Chapter 3342-9 | Technology

(A) Policy statement. The division of information technology shall serve as the responsible office for implementation, development, administration, security and support of university computer, network, application, telecommunications, or other information technology resources.

(B) The vice president for information technology and CIO is responsible for developing and implementing technology policies, standards and practices in furtherance of the university's mission.

(A) Purpose: to outline the acceptable use of university computer, network, application, telecommunications, data in digital form, or other information technology resources (hereinafter called technology resources) in order to ensure that all members of the campus community understand their responsibilities when using or accessing technology resources and to safeguard these resources.

(B) Policy statement: All users of university technology resources, whether or not affiliated with the university, and notwithstanding geographical location are responsible for their appropriate use, and by their use, agree to use them in an ethical, responsible manner and will comply with applicable federal, state and local laws and university policies. An attempt to engage in a prohibited activity is considered a violation whether the attempt is successful or not.

(C) Users with access to university technology resources must agree to and accept the following:

(1) Use of university supplied technology resources shall be for purposes that are consistent with the mission of the university. Ability to access university resources not otherwise supplied does not, by itself, imply authorization to do so.

(2) Be accountable for and only use accounts, passwords, and/or authentication credentials that they have been authorized to use for their role at the university.

(3) Only share data with others as allowed by applicable policies and procedures, and dependent on their assigned role.

(4) Comply with the security and privacy controls on all information technology resources used for university business, including but not limited to mobile and computing devices, whether university or personally owned.

(5) Comply with intellectual property rights, licensing and contractual agreements related to information technology resources.

(6) Respect the rights and privacy of others.

(7) Take responsibility for the content of their personal communications.

(8) Take reasonable care to safeguard equipment entrusted to them.

(9) Acknowledge that the principle of academic freedom shall apply to public communication in all these forms of communication, as well as in the transmission of information in both the physical and virtual classrooms.

(10) Acknowledge that the university may access data files in the course of its normal supervision of the network or system (i.e., backing up of electronic messaging material), when exigent circumstances arise (i.e., evidence of reported violations of policies or laws), or when the university receives requests pursuant to section 149.43 of the Revised Code (the Ohio Public Records Act).

(11) Acknowledge that the university cannot guarantee the absolute security and privacy of data stored on university technology resources.

(D) Unacceptable use includes and is not limited to the following list. Users are not permitted to:

(1) Share authentication details or provide access to their university accounts with anyone else (e.g., sharing the password).

(2) Impersonate another person, misrepresent their affiliation with another person or entity, engage in fraud, or hide or attempt to hide their identity.

(3) Circumvent, attempt to circumvent, or assist another in circumventing the security controls in place to protect technology resources and data.

(4) Knowingly download or install software onto university technology resources or use software applications, which may interfere or disrupt service, or do not have a clear administrative, academic, research or scholarly use.

(5) Engage in activities that interfere with or disrupt users, equipment or service; distribute viruses or other malicious code; or install software, applications, or hardware that permits unauthorized access to technology resources.

(6) Conduct unauthorized scanning of university technology resources.

(7) Engage in inappropriate use, including but not limited to:

(a) Activities that violate state or federal laws, regulations, technology resource licensing, or university policies.

(b) Harass, discriminate or defame others.

(c) Widespread dissemination of unsolicited and unauthorized electronic communications.

(8) Engage in excessive use of enterprise technology resources, including but not limited to network capacity or enterprise server storage and computing capacity. Excessive use means use that is unrelated to academic or employment-related needs, or that interferes with other authorized uses.

(9) Use any means to view, gain access to, intercept data or network traffic, use facilities, accounts, access codes, privileges or technology resources not intended for their viewing or use.

(10) Use the university's technology resources for commercial or for financial gain not related to the university's administrative operations, academic, research, and scholarly pursuits.

(11) Represent personal electronic communications as being an official position of the university.

(E) Incidental personal use of technology resources, including email, is permitted provided that this use does not interfere with university operations, violate university policies, create an inappropriate atmosphere for employees in violation of law or university policy, generate incremental identifiable costs to the university, and/or negatively impact the user's job performance.

(F) Enforcement and administration

(1) Determination of violations shall be made in accordance with established applicable due process procedures (i.e., student code of conduct, collective bargaining agreement, academic and administrative grievances and appeals policies, as appropriate).

(2) Users who violate this policy may be denied access to university technology resources and may be subject to other penalties and disciplinary action, both within and outside of the university. The university may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security or functionality of university or other technology resources or to protect the university from liability. The university may also refer suspected violations of applicable law to appropriate law enforcement agencies.

(3) The vice president for information technology and CIO is responsible for administering this policy.

(A) Purpose. To ensure compliance with the university policy on responsible use of information technology, Kent state university establishes the following administrative policy which supplements university policy and any guidelines or regulations developed by individual units of the university, as well as applicable federal and state laws.

(B) User responsibilities.

(1) University assigned accounts ("UserID"), computer and network access accounts are for the personal use of that individual only. Accounts are to be used for the university-related activities for which they are assigned.

(2) Sharing of access. Computer accounts, passwords, and other types of authorization are assigned to individual users and should not be shared with others. Individual users are responsible for the use of their accounts. If an account is shared or the password divulged, the holder of the account may lose all account privileges and be held personally responsible for any actions that arise from the misuse of the account.

(3) Unauthorized access. Individual users may not run or otherwise configure software or hardware to intentionally allow access by unauthorized users.

(4) Termination of access. When individual users cease being a member of the campus community (i.e., withdraw, graduate, or terminate employment or otherwise leave the university), or if an individual user is assigned a new position and/or responsibilities within Kent state university, access authorization may be reviewed. Users must not use facilities, accounts, access codes, privileges or information for which they are not authorized.

(5) Circumventing security. Users are prohibited from attempting to circumvent or subvert any system's security measures. Users are prohibited from using any computer program or device to intercept or decode passwords or similar access control information.

(6) Breaching security. Deliberate attempts to degrade the performance of a computer system or network or to deprive authorized personnel of resources or access to any Kent state university computer or network is prohibited. Breach of security includes, but is not limited to, the following:

(a) Creating or knowingly propagating viruses;

(b) Hacking;

(c) Password cracking;

(d) Unauthorized viewing of others' files;

(e) Willful modification of hardware and software installations.

(7) Abuse of campus computer resources is prohibited and includes, but is not limited to:

(a) Unauthorized monitoring. A user may not use computer resources for unauthorized monitoring of electronic communications.

(b) Spamming. Posting a personal or private commercial message to multiple list servers, distribution lists or news groups with the intention of reaching as many users as possible is prohibited.

(c) Private commercial purposes. The computing and networking resources of campus shall not be used for personal or private commercial purposes or for financial gain

(C) Enforcement. Users who violate this policy may be denied access to university computing resources and may be subject to other penalties and disciplinary action, both within and outside of the university. Violations will normally be handled through the university disciplinary procedures applicable to the relevant user. The university may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security or functionality of university or other computing resources or to protect the university from liability. The university may also refer suspected violations of applicable law to appropriate law enforcement agencies.

(D) Reporting. Anyone who learns of misuse of software, hardware, or networks may report the activity by contacting the helpdesk at 330-672-HELP (4357) or helpdesk@kent.edu. The call will be referred to the appropriate unit.

(A) Purpose. To establish guidelines for the provisioning, use, maintenance, and closure of student email accounts.

(B) Scope. This policy applies to all individuals who have been accepted for admission, and enrolled students.

(C) Procedures

(1) A university email account will be provisioned for each student upon acceptance to the university. Students will receive information regarding access to and use of the account as part of their onboarding process.

(2) Email is the official university means of electronic communication.

(3) The student email account is intended primarily for:

(a) Receiving official communications from the university.

(b) Corresponding with faculty, advisors, and administrative offices regarding academic and administrative matters.

(c) Participating in academic coursework and university-sponsored activities.

(4) The email account will remain active during the admissions process and through the student's period of enrollment at the university.

(5) The university will maintain the email account for a period of up to two years post-graduation or post discontinuance of coursework. After this two-year period, the email account and all associated data may be permanently deleted.

(6) Former students may request closure of their university email account at any time after graduation or withdrawal by submitting a formal request in writing to security@kent.edu.

(7) Mass and targeted electronic communication. The distribution of mass communication to all students or targeted communication to a specific subset of students shall be restricted to Kent state university departments and university partners for university business. External requests will not be honored.

(8) Educational uses of email. Faculty may determine how email and other electronic communications will be used in their classes and it is recommended that faculty expectations of all electronic communication requirements be specified in their course syllabus. Faculty should expect that students are accessing official electronic communications and should use such communications for their courses accordingly.

(D) Responsibilities

(1) Students are responsible for adhering to rules 3342-9.02 and 3342-9.02-1 of the Administrative Code.

(2) The university may also use other forms of electronic communication, including but not limited to text-messaging, information portals, and messaging tools in learning management systems. It is expected that students will review all messages sent to their university assigned email account on a regular and timely basis. The university cannot guarantee that messages sent to their assigned email account will be forwarded to third party platforms (e.g. personal email accounts).

(E) Implementation. The vice president for information technology shall be responsible for the implementation of this policy.

(A) Introduction. This policy applies to all Kent state university web sites and web pages that are available generally through the worldwide web or the internet. This policy applies to all web pages and sites except those: (1) primarily intended for instruction or research; (2) primarily used in support of student, faculty or staff organizations; and (3) personal web sites.

(B) Procedural standards. Members of the university community are expected to follow all policies, rules, procedures and guidelines established to manage web resources. The divisions of university relations and development and information services are jointly responsible for promulgating the rules, procedures and guidelines outlined in this policy.

(C) Guidelines for implementation.

(1) University relations and development will develop and maintain guidelines called guide to web standards to govern web publications covered by this policy. University relations and development will work closely with information services, faculty and other appropriate stakeholders in developing these guidelines.

(2) To achieve the overall advancement of Kent state university's unique institutional brand identity, as defined in the Kent state university positioning platform, web sites and web pages covered by this policy are governed by the guide to web standards.

(3) It is Kent state university's policy that all web sites and web pages covered by this policy will be compliant with the Americans with Disabilities Act.

(4) The university, through university relations and development and information services, is responsible for maintaining web resources (including but not limited to: site development and design, style guidelines, logo libraries, on-campus training and information about compliance with the Americans with Disabilities Act) for the university community.

(5) University relations and development and information services will assist departments, divisions and all units covered by this policy in identifying noncompliant elements and will provide help to departments to bring departmental web sites into compliance with this policy.

(6) University relations and development, along with information services, will be responsible for securing ongoing, appropriate technical support for Kent state university's institutional web site and departmental web sites that are housed on the university server. Those departments choosing to maintain web sites on independent servers are responsible for the security and maintenance of the servers and web sites.

(7) Copyright and ownership of internet materials, whether original or derived works, created or developed by Kent state university staff, faculty or students are prescribed by Kent state university contractual agreements or policies regarding intellectual property.

(8) No web page can contain any copyrighted or trademarked material without permission except as permitted by law. Photographs, drawings, video clips or sound clips may not be used on a page without permission of the person who created them or the entity owning the rights except as permitted by law.

(9) Limited commercial sponsorship is permitted on web sites covered by this policy if all of the following conditions are met:

(a) The commercial entity must be sponsored by a department or unit of the university;

(b) A commercial sponsorship agreement must be signed by the commercial entity, approved at the vice presidential level and reviewed by university counsel;

(c) Commercial sponsorship must meet the requirements set forth in the appropriate section of the guide to web standards.

(d) Use of logos, trademarks or other identifying elements not associated with the university should be avoided except as noted in paragraphs (C)(9)(a) to (C)(9)(c) of this Administrative Code. Hosting of commercial sponsor's web pages or web sites is prohibited.

(10) Other than basic identification information described in the guide to web standards, this policy is not intended to specify content.

(11) All requirements and restrictions in any other Kent state university policies remain in force and are not considered superseded by this policy.

(A) Purpose: to ensure that all members of the campus community understand their responsibilities to protect the security of technology resources and preserve reliability, integrity, and availability of information.

(B) Policy statement: The university requires the use of technologies and data in digital form in order to carry out its teaching, research, and administrative missions. The university, through the division of information technology, will develop and publish policies and practices designed to secure university information resources.

(C) Responsibilities: Implementation of information security policies is delegated to the vice president for information technology and CIO. The vice president may delegate certain responsibilities for implementation of policies and practices in furtherance of this rule to the chief information security officer (CISO) or other appropriate delegate. The appropriate delegate will have primary responsibility for:

(1) Oversight of information security.

(2) Implementation and enforcement of this policy.

(3) Development, revision, approval, and oversight of information security policies, procedures, and guidelines pursuant to this policy.

(4) Educating the university community about information security responsibilities.

(A) Purpose. The purpose of this policy is to enable the use of innovative technology by members of the university community while utilizing available resources to mitigate the risk of unauthorized access or disclosure. All computer systems either accessing or storing institutional data or operating on the university network must meet the information security standards as defined or otherwise referenced in this rule.

(B) Definitions.

(1) Application. A set of one or more computer programs designed to permit users to perform a group of coordinated functions, tasks, or activities. Examples of applications include but are not limited to: student support systems, administrative support systems, databases, and other application programs installed by the user or administrator on a device or server. For the purpose of this rule, covered applications are limited to those applications running or installed on university-owned information technology, on any server and/or storage device used to hold or transmit institutional data, or any cloud-based server and/or storage device.

(2) Physical server. A dedicated physical computer on a network that is capable of accepting requests from multiple university clients and providing responses accordingly.

(3) Virtual server. A server created through the use of software known as a hypervisor that allows a single physical computer to be partitioned into multiple server computing units.

(4) Storage device. A device used for recording and storing information (i.e. institutional data).

(5) Network attached storage device. A computer connected to a network that provides only file-based data storage services to other devices on the network.

(6) Firewall. A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

(7) Institutional data. All data created, collected, maintained, recorded or managed by the university, its staff, and agents working on its behalf. It includes data used for planning, managing, operating, controlling, auditing and reporting on university functions. When appropriate, institutional data may also include research data that contains personally identifiable subject information, or proprietary university information.

(C) Scope. This policy applies to all student employees, faculty, staff, (collectively "university stakeholders") and third parties acting on behalf of Kent state university as well as any other university affiliate authorized to access or is in possession of Kent state university institutional data and IT resources. This policy applies but is not limited to all computer systems (applications, physical servers, virtual servers, and storage devices) that process or store university information. The policy applies both to computer systems that are run locally at Kent state university campuses and those that are hosted or maintained by outside vendors. Exceptions to this policy must be approved by the vice president for information technology and formally documented. Exceptions will be reviewed on a periodic basis and may be withdrawn at the discretion of the vice president for information technology.

(D) Procedures.

(1) The division of information technology ("IT" or "information technology") is responsible for documenting the required security standards, updating on a periodic basis, and posting to the IS website at security.kent.edu. (a) Such security standards as adopted and maintained by the division of information technology are intended to ensure adherence to the standards set forth by existing laws and regulations, such as but not limited to: sections 1349.19 and 149.43 of the Revised Code; the Family Educational Rights and Privacy Act; and the Health Insurance Portability and Accountability Act.

(2) Existing computer systems (applications, servers, and storage devices) will be audited against the current standards.

(3) All new requests for computer systems (applications, servers, and storage devices) must be reviewed by information technology to ensure the proposed system meets the security standards.

(4) University stakeholders must receive prior approval from the division of information technology before utilizing externally managed services, applications, and servers.

(a) Vendors of externally managed services and applications shall be required to complete the vendor security checklist prior to engagement of such resources or transmission of institutional data. Such checklists must be reviewed by IS.

(b) Service agreements and terms of use shall be submitted by the requesting university stakeholder for review by information technology and other university stakeholders as required under rule 3342-5-04.1 of the Administrative Code.

(c) Any storage of institutional data with external service providers requires the prior approval of information technology.

(5) Servers and network-attached storage devices operating on the Kent state university network shall be secured according to the risk they pose to institutional data, to critical university processes, or to the ongoing compliance of the university to state, federal or other regulations.

(a) Servers and network-attached storage devices will be located in the data center if they:

(i) Contain sensitive personal identifiable information (PII);

(ii) Fall under state, federal, or other regulatory compliance obligations;

(iii) Directly integrate with other servers located in the data center;

(iv) Provide mission-critical functions to departmental faculty, staff, or to students; or

(v) Provide or impact financial-related processes.

(b) Access to the data center shall be controlled by IS operations staff.

(c) All data center devices shall reside behind IS-managed firewalls.

(d) Remote access shall be approved and managed by IS office of security and access management.

(6) All applications are subject to vulnerability assessments by IT. In the event of the identification of a critical vulnerability, IT shall require remediation in order for the user and/or server/storage device to remain on the network.

(7) The use or storage of sensitive institutional data (including but not limited to personally identifiable information, or other information protected from unauthorized disclosure by law, regulations or policy) on any server or storage device for any purpose must adhere to the processes, standards, and requirements as directed by IT office of security and access management.

(8) Domain names other than kent.edu acquired by university stakeholders for the operation of applications must be obtained and registered through information technology.

(9) Violations of this policy may result in suspension or loss of the user's access to computing, storage, or network resources, with respect to institutional data and university-owned information technology.

(A) Policy statement. The university requires the use of institutional data in order to carry out its teaching, research, and administrative missions. The university, through the division of information technology, will develop and publish policies designed to protect and use institutional data in a manner that is ethical, efficient, and supports the university's strategic goals.

(B) Responsibilities. Implementation and enforcement of institutional data handling policies is delegated to the vice president for information technology and CIO. The vice president may delegate certain responsibilities of the policies and practices in furtherance of this rule to the chief data officer (CDO) and other appropriate delegate, which may include:

(1) Oversight of data handling. "Data handling" is defined as the secure collection, storage, transmission, and disposal of institutional data.

(2) Oversight of data privacy. "Data privacy" is defined as the adherence to regulatory and industry standards regarding handling personal protected information and other forms of institutional data.

(3) Oversight of data classification. "Data classification" is defined as the process of defining and categorizing institutional data.

(4) Development, revision, approval, and oversight of data handling policies, procedures, and guidelines pursuant to this policy.

(5) Educating the university community about ethical use of data, safeguarding data, and data management responsibilities.