data

Effective Date: 11/07/2023
Last Revision: 11/01/2013

Select employees of Fairleigh Dickinson University may be required to engage with confidential University data. The FDU Confidentiality Agreement and Security Policy defines your obligations under Federal and State guidelines to preserve the security and confidentiality of this information.

Confidentiality Agreement and Security Policy

Fairleigh Dickinson University regards the security and confidentiality of data and information to be of utmost importance. Each individual granted access to electronic and/or hard copy data holds a position of trust and must preserve the security and confidentiality of the information to which he/she is granted access to. Therefore, it is the intent of this policy to ensure that University data, in any format, is not divulged outside of Fairleigh Dickinson University without explicit approval to do so by an Associate Vice-President of the University or higher who has responsibility for the data in question. As such, the University requires all users of data to follow the procedures outlined below:

Policy on Confidential Information

Users of University data are required to abide by all applicable Federal and State guidelines and University policies regarding confidentiality of data, including the Family Education Rights and Privacy Act (“FERPA”) and, as applicable, The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For more information, see: FDU’s General Confidentiality Policy, FERPA and HIPAA. 

Confidential Information shall be defined as:

• regarding student, faculty or staff: any personally-identifiable records, financial records (including social security and credit card numbers), health records; contracts, research data; alumni and donor records; personnel records other than an individual’s own personnel record; 

• regarding the University: University financial data; computer and system passwords, University issued PINS, University proprietary information/data; and 

• any other information for which access, use, or disclosure is not authorized by: 1) federal, state, or local law; or 2) University policy.

The individual receiving the Confidential Information shall have no obligation under this Policy with respect to Confidential Information which:

• is or becomes publicly available without breach of this Policy by the recipient;
• is rightfully received by the recipient without obligations of confidentiality; or
• is developed by the recipient without breach of this Policy; provided, however, such Confidential Information shall not be disclosed until thirty (30) days after written notice of intent to disclose is given to the University officer who has responsibility for the data in question, along with the asserted grounds for disclosure;
• is disclosed in accordance with any “whistle blower” action as provided in the U.S. False Claims Act, the New Jersey Conscientious Employee Protection Act (“NJCEPA”), or similar legislation.  (Brief overview of the NJCEPA is available here.

Any individual with authorized access to the Confidential Information is given access solely for the business of the University and must not divulge the Confidential Information outside of the University except for University business requirements approved by the President of the University or the division head responsible for the data in question. Specifically, with respect to Confidential Information, individuals must:

1. Access Confidential Information solely in order to perform his/her job responsibilities.
2. Not seek personal benefit or permit others to benefit personally from any Confidential Information that has come to them throughout their work assignments.
3. Not make or permit unauthorized use of any Confidential Information in the University’s information system or other records.
4. Not enter, change, delete or add data to any information system or files outside of the scope of their job responsibilities.
5. Not include or cause to be included in any record or report, a false, inaccurate or misleading entry known to the user as such.
6. Not alter or delete or cause to be altered or deleted from any records, report or information system, a true and correct entry.
7. Not release Confidential Information other than what is required in completion of job responsibilities which is consistent with this Policy.
8. Not exhibit or divulge the contents of any record, file or information system to any person unless it is necessary for the completion of their job responsibilities.

It is the individual’s responsibility to immediately report, as outlined under “Information Security Breach and Violation Reporting” at the end of this Policy, if the individual has violated this Policy. Additionally, given the potential harm that the University may suffer with the release of any Confidential Information, all employees are strongly encouraged to report any suspected violation of this policy or any other action, which violates confidentiality of data, as outlined at the end of this policy.

Security Measures and Procedures

All users of University information systems, including Datatel, MS File shares and FDU Office 365 email accounts, are supplied with an individual user account to access the data or systems necessary for the completion of their job responsibilities. Users of the University information systems are required to follow the procedures outlined below:

1. All transactions, processed by a user ID and password, or PIN, are the responsibility of the person to whom the user ID was assigned. The user’s ID, password, and PIN must remain confidential and must not be shared with anyone.
   • Using someone else’s user ID, password or PIN is a violation of policy, no matter how it was obtained.
   • Your user ID, password or PIN provides access to information that has been granted specifically to you.  To reduce the risk of shared passwords – remember not to post your password or PIN on or near your workstation or share your password or PIN with anyone.
   • It is your responsibility to change your password immediately if you believe someone else has obtained it.

NOTE: If you need your Password or PIN changed, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) immediately.

2. Access to any student or employee information (in any format) is to be determined based on specific job requirements. The appropriate Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President is responsible for ensuring that access is granted only to authorized individuals, based on their job responsibilities. Written authorization must be received by the Computer Center prior to granting system access.
   • You are prohibited from viewing or accessing additional information (in any format) unless you have been authorized to do so.  Any access obtained without written authorization is considered unauthorized access.
   • In order to prevent unauthorized use, the user shall log off of all applications that provide access to confidential information, or lock their computer when leaving their workstation. This is especially important during breaks and lunch. Unless there is a specific business need, all workstations should be shut down at the end of the workday.

NOTE:  If you require assistance in establishing your workstation password, please access the screensaver documentation or contact the Fairleigh Dickinson University Technical Assistance Center (UTAC).

3. If you have any reason to believe your password or PIN has been compromised or revealed inadvertently, you should change your password and immediately notify one of the individuals as outlined under “Information Security Breach and Violation Reporting” at the end of this policy.

NOTE: All University’s computer system will periodically prompt you to change your password.

4. Upon termination or transfer of an employee, Human Resources will notify University Systems and Security, who in turn will notify the appropriate areas in the Computer Center.

5. Generally, students, temporary employees and consultants should not have access to the University record system. Written approval by the Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President in charge of the respective area is required if it is determined that access is required. The student, temporary employee or consultant is to be held to the same standards as all University employees, and must be made aware of their responsibilities to protect student and employee privacy rights and data integrity. Written authorization must be received by the Computer Center prior to granting system access.

6. You agree to properly secure and dispose of any outputs or files you create in a manner that fully protects the Confidential Information.

Additionally, I understand that if granted access to process transactions via Datatel data entry screens, any information I enter or change will be effective immediately. Accordingly, I understand that I am responsible for any changes made using my ID.

I understand that my access to University data is for the sole purpose of carrying out my job responsibilities and Confidential Information is not to be divulged outside of The University, except as previously stated. Breach of confidentiality, including aiding, abetting, or acting in conspiracy with any other person to violate any part of this policy, may result in sanctions, civil or criminal prosecution and penalties, employment and/or University disciplinary action, and could lead to dismissal, suspension or revocation of all access privileges. I understand that misuse of University data and any violation of this policy or the FERPA, HIPAA or GLB policies are grounds for disciplinary action, up to and including dismissal. This Agreement shall not abridge nor supersede any rights afforded faculty members under the Faculty Handbook.

Information Security Breach and/or Policy Violation Reporting

If you suspect an Information Security Data Breach or a violation of this policy, report such an event to your department chair or staff supervisor and send an immediate email to violation@fdu.edu. If you do not have immediate access to email, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC); do not provide details but request a ticket be opened with University Systems & Security due to an information security data breach or policy violation requesting an immediate callback. When practical, also send an email to violation@fdu.edu.

---

Backup Alert Email Notifications

CrashPlan Backup will send users an email alert notifying them of any incomplete backups of their devices.

• The CrashPlan Backup email alert will be sent from “CrashPlan <noreply@crashplan.com>”
• The Subject line of the email will be labeled with: “[External]Critical: [Name of Device] not backed up“

Backup Alert

You will receive an alert when your computer hasn’t backed up to CrashPlan for 5 calendar days. The email will look like the example below:

What to do if you get a backup alert

After receiving a CrashPlan Backup alert email, you should locate the device the email specifies in need of backup. The CrashPlan Backup device name will be listed in the Subject: line and Computer Name: line of the CrashPlan backup alert email.

To locate the name of a CrashPlan Backup device:

1. Click the CrashPlan Backup icon in the Windows System Tray, also referred to as the notification area.

CrashPlan Backup icon

1. Click “Run Backup now“

Ensure the CrashPlan backup application displays the same name as the CrashPlan Backup alert email you received.

After locating the correct specified device stated in the CrashPlan backup alert email, force a backup of the device by performing the following:

1. Click the “CrashPlan Backup” System Tray or macOS menu bar Icon

CrashPlan Backup Icon

2. Click “Run Backup now“

CrashPlan is a backup agent that will back up all data on a university device under the primary owner’s profile. The backup sets can be used for restoring data to a machine, whether it has been reformatted, replaced, or compromised. This document will outline the steps needed to install, activate, and restore data to a new or existing device.

Section – Basics

Part : About CrashPlan

About CrashPlan

CrashPlan Policy

CrashPlan is required on all University provided desktops and laptops to backup all University Business data to prevent data loss.

Who Can use CrashPlan?

CrashPlan is presently licensed for full-time faculty and full-time staff only. The University mandates CrashPlan for proper data security practices. If a user has personal data that they wish to exclude from being backed up, a folder labeled “Personal Documents” can be found and utilized in your “Documents” folder. This folder and its contents will be ignored by CrashPlan when your system is being backed up.

Personal Documents folder locations:

Windows PC	C:\users\username\Documents\Personal Documents\
macOS	/users/username/documents/Personal Documents/

Is My Data Secure?

CrashPlan uses AES-256 encryption is used when storing your backups and can only be accessed by the CrashPlan account owner and administrators.

What is Backed Up?

All data found in a user profile will be backed up by CrashPlan.

Location of User Profile:

Windows PC	C:\users\UserName\
macOS	/users/username/

Section – Installation

Part : How to Install on a Windows PC

How to Install on a Windows PC

To install CrashPlan on your Windows PC, please follow the instructions below.

Before Installing CrashPlan, you must be logged in as the owner of the machine using your NetID Credentials.

1. Open FDU Self Service Portal for Software on your University PC
2. Click on CrashPlan Backup and then click “Install” on the right-hand side

The entire process will take approximately 5-7 minutes, depending on your internet speed. Once CrashPlan is installed, your account is automatically provisioned in the CrashPlan system, and your backup will begin shortly.

Part : How to Install on macOS

How to Install on macOS

To install CrashPlan on your macOS device, please follow the instructions below.

1. Locate the FDU Self Service Portal in your applications folder or locating the icon on your dock
2. Locate CrashPlan Backup and click “Enroll”

3. After the package installs, you will be prompted to enter your FDU email address and then click “OK“

The entire process will take approximately 5-7 minutes, depending on your internet speed. Once CrashPlan is installed, your account is automatically provisioned in the CrashPlan system, and your backup will begin shortly.

Part : How to Replace or Add a Second Device

How to Replace or Add a Second Device

This process is used when someone will be assigned a second device and wishes to have it backed up or if the CrashPlan needs to be re-installed on the same device. Because an account already exists, it cannot be provisioned automatically. It must be manually setup either to replace an existing device or create a new backup set on the second computer.

1. Click on the CrashPlan app in the system tray (PC) or Menu bar (macOS) and then click “Setup Device”

2. If prompted, log in to the FDU NetID Portal and proceed through the FDU single sign-on process
3. Click “Replace Existing”

4. Click “Start” to continue with the replace existing device process

5. Select the device from the list you are replacing and click “Continue”

6. Click “Select Files” on the following window

7. Select and Choose which files you wish to replace by placing a checkmark next to each. When finished, click “Restore Files”

8. The next window will allow you to select how you wish to restore your files. Make your selections and click “Go”

9. The next window will display download progress for the restore process. You can continue forward by clicking “Continue” at the bottom

10. The next window Downloads the Files to your device. When the transfer is completed, click “Next”

11. Your Transfer is now complete, click “Finish“

Part : Verifying Backup Progress

Verifying a Backup Instructions

If you are unsure if you have CrashPlan installed and backing up your system, this quick guide will help give you some comfort.

1. Click on the CrashPlan icon from the system tray on Windows and the menu bar on macOS

CrashPlan Icon

2. The Progress will be displayed like in the Figure below

Section – Managing Backups

Part : How to Manage Backups

How to Manage Backups

CrashPlan allows you to manage your backup sets. If you want to review your backup set or request assistance, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) to initiate a service request.

Part : How to Restore Files

How to Restore Files

Accidentally deleted or unable to find a file? CrashPlan can help. Please follow the following guidelines in restoring lost or previous versions of files.

1. Click the CrashPlan System Tray or macOS menu bar Icon

CrashPlan Icon

2. Left-click on the gear symbol and left-click on “Open CrashPlan….”

3. If prompted, log in to the FDU Single sign-on Portal and proceed through the FDU DUO Multifactor authentication procedures
4. Click “Restore Files”
5. Select the device you wish to restore from

6. You can select a date range from when you wish to restore from on the right-hand side
7. Navigate to the folder(s) and/or file(s) you wish to restore and place a check next to each one
8. Click “Restore Files”

9. Select how CrashPlan will restore your files. Click “Go” when finished

The time it takes to restore your files will depend on how much data is being restored, available system resources, and available bandwidth.

Part : How to Add Backup Sets

How to Add Backup Sets

Using CrashPlan you can create backup sets that will back up your data to additional devices utilizing a schedule. This is useful to have immediate access to critical files in the event of data loss.

This guide is only needed if you wish to have a local backup of your data.

1. Click the CrashPlan System Tray or macOS menu bar Icon

CrashPlan Icon

2. Left-click on the gear symbol and left-click on “Open CrashPlan….”

3. If prompted, log in to the FDU Single Sign-on Portal and proceed through the FDU DUO Multi-factor authentication procedures
4. From the CrashPlan console window, click the “Dropdown Arrow” symbol next to your device name to drop down a menu, then click “Add Backup Set…”

• The next window will be the Add Backup Set configuration window.

6. Click “Rename” to label your backup set
7. Changing Selected Files, click “Change”, and select the files and folders you wish to backup to a local destination

8. When finished click “Save“
9. Click “Change” to set your destination for your backup

10. Select your destination by clicking “Add Local Destination (usually an external hard drive) and click “Save“

11. Click “Add Set” to finalize the setup and start backing up to a local location

Your new back upset is finished and will begin backing up as configured.

Section – Troubleshooting

Part : Backup Alert Email Notifications

Backup Alert Email Notifications

CrashPlan will send users an email alert notifying of any incomplete backups of their devices.

• The CrashPlan email alert will be sent from CrashPlan for Enterprise <noreply@crashplan.com>
• The Subject line of the email will be labeled with: Critical: [Name of Device] not backed up

Backup Alert

You will receive an alert when your computer hasn’t backed up to CrashPlan for 5 calendar days. The email will look like the example below:

What to do if you get a backup alert

After receiving a CrashPlan backup alert email, you should locate the device the email specifies in need of backup. The CrashPlan device name will be listed in the Subject: line and Computer Name: line of the CrashPlan backup alert email. To locate the name of a CrashPlan device, left-click the CrashPlan “C” symbol icon in the Windows System Tray, also referred to as the notification area.

For macOS users left-click CrashPlan symbol icon on the macOS icon menu bar. The CrashPlan device name will be displayed in the console. Ensure the CrashPlan application displays the same name as the CrashPlan backup alert email you received.

CrashPlan Symbol Icon

CrashPlan Device Name

After locating the correct specified device stated in the CrashPlan backup alert email, force a backup of the device by performing the following:

1. Left-click the “CrashPlan” System Tray or macOS menu bar Icon

CrashPlan Icon

2. Left-click “Run backup now“

Part : Getting Support

Getting Support

I. OBJECTIVE

Create a standard procedure by which Manager’s and their employee’s transfer University data during the period of time from when an employee makes their intention clear that they are separating from the University or the transfer of University data at the time of an employee’s involuntary separation from the University.

II. PRODUCURES

Voluntary Separation

It is the manager or direct supervisor’s responsibility to work with the separating employee to extract any data or files that reside locally on their computer that would be needed for business continuity. The supervisor should also ensure they understand what shared drives the separated employee used and have access to those drives if need be.

Using appropriate security precautions, the manager should meet several times with the separating employee to ensure all information is transferred over either email, a shared drive, One Drive or a thumb drive.

During the separation process, through the Employee Separation Checklist, the employee’s manager can select the ability to access the separating employee’s email for up to 30 days and/or forward emails addressed to the separated employee for up to 60 days.

Upon receiving the separation notice, Computing Services will validate through our Backup system that the separating employee’s complete laptop or desktop Image has been backed up.

Computing Services will manually trigger an additional backup within three days of separation.

Immediately upon the effective date of the separation, the separating employee’s manager is responsible for turning over the separating employees’ computer to Computing Services.

Computing Services will store the computer for 14 days as a precaution, and then wipe the data from that computer, reimage the computer, and shelf the computer for redistribution.

If it is discovered that information that resided on the separated employee’s computer was missed during the separation process and needs to be retrieved at a later point, the supervisor would need to contact the Vice President of Human Resources and request the specific data that would need to be recovered from our Backup system.

Involuntary Separation

Upon the dismissal of the individual, Human Resources, would immediately engage Computing Services as well as the direct supervisor to view and extract any data that might be needed by the department to ensure business continuity. This would take place as soon as possible from the date of dismissal.

If a legal hold is required, Computing Services and USAN would be notified and the existing processes of extracting and encrypting the hard drive as well as protecting all email correspondence would be executed. Computing Services would then remove the computer.

If a legal hold is not required, Computing Services will validate through our Backup system that the dismissed employee’s Image has been properly backed up and remove the computer.

Computing Services will store the computer for 14 days as a precaution, and then wipe the data from that computer, reimage the computer, and shelf the computer for redistribution.

If it is discovered that information that resided on the separated employee’s computer was missed during the separation process and needs to be retrieved at a later point, the supervisor would need to contact the Vice President of Human Resources and request the specific data that would need to be recovered from our Backup system.

III. IN CASE OF QUESTIONS

Questions regarding this procedure can be directed to the Vice President of Human Resources.

---

As a member of our community, your FDU NetID is your passport to accessing many of Fairleigh Dickinson University’s IT services. Most important is your student, employee, or alumni FDU Email account. When using FDU Email, you are an ambassador for our institution and our expectation is that you will conduct yourself in an efficient, effective, ethical and lawful manner. Please review our Policy for Acceptable Use of Email to ensure that you are adhering to all security and decorum requirements.

Effective Date: 01/01/2018

1.0 Introduction

The purpose of this policy is to ensure the proper use of e-mail by all those assigned a Fairleigh Dickinson University (FDU) e-mail account. This policy applies to any e-mail system that FDU has or may install in the future. It also applies to employee use of personal e-mail accounts via browsers, as directed below. All users of FDU e-mail systems have the responsibility to use their e-mail in an efficient, effective, ethical and lawful manner. E-mail users must follow the same code of conduct expected in any other form of written or face-to-face business communication. FDU may supplement or modify this policy for specific employees in certain roles. This policy complements similar FDU policies such as the Acceptable Use Policy and the Written Information Security Program (WISP). Please read and follow those policies as well.

The University subscribes to the 1940 Statement of Principles on Academic Freedom and Tenure and the 1940 and 1970 Interpretive Comments issued thereon, formulated jointly by the Association of American Colleges and the American Association of University Professors. Nothing in this policy is intended to supersede those statements and principles.

2.0 Ownership of Email Data

The University owns all University email accounts in the fdu.edu domain, or any subsequent domains it may create (University Email Accounts). Subject to underlying copyright and other intellectual property rights under applicable laws and University policies , the University also owns data transmitted or stored using the University Email Accounts.

3.0 Employee Responsibilities

FDU only supports the installation and usage of approved e-mail clients.

Usernames will be assigned as part of the University’s e-mail registration process and reflect internally mandated e-mail naming conventions.

3.1 Acceptable Uses

• Communicating in a professional manner with other FDU associates about work-related matters.
• Communicating in a professional manner with parties outside FDU for business purposes.
• Personal communications that are brief and do not interfere with work responsibilities.
• Users are allowed to access personal e-mail accounts on a limited basis, without disrupting business responsibilities. Access can be gained only by using a browser. Use of e-mail-specific protocols, such as POP3 and IMAP4, is prohibited, since they require specific firewall ports to be open.
• Electronic messages are frequently inadequate in conveying mood and context. Users should carefully consider how the recipient might interpret a message before composing or sending the message.

3.2 Unacceptable Uses

• Creating and exchanging messages that can be interpreted as harassing, obscene, racist, sexist, ageist, pornographic or threatening, as defined by University policies.
• Creating and exchanging information that is in violation of copyright or any other law. FDU is not responsible for an associate’s use of e-mail that breaks laws.
• Personal communication that interferes with work responsibilities.
• Opening file attachments from an unknown or untrustworthy source, or with a suspicious or unexpected subject line.
• Sending unprotected healthcare data and personally identifiable consumer data or other confidential information to unauthorized people or in violation of FDU’s Acceptable Use Policy, or the Written Information Security Program (WISP). , Health Insurance Portability and Accountability Act and/or Gramm-Leach-Bliley Act regulations. Exceptions may be authorized by the University Chief Information Security Officer working with the employee’s supervisor. Communications that strain FDU’s network or other systems unduly, such as sending large files to large distribution lists.
• Communications to distribution lists of only marginal interest to members, and replying to the entire distribution list when a personal reply is effective.
• Communications with non-specific subject lines, inarticulate language, and without clear purpose.
• Auto-forwarding e-mail messages from your University e-mail account.
• Using any e-mail system, other than FDU’s e-mail system, for FDU-related communications.
• Circulating chain letters and/or commercial offerings.
• Circulating unprotected healthcare data and personally identifiable consumer data that would violate U.S. Federal HIPAA and GLB regulations. Exceptions may be authorized by the employee’s supervisor and in conjunction with use of a University-approved e-mail encryption service.
• Altering or forging the “From” line or any other attribution of origin contained in electronic mail or postings.
• Using any of the University systems for sending what is commonly referred to as “SPAM” mail (unsolicited bulk email)

4.0 Privacy Guidelines

The University typically does not review the content of electronic messages or other data, files, or records generated, stored, or maintained on its electronic information resources; however, it retains the right to inspect, review, or retain the content of such messages, data, files, and records at any time without prior notification. Any such action will be taken for reasons the University, within its discretion, deems to be legitimate. These legitimate reasons may include, but are not limited to,

• responding to lawful subpoenas or court orders;
• investigating misconduct (including research misconduct);
• determining compliance with University policies and the law; and
• locating electronic messages, data, files, or other records related to these purposes.

FDU maintains the right to monitor and review e-mail activity to ensure compliance with this policy, as well as to fulfill FDU’s responsibilities under the laws and regulations of the jurisdictions in which it operates. Users should have no expectation of privacy.

• Except as otherwise stipulated in this policy, on termination or separation from FDU, FDU will immediately deny access to e-mail, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient.
• Except as otherwise stipulated in this policy, employees who leave FDU will have their mailbox deleted within six months of their termination date. The employee’s manager may request that access be given to another employee who may remove any needed information within the same six month time frame.
• FDU reserves the right to intercept, monitor, review and/or disclose any and all messages composed, sent or received on the University e-mail system. Intercepting, monitoring and reviewing of messages may be performed with the assistance of content filtering software, or by designated FDU employees and/or designated external entities. Employees designated to review messages may include, but are not limited to, an employee’s supervisor or manager and/or representatives from the HR, legal or compliance departments.
• FDU reserves the right to alter, modify, re-route or block the delivery of messages as appropriate. This includes but is not limited to:
  • Rejecting, quarantining or removing attachments and/or malicious code from messages that may pose a threat to FDU resources.
  • Rejecting or quarantining messages with suspicious content.
  • Rejecting or quarantining messages containing offensive language or topics.
  • Re-routing messages with suspicious content to designated FDU employees for manual review.
  • Appending legal disclaimers to messages.
• Electronic messages are legally discoverable and permissible as evidence in a court of law.
• Users of the University’s computing and electronic communications resources must understand that electronic messages, data, files, and other records generated, stored, or maintained on University electronic information resources may be electronically accessed, reconstructed, or retrieved by the University even after they have been deleted.

5.0 Security

As with any other type of software that runs over a network, e-mail users have the responsibility to follow sound security practices.

• Users should not use the e-mail system to transfer sensitive data, except in accordance with FDU data protection policies. Refer to the Written Information Security Program (WISP). Sensitive data passed via e-mail over the Internet could be read by parties other than the intended recipients, particularly if it is clear text. Malicious third parties could potentially intercept and manipulate e-mail traffic.
• In an effort to combat propagation of e-mail viruses, certain attachment types may be stripped at the University e-mail gateway. Recipients will be notified via e-mail when this occurs. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).
• Attachments can contain viruses and other malware. User should only open attachments from known and trusted correspondents. Suspicious attachments should be reported to the University Technical Assistance Center (UTAC).
• Spam is automatically filtered at the University gateway in a highly efficient manner. Errors, whereby legitimate e-mail can be filtered as spam, while rare, can occur. If business-related mail messages are not delivered, users should check their local spam folder or the daily spam digest. If the message is not there, users should contact University Technical Assistance Center (UTAC).
• Users will not be asked by OIRT or any other FDU group by e-mail for personal information such as usernames or passwords. Any such requests should not be responded to and should be referred to the University Technical Assistance Center (UTAC). Such approaches – known as phishing – are fraudulent approaches carried out for the purpose of unlawful exploitation.

6.0 Operational Guidelines

FDU employs certain practices and procedures in order to maintain the health and efficiency of electronic messaging resources, to achieve FDU objectives and/or to meet various regulations. These practices and procedures are subject to change, as appropriate or required under the circumstances.

• For ongoing operations, audits, legal actions, or any other known purpose, FDU saves a copy of every e-mail message and attachment(s) to a secure location, where it can be protected and stored for three years. Recovery of messages from this store is prohibited for all but legal reasons.
• To deliver mail in a timely and efficient manner, message size must be less than 25MB. Messages larger than 25MB will be automatically blocked and users will be notified of non-delivery. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).

Access to the content of electronic mail, data, files, or other records generated, stored, or maintained by any user may be requested from the University’s Associate Vice President of Technology Infrastructure for the reasons set forth below and shall be authorized as follows:

1. by the Associate Vice President of Human Resources for all University employees;
2. by either Dean of Students for students; or
3. by the General Counsel for the purposes of complying with legal process and requirements or to preserve user electronic information for possible subsequent access in accordance with this policy.

In all cases, the Office of the General Counsel must be consulted prior to making a decision on whether to grant access. In the case of a time-critical matter, if the authorizing official is unavailable for a timely response, the General Counsel may authorize access.

All full-time faculty who retire from the University may keep their email address for life if they request to do so.

All full-time faculty who leave the University for reasons other than termination for cause, may request email forwarding for up to six months.

7.0 Governance and Enforcement

This policy was created with input from the University’s Data Security Incidence Response Team (DSIRT). At the request of the University’s Chief Information Security Officer (CISO), the DSIRT will review this policy annually to ensure that FDU is in compliance with internal or external requirements. FDU faces liability if users violate the terms of this policy. Therefore, willful or repeated violations of this Acceptable Use Policy for E-mail can result in informal or formal warnings, the loss of e-mail privileges, and other sanctions including termination. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted.

For assistance with this policy, please contact the University’s Chief Information Security Officer (CISO).

Exceptions to this policy may be authorized by the University Chief Information Security Officer working with the employee’s supervisor.

Policy violations should be reported immediately to the University’s Associate Vice President of Technology Infrastructure

The University reserves the right to suspend an e-mail account while investigating a complaint or troubleshooting a system or network problem.

This document will be reviewed semi-annually and is available both electronically and in printed form at each of the Campus Computing Centers.

It is the user’s responsibility to remain informed about the contents of this document.

Other Related and Applicable Policies

---

FDU’s VPN Client Software, is also known as the “Cisco AnyConnect Secure Mobility Client”.

1. Use any web browser (Google Chrome, Mozilla Firefox, Safari) to navigate to vpn.fdu.edu. Please refrain from using the Internet Explorer web browser when installing the FDU VPN Client

2. Select your role within the University from the Group pulldown menu and enter your NetID Information in the username and password fields (user@fdu.edu)

3. On the left-hand side menu, click on “AnyConnect“, then click on “Start AnyConnect”

4. Download the VPN applet by clicking on “Download for Windows” or “Download for macOS” depending on your operating system. The browser will then download the VPN software client. When finished downloading, click on the file and select “open” within your browser

Chrome

Firefox

Safari

The browser will open a new window asking for permission to download the applet, click on “Allow”. When finished downloading, double click on the file to open the installation package and start the installation process.

5. Follow the steps prompted to accept all changes and grant requested permissions to install FDU VPN software. Note, Java Runtime Environment software may also need to be installed. A copy of the software download will be prompted to be installed or can be accessed at java.com/en/download/

6. The installation will continue, and an icon for the “Cisco AnyConnect Secure Mobility Client” with a “lock” icon will appear in your system tray once the installation is complete

1. Log into your computer

2. Launch the Cisco AnyConnect Secure Mobility Client from the Start Menu. Ensure the address “vpn.fdu.edu” is entered into the corresponding text box and then press the “Connect” button

3. Select your correct Group name on the dropdown menu, then enter your FDU NetID username and current FDU NetID password in the corresponding boxes. Click “OK“

4. Ensure a successful connection was made by checking on your system tray at the bottom right portion of your screen, or if on macOS, the client application window will display a screen check over the lock icon

The following instructions are the same for both Windows and macOS users.

1. Register with Duo MFA

• If you are an existing Duo user, please skip to Step 2
• For new Duo users, please follow the guide below for registering your DUO Account

2. Launch the “Cisco AnyConnect Secure Mobility Client” from the Start Menu or your Mac’s application folder if on macOS

3. Ensure the address “vpn.fdu.edu” is entered into the corresponding text box and then click the “Connect” button

4. Select your correct Group name on the dropdown menu

5. Enter your FDU NetID username and current FDU NetID password in the corresponding boxes. Click “OK”

6. In response, you’ll receive the Duo challenge dialog box. To use the preferred method type push in the Answer: dialog box, then click “Continue“

7. Tap “Approve” on the Duo login request received at your phone

8. Ensure a successful connection was made by checking on your system tray at the bottom right portion of your screen, or if on macOS, the client application window will display a screen check over the lock icon

Additional DUO Information

Users with multiple registered Duo devices will need to enter push1 for their primary device or push2 for their backup device. If you are unsure which device is your primary or secondary device, open the Duo Mobile app on your mobile device, click Fairleigh Dickinson University and enter the passcode displayed.

Additional DUO Authentication Options

Type	Instructions
Push (Preferred)	Push a login request to your phone (if you have Duo Mobile installed and activated on your iOS or Android device). Review the request and tap “Approve” to log in.
Passcode	Open the Duo Mobile App. Tap “Fairleigh Dickinson University” and the passcode will be displayed, or call the Fairleigh Dickinson University Technical Assistance Center (UTAC) for a passcode.
Phone	Have Duo call your phone to authenticate your login.(Users with multiple devices will need to include a number indicating desired device i.e. Phone2). This option is only available to Faculty, Staff and approved Students.
SMS	Have Duo text a passcode to your phone. (Users with multiple devices will need to include a number indicating desired device i.e. SMS2). NOTE: This option is only available to Faculty, Staff and approved Students.

Additional Resources for Cisco DUO

All employees of Fairleigh Dickinson University are responsible for conducting business in a safe and secure way. Select employees may be required to view Personal Information (PI) and Personal Health Information (PHI) as part of their daily responsibilities, while others may handle sensitive information of another nature. All employees receive correspondence from outside the University. Ensuring that our community remains safe and diligent in the face of today’s cyber landscape is vital. The policy below will provide a baseline understanding of the data security protocols in place and the expectations on FDU employees to uphold them.

Effective Date: 12/01/2022
Last Revision: 03/15/2021
Last Review: 11/28/2022

I. OBJECTIVE

The objective of Fairleigh Dickinson University (“University”) in the development and implementation of this comprehensive Written Information Security Program (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of Personal Information (“PI”) and Protected Health Information (“PHI”). The WISP sets forth the University’s procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PI and PHI.

For purposes of this WISP, PI means:

1. User name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.

2. Someone’s name and any one of the following data elements:
   
   • Social Security number, Social Insurance number, National Insurance number, or equivalent;
     
   • Date of birth (MM/DD/YYYY),
     
   • Driver’s license number, state-issued identification card number, or provincially-issued identification card number;
     
   • Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account;
     
   • Passport number;
     
   • Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional or health insurance information; or
     
   • Student/Employee (i.e., Datatel) ID number coupled with a password or security question and answer or any portion of any item in the list above that would permit access to an online account.

For purposes of this WISP, PHI includes information that is created, received, and/or maintained by the University that is related to an individual’s health care (or payment related to health care) that directly or indirectly identifies the individual.

PI or PHI shall not include information that is lawfully obtained from publicly available information, or from federal, state, provincial or local government records lawfully made available to the general public.

Notwithstanding the above and irrespective of whether or not it’s considered PII or PHI, one should always take care and caution to use the minimum data elements necessary to perform the business function at hand.

II. PURPOSE

The purpose of the WISP is to better:

1. Ensure the security and confidentiality of PI and PHI;
   
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
   
3. Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

III. SCOPE

In formulating and implementing this WISP, the University has addressed and incorporated the following protocols:

1. identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI;

2. assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the PI and PHI;

3. evaluated the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;

4. designed and implemented a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of the regulations in this document; and

5. implemented regular monitoring of the effectiveness of those safeguards.

IV. DATA SECURITY COORDINATOR

The University has designated the Chief Information Security Officer (CISO), working together with the Data Security Information Response Team (DSIRT), to implement, supervise and maintain the WISP. See Appendix II for contact information for the CISO and DSIRT. Together, they will be responsible for:

1. Initial implementation of the WISP;
   
2. Regular testing of the WISP’s safeguards;
   
3. Evaluating the ability of each of the University’s third party service providers to implement and maintain appropriate security measures for the PI and PHI to which the University has permitted them access, consistent with the regulations outlined in this document; and requiring such third party service providers by contract to implement and maintain appropriate security measures;
   
4. Reviewing the scope of the security measures in the WISP at appropriate intervals, including the review of any material change in the University’s business practices that may implicate the security or integrity of records containing PI and PHI; and
   
5. Conducting training sessions for all University employees, and independent contractors, including temporary and contract employees, who have access to PI and PHI on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with University requirements for ensuring the protection of PI and PHI.

V. INTERNAL RISKS

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

Internal Threats

1. The University shall only collect PI and PHI of students, their parents, alumni, donors, suppliers, vendors, independent contractors or employees that is necessary to accomplish the University’s legitimate need to access said records, and for a legitimate job-related purpose, or necessary for University to comply with state, provincial, or federal regulations.
   
2. Access to records containing PI and PHI shall be limited to those persons who are reasonably required to know such information in order to accomplish a University legitimate business purpose or to enable the University to comply with state, provincial or federal regulations.
   
3. All persons who fail to comply with this WISP shall be subject to disciplinary measures, up to and including termination, irrespective of whether PI and PHI was actually accessed or used without authorization. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents.
   
4. Access to PI and PHI shall be restricted to authorized University personnel only.
   
5. Any PI and PHI stored shall be disposed of when no longer needed for business purposes or required by law for storage. Paper or electronic records (including records stored on hard drives or other electronic media) containing PI and PHI shall be disposed of only in a manner that complies with the regulations outlined in this document and as follows:
   
   • Paper documents containing PI and PHI shall be shredded upon disposal so that PI and PHI cannot be practicably read or reconstructed; and
     
   • Electronic media and other non-paper media containing PI and PHI shall be destroyed or erased upon disposal so that PI and PHI cannot be practicably read or reconstructed.

6. A copy of this WISP must be distributed to each current University employee and to each new University employee at the commencement of their employment.

7. Procedures for Terminated Employees (whether voluntary or involuntary)
   
   • Terminated employees must return all records containing PI and PHI, in any form that may at the time of such termination be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.)
     
   • A terminated employee’s physical and electronic access to PI and PHI must be immediately blocked. Such terminated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the firm’s premises or information. Moreover, such terminated employee’s remote electronic access to personal information must be disabled.

8. Physical Assets Protocol
   
   • All assets must be secured from theft by locking up and maintaining a secure workplace, whether that work takes place in University stores, offices, at a client site, in a car, hotel or in a home.
     
     • All University laptops shall be deployed with encryption capabilities enabled. End users may not disable such encryption. Exceptions to this policy are as follows:
       
       • With the explicit written authorization of the CISO;
         
       • May be disabled by OIRT personnel for temporary maintenance purposes only;
         
       • Loaner laptops temporarily assigned with the understanding they will not be used to store or access any information that is considered to be protected under this policy.
         
     • All laptops should be placed in the trunk of vehicle when and wherever they are parked. If no secure trunk or other storage is available, employees should, whenever possible, keep their laptops in their possession or find a way to secure and conceal it.
       
     • Laptops, PDAs, phones and other portable devices that may contain or have access to PI and/or PHI left in the office or at home over night should be kept in a locked and secure location.
       
     • Employees must have assets secured or within their physical possession while on public or private transportation, including air travel.
       
   • Files containing PI and/or PHI are not to be stored on local computer hard drives, shared drives or other external media (which include externally hosted services such as, but not limited to OneDrive, Google, and Drop Box) without prior written authorization from the CISO. If approved, the method of storage and access to the data will be determined by the CISO during the discussion and placed in writing. (See Appendix I for more detail).

9. Access Control Protocol
   
   • Access to electronically stored PI and PHI shall be electronically limited to those University employees having a unique log-in ID.
     
   • Employees must ensure that all computer systems under their control are locked when leaving their respective workspaces. Employees must not disable any logon access.
     
   • Employees must log off of the VPN or Virtual Desktop (VDI) when they are not directly using those resources.
     
   • All Ellucian (Datatel) sessions that have been inactive for 60 or more minutes shall require re-log-in.
     
   • After 5 unsuccessful log-in attempts by any Ellucian (Datatel) or MS Active Directory NetID, that user ID will be blocked from accessing those systems until access privileges are re-established by University Systems and Networking.
     
   • Employees must maintain the confidentiality of passwords and access controls:
     
     • All Ellucian (Datatel) or MS Active Directory NetID passwords are required to adhere to strong password rules.
       
     • All Ellucian (Datatel) or MS Active Directory NetID passwords are required to be changed every 3 months.
       
     • Employees must not share accounts or passwords with anyone.
       
     • Employees should not record passwords on paper or in a document or in a place where someone other than the employee might have access to it. Tip: The University has identified a password vault application (Keepass); those interested should open a ticket with the Fairleigh Dickinson University Technical Assistance Center (UTAC) requesting assistance on setting it up.
       
   • Where practical, all external or internal visitors to a department are restricted from areas where files containing PI and PHI are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing PI and PHI are stored.

VI. EXTERNAL RISKS

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

External Threats

1. Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes PI and PHI.
   
2. All system security software including, anti-virus, anti-malware, and internet security shall be reasonably up-to-date and installed on any computer that stores or processes PI and PHI.
   
3. To protect against external threats, all PI and PHI shall be handled in accordance with the protocols set forth above under “Internal Threats”.
   
4. In the event an individual inadvertently discovers he/she received PI or PHI from an external party, such PI or PHI shall be handled in accordance with the protocols set forth under “Internal Threats”.
   
5. There shall be secure user authentication protocols in place that:
   
   • Control user ID and other identifiers;
     
   • Assigns passwords in a manner that conforms to accepted security standards, or applies the use of unique identifier technologies;
     
   • Control passwords to ensure that password information is secure.
     
6. PI and PHI shall not be removed from the business premises in electronic or written form absent a legitimate business need and use of reasonable security measures, as described in this WISP.
   
   • PI and/or PHI that MUST be transmitted in electronic form shall not be sent without encryption.
     
   • PI and/or PHI in paper form must be secured.
     
7. All computer systems shall be monitored for unauthorized use or access to PI and PHI.

VII. IN CASE OF LOSS/THEFT OR SUSPECTED LOSS/THEFT

If you have reason to believe that any PI or PHI has been lost or stolen or may have been compromised or there is the potential for identity theft, regardless of the media or method, you must report the incident immediately by contacting the Fairleigh Dickinson University Technical Assistance Center (UTAC). The UTAC is available 24 x 7.

VIII. OTHER APPLICABLE POLICIES

Data Security Information Response Plan (September 15, 2019, not published on Web)

IX. EXCEPTIONS

Requests for exceptions to this policy should be directed in writing to the Chief Information Security Officer. Only the Chief Information Security Officer in consultation with the DSIRT may grant such exceptions and will do so only after careful review and in writing.

X. REVIEW

This policy shall be reviewed annually by the Data Security Incident Response Team (DSIRT) at the first meeting in April.

Appendix I

Technical requirements for the storage of files containing PI or PHI regardless of where the storage occurs will include but not be limited to the following:

1. All file(s) should be secured with AES 256bit encryption unless actively open for review or modification.
   
2. It is the responsibility of the person handling the PI or PHI file to securely delete any files created as a product of the manipulation of those files. As an example, temporary files created by Microsoft Office programs or any other programs would need to be securely deleted as well as the clear text versions of the original file after the encrypted version is properly created and verified.
   
3. Programs used for Encryption/Decryption and secure file deletion must be approved by the CISO including the methods in which they are to be used.
   
4. If the complete or partial PI or PHI containing file(s) are inadvertently written to a local hard drive, it is the user’s responsibility to diligently make sure the contents are securely deleted.

Appendix II

DATA SECURITY INCIDENT RESPONSE TEAM (ROLES AND RESPONSIBILITIES)

The Data Security Incident Response Team membership includes the Chief Operating Officer, the Chief Information Officer, the Chief Information Security Officer, the Chief Academic Officer, the University General Counsel and the University Risk Manager. Each member of the Data Security Incident Response Team (DSIRT) has responsibilities related to the security of all the organization’s sensitive information. The DSIRT members listed below have specific responsibilities with regard to the reporting and handling of data security incidents. Note that one person may serve in multiple roles.

Senior Vice President for Finance & Administration: Hania Ferrara
Daytime telephones: office: 201-692-2381; Email: ferrara@fdu.edu

Chief Information Officer (CIO): Neal Sturm
Daytime telephones: office: 201-692-8689; Email: sturm@fdu.edu

Chief Information Security Officer (CISO): Kimberley Dawn Dunkerley
Daytime telephones: office: 201-692-7672; Email: ddunkerley@fdu.edu

Privacy Officer: Kimberley Dawn Dunkerley
Daytime telephones: office: 201-692-7672; Email: ddunkerley@fdu.edu

Chief Academic Officer (CAO): Michael Avaltroni
Daytime telephones: Office: 201-692-7093; Email: mavaltroni@fdu.edu

University General Counsel: Edward Silver
Daytime telephones: office: 201-692-7071; Email: esilver@fdu.edu

University Risk Manager: Gail Lemaire
Daytime telephones: office: 201-692-7083; Email: lemaire@fdu.edu

Vancouver Campus Executive: Wilfred Zebre
Daytime telephone: office: 604-648-4462; Email: wilfred_zerbe@fdu.edu

---