Chapter 3349-9 | Information Technology

Rule 3349-9-05 | Acceptable use of computing resources.
 

(A) Purpose

The purpose of this rule is to outline the acceptable use of computer equipment at the university without inhibiting the use of the information technology environment that is intended for the greater benefit of the university community. Inappropriate use exposes the university to risks including virus attacks, compromise of network systems and services, and legal issues.

(B) Scope

The scope of this rule includes all authorized users who have access to the university network, are responsible for an account on any system that resides at any university facility, and/or store any university information on university equipment or systems.

This rule applies to all equipment and systems that are owned or leased by university, including, but not limited to: computers, laboratories, lecture theaters, and video conferencing rooms across the university together with the use of all associated networks, internet access, e-mail, hardware, virtual private network, data storage, computer accounts, software, telephony services, and voicemail.

(C) Definitions

(1) "Information Technology Facilities" includes but is not limited to university computers, servers, networks, phones, printers and software.

(2) "Users/Community" refers to all university employees, students, alumni, and authorized external users for legitimate university purposes (including contractors and vendors with access to university systems).

(D) Body of the rule

(1) General use and ownership

(a) Users should be aware that the data they create on university systems remains the property of university.

(b) Each user is responsible for using the information technology facilities in an ethical and lawful way, in accordance with university policies and relevant laws.

(c) Each user is responsible for cooperating with other users of the information technology facilities to ensure fair and equitable access to the facilities.

(d) Each user is responsible for exercising good judgment regarding the reasonableness of personal use. The university accepts no responsibility for the integrity or confidentiality of personal files stored on university's information technology facilities.

(e) University reserves the right to audit networks, systems, and equipment on a periodic basis.

(2) Security and proprietary information

(a) Users should take all necessary steps to prevent unauthorized access to any information stored on university's systems.

(b) Each user is responsible for the unique computer accounts which the university has authorized for the user's benefit. Authorized users are responsible for the security of their passwords and accounts.

(c) All devices that are connected to the university network, whether owned by the user or the university, shall run real-time virus scanning software with current virus definition files.

(d) University recommends that any information that users consider sensitive or vulnerable be encrypted before sending it outbound electronically or on magnetic media.

(3) Confidentiality and privacy information

Use of the university network and systems is restricted to authorized users only. All users accessing this system:

(a) Must maintain high levels of security and confidentiality;

(b) Must preserve the privacy required for these data;

(c) Will access records only as required to perform assigned duties;

(d) Will not access or release private information without proper authorization; and

(e) Will not publicly discuss data in a way that might identify a person.

Unauthorized use is a violation of applicable university policies and state/federal laws and regulations (such as the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338; the Family Educational Rights and Privacy Act, 20 U.S.C. Section 1232g, 34 C.F.R. Part 99; and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936) and will be subject to criminal, civil and/or administrative action.

(4) Prohibited activities constituting unacceptable use

(a) The following activities are strictly prohibited on university information technology facilities:

(i) Unauthorized access to accounts, data, or files

(ii) Using the university's name, seal, and/or logo on personal web pages, e-mail, or other messaging facilities unless expressly authorized by the university

(iii) Procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction

(iv) Accessing, creating or distributing pornographic material

(v) Running a personal business on university equipment

(vi) Making fraudulent offers of products, items, or services originating from any university account

(vii) Making statements about warranty, express or implied, unless it is a part of normal job duties

(viii) Effecting security attacks or disruptions of network service. Security attacks include, but are not limited to:

(a) Disruptive activities, such as denial of service attacks, packet spoofing, and forging information for malicious purposes

(b) Introduction of malicious programs into the network or server (for example, viruses, worms, trojan horses, phishing attacks, etc.)

(c) Port scanning or vulnerability scanning

(d) Executing any form of network monitoring which will intercept data not intended for the user's host, unless this activity is a part of the user's normal job/duty

(ix) Providing information about, or lists of, university employees directly to parties outside university without proper authorization.

(b) The following email and communications activities are strictly prohibited:

(i) Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (commonly known as 'spam')

(ii) Sending defamatory, aggressive or rude e-mail messages

(iii) Sending threatening, harassing, or hate-related communications to another person via email or telephone, whether through language, frequency, or size of messages

(iv) Sending sexually explicit material

(v) Propagating chain mail (e-mail sent to a number of people asking the recipient to send copies of the e-mail with the same request to a number of recipients)

(vi) Impersonating another person by sending a message which appears to have come from another person's computer, or representing oneself as being of a different gender, race, age, etc. (e.g., in a chat session or electronic conference)

Users are entitled to use the university's e-mail and messaging facilities for private purposes, provided such use is lawful. Messaging facilities may include chat sessions, newsgroups, and electronic conferences. University reserves the right to withdraw this permission in the event that such use places the information technology facilities at risk or poses a security or other threat. Users must respect the privacy and personal rights of others.

(5) Copyright violations

(a) Violations of the rights of any person or institution protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by university is strictly prohibited.

(b) Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of text and/or photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which university or the end user does not have an active license is strictly prohibited.

(c) Original multimedia works are protected by copyright. The copyright act's exclusive rights provision gives developers and publishers the right to control unauthorized exploitation of their work. Multimedia works are created by combining content, music, text, graphics, illustrations, photographs, and software.

(d) Authorized users are expressly forbidden to make digital files of any commercially available multimedia works including, but not limited to, recordings, music albums, album covers, and videos, without permission of the copyright owner. Investigative bodies are able to detect infringing activities of a student, faculty, or staff member. Individual members of the university community may be held liable for damages and costs if a copyright owner takes action for infringement of copyright.

(e) Distribution of music or film files for the purpose of trade or for any other purpose which affects the copyright owner prejudicially, such as making music files available for downloading free of charge on an internet website, is a criminal offense.

(6) Enforcement

(a) Login access to the information technology facilities is a privilege that is granted by the department of information technology. An individual's access may be restricted on the grounds that the user is in breach of this rule. Any user found to have violated this rule may be subject to disciplinary action, up to and including termination of employment.

(b) For security and network maintenance purposes, authorized individuals within university may monitor equipment, systems and network traffic at any time. The university does not generally monitor e-mail, personal web sites, files, and data stored on the university's computers or traversing the university's network. However, the university reserves the right to access and monitor e-mail, web sites, server logs and electronic files and any computer or electronic device connected to the university network, should it determine that there is reason to do so. Such reason would include, but not be limited to, suspected or reported breaches of this rule, or breach of any statutes, regulations or policies of the university, or suspected illegal activity.

(c) Unlawful use will breach this rule and will be dealt with as a disciplinary offense. Unlawful use of the information technology facilities may also lead to criminal or civil legal action being taken against the individual. This could result in serious consequences such as a fine, damages and/or costs being awarded against the individual, or even imprisonment. The university will not defend or support any client of the network who uses the information technology facilities for an unlawful purpose.

Supplemental Information

Authorized By: 111.15
Amplifies: 111.15
Rule 3349-9-15 | Information security.
 

(A) Purpose

Northeast Ohio medical university ("NEOMED") has instituted the following information security rule to establish the overarching, university-wide approach to information security and as a measure to protect the confidentiality, integrity and availability of university data and systems.

(B) Scope

This rule applies to university data and systems; university students, faculty, staff, and alumni; and authorized external users for legitimate university purposes (e.g., volunteers, tenants, vendors, contractors, consultants, guests and/or visitors).

(C) Definitions

(1) "Access control" refers to the process of regulating specific requests to obtain and use university data and systems.

(2) "Authorization" refers to the granting of permission to an identified individual to use university data or system(s) and to explicitly accept the risk to university operations, individuals, and assets based on extending such permission. Acceptance of authorization to use university data and systems establishes an obligation on the part of the individual to use those resources responsibly.

(3) "Availability" refers to ensuring timely and reliable access to and use of data or systems. Additionally, it describes the importance of access when the data or system is needed, and the impact on the organization if it is not available. A loss of availability is the disruption of access to or use of data or systems (e.g., hard drive failure, destruction of a system, system unresponsiveness, denial of service attack).

(4) "Confidentiality" refers to the preservation of authorized restrictions on data access and disclosure, including means for protecting personal privacy and proprietary data. A loss of confidentiality is the unauthorized disclosure of data (e.g., compromised by hackers; released or published publicly without authorization).

(5) "Data" refers to any instance of information, regardless of form or storage medium, that is categorized by an organization or by a specific law or regulation.

(6) "Information security" refers to the protection of university data and systems from unauthorized access, use, disclosure, disruption, modification and destruction with the intent to provide confidentiality, integrity and availability to such data and systems.

(7) "Integrity" refers to guarding against improper data or system modification or destruction and ensuring authenticity and non-repudiation in the use of data or systems. A loss of integrity is the unauthorized modification or destruction of data or systems such that those resources can no longer be trusted for use, are incomplete, or are incorrect.

(8) "Risk," with respect to the university, refers to the effect of uncertainty, either negative or positive, on the university's strategy and its strategic objectives.

(9) "Security incident" refers to an adverse event that results in a suspected or known unauthorized disclosure, misuse, alteration, destruction, or other compromise of university data or systems. A security incident is caused by the failure of a security mechanism or an attempted or threatened breach of these mechanisms through nonelectronic means (e.g., a violation of applicable university rules, mishandled documents, the theft or loss of a system, verbal or visual disclosure of personal information) and electronic means (e.g. hacking, malware, ransomware, phishing).

(10) "System" refers to an information technology resource that can be classified, may have security controls applied, and is organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of university data. Examples of systems include, but are not limited to: desktop, laptop, or server computers; mobile devices (e.g., iphones; ipads; android; blackberry) to the extent that they interact with university data and systems, such as university email; university network(s); software; applications; and databases.

(11) "University data" refers to data that is created, collected, stored and/or managed in association with fulfilling the university's mission or its required business functions. University data may or may not constitute a public record (as defined within section 149.43 of the Revised Code).

(12) "University account" refers to a user's username and password combination for a university system (e.g., university email).

(13) "University email", also known as "NEOMED email", refers to the university's approved microsoft-based email system used to transmit and receive electronic messages.

(14) "User" refers to any individual or entity that has received authorization, if applicable, to access university data or systems.

(D) Rule statement

(1) Overview

(a) The ability of the university to meet the regular needs of its academic, administrative, and research communities is facilitated, in large part, by using university data and systems. While these technologies are important assets of the university and are fundamental to the carrying out of its mission, they also introduce risks, which are increasing in both number and variety (e.g., phishing, identity fraud, misuse of university data and systems). As a result, the university has established an overarching information security rule to serve as the basis for the safeguarding of its data and systems.

(b) NEOMED will ensure that users are aware of their specific information security responsibilities in the use and management of university data and systems. By being aware, NEOMED expects users to use appropriate physical, electronic, and procedural safeguards to protect the confidentiality, integrity and availability of university data and systems, as outlined herein and throughout the university's information technology rules and procedures. While the safeguards utilized by the university are expansive and thorough, the university cannot guarantee absolute security; therefore, all users share responsibility to minimize risk and to secure university data and systems within their control. Any suspected misuse or other information security incidents must be reported, in accordance with the information security incident response plan rule.

(c) This overarching rule is supplemented and supported by other information technology rules and procedures that are created to support information security elements not outlined herein. All information security rules and procedures shall ensure compliance with all applicable federal and state security-related laws and regulations. These rules and procedures shall consider risk within their design and be written to recognize the risk severity and resource constraints of university.

(2) Information security elements

The following is an overview of the overarching components that provide the basis for the university's information security measures and corresponding safeguarding requirements. These components are adapted from the national institute of standards and technology (NIST) risk management framework and corresponding NIST security controls which are further developed within other university information technology rules and procedures.

(a) Confidentiality, integrity and availability: the university shall ensure that its information security rules and procedures address the basic security elements of confidentiality, integrity, and availability.

(b) Management and governance: the university shall implement an institutional governance structure for the management of its information security framework.

(c) Classification of university data and systems: the university shall implement classification requirements that protect university data and systems in the most appropriate manner.

(d) Risk management: the university shall apply risk management procedures to make informed decisions on appropriate information security safeguards and to aid in designing and implementing any additional information technology rules and procedures.

(e) Access control and authorization: the university shall implement information security rules and procedures regarding access control and authorization required to protect university data and systems.

(f) Audit logging: the university shall implement an information security audit logging capability for university systems, including computers and network devices.

(g) Identify, protect, detect, respond, and recover: information security rules and procedures shall include methods to identify, protect against, detect, respond to, and recover from threats and vulnerabilities to university data and systems.

(h) Rule and procedure management: rules and procedures created to supplement and support this overarching information security rule shall be reviewed by university information security personnel before being implemented. These rules and procedures will be implemented with consideration of the business impacts and resource constraints for all university areas tasked with their implementation.

(3) Enforcement

(a) The university respects the privacy of individuals and keeps university data on university systems as private as possible. The university also does not generally monitor university email, systems, and university data stored on university systems or traversing the university's network; however, the university reserves the right to monitor, access, and disclose university data created, sent, received, processed, or stored on university systems to protect the confidentiality, integrity, and availability of university data and systems or for any reason to ensure compliance with university rules and federal, state, or local laws and regulations. University personnel will have the right to review and/or confiscate any university equipment connected to or using university data and systems. University personnel also reserve the right, without notice, to limit or restrict any individual's university data and systems access and to inspect, remove, or otherwise alter any university data or system that may compromise the information security of the university. University data and systems are the property of NEOMED and not the personal property of the individual.

(b) Access to university data and systems is a privilege that is granted by the university; therefore, non-compliance or violation of related university rules may result in disciplinary action, which could include, but is not limited to: suspension or loss of the user privileges related to university data and systems; mandatory information security training; written warnings, suspension with or without pay, or termination; or any other remedy available by law.

(c) The university will not defend or indemnify any user who utilizes university data and systems for an unlawful purpose or in contravention of university rules.

Supplemental Information

Authorized By: 111.15
Amplifies: 3350.12
Rule 3349-9-18 | Classification of university data systems.
 

(A) Purpose

To establish a classification framework based upon the sensitivity and regulatory requirements for safeguarding university data and systems.

(B) Scope

This rule applies to all university data and systems and to those responsible for classifying or using university data and systems.

(C) Definitions

(1) "Authorization" refers to the granting of permission to an identified individual to use university data or system(s) and to explicitly accept the risk to university operations, individuals, and assets based on extending such permission. Acceptance of authorization to use university data and systems establishes an obligation on the part of the individual to use those resources responsibly.

(2) "Availability" refers to ensuring timely and reliable access to and use of data or systems. Additionally, it describes the importance of access when the data or system is needed, and the impact on the organization if it is not available. A loss of availability is the disruption of access to or use of data or systems (e.g., hard drive failure, destruction of a system, system unresponsiveness, denial of service attack).

(3) "Confidentiality" refers to the preservation of authorized restrictions on data access and disclosure, including means for protecting personal privacy and proprietary data. A loss of confidentiality is the unauthorized disclosure of data (e.g., compromised by hackers; released or published publicly without authorization).

(4) "Data" refers to any instance of information, regardless of form or storage medium, that is categorized by an organization or by a specific law or regulation.

(5) "Integrity" refers to guarding against improper data or system modification or destruction and ensuring authenticity and non-repudiation in the use of data or systems. A loss of integrity is the unauthorized modification or destruction of data or systems such that those resources can no longer be trusted for use, are incomplete, or are incorrect.

(6) "Internal university data" as defined within paragraph (D)(2)(a)(ii) of this rule.

(7) "Private university data" as defined within paragraph (D)(2)(a)(iii) of this rule.

(8) "Public university data" as defined within paragraph (D)(2)(a)(i) of this rule.

(9) "Record" refers to any document, device, or item, regardless of physical form or characteristic that is created, received by, or comes under the jurisdiction of an organization which serves to document the organization, its functions, rules, decisions, procedures, operations or other activities. University data may reside in university records, be used to produce university records, or may of itself be a university record.

(10) "Restricted university data" as defined within paragraph (D)(2)(a)(iv) of this rule.

(11) "Risk," with respect to the university, refers to the effect of uncertainty, either negative or positive, on the university's strategy and its strategic objectives.

(12) "System" refers to an information technology resource that can be classified, may have security controls applied, and is organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of university data. Examples of systems include, but are not limited to: desktop, laptop, or server computers; mobile devices (e.g., iphones; ipads; android; blackberry) to the extent that they interact with university data and systems, such as university email; university network(s); software; applications; and databases.

(13) "University data" refers to data that is created, collected, stored and/or managed in association with fulfilling the university's mission or its required business functions. University data may or may not constitute a public record (as defined within section 149.43 of the Revised Code).

(14) "User" refers to any individual or entity that has received authorization, if applicable, to access university data or systems.

(D) Rule statement

(1) Overview

(a) Northeast Ohio medical university is committed to protecting the privacy of its students, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of university data and systems that are important to the achievement of the university's mission and ongoing operations.

(b) The university uses risk assessment methodologies to translate university data and system considerations into an appropriate risk classification. This is done by assessing the adverse effects that could be expected by a loss of confidentiality, integrity, and availability of university data or systems and then determining a severity level for each resource. If a need for confidentiality, integrity, or availability is higher or stronger than the other two measures, the overall classification of that university data or system will reflect that highest or stronger need.

Example: if a specific set of university data is assessed with a high need for confidentiality but low needs for integrity and availability, that university data will be classified based upon the high need for confidentiality (classifications are further detailed below).

(c) Based upon the classification, authorization to access university data or systems will vary and security controls for access and protection will be applied, in accordance with the university's information technology rules.

(d) Proper classification is a prerequisite to enable compliance with legal and regulatory requirements, and university rules and procedures.

(e) Regardless of classification, university data may reside within university records, be used to produce university records, or itself constitute a university record. University records are generally available to the public under the state of Ohio's public records law. Some records are protected by federal or state law or are otherwise exempt from disclosure.

(f) Any questions regarding the classification of university data and systems should be referred to the appropriate data steward, system steward, or to the office of compliance and risk management.

(2) Classification of university data

(a) The four university data classifications are, from least to most restrictive:

(i) Public

(a) Public university data is university data that is intended and accessible for public use and is not restricted by federal, state, local, or international regulations regarding disclosure or use.

(b) The potential loss of confidentiality, integrity, and availability of public university data could be expected to have no adverse effects on university operations, university assets, or individuals.

(ii) Internal

(a) Internal university data is university data used to conduct university business for which access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil statute requiring this protection. This university data is not intended for public dissemination, but its disclosure is not restricted by federal or state law or regulation.

(b) The potential loss of confidentiality, integrity, and availability of internal university data could be expected to have limited adverse effects on university operations, university assets, or individuals.

(i) The need for confidentiality is low/optional;

(ii) The need for integrity is low/optional as the university data is easily reproducible; and/or

(iii) The need for availability is low/optional as the university data provides an informational/non-critical service.

(c) Access to and management of internal university data may only be available to users whose role, function, or assignment requires it.

(iii) Private

(a) Private university data is university data used to conduct university business for which access must be guarded due to legal, regulatory, administrative, and contractual requirements, in addition to proprietary, ethical, or privacy considerations.

(b) The potential loss of confidentiality, integrity, and availability of private university data could be expected to have serious adverse effects on university operations, university assets, or individuals.

(i) The need for confidentiality is moderate/recommended;

(ii) The need for integrity is moderate/recommended as the university data is internally trusted by or dependent on other university data or systems; and/or

(iii) The need for availability is moderate/recommended as the university data provides a normal or important service.

(c) Access to and management of private university data requires authorization and is only granted to those users as permitted under applicable law, regulation, contract, rule, and/or role.

(iv) Restricted

(a) Restricted university data is university data that requires the highest level of protection due to legal, regulatory, administrative, contractual, industry standard, or rule requirements.

(b) The potential loss of confidentiality, integrity, and availability of restricted university data could be expected to have severe or catastrophic adverse effects on university operations, university assets, or individuals.

(i) The need for confidentiality is high/required;

(ii) The need for integrity is high/required as the university data is internally trusted by or dependent on other university data or systems; and/or

(iii) The need for availability is high/required as the university data provides a critical or university-wide service.

(c) Access to and management of restricted university data is strictly limited and determined by data stewards, as unauthorized use or disclosure could substantially or materially impact the university's mission, operations, reputation, finances, or result in potential harm to members of the university community (e.g., identity theft).

(b) The classification of university data is subject to change as the attributes, considerations, or regulatory requirements of that data change.

(c) The following rules should be applied when classifying university data:

(i) When a set or collection of university data includes data of more than one classification, the set or collection of university data should be classified based on the most restrictive classification found in the set or collection.

For example, if a database contains both private and restricted university data, the database should be classified as restricted.

(ii) University data may be classified at a more restrictive classification; however, if this occurs, such data must meet the minimum-security measures for the more restrictive classification.

(3) Classification of university systems

(a) The three university system classifications are, from least to most risk:

(i) Low risk

(a) The system processes and/or stores public university data;

(b) The system is easily recoverable and reproducible; and/or

(c) The system provides an informational/non-critical service.

(ii) Moderate risk

(a) The system processes and/or stores internal university data;

(b) The system is internally trusted by or dependent on other university systems and its university data; and/or

(c) The system provides a normal or important service.

(iii) High risk

(a) System processes and/or stores private or restricted university data;

(b) System is highly trusted by or dependent on other university systems and its university data; and/or

(c) System provides a critical or university-wide service.

(b) University systems may be classified at a more restrictive classification; however, if this occurs, such systems must meet the minimum-security measures for the more restrictive classification.

(c) The classification of university systems is subject to change as the attributes, considerations, or regulatory requirements of those systems change.
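The classification rules in paragraphs (D)(1)(b), (D)(2)(c)(i), (D)(2)(c)(ii) and (D)(3) of this rule are a "high-water mark" scheme: each data element takes the level of its strongest confidentiality, integrity or availability need, a collection takes the most restrictive level found in it, and a system takes the risk level implied by the most restrictive data it processes or stores. The following Python model is an added example and is not part of the rule or of any NEOMED system; the function names, the `Need` levels (with `NONE` standing in for the "no adverse effects" wording of public data, which the rule gives no need level for) and the sample inventory are all constructed for illustration.

```python
"""Added example (not part of rule 3349-9-18): a model of the data and system
classification rules in paragraphs (D)(1)(b), (D)(2)(c) and (D)(3).
All names and the sample inventory below are constructed for illustration."""
from enum import IntEnum
from typing import Dict, Iterable, Tuple


class Need(IntEnum):
    """Need level for one security element (confidentiality, integrity, availability).
    NONE is an assumption for public data ("no adverse effects"); the rule itself
    only names low/optional, moderate/recommended and high/required."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The four data classifications, least to most restrictive, indexed by Need value.
DATA_CLASSES = ("public", "internal", "private", "restricted")

# Paragraph (D)(3): system risk follows the most restrictive data the system handles.
SYSTEM_RISK_FOR_DATA = {
    "public": "low risk",
    "internal": "moderate risk",
    "private": "high risk",
    "restricted": "high risk",
}


def classify_data(confidentiality: Need, integrity: Need, availability: Need) -> str:
    """(D)(1)(b): the element with the strongest need decides the classification."""
    return DATA_CLASSES[max(confidentiality, integrity, availability)]


def classify_collection(classifications: Iterable[str]) -> str:
    """(D)(2)(c)(i): a set holding several classifications takes the most restrictive one."""
    found = list(classifications)
    if not found:
        raise ValueError("a collection must contain at least one classified data element")
    unknown = [c for c in found if c not in DATA_CLASSES]
    if unknown:
        raise ValueError(f"unknown classification(s): {unknown}")
    return max(found, key=DATA_CLASSES.index)


def classify_system(data_classifications: Iterable[str]) -> str:
    """(D)(3): a system takes the risk level of the most restrictive data it processes or stores."""
    return SYSTEM_RISK_FOR_DATA[classify_collection(data_classifications)]


def may_reclassify(current: str, proposed: str) -> bool:
    """(D)(2)(c)(ii): data may be moved to a more restrictive class (and must then meet
    that class's minimum measures); moving to a less restrictive class is not permitted
    by this paragraph."""
    return DATA_CLASSES.index(proposed) >= DATA_CLASSES.index(current)


# Constructed sample inventory: name -> (confidentiality, integrity, availability) needs.
SAMPLE_INVENTORY: Dict[str, Tuple[Need, Need, Need]] = {
    "campus_map": (Need.NONE, Need.NONE, Need.NONE),
    "internal_newsletter_drafts": (Need.LOW, Need.LOW, Need.NONE),
    "vendor_contract_terms": (Need.MODERATE, Need.MODERATE, Need.LOW),
    # Shape of the rule's own (D)(1)(b) example: high confidentiality, low integrity/availability.
    "student_health_records": (Need.HIGH, Need.LOW, Need.LOW),
}


def classify_inventory(inventory: Dict[str, Tuple[Need, Need, Need]]) -> Dict[str, str]:
    """Classify every data element in an inventory."""
    return {name: classify_data(*needs) for name, needs in inventory.items()}


if __name__ == "__main__":
    classes = classify_inventory(SAMPLE_INVENTORY)
    for name, cls in classes.items():
        print(f"{name:28s} -> {cls}")
    # A database holding all of the above takes the most restrictive class found in it,
    # and the system hosting it takes the matching risk level.
    print("database:", classify_collection(classes.values()),
          "| hosting system:", classify_system(classes.values()))
```

Running the block classifies the constructed inventory as public, internal, private and restricted respectively, so a database holding all four is restricted and its hosting system is high risk, matching the worked example in paragraph (D)(2)(c)(i).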

Supplemental Information

Authorized By: 111.15
Amplifies: 3350.12
Rule 3349-9-20 | Computer equipment and software support.
 

(A) Purpose

The purpose of this rule is to define standards for hardware, software, and support at the university.

(B) Scope

The scope of this rule includes all personnel at university.

(C) Definitions

(1) "Authorized User" or "User" is a person who has been provided with a username and password, for their use only, through a legitimate university process after verification of identity by the university's information technology department.

(2) "Information Technology" is the administrative unit responsible for supporting university owned or leased hardware and software.

(3) A computer lab is defined as three or more computers used by faculty, staff, or students for general use, research, in a classroom setting, or as a component of a class.

(D) Rule

In order to make the best use of university resources, standard hardware and software specifications have been developed and are defined in the information technology standards and timelines. Employees are responsible for familiarizing themselves with this document. Non-standard hardware/software will not be supported by information technology, nor will computers that are not owned by university.

Hardware

New hardware

Supplemental Information

Authorized By: 111.15
Amplifies: 3350.12