IT Policies & Guidelines

I. Active Directory Membership

All Pittsburg State University computing devices purchased with university funding or whose support and maintenance is the responsibility of university technicians and that is capable of being placed in Active Directory (AD) shall be placed in the PITTSTATE.EDU Active Directory Domain using the university’s central domain controllers.  In addition, all Apple devices meeting these same criteria that are capable of being enrolled with a MAC server, shall be enrolled with the university’s central MAC server.

II. Naming Conventions

Purpose 
Provide a naming convention for all units within Pittsburg State University’s Active Directory that uniquely identifies workstations, servers, users, groups, organizational units (OUs), Group Policy Objects (GPOs) and distribution lists. PSU has thousands of objects that provide information and act as resources to many departments. The only possible way to ensure AD can be used effectively is to enforce naming standards. Aside from avoiding name collisions, naming standards will allow users and administrators to efficiently search through thousands of objects and locate their resources and data.

User Account Names 
AD user accounts have account names and distinguished names that identify them within Active Directory. The user account name shall be identical to the email address prefix assigned to the client and shall adhere the naming convention previously established for email address prefixes.

Computer Names 
It is recommended that when naming a computer object that you follow the guidelines below. 

How do we name our client machines? 
Example: SSLS-asagehorn 

How do we name our lab/kiosk workstations? 
Dept-LabID-Sequence 
Example: Const-Lab302-1

Printer Names:

It is recommended that when naming a printer object you follow the guidelines below.

How do we name our printers?
Dept-Location-PrinterType 
Example: ITS-KC158-Copier

Group Policy:
ITS will work to develop and deploy group policy templates that will be used to enable “best practice” configurations for computer workstations, lab computers, and other applicable computing devices.

Distributed Administration:
ITS will delegate certain administrative permissions within active directory to campus technicians as needed to permit effective support of the devices in their areas of responsibility.

III. Storage Policy

a. Purpose

The intent of this policy is to encourage responsible use and management of the enterprise storage services provided by PSU servers.

b. Policy

Each user and department will receive an initial allocation of Microsoft cloud storage.  Only legitimately work-related files are appropriate consumers of the dollars required to provide cloud storage.  Additional reports provide aggregate totals by file type for the entire storage pool.  Individuals or departments may be contacted to gather information and discuss storage requirements if unusual growth patterns are present.  If needed, technical assistance can be provided to relocate items to alternative storage media.

Some users, departments, or working groups may have legitimate need for additional storage in order to perform their job function.  To request an increase please contact the Gorilla Geeks (x4600 or geeks@pittstate.edu) to create a support ticket explaining the space problem being encountered.  The requestor should detail the amount of additional space they estimate will be needed, and provide information about the intended use for the increased storage requested.  ITS will process each request and may contact the requestor for additional information or to offer alternative suggestions if appropriate and share a quote for the additional storage requested.

c. Review

This policy will be reviewed annually – more often if technological developments warrant.

________________________________________________________________________

Responsible Office:  Information Technology Services

Approved by Information Technology Council:  May 16, 2013

Approved by President’s Council:  May 20, 2013 

Effective Date:  May 20, 2013

Review Cycle:  Annual 

Pittsburg State University acknowledges and upholds federal and state copyright laws. Copyright protection exist for documents and information distributed and shared via the Internet. Pittsburg State University accepts the copyright guidelines outlined in the Digital Millennium Copyright Act (DMCA). PSU is an "online service provider" to the campus community and takes these responsibilities seriously. Pittsburg State University's students, faculty and staff must adhere to ethical copyright practices.

Termination Policy for Violation of Copyright

Pittsburg State University is an "online service provider" as defined by the Digital Millennium Copyright Act (DMCA) [Public Law 105-304].

Responsibility: Users of the Internet services of Pittsburg State University are responsible for compliance with all copyright laws pertaining to information and files they place, distribute, and receive on the Internet using University facilities.

Termination of privileges: Use of the University's online services will be terminated for anyone who violates the copyright provisions of the United States Code on the third notice of violation by the University when the University is able to discern the identity of the person who committed the violations.

Designated Agent: The Pittsburg State University "Designated Agent", as provided for by the DMCA, for notification of possible violations of copyright is:

Jamie L. Brooksher
General Counsel
Pittsburg State University 
1701 S. Broadway 
Pittsburg, KS 66762-5880 
Voice: 620-235-4136 
Fax: 620-235-4080
E-mail: jbrooksh@pittstate.edu

Elements of Notification: A notification of claimed infringement must be a written communication provided to the designated agent of a service provider that includes substantially the following:

• A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
• Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.
• Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.
• Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.
• A statement that the complaining party has made a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
• A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Take Down: To the extent reasonably possible, Pittsburg State University will expeditiously remove and/or block access to material posted by a user upon notice of infringement of copyright provided to the Designated Agent by the United States Copyright Office.

Notice: If Pittsburg State University can reasonably discern the identity of the person responsible for the violation, that person will be promptly notified by the Designated Agent and will be provided with the following information:

• Name and address of the complaining party;
• Sufficient information to identify the copyrighted work or works; and
• A statement from the copyright owner that it has a good faith belief that there is no legal basis for the use of the materials complained of.

Put Back: If the individual receiving notice of improper use believes that the material in question is being used lawfully, a "counter notice" should be provided to the Designated Agent and Pittsburg State University will restore access within 14 days of the counter notice, unless the matter has been referred to a court. The Counter Notice must contain the following:

• The individual's name, address, phone number and signature;
• Identification of the material and its location before removal;
• A statement, under penalty of perjury, that the material was removed by mistake or misidentification on the part of the complainant; and
• Consent to local Federal court jurisdiction.

Privacy Rules: Under the DMCA, Pittsburg State University may be obligated to provide names of individuals using its online services upon the order of a Federal court. The University will safeguard the privacy of a user's identity on the Internet to the full extent of the law.

Circumvention of Protection Technologies: The DMCA prohibits the "circumvention" of any effective "technological protection measure" (e.g., a password or a form of encryption) used by a copyright holder to restrict access to its material.

Further Information: Questions about compliance with the DMCA at Pittsburg State University may be addressed to the Designated Agent listed above.

Pittsburg State University
Data Classification, Access and Information Protection Policy

Purpose
Data and information are important assets of Pittsburg State University (PSU) and must be protected
from loss of integrity, confidentiality, or availability in compliance with university policy and guidelines, Board of Regents policy, and state and federal laws and regulations.

Scope
This policy applies to all university colleges, departments, administrative units, and affiliated
organizations. For the purposes of this policy, affiliated organization refers to any organization that
uses university information technology resources to create, access, store, or manage University Data. For third party vendors who create, store, or maintain University Data per a contractual agreement, the agreement should include language specifying how, and to what extent the vendor is to comply with this policy.

Policy
All University Data must be classified according to the PSU Data Classification Schema. It must be
accessed with the appropriate level of permission according to PSU’s Roles and Responsibilities, and
protected according to PSU’s Security Standards. This policy applies to electronic data in all formats
and media.

Data Classification Schema
Data and information assets are classified according to the risks associated with data being stored or
processed. Data with the highest risk need the greatest level of protection to prevent compromise;
data with lower risk require proportionately less protection. Three levels of data classification will be
used to classify University Data based on how the data are used, its sensitivity to unauthorized
disclosure, and requirements imposed by external agencies. Unless otherwise indicated, Non-Public is
the default classification for data.

Level I Public (Low Sensitivity) – Data which are of interest to the general public and for which
there is no University business need or legal reason to limit access. Public data may be made
available to the general public in printed or electronic format. Anyone in the general public
may view these data using such public sources. Examples of public data include but are not
limited to:

• Campus directory data
• Course catalog
• PSU public web site
• Employee names
• Work addresses
• Work telephone numbers
• Press Releases

Level II Non-Public (Moderate Sensitivity) – Data held by the University for operational,
educational, and/or other purposes, which are not appropriate and/or readily available for
general public use. Non-public data will be available to authorized University employees for
inquiry/download only in support of the performance of their assigned roles/duties. Non-public
data may be released to individuals or groups outside of the University community only with
approval from the appropriate Data Steward, Records Custodian, or as required by law.
Examples of non-public data include but are not limited to:

• Records subject to disclosure under law including University business transactions
• Employee records not deemed public or confidential
• Student educational records not deemed public or confidential
• Financial accounting data that does not contain Confidential information

Level III Confidential (High Sensitivity) – Highly sensitive data intended for limited, specific use
by a workgroup, department, or individuals with a legitimate need-to-know. Explicit
authorization by the Data Steward is required for access because of legal, contractual, privacy
or other constraints. Examples of confidential data include but are not limited to:
 Personal Identity Information (PII) - An individual's name (first name and last name, or
first initial and last name) in combination with one or more of the following: a) Social
security number, b) driver's license number or state identification card number, or c)
financial account number, or credit or debit card number, alone or in combination with
any required security code, access code or password that would permit access to a
consumer's financial account.

• Social security number
• Passport number
• Credit card number
• Certain personnel records
• Certain student records
• Certain student financial assistance records
• Research data
• Intellectual property

Roles and Responsibilities
Everyone (employees, temporary employees, student employees, volunteers) with any level of access to University Data has the responsibility to protect that information from unauthorized access,
modification, destruction, or disclosure, whether accidental or intentional. The following roles have
specific responsibilities for protecting and managing University Data.

Any suspected loss, unauthorized access, or exposure of University Data classified as Non-Public or
Confidential must be immediately reported to the Information Security Officer, security@pittstate.edu
or 620-235-4657.

Electronic Record Retention Schedule
Pittsburg State University follows the State of Kansas record retention schedules. Schedules are
available at the following link under the heading "State General Schedule":
http://kshs.org/recmgmt/retention_schedule_entries/browse

State Resources in regard to record retention schedule language and definitions:
Government Records Preservation Act:
http://www.kslegislature.org/li/b2013_14/statute/045_000_0000_chapter/045_004_0000_article/045_004_0002_section/045_004_0002_k/

State Records Management Manual: http://www.kshs.org/p/state-records-anagementmanual/11365

Electronic Records Guidance: http://www.kshs.org/p/electronic-records/11334

Legal Hold
Retention procedures will be suspended when a record is placed on legal hold. A legal hold requires
preservation of appropriate records under special circumstances, such as litigation or government
investigations.

Records Management

1. University Data may reside in university records, be used to produce university records, or itself
   constitute university records.
2. University records need to be managed in accordance with approved records retention and
   disposition schedules consistent with University Archives records management policies and
   guidelines. Laws of the State of Kansas require that university records not be discarded or
   destroyed in advance of the authorized disposition date.

Data Classification Committee
Members must include at a minimum:

• Information Security Officer
• General Counsel
• Internal Auditor
• University Archivist
• Director of Institutional Research and Planning

Responsibilities

• Ensure that confidential data is identified
• Review the confidential data report from the Data Stewards
• Approve variances in the classification of data

University Data
University Data is information created, collected, maintained, transmitted, or recorded by or for the
university to conduct university business. It includes data used for planning, managing, operating,
controlling, or auditing university functions, operations, and mission.
________________________________________________________________________
Responsible Office: Office of Information Services
Revision Approved by Information Technology Council: 6/3/15
Revision Approved by President’s Council: 8/21/15
Original Effective Date: 8/21/15
Review Cycle: Annual

• Statement of User Responsibility:
  1. An authorized user must be currently enrolled in or employed by Pittsburg State University.
  2. PSU Computing Resources may be used in manners consistent with the appropriate usage definition given in Section II. An authorized user may utilize computer accounts created for general academic use or accounts which have been created specifically for him/her and to which he/she has been assigned ownership rights by the PSU Office of Information Services.
  3. System users are responsible for maintaining the secrecy of their account passwords. Suspected compromise of account passwords or unauthorized usage of user accounts should be reported to the supervisor of the appropriate laboratory or the director of the Information Technology Services.
• Valid Uses of Computer Resources and Examples of Misuse:
  1. Valid uses of computer resources include instructional or course activities and requirements, faculty research and professional services, and administrative support.
  2. Unauthorized copying, sending, or receiving of copyrighted files is strictly prohibited.
  3. It is a violation of Pittsburg State University policy to use the computer for promoting outside business interests. Computing resources shall not be used for private consulting or personal gain.
  4. It is in violation of Pittsburg State University policy to send obscene messages or mail.
  5. It is inappropriate to examine, or attempt to examine, another computer user's files or mail without permission.
  6. Game playing on Pittsburg State University owned equipment is on a resource available basis. If another user needs resources for a valid use (see II A above) then the user playing a game must end the game and surrender said resources. This includes MUD's, MUCK's, Personal Computer games, etc.
  7. Fraudulent use of computer accounts, networks, mail services, or other resources is a serious violation. Kansas State Law (Section 21-3755) makes unauthorized access and interference with computer systems, computer data, and other computer users illegal.
• Possible Sanctions for Misuse:
  1. If unacceptable use of the computer system is detected, anyone discovered to be hindering normal operations will be notified. It is not appropriate to use any computer resources in ways that are detrimental to the normal operation of any computer system or its users.
  2. Upon detection of an alleged violation, the Information Technology Services will disable the account and turn all pertinent information over to the appropriate university, local, state, or federal authorities.

Illegal Peer to Peer File Sharing

Pittsburg State University maintains network services for students and employees in the University community to utilize in order to further the mission of the University.

PSU is required by Federal Law (H.R. 4137, Higher Education Opportunity Act - HEOA) to make an annual disclosure informing network users that illegal sharing, distribution, and/or downloading of copyrighted materials may lead to civil and/or criminal penalties.  Pittsburg State University takes the responsibility of following this law seriously.  Therefore, the following information is provided to help the PSU community avoid breaking this law.

Copyright protection subsists, in accordance with this title, in original works of authorship fixed in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device. Works of authorship include the following categories:

(1) literary works;

(2) musical works, including any accompanying words;

(3) dramatic works, including any accompanying music;

(4) pantomimes and choreographic works;

(5) pictorial, graphic, and sculptural works;

(6) motion pictures and other audiovisual works;

(7) sound recordings; and

(8) architectural works.

In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work.

Therefore illegal downloading, copying, distribution, or use of games, software, music, movies, or any other digital media is considered a violation of this law.

PSU uses a variety of tools to deter such activity on campus, including:

-Bandwidth management devices

-Switch management protocols

What are the consequences of Illegal Peer to Peer File Sharing?

-PSU penalties: Use of the University's online services will be terminated for anyone who violates the copyright provisions of the United States Code on the third notice of violation by the University.

-Federal penalties:

• Civil penalties of actual damages suffered by the copyright owner from the infringement, or
• Civil penalties of statutory damages of up to $30,000.
• Civil penalties for willful infringement of up to $150,000, and
• Criminal penalties for willful criminal infringement from 1 to 5 years of imprisonment and fines of up to $25,000 for a first offense.

There are a host of legal alternatives for downloading music, movies, software, and games.  Below you will find a variety of links that could be used for such downloads:

-iTunes - Movies, Music, Audio Books: www.apple.com/itunes/

-Amazon - Music, Audio Books: https://www.amazon.com/MP3-Music-Download/

-Rhapsody - Music by Yahoo: www.rhapsody.com

-Napster - Music by Best Buy: www.napster.com

-7 Digital - Music: us.7digital.com

-Last FM- Streaming music and video:  http://www.last.fm

-Pandora - Streaming Radio: www.pandora.com

-Netflix - Streaming Movies/TV: www.netflix.com

-Audible - Audio book downloads: www.audible.com

-Hulu - Television: www.hulu.com

-Many major Networks allow various programming to be streamed at no cost.

Department of Education website:

http://www2.ed.gov/policy/highered/leg/hea08/index.html

Govtracks.us website:

http://www.govtrack.us/congress/bill.xpd?bill=h110-4137

US Government Copyright website:

http://www.copyright.gov/title17

Pittsburg State University Copyright Policy:

Click Here

Policy Purpose:
The Pittsburg State University Information Technology (IT) Lifecycle Policy
was developed to ensure the security of campus data and of campus
network services, as well as provide for satisfactory and efficient client IT
experiences.

To ensure perspectives from various areas of campus, the policy was
developed by the IT Lifecycle Committee, which is made up of 10 diverse
campus stakeholders.

Information Technology Lifecycle Committee Purpose:
The IT Lifecycle Committee was formed at the request of the Information
Technology Counsel (ITC) to develop a policy that would guide those who
manage and purchase campus technology. The goal of the policy is to
ensure the security of campus data and of campus network services, as well
as provide for satisfactory and efficient client IT experiences. The IT
Lifecycles Committee reviews all submitted IT Lifecycle Exception requests.
Exceptions to the above policy are considered in isolated circumstances.
To request an exception please complete the IT Lifecycle Exception Form
and send it to ITLifecycleException@pittstate.edu for consideration.

Membership Structure of the IT Lifecycle Committee:

• 2- Academic Tech Representation
• Support Tech Representation
• Purchasing Officer Representation
• 2-Academic Chair Representation
• Library Representation
• IT Security Officer
• Help Desk and IT Training Representation
• Chief Information Officer

IT Lifecycles Policy:

End Of Life:

Recommended Best Practices:

• Hardware/Software Replacement Plan: It is recommended that all
University departments have a written plan for updating IT resources
(hardware, software, peripherals, etc.) and aligning those updates to
budgeted funds. (Note: Industry standards indicate that updating
computer hardware every 3-4 years is current industry best practice.)

• Waterfalling Hardware: After hardware is replaced with new
hardware. The old hardware should be considered for other uses as
well as for permanent disposal. Things to consider are the age,
performance, and efficiency of the hardware as well as the computer
technician to hardware ratio in your respective area.

• Peripheral Devices: It is often difficult, and not fiscally responsible, to
replace peripheral devices (printers, projectors, monitors, keyboards,
mice, etc) as often as computer hardware and software at EOL of the
product. It is recommended to consider the replacement and
maintenance of these items carefully. It may be more efficient to
allow older peripherals to remain in place until they no longer
function with a backup plan in place when/if the device no longer
functions.

• Bulk IT Purchases: It is recommended that departments plan for
purchasing carefully and pool large IT purchases at the same time to
ensure price breaks. The coordination of bulk IT purchasing takes
place through the Office of Information Services (OIS) in July,
December, and May of each fiscal year. Additional bulk purchasing
times can be arranged by contacting the Chief Information Officer.

Developed by the IT Lifecycle Policy Committee: April 19, 2017
Adopted by Information Technology Council: April 20, 2017
Approved by President’s Council: June 19, 2017
Policy is reviewed annually by The Information Technology Committee

Multi-Factor Authentication Policy  

(Definition in Addendum) 

Purpose 

The purpose of this policy is to define the use of multi-factor authentication (MFA) for accessing Pittsburg State University (PSU) computer systems containing sensitive data from both on and off campus. The standards set forth in this policy are intended to minimize potential security risks which may result from unauthorized use of PSU computing resources. MFA adds a layer of security which helps deter the use of compromised credentials. 

Applies to 

This policy applies to all PSU faculty, staff, students and affiliate users.   

This policy applies to any system that requires an additional layer of protection as determined by Information Technology Services (ITS) in collaboration with campus data stewards. Systems requiring multi-factor authentication include those supported by ITS as well as systems administered by non-centralized departmental IT staff. Systems requiring the use of MFA include, but are not limited to, virtual private network (VPN), systems utilizing Single Sign-On (SSO), PSU applications/systems that contain sensitive data, system administration tools, and privileged accounts. 

Policy Statement 

All users must use MFA to access PSU computing resources that require MFA. If users do not use MFA, they will not be able to access these computing resources. 

ITS will regularly evaluate and prioritize applications requiring MFA, to enhance the protection of institutional data and personal information. 

Consequences 

Any individual who violates this policy may lose computer and/or network access privileges and may be subject to remediation and/or disciplinary action in accordance with and subject to appropriate University policy and procedures.  

Responsible Office: Information Technology Services  

Approved by Information Technology Council: 05.01.20 

Approved by President’s Council: 05.15.20 

Original Effective Date: TBD 

Review Cycle: Annual  

Last Review: 08.23.23 

Multi-Factor Authentication Policy Addendum   

The State of Kansas Defines Multi-Factor Authentication as follows:       

A method of confirming a User’s claimed identity in which access is granted only after successfully presenting two or more different pieces of evidence (factors) to an authentication mechanism. Factors include knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is). 

Networked Systems Policy

To provide maximum uninterrupted service, effective use and security of campus bandwidth and maximum availability of all network services the Information Technology Services (ITS) has established the following policy.

Definitions: Device - Any computer or telecommunications equipment. Service - Any program or software that is intended to publicly deliver and/or receive data from network users. PSU network - All connections on the PSU campus that connect to the administrative, academic, library or Internet services. This includes services on campus and via the KANREN Internet connection.

1. All devices and services connected to the PSU Network require ITS approval and installation certification (Network Number). This covers all network cards, hubs, servers, bridges, routers, etc.
   1. ITS will specify cable requirements and routes, network operating systems, and network software.
   2. ITS will provide network software parameters from ITS Bootp or DHCP server (i.e. IP addresses, domain names, subnet mask, gateway address, etc.).
   3. ITS will provide technical support to establish a network connection to network services.
   4. ITS will be granted, upon request, access to installed equipment for inspection and maintenance.
   5. ITS retains the right to disconnect from the PSU network any equipment or network which is deem to be involved in disruptive behavior (behavior which intentionally or unintentionally threatens the security, functionality or physical integrity of the PSU network including external networks and hosts).
   6. Networked devices are not allowed to monitor, capture or analyze general network traffic.
   7. Individuals using a network connection provided in University Housing must complete and abide by the University Housing agreement.
   8. Departments wishing to provide network services from their own equipment:
      1. May be responsible for additional cost required (i.e. bridging, routing, firewall, etc.).
      2. Will identify an administrator to manage the service.
         1. The administrator is responsible for the activity and security.
         2. The administrator must provide ITS with root access.
         3. The administrator must be a full-time employee of PSU.
2. Local Area Networks (LANs) with no servers or clients attached to the PSU network are exempt from Item 1 as described in the following - unless arrangements have been made with and approved by ITS.
   1. ITS will not provide support for stand-alone LANs.
   2. ITS will not install a second network card into an existing LAN connected system. Systems found to have a second card will be taken off of the PSU network.
   3. If any stand-alone LAN server, client or peripheral is requested to be placed on the PSU network all other servers, clients, and devices connected to it are subject to the above Item 1.

Questions regarding the meaning or interpretation of the provisions of this policy and subsequent binding agreements may be directed to University's Chief Information Officer.

Password Policy* 

Policy Name:  Password Policy 

Policy Purpose:  The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password changes. 

Scope:  The scope of this policy includes:  
1) All personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Pittsburg State University facility 

2) All individuals who have access to the PSU network, and 

3) All systems (where enforcement is possible) that store any non-public PSU information. 

General Policy Provisions 

Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help the University limit unauthorized or inappropriate access to various resources at PSU, including user-level accounts, web accounts, email accounts, screen saver protection, and local switch logins. 

A poorly chosen password may result in the compromise of University systems, data, or network.  Therefore, ALL PSU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them.  Contractors, vendors, and affiliated organizations with access to University systems also are expected to observe these requirements. 

A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources.  Information Technology Services (ITS) can require a more restrictive policy in protection of confidential data.       

Password Creation  

Passwords created by users of University systems, and on systems where technology makes enforcement possible, must conform to the following guidelines: 

• Must be different than the user’s login name or the reverse of the name and must avoid use of identifiable personal information (names of family or pets, birthdates, etc.) 
• Must be a minimum of twelve (12) characters 
• Must include digits (0-9) 
• Must include both upper and lower case characters (a-z, A-Z) 
• Must use a special character (for example,* & % $) 

These provisions will be enforced electronically whenever possible. 

Changing Passwords 

• Passwords must be changed twice a year. 
• Must be different from the previous twenty-four (24) passwords. 
• The new password must differ from the old password by at least five (5) characters. 
• All default passwords must be changed to meet the current password requirements.  No default passwords shall remain in effect after the required initial usage.  Default passwords include passwords that are supplied with vendor hardware or software or passwords that are system generated. 
• Unnecessary permissions for terminated employees/contractors are revoked in a timely manner. 

Protecting Passwords  

• Passwords should be treated as confidential University information. 
• Passwords should never be written down or posted for reference. 
• Passwords should not be included in email messages or other forms of electronic communication. 
• Passwords should not be transmitted or electronically stored in clear text. 

Sharing Passwords 

• Sharing or allowing another person to use an individual account password is a violation of this policy, unless the other person is an ITS tech assisting the user with a technical problem. 
• Sharing or allowing another person to use your password will be treated as a compromised password and your password will be reset immediately. 
• ITS approval is required prior to sharing a password with a vendor (approval may be granted on a one-time or continuing basis), and this vendor access may require implementing the appropriate technology infrastructure to accommodate the access (depending on the circumstance, and as determined by ITS).  Phone communications may be necessary with external information technology vendors. 
• It is required that passwords be changed after allowing use as permitted in this section. 

Group Accounts 

Group accounts are ID’s and passwords that are shared between a specific group of people.  Group accounts are strongly discouraged and only allowed when other alternatives are not feasible.  When group accounts are necessary, then strong account protection is required.  The following ITS mandated protections apply: 

• Group accounts must be pre-approved by ITS.  Please email ITSecurity@pittstate.edu to make your group account request. 
• Group accounts will be audited regularly to ensure ownership is current, the account is still necessary, and account agreements are renewed. 
• To prevent unauthorized access to a group account, the password must be changed every time there is a change in personnel. 

Reporting Password Compromises 

Suspected compromises of passwords must be reported immediately to the IT Security Officer, extension 4657, ITSecurity@pittsate.edu.  The password in question will be reset immediately. 

ITS Responsibilities 

• ITS may require a more restrictive policy, such as stronger passwords, in some circumstances. 
• ITS may perform password assessments on a periodic or random basis. If a password is guessed or cracked during one of these assessments, ITS will promptly notify the listed contact and require that the password be changed. 

Consequences 

Any individual who violates this policy may lose computer and/or network access privileges and may be subject to remediation and/or disciplinary action in accordance with and subject to appropriate University policy and procedures.    

Responsible Office: Information Technology Services 

Approved by Information Technology Council:  November 19, 2019 

Original Effective Date:  January 1, 2006 

Review Cycle:  Annual 

Last Review: August 2, 2023 

Pittsburg State University

Acceptable Use Policy

Introduction

This policy outlines the expectations for the use of information technology resources at Pittsburg State University. This policy applies to faculty, staff, students, official university affiliates, and any other individuals who use University information technology resources.  Appropriate use should always be legal and ethical, reflect academic honesty and community standards, and show restraint in the consumption of shared resources. It should demonstrate respect for intellectual property; ownership of data; system security mechanisms; and individual’s rights to privacy, freedom of speech, and freedom from intimidation, and harassment.

User Responsibilities

Users of electronic systems have the following responsibilities:

1. Access to information resources is granted with the expectation that resources will be used in an ethical and lawful manner. Users will employ information technology resources consistent with the requirements of federal, state and local law and Kansas Research and Education Network (KanREN) policies. Users are responsible for using resources appropriately to maintain the integrity of the information technology resources, and where appropriate, the privacy, confidentiality, and/or security of the electronic information.
2. Individuals should not give out, loan, share, or otherwise allow anyone else to use the access privileges granted to them. Access to secured information resources is provided only with proper authorization.
3. Users are responsible for all activities that occur while using information resources assigned to them, and shall respect the intended use of these resources.
4. Users may not attempt to circumvent login procedures on any computer system or otherwise attempt to gain unauthorized access. This is not an acceptable use of information resources and may be a crime under federal, state or local law.
5. All users shall use information technology resources in a manner that does not in any way interfere with, compromise, or harm the performance, functionality, or integrity of the University’s information technology resources. This shall include the adherence to University standards regarding software updates and protections, data handling, and other policies and procedures enacted by the University.
6. Users will respect network capacity as a shared resource and therefore may not perform operations that degrade network performance for other users. Users may not send spam, chain letters, mail bombs, and or engage in other activities that infringe on the rights and/or productivity of other users.
7. Users should respect the rights of copyright owners and, when appropriate, obtain permission from owners before using or copying protected material, including but not limited to, music, movies, software, documents, images, or multimedia objects.

Please see:

• Illegal Peer to Peer File Sharing Information listed above.
• The Campus Internet Copyright Policy listed above.
• The Campus Policy on Duplicating Copyrighted Written Works as listed above.

8. Representing oneself as someone else, without previous written authorization, is not considered responsible use of information technology resources.
9. Users may not use electronic resources for activities that are illegal, threatening, and/or deliberately destructive.
10. No person, including any member of the IT Staff, is authorized to request a user’s password.

Please see: Password Policy (as listed above):

If you have questions please contact the OIS Gorilla Geeks Help Desk: Phone: 620.235.4600 Email: geeks@pittstate.edu

User Privacy

University information technology resources are state-owned and maintained. University users have a heightened responsibility to properly use information technology resources. Pittsburg State University supports a climate of trust and respect. Nonetheless, users should be aware that on occasion legitimate activities of technical staff may lead to situations where specific information could be reviewed as part of routine problem resolution procedures. The University, therefore, cannot guarantee the personal confidentiality, privacy, or security of data, email, or other information transmitted or stored on its network.  When University officials believe a user may be using information technology resources in a way that may violate University or Regents policies or local, state or federal law, or the user is engaged in activities inconsistent with the user’s University responsibilities, then technical staff may be requested to monitor the activities and inspect and record the files of such user(s) on their computers and networks, including word processing equipment, personal computers, workstations, mainframes, minicomputers, and associated peripherals and software.

User Abuse/Abuse of Policy

All users and units have the responsibility to report any discovered unauthorized access attempts or other improper usage of PSU information resources. If you observe, or have reported to you, a security or abuse problem with any University information resource, including violations of this policy, please email abuse@pittstate.edu and an administrative response to such incidents will be coordinated. In addition, you may utilize the following University Whistleblower Policy to report such incidents: https://www.pittstate.edu/president/policies/

Reports of all apparent IT policy violations will be forwarded by the PSU IT Security Officer to the CIO for disposition according to standard procedures and University policies on violation of policy.

Use of University information technology resources contrary to this policy, University policies, or applicable federal, state or local law is prohibited and may subject the user to disciplinary action including, but not limited to, suspension of the users access to the information technology resources. Users also should be aware of other possible consequences under University policies and federal, state, or local laws, particularly those related to computer crime and copyright violation. Additionally, students could be subject to disciplinary action under the Code of Student Rights and Responsibilities: https://www.pittstate.edu/studentlife/code-of-student-rights-and-responsiblities.html.

Policy Name: Virtual Private Network (VPN) Services.
Policy Purpose: This policy outlines the purpose and approved use of PSU VPN Services
Scope: This policy applies to all faculty, staff, and consultants using VPN Services at PSU.

General Policy Provisions
In an effort to increase the security of information technology (IT) systems at PSU, the
Information Technology Services (ITS) has limited access to some computing resources. The
VPN is designed to provide secure/encrypted access to computing resources on the PSU
network. It allows, among other things, a method to connect to PSU computing resources as if
the user were locally connected to the PSU network. This allows greater functionality and
security than other remote access techniques. Users should be aware that routing schemes,
network configurations, and security measures can be changed without notice by ITS or by the
user's internet service provider (ISP) that may affect the user's ability to do specific functions
with the VPN.

Use of the VPN service at PSU is a privilege, which comes with responsibilities for both
departments and users. All other policies covering the use of PSU computing resources by
authorized users are still in effect when they are accessed from remote locations, as are all
regulations (e.g., HIPAA and FERPA) which protect the confidentiality and integrity of
information entrusted to PSU's stewardship. Do not assume the confidentiality of information
traveling through the VPN.

VPN Accounts
•As with all PSU information technology resources, clients using VPN must follow the PSU
Acceptable Use Policy found at the following link.
•VPN access is for users (faculty, staff, and consultants) who need access to campus computing
resources that are not available from off campus networks.
• User accounts are created at the request of a departmental representative or the employee's
supervisor. The employee must read and accept the conditions of this policy before using the
VPN.
• VPN access for third parties (e.g., software consultants and support personnel) to support on
campus systems must be requested by a PSU employee. In addition, the third party must
complete and sign a nondisclosure agreement if required by PSU.
• VPN access can be terminated by a departmental representative, the employee's supervisor,
at the employee's request, or by ITS.

ITS Responsibilities
• VPN access to PSU computing resources will be set up and managed only by the ITS Network
and Systems group. No other department may implement VPN services.
• ITS reserves the right to monitor for unauthorized VPNs and disable access of those devices
performing non-sanctioned VPN service.
• All network activity during a VPN session is subject to PSU computing policies and may be
monitored for compliance.
• ITS will provide the VPN client software and instructions for installing the software.

User Responsibilities
• By using the VPN with personal equipment, users must understand that while they are
connected through VPN, their computers become an extension of the PSU network, and during
the time they are connected, must follow the same guidelines established for the use of PSU
owned equipment.
• Only VPN client software distributed by ITS may be used to connect to the PSU VPN.
Approved users can download the VPN client and installation instructions from GUS.
• Approved users are responsible for the installation of the VPN software.
• Users with VPN privileges must ensure that unauthorized people are not allowed access to
computing resources located on the PSU network.
• The VPN is configured not to allow the bridging of networks (split tunneling).
• All computers, including personal computers, connected to the PSU network via VPN or any
other technology must have:

1. up-to-date virus-scanning software with current virus definitions installed
2. all relevant security patches installed
3. available firewall enabled

Consequences: Failure to abide by the requirements of this policy and/or any procedures that
are developed to implement this policy may result in termination of the user's VPN privileges.

Responsible Office:
Information Technology Services

Updated By:
The Information Technology Council: October 20, 2017
Update Approved By The President’s Council: November 13, 2017

Approved by:
Information Technology Council: October 26, 2005
Signed by President Tom Bryant: January 26, 2006
Original Effective Date: January 26, 2006
Review Cycle: Annua

PDF Version of the PSU Privacy Policy

PSU Privacy Policy

Last updated: February 02, 2024

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

• Account means a unique account created for You to access our Service or parts of our Service.
• Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
• Application refers to Pitt State App, the software program provided by the Company.
• Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Pittsburg State University, 1701 S Broadway, Pittsburg KS, 66762.
• Country refers to: Kansas, United States
• Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
• Personal Data is any information that relates to an identified or identifiable individual.
• Service refers to the Application.
• Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
• Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
• You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

• Email address
• First name and last name
• Phone number
• Usage Data

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

Information Collected while Using the Application

While using Our Application, in order to provide features of Our Application, We may collect, with Your prior permission:

• Information regarding your location

We use this information to provide features of Our Service, to improve and customize Our Service. The information may be uploaded to the Company's servers and/or a Service Provider's server or it may be simply stored on Your device.

You can enable or disable access to this information at any time, through Your Device settings.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

• To provide and maintain our Service, including to monitor the usage of our Service.
• To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
• For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
• To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
• To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
• To manage Your requests: To attend and manage Your requests to Us.
• For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
• For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.

We may share Your personal information in the following situations:

• With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
• For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
• With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
• With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
• With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.
• With Your consent: We may disclose Your personal information for any other purpose with Your consent.

Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.

Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

Our Service may give You the ability to delete certain information about You from within the Service.

To learn more about personal data deletion for the Pitt State App, visit the knowledge base here. Direct link:  https://pittstate.teamdynamix.com/TDClient/2021/Portal/KB/ArticleDet?ID=152673

Please note, however, that We may need to retain certain information when we have a legal obligation or lawful basis to do so.

Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

• Comply with a legal obligation
• Protect and defend the rights or property of the Company
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of Users of the Service or the public
• Protect against legal liability

Security of Your Personal Data

The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

Children's Privacy

Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.

If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent's consent before We collect and use that information.

Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy, You can contact us:

• By email: support@pittstate.edu

The purpose of this document is to establish guidelines and regulations regarding the blackout and lockdown dates of Pittsburg State University computer labs during certain periods to ensure effective installations (hardware, software, network, etc), testing, maintenance, security, and operational efficiency by team members from the Office of Information Technology Services. This document is reviewed annually.  See the most recent B&L Date Guidelines here. 

If a department no longer needs an IT resource, several actions can be taken.  However please note the following:

• If the product is at its end of life (EOL), it should not be connected to the PSU network, and decommissioning should be recommended/considered.
• The client should submit a ticket to document their decision for inventory purposes.

Options for handling the item include:

1. Reallocation within the department: The item can be repurposed elsewhere within the department.
2. Transfer to another department: ITS can help identify another area on campus where the resource could be beneficial.
3. ITS possession: ITS can take the item for future use or salvage parts for repairs.
4. Auction: The item can be auctioned through Purchasing, with ITS ensuring it is properly prepared according to DoD (Dept of Defense) standards.
5. E-waste: The item can be disposed of as e-waste, with ITS preparing it per DoD standards. The department is responsible for covering the e-waste fee.

These are the primary options, but the client may have other creative solutions for managing their inventory.