Information Technology
MSU Collage Image

Technology Security Policy
Policy PG-55

Purpose


To establish the general standards of conduct expected of Morehead State University administrators faculty, staff, students, members of the Board of Regents, volunteers, and sponsored guests using University Technology resources.

Policy

Morehead State University supports adherence to security policies, standards and procedures to protect its technology resources from unauthorized, prohibited, accidental, intentional, or malicious modification, destruction, or disclosure. The protection of these technology resources relating to the conduct of business is a basic management responsibility.
Definitions

Technology User Morehead State University employees, students, directors, officers, volunteers and holders of sponsored guest accounts, including all persons providing contractor services to Morehead State University, who use, process or store computerized data relevant to University business and to technology resources made available to individuals to assist in the pursuit of educational goals.

Technology Resources include, but are not limited to, University data files, software, computers, networks, email, telephone systems, voice mail systems and cable television systems.

Authorized Access permission granted to a technology user by a data custodian and/or appropriate supervisor to access technology resources for instructional, educational, research or employment-related responsibilities. Authorized access may be granted though, but not limited to, the issuance of passwords or keys to a technology resource.

University Need includes, but is not limited to University administration's determination that probable cause exists that computer security laws, University policies, standard or regulations have been or are being violated. Need may also include the retrieval of official University correspondence or information received electronically by an employee during an extended absence from duty.

Data Custodian MSU employee assigned management responsibility for oversight of official University data that could include but is not limited to student records, financial records, personnal records, alumni records, inventory or facility information. For example, the Registrar is that Data Custodian for official student records maintained on the University's student information system.

Prohibited Conduct

 The following conduct is prohibited (this list is not intended to be all inclusive):

  1. Copying University-owned or licensed software or University-owned data to another computer system for personal or external use without prior written approval by the University and/or licensee.
  2. Attempting to copy or modify University-owned or licensed software or official University-owned data files without prior written approval by the data custodian or other individual or office responsible for its maintenance.
  3. Attempting to damage or disrupt operation of computing equipment, data communications equipment, or data communications lines. Unauthorized capture of network traffic from the local area network or backbone.
  4. Using University technology resources for purposes other than those intended by granting access to these technology resources to unauthorized persons, even if those persons are members of the University community.
  5. Using University technology resources in external consulting unless authorized in accordance with University policy and procedures. Technology users may not use University technology resources to advertise for any commercial purposes.
  6. Using University technology resources in external self-employment activities unless authorized in accordance with University policy and procedures.
  7. Failing to protect an account from unauthorized access by sharing of user id's and associated passwords or deliberately leaving a logged in account unattended.
  8. Installing illegal software, as defined by the official software license agreement, on MSU computer equipment.
  9. Using MSU technology resources to gain unauthorized access to other technology resources or in the commission of any illegal activity (criminal or intellectual property violations); or violation of any regulations specified in the Personnel Policies or the Student Handbook.
  10. Sending e-mail with false return addresses or ids.
  11. Harassing any user by sending unwanted messages.
  12. Operating an unauthorized server.
  13. Failing to protect an account from unauthorized access.
  14. Sending chain mail or unauthorized or unsolicited mass mailings.
  15. Attempting access or accessing unauthorized technology resources.

Scope

This policy applies to all Morehead State University technology users. It is expected that technology users will cooperate with each other so as to promote the most effective use of technology resources and will respect each other's ownership of work even though it is in electronic rather than printed form.

Individuals and organizations will be held no less accountable for their actions involving technology resources than they would be in the protection of other University property and situations.
Administration of Policy

The Office of Information Technology is responsible for the maintenance of this policy.


Standards

All technology users shall adhere to the following standards:

  1. Every effort shall be made to restrict technology resources to those people with authorized access. Administrative data base managers and data custodians have primary responsibility for insuring that access to data in the modules under their control and responsibility is restricted to those people with authorized access.
  2. The flow of information/data shall be protected from unauthorized access or prohibited conduct which could have serious adverse, economic, legal or personal consequence.
  3. University computer-based information and equipment shall be reserved for the official educational and administrative/ business goals of Morehead State University.
  4. Requests for official University information in electronic format from non-University personnel shall be routed through the appropriate supervisory chain of command to assure conformance to privacy, security standards, and the Commonwealth of Kentucky Open Records Act and/or the Freedom of Information Act. This excludes requests for electronic information from library holdings available through the University library system(s).
  5. Technology resource access is based on judicious and responsible use. Technology resources are valuable, and their abuse can have a serious impact on everyone who uses those resources.

Monitoring/Management

To properly maintain and manage the University computer programs, databases, files, and E-mail records, the University may exercise its right to inspect, record, transfer, and/or remove all information contained therein that is in conflict with University policies, standards, or regulations and take other appropriate action if inadequate, unauthorized or improper usage is determined. However, such inspection, recording or removing could also be done on the basis of University need.

Any access of a technology users e-mail or other electronic records by an Information Technology or Internal Audit staff member shall only be done at the request of, or with prior written approval by, the technology user, a Vice President, University General Counsel or the President.

The University has the right to extend, limit, restrict, or deny access to its technology resources.

Morehead State University is the owner of the e-mail systems and all mail that resides on those systems.


Notification

To the extent practical, University employees, officers, directors, students, and volunteers, and sponsored guests will be made aware that their electronic communications may be inspected within the guidelines of this policy.

Violations

Suspected violations of computer security laws, University policies, standards or regulations shall be reported at once to the Assistant Vice President for Information Technology and the Director of Internal Audits.

Those found to have violated the technology security policy or other policies regarding technology usage may have their electronic access suspended and/or be suspended from employment with or without pay or be dismissed from employment, enrollment or association with the University in accordance with University policies. The University reserves the right to impose charges for the expenses incurred in such actions.