this policy will be enforced by OIRT under the direction of the CIO. All members of FDU’s faculty and staff have a responsibility to promptly report any known instances of noncompliance to AVP of University Systems and Networking or the Director of Systems.
  
• Failure to comply with this policy can result in disciplinary action. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted.

VII. Exceptions

• Exceptions to this policy should be submitted to the AVP, USAN for review. Approval of the Chief Information Officer (CIO) or Data Security Incident Response Team (DSIRT) may be required.

---

Effective Date: April 1st, 2021

I. Objective

Fairleigh Dickinson University (FDU) has adopted and standardized use of the Microsoft Office 365 Suite of products for University business. Some external entities, however, that conduct business with University employees utilize the Google Suite of products. This policy stipulates which Google applications will be made available to faculty and staff (not students) to enable collaboration with these external entities to conduct University business.

II. Purpose

Fairleigh Dickinson University (FDU) has adopted and standardized use of the Microsoft Office 365 Suite of products for University business. However, it is recognized that not all entities use Microsoft Office 365 as their platform and, from time to time, FDU faculty and staff may need the ability to collaborate with external entities that may be using the Google Suite of products. This policy stipulates which Google applications will be made available to faculty and staff to enable collaboration with these external entities.

• Faculty and staff are reminded that in accordance with the University’s WISP policy, WISP protected data must not be stored or transmitted through any service, without the prior written authorization from the University Chief Information Security Officer.

• As stated in the “Policy for Acceptable Use for Email”, Google Gmail is not available for use. All University business must be conducted through an FDU email account on Microsoft Office 365.

• Faculty and staff may not use, or attempt to use, Google apps as a method of collaboration with students, faculty or staff. This FDU Policy on the Availability and use of Google Apps is expressly for the use with external entities only.

• This Policy on the Availability and use of Google Apps applies only to use of Google applications by faculty and staff, and not FDU students.

• Microsoft Office 365 is the only FDU supported platform for email and collaboration.

• Google Apps are not supported by FDU IT personnel.

III. Scope

This policy applies to all FDU faculty and staff, wherever located throughout the world. Students will NOT have access to the fdu.edu Google Apps suite of products.

IV. Data Security Coordinator

The University has designated the Chief Information Security Officer, working together with the Data Security Information Response Team (DSIRT) and the USAN Director of Systems, to implement, supervise and maintain this Policy.

V. Internal Risks

To combat internal risks to the security, confidentiality, and integrity of any electronic, paper or other records, adherence to this Policy and the WISP will be strictly enforced.

VI. External Risks

To combat external internal risks to the security, confidentiality, and integrity of any electronic, paper or other records, adherence to this policy and the WISP will be strictly enforced.

VII. In Case of Questions

Questions regarding the availability of Google Apps can be directed to the Fairleigh Dickinson University Technical Assistance Center (UTAC). The UTAC is available 24×7.

VIII. Other Applicable Policies

IX. Exceptions

Requests for exceptions to this Policy should be directed in writing to the Chief Information Security Officer via the Fairleigh Dickinson University Technical Assistance Center (UTAC).

X1.1 Google Apps Available to Faculty and Staff

Services	Descriptions
Assignments	Assignments brings together the capabilities of Google Docs, Drive and Search into a tool for collecting and grading student work.
Calendar	Google Calendar is a web-based tool for personal scheduling and calendar sharing. It can be accessed through either a Web browser or through a third-party calendar client.
Classroom	Google Classroom enables teachers to create an online classroom area in which they can manage all the documents that their students need.
Drive and Docs	Google Docs is an online word processor that lets you create and format text documents and collaborate with other people in real time. Google Drive on the web lets you store, access, and edit your files anywhere — on the web, on your hard drive, or on the go.
Google Meet	Google Meet enables conversations with photos, emoji, group video calls for free. You can connect across computers, Android and Apple devices.
Google Vault	Vault is an information governance and eDiscovery tool for Google Workspace. With Vault, you can retain, hold, search, and export users’ Google Workspace data.
Groups for Business	Google Groups for Business is an extended service available for G Suite users that allows you and other members in your organization to access the main Google Groups interface located at groups.google.com.
Jamboard	Google Jamboard is an online, collaborative whiteboarding application that lets you create, edit, and collaborate with other people in real time. Google Jamboard applications can be accessed on the Web, Android, and iOS.
Keep	Google Keep is a note-taking service included as part of the free, web-based Google Docs Editors suite offered by Google
Tasks	Google Tasks is a simple to-do list—but with lists, subtasks, and mobile notifications, it has the basics you need to stay productive and keep track of the most important things you need to do.
Applied Digital Skills	Applied Digital Skills is a free, flexible video-based curriculum that prepares students for the growing number of jobs that require basic digital skills, such as email and spreadsheets.
Google Ad Manager	Google Ad Manager is an ad exchange platform introduced by Google on June 27, 2018. It combines the features of two former services from Google’s DoubleClick subsidiary, DoubleClick for Publishers and DoubleClick Ad Exchange.
Google Ads	Google Ads is Google’s online advertising program. Through Google Ads, you can create online ads to reach people exactly when they’re interested in the products and services that you offer
Google AdSense	Google AdSense is an advertising program launched by Google in 2003 that allows website publishers to display targeted text, video, or image advertisements on website pages.
Google Alerts	Google Alerts is a tool that allows you to track your chosen keywords and phrases so that you never miss another important conversation.
Google Analytics	Google Analytics generates detailed statistics about a website’s traffic and traffic sources and measures conversions and sales
Google Cloud Platform	Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage and application development that run on Google hardware.
Google Cloud Print	Google Cloud Print is a web service offered by Google. Users associate printers with their Google Account.
Google Data Studio	Data Studio is Google’s reporting solution for power users who want to go beyond the data and dashboards of Google Analytics.
Google Earth	Google Earth is the most photorealistic, digital version of our planet.
Google My Maps	Google My Maps is your way to keep track of the places that matter to you.
Google Payments	Google Pay (stylized as G Pay; formerly Pay with Google and Android Pay) is a digital wallet platform and online payment system developed by Google to power in-app and tap-to-pay purchases on mobile devices, enabling users to make payments with Android phones, tablets or watches.
Google Play	In Google Play, the app description is split into two fields: Short Description, a limited 80 characters preview field and. the Full Description field, giving you space for an up to 4000 characters long app description.
Google Play Console	Google App Store
Google Search Console	The Search Console lets you, as a webmaster, check on the status of the indexing Google does on your site, helping you to optimize your page visibility in Google search results. Get data, tools and diagnostics for a healthy, Google-friendly site.
Google Takeout	Google Takeout is a service that allows users of Google products, such as YouTube, Gmail, etc., to export their data to a downloadable ZIP file.
Managed Google Play	Managed Google Play Managed Google Play is a version of Google Play that’s optimized for enterprises.
Material Gallery	Material Gallery is a collaborative tool for uploading design work, getting feedback, and tracking revisions – quickly and efficiently.
Partner Dash	Partner Dash is a service that hosts several applications used by Google’s partners to manage their relationships with us. Some of these applications are invite-only, while others are publicly available to anyone logged in with a Google Account.
Scholar Profiles	The Google Scholar Profile search pane in Publish or Perish allows you to look up a Google Scholar profile and analyze the associated publication metrics.
Search And Assistant	Google Assistant is Google’s artificial intelligence-powered voice assistant, which grew out of Google Now.

Due to the increasing demand of the academic computer facilities, a general document detailing the policies for computer lab reservations has been outlined. The purpose of the computer lab reservation policy is to provide faculty, staff and students with equitable access to campus computing lab resources. Most computer labs are used as classrooms and they are available for open-access use when there are no classes in session.

There are currently four Computing Services computer labs which can be used for classroom instruction on each campus. They are: D206, D207, D208, and D209 located in the Dreyfuss Building on the Florham Campus. The computer labs located on the Metropolitan Campus are: DH2163 and DH2164 in Dickinson Hall and UH Front Lab (UH22) and UH Back Lab (UH28) in University Hall. Also, there are three multimedia labs; two on the Florham campus and one on the Metropolitan campus. The multimedia labs for the Florham Campus are: D211-Animation Lab and ZEN110 – Graphic Design Lab) located in the Dreyfuss and ZEN Buildings. On the Metropolitan campus, the multimedia lab (MML) is located in Becton Hall Room 403. The multimedia labs are primarily used for courses offered by the FDU School of Arts. All labs used for classroom instruction and general use are equipped with a LaserJet printer and data projector. The Animation Lab is equipped with 3-D printers. All multimedia labs are equipped with ZOOM capability to support hybrid instruction.

If you have any questions regarding the lab reservation policy, please contact Denzel James via email at: d.james@fdu.edu

Effective Date: 11/07/2023
Last Revision: 11/01/2013

Select employees of Fairleigh Dickinson University may be required to engage with confidential University data. The FDU Confidentiality Agreement and Security Policy defines your obligations under Federal and State guidelines to preserve the security and confidentiality of this information.

Confidentiality Agreement and Security Policy

Fairleigh Dickinson University regards the security and confidentiality of data and information to be of utmost importance. Each individual granted access to electronic and/or hard copy data holds a position of trust and must preserve the security and confidentiality of the information to which he/she is granted access to. Therefore, it is the intent of this policy to ensure that University data, in any format, is not divulged outside of Fairleigh Dickinson University without explicit approval to do so by an Associate Vice-President of the University or higher who has responsibility for the data in question. As such, the University requires all users of data to follow the procedures outlined below:

Policy on Confidential Information

Users of University data are required to abide by all applicable Federal and State guidelines and University policies regarding confidentiality of data, including the Family Education Rights and Privacy Act (“FERPA”) and, as applicable, The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For more information, see: FDU’s General Confidentiality Policy, FERPA and HIPAA. 

Confidential Information shall be defined as:

• regarding student, faculty or staff: any personally-identifiable records, financial records (including social security and credit card numbers), health records; contracts, research data; alumni and donor records; personnel records other than an individual’s own personnel record; 

• regarding the University: University financial data; computer and system passwords, University issued PINS, University proprietary information/data; and 

• any other information for which access, use, or disclosure is not authorized by: 1) federal, state, or local law; or 2) University policy.

The individual receiving the Confidential Information shall have no obligation under this Policy with respect to Confidential Information which:

• is or becomes publicly available without breach of this Policy by the recipient;
• is rightfully received by the recipient without obligations of confidentiality; or
• is developed by the recipient without breach of this Policy; provided, however, such Confidential Information shall not be disclosed until thirty (30) days after written notice of intent to disclose is given to the University officer who has responsibility for the data in question, along with the asserted grounds for disclosure;
• is disclosed in accordance with any “whistle blower” action as provided in the U.S. False Claims Act, the New Jersey Conscientious Employee Protection Act (“NJCEPA”), or similar legislation.  (Brief overview of the NJCEPA is available here.

Any individual with authorized access to the Confidential Information is given access solely for the business of the University and must not divulge the Confidential Information outside of the University except for University business requirements approved by the President of the University or the division head responsible for the data in question. Specifically, with respect to Confidential Information, individuals must:

1. Access Confidential Information solely in order to perform his/her job responsibilities.
2. Not seek personal benefit or permit others to benefit personally from any Confidential Information that has come to them throughout their work assignments.
3. Not make or permit unauthorized use of any Confidential Information in the University’s information system or other records.
4. Not enter, change, delete or add data to any information system or files outside of the scope of their job responsibilities.
5. Not include or cause to be included in any record or report, a false, inaccurate or misleading entry known to the user as such.
6. Not alter or delete or cause to be altered or deleted from any records, report or information system, a true and correct entry.
7. Not release Confidential Information other than what is required in completion of job responsibilities which is consistent with this Policy.
8. Not exhibit or divulge the contents of any record, file or information system to any person unless it is necessary for the completion of their job responsibilities.

It is the individual’s responsibility to immediately report, as outlined under “Information Security Breach and Violation Reporting” at the end of this Policy, if the individual has violated this Policy. Additionally, given the potential harm that the University may suffer with the release of any Confidential Information, all employees are strongly encouraged to report any suspected violation of this policy or any other action, which violates confidentiality of data, as outlined at the end of this policy.

Security Measures and Procedures

All users of University information systems, including Datatel, MS File shares and FDU Office 365 email accounts, are supplied with an individual user account to access the data or systems necessary for the completion of their job responsibilities. Users of the University information systems are required to follow the procedures outlined below:

1. All transactions, processed by a user ID and password, or PIN, are the responsibility of the person to whom the user ID was assigned. The user’s ID, password, and PIN must remain confidential and must not be shared with anyone.
   • Using someone else’s user ID, password or PIN is a violation of policy, no matter how it was obtained.
   • Your user ID, password or PIN provides access to information that has been granted specifically to you.  To reduce the risk of shared passwords – remember not to post your password or PIN on or near your workstation or share your password or PIN with anyone.
   • It is your responsibility to change your password immediately if you believe someone else has obtained it.

NOTE: If you need your Password or PIN changed, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) immediately.

2. Access to any student or employee information (in any format) is to be determined based on specific job requirements. The appropriate Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President is responsible for ensuring that access is granted only to authorized individuals, based on their job responsibilities. Written authorization must be received by the Computer Center prior to granting system access.
   • You are prohibited from viewing or accessing additional information (in any format) unless you have been authorized to do so.  Any access obtained without written authorization is considered unauthorized access.
   • In order to prevent unauthorized use, the user shall log off of all applications that provide access to confidential information, or lock their computer when leaving their workstation. This is especially important during breaks and lunch. Unless there is a specific business need, all workstations should be shut down at the end of the workday.

NOTE:  If you require assistance in establishing your workstation password, please access the screensaver documentation or contact the Fairleigh Dickinson University Technical Assistance Center (UTAC).

3. If you have any reason to believe your password or PIN has been compromised or revealed inadvertently, you should change your password and immediately notify one of the individuals as outlined under “Information Security Breach and Violation Reporting” at the end of this policy.

NOTE: All University’s computer system will periodically prompt you to change your password.

4. Upon termination or transfer of an employee, Human Resources will notify University Systems and Security, who in turn will notify the appropriate areas in the Computer Center.

5. Generally, students, temporary employees and consultants should not have access to the University record system. Written approval by the Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President in charge of the respective area is required if it is determined that access is required. The student, temporary employee or consultant is to be held to the same standards as all University employees, and must be made aware of their responsibilities to protect student and employee privacy rights and data integrity. Written authorization must be received by the Computer Center prior to granting system access.

6. You agree to properly secure and dispose of any outputs or files you create in a manner that fully protects the Confidential Information.

Additionally, I understand that if granted access to process transactions via Datatel data entry screens, any information I enter or change will be effective immediately. Accordingly, I understand that I am responsible for any changes made using my ID.

I understand that my access to University data is for the sole purpose of carrying out my job responsibilities and Confidential Information is not to be divulged outside of The University, except as previously stated. Breach of confidentiality, including aiding, abetting, or acting in conspiracy with any other person to violate any part of this policy, may result in sanctions, civil or criminal prosecution and penalties, employment and/or University disciplinary action, and could lead to dismissal, suspension or revocation of all access privileges. I understand that misuse of University data and any violation of this policy or the FERPA, HIPAA or GLB policies are grounds for disciplinary action, up to and including dismissal. This Agreement shall not abridge nor supersede any rights afforded faculty members under the Faculty Handbook.

Information Security Breach and/or Policy Violation Reporting

If you suspect an Information Security Data Breach or a violation of this policy, report such an event to your department chair or staff supervisor and send an immediate email to violation@fdu.edu. If you do not have immediate access to email, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC); do not provide details but request a ticket be opened with University Systems & Security due to an information security data breach or policy violation requesting an immediate callback. When practical, also send an email to violation@fdu.edu.

---

Fairleigh Dickinson University vigorously enforces United States copyright law. When utilizing the FDU Local Area Network or FDU provided Internet Access, you are required to adhere to all existing US copyright laws.

To view the full statement of law, please visit:

Failure to comply with this document can result in FDU disciplinary action as well as civil and criminal penalties.

Last Revision: 02/07/2020

I. OBJECTIVE

In an effort to maintain the reputation, security, continuity, and technical oversight of university assets considered part of our overall catalog of services, the Office of Information and Resource Technology is issuing a new policy concerning domain names affiliated with Fairleigh Dickinson University. Affiliation with FDU is determined by OIRT in conjunction with the Offices of General Counsel and Communications and Marketing.

II. POLICY

All domain registrations that have an affiliation with the University must be registered through OIRT. An affiliation is defined as a domain that identifies the University as part of its naming nomenclature and houses content specific to the University or any function, whether administrative, academic, or student related to the University. To request a new domain, please complete the following:

Domain Transfer or Registration Request

You may also try emailing your questions to domainregistrar@fdu.edu.

In addition to the domain registration, ongoing certification renewals and any backend technical configurations will be managed by OIRT. All costs associated with the domain will be charged back to the department.

Any department that today independently manages/operates a University domain as defined above or has obtained a domain with any affiliation with FDU must notify OIRT of the existence of that domain so ownership can be moved over to OIRT management. Please contact OIRT by sending all available information to domainregister@fdu.edu. A member of OIRT will work with the department to move the ownership over properly. All content of any domain, as well as plug-ins or any other functionality of the domain, will be reviewed by OIRT but are the responsibility of the individual departments.

III. IN CASE OF QUESTIONS

All questions relating to the Domain Registration Policy can be addressed to the VP & CIO of Fairleigh Dickinson University.

---

Revised: April 2, 2019
Last Revised: June 1, 2017
Prior Revision: August 1, 2016

I. POLICY STATEMENT

FDU has implemented the FDU Alert system to expand and enhance its emergency notification methods. In the event of an emergency, FDU Alert may be used to provide pertinent information and instructions to FDU students, faculty and staff through voice, text messaging and/or E-mail. FDU Alert uses the a mass notification system that sends emergency messages instantly and simultaneously to registered mobile phones, wireless devices and E-mail addresses.

Reason For Policy

This policy establishes the proper use and testing of the FDU Alert Emergency Notification System (FDU Alert).

Who Should Read This Policy

Members of the University Community including Students, Faculty, Staff, as well as all other individuals who have been registered to receive FDU Alert emergency notifications.

Website Address For This Policy

The website for this policy as well as other related FDU Alert information can be found at the following URL or by clicking on Web Shortcuts on the top right of the FDU Homepage.

II. DEFINITIONS

These definitions apply to these terms as they are used in this policy.

Emergency	A sudden unforeseen crisis, usually involving danger, which requires immediate action.
FDU Alert System	The University’s emergency notification system is designed to alert, warn and inform registered members of the University Community of what to do in case of an emergency, a disaster, a crisis or any other situation that affects the FDU community. For example, receiving these alerts and messages could keep you from driving to campus only to find that a power failure has closed the campus.
FDU Alert Authorizer	Individual who has the authority to assess an emergency and activate the FDU Alert Emergency Notification System; this individual is authorized to contact an authorized Sender.
FDU Alert Sender	Individual who has been trained and is authorized to facilitate the actual sending of an Emergency Notification message.
Crisis	An unstable event or situation of extreme danger or difficulty, which is often sudden or unexpected, that disrupts the normal operations of the institution or its educational mission and threatens the well-being of personnel, property, financial resources and/or the reputation of the institution.
Timely Warning	Refers to the need to provide timely notification to the University Community after it is determined there is a credible threat to campus persons or property or when information is considered vital to the University community.
SMS	Refers to the Text Messaging method of FDU Alert delivery.
FDU Alert Spokesperson	An individual may be identified to respond to, and act as University spokesperson, to inquiries by students, faculty, staff, parents and others about an FDU Alert. Inquiries may be forwarded to the FDU Alert Spokesperson via the special call forwarding alert hotline.

III. OVERVIEW

Any time that an emergency situation arises, either on campus or in the immediate area of the campus, that in the judgment of an FDU Alert Authorizer poses an ongoing or continuing threat to the campus community, a campus “Timely Warning” will be issued. This warning may be issued through the FDU Alert system by one, all, or a combination of the following delivery methods.

• Voice mail or telephone notification
• E-mail
• Posted on the University website
• Posted notices
• Public address announcements
• Direct contact with individuals

Whenever possible, the FDU Alert Authorizer will consult with the Campus Director of Public Safety, the Campus Executive, or another Authorizer prior to using FDU Alert messaging capabilities.

In an emergency, and upon activation by Authorizers and Senders, FDU Alert will send notifications to registered individuals at one, some, or all of the following registered points of delivery.

• Work Phone
• FDU E-mail
• Cell Phone
• SMS (Text Message)
• Alternate E-mail
• Home Phone
• Parent/Significant Other E-mail
• Parent/Significant Other Phone
• Parent/Significant Other SMS (Text Message)
• Parent/Significant Other Cell Phone

To provide the safest possible environment for students, faculty, staff, and visitors to FDU campuses, the University will strive to provide timely, reliable notifications by all possible means in the event of emergency. Generally, an emergency is any incident that involves the possibility of death, serious injury, or the threat of death or serious injury to people, or to University facilities, materials or property.

Fairleigh Dickinson University uses a variety of methods to provide emergency and safety information, including mass notification systems, web pages, door-to-door assistance from on-site staff and Residence Hall assistants, over-the-air broadcasts, and a consolidated communications system. Collectively, these capabilities are called “FDU-Alert”. (1)

The communication system permits broadcast messages to be sent quickly as voice calls to office, local home, or cell phones, and as text messages to cell phones or University and external E-mail accounts. This system will be used to announce and provide guidance in an emergency or crisis and to communicate relevant critical updates.

If an emergency occurs near but not on an FDU campus, and in other situations in which emergency responders determine and report that no apparent or imminent threat to that campus exists, an advisory may be posted on informational web sites, E-mails, or text messages only. In these cases, you may not receive an emergency notification directly to your phone.

University administration or individual campuses may, as an authorizer deems appropriate, use the communications system for other urgent messages related to administration or operation, such as campus closings due to adverse weather, unusual situations, or utility outages.

---

(1) More information about these services, as well as current emergency status or preparedness information for FDU, is planned for availability on the University’s emergency preparedness website once established.

IIII. POLICY

Proper Use of FDU Alert

FDU Alert is offered not to replace but to augment existing emergency notification methods, which include: University-wide broadcast E-mails, online updates via web and coordinated use of public media outlets, fire alarms, public address systems, and signs.

Any time that a serious situation arises either on campus or in the immediate area of the campus that in the judgment of the campus Director of Public Safety, and whenever possible, in consultation with the Campus Executive poses an ongoing or continuing threat to the campus community, a campus “Timely Warning” will be issued. This warning may be issued through the FDU Alert system, voice mail or telephone notification, E-mail, posted on the University website, posted notices, public address announcements, and direct contact with individuals.

If, in the opinion of the local law enforcement authority, a message would hinder the police response or investigation and the local law enforcement authority has requested that we not send out a message, no message may be sent without the specific authorization of the President, University Provost, Sr. V.P. for Finance & Administration, or FDU legal counsel.

Limited Use of FDU Alert

Although the use of other emergency notification method(s) will be determined on a case-by-case basis, FDU Alert should only be used in the following situations:

(1) an imminent threat of physical danger to the campus community;

(2) a campus closure; and

(3) certain Campus Crime Alerts as determined by Public Safety;

(4) off-campus events that could impact health, safety, life or access to a campus.

The above situations can include but are not limited to ongoing criminal incidents, fires, chemical leaks, pandemics, campus-wide utility failures (such as gas, electrical, or water), and extreme weather conditions that result in a campus closure (e.g. snow/ice storms) or pose an imminent threat of physical danger to the campus community (e.g. tornado within close proximity to campus).

FDU Alert Authorizers

Only the people in the following positions have the authority to activate the FDU Alert emergency message system and author an appropriate message:

• President of the University
• University Provost & Senior Vice President for Academic Affairs
• Senior Vice President for Finance & Administration
• Campus Executives
• Deputy Campus Executive, Metropolitan Campus
• Associate Vice President for Communications
• Executive Director of Communications and News
• Director of Public Safety, Florham Campus
• Assistant Director, Public Safety, Florham Campus
• Director of Public Safety, Metropolitan Campus
• Campus Investigator, Public Safety, Metropolitan Campus
• Campus Executive, Vancouver Campus
• Business Manager, Vancouver Campus

FDU Alert Authorizers (“Authorizers”) have the authority to activate the system without consulting other Authorizers; however, when circumstances permit, an Authorizer should consult with at least one other Authorizer before sending a message.

FDU Alert Authorizer Responsibilities

Responsibility of Creating FDU Alert Messages

Authorizers have the responsibility to write and disseminate the appropriate message to be sent by Sender. For consistency, simplicity, and to minimize confusion, whenever possible, the Authorizer should base the message on one of the sample alert messages included in the Standard Operating Procedures manual.

This responsibility carries forward to writing and disseminating subsequent messages that must be sent to keep the recipients apprised of the status of the emergency event through to the conclusion of the emergency event with the transmission of an “All Clear-Resume Normal Schedule” message.

In the event more than thirty (30) minutes has passed while an emergency event is in progress, and there is no new information to communicate, the Authorizer should write a message(s) stating that the status of the emergency event remains the same, e.g., “Investigation continues, will communicate updates as new information becomes available.”

Messages should be written to support text to speech. Minimum or preferably no use of abbreviations and acronyms should be used. All messages must include an appropriate lead-in, for example, “!!FDU Florham Emergency Alert!!,” which includes where appropriate, the campus affected. Examples of these lead-in statements are included with the sample messages in the FDU Alert Confidential Operations Manual.

Responsibility of Authorizer to Prepare Additional Information

Alert Notifications and Updates Published via the FDU Website

Text Messaging (SMS) capability has a message character limit that precludes long and detailed messages. Detailed messages and updates regarding the FDU Alert can be made available on the University Website. Should it be necessary or appropriate to post additional information on the FDU website, it is the responsibility of the Authorizer to work with the Associate Vice President for Communications & Marketing or designee, to prepare and post the information on the University website in a timely manner. As this information will have wide and general exposure, it is critical to ensure that the information is current, correct, adequate, and consistent with the University messaging strategy.

It is the responsibility of the Authorizer, or designee as assigned by the Authorizer and the Associate Vice President for Communications & Marketing or designee, to keep vigil over the messaging to ensure accuracy and timeliness and message removal upon event termination.

FDU Alert Voicemail Box (Answer Only Voicemail Box)

Two FDU Alert Voicemail Boxes (one for each primary New Jersey campus) are available in order to provide the community with detailed information via a pre-recorded announcement regarding the FDU Alert. Should it be necessary or appropriate to post an additional information announcement on the FDU Alert Voicemail Box, it is the responsibility of the Authorizer to work with the Associate Vice President for Communications & Marketing or designee, to prepare, record, and post the announcement in the FDU Alert Voicemail Box in a timely manner. Because this information will have wide and general exposure, it is critical to ensure that the information is current, correct, adequate, and consistent with the University messaging strategy.

Requests for information or updates regarding the FDU Alert should be directed to the affected campus FDU Alert Voicemail Box.

• Metropolitan Campus: 201-692-7000
• Florham Campus: 973-443-8000

No voice mails can be left on the FDU Alert Voicemail Box. It is answer only.

The default message in the FDU Alert Voicemail Boxes will be “All University Operations Are Normal”

General telephone inquiries to the switchboard regarding the FDU Alert should be transferred to the appropriate FDU Alert Voicemail Box. Caller expectations can be managed by using phraseology such as “The latest and most current information regarding the FDU Alert is available on the FDU Alert Voicemail Box. Please hold while I connect you to this important informational announcement” in advance of the transfer.

It is the responsibility of the Authorizer, or designee as assigned by the Authorizer and the Associate Vice President for Communications & Marketing, to keep vigil over the messaging to ensure accuracy and timeliness and message removal upon event termination.

FDU Alert Spokesperson to Other Inquiries

FDU Alerts will stimulate telephone inquiries to the switchboard, Residence Life, Public Safety, Enrollment Services & other key offices. Callers should be directed to the University mailbox for announcements and updates. In the unusual event where it is determined to be necessary to have a Spokesperson available for call handling, callers will be directed to a special hotline with ultra-call forwarding setup to transfer to the FDU Alert Spokesperson.

The FDU Alert Spokesperson is an individual identified by the FDU emergency response teams to respond to inquiries by students, faculty, staff, parents, and others about an FDU Alert. Inquiries will be forwarded via the special call forwarding alert hotline.

The following are attributes for The FDU Alert Spokesperson:

• Must provide contact information (and back up) to the switchboard and emergency management teams
• Must be available to take calls continuously throughout the emergency (2)
• Must be aware of the event and current activities and commentable actions
• Must be media aware
• Must have the power to speak to the event with autonomy and authority

Emergency Event Status Reports on the FDU Website

The FDU Website Homepage provides an FDU Alert Icon under Web Shortcuts that links to a dedicated webpage containing information on the current status of the University’s operations. As referenced above in Section 4.3.1.3, in the event there is an emergency, the Authorizer will work with the Associate Vice President for Communications and Marketing or designee to prepare and post a message providing current information concerning the emergency event and the status of the University’s operations, which will be posted on the operations status page.

FDU Alert Senders

FDU Alert Senders (“Senders”), upon the request of Authorizer(s), have the authority to activate the system, enter messages under the direction of the FDU Alert Authorizer(s), and initiate the send message process. All FDU Alert Senders are provided with appropriate access to the secured FDU Alert emergency notification system and necessary training.

Sender names and contact information are included in the FDU Alert Operations Manual.

FDU Alert Sender Responsibilities

Senders are required to respond to Authorizer requests to facilitate the timely activation of the FDU Alert System. Senders acknowledge that time may be of the essence and will fulfill the request or immediately notify another Sender to fulfill the request. The transfer of such transfer of control requires Authorizer and/or emergency response team acknowledgment.

FDU Alert Senders will advise the FDU Alert Authorizer(s) when the message send process has been initiated and the sender can confirm delivery of such messaging.

---

(2) A special phone number with Remote Call Forwarding will be utilized for this purpose.

Message Content

Any message sent using FDU Alert should be as brief as possible and should, if appropriate, typically contain the following information:

• The reason for the message;
• Any response required;
• Location (campus) of event;
• The duration of the emergency and any relevant dates and times;
• Methods to obtain further information; and

When circumstances permit, before sending a message, Authorized Senders should consult with the relevant University administrator(s) regarding message content.

Because text messages may have a single message size limitation depending on the recipient’s device, they should be limited to 160 characters. While brevity and abbreviations will reduce a message size, care must be taken to ensure that all messages are brief, concise, accurate, and understandable. Sample messages are included in the FDU Alert Confidential Operations Manual.

After Message Review

After a message is sent using FDU ALERT, the Authorized Senders and the Campus Emergency Management Team will meet as appropriate to discuss the emergency, the results of the alert, and compliance with the FDU Alert Policy.

FDU Alert System Testing

System Wide Delivery Testing

Once every Fall and Spring semester, a live test of the FDU Alert system will be conducted. During the test, one or more messages will be transmitted to every individual registered in the system using every delivery method for each point of contact (phone, e-mail, SMS, etc.) The FDU Alert message(s) sent during the test will clearly state “THIS IS A TEST,” so that it is clear that there is no actual emergency.

FDU Alert Senders

At least once per calendar month, FDU Alert senders will test the FDU Alert system by sending themselves a test message. The message sent during this test will clearly state “THIS IS A TEST BY AUTHORIZED SENDER,” so that it is clear that there is no actual emergency.

Service Provisioning

Regular Reminders to University Community to Register/Update FDU Alert Individual Database Record

The effectiveness of any alert system depends upon the accuracy of the contact information in its database. All students, faculty, and staff will therefore receive notices/reminders prior to the semester’s scheduled test to review/update their emergency contact information. Emergency contact information can be modified at any time by logging onto Webadvisor.

V. EMERGENCY LEVELS AND INSTITUTIONAL MESSAGING GOVERNANCE

The following are three levels of emergencies and suggested methods of communications and notifications for each. No other use of this FDU Alert System is permitted.

Level 1 Emergency – Informational

Circumstance:

• incident has occurred
• incident is contained and/or well defined
• continuing activity/investigation
• caution conditions exists
• timely follow up communications required

Examples include:

• natural disaster
• aircraft crash, or similar event, near campus
• major structural collapse
• snow closings
• elevator accident
• must know information – (e.g. “Because of bad weather the University will close at…” and “An electrical cable to the SUB has been damaged and electrical power will not be restored until…”)

The “Authorizer” should use the following formats: E-mail/WWW/Text Messaging/Posted Notices/Public Address Announcements. Based on the event and any unusual circumstances, voice messaging may be used at the “Authorizer’s” discretion…

Level 2 Emergency – Life and Safety Alert

Circumstance:

• incident has occurred and/or is continuing
• incident is contained but may be extensive
• cautions exist
• continuing/on-going activity/investigation
• timely follow up communications required

Examples include:

• bomb threat
• contained/small scale explosion/fire
• act of violence on campus
• fire confined to an area
• contained/small hazardous material spill or release
• buildings without electricity, heat or water
• major building flooding

The “Authorizer” should use the following formats: E-mail/WWW/Text Messaging/Posted Notices/Public Address Announcements/Direct Contact with Individuals as necessary. During extended business hours (7 a.m. to 7 p.m.) voice messaging will also be used. The Authorizer will have the discretion to utilize voice messaging after extended business hours if it is deemed appropriate.

Level 3 Emergency – Imminent life or safety alert – Immediate Action Required

Circumstance:

• incident has occurred and/or is continuing
• scope of incident may be undefined
• alert action required
• cautions exist
• continuing/On-going activity/investigation
• time is of the essence follow up communications

Examples include:

• evacuations
• on-going violent campus demonstrations
• intruder alerts
• radiological incident
• contained or uncontained hazmat/hazardous material spill or release
• large explosion/fire
• aircraft crash, or similar event, on campus
• acts of terrorism
• confirmed explosives devices

The “Authorizer” should use all available formats: Voice Message/Voice Mail/E-mail/WWW/Text Messaging/Posted Notices/Public Address Announcements/Direct Contact with Individuals as necessary.

No other use of this FDU Alert System is permitted.

---

I. OBJECTIVE

Create a standard procedure by which Manager’s and their employee’s transfer University data during the period of time from when an employee makes their intention clear that they are separating from the University or the transfer of University data at the time of an employee’s involuntary separation from the University.

II. PRODUCURES

Voluntary Separation

It is the manager or direct supervisor’s responsibility to work with the separating employee to extract any data or files that reside locally on their computer that would be needed for business continuity. The supervisor should also ensure they understand what shared drives the separated employee used and have access to those drives if need be.

Using appropriate security precautions, the manager should meet several times with the separating employee to ensure all information is transferred over either email, a shared drive, One Drive or a thumb drive.

During the separation process, through the Employee Separation Checklist, the employee’s manager can select the ability to access the separating employee’s email for up to 30 days and/or forward emails addressed to the separated employee for up to 60 days.

Upon receiving the separation notice, Computing Services will validate through our Backup system that the separating employee’s complete laptop or desktop Image has been backed up.

Computing Services will manually trigger an additional backup within three days of separation.

Immediately upon the effective date of the separation, the separating employee’s manager is responsible for turning over the separating employees’ computer to Computing Services.

Computing Services will store the computer for 14 days as a precaution, and then wipe the data from that computer, reimage the computer, and shelf the computer for redistribution.

If it is discovered that information that resided on the separated employee’s computer was missed during the separation process and needs to be retrieved at a later point, the supervisor would need to contact the Vice President of Human Resources and request the specific data that would need to be recovered from our Backup system.

Involuntary Separation

Upon the dismissal of the individual, Human Resources, would immediately engage Computing Services as well as the direct supervisor to view and extract any data that might be needed by the department to ensure business continuity. This would take place as soon as possible from the date of dismissal.

If a legal hold is required, Computing Services and USAN would be notified and the existing processes of extracting and encrypting the hard drive as well as protecting all email correspondence would be executed. Computing Services would then remove the computer.

If a legal hold is not required, Computing Services will validate through our Backup system that the dismissed employee’s Image has been properly backed up and remove the computer.

Computing Services will store the computer for 14 days as a precaution, and then wipe the data from that computer, reimage the computer, and shelf the computer for redistribution.

If it is discovered that information that resided on the separated employee’s computer was missed during the separation process and needs to be retrieved at a later point, the supervisor would need to contact the Vice President of Human Resources and request the specific data that would need to be recovered from our Backup system.

III. IN CASE OF QUESTIONS

Questions regarding this procedure can be directed to the Vice President of Human Resources.

---

The Interactive Television (ITV) classrooms are located in Dickinson Hall 2245 (Metropolitan Campus), Dickinson Hall 1132 (Metropolitan Campus), Muscarelle 105 (Metropolitan Campus), Giovatto Library (Metropolitan Campus), Cybercrime area Dickinson Hall 2269 (Conference room) and 2270 (Lab) (Metropolitan Campus), Dreyfuss 214 (Florham Campus), Sarah Sullivan (Florham Campus), Moninger 105, Moninger 107, Moninger 119 (Florham Campus) and School of Pharmacy 104 and 208 and FDU Vancouver. The ITV rooms can be used for conducting inter-campus classes, classes with students at remote locations equipped with ITV, inter-campus meetings, or meetings and events with other colleges, universities, or organizations equipped with ITV. The ITV rooms can be scheduled by an authorized officer of a group or organization on campus for conducting official University business. Scheduling is on a first-come, first serve basis, with the exception that priority is always given to classes using the ITV room.

For reservations, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC). For instructions on how to use ITV, refer to the resources below:

---

ITV Meeting Policies

This policy pertains only to the ITV rooms managed by the Office of Academic Technology (on the Metro campus DH 2245 and DH 1132, and in Florham Dreyfuss 214, Sarah Sullivan, Moninger 105, Moninger 107, and Moninger 119). For policies pertaining to other rooms, please contact the individuals responsible for the relevant rooms.

Ending your meeting on time

Please be sensitive to the fact that other meetings are often scheduled immediately after the end of yours, and the participants in these meetings also have busy schedules and important business to discuss. Even when there is no meeting scheduled after yours, our employees must properly close the room and shut down the equipment and therefore must wait for you to finish before they can move on to other activities. Therefore, when your meeting time has come to an end, you must vacate the room. Individuals or groups that fail to vacate the room in a timely fashion more than two times will not be allowed to book the ITV room for future meetings.

Cancellation Policy

Please let us know as soon as possible if you must cancel a meeting, but at least 24 hours prior to your meeting. Individuals who cancel more than two meetings without notifying the Office of Academic Technology will not be allowed to book the ITV room for future meetings.

Meeting Conflicts

Meetings are usually scheduled solely on a first-come, first-served basis. If somebody else has booked a meeting when you need the ITV room, you must negotiate with the host of the conflicting meeting. The Office of Academic Technology will not intervene.

ITV priority for DH 2245

DH 2245 is also available for scheduling non-ITV meetings or events. However, if ITV capability is needed at the same time, you will be asked to find another room. The rationale for this policy is that there are many other non-ITV rooms, but only two ITV rooms on the Metropolitan campus.

Scheduling Meetings

No meetings will be scheduled for ITV until after the ITV course schedule for that semester has been finalized. You may request your meeting in advance, but if a class ends up being scheduled at the same time as your meeting you will need to reschedule your meeting. Classes always get first priority for the ITV schedule.

Inter-campus meetings

If you are scheduling an inter-campus meeting between the College at Florham and the Metropolitan Campus, you must request the ITV at least 24 hours prior to your meeting. This lead time is necessary in order for the Office of Academic Technology to allocate appropriate personnel to the ITV room. You may schedule such meetings by contacting the Fairleigh Dickinson University Technical Assistance Center (UTAC).

ITV Classrooms

Food & Drink Policy

The ITV classrooms contain sensitive and expensive equipment that could easily be damaged by spilled drinks or contamination by food particles. Also, the rooms do not receive regularly scheduled janitorial service. For these reasons: No food or drink is allowed under any circumstances in the ITV classrooms. Sealed containers are allowed provided that the container is not opened at any time while in the ITV classroom. If you are observed with food or drink you will be asked to remove this item from the ITV classroom.

Instructors are asked to enforce the no food or drink policy with the students in their classes, if members of a given class repeatedly viola this policy, the instructor will not be permitted to schedule the ITV classroom for future classes.

DH 2245 is configured differently and has different equipment, and as such food will be allowed in DH 2245. Any buffet set-up should be done in the adjoining kitchen area. Please ensure that all guests or meeting attendees exercise care with the food and keep the food in the table area.

ITV Class Policies

ITV Classrooms Procedures for semester-long courses

This policy pertains only to the ITV rooms managed by the Office of Academic Technology (on the Metro campus DH 2245 and DH 1132, and in Florham Dreyfuss 214, Sarah Sullivan, Moninger 105, Moninger 107, and Moninger 119). For policies pertaining to other rooms, please contact the individuals responsible for the relevant rooms

Proposing a course for ITV delivery

Instructors, Chairs, or Directors may propose a course for ITV delivery after receiving approval from the relevant Chair, Director, or Dean. ITV courses are proposed at least one full semester in advance of the start date for the course.

Requesting the ITV rooms for a course
To request the ITV rooms, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC).

Training Policy

No instructor may be scheduled to teach in the ITV room unless he or she attends training on using the sophisticated ITV equipment. Training should be scheduled as soon as possible after the instructor is identified, preferably a month prior to the start date of the course. To arrange for training, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC).

Cancellation Policy

If you must cancel a class, please let the Office of Academic Technology know as soon as possible and at least one full business day prior to your class. Instructors who cancel more than two class sessions without notifying the Office of Academic Technology will not be allowed to book the ITV room for future courses.

ITV Classrooms Food & Drink Policy

The ITV classrooms contain sensitive and expensive equipment that could easily be damaged by spilled drinks or contamination by food particles. Also, the rooms do not receive regularly scheduled janitorial service. For these reasons:

No food or drink is allowed under any circumstances in ITV classrooms. Sealed containers are allowed provided that the container is not opened at any time while in the ITV classroom. If you are observed with food or drink you will be asked to remove this item from the ITV classroom.

Instructors are asked to enforce the no food or drink policy with the students in their classes. If members of a given class repeatedly violate this policy, the instructor will not be permitted to schedule the ITV classroom for future classes.

DH 2245 is configured differently and has different equipment, and as such food will be allowed in DH 2245. Any buffet set-up should be done in the adjoining kitchen area. Please ensure that all guests or meeting attendees exercise care with the food and keep the food in the table area.

For these reasons:

• No food or drink is allowed under any circumstances in ITV classrooms. Sealed containers are allowed provided that the container is not opened at any time while in the ITV classroom. If you are observed with food or drink you will be asked to remove this item from the ITV classroom.
• Instructors are asked to enforce the no food or drink policy with the students in their classes. If members of a given class repeatedly violate this policy, the instructor will not be permitted to schedule the ITV classroom for future classes.
• DH 2245 is configured differently and has different equipment, and as such food will be allowed in DH 2245. Any buffet set-up should be done in the adjoining kitchen area. Please ensure that all guests or meeting attendees exercise care with the food and keep the food in the table area.

ITV Help Information

For additional support, please contact the the Fairleigh Dickinson University Technical Assistance Center (UTAC).

Unused Teams and Groups can accumulate and become a burden to resources over time. To prevent this from happening, Fairleigh Dickinson University has implemented an expiration policy for Teams and Groups. This article will explain the expiration policy and provide you with information regarding renewal.

What is the FDU expiration policy for Teams and Groups

1. Any Team or Group inactive for 365 days or more will expire
2. Team and Group owners will be notified 30 days, 15 days, and 1 day before the team’s expiration date. If the Team or Group is not renewed before expiration, it will be deleted.

3. The expiration period of 365 days begins at the creation of the Team or Group, or the date it was last renewed

How to renew a Team or Group

There are two methods to prevent the Microsoft 365 group from being deleted.

1. The group owner can manually renew the group by clicking the button in the warning message

2. A member of the group can perform a monitored user activity:
   • SharePoint: view, edit, download, move, share, or upload files (viewing a SharePoint page does not count as an action for automatic renewal)
   • Outlook: join or edit group, read or write group messages from the group, and like a message (Outlook on the web)
   • Teams: visit a teams channel
   • Yammer: view a post within a Yammer community or an interactive email in Outlook
   • Forms: view, create, or edit forms, or submit a response to a form
3. When the team owner receives the expiration notification, go to the Team’s group “Manage team” option and click on Renew now as shown below

Whenever the Microsoft 365 group is renewed by any of the methods mentioned, the group’s lifetime will be extended for another period of 365 days.

What are Microsoft 365 Groups

Microsoft 365 groups are created from a variety of tools including Outlook, SharePoint, Planner, and Teams. Microsoft 365 groups allow you to choose a set of people to collaborate with. You can use Microsoft 365 groups to communicate with others, share files, and apply permissions to shared resources.

Who are Group Owners

When a Microsoft 365 group is created, the person creating the group is designated as the owner. After adding members to the group, the primary owner can also promote other members to owner status. We suggest that when practical, Microsoft 365 groups have at least 2 owners. This can be important as only the group owner will receive the warning messages. In some cases, the group owner may have removed themselves from the group or left the university entirely. If you find yourself a member of a Microsoft 365 group without an owner, please contact support by creating a SAMI Support Request.

Groups without Owners

Ownerless or orphaned Groups may be deleted by USAN. USAN will notify Group members prior to deletion, but if they receive no response, the Group will be deleted. If USAN deletes a Group, all the records associated with the Group’s shared space will be deleted as well

Automatic Renewal

Groups that are actively in use are renewed automatically setting the days to zero. Any of the following actions will auto-renew a group:

• SharePoint – view, edit, download, move, share, or upload files. (Viewing a SharePoint page does not count as an action for automatic renewal.)
• Outlook – join the group, read or write group messages from the group, and like a message (Outlook on the web).
• Teams – visiting the Teams channel.

Recover Deleted Teams or Groups

When the 365 days limit hits, the Microsoft 365 group will expire and be put into a “Soft-deleted” state. Which means it can still be recovered for up to 30 days. To have the Microsoft 365 group recovered please contact support by creating a SAMI Support Request and include the Microsoft 365 group or Team name to be recovered.

Where to Get Help

For assistance with Microsoft 365 groups, please contact support by creating a SAMI Support Request. We can answer questions about the expiration policy, renewing groups, and updating group owners.

Spam Quarantined Email

Microsoft 365 email has filters to protect users from spam and malicious emails like phishing scams.

Messages caught by the filters are placed in quarantine for Fairleigh Dickinson University and its users’ protection. Users will receive a Spam Notification message once a day, notifying them of any messages placed in quarantine. Any legitimate mail caught by mistake can be released directly from this message or from the quarantine portal.

Handling Quarantined Email

Legitimate messages placed in quarantine may be released into your inbox in one of two ways:

1. From the daily spam notification email message

If you receive mail that has been placed in quarantine, you’ll receive an email message from quarantine@messaging.microsoft.com. The message will look like the one below:

The following options will be available to you by clicking the respective links in the email notification or you can choose to do nothing.

• Review Message – go to the Microsoft 365 Security & Compliance Center to review it
• Release – the message is removed from quarantine and placed in your inbox
• Block Sender – add the sender to the Blocked Senders list in your mailbox

2. From the Microsoft 365 Security & Compliance Center

Quarantined email can also be handled in the Microsoft 365 Security & Compliance Center.

1. Go to Microsoft 365 Security & Compliance Center >
   
   • A list of your emails in quarantine will be displayed
     
2. Click on any message to select it, then choose from the options given:
   
   • Release message
   • Preview message
   • View message header
   • Block Sender

For more details, use this link:

Eligible FDU employees may receive reimbursement for business related expenses incurred on personally owned mobile communications devices, or, be issued a FDU owned and managed mobile communications device for business and reasonable personal use.

To view the policy in full, please visit:

As a member of our community, your FDU NetID is your passport to accessing many of Fairleigh Dickinson University’s IT services. Most important is your student, employee, or alumni FDU Email account. When using FDU Email, you are an ambassador for our institution and our expectation is that you will conduct yourself in an efficient, effective, ethical and lawful manner. Please review our Policy for Acceptable Use of Email to ensure that you are adhering to all security and decorum requirements.

Effective Date: 01/01/2018

1.0 Introduction

The purpose of this policy is to ensure the proper use of e-mail by all those assigned a Fairleigh Dickinson University (FDU) e-mail account. This policy applies to any e-mail system that FDU has or may install in the future. It also applies to employee use of personal e-mail accounts via browsers, as directed below. All users of FDU e-mail systems have the responsibility to use their e-mail in an efficient, effective, ethical and lawful manner. E-mail users must follow the same code of conduct expected in any other form of written or face-to-face business communication. FDU may supplement or modify this policy for specific employees in certain roles. This policy complements similar FDU policies such as the Acceptable Use Policy and the Written Information Security Program (WISP). Please read and follow those policies as well.

The University subscribes to the 1940 Statement of Principles on Academic Freedom and Tenure and the 1940 and 1970 Interpretive Comments issued thereon, formulated jointly by the Association of American Colleges and the American Association of University Professors. Nothing in this policy is intended to supersede those statements and principles.

2.0 Ownership of Email Data

The University owns all University email accounts in the fdu.edu domain, or any subsequent domains it may create (University Email Accounts). Subject to underlying copyright and other intellectual property rights under applicable laws and University policies , the University also owns data transmitted or stored using the University Email Accounts.

3.0 Employee Responsibilities

FDU only supports the installation and usage of approved e-mail clients.

Usernames will be assigned as part of the University’s e-mail registration process and reflect internally mandated e-mail naming conventions.

3.1 Acceptable Uses

• Communicating in a professional manner with other FDU associates about work-related matters.
• Communicating in a professional manner with parties outside FDU for business purposes.
• Personal communications that are brief and do not interfere with work responsibilities.
• Users are allowed to access personal e-mail accounts on a limited basis, without disrupting business responsibilities. Access can be gained only by using a browser. Use of e-mail-specific protocols, such as POP3 and IMAP4, is prohibited, since they require specific firewall ports to be open.
• Electronic messages are frequently inadequate in conveying mood and context. Users should carefully consider how the recipient might interpret a message before composing or sending the message.

3.2 Unacceptable Uses

• Creating and exchanging messages that can be interpreted as harassing, obscene, racist, sexist, ageist, pornographic or threatening, as defined by University policies.
• Creating and exchanging information that is in violation of copyright or any other law. FDU is not responsible for an associate’s use of e-mail that breaks laws.
• Personal communication that interferes with work responsibilities.
• Opening file attachments from an unknown or untrustworthy source, or with a suspicious or unexpected subject line.
• Sending unprotected healthcare data and personally identifiable consumer data or other confidential information to unauthorized people or in violation of FDU’s Acceptable Use Policy, or the Written Information Security Program (WISP). , Health Insurance Portability and Accountability Act and/or Gramm-Leach-Bliley Act regulations. Exceptions may be authorized by the University Chief Information Security Officer working with the employee’s supervisor. Communications that strain FDU’s network or other systems unduly, such as sending large files to large distribution lists.
• Communications to distribution lists of only marginal interest to members, and replying to the entire distribution list when a personal reply is effective.
• Communications with non-specific subject lines, inarticulate language, and without clear purpose.
• Auto-forwarding e-mail messages from your University e-mail account.
• Using any e-mail system, other than FDU’s e-mail system, for FDU-related communications.
• Circulating chain letters and/or commercial offerings.
• Circulating unprotected healthcare data and personally identifiable consumer data that would violate U.S. Federal HIPAA and GLB regulations. Exceptions may be authorized by the employee’s supervisor and in conjunction with use of a University-approved e-mail encryption service.
• Altering or forging the “From” line or any other attribution of origin contained in electronic mail or postings.
• Using any of the University systems for sending what is commonly referred to as “SPAM” mail (unsolicited bulk email)

4.0 Privacy Guidelines

The University typically does not review the content of electronic messages or other data, files, or records generated, stored, or maintained on its electronic information resources; however, it retains the right to inspect, review, or retain the content of such messages, data, files, and records at any time without prior notification. Any such action will be taken for reasons the University, within its discretion, deems to be legitimate. These legitimate reasons may include, but are not limited to,

• responding to lawful subpoenas or court orders;
• investigating misconduct (including research misconduct);
• determining compliance with University policies and the law; and
• locating electronic messages, data, files, or other records related to these purposes.

FDU maintains the right to monitor and review e-mail activity to ensure compliance with this policy, as well as to fulfill FDU’s responsibilities under the laws and regulations of the jurisdictions in which it operates. Users should have no expectation of privacy.

• Except as otherwise stipulated in this policy, on termination or separation from FDU, FDU will immediately deny access to e-mail, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient.
• Except as otherwise stipulated in this policy, employees who leave FDU will have their mailbox deleted within six months of their termination date. The employee’s manager may request that access be given to another employee who may remove any needed information within the same six month time frame.
• FDU reserves the right to intercept, monitor, review and/or disclose any and all messages composed, sent or received on the University e-mail system. Intercepting, monitoring and reviewing of messages may be performed with the assistance of content filtering software, or by designated FDU employees and/or designated external entities. Employees designated to review messages may include, but are not limited to, an employee’s supervisor or manager and/or representatives from the HR, legal or compliance departments.
• FDU reserves the right to alter, modify, re-route or block the delivery of messages as appropriate. This includes but is not limited to:
  • Rejecting, quarantining or removing attachments and/or malicious code from messages that may pose a threat to FDU resources.
  • Rejecting or quarantining messages with suspicious content.
  • Rejecting or quarantining messages containing offensive language or topics.
  • Re-routing messages with suspicious content to designated FDU employees for manual review.
  • Appending legal disclaimers to messages.
• Electronic messages are legally discoverable and permissible as evidence in a court of law.
• Users of the University’s computing and electronic communications resources must understand that electronic messages, data, files, and other records generated, stored, or maintained on University electronic information resources may be electronically accessed, reconstructed, or retrieved by the University even after they have been deleted.

5.0 Security

As with any other type of software that runs over a network, e-mail users have the responsibility to follow sound security practices.

• Users should not use the e-mail system to transfer sensitive data, except in accordance with FDU data protection policies. Refer to the Written Information Security Program (WISP). Sensitive data passed via e-mail over the Internet could be read by parties other than the intended recipients, particularly if it is clear text. Malicious third parties could potentially intercept and manipulate e-mail traffic.
• In an effort to combat propagation of e-mail viruses, certain attachment types may be stripped at the University e-mail gateway. Recipients will be notified via e-mail when this occurs. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).
• Attachments can contain viruses and other malware. User should only open attachments from known and trusted correspondents. Suspicious attachments should be reported to the University Technical Assistance Center (UTAC).
• Spam is automatically filtered at the University gateway in a highly efficient manner. Errors, whereby legitimate e-mail can be filtered as spam, while rare, can occur. If business-related mail messages are not delivered, users should check their local spam folder or the daily spam digest. If the message is not there, users should contact University Technical Assistance Center (UTAC).
• Users will not be asked by OIRT or any other FDU group by e-mail for personal information such as usernames or passwords. Any such requests should not be responded to and should be referred to the University Technical Assistance Center (UTAC). Such approaches – known as phishing – are fraudulent approaches carried out for the purpose of unlawful exploitation.

6.0 Operational Guidelines

FDU employs certain practices and procedures in order to maintain the health and efficiency of electronic messaging resources, to achieve FDU objectives and/or to meet various regulations. These practices and procedures are subject to change, as appropriate or required under the circumstances.

• For ongoing operations, audits, legal actions, or any other known purpose, FDU saves a copy of every e-mail message and attachment(s) to a secure location, where it can be protected and stored for three years. Recovery of messages from this store is prohibited for all but legal reasons.
• To deliver mail in a timely and efficient manner, message size must be less than 25MB. Messages larger than 25MB will be automatically blocked and users will be notified of non-delivery. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).

Access to the content of electronic mail, data, files, or other records generated, stored, or maintained by any user may be requested from the University’s Associate Vice President of Technology Infrastructure for the reasons set forth below and shall be authorized as follows:

1. by the Associate Vice President of Human Resources for all University employees;
2. by either Dean of Students for students; or
3. by the General Counsel for the purposes of complying with legal process and requirements or to preserve user electronic information for possible subsequent access in accordance with this policy.

In all cases, the Office of the General Counsel must be consulted prior to making a decision on whether to grant access. In the case of a time-critical matter, if the authorizing official is unavailable for a timely response, the General Counsel may authorize access.

All full-time faculty who retire from the University may keep their email address for life if they request to do so.

All full-time faculty who leave the University for reasons other than termination for cause, may request email forwarding for up to six months.

7.0 Governance and Enforcement

This policy was created with input from the University’s Data Security Incidence Response Team (DSIRT). At the request of the University’s Chief Information Security Officer (CISO), the DSIRT will review this policy annually to ensure that FDU is in compliance with internal or external requirements. FDU faces liability if users violate the terms of this policy. Therefore, willful or repeated violations of this Acceptable Use Policy for E-mail can result in informal or formal warnings, the loss of e-mail privileges, and other sanctions including termination. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted.

For assistance with this policy, please contact the University’s Chief Information Security Officer (CISO).

Exceptions to this policy may be authorized by the University Chief Information Security Officer working with the employee’s supervisor.

Policy violations should be reported immediately to the University’s Associate Vice President of Technology Infrastructure

The University reserves the right to suspend an e-mail account while investigating a complaint or troubleshooting a system or network problem.

This document will be reviewed semi-annually and is available both electronically and in printed form at each of the Campus Computing Centers.

It is the user’s responsibility to remain informed about the contents of this document.

Other Related and Applicable Policies

---

---

1. Purpose: This Policy sets the standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of information covered by applicable provisions of the Gramm-Leach-Bliley Act (“GLBA”) and associated regulations. In particular, this document describes various measures being taken by FDU to (i) ensure the security and confidentiality of covered information, (ii) protect against any anticipated threats or hazards to the security of these records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience (collectively, the “Program”). The practices described in this Policy are in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, the Family Educational Rights and Privacy Act (“FERPA”).

2. Scope of Program: The Program applies to any record containing “nonpublic personal information” about a student or other individual who has a continuing relationship with the University, whether the record is in paper, electronic, or other form, and which is handled or maintained by or on behalf of the University (“covered information”).(1) This includes any information that a student or other individual provides to FDU in connection with financial aid and tuition/fee collection efforts.

---

(1) Nonpublic personal information means: (i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. “Personally identifiable financial information” means any information that a consumer provides to FDU to obtain a financial product or service, any information about a consumer resulting from a transaction involving a financial product or service between FDU and that consumer, or information that FDU otherwise obtains about a consumer in connection with the provision of a financial product or service to that consumer. A “consumer” is an individual, including a student, who obtains or has obtained a financial product or service from FDU that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. Examples include information an individual provides to FDU on an application for financial aid, account balance information and payment history, the fact that a student has received financial aid from FDU, and any information that FDU collects through an internet “cookie” in connection with a financial product or service.

3. Roles and Responsibilities: Compliance and cooperation with this Policy is the responsibility of every employee at all levels within FDU. FDU’s Vice President and Chief Information Officer (CIO), assisted by the Chief Information Security Officer (the “CISO”), has the overall responsibility for coordinating information security pursuant to this Policy. The CIO or CISO may designate other representatives of FDU to help oversee and coordinate particular elements of the Program. The team will work closely with other members of the Office of Information Resources and Technology (OIRT), the Data Security & Incident Response Team (“DSIRT”), the University Risk Manager, the Vice President for Human Resources, and the General Counsel, as well as relevant academic and administrative units throughout the University to implement the Program.

4. Risk Assessment: The CIO and CISO will help the relevant offices of FDU to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information; and to assess the sufficiency of the safeguards in place to controls these risks. This effort will be embodied in a risk assessment document.
   
   The risk assessment is a written document that includes:
   
   (i) Criteria for the evaluation and categorization of identified security risks or threats that FDU faces;
   
   (ii) Criteria for the assessment of the confidentiality, integrity, and availability of FDU’s information systems and covered information, including the adequacy of the existing controls in the context of the identified risks or threats that FDU faces; and
   
   (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

5. Access Controls: The Program includes implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:
   
   (i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of covered information; and
   
   (ii) Limit authorized users’ access only to covered information that they need to perform their duties and functions, or, in the case of third parties, to access their own information.

The Program is designed to identify and help manage safeguards for the data, personnel, devices, systems, and facilities that enable FDU to achieve its mission – efforts are prioritized in accordance with our objectives and risk strategy.

FDU has adopted authentication and access controls as needed to implement the “principle of least privilege” around accessing covered data, meaning that no user should have access greater than is necessary for legitimate FDU purposes Data owners within each applicable University unit approve and periodically review access. This includes a periodic review by the Office of Enrollment Services of all users who have access to Enrollment Services security tracks in the Colleague System and a periodic review by other administrative departments that maintain students’ financial aid information regarding user access to the information.

These efforts also include employee training regarding these controls. The OIRT will coordinate with representatives in FDU’s Office of Finance, Office of Financial Aid, Enrollment Services and other offices to evaluate on a regular basis the effectiveness of the University’s training, procedures, and practices relating to access to and use of student records, including financial aid information as well as financial information. This evaluation will include assessing the effectiveness of the University’s current policies and procedures in this area. All employees are required to train in FDU’s Written Information Security Program (WISP) (training.fdu.edu), which program is incorporated by reference into this Policy.

6. Monitoring Unauthorized Users and Use: FDU has implemented policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, tampering with, covered information. Various specific measures are identified in Appendix 1.
   
   These measures will include assessing the University’s current policies and procedures relating to FDU’s Acceptable Use Policy for Computer Usage, Confidentiality Agreement and Security Policy, FDU Procedure on Handling Data on Separating Employees, Password Policy, Policy for Acceptable Use of Email, Software Compliance & Distribution Policy, and Written Information Security Program. The CISO will also coordinate with the CIO and the OIRT to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.

7. Monitoring the Effectiveness of Safeguards: FDU periodically conducts penetration tests and vulnerability assessments on its network and key information systems. These measures are designed to test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, FDU’s information systems.
   
   For those systems where continuous monitoring (or other methods to detect, on an ongoing basis, changes in information systems that may create vulnerabilities), is not practical, FDU will conduct:
   
   (i) Annual penetration testing on FDU’s information systems identified by OIRT based on relevant identified risks under the risk assessment; and
   
   (ii) Vulnerability assessments of FDU’s information systems, including systemic scans or reviews of information systems designed to identify publicly known security vulnerabilities in FDU’s information systems based on the risk assessment, at least every six months; and whenever there are material changes to FDU’s operations or business arrangements; and whenever there are circumstances that OIRT knows (or has reason to know) may have a material impact on FDU’s information security program.

8. Detecting, Preventing and Responding to Attacks: The OIRT and University Risk Manager will on a regular basis evaluate procedures for and methods of detecting, preventing, and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. The FDU Data Security Incident & Response Team implements all aspects of, oversees other Departments’ adherence to, and documents all incident response activities. Upon determination by the CISO and General Counsel that a Security Incident triggers breach notification laws, the University will report the breach to relevant federal or state regulatory authorities by their designated methods; and, where applicable, the U.S. Department of Education, including details about date of breach (suspected or known); impact of breach (e.g. number of records); method of breach (e.g. hack, accidental disclosure); information security program point of contact – email and phone details; remediation status (e.g. complete, in process); and next steps (as needed).
   
   These measures will be documented in a comprehensive incident response plan that addresses:
   
   (i) The goals of the incident response plan;
   
   (ii) The internal processes for responding to a security event;
   
   (iii) The definition of clear roles, responsibilities, and levels of decision-making authority;
   
   (iv) External and internal communications and information sharing;
   
   (v) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
   
   (vi) Documentation and reporting regarding security events and related incident response activities; and
   
   (vii) The evaluation and revision as necessary of the incident response plan following a security event.

9. Overseeing In-House Developed Applications and External Service Providers: The OIRT leadership working in collaboration with the CISO will help ensure that software applications and solutions developed in-house by FDU, including modifications to third-party programs, meet the safeguard standards of this Policy. The CIO, CISO and other appropriate OIRT leaders will also coordinate with FDU’s contract review teams to raise awareness of, and to institute methods for, selecting and retaining only those service providers that can maintain appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. In addition, the CIO and CISO will work with the General Counsel and the University Risk Manager to develop and incorporate standard, contractual protections applicable to third-party service providers, which will require the providers to implement and maintain appropriate safeguards.
   
   Utilizing a variety of automated risk assessment tools such as Bitsight, OIRT periodically assesses FDU’s service providers on the risk they present and the continued adequacy of their safeguards.

10. Encryption: FDU adopts methods to protect by encryption covered information held or transmitted by the University by encrypting both in transit over external networks and at rest. To the extent that encryption of covered information, either in transit over external networks or at rest, is infeasible, FDU secures the covered information using effective alternative compensating controls reviewed and approved by the CISO.

11. Multifactor authentication: FDU has implemented multi-factor authentication for any individual accessing the University’s information systems, except where the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
    
    Multi-factor authentication is defined as authentication through verification of at least two of the following types of authentication factors:
    
    (1) Knowledge factors, such as a password;
    
    (2) Possession factors, such as a token; or
    
    (3) Inherence factors, such as biometric characteristics.

12. Data Retention and Disposal Controls: FDU has in place procedures for the secure disposal of covered information in any format, consistent with the University’s operations and other legitimate business purposes, except where required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Where information is not needed to be retained, the University will take reasonable measures to include processes for disposal of covered information no later than two years after the last date the information is used for legitimate University purposes. The Program includes periodic review of our data retention policy to minimize the unnecessary retention of data.

13. Adjustments to Program: Risk assessment activities will be periodically performed to reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to reassess the sufficiency of any safeguards in place to control these risks. The CISO is responsible for evaluating and recommending adjustments to the program based on the undertaken risk identification and assessment activities, as well as any material changes to FDU’s operations or other circumstances that may have a material impact on the Program.

14. Reports to the Board: The Vice President of OIRT will submit written reports to the Board of Trustees at least once each calendar year. The report will include the following information:
    
    (1) The overall status of the Program and FDU’s compliance with the safeguard requirements under the GLBA;
    
    (2) Material matters related to the Program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.

The CIO may approve deviations to the processes set forth in this Policy to meet changing conditions at the University, so long as such deviations are designed to achieve the safeguard goals set forth in this Policy and do not violate the GLBA and other applicable laws.

Appendix 1
Certain Additional Specific Safeguards

Periodically (generally at least once each year), leaders from applicable University departments and units are surveyed regarding their processes for safeguarding covered information, using a standard template. Results are compiled and conveyed to the CIO for review and follow-up, including adopting and incorporating results in the University-wide Risk Assessment.

The CIO will determine which departments and units should receive the assessment survey, based on their handling of covered information. Currently, the units are: OIRT, Office of Enrollment Services, Credits and Collections, Admissions, International Admissions, Financial Aid, Veteran Services, Accounts Payable, Management Information Systems, Conference & Summer Programs, School of Pharmacy, and the Controller’s Office.

The standard assessment template is as follows.

1. Designate an employee or employees to coordinate the unit’s information security program.
   
2. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:

• Unauthorized disclosure of sensitive information by employees through intentional or unintentional methods.
  
• Unauthorized access, disclosure, misuse, alteration or destruction of information on hosts.
  
• Detection and prevention of attacks on the systems.
  
• Unsecured transmission of data.
  
• Physical security of computer systems, network equipment, backups and paper materials.
  
• Managing data integrity and system failures.

3. Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

1. Unauthorized disclosure of sensitive information by employees through intentional or unintentional methods:
   
2. Unauthorized access, disclosure, misuse, alteration or destruction of information on hosts:
   
3. Detection and prevention of attacks on the systems:
   
4. Unsecured transmission of data:
   
5. Physical security of computer systems, network equipment, backups and paper materials:
   
6. Managing data integrity and system failures:

4. Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring FDU’s service providers by contract to implement and maintain such safeguards.

5. Evaluate and adjust FDU’s information security program in light of the results of the testing and monitoring required by this Policy; any material changes to FDU’s operations or business arrangements; or any other circumstances that are known or have reason to be known as having a material impact on FDU’s information security program.

The following is an example of a completed assessment survey, from OIRT:

Gramm Leach Bliley Security Program
Office of Information Resources Technology
Standards for Safeguarding Customer Information

(a) Designate an employee or employees to assist the CIO in the coordination of the Program.

In addition to the CISO, the Director of Systems and the Director of Networking are the designated employees for the Office of Information Resources Technology

(b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:

• Unauthorized disclosure of sensitive information by employees through intentional or unintentional methods.
• Unauthorized access, disclosure, misuse, alteration or destruction of information on hosts.
• Detection and prevention of attacks on the systems.
• Unsecured transmission of data.
• Physical security of computer systems, network equipment, backups and paper materials.
• Managing data integrity and system failures.

(c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

1. Unauthorized disclosure of sensitive information by employees through intentional or unintentional methods:

• Employees go through mandatory Written Information Security Program (WISP) Training
• Prior to any IT requests, User Information Is checked against WISP to ensure they are current with training
• Employees are provided training and are closely observed by managers before being given access to sensitive information. Training includes password policy and management, physical security of cabinets, storage, and equipment rooms, and recognizing fraudulent attempts to obtain sensitive information.
  • Policy, social engineering, keystrokes loggers, etc.
• All employees must sign and accept the University’s “Acceptable Use Policy” and the “Confidentiality Agreement” if applicable.
• Requests for sensitive information are directed to individuals with proper training and authority to review the request.
• Potential employees are subjected to a background check before being hired by the University.
• Updated IT Informational website that includes documentation of all policies and procedures specific to securing data.
• Use of Data Loss Prevention tool to proactively monitor and correct non-compliance issues
• Access to information is granted only to the extent required for the employee to perform their job functions.

2) Unauthorized access, disclosure, misuse, alteration or destruction of information on hosts:

• Passwords are required for access to any system with sensitive information.
• Strong password policies are in place where possible.
• Multi-factor authentication to access sensitive systems for all faculty, adjuncts, staff and students.
• Multi-factor authentication for all admin accounts.
• Auditing systems (e.g. Change Management Process, Netwrix, Microsoft ATP) are used to track and report on changes to critical files.
• Notifications of employee terminations are received prior to or on date of termination. Immediate notification is received when circumstances warrant instant suspension of access to systems.

3) Detection and prevention of attacks on the systems:

• Auditing systems (e.g., Netwrix) are used to detect attempts to breach systems or alter system configurations.
• System logs are reviewed daily for evidence of attacks.
• Policies are in place to regularly apply patches to systems.
• A firewall is in place for perimeter protection.
• Obsolete systems are being replaced by newer systems that are better supported by hardware and software vendors. Most systems include host-based firewalls.
• The wired portion of the university network is entirely switched to minimize the possibility of packet sniffing and other similar attacks.
• WPA2 Enterprise is deployed and available for wireless accessible locations.
• Endpoint protection software is in place, which automatically updates servers & clients.

4) Unsecured transmission of data:

• Connections to all systems are using modern cryptographic techniques.
• University standard practice is to use HTTPS for web services; all publicly accessible web traffic is proxied through load balancers.
• SFTP is used to transmit data to various vendors securely.
• EFax services deployed, ensuring fax transmission are encrypted both in transit and at rest.
• Virtru software for encrypted email communication of sensitive and Personally Identifiable Information
• 7-Zip is used to encrypt files being sent to and from vendors.

5) Physical security of computer systems, network equipment, backups and paper materials:

• All computer systems and core network equipment are physically secured in locked rooms or cabinets.
• Essential services are monitored for availability and alerts are sent when a system or service becomes unavailable.
• Printed material with personal information is shredded when no longer needed.
• The main datacenters and several ancillary MDF’s have heat and humidity detection systems as well as a fire suppression system.
• Alarms with motion detectors are in place in all data centers. The university department of Public Safety monitors the alarms.
• Security cameras are set and on 24 hour recording on both main data centers
• A card access system controls access to the data centers and IT administrative offices.

6) Managing data integrity and system failures:

• Daily backups of host systems are performed.
• Network hardware configurations are backed up weekly.
• Out of band capabilities exist to support network management and large-scale outages.
• Continual off-site backup of all FDU owned workstations.
• Mirroring of networked file services across campuses is occurring.
• UPS systems provide backup power to central data centers.
• Extending backup capabilities to include off-site backup of all University systems
• A backup generator is in place for the main data centers.
• A disaster recovery plan has been developed.

(d) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring FDU’s service providers by contract to implement and maintain such safeguards.

Contracts require appropriate safeguarding measures be taken by the vendor. Third Party Assessment evaluation using Industry best practice tools prior to executing contracts.

(e) Evaluate and adjust FDU’s information security program in light of the results of the testing and monitoring required by this Policy; any material changes to FDU’s operations or business arrangements; or any other circumstances that are known or have reason to be known as having a material impact on FDU’s information security program.

OIRT continually performs extensive reviews of applicable written policies and has a continuous program in place to review applicable policies and procedures.

OIRT periodically (generally annually) performs an eMail Phishing test to all full-time faculty and staff. FDU uses a third party as the tool for performing the test. Individuals who fail the Phishing test are required to complete remedial training with a passing score. Supervisors are made aware of those who fail the test and are encouraged to speak with their employees.

OIRT conducts comprehensive vulnerability assessments aligned to the NIST Risk Management Framework (RMF) that included external vulnerability scanning, penetration testing, netflow analysis of our IP ranges, review of IT and cybersecurity-specific and FDU-wide documentation, and dark web footprinting.

OIRT takes action to increase the cadence of monitoring and reacting to server, desktop and mobile device alerts, ensure compliance of website configurations and deploy security measures to ensure security of email system and reduce spoofing of emails.

---

In accordance with FDU’s Acceptable Use Policy for Computer Usage, no employee shall copy or distribute software that violates copyright laws. All employees shall be aware that software and the accompanying documentation is generally owned by the manufacturer and the license only grants the user the right to use the software. Unlicensed software installations, also known as software piracy, are unacceptable at FDU.

The primary user of each computer shall take responsibility of keeping records of licenses for which software is installed. The University’s Computing Services Department shall also track licenses for software installed by the Computing Services Department though the purchase of high volume or site licenses. Users are advised that the software installed on University-owned computers may be audited internally (by the University) or externally (by software manufacturers or other anti-piracy software firms) at any time. Software found not to be in compliance with copyright laws will be removed and replaced with a licensed copy.

Computing Services will provide certain software that is commonly used by the majority of the University’s employees, including but not limited to word processing, spreadsheet, and anti-virus software. Some software manufacturers allow for non-concurrent use of a license on an office computer and an employee’s home computer. Computing Services will not provide non-concurrent licenses at off premise sites due to the inability to track these licenses.

In order to provide the best possible service and support, and to reduce the cost of software site licenses, Computing Services, in conjunction with the Center for Learning and Teaching with Technology, has standardized on Microsoft Office Professional and Symantec Endpoint Protection.

Popular Software Titles and Guidelines for Faculty and Staff to Obtain:

• Microsoft Office for Windows or Macintosh: Available through standard deployment of leased or owned equipment or by request for any University-owned PC or Mac.
• Microsoft Visual Studio: Installed in Labs. Available by request for staff and faculty machines.
• Adobe Acrobat: Available by request for staff and faculty machines.
• SAS: Installed in Labs. Available by request for staff, faculty and student machines.
• SPSS (Base): Installed in Labs. Available by request for staff and faculty machines.
• SPSS Advanced Modules: Available by request for staff and faculty machines.
• Adobe Products: Faculty and staff may purchase Adobe products at level three pricing with the University’s CLP Membership No. 4400062846.
• Symantec Endpoint Protection: Available through standard deployment of leased or owned equipment or by request for any University-owned PC or Mac.
• Other products: Faculty and staff may obtain pricing and submit orders to Purchasing. If assistance is needed, contact Computing Services.
  

Software Quality Assurance and Compliance Policy for Network Server & Lab Installations

It is no longer possible for individuals to install software on staff or faculty desktops or lab computers. Laptops or Macintosh users have administrative rights and individuals can install additional licensed software to laptops.

Instructors wishing to have a software application installed in a lab for use by 20 or more people simultaneously must provide Computing Services the original installation media, installation guide, and the appropriate proof of license. Note that the licenses for some software may limit our ability to install it on the network. These materials must be provided a minimum of sixty days before the software is needed. Because it is impossible to predict how the software will interact with our network and other software already installed, we cannot guarantee that a program will work on our system.

For programs that will be used by less than 20 people, the instructor may install the application on up to 5 machines in a lab not normally used for classroom instruction, plus an “instructor’s machine” in one of the teaching labs. If fewer licenses are owned, then only that many licenses may be installed. The instructor will be told which machines to install the program on and will be given a password which can be used to disable the security on the machine for the duration of the installation procedure. Software installed in this way will only be available on those designated machines. Computing Services will make a reasonable attempt to keep these designated systems functioning with the additional software, but in the event that the machine needs to have it’s base configuration and software restored from backup, the instructor will be contacted and will need to reinstall the application.

In all cases, software must be owned or licensed by the University, even if the application is only to be used for demonstration purposes. No software owned by an individual will be installed on the systems.

Below is the policy for departments at the University regarding the return of Cisco Desk phones that are no longer in use. This process is known as the “Phone True-Up Process.” It begins with a request from the department to Voice Services at voiceservices@fdu.edu to remove currently active phones from service.

Voice Services will coordinate the collection, inventory, and eventual shipping of the phone(s) to our vendor.

Leave these phones in place and mark them with a Post-It Note that provides the HOST/MAC address of the phone. This ensures easy identification when a technician arrives to retrieve the device.

There are two methods to find the HOST/MAC address:

1. Press the gear button on the phone and use the central navigation key to scroll to “Phone Information.”
2. Alternatively, this information is also listed on the back of the phone.

The True-Up process is carried out annually, around June, coinciding with the end of the University’s Fiscal Year. The new True-Up cycle begins on July 1st with the commencement of the new Fiscal Year. Phones can be removed at any point during the year and stored until the next True-Up. However, billing for these phones continues until the end of the Fiscal Year.

As the demand for access by on-site vendors increases, Fairleigh Dickinson University has created a Vendor Access Policy for Networking and Computing. The intent of the policy is to define the categories of non-employees that are on our campuses and provide rules and guidelines around their networking & computing needs. All business units should utilize the Contract Review Process which has been instituted by the Office of the General Counsel prior to initiating any of the below processes. Fully executed contracts that have been reviewed and approved may be requested by members of OIRT prior to providing any access for the non-employees below.

Effective Date: 3/1/2023
Last Revision: 1/14/2024

Contractors/Consultants

The University employs individuals from companies that perform work on behalf of the University and expressly for the University. Examples could be an employee from a staffing agency working within IT to augment the staff in assisting with a series of projects, or an individual hired from an agency to work within Human Resources to assist in processing forms. These individuals are hired under contracts and are held tothe terms and conditions of those contracts. In most cases, working as part of the University, these individuals need computing functionality identical to those of university hired staff, as they are acting on behalf of the University & fulfilling a role specific to the University. All work done by these individuals is part of the university’s data property, and therefore, these individuals should be provided with University issued devices such as desktop/laptop computers, landline phone extensions, etc.

Individuals hired from companies outside of the University to conduct business on behalf of the University must meet the following guidelines and are provided with the following access:

1. The hiring manager or department head must complete an HR Personal Information Notice (PIN) to begin the process.
   
2. Contractors/Consultants will always be issued a University NetID in the format of Firstinitial.Lastname@v.fdu.edu.
   
3. Once the NetID has been created & communicated to the hiring manager, a Vendor Employee Technology Form must be completed if the contractor/consultant needs access to certain FDU systems. The form to be found in the Staff and Faculty Forms tile of SAMISupport.

SAMI Support

4. All Contractors/Consultants are required to complete the Written Information Security Program (WISP) training immediately after an account is provisioned. Validation of completion is needed within the first 30 days.
   
   1. WISP training reminder on day 15
   2. WISP training daily reminder every day after day 15
   3. Disable account day 30 with an email sent to the manager
      
5. All contractors/consultants must read and accept the following additional policies:
   1. Policy for the acceptable use of email
   2. Acceptable use policy for computer usage
   3. FDU alert policy
   4. Password policy
      
6. Contractors/Consultants will be able to sign up for FDU Alert through Colleague Self-Service. Instructions can be found here:

7. Contractors/consultants issued a university managed laptop/desktop are entitled to an email address without the vendor designation at the request of the hiring manager. This would be requested by the manager through the Vendor Employee Technology Form by clicking the “Convert Vendor NetID” box.

8. Contractors/consultants must be terminated at the end of their contract using the same methodology utilized for current faculty and staff. It is the unshared responsibility of the managing department to submit termination paperwork per the HR process for any contractor/consultant who had been issued a NetID.

Volunteers

The University utilizes volunteers in non-paying positions during the school year. Examples of these roles include but are not limited to preceptors & chaplains. These individuals do not need access to any University systems with the exception of email. As such, they need access to Internet services & email but they do not require an FDU managed laptop/desktop.

Volunteers must meet the following guidelines and are provided the following access:

1. Volunteers will be issued a NetID in the format of Firstinitial.Lastname@v.fdu.edu to be able to authenticate to FDU’s wireless network (and wired network in the future).
   
2. Volunteers are required to complete the Written Information Security Program (WISP) training immediately after an account is provisioned. Validation of completion is needed within the first 30 days.
   
   1. WISP training reminder on day 15
   2. WISP training daily reminder every day after day 15
   3. Disable account day 30 with an email sent to the manager
      
3. All volunteers must read and accept the following additional policies:
   
   1. Policy for the acceptable use of email
   2. Acceptable use policy for computer usage
   3. FDU alert policy
   4. Password policy
      
4. Volunteers will be able to sign up for FDU Alert through Colleague Self-service. Instructions can be found here:

5. All volunteer accounts will expire at the end of the fiscal year and must be renewed by their FDU manager by completing a PIN form.
   
6. Volunteers must be terminated at the end of their contract using the same methodology utilized for current faculty and staff. It is the unshared responsibility of the managing department to submit termination paperwork per the HR process for any contractor/consultant who had been issued a NetID.

On-Campus Vendors

The University outsources various functions to entities (Vendors) that operate independently but work exclusively on our campuses and provide services for our faculty, staff & students. These employees are individually managed by their corporate entities and are largely held accountable by their corporate management.

While on campus, employees of these vendors might need access to the Internet to interact with their corporate websites or communicate with their corporate managers. In many cases today and in most all cases in the future, these employees will need to authenticate through the University’s network in order to conduct their business. The University has established a process whereby the Fairleigh Dickinson University department responsible for that vendor completes the Human Resource forms necessary in order to create a non-employee record within our Colleague system.

Employees of on-campus vendors must meet the following guidelines and are provided the following access:

1. Vendor employees will be issued a NetID in the format of Firstinitial.Lastname@v.fdu.edu to be able to authenticate to FDU’s wireless network (and wired network in the future).

2. Vendor employees will be able to add their contact information to FDU Alert by sending an email to fdunotify@fdu.edu
   
3. All vendor employee accounts will expire at the end of the fiscal year and must be renewed by their FDU manager by completing a PIN form.
   
4. Vendor employees must be terminated through FDU’s systems when they either are removed from their assignment at Fairleigh Dickinson University or are terminated by their employer using the same methodology utilized for current faculty and staff. It is the unshared responsibility of the managing department to submit termination paperwork per the HR process for any contractor/consultant who had been issued a NetID.

Elevated Vendor Privileges

From time to time, the employee of an on-campus vendor might have justification for having access to FDU email or a need to access systems and/or applications that reside behind FDU’s firewalls. If such a case is identified, the FDU department responsible for that vendor would need to contact the Director of Systems with a formal request for additional vendor access. The FDU department must present solid business justification for the elevated access. The Director of Systems will review each request and either approve or reject the request based on business needs and security posture. The Director of Systems might consult with the Data Security & Incident Response Team before providing an answer.

Employees of on-campus vendors approved for elevated access must meet the following guidelines and are provided the following access:

1. Vendor employees will be issued a NetID in the format of Firstinitial.Lastname@v.fdu.edu to be able to access FDU’s wireless network (and wired network in the future).
   
2. All vendor employees are required to complete the Written Information Security Program (WISP) training immediately after an account is provisioned. Validation of completion is needed within the first 30 days.
   
   1. WISP training reminder on day 15
   2. WISP training daily reminder every day after day 15
   3. Disable account day 30 with an email sent to the manager.
      
3. Vendor employees will be able to sign up for FDU Alert through self-service. Instructions can be found here:

4. All vendor employees with elevated access must read the following additional policies:
   
   1. Policy for the acceptable use of email
   2. Acceptable use policy for computer usage
   3. FDU alert policy
   4. Password policy
      
5. If the vendor employee needs to access FDU systems and/or applications, issuance of a University managed laptop/desktop may be required. This would be at the expense of the requesting department.
   
6. Upon departmental request, vendor employees will only be provided access to the specific University Systems and applications approved by the Director of Systems.
   
7. All vendor employee accounts will expire at the end of the fiscal year and must be renewed by their FDU manager by completing a PIN form.
   
8. Vendor employees must be terminated through FDU’s systems when they either are removed from their assignment at Fairleigh Dickinson University or are terminated by their employer using the same methodology utilized for current faculty and staff. It is the unshared responsibility of the managing department to submit termination paperwork per the HR process for any contractor/consultant who had been issued a NetID.

---

All employees of Fairleigh Dickinson University are responsible for conducting business in a safe and secure way. Select employees may be required to view Personal Information (PI) and Personal Health Information (PHI) as part of their daily responsibilities, while others may handle sensitive information of another nature. All employees receive correspondence from outside the University. Ensuring that our community remains safe and diligent in the face of today’s cyber landscape is vital. The policy below will provide a baseline understanding of the data security protocols in place and the expectations on FDU employees to uphold them.

Effective Date: 12/01/2022
Last Revision: 03/15/2021
Last Review: 11/28/2022

I. OBJECTIVE

The objective of Fairleigh Dickinson University (“University”) in the development and implementation of this comprehensive Written Information Security Program (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of Personal Information (“PI”) and Protected Health Information (“PHI”). The WISP sets forth the University’s procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PI and PHI.

For purposes of this WISP, PI means:

1. User name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.

2. Someone’s name and any one of the following data elements:
   
   • Social Security number, Social Insurance number, National Insurance number, or equivalent;
     
   • Date of birth (MM/DD/YYYY),
     
   • Driver’s license number, state-issued identification card number, or provincially-issued identification card number;
     
   • Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account;
     
   • Passport number;
     
   • Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional or health insurance information; or
     
   • Student/Employee (i.e., Datatel) ID number coupled with a password or security question and answer or any portion of any item in the list above that would permit access to an online account.

For purposes of this WISP, PHI includes information that is created, received, and/or maintained by the University that is related to an individual’s health care (or payment related to health care) that directly or indirectly identifies the individual.

PI or PHI shall not include information that is lawfully obtained from publicly available information, or from federal, state, provincial or local government records lawfully made available to the general public.

Notwithstanding the above and irrespective of whether or not it’s considered PII or PHI, one should always take care and caution to use the minimum data elements necessary to perform the business function at hand.

II. PURPOSE

The purpose of the WISP is to better:

1. Ensure the security and confidentiality of PI and PHI;
   
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
   
3. Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

III. SCOPE

In formulating and implementing this WISP, the University has addressed and incorporated the following protocols:

1. identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI;

2. assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the PI and PHI;

3. evaluated the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;

4. designed and implemented a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of the regulations in this document; and

5. implemented regular monitoring of the effectiveness of those safeguards.

IV. DATA SECURITY COORDINATOR

The University has designated the Chief Information Security Officer (CISO), working together with the Data Security Information Response Team (DSIRT), to implement, supervise and maintain the WISP. See Appendix II for contact information for the CISO and DSIRT. Together, they will be responsible for:

1. Initial implementation of the WISP;
   
2. Regular testing of the WISP’s safeguards;
   
3. Evaluating the ability of each of the University’s third party service providers to implement and maintain appropriate security measures for the PI and PHI to which the University has permitted them access, consistent with the regulations outlined in this document; and requiring such third party service providers by contract to implement and maintain appropriate security measures;
   
4. Reviewing the scope of the security measures in the WISP at appropriate intervals, including the review of any material change in the University’s business practices that may implicate the security or integrity of records containing PI and PHI; and
   
5. Conducting training sessions for all University employees, and independent contractors, including temporary and contract employees, who have access to PI and PHI on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with University requirements for ensuring the protection of PI and PHI.

V. INTERNAL RISKS

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

Internal Threats

1. The University shall only collect PI and PHI of students, their parents, alumni, donors, suppliers, vendors, independent contractors or employees that is necessary to accomplish the University’s legitimate need to access said records, and for a legitimate job-related purpose, or necessary for University to comply with state, provincial, or federal regulations.
   
2. Access to records containing PI and PHI shall be limited to those persons who are reasonably required to know such information in order to accomplish a University legitimate business purpose or to enable the University to comply with state, provincial or federal regulations.
   
3. All persons who fail to comply with this WISP shall be subject to disciplinary measures, up to and including termination, irrespective of whether PI and PHI was actually accessed or used without authorization. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents.
   
4. Access to PI and PHI shall be restricted to authorized University personnel only.
   
5. Any PI and PHI stored shall be disposed of when no longer needed for business purposes or required by law for storage. Paper or electronic records (including records stored on hard drives or other electronic media) containing PI and PHI shall be disposed of only in a manner that complies with the regulations outlined in this document and as follows:
   
   • Paper documents containing PI and PHI shall be shredded upon disposal so that PI and PHI cannot be practicably read or reconstructed; and
     
   • Electronic media and other non-paper media containing PI and PHI shall be destroyed or erased upon disposal so that PI and PHI cannot be practicably read or reconstructed.

6. A copy of this WISP must be distributed to each current University employee and to each new University employee at the commencement of their employment.

7. Procedures for Terminated Employees (whether voluntary or involuntary)
   
   • Terminated employees must return all records containing PI and PHI, in any form that may at the time of such termination be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.)
     
   • A terminated employee’s physical and electronic access to PI and PHI must be immediately blocked. Such terminated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the firm’s premises or information. Moreover, such terminated employee’s remote electronic access to personal information must be disabled.

8. Physical Assets Protocol
   
   • All assets must be secured from theft by locking up and maintaining a secure workplace, whether that work takes place in University stores, offices, at a client site, in a car, hotel or in a home.
     
     • All University laptops shall be deployed with encryption capabilities enabled. End users may not disable such encryption. Exceptions to this policy are as follows:
       
       • With the explicit written authorization of the CISO;
         
       • May be disabled by OIRT personnel for temporary maintenance purposes only;
         
       • Loaner laptops temporarily assigned with the understanding they will not be used to store or access any information that is considered to be protected under this policy.
         
     • All laptops should be placed in the trunk of vehicle when and wherever they are parked. If no secure trunk or other storage is available, employees should, whenever possible, keep their laptops in their possession or find a way to secure and conceal it.
       
     • Laptops, PDAs, phones and other portable devices that may contain or have access to PI and/or PHI left in the office or at home over night should be kept in a locked and secure location.
       
     • Employees must have assets secured or within their physical possession while on public or private transportation, including air travel.
       
   • Files containing PI and/or PHI are not to be stored on local computer hard drives, shared drives or other external media (which include externally hosted services such as, but not limited to OneDrive, Google, and Drop Box) without prior written authorization from the CISO. If approved, the method of storage and access to the data will be determined by the CISO during the discussion and placed in writing. (See Appendix I for more detail).

9. Access Control Protocol
   
   • Access to electronically stored PI and PHI shall be electronically limited to those University employees having a unique log-in ID.
     
   • Employees must ensure that all computer systems under their control are locked when leaving their respective workspaces. Employees must not disable any logon access.
     
   • Employees must log off of the VPN or Virtual Desktop (VDI) when they are not directly using those resources.
     
   • All Ellucian (Datatel) sessions that have been inactive for 60 or more minutes shall require re-log-in.
     
   • After 5 unsuccessful log-in attempts by any Ellucian (Datatel) or MS Active Directory NetID, that user ID will be blocked from accessing those systems until access privileges are re-established by University Systems and Networking.
     
   • Employees must maintain the confidentiality of passwords and access controls:
     
     • All Ellucian (Datatel) or MS Active Directory NetID passwords are required to adhere to strong password rules.
       
     • All Ellucian (Datatel) or MS Active Directory NetID passwords are required to be changed every 3 months.
       
     • Employees must not share accounts or passwords with anyone.
       
     • Employees should not record passwords on paper or in a document or in a place where someone other than the employee might have access to it. Tip: The University has identified a password vault application (Keepass); those interested should open a ticket with the Fairleigh Dickinson University Technical Assistance Center (UTAC) requesting assistance on setting it up.
       
   • Where practical, all external or internal visitors to a department are restricted from areas where files containing PI and PHI are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing PI and PHI are stored.

VI. EXTERNAL RISKS

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

External Threats

1. Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes PI and PHI.
   
2. All system security software including, anti-virus, anti-malware, and internet security shall be reasonably up-to-date and installed on any computer that stores or processes PI and PHI.
   
3. To protect against external threats, all PI and PHI shall be handled in accordance with the protocols set forth above under “Internal Threats”.
   
4. In the event an individual inadvertently discovers he/she received PI or PHI from an external party, such PI or PHI shall be handled in accordance with the protocols set forth under “Internal Threats”.
   
5. There shall be secure user authentication protocols in place that:
   
   • Control user ID and other identifiers;
     
   • Assigns passwords in a manner that conforms to accepted security standards, or applies the use of unique identifier technologies;
     
   • Control passwords to ensure that password information is secure.
     
6. PI and PHI shall not be removed from the business premises in electronic or written form absent a legitimate business need and use of reasonable security measures, as described in this WISP.
   
   • PI and/or PHI that MUST be transmitted in electronic form shall not be sent without encryption.
     
   • PI and/or PHI in paper form must be secured.
     
7. All computer systems shall be monitored for unauthorized use or access to PI and PHI.

VII. IN CASE OF LOSS/THEFT OR SUSPECTED LOSS/THEFT

If you have reason to believe that any PI or PHI has been lost or stolen or may have been compromised or there is the potential for identity theft, regardless of the media or method, you must report the incident immediately by contacting the Fairleigh Dickinson University Technical Assistance Center (UTAC). The UTAC is available 24 x 7.

VIII. OTHER APPLICABLE POLICIES

Data Security Information Response Plan (September 15, 2019, not published on Web)

IX. EXCEPTIONS

Requests for exceptions to this policy should be directed in writing to the Chief Information Security Officer. Only the Chief Information Security Officer in consultation with the DSIRT may grant such exceptions and will do so only after careful review and in writing.

X. REVIEW

This policy shall be reviewed annually by the Data Security Incident Response Team (DSIRT) at the first meeting in April.

Appendix I

Technical requirements for the storage of files containing PI or PHI regardless of where the storage occurs will include but not be limited to the following:

1. All file(s) should be secured with AES 256bit encryption unless actively open for review or modification.
   
2. It is the responsibility of the person handling the PI or PHI file to securely delete any files created as a product of the manipulation of those files. As an example, temporary files created by Microsoft Office programs or any other programs would need to be securely deleted as well as the clear text versions of the original file after the encrypted version is properly created and verified.
   
3. Programs used for Encryption/Decryption and secure file deletion must be approved by the CISO including the methods in which they are to be used.
   
4. If the complete or partial PI or PHI containing file(s) are inadvertently written to a local hard drive, it is the user’s responsibility to diligently make sure the contents are securely deleted.

Appendix II

DATA SECURITY INCIDENT RESPONSE TEAM (ROLES AND RESPONSIBILITIES)

The Data Security Incident Response Team membership includes the Chief Operating Officer, the Chief Information Officer, the Chief Information Security Officer, the Chief Academic Officer, the University General Counsel and the University Risk Manager. Each member of the Data Security Incident Response Team (DSIRT) has responsibilities related to the security of all the organization’s sensitive information. The DSIRT members listed below have specific responsibilities with regard to the reporting and handling of data security incidents. Note that one person may serve in multiple roles.

Senior Vice President for Finance & Administration: Hania Ferrara
Daytime telephones: office: 201-692-2381; Email: ferrara@fdu.edu

Chief Information Officer (CIO): Neal Sturm
Daytime telephones: office: 201-692-8689; Email: sturm@fdu.edu

Chief Information Security Officer (CISO): Kimberley Dawn Dunkerley
Daytime telephones: office: 201-692-7672; Email: ddunkerley@fdu.edu

Privacy Officer: Kimberley Dawn Dunkerley
Daytime telephones: office: 201-692-7672; Email: ddunkerley@fdu.edu

Chief Academic Officer (CAO): Michael Avaltroni
Daytime telephones: Office: 201-692-7093; Email: mavaltroni@fdu.edu

University General Counsel: Edward Silver
Daytime telephones: office: 201-692-7071; Email: esilver@fdu.edu

University Risk Manager: Gail Lemaire
Daytime telephones: office: 201-692-7083; Email: lemaire@fdu.edu

Vancouver Campus Executive: Wilfred Zebre
Daytime telephone: office: 604-648-4462; Email: wilfred_zerbe@fdu.edu

---