Information and Cyber Security Policy
The Information Systems (IS) at Southwestern Oklahoma State University support the educational,
instructional, research, and administrative activities of the University. University information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes. As a user of these services and facilities, users have access to valuable University information, to regulated data, and to internal and external networks. Users have an obligation to use the IS in a responsible, ethical, and legal manner.
This policy provides a security framework that will ensure the protection of University information from unauthorized access, loss, or damage, and establishes guidelines for acceptable use of the IS. It includes examples of what you can do and cannot do, and what rights you have. All of these guidelines are based on the underlying principles:
- Information Systems are provided to support the essential mission of SWOSU.
- SWOSU policies, standards, state and federal law govern the use of IS.
- Users are expected to use IS with courtesy, respect and integrity.
Access to Southwestern Oklahoma State University Information Systems is predicated on user compliance with certain responsibilities and obligations including University policies, procedures, regulatory requirements, and local, state, and federal laws.
By using University Information Systems, users agree to abide by and comply with the applicable policies,
procedures, regulatory requirements, and laws. Users should understand that information created or stored on University computer resources, networks, and systems may be subject to disclosure in compliance with the Oklahoma Open Records Act, and user activity may be subject to review or monitoring in compliance with University policy or law.
User Compliance Policy
In making use of Information System resources, users MUST:
- comply with all University policies, procedures, and regulatory requirements, and with federal, state, and local laws.
- comply with the Mobile Device policy of the University.
- use computing resources only for authorized University administrative, academic, research, clinical, or other business use.
- protect user-IDs from unauthorized use and comply with regulations required under the Red Flags Rule as stated in the SWOSU Identity Theft Prevention Program.
- access only information that is publicly available or to which they have been given authorized access.
- protect University data that they have been authorized to access.
- comply with all applicable copyright laws, licensing terms, patent laws, trademark laws, trade secret laws, and all contractual terms.
- be responsible in their use of shared resources. For example, users must refrain from monopolizing systems, overloading networks, degrading services, or wasting computer time, connect time, disk space, printer paper, manuals, or other resources.
- ensure their access is compliant with the principles of intellectual property, ownership of data, and system security mechanisms.
- be ethical and reflect academic integrity.
- Password management:
- keep passwords confidential
- avoid keeping a paper record of passwords, unless this can be stored securely
- change passwords whenever there is any indication of possible system or password compromise
- select quality passwords that meet SWOSU minimum password requirement criteria
- change passwords at regular intervals (passwords for privileged accounts should be changed more frequently than normal passwords)
- avoid reusing or cycling old passwords
- change temporary passwords at the first log-on
- not include passwords in any automated log-on process, e.g. stored in a macro or function key
- not share individual user passwords.
In making use of Information Systems resources, users MUST NOT:
- auto-forward and/or auto-redirect SWOSU e-mail to non-University e-mail systems.
- use another person's system, portable computing device, files, or data without express authorization.
- use another individual's user-ID or password.
- use computer programs to decode passwords or access control information without explicit permission from SWOSU Legal Counsel or the SWOSU Director of Information Technology Services.
- attempt to circumvent system or network security.
- engage in any activity that might be harmful to systems or to any information stored thereon, such as creating or propagating viruses, disrupting services, damaging files, or making unauthorized modifications to or sharing of University data.
- use University Information Systems for commercial and/or private gain, such as using electronic mail to circulate advertising for products or for political candidates.
- harass or intimidate another person including, but not limited to, broadcasting unapproved, unsolicited messages, repeatedly sending unwanted or threatening mail, or using someone else's name or user-ID.
- waste computing resources or network resources including, but not limited to, intentionally placing a program in an endless loop, printing excessive amounts of paper, or sending chain letters or unapproved, unsolicited mass mailings.
- attempt to gain access to Information System resources or any data to which they have no legitimate access rights.
- take University data from Information Systems when leaving the University without approval.
- use unsecured cloud or other unapproved storage or use unencrypted mobile devices for University business.
- engage in any other activity that does not comply with this or any other University policy and procedure, regulatory requirement, or applicable law.
- Passwords will be required to be a minimum of 10 characters long, containing Upper case, Lower Case, Letter, Number, and symbol
- Passwords will expire in a maximum of 180 days.
- Passwords will be deactivated if not used for a period of 90 days.
- Passwords for a given user should not be reused in a 12 month period
Accounts Deactivation Policy
- Users not using the system for 90 days will be automatically deactivated
Technology Equipment Disposal Policy: Link Here
Individuals using or accessing computer systems owned by the University do so subject to applicable laws and University policies.
The University considers any violation of these Acceptable Use Principles to be a serious offense and reserves the right to copy, monitor, and/or examine any files or information residing on University systems, networks, or computing resources allegedly related to unacceptable use, and to protect its systems and networks from events or behaviors that threaten or degrade operations. Violators are subject to disciplinary action including, but not limited to reprimand, temporary or permanent removal of computer and network privileges, dismissal from the University, and legal action. Offenders also may be investigated and/or prosecuted under laws including, but not limited to, the Communications Act of 1934 (amended), Family Educational Rights and Privacy Act of 1974, Computer Fraud and Abuse Act of 1986, Computer Virus Eradication Act of 1989, Interstate Transportation of Stolen Property, Digital Millennium Copyright Act, Health Insurance Portability and Accountability Act, Electronic Communications Privacy Act, Health Information Technology for Economic and Clinical Health Act, Payment Card Industry Data Security Standard, Oklahoma Open Records Act, and State Ethics Rules.
The user assumes all risk of loss of materials or data or damage thereto. The University disclaims any responsibility for or warranties related to information and materials residing on non-University systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions, or values of the University, its faculty, staff, or students. This Policy should not be construed as a limit on any individual's rights under the Constitution of the United States or the laws of Oklahoma.
This Policy is applicable to all SWOSU faculty, staff, students, and any individual or entity granted access to SWOSU Information Systems.
- HIPAA 45 CFR 164.308(a)(1)(ii)(B).
- 16 CFR Part 314 Standards for Safeguarding Customer Information, section 501(b) of the Gramm-Leach-Bliley Act (‘‘GLB Act’’)
- 16 CFR Part 314 Standards for Safeguarding Customer Information, GLB Act
- Payment Card Industry Data Security Standard (PCI DSS)
Authorization & Disciplinary Actions
This Policy is authorized and approved by the SWOSU President’s Executive Council, and enforced by the Director of Information Technology Services. Internal Audit and other authorized departments of the University, including but not limited to Information Technology Services, may periodically assess Business Unit compliance with any provisions of this Policy and may act on or report violations to the department and University administration and the Board of Regents. Consequences for infractions include, but are not limited to:
- Verbal warnings
- Revocation of access privileges
- Disciplinary probation
- Suspension or termination from the University
- Criminal prosecution
- The University reserves the right to protect its electronic IS from threats of immediate harm.
Contact a member of the Security Compliance Committee (Executive Compliance subcommittee) if you suspect a breach of this policy, or with questions regarding these guidelines.
|Dian Ray||Director of Information Technology Services & Chief Information Security Officer||580.774.3271|
|Jerome Wichert||Director of Student Financial Services||580.774.2786|
|Dr. Joel Kendall||Vice President for Academic Affairs & Provost||580.774.3771|
|Brenda Burgess||Vice President for Administration and Finance||580.774.3000|
|David Misak||Assistant Vice President for Human Resources||580./774.3275|
|Dr. Adam Johnson||Vice President for Student Affairs||580.774.7172|
|Brian Adler||Vice President for Public Relations & Marketing||580.774.3063|
Revision and Approval
|Version||Date||Updates Made By||Updates Made|
|1.0||02/15/2018||SWOSU ITS||Baseline Version|