Information and Cyber Security Policy

Policy Statement

The Information Systems (IS) at Southwestern Oklahoma State University support the educational,

instructional, research, and administrative activities of the University. University information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes. As a user of these services and facilities, users have access to valuable University information, to regulated data, and to internal and external networks. Users have an obligation to use the IS in a responsible, ethical, and legal manner.

This policy provides a security framework that will ensure the protection of University information from unauthorized access, loss, or damage, and establishes guidelines for acceptable use of the IS. It includes examples of what you can do and cannot do, and what rights you have. All of these guidelines are based on the underlying principles:

Information Systems are provided to support the essential mission of SWOSU.
SWOSU policies, standards, state and federal law govern the use of IS.
Users are expected to use IS with courtesy, respect and integrity.

Policy

Access to Southwestern Oklahoma State University Information Systems is predicated on user compliance with certain responsibilities and obligations including University policies, procedures, regulatory requirements, and local, state, and federal laws.

By using University Information Systems, users agree to abide by and comply with the applicable policies,

procedures, regulatory requirements, and laws. Users should understand that information created or stored on University computer resources, networks, and systems may be subject to disclosure in compliance with the Oklahoma Open Records Act, and user activity may be subject to review or monitoring in compliance with University policy or law.

User Compliance Policy

In making use of Information System resources, users MUST:

comply with all University policies, procedures, and regulatory requirements, and with federal, state, and local laws.
comply with the Mobile Device policy of the University.
use computing resources only for authorized University administrative, academic, research, clinical, or other business use.
protect user-IDs from unauthorized use and comply with regulations required under the Red Flags Rule as stated in the SWOSU Identity Theft Prevention Program.
access only information that is publicly available or to which they have been given authorized access.
protect University data that they have been authorized to access.
comply with all applicable copyright laws, licensing terms, patent laws, trademark laws, trade secret laws, and all contractual terms.
be responsible in their use of shared resources. For example, users must refrain from monopolizing systems, overloading networks, degrading services, or wasting computer time, connect time, disk space, printer paper, manuals, or other resources.
ensure their access is compliant with the principles of intellectual property, ownership of data, and system security mechanisms.
be ethical and reflect academic integrity.
Password management:
- keep passwords confidential
- avoid keeping a paper record of passwords, unless this can be stored securely
- change passwords whenever there is any indication of possible system or password compromise
- select quality passwords that meet SWOSU minimum password requirement criteria
- change passwords at regular intervals (passwords for privileged accounts should be changed more frequently than normal passwords)
- avoid reusing or cycling old passwords
- change temporary passwords at the first log-on
- not include passwords in any automated log-on process, e.g. stored in a macro or function key
- not share individual user passwords.

In making use of Information Systems resources, users MUST NOT:

auto-forward and/or auto-redirect SWOSU e-mail to non-University e-mail systems.
use another person's system, portable computing device, files, or data without express authorization.
use another individual's user-ID or password.
use computer programs to decode passwords or access control information without explicit permission from SWOSU Legal Counsel or the SWOSU Director of Information Technology Services.
attempt to circumvent system or network security.
engage in any activity that might be harmful to systems or to any information stored thereon, such as creating or propagating viruses, disrupting services, damaging files, or making unauthorized modifications to or sharing of University data.
use University Information Systems for commercial and/or private gain, such as using electronic mail to circulate advertising for products or for political candidates.
harass or intimidate another person including, but not limited to, broadcasting unapproved, unsolicited messages, repeatedly sending unwanted or threatening mail, or using someone else's name or user-ID.
waste computing resources or network resources including, but not limited to, intentionally placing a program in an endless loop, printing excessive amounts of paper, or sending chain letters or unapproved, unsolicited mass mailings.
attempt to gain access to Information System resources or any data to which they have no legitimate access rights.
take University data from Information Systems when leaving the University without approval.
use unsecured cloud or other unapproved storage or use unencrypted mobile devices for University business.
engage in any other activity that does not comply with this or any other University policy and procedure, regulatory requirement, or applicable law.

Password Policy

Passwords will be required to be a minimum of 10 characters long, containing Upper case, Lower Case, Letter, Number, and symbol
Passwords will expire in a maximum of 180 days.
Passwords will be deactivated if not used for a period of 90 days.
Passwords for a given user should not be reused in a 12 month period

Accounts Deactivation Policy

Users not using the system for 90 days will be automatically deactivated

Technology Equipment Disposal Policy: Link Here

Enforcement

Individuals using or accessing computer systems owned by the University do so subject to applicable laws and University policies.

The University considers any violation of these Acceptable Use Principles to be a serious offense and reserves the right to copy, monitor, and/or examine any files or information residing on University systems, networks, or computing resources allegedly related to unacceptable use, and to protect its systems and networks from events or behaviors that threaten or degrade operations. Violators are subject to disciplinary action including, but not limited to reprimand, temporary or permanent removal of computer and network privileges, dismissal from the University, and legal action. Offenders also may be investigated and/or prosecuted under laws including, but not limited to, the Communications Act of 1934 (amended), Family Educational Rights and Privacy Act of 1974, Computer Fraud and Abuse Act of 1986, Computer Virus Eradication Act of 1989, Interstate Transportation of Stolen Property, Digital Millennium Copyright Act, Health Insurance Portability and Accountability Act, Electronic Communications Privacy Act, Health Information Technology for Economic and Clinical Health Act, Payment Card Industry Data Security Standard, Oklahoma Open Records Act, and State Ethics Rules.

The user assumes all risk of loss of materials or data or damage thereto. The University disclaims any responsibility for or warranties related to information and materials residing on non-University systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions, or values of the University, its faculty, staff, or students. This Policy should not be construed as a limit on any individual's rights under the Constitution of the United States or the laws of Oklahoma.

Scope

This Policy is applicable to all SWOSU faculty, staff, students, and any individual or entity granted access to SWOSU Information Systems.

Regulatory References

HIPAA 45 CFR 164.308(a)(1)(ii)(B).
16 CFR Part 314 Standards for Safeguarding Customer Information, section 501(b) of the Gramm-Leach-Bliley Act (‘‘GLB Act’’)
16 CFR Part 314 Standards for Safeguarding Customer Information, GLB Act
Payment Card Industry Data Security Standard (PCI DSS)

Authorization & Disciplinary Actions

This Policy is authorized and approved by the SWOSU President’s Executive Council, and enforced by the Director of Information Technology Services. Internal Audit and other authorized departments of the University, including but not limited to Information Technology Services, may periodically assess Business Unit compliance with any provisions of this Policy and may act on or report violations to the department and University administration and the Board of Regents. Consequences for infractions include, but are not limited to:

Verbal warnings
Revocation of access privileges
Disciplinary probation
Suspension or termination from the University
Criminal prosecution
The University reserves the right to protect its electronic IS from threats of immediate harm.

Contact Information

Contact a member of the Security Compliance Committee (Executive Compliance subcommittee) if you suspect a breach of this policy, or with questions regarding these guidelines.

Contact	Title	Phone
Dian Ray	Director of Information Technology Services & Chief Information Security Officer	580.774.3271
Jerome Wichert	Director of Student Financial Services	580.774.2786
Dr. Joel Kendall	Vice President for Academic Affairs & Provost	580.774.3771
Brenda Burgess	Vice President for Administration and Finance	580.774.3000
David Misak	Assistant Vice President for Human Resources	580./774.3275
Dr. Adam Johnson	Vice President for Student Affairs	580.774.7172
Brian Adler	Vice President for Public Relations & Marketing	580.774.3063

Revision and Approval

Revision History

Version	Date	Updates Made By	Updates Made
1.0	02/15/2018	SWOSU ITS	Baseline Version
2.0	12/15/2020