IT Policies & Plans
STRATEGIC PLAN | doc
OVERVIEW OF POLICIES
- Reason for Policy
- Policy Scope
- Policy Development and Implementation Responsibilities Defined
- Information Technology Resources Defined
POLICIES (listed on this webpage)
OTHER POLICIES (separate documents)
IT Disaster Recovery Plan 2013 on File
I. Reason for Policy
The use of communication and information technologies resources permeates every part of the teaching and business functions of Tennessee State University. The application and use of information technologies requires the awareness and enforcement of rules and regulations to safeguard the computational and communication assets that are necessary to serve the students, faculty, and staff of TSU.
II. Policy Scope
The policies listed within this document apply to all Tennessee State University Students, Faculty, Adjunct Faculty, Full-Time Staff, Part-time Staff, Guests, Vendors, Consultants, and any other individuals who utilize the University network to transmit electronic communications or utilize information technologies.
Tennessee State University requires that all of the aforementioned individuals establish and carry out policies to govern the use of communication and information technologies that are in compliance with all federal, state, and local laws and work within the structure of existing University policies.
III. Policy Development and Implementation Responsibilities Defined
The development and implementation of University policies governing electronic communication and information technologies is shared by all programs and departments at TSU. These various constituents have very specific roles in the development, communication, enforcement, and improvement of the policies outlined within this section. Each area of responsibility must adhere to and contribute constant improvement to the policies set in place to ensure the integrity of the University information systems for the management of all students, financial, and human resources records.
1. The role of Communication and Information Technologies in Policy Development and Adherence
The central support structure for all computing and information technologies at TSU shall be delivered and managed through the Communication and Information Technologies department.
2. The role of University Departments in Policy Development and Adherence
Departments at TSU, including: Finance and Business Services, Bursars Office, Office of Admissions and Records, Financial Aid, Human Resources, Purchasing, and Academic Affairs are individually responsible for the following activities needed to establish data management and procedures development within their respective areas:
<Return to Table of Contents>
This document will provide guidelines that are necessary to maintain and secure the following:
1. Electronic data including students, financial, human resources, alumni, and other data files that make up the Universities data resources.
2. Central and distributed computing systems including software, hardware, and business policies and procedures that are used in the daily administration of the University.
3. Computing systems including academic software, labs and classroom hardware, and the academic endeavors that integrate the technologies into the teaching, learning and research activities.
4. Network and electronic communication resources including the University physical network comprised of servers and network infrastructure that is used to transmit and receive electronic mail, voice communications, web pages, data files, and software resources.
5. Individual rights and privileges to have safe, secure, and equal access to University technology resources that support the mission of learning and research.
6. Intellectual rights of individuals whose property is protected under Digital Millennium Copyright Act but are vulnerable to illegal access within information technology environments.
<Return to Table of Contents>
1. Family Educational Rights and Privacy Act (FERPA)
Family Educational Rights and Privacy Act is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. More information about the FERPA law can be found at:
2. State of Tennessee Acceptable Use Policy, Network Access Rights and Obligations V-1.9
Guidelines for State-owned hardware and software, computer network access and usage, Internet and email usage, telephony, and security and privacy for users of the State of Tennessee Wide Area Network are given at:
3. TBR/TECnet Policy and Procedures for Copyright Infringement notices and the Digital Millennium Copyright Act (DMCA)
The state of Tennessee notice on copyright infringement is given at:
4. The Tennessee Board of Regents Information Technology Resources Policy
A brief description of the technology resources that must be protected during use and application in the state of Tennessee is given at:
5. The Tennessee State University Student Handbook, Code of Computing Practice
A well written, comprehensive guide to TSU students, faculty, and staff that defines unacceptable computing and electronic communications use is given in Section VII of this Handbook.
Return to Table of Contents
1. Individual Awareness of Policies and Procedures
Each member of Tennessee State University is responsible for reading, understanding, and abiding by the Computing, Electronic Communications, and Information Technologies policies and procedures described within this document.
2. University Ownership of Information Technology Resources
Individuals who use the computing and information technology resources at TSU must understand that the hardware, software, data, and procedures are owned by the University and the individuals who act in official capacity within the University are required to practice ethical behavior and individual respect in all proceedings within the information technology infrastructure including the staff who install, maintain, secure, use, promote, and benefit from the resources.
3. Individual Responsibilities in Account and Resource Management
Each user of information technologies assumes an individual responsibility through the assignment of individual user accounts. These accounts are the means by which the systems are secured and each account holder is responsible for their account management, password security, and procedure integrity.
4. Protection of Intellectual Rights and Copyrighted Materials
Electronic information technologies provide endless access to information resources and it is the responsibility of the individual to always follow and respect the intellectual rights of others concerning copyrighted materials. The illegal copying, sharing, and use of copyrighted material is strictly prohibited (such as peer-to-peer networking and audio and video downloading of copyrighted material).
5. Improper or Illegal Communications
Improper or illegal communications using the University academic communications network is strictly prohibited. Libelous and obscene messages, harassment, forgery, threats, are not allowed. All rights and freedoms afforded by the laws of the US are provided and will be protected within the Academic Freedom of the University.
6. Shared Resources Access
Individuals must use computing resources responsibly and not inhibit the use by others through excessive use of resources including processing time, disk space, network bandwidth, or any other acts that may degrade the access to resources by others.
7. Data Security
All users must be aware that they are responsible for following basic guidelines for data backup and security for University related work. The CIT department will routinely backup all central data storage resources. Users must actively participate in this backup by routinely storing data files on individual account network shares. Users must also apply CIT strategies for backup of crucial files to the function of any University office.
Users must also understand that data can persist even though deletion procedures have been applied. As such, University personnel will follow guidelines for the removal and deletion of data from computing storage devices and appropriate destruction of printed data.
8. Personal Use
As part of the electronic communication and information resources that make up the entire working and personal lives of students, faculty and staff, personal use of these resources is recognized to be part of the information age landscape. Casual use of information resources for communication and data management is permitted to the extent to which it does not hamper the daily functions of the university in meeting the goals and objectives of its mission.
9. Policy Violation Responsibilities and Punishment
Violation of any University policy described in this document requires the immediate reporting to the department head or the employee academic immediate supervisor or department head who shall then document the incident in writing to the Vice President for Communication and Information Technologies.
TSU Employees who abuse University network and computing resources may be subject to disciplinary action, up to and including, but not limited to termination.
It is the responsibility of all individuals to protect the privacy of user data stores, electronic mail, user accounts, and any data stored about them within University databases. All transactions should be processed with the highest degree of confidentiality with respect to the Family Education Rights Protection Act, and the TBR/TECnet Policy and Procedures for Copyright Infringement notices and the Digital Millennium Copyright Act (DMCA).
Employees having access to computer data and information shall not access, disseminate or share such information unless required by the employee academic assigned job duties. Employees who receive requests under the Tennessee Public Records Act should not release files, documents, or other information. All requests should be forwarded to the employee academic department head, who will review the request, contact legal counsel if needed, and supervise all disclosures.
TSU cannot promise privacy of information stored on or sent through University-owned information systems and communications infrastructure except for certain records relating to students; some types of research; proprietary, trade secret or patentable materials; and certain medical records. Employees should expect no privacy rights with respect to the contents of files transmitted or maintained on any university computer, network, or system. Employees of the university do not routinely look at files on computers assigned to employees, employee accounts, electronic mail, and data on the network.
However, the University reserves the right to view or scan all communications, files and software stored on any university computer, hard drive, peripheral device, or other media such as university-purchased and personally owned flash drives, zip drives, floppy disks, or CD or DVD ROM academic, on university systems, or transmitted over university networks. It may do so periodically, to verify that software and hardware are working correctly, to look for particular kinds of data or software (such as computer viruses), to audit the use of university resources, or for other purposes.
The university also reserves the right to preserve or inspect any information transmitted through or stored in its computers, including e-mail communications and individual login sessions, without notice when there is reasonable cause to believe the user has violated or is violating this policy, any guidelines or procedures established to implement this policy, or any other university or TBR policy; if an account appears to be engaged in unusual or excessive activity; if the user has voluntarily made information accessible to the public such as a Web page; if necessary to protect the integrity, security, or functionality of the university academic IT resources; or to protect the University from legal exposure or potential liability.
Routine maintenance and monitoring of the system may lead to the discovery and/or disclosure of personal information, non-work-related information, or violations of this policy, any other university or TBR policy, or state or federal law. Abuse of university computer or network resources, or abuse of other sites through the use of university resources may result in termination of access, disciplinary review, expulsion, termination of employment, legal action, and/or other disciplinary action. Notification will be made to the appropriate university office ( e.g ., student affairs, human resources, legal counsel, Campus Police Services) with campus jurisdiction or local and federal law enforcement agencies. Violations that come to the University academic attention will subject the employee(s) involved to disciplinary action, up to and including, but not limited to, termination.
Data on university computing systems may be copied to backup tapes periodically. The University makes reasonable efforts to maintain confidentiality, but employees who wish to ensure confidentiality of personal information are advised to refrain from using university resources for personal or non-work-related matters.
Computer files, electronic data processing files and output that are created or received pursuant to law or ordinance or in connection with the transaction of official university business are considered records under Tennessee academic Public Records Act. Any citizen of the State of Tennessee may, upon request, access university computer files unless the information is protected by a legal exemption. When agencies or sources outside the University request an inspection and/or examination of any University owned or operated communications system, computing resource, and/or files or information contained therein, the University will treat this information as confidential unless one or more of the following conditions apply:
1. When approved by the appropriate University officials ( e.g., CIT, public safety, audit, or legal counsel) or the head of the Department to which the request is directed
2. When authorized by the owner(s) of the information
3. When authorized by a recipient of the information
4. When required by federal, state, or local law
5. When required by a valid judicial or administrative subpoena or court order. When notice to the user is required by law, court order, or subpoena, computer users will receive prior notice of such disclosures.
Students are hereby notified that engaging in acts of unauthorized copying, performance and distribution of copyrighted material, including but not limited to, unauthorized peer to peer file sharing, may subject them to civil and criminal penalties in addition to institutional disciplinary sanctions. The law provides that infringers can be imprisoned and subjected to criminal fines in cases where there has been a willful infringement. The potential civil penalties as currently set forth in federal copyright law for violations of the copyright laws include, but are not limited to, imposition of an award of statutory damages for all infringements involved in the action, with respect to any one (1) work in a sum of not less than seven hundred fifty dollars ($750.00) or more than thirty thousand dollars ($30,000.00) as the court considers just and if the court finds, that infringement was committed willfully, the court in its discretion may increase the award of statutory damages to a sum of not more than one hundred fifty thousand dollars ($150,000.00). In addition, the court can also impose injunctive relief against the infringer to prevent or restrain infringement of a copyright and require forfeiture, impoundment, or destruction of the infringing articles / material in the possession of the infringer and require payment of actual damages and disgorgement of any profit; as well as payment of costs and attorney's fees. See 17 U.S.C. ÃƒÆ’Ã¢â‚¬Å¡Ãƒâ€šÃ‚Â§ 501, et. seq. Additional information is available on the Library of Congress U.S. Copyright Office Website: http://www.copyright.gov/ .
VII. Electronic Communications Policy
1. General Provisions
Electronic Communications shall include all electronic mail messages, chat, audio or video files, audio/video conferencing, voice mail, or facsimile originating from or to an individual computer system, server, camera, monitor, disk drive, web site, or any other electronic communication display or origination device on the TSU campus.
The policies governing the provision and use of electronic communications include:
1. The University will provide an electronic communications system that is maintained through a well connected, redundant, and secure computer system
2. The Communication and Information Technologies (CIT) department will hold central responsibility for the installation, maintenance, upgrading, and securing all equipment, software, and procedures that comprise the University network
3. The CIT department will provide appropriate safeguards, to the extent possible, to keep the network from interruptions in service
4. Electronic communications transmitted through the TSU network system either within the campus or to outside entities are considered to be University property
5. Electronic communications are to be used while conducting the business and academic endeavors of the University
6. Incidental usage for personal correspondence is permitted as long as it does not violate state or federal laws
7. Electronic communications cannot be made for personal gain, the promotion of political or commercial endeavors, or to promote organizations that are not directly related to the University
8. Electronic communications cannot be used to illegally transport copyrighted material
9. Electronic communications cannot be used to transmit illegal content as defined by the laws of the State of Tennessee or the United States Federal government
10. Electronic communications cannot be altered in any way to mask the messages origin or to fraudulently represent the mail originating from another individual other than the originator of the message
11. Electronic communications cannot be used to harass or hinder any employee, student, or other individual
12. Electronic communications are not to be accessed, copied, read, or modified by unauthorized individuals
13. Electronic communications accounts are to be secured by the owners with appropriate passwords and desktop security
14. Chain letters or any other communications that may cause undue stress on the system or be considered as unsolicited junk mail are strictly prohibited
15. Users of electronic communications should be aware of all current viruses and network vulnerabilities concerning e-mail
16. Individuals may store electronic communications on allotted disk storage but are encouraged to make individual backups periodically
17. All electronic communications may be inspected using documented commercial software packages for worms, viruses, and other malicious codes
18. Electronic communications may be stopped or attachments removed from an electronic communication that is determined to include malicious code
2. E-Mail Specific Policy Provisions
1. Mail Box Quotas (Approved 1/3/2007, President's Cabinet)
100 MB - User will receive a warning concerning the 200 MB quota
150 MB - User will receive e-mail, but will not be able to send
200 MB - User will not be allowed to send or receive e-mail
5 MB limit per user
<Return to Table of Contents>
VIII. TSU Code of Computing Practice
Computer resources within Tennessee State University (TSU) are available to students, faculty, and staff for authorized use in a responsible, ethical, and equitable manner. It is important that all users of the computing facilities conduct their computing activities in this manner since they have access to many valuable and sensitive resources and their computing practices can adversely affect the work of other users. Ethical standards that apply to the use of computer resources are not unique to the computer field; rather they derive directly from the standards of common sense, decency, and courtesy that apply to the use of any university resource.
The Code of Computing Practice
The following constitutes the code of computing practice to be adhered to by all computer system users. This includes all computing facilities owned, leased, or controlled by TSU.
1. Users are authorized to use the computer facilities for purposes that conform to the goals and objectives of TSU. As to students, the computer network is an academic resource.
2. Users of computing resources are expected to conduct themselves in a manner that does not constitute a danger to any person academic health or safety or interfere with or harass individuals or TSU activities.
3. Users must not misuse, damage, or misappropriate in any manner computing equipment, property, and other facilities and resources.
4. Users are responsible for the use of their computer resources; and, as such, they should take precautions against others obtaining access to their computer resources. This includes managing and controlling the use of individual passwords, operational activities, and resource utilization.
5. Users must utilize only those resources that have been authorized for their use and only for the purpose for which the authorization was granted. The fact that a resource is unprotected does not imply permission for an unauthorized person to use it.
6. Users must not attempt to modify system facilities or subvert the restrictions associated with their computer resource. Users must follow the established procedures for accessing the computing systems.
7. Users shall utilize software only in accordance with the applicable license agreement. TSU licenses the use of most of its computer software from a variety of outside companies. TSU does not own this software nor its related documentation and, unless authorized by the license, does not have the right to reproduce it.
8. Users may not access, modify, or copy programs, files, or data of any sort belonging to other users or TSU without obtaining prior authorization from the appropriate authority. Similarly, programs, subroutines, data, equipment, and other computing-related resources may not be taken from TSU to other computer installations without the proper authorization and a clearly defined understanding of the responsibilities associated with such action (e.g., security of access to the data at the other computer installation).
9. Users should minimize the impact of their work on the work of other users. Attempts should not be made to encroach on others, use of the facilities or deprive them of resources.
10. Users and non-users must not encourage, collaborate, or tolerate the misuse of computer resources or the violations of this code by any other person. It is TSU policy that anyone with knowledge of violations or suspected violations of computer security measures or controls report this information to the appropriate TSU authority
2. Disciplinary Actions Against Violators
The above code is intended to work for the benefit of all computer users by encouraging responsible conduct and use of computer resources. Disciplinary action for violating this code shall be governed by the applicable policies and procedures of the Tennessee Board of Regents. The following disciplinary sanctions outline some, but are not limited to, all actions that may be taken either singularly or in combination by TSU against violators of this code.
1. Requiring restitution to TSU for damages to or misuse of computing facilities.
2. Warning the individual that continuation or repetition of a specified conduct may cause other disciplinary action.
3. Reprimand in writing indicating further violation may result in more serious penalties.
4. Restriction of computing privileges for a specified period of time.
5. Probation status, with the associated implications, imposed on the individual.
6. Suspension or expulsion of the individual from TSU.
7. Termination of employment of the individual by TSU.
8. Interim or summary suspension until a final determination is made in regard to the charges against the individual.
In the event that other TSU regulations are violated, additional penalties may be imposed. According to the U. S. Copyright Law, illegal reproduction of software can be subject to civil damages and criminal penalties including fines and imprisonment.
Unauthorized use and/or misuse of computing resources may be in violation of federal and state laws, and the violator(s) may be subject to prosecution under these laws.
Several information technology resources accounts are available to the TSU user community. Each account will be provided where needed to accomplish the assigned duties or academic studies at the University.
The TSU network account is the primary account assigned to TSU faculty, staff, and students. This account provides access to all computing systems made available on the TSU network and the Internet. Likewise, the myTSU account is assigned to all students, faculty, and staff using the same username. This account is of special importance to students in that it provides the student e-mail, course registration, payment, and grade retrieval function.
1. Eligibility for TSU Network Accounts
The following individuals are eligible for the TSU Network account (which includes e-mail for faculty and staff), and myTSU account (including e-mail for students)
1. Students currently enrolled at the university.
2. TSU graduates for a period of three months following the graduation date
3. Full time faculty
4. Adjunct faculty by request from the employing department academic head
5. Full time employees
6. Individuals employed by the University in a special role or function by request of the sponsoring department head.
7. Other individuals conducting business on behalf of the University
8. Student organizations at the request of faculty sponsors.
9. University departments at the request of a departmental representative
10. University affiliates such as the Business and Technology Center, at the request of the affiliate representative. This may include individual accounts for employees. Affiliates may include other state or government agencies such as state auditors. Accounts of the latter type are issued when there is benefit to the University or a benefit to the working relationship between the affiliate and the University.
2. Eligibility for Blackboard/WebCT Accounts
The following individuals are eligible for Blackboard/WebCT accounts:
1. Students enrolled in Distance Education courses
2. Students enrolled in Web Enhanced courses
3. Approval is on a case by case basis and the decision is made by CIT management
4. Individuals or organizations as approved by the President or Vice President of Academic Affairs
3. Information Technology Resources Available through Network Accounts
The following account privileges and resources are provided through the individually assigned unique TSU Network accounts:
1. Access to University purchased legal software licenses
2. Access to Departmental purchased legal software licenses
3. Access to network disk space for safe and secure storage of data files
4. Access to the Internet
5. Access to shared data storage areas for departmental storage
6. Access to an electronic mail account
7. Access to Web site for the maintenance of departmental web pages
8. Access to Administrative computing resources with approved account access
9. Access to other Information Technology resources prescribed in the functions of individual departments
X. Regulations on the Use of Social Security Numbers
The purpose of this policy is to protect the confidentiality and privacy of students and employees and to ensure that steps are taken concerning the collection, use and disclosure of Social Security numbers (SSNs). Although Tennessee State University has migrated from the use of SSNs as primary personal identification numbers for students and employees to an alternate identification number, legitimate uses of SSNs remain. Therefore, University employees who have access to SSNs must comply with the following regulations:
Forms, Documents, and Records
Computers and the Internet
Mail and Email
Third Party Vendors
SSNs should not be disclosed to third parties external to the University except where required for business necessity or permitted by law. When disclosing SSNs to third parties as required or permitted by law, such disclosure should be conditioned upon a written agreement that includes terms that:
- Protect the confidentiality of the SSNs and prohibit the third parties from re-disclosing SSNs, except as required by law;
- Require such third parties to use effective security controls on record systems containing SSNs;
- Hold such third parties accountable for compliance with the terms imposed, including monitoring or auditing their practices;
- Require such third parties to immediately provide written notification to the University in the event that the security controls on records systems of the third party containing SSNs are breached and/or SSNs are subjected to unauthorized access; and
If a University employee discovers that SSNs have been disclosed or accessed inappropriately, then the employee must immediately notify the Computer Information Technology Office (CIT), which will work with the Office of University Counsel to ensure that those individuals are notified to the extent required by applicable law.
Violation of University Policy
All employees who have access to SSNs should note that inappropriate use or disclosure of SSNs may constitute violation of Tennessee Board of Regents policy or University policy, including, but not limited to:
- Tennessee Board of Regents Policy 1:08:00:00, Information Technology Resources
- Tennessee Board of Regents Policy 4:01:05:00, Preventing and Reporting Fraud, Waste Or Abuse
- Tennessee Board of Regents Policy 5:01:00:10 , Personnel Records
- Tennessee Board of Regents Policy 3:02:03:00, Confidentiality of Student Records
- Tennessee Board of Regents Policy 4:02:20:00, Disposal of Surplus Personal Property
- Tennessee Board of Regents Guideline G-070 , Disposal of Records Academic RDA 2161
Violation of any of the above policies or TSU data security policy may result in the suspension of computer access to the relevant systems and databases as well as disciplinary action, up to and including termination.
The Family Educational Records Privacy Act, 20 U.S.C. 1232g; 34 CFR Part 99
The Federal Privacy Act of 1974, 5 U.S.C. 552a
2008 Tenn. Pub. Acts, Chap. No. 688