Chapter 3342-9 Administrative Policy on Technology

3342-9-01 University policy on responsible use of information technology.

(A) Purpose. Access to modern information technology is essential to Kent state university's mission of providing the students, faculty and staff with educational services of the highest quality. The pursuit of the missions of teaching, research and public service is greatly enhanced by the use of computing systems and software, access to the world wide web, and other technology resources that are available to the entire campus community. The preservation of those resources for the community requires that each faculty member, staff member, student or other authorized user comply with institutional policies, applicable federal and state laws and responsible use of technical resources.

(B) Operational procedure.

(1) Authorized users of campus computing and network resources shall be faculty, staff, student and other affiliated individuals or organizations authorized by the vice president for information services.

(2) Notwithstanding the geographical location of the user, authorized use of campus-owned or operated computing and network resources shall be consistent with the teaching, research and public service mission of Kent state university and consistent with this policy.

(3) Information technology provides important means for both public and private communication. Users and systems administrators shall respect the privacy of person-to-person communications in all forms including telephone, electronic mail and file transfers, graphics and television to the fullest extent possible under applicable law and policy. The principle of academic freedom shall apply to public communication in all these forms of communication, as well as in the transmission of information in both the physical and virtual classrooms, subject to the limitations set forth hereinafter.

(4) Subject to requirements of network administration, Kent state university shall not monitor or restrict the content of material posted on university-owned computers, or transported across its networks. However, Kent state university reserves the right to:

(a) Limit access to its networks; and

(b) Remove or limit access to content or to material residing on or transmitted on university-owned computers or networks when exigent circumstances arise (i.e., evidence of a reported violation of applicable university policies, contractual).

(5) Determination of violations shall be made in accordance with established applicable due process procedures (i.e., student code of conduct, collective bargaining agreement, academic and administrative grievances and appeals policies, as appropriate).

(6) In the normal course of system maintenance, both preventative and troubleshooting, staff members operating the computer systems may be required to view files. Staff shall be required to maintain the confidentiality and privacy of information in such files unless otherwise required by law or university policy.

(7) Kent state university reserves the right, upon reasonable cause for suspicion, to access all aspects of its computing systems and networks, including individual login sessions to determine if a user is violating this policy or state or federal laws.

(8) This policy may be supplemented with additional guidelines or regulations developed by units and companies that operate their own computers or networks, provided they are consistent with this policy.

(9) A university member who stores or distributes copyrighted material must be the copyright holder or have the permission of the copyright holder as required under law. This includes duplication of audiotapes, videotapes, photographs, illustrations, computer software, and all other information for educational use or any other purpose.

(10) No user may, under any circumstances, use Kent state university computing equipment, software or networks to harass or defame any other person.

(C) Security and privacy of e-mail.

(1) Access. The university recognizes the private nature of electronic mail communications. The university may access such files in the course of its normal supervision of the network or system (i.e., backing up of electronic messaging material), or when exigent circumstances arise (i.e., evidence of reported violations of policies or laws). Accordingly, the private nature of electronic mail communications sent or received by users on any computer system owned or operated by the university shall be maintained, subject to the technology limitations of the university's electronic systems and in a manner consistent with university policies, state and federal laws.

(2) Public records request. From time to time the university may receive requests pursuant to section 149.43 of the Revised Code (the Ohio Public Records Act). When such requests are for access to a user's e-mail files, the university will make a good faith effort to notify the affected user. A good faith effort may include, though not be limited to, an e-mail message sent to the affected user's university e-mail address or telephone notice, including a message left on the university-based voice mail system.

(3) Security. Kent state university employs various measures to protect the security of its computing resources and its users' accounts. Users should be aware, however, that the university cannot guarantee the absolute security and privacy of data stored on university computing facilities. Users should therefore engage in safe computing practices including but not limited to establishing appropriate access restrictions for their accounts, guarding their passwords, changing them regularly, and by backing up critical files when appropriate.

Replaces: 3342-9-01

Effective: 3/1/2015
Promulgated Under: 111.15
Statutory Authority: 3341.01
Rule Amplifies: 3341.01, 3341.04
Prior Effective Dates: 3/14/2002, 9/19/2005, 6/1/2007

3342-9-01.1 Administrative policy on responsible use of information technology.

(A) Purpose. To ensure compliance with the university policy on responsible use of information technology, Kent state university establishes the following administrative policy which supplements university policy and any guidelines or regulations developed by individual units of the university, as well as applicable federal and state laws.

(B) User responsibilities.

(1) University assigned accounts ("UserID"), computer and network access accounts are for the personal use of that individual only. Accounts are to be used for the university-related activities for which they are assigned.

(2) Sharing of access. Computer accounts, passwords, and other types of authorization are assigned to individual users and should not be shared with others. Individual users are responsible for the use of their accounts. If an account is shared or the password divulged, the holder of the account may lose all account privileges and be held personally responsible for any actions that arise from the misuse of the account.

(3) Unauthorized access. Individual users may not run or otherwise configure software or hardware to intentionally allow access by unauthorized users.

(4) Termination of access. When individual users cease being members of the campus community (i.e., withdraw, graduate, or terminate employment or otherwise leave the university), or if an individual user is assigned a new position and/or responsibilities within Kent state university, access authorization may be reviewed. Users must not use facilities, accounts, access codes, privileges or information for which they are not authorized.

(5) Circumventing security. Users are prohibited from attempting to circumvent or subvert any system's security measures. Users are prohibited from using any computer program or device to intercept or decode passwords or similar access control information.

(6) Breaching security. Deliberate attempts to degrade the performance of a computer system or network or to deprive authorized personnel of resources or access to any Kent state university computer or network are prohibited. Breach of security includes, but is not limited to, the following:

(a) Creating or knowingly propagating viruses;

(b) Hacking;

(c) Password cracking;

(d) Unauthorized viewing of others' files;

(e) Willful modification of hardware and software installations.

(7) Abuse of campus computer resources is prohibited and includes, but is not limited to:

(a) Unauthorized monitoring. A user may not use computer resources for unauthorized monitoring of electronic communications.

(b) Spamming. Posting a personal or private commercial message to multiple list servers, distribution lists or news groups with the intention of reaching as many users as possible is prohibited.

(c) Private commercial purposes. The computing and networking resources of campus shall not be used for personal or private commercial purposes or for financial gain.

(C) Enforcement. Users who violate this policy may be denied access to university computing resources and may be subject to other penalties and disciplinary action, both within and outside of the university. Violations will normally be handled through the university disciplinary procedures applicable to the relevant user. The university may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security or functionality of university or other computing resources or to protect the university from liability. The university may also refer suspected violations of applicable law to appropriate law enforcement agencies.

(D) Reporting. Anyone who learns of misuse of software, hardware, or networks may report the activity by contacting the helpdesk at 330-672-HELP (4357) or helpdesk@kent.edu. The call will be referred to the appropriate unit.

Replaces: 3342-9-01.1

Effective: 3/1/2015
Promulgated Under: 111.15
Statutory Authority: 3341.01
Rule Amplifies: 3341.01, 3341.04
Prior Effective Dates: 3/14/2002, 9/19/2005, 6/1/2007

3342-9-01.2 Administrative policy regarding electronic communications for students.

(A) Introduction. Kent state university is committed to using the most advanced technology available to communicate with students and recognizes an expanding reliance on electronic communication among students, faculty, staff, and the administration due to the convenience, speed, cost-effectiveness, and environmental advantages of using electronic communication. Therefore, the electronic communications student policy will provide procedures and regulations to govern the use of electronic communications between the university and the students. Electronic communications may include, but are not limited to, electronic mail, electronic bulletin boards, and information portals. Please refer to rule 3342-9-01 of the Administrative Code (Kent state university responsible use of information technology policy) and rule 3342-9-01.1 of the Administrative Code (administrative policy on responsible use of information technology), for additional information and guidelines regarding electronic communication.

(B) Procedural standards.

(1) University use of electronic mail. A university-assigned student email account shall be an official university means of communication with all students at Kent state university. Students are responsible for all information sent to them via their university assigned email account. If a student chooses to forward their university email account, he or she is responsible for all information, including attachments, sent to any other email account.

(2) Assignment of student email accounts. New students will be assigned an email account when they participate in the "PASS" program for new freshmen or register for classes. Once an email account is established, the address will be added to web for students at wfs.kent.edu and the student on-line directory at kent.edu/phonedirectory.

(3) Expectations regarding student use of university electronic communications, which include, but are not limited to, email and information portals. To stay current with university information, students are expected to check their official university email account and other electronic communications on a frequent and consistent basis. Recognizing that some communications may be time-critical, the university recommends that electronic communications be checked minimally twice a week.

(4) Maintenance of student email accounts. Kent state university will maintain a student's email account for the life of the student to facilitate communication as an alumnus, or until such time that a former student requests that the account be closed.

(5) Mass and targeted electronic communication. The distribution of mass communication to all students or targeted communication to a specific subset of students shall be restricted to Kent state university departments for university business. External requests will not be honored.

(6) Educational uses of email. Faculty may determine how email and other electronic communications will be used in their classes and it is recommended that faculty expectations of all electronic communication requirements be specified in their course syllabus. Faculty should expect that students are accessing official electronic communications and should use such communications for their courses accordingly.

(C) Guidelines for implementation. The vice president for enrollment management and student affairs and the vice president for information services shall establish guidelines for the implementation of this policy.

Replaces: 3342-9-01.2

Effective: 3/1/2015
Promulgated Under: 111.15
Statutory Authority: 3341.01
Rule Amplifies: 3341.01, 3341.04
Prior Effective Dates: 12/30/2005, 9/19/2005, 6/1/2007

3342-9-01.3 Administrative policy regarding web publishing.

(A) Introduction. This policy applies to all Kent state university web sites and web pages that are available generally through the worldwide web or the internet. This policy applies to all web pages and sites except those:

(1) Primarily intended for instruction or research;

(2) Primarily used in support of student, faculty or staff organizations; and

(3) Personal web sites.

(B) Procedural standards. Members of the university community are expected to follow all policies, rules, procedures and guidelines established to manage web resources. The divisions of university relations and development and information services are jointly responsible for promulgating the rules, procedures and guidelines outlined in this policy.

(C) Guidelines for implementation.

(1) University relations and development will develop and maintain guidelines called guide to web standards to govern web publications covered by this policy. University relations and development will work closely with information services, faculty and other appropriate stakeholders in developing these guidelines.

(2) To achieve the overall advancement of Kent state university's unique institutional brand identity, as defined in the Kent state university positioning platform, web sites and web pages covered by this policy are governed by the guide to web standards.

(3) It is Kent state university's policy that all web sites and web pages covered by this policy will be compliant with the Americans with Disabilities Act.

(4) The university, through university relations and development and information services, is responsible for maintaining web resources (including but not limited to: site development and design, style guidelines, logo libraries, on-campus training and information about compliance with the Americans with Disabilities Act) for the university community.

(5) University relations and development and information services will assist departments, divisions and all units covered by this policy in identifying noncompliant elements and will provide help to departments to bring departmental web sites into compliance with this policy.

(6) University relations and development, along with information services, will be responsible for securing ongoing, appropriate technical support for Kent state university's institutional web site and departmental web sites that are housed on the university server. Those departments choosing to maintain web sites on independent servers are responsible for the security and maintenance of the servers and web sites.

(7) Copyright and ownership of internet materials, whether original or derived works, created or developed by Kent state university staff, faculty or students are prescribed by Kent state university contractual agreements or policies regarding intellectual property.

(8) No web page can contain any copyrighted or trademarked material without permission except as permitted by law. Photographs, drawings, video clips or sound clips may not be used on a page without permission of the person who created them or the entity owning the rights except as permitted by law.

(9) Limited commercial sponsorship is permitted on web sites covered by this policy if all of the following conditions are met:

(a) The commercial entity must be sponsored by a department or unit of the university;

(b) A commercial sponsorship agreement must be signed by the commercial entity, approved at the vice presidential level and reviewed by general counsel;

(c) Commercial sponsorship must meet the requirements set forth in the appropriate section of the guide to web standards.

(d) Use of logos, trademarks or other identifying elements not associated with the university should be avoided except as noted in paragraphs (C)(9)(a) to (C)(9)(c) of this rule. Hosting of commercial sponsor's web pages or web sites is prohibited.

(10) Other than basic identification information described in the guide to web standards, this policy is not intended to specify content.

(11) All requirements and restrictions in any other Kent state university policies remain in force and are not considered superseded by this policy.

Replaces: 3342-9-01.3

Effective: 3/1/2015
Promulgated Under: 111.15
Statutory Authority: 3341.01
Rule Amplifies: 3341.01, 3341.04
Prior Effective Dates: 10/7/2003, 9/19/2005, 6/1/2007

3342-9-01.4 Administrative policy on electronic information security.

(A) Purpose. The purpose of this policy is to enable the use of innovative technology by members of the university community while utilizing available resources to mitigate the risk of unauthorized access or disclosure. All computer systems either accessing or storing institutional data or operating on the university network must meet the information security standards as defined or otherwise referenced in this rule.

(B) Definitions.

(1) Application. A set of one or more computer programs designed to permit users to perform a group of coordinated functions, tasks, or activities. Examples of applications include but are not limited to: Blackboard, Drupal, Empower, and other application programs installed by the user or administrator on a device or server. For the purpose of this rule, covered applications are limited to those applications running or installed on university-owned information technology, on any server and/or storage device used to hold or transmit institutional data, or any cloud-based server and/or storage device.

(2) Physical server. A dedicated physical computer on a network that is capable of accepting requests from multiple university clients and providing responses accordingly.

(3) Virtual server. A server created through the use of software known as a hypervisor that allows a single physical computer to be partitioned into multiple server computing units.

(4) Storage device. A device used for recording and storing information (i.e., institutional data).

(5) Network attached storage device. A computer connected to a network that provides only file-based data storage services to other devices on the network.

(6) Firewall. A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

(7) Institutional data. All data created, collected, maintained, recorded or managed by the university, its staff, and agents working on its behalf. It includes data used for planning, managing, operating, controlling, auditing and reporting on university functions. When appropriate, institutional data may also include research data that contains personally identifiable subject information, or proprietary university information.

(C) Scope. This policy applies to all student employees, faculty, staff (collectively "university stakeholders") and third parties acting on behalf of Kent state university as well as any other university affiliate authorized to access or in possession of Kent state university institutional data and IT resources. This policy applies but is not limited to all computer systems (applications, physical servers, virtual servers, and storage devices) that process or store university information. The policy applies both to computer systems that are run locally at Kent state university and those that are hosted or maintained by outside vendors. Exceptions to this policy must be approved by the vice president for information services and formally documented. Exceptions will be reviewed on a periodic basis and may be withdrawn at the discretion of the vice president for information services.

(D) Procedures.

(1) The division of information services ("IS" or "information services") is responsible for documenting the required security standards, updating on a periodic basis, and posting to the IS website at www.kent.edu/is/security.

(a) Such security standards as adopted and maintained by the division of information services are intended to ensure adherence to the standards set forth by existing laws and regulations, such as but not limited to: Sections 1349.19 and 149.43 of the Revised Code; the Family Educational Rights and Privacy Act; and the Health Insurance Portability and Accountability Act.

(2) Existing computer systems (applications, servers, and storage devices) will be audited against the current standards.

(3) All new requests for computer systems (applications, servers, and storage devices) must be reviewed by information services to ensure the proposed system meets the security standards.

(4) University stakeholders must receive prior approval from the division of information services before utilizing externally managed services, applications, and servers.

(a) Vendors of externally managed services and applications shall be required to complete the vendor security checklist prior to engagement of such resources or transmission of institutional data. Such checklists must be reviewed by IS.

(b) Service agreements and terms of use shall be submitted by the requesting university stakeholder for review by information services and other university stakeholders as required under rule 3342-5-04.1 of the Administrative Code.

(c) Any storage of institutional data with external service providers requires the prior approval of information services.

(5) Servers and network-attached storage devices operating on the Kent state university network shall be operated in the university secure data center.

(a) Access to the data center shall be controlled by IS operations staff.

(b) All devices shall reside behind IS-managed firewalls.

(c) Remote access shall be approved and managed by IS access management.

(6) All applications are subject to vulnerability assessments by IS. In the event of the identification of a critical vulnerability, IS shall require remediation in order for the user and/or server/storage device to remain on the network.

(7) The use or storage of sensitive institutional data (including but not limited to personally identifiable information, or other information protected from unauthorized disclosure by law, regulations or policy) on any server or storage device for any purpose must adhere to the processes, standards, and requirements as directed by IS access management.

(8) Domain names other than kent.edu acquired by university stakeholders for the operation of applications must be obtained and registered through information services.

(9) Violations of this policy may result in suspension or loss of the user's access to computing, storage, or network resources, with respect to institutional data and university-owned information technology.

Effective: 8/1/2015
Promulgated Under: 111.15
Statutory Authority: 3341.04
Rule Amplifies: 3341.01, 3341.04