Ohio Admin. Code 3362-5-30 - Campus computer and network use

(A) Purpose and application

(1) The purpose of this rule is to establish the obligations of users and managers of university-provided technologies and related resources. All users and managers of university-provided and supported information technologies are required to abide by applicable federal and state laws, relevant regulations, conditions for use, and best practices to ensure the highest level of confidentiality, integrity, security, and availability of technology services that can be afforded by the university. This policy outlines the guidelines for responsible management and security of Shawnee state university's (SSU) digital resources, ensuring alignment with relevant procedures (SSU information security program and conditions for use), and compliance with applicable regulatory frameworks. It is designed to protect the integrity, confidentiality, security, and availability of SSU's technology services and applies to all individuals interacting with SSU's digital and network resources.

(2) This rule applies to all users of campus computing and network resources, whether or not employed by or affiliated with the university, and for all uses of computing and network resources whether on campus or from remote locations. Universal in scope, this policy encompasses both on-campus and remote interactions with SSU's technology resources, covering all affiliated and non-affiliated individuals.

(B) Responsibilities and authority

(1) All users are responsible for complying with this rule, conditions for use, and any laws or regulations applicable to computer systems, information security, network access, and application computing. All users are required to comply with this policy, its applicable procedures (SSU information security program and conditions for use), and relevant legal and regulatory standards.

(2) The university's chief information officer (CIO) is responsible to maintain applicable policies and to ensure the conditions for use reflect current operational expectations, incorporate best practices and technical updates, and to implement measures required for compliance with applicable laws and regulations that ensure privacy and security of data and delivery of appropriate access to network resources. The chief information security officer (CISO) is tasked with the oversight of this policy, ensuring its ongoing relevance, compliance with legal and operational standards, and the implementation of requisite security measures.

(C) Access privileges and restrictions of use Access to digital resources is predicated on authenticated identity and relevant authorizations, managed in accordance with the SSU information security program and conditions of use procedures.

(1) Access privileges are contingent upon the authentication of an identity and authorization of that identity to access specific technologies required to fulfill assigned roles or to complete the applications and activities of that identity at the university. Such access depends upon the role assigned by the department of human resources upon employment or contractual relationship with the university. Additional accesses may be managed by department supervisors in accordance with university policies.

(2) Use of the university's computing systems, resources and networks (on-site and remote) is granted solely to Shawnee state active employees and retirees with ten years of continuous service, currently enrolled students, contractual and term employees, and others who have a business or operational need for access and are designated in writing by the president or vice president for finance and administration. The university will adopt measures necessary to protect its computing systems and network including implementation of multi-factor authentication.

(3) Commercial use of the university's computing systems, resources, and networks is prohibited without prior written consent from the office of the general counsel.

(4) Once on-site and remote access to technology systems is assigned in accordance with human resources policies, any modification of that access that involves personal and shared data may be extended to or retracted from the initial authorized account users with written consent of the respective vice president and in accordance with human resource and relevant university policies.

(5) The university reserves the right to limit, restrict, extend or deny computing privileges and access to its resources.

(6) Testing and monitoring of security will be routinely conducted as well as the regular review of files or information resident on university systems to guard against unacceptable use. All accounts assigned to authorized individuals will be treated as private by university employees charged with managing university computer systems, resources, and networks.

(7) An account may be accessed without the user's permission by the appropriately assigned ITS officials upon authorization by the president or the president's designee for any employee placed on temporary or extended leave of absence, or otherwise is not reasonably available, or when there is probable suspicion of violation of university policies or evidence of criminal activity. The university reserves the right to deny access to its computer systems, resources and networks until consent to access the account is provided by the president or president's designee.

(D) Privacy expectations

(1) Users are expected to be aware that their uses of university computing systems, resources, and networks are not private. The university routinely monitors individual and campus-wide usage on a regular basis for suspicious activity and targeted threats. Service vendors often require the examination of institutional files, data transmissions, and system-generated logging files to maintain normal operations. Users should anticipate monitoring of university technology resources, in adherence to the information security program and conditions of use procedures for operational and security purposes.

(2) Shawnee state's status as a financial institution obligates the university to protect the consumer information it collects during the normal course of business. Users authorized to maintain financial information must adhere to all state and federal mandates and compliance required to meet external or internal audit requirements. SSU commits to protecting sensitive information in accordance with Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and other regulations, as outlined in the information security program procedure.

(3) As an institution of higher education, Shawnee state is obligated to protect confidential information restricted by FERPA, HIPAA, GLBA, GDPR, PCI, Ohio Revised Code and other regulatory requirements (e.g. red flag rules), and is not releasable to the public under state or federal law.

(E) Use of university computing resources

(1) Adherence to the information security program and the conditions for use procedures conditions for use is mandatory in order for users to be granted the privilege of access to the university's information technology systems.

(2) All users are responsible for complying with the conditions for use of Shawnee state's computer systems, resources, and networks. conditions for use shall be distributed to users via e-mail when substantive modifications are adopted. They shall be posted on the university information services web page and made available upon request. All users are responsible for complying with the information security program and the conditions for use procedures when accessing university resources, and networks. The information security program and the conditions for use procedures shall be posted on the university policies and the information technology services web pages and made available upon request.

(3) As a member of the Ohio academic research network (OARnet), Shawnee state is expected to ensure compliance with policies and procedures of OARnet and related networks. Therefore, users granted privileges to access OARnet and other networks must comply with the policies and procedures of those networks.

(F) Sanctions

Violation of computer use policies or non-adherence to the conditions for use may result in sanctions by the university, up to and including loss of computing privileges, termination of employment and dismissal from the university in accordance with the appropriate policies and collective bargaining agreements regarding disciplinary actions. Violations of this policy and applicable procedures will be subject to discipline according to university policies and collective bargaining agreements.

(2) The process outlined in the student handbook will determine sanctions for students.

(3) Disciplinary actions do not preclude additional civil or criminal prosecution by the appropriate authority.

Notes

Ohio Admin. Code 3362-5-30

Effective: 7/1/2024
Promulgated Under: 111.15
Statutory Authority: 3362.03
Rule Amplifies: 3362.03
Prior Effective Dates: 09/04/2007, 03/26/2020