IT Policies

I. Active Directory Membership

All Pittsburg State University computing devices purchased with university funding or whose support and maintenance is the responsibility of university technicians and that is capable of being placed in Active Directory (AD) shall be placed in the PITTSTATE.EDU Active Directory Domain using the university’s central domain controllers – currently named dc1.pittstate.edu and dc2.pittstate.edu.  In addition, all Apple devices meeting these same criteria that are capable of being enrolled with a MAC server, shall be enrolled with the university’s central MAC server – currently named ois-apple-svr.pittstate.edu.

II. Naming Conventions

Purpose 
Provide a naming convention for all units within Pittsburg State University’s Active Directory that uniquely identifies workstations, servers, users, groups, organizational units (OUs), Group Policy Objects (GPOs) and distribution lists. PSU has thousands of objects that provide information and act as resources to many departments. The only possible way to ensure AD can be used effectively is to enforce naming standards. Aside from avoiding name collisions, naming standards will allow users and administrators to efficiently search through thousands of objects and locate their resources and data.

User Account Names 
AD user accounts have account names and distinguished names that identify them within Active Directory. The user account name shall be identical to the email address prefix assigned to the client and shall adhere the naming convention previously established for email address prefixes.

Computer Names 
It is recommended that when naming a computer object that you follow the guidelines below. 

How do we name our client machines? 
Example: SSLS-asagehorn 

How do we name our lab/kiosk workstations? 
Dept-LabID-Sequence 
Example: Const-Lab302-1

Printer Names:

It is recommended that when naming a printer object you follow the guidelines below.

How do we name our printers?
Dept-Location-PrinterType 
Example: OIS-KC158-Copier

Group Policy:
ITS – in cooperation with the appropriate technicians across campus – will work to develop and deploy group policy templates that will be used to enable “best practice” configurations for computer workstations, lab computers, and other applicable computing devices.

Distributed Administration:
ITS will delegate certain administrative permissions within active directory to campus technicians as needed to permit effective support of the devices in their areas of responsibility.

III. Storage Policy

a. Purpose

The intent of this policy is to encourage responsible use and management of the enterprise storage services provided by PSU servers.

b. Policy

Each user and department will receive an initial allocation of enterprise class storage (P drive space) as outlined in the table below.  Only legitimately work-related files are appropriate consumers of the dollars required to provide enterprise class storage.  Summary reports are available showing total consumption by each user and department folder.  Additional reports provide aggregate totals by file type for the entire storage pool.  Individuals or departments may be contacted to gather information and discuss storage requirements if unusual growth patterns are present.  If needed, technical assistance can be provided to relocate items to alternative hard drive or optical storage media.

c.  Initial Allocations

All enterprise storage consumers are allocated storage by default as follows:

The amount of unused storage will appear as “free space” when viewing the contents of “P” drive or department folders.  The computer cannot allocate additional enterprise storage space when the amount of reported free space reaches zero.

Some users, departments, or working groups may have legitimate need for additional storage in order to perform their job function.  To request an increase please contact the Gorilla Geeks (x4600) to create a support ticket explaining the space problem being encountered.  The requestor should detail the amount of additional space they estimate will be needed, and provide information about the intended use for the increased storage requested.  OIS storage experts will process each request and may contact the requestor for additional information or to offer alternative suggestions if appropriate.

d. Notification

Each evening the storage system will review disk storage for each user, department, and working group.  Automatically generated emails will be sent to each user whose reported free space is at or below 15%.

e. Review

This policy will be reviewed annually – more often if technological developments warrant.

________________________________________________________________________

Responsible Office:  Information Technology Services

Approved by Information Technology Council:  May 16, 2013

Approved by President’s Council:  May 20, 2013 

Effective Date:  May 20, 2013

Review Cycle:  Annual 

Pittsburg State University acknowledges and upholds federal and state copyright laws. Copyright protection exist for documents and information distributed and shared via the Internet. Pittsburg State University accepts the copyright guidelines outlined in the Digital Millennium Copyright Act (DMCA). PSU is an "online service provider" to the campus community and takes these responsibilities seriously. Pittsburg State University's students, faculty and staff must adhere to ethical copyright practices.

Termination Policy for Violation of Copyright

Pittsburg State University is an "online service provider" as defined by the Digital Millennium Copyright Act (DMCA) [Public Law 105-304].

Responsibility: Users of the Internet services of Pittsburg State University are responsible for compliance with all copyright laws pertaining to information and files they place, distribute, and receive on the Internet using University facilities.

Termination of privileges: Use of the University's online services will be terminated for anyone who violates the copyright provisions of the United States Code on the third notice of violation by the University when the University is able to discern the identity of the person who committed the violations.

Designated Agent: The Pittsburg State University "Designated Agent", as provided for by the DMCA, for notification of possible violations of copyright is:

Jamie L. Brooksher
General Counsel
Pittsburg State University 
1701 S. Broadway 
Pittsburg, KS 66762-5880 
Voice: 620-235-4136 
Fax: 620-235-4080
E-mail: jbrooksh@pittstate.edu

Elements of Notification: A notification of claimed infringement must be a written communication provided to the designated agent of a service provider that includes substantially the following:

• A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
• Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.
• Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.
• Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.
• A statement that the complaining party has made a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
• A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Take Down: To the extent reasonably possible, Pittsburg State University will expeditiously remove and/or block access to material posted by a user upon notice of infringement of copyright provided to the Designated Agent by the United States Copyright Office.

Notice: If Pittsburg State University can reasonably discern the identity of the person responsible for the violation, that person will be promptly notified by the Designated Agent and will be provided with the following information:

• Name and address of the complaining party;
• Sufficient information to identify the copyrighted work or works; and
• A statement from the copyright owner that it has a good faith belief that there is no legal basis for the use of the materials complained of.

Put Back: If the individual receiving notice of improper use believes that the material in question is being used lawfully, a "counter notice" should be provided to the Designated Agent and Pittsburg State University will restore access within 14 days of the counter notice, unless the matter has been referred to a court. The Counter Notice must contain the following:

• The individual's name, address, phone number and signature;
• Identification of the material and its location before removal;
• A statement, under penalty of perjury, that the material was removed by mistake or misidentification on the part of the complainant; and
• Consent to local Federal court jurisdiction.

Privacy Rules: Under the DMCA, Pittsburg State University may be obligated to provide names of individuals using its online services upon the order of a Federal court. The University will safeguard the privacy of a user's identity on the Internet to the full extent of the law.

Circumvention of Protection Technologies: The DMCA prohibits the "circumvention" of any effective "technological protection measure" (e.g., a password or a form of encryption) used by a copyright holder to restrict access to its material.

Further Information: Questions about compliance with the DMCA at Pittsburg State University may be addressed to the Designated Agent listed above.

Pittsburg State University
Data Classification, Access and Information Protection Policy

Purpose
Data and information are important assets of Pittsburg State University (PSU) and must be protected
from loss of integrity, confidentiality, or availability in compliance with university policy and guidelines, Board of Regents policy, and state and federal laws and regulations.

Scope
This policy applies to all university colleges, departments, administrative units, and affiliated
organizations. For the purposes of this policy, affiliated organization refers to any organization that
uses university information technology resources to create, access, store, or manage University Data. For third party vendors who create, store, or maintain University Data per a contractual agreement, the agreement should include language specifying how, and to what extent the vendor is to comply with this policy.

Policy
All University Data must be classified according to the PSU Data Classification Schema. It must be
accessed with the appropriate level of permission according to PSU’s Roles and Responsibilities, and
protected according to PSU’s Security Standards. This policy applies to electronic data in all formats
and media.

Data Classification Schema
Data and information assets are classified according to the risks associated with data being stored or
processed. Data with the highest risk need the greatest level of protection to prevent compromise;
data with lower risk require proportionately less protection. Three levels of data classification will be
used to classify University Data based on how the data are used, its sensitivity to unauthorized
disclosure, and requirements imposed by external agencies. Unless otherwise indicated, Non-Public is
the default classification for data.

Level I Public (Low Sensitivity) – Data which are of interest to the general public and for which
there is no University business need or legal reason to limit access. Public data may be made
available to the general public in printed or electronic format. Anyone in the general public
may view these data using such public sources. Examples of public data include but are not
limited to:

• Campus directory data
• Course catalog
• PSU public web site
• Employee names
• Work addresses
• Work telephone numbers
• Press Releases

Level II Non-Public (Moderate Sensitivity) – Data held by the University for operational,
educational, and/or other purposes, which are not appropriate and/or readily available for
general public use. Non-public data will be available to authorized University employees for
inquiry/download only in support of the performance of their assigned roles/duties. Non-public
data may be released to individuals or groups outside of the University community only with
approval from the appropriate Data Steward, Records Custodian, or as required by law.
Examples of non-public data include but are not limited to:

• Records subject to disclosure under law including University business transactions
• Employee records not deemed public or confidential
• Student educational records not deemed public or confidential
• Financial accounting data that does not contain Confidential information

Level III Confidential (High Sensitivity) – Highly sensitive data intended for limited, specific use
by a workgroup, department, or individuals with a legitimate need-to-know. Explicit
authorization by the Data Steward is required for access because of legal, contractual, privacy
or other constraints. Examples of confidential data include but are not limited to:
 Personal Identity Information (PII) - An individual's name (first name and last name, or
first initial and last name) in combination with one or more of the following: a) Social
security number, b) driver's license number or state identification card number, or c)
financial account number, or credit or debit card number, alone or in combination with
any required security code, access code or password that would permit access to a
consumer's financial account.

• Social security number
• Passport number
• Credit card number
• Certain personnel records
• Certain student records
• Certain student financial assistance records
• Research data
• Intellectual property

Roles and Responsibilities
Everyone (employees, temporary employees, student employees, volunteers) with any level of access to University Data has the responsibility to protect that information from unauthorized access,
modification, destruction, or disclosure, whether accidental or intentional. The following roles have
specific responsibilities for protecting and managing University Data.

Any suspected loss, unauthorized access, or exposure of University Data classified as Non-Public or
Confidential must be immediately reported to the Information Security Officer, security@pittstate.edu
or 620-235-4657.

Electronic Record Retention Schedule
Pittsburg State University follows the State of Kansas record retention schedules. Schedules are
available at the following link under the heading "State General Schedule":
http://kshs.org/recmgmt/retention_schedule_entries/browse

State Resources in regard to record retention schedule language and definitions:
Government Records Preservation Act:
http://www.kslegislature.org/li/b2013_14/statute/045_000_0000_chapter/045_004_0000_article/045_004_0002_section/045_004_0002_k/

State Records Management Manual: http://www.kshs.org/p/state-records-anagementmanual/11365

Electronic Records Guidance: http://www.kshs.org/p/electronic-records/11334

Legal Hold
Retention procedures will be suspended when a record is placed on legal hold. A legal hold requires
preservation of appropriate records under special circumstances, such as litigation or government
investigations.

Records Management

1. University Data may reside in university records, be used to produce university records, or itself
   constitute university records.
2. University records need to be managed in accordance with approved records retention and
   disposition schedules consistent with University Archives records management policies and
   guidelines. Laws of the State of Kansas require that university records not be discarded or
   destroyed in advance of the authorized disposition date.

Data Classification Committee
Members must include at a minimum:

• Information Security Officer
• General Counsel
• Internal Auditor
• University Archivist
• Director of Institutional Research and Planning

Responsibilities

• Ensure that confidential data is identified
• Review the confidential data report from the Data Stewards
• Approve variances in the classification of data

University Data
University Data is information created, collected, maintained, transmitted, or recorded by or for the
university to conduct university business. It includes data used for planning, managing, operating,
controlling, or auditing university functions, operations, and mission.
________________________________________________________________________
Responsible Office: Office of Information Services
Revision Approved by Information Technology Council: 6/3/15
Revision Approved by President’s Council: 8/21/15
Original Effective Date: 8/21/15
Review Cycle: Annual

• Statement of User Responsibility:
  1. An authorized user must be currently enrolled in or employed by Pittsburg State University.
  2. PSU Computing Resources may be used in manners consistent with the appropriate usage definition given in Section II. An authorized user may utilize computer accounts created for general academic use or accounts which have been created specifically for him/her and to which he/she has been assigned ownership rights by the PSU Office of Information Services.
  3. System users are responsible for maintaining the secrecy of their account passwords. Suspected compromise of account passwords or unauthorized usage of user accounts should be reported to the supervisor of the appropriate laboratory or the director of the Information Technology Services.
• Valid Uses of Computer Resources and Examples of Misuse:
  1. Valid uses of computer resources include instructional or course activities and requirements, faculty research and professional services, and administrative support.
  2. Unauthorized copying, sending, or receiving of copyrighted files is strictly prohibited.
  3. It is a violation of Pittsburg State University policy to use the computer for promoting outside business interests. Computing resources shall not be used for private consulting or personal gain.
  4. It is in violation of Pittsburg State University policy to send unsolicited, annoying, or obscene messages or mail.
  5. It is inappropriate to examine, or attempt to examine, another computer user's files or mail without permission.
  6. Game playing on Pittsburg State University owned equipment is on a resource available basis. If another user needs resources for a valid use (see II A above) then the user playing a game must end the game and surrender said resources. This includes MUD's, MUCK's, Personal Computer games, etc.
  7. Fraudulent use of computer accounts, networks, mail services, or other resources is a serious violation. Kansas State Law (Section 21-3755) makes unauthorized access and interference with computer systems, computer data, and other computer users illegal.
• Possible Sanctions for Misuse:
  1. The Information Technology Services monitors the use of the computer system and will contact anyone discovered to be hindering normal operations. It is not appropriate to use any computer resources in ways that are detrimental to the normal operation of any computer system or its users.
  2. Upon detection of an alleged violation, the Information Technology Services will disable the account and turn all pertinent information over to the appropriate university, local, state, or federal authorities.

Illegal Peer to Peer File Sharing

Pittsburg State University maintains network services for students and employees in the University community to utilize in order to further the mission of the University.

PSU is required by Federal Law (H.R. 4137, Higher Education Opportunity Act - HEOA) to make an annual disclosure informing network users that illegal sharing, distribution, and/or downloading of copyrighted materials may lead to civil and/or criminal penalties.  Pittsburg State University takes the responsibility of following this law seriously.  Therefore, the following information is provided to help the PSU community avoid breaking this law.

Copyright protection subsists, in accordance with this title, in original works of authorship fixed in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device. Works of authorship include the following categories:

(1) literary works;

(2) musical works, including any accompanying words;

(3) dramatic works, including any accompanying music;

(4) pantomimes and choreographic works;

(5) pictorial, graphic, and sculptural works;

(6) motion pictures and other audiovisual works;

(7) sound recordings; and

(8) architectural works.

In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work.

Therefore illegal downloading, copying, distribution, or use of games, software, music, movies, or any other digital media is considered a violation of this law.

PSU uses a variety of tools to deter such activity on campus, including:

-Bandwidth management devices

-Switch management protocols

What are the consequences of Illegal Peer to Peer File Sharing?

-PSU penalties: Use of the University's online services will be terminated for anyone who violates the copyright provisions of the United States Code on the third notice of violation by the University.

-Federal penalties:

• Civil penalties of actual damages suffered by the copyright owner from the infringement, or
• Civil penalties of statutory damages of up to $30,000.
• Civil penalties for willful infringement of up to $150,000, and
• Criminal penalties for willful criminal infringement from 1 to 5 years of imprisonment and fines of up to $25,000 for a first offense.

There are a host of legal alternatives for downloading music, movies, software, and games.  Below you will find a variety of links that could be used for such downloads:

-iTunes - Movies, Music, Audio Books: www.apple.com/itunes/

-Amazon - Music, Audio Books: https://www.amazon.com/MP3-Music-Download/

-Rhapsody - Music by Yahoo: www.rhapsody.com

-Napster - Music by Best Buy: www.napster.com

-7 Digital - Music: us.7digital.com

-Last FM- Streaming music and video:  http://www.last.fm

-Pandora - Streaming Radio: www.pandora.com

-Netflix - Streaming Movies/TV: www.netflix.com

-Audible - Audio book downloads: www.audible.com

-Hulu - Television: www.hulu.com

-Many major Networks allow various programming to be streamed at no cost.

Department of Education website:

http://www2.ed.gov/policy/highered/leg/hea08/index.html

Govtracks.us website:

http://www.govtrack.us/congress/bill.xpd?bill=h110-4137

US Government Copyright website:

http://www.copyright.gov/title17

Pittsburg State University Copyright Policy:

Click Here

Policy Purpose:
The Pittsburg State University Information Technology (IT) Lifecycle Policy
was developed to ensure the security of campus data and of campus
network services, as well as provide for satisfactory and efficient client IT
experiences.

To ensure perspectives from various areas of campus, the policy was
developed by the IT Lifecycle Committee, which is made up of 10 diverse
campus stakeholders.

Information Technology Lifecycle Committee Purpose:
The IT Lifecycle Committee was formed at the request of the Information
Technology Counsel (ITC) to develop a policy that would guide those who
manage and purchase campus technology. The goal of the policy is to
ensure the security of campus data and of campus network services, as well
as provide for satisfactory and efficient client IT experiences. The IT
Lifecycles Committee reviews all submitted IT Lifecycle Exception requests.
Exceptions to the above policy are considered in isolated circumstances.
To request an exception please complete the IT Lifecycle Exception Form
and send it to ITLifecycleException@pittstate.edu for consideration.

Membership Structure of the IT Lifecycle Committee:

• 2- Academic Tech Representation
• Support Tech Representation
• Purchasing Officer Representation
• 2-Academic Chair Representation
• Library Representation
• IT Security Officer
• Help Desk and IT Training Representation
• Chief Information Officer

IT Lifecycles Policy:

End Of Life:

Recommended Best Practices:

• Hardware/Software Replacement Plan: It is recommended that all
University departments have a written plan for updating IT resources
(hardware, software, peripherals, etc.) and aligning those updates to
budgeted funds. (Note: Industry standards indicate that updating
computer hardware every 3-4 years is current industry best practice.)

• Waterfalling Hardware: After hardware is replaced with new
hardware. The old hardware should be considered for other uses as
well as for permanent disposal. Things to consider are the age,
performance, and efficiency of the hardware as well as the computer
technician to hardware ratio in your respective area.

• Peripheral Devices: It is often difficult, and not fiscally responsible, to
replace peripheral devices (printers, projectors, monitors, keyboards,
mice, etc) as often as computer hardware and software at EOL of the
product. It is recommended to consider the replacement and
maintenance of these items carefully. It may be more efficient to
allow older peripherals to remain in place until they no longer
function with a backup plan in place when/if the device no longer
functions.

• Bulk IT Purchases: It is recommended that departments plan for
purchasing carefully and pool large IT purchases at the same time to
ensure price breaks. The coordination of bulk IT purchasing takes
place through the Office of Information Services (OIS) in July,
December, and May of each fiscal year. Additional bulk purchasing
times can be arranged by contacting the Chief Information Officer.

Developed by the IT Lifecycle Policy Committee: April 19, 2017
Adopted by Information Technology Council: April 20, 2017
Approved by President’s Council: June 19, 2017
Policy is reviewed annually by The Information Technology Lifecycle Committee

Mr. BulkE

Mr. BulkE is a bulk email process that allows distribution of email messages to identifiable groups. Use it to send email notices to groups on campus with a few clicks of the keyboard. One word of caution, this system is not intended for the distribution of spam (junk email). Please use the system to enhance communication on campus and not bog it down. 

What is Mr. BulkE?
Mr. BulkE is a system that allows for the delivery of bulk email to large and small groups on campus. Mr. BulkE's advantages are that it:

1. uses dynamic lists that are maintained on the campus database so that the most timely and accurate information is processed,
2. provides easy posting of information to specific groups without maintaining local email lists,
3. assists in distributing information to the campus community while reducing paper usage and campus mail volume.

Currently Mr. BulkE is divided into several categories: Mr. BulkE Campus, Mr. BulkE Rosters, Mr. BulkE Majors/Minors, Mr. BulkE Schools, Mr. BulkE Advisees, and Mr. BulkE Special Groups.

Mr. BulkE Campus allows designated personnel in a department and other key staff to email messages to the campus at-large and groups identified below:

All Unclassified and Classified Employees

Unclassified - regular (includes temp, exempt, non-exempt & 12 month)
Unclassified - temp
Unclassified - exempt
Unclassified - non-exempt 
Unclassified - 12 month

Classified - regular (includes temp, exempt & non-exempt)
Classified - temp 
Classified - exempt 
Classified - non-exempt

Teaching Faculty
KNEA Unit 
Deans, Directors & Chairs
Deans, Directors, Chairs and Contact Person 
Timekeepers 
Deans, Directors and Chairs - President's Office
Deans, Directors and Chairs - Academic Affairs
Deans, Directors and Chairs - University Advancement
Deans, Directors and Chairs - Administration and Campus Life
Deans, Directors, Chairs, Contact Persons - President's Office
Deans, Directors, Chairs, Contact Persons - Academic Affairs
Deans, Directors, Chairs, Contact Persons - University Advancement
Deans, Directors, Chairs, Contact Persons - Administration and Campus Life

Mr. BulkE Rosters is an email delivery system that allows a faculty member to email students who are enrolled in one of that faculty member's classes. Faculty and other teaching staff can access Mr. BulkE Rosters via GUS. Each course they are teaching will be listed with links to each respective course roster. Students can be emailed individually or as a group.

Mr. BulkE Majors/Minors is a system that allows designated personnel in a department to contact all students in a given major or minor. This system is based on a student's declared major/minor and is maintained dynamically by the student information system for enrollment. Mr. BulkE Majors/Minor is available to vice-presidents, deans, major department chairs, and designated personnel in a department.

Mr. BulkE Schools is a system that allows designated personnel to contact all students in a given school.  This system is based on a student's declared major and is maintained dynamically by the student information system for enrollment.  Mr. BulkE Schools is available to vice-presidents, deans, department chairs and designated personnel in a department.

Mr. BulkE Advisees is an email delivery system that allows an advisor to email one or more of the currently enrolled students who are listed as advisees.  Mr. BulkE Advisees is available to chairs, advisors and designated personnel in the department.

Mr. BulkE Special Groups has a number of options, but is primarily used for self-selected lists of people (Mr. BulkE Savelists), special subgroups of campus students (i.e., all honors college students or all students living in university housing), and all currently enrolled students. Mr. BulkE Savelists is limited to select individuals who are able to create their own self-selected lists. Please contact ITS if you have a need for this type of service. Mr. BulkE for special subgroups is only available to the office or person who is directly in charge of that group (i.e., housing office for housing students). Mr. BulkE for all students is limited to these individuals: Administrative Specialist for the Registrar, Office of Associate VP for 
Campus Life, Director for Public Relations, Office of Enrollment Management and Student Success, Office of Provost and Academic VP, and Associate Director for Information Services.  If you have a need to email a special subgroup, please contact the person in charge of that group. If you have a need to email the entire enrolled student body, please contact one of the above listed persons.

What's the policy on using Mr. BulkE? 
Mr. BulkE is intended for the distribution of campus information and should be short and to the point.  Below are some examples of messages that Mr. BulkE is NOT intended to broadcast:

• birthday wishes
• going away parties
• personal health notices
• commercial advertisements
• rumors and gossip
• chain letters
• bake sales

Bounced Messages
Mr. BulkE messages are sometimes bounced. Bounces can occur for any number of reasons, including a bad email address, the receiving system being down, or the recipients inbox being full (quota problems). You might expect 5 - 10% of the emails sent via Mr. BulkE to students to bounce for some reason. This means that if you send out a Mr. BulkE to 1,000 currently enrolled students, you might expect to receive 50 to 100 bounces.  This number goes down when you are emailing faculty and staff, as the email addresses are more likely to be correct and quotas are less likely to be full. This number goes up when you are emailing prospective students, who, as yet, have not established a direct contact with PSU.

Receiving an excessive number of bounces may result in your own email account becoming "over quota", and as a result, other incoming messages to your account may not be received.  The email quota for individuals who send Mr. BulkE emails has been increased, but a large number of bounces could still be a problem.  In order to minimize this, please be sure to use the following suggestions:

• Only check the "Return bounced emails to me" box if you really do want to know from whom messages were bounced.
• Keep your groups small, especially if they include students who have had only minimal contact with the university.
• Keep your inbox clean by setting your email client to delete messages when pulled from the server.
• If you do not set your email client to delete messages when pulled from the server or if you use GorillaMail, delete the messages yourself, using the client, on a frequent basis.  This will result in the emails also being deleted from the server.

Email Addresses
Current university policies and procedures for changing and/or deleting regular mailing addresses should be used for email addresses.  These policies and procedures include:

1. Ask the person/student to correct the email or regular address themselves via the GUS system.
2. If that isn't possible, check with the following offices BEFORE making ANY changes:
   • Admissions for prospective students who have not been enrolled
   • Registrar for currently enrolled students or previously enrolled students
   • HRS for current staff and faculty
   • Purchasing for any vendor who has not been/is not a student or employee of the university
   • ITS for any others.  Please contact your Team Coordinator before changing or deleting any email address.

Helpful Suggestions
Mr. BulkE is best used for short messages. These messages may point to a web page which contains more detailed information if necessary.

Mr. BulkE messages can contain links to web pages and email (use the format http://xxxxx.xxx/xxx.html or and, replace the x's with a web page or email address).

Who can use Mr. BulkE? 
Mr. BulkE and Mr. BulkE Majors are designed for departmental contact people and other key information distribution points. Designated departmental contact people have access to Mr. BulkE through the GUS system. Mr. BulkE Rosters is designed for campus personnel teaching classes. Individual instructors have access to only those courses that they are currently teaching.

How do I use Mr. BulkE?
Mr. BulkE is available to approved individuals via the GUS system on the PSU homepage.

• Start your Web browser (Netscape) and click on GUS.
• Log into GUS with your ID and GusPIN.
• Select Miscellaneous Process Menu.
• Select the appropriate Mr. BulkE option. If it is not listed, call extension 4603.
• Fill out the information in Mr. BulkE.
  • Choose the group to which the message is to be sent. Note: you can preview the list of recipients.
  • Fill in the subject and message box. Information from other software can be cut and pasted into the box, but any special formatting will not be recognized.
  • If you, or someone not in the designated group, would like to receive a copy of the message you can enter the PSU ID or email address of that person.
  • If you would like to receive messages that bounce, make sure the check box marked "Send bounced emails to me" is checked.  If you would not like to receive the bounced messages, make sure the box is not checked.
• Submit it or Reset to start over. Mr. BulkE lists the intended group at the top of the message and identifies the sender.
• After submitting it, Mr. BulkE gives an option to print labels for those in the group who cannot receive email.

How can I reach all of the people on campus?
Since Mr. BulkE's intent is to reduce spam (electronic junk mail), users are encouraged to send messages only to the target group. If a message needs to be sent to the campus at-large, then we suggest:

• Send a Mr. BulkE message to all contact persons and request that they post or forward it to faculty and/or staff.
• Send a Mr. BulkE message once to the All Unclassified and Classified Employees.

Cautions
Please keep in mind that email is not guaranteed and receipt of messages may be delayed since the message could take some time to deliver.  Any time sensitive material should probably not be sent via Mr. BulkE or if sent, should be sent well ahead of the event.  DO NOT RELY ON MR. BULKE FOR EMERGENCY COMMUNICATIONS.

What happens if I abuse my Mr. BulkE privileges?
Your privileges may be revoked.

Multi-Factor Authentication Policy
(Definition in Addendum)

Purpose

The purpose of this policy is to define the use of multi-factor authentication (MFA) for accessing Pittsburg State University (PSU) computer systems containing sensitive data from both on and off campus. The standards set forth in this policy are intended to minimize potential security risks which may result from unauthorized use of PSU computing resources. MFA adds a layer of security which helps deter the use of compromised credentials.

Applies to

This policy applies to all PSU faculty, staff and affiliate users. Graduate assistants and student hourly employees may be required to use MFA based on job requirements.

This policy applies to any system that requires an additional layer of protection as determined by Information Technology Services (ITS) in collaboration with campus data stewards. Systems requiring multi-factor authentication include those supported by ITS as well as systems administered by non-centralized departmental IT staff. Systems requiring the use of MFA include, but are not limited to, virtual private network (VPN), systems utilizing Single Sign-On (SSO), PSU applications/systems that contain sensitive data, system administration tools, and privileged accounts.

Policy Statement

All users must use MFA to access PSU computing resources that require MFA. If users do not use MFA, they will not be able to access these computing resources.

ITS will regularly evaluate and prioritize applications requiring MFA, to enhance the protection of institutional data and personal information.

Consequences

Any individual who violates this policy may lose computer and/or network access privileges and may be subject to remediation and/or disciplinary action in accordance with and subject to appropriate University policy and procedures.

Responsible Office: Information Technology Services
Approved by Information Technology Council: 05.01.20
Approved by President’s Council: 05.15.20
Original Effective Date: TBD
Review Cycle: Annual

Multi-Factor Authentication Policy Addendum

The State of Kansas Defines Multi-Factor Authentication as follows:
A method of confirming a User’s claimed identity in which access is granted only after successfully presenting two or more different pieces of evidence (factors) to an authentication mechanism. Factors include knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

Networked Systems Policy

To provide maximum uninterrupted service, effective use and security of campus bandwidth and maximum availability of all network services the Information Technology Services (ITS) has established the following policy.

Definitions: Device - Any computer or telecommunications equipment. Service - Any program or software that is intended to publicly deliver and/or receive data from network users. PSU network - All connections on the PSU campus that connect to the administrative, academic, library or Internet services. This includes services on campus and via the KANREN Internet connection.

1. All devices and services connected to the PSU Network require ITS approval and installation certification (Network Number). This covers all network cards, hubs, servers, bridges, routers, etc.
   1. ITS will specify cable requirements and routes, network operating systems, and network software.
   2. ITS will provide network software parameters from ITS Bootp or DHCP server (i.e. IP addresses, domain names, subnet mask, gateway address, etc.).
   3. ITS will provide technical support to establish a network connection to network services.
   4. ITS will be granted, upon request, access to installed equipment for inspection and maintenance.
   5. ITS retains the right to disconnect from the PSU network any equipment or network which is deem to be involved in disruptive behavior (behavior which intentionally or unintentionally threatens the security, functionality or physical integrity of the PSU network including external networks and hosts).
   6. Networked devices are not allowed to monitor, capture or analyze general network traffic.
   7. Individuals using a network connection provided in University Housing must complete and abide by the University Housing agreement.
   8. Departments wishing to provide network services from their own equipment:
      1. May be responsible for additional cost required (i.e. bridging, routing, firewall, etc.).
      2. Will identify an administrator to manage the service.
         1. The administrator is responsible for the activity and security.
         2. The administrator must provide ITS with root access.
         3. The administrator must be a full-time employee of PSU.
2. Local Area Networks (LANs) with no servers or clients attached to the PSU network are exempt from Item 1 as described in the following - unless arrangements have been made with and approved by ITS.
   1. ITS will not provide support for stand-alone LANs.
   2. ITS will not install a second network card into an existing LAN connected system. Systems found to have a second card will be taken off of the PSU network.
   3. If any stand-alone LAN server, client or peripheral is requested to be placed on the PSU network all other servers, clients, and devices connected to it are subject to the above Item 1.

Questions regarding the meaning or interpretation of the provisions of this policy and subsequent binding agreements may be directed to University's Chief Information Officer.

Policy Name:  Password Policy

Policy Purpose:  The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password changes.

Scope:  The scope of this policy includes: 
1) All personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Pittsburg State University facility

2) All individuals who have access to the PSU network, and

3) All systems (where enforcement is possible) that store any non-public PSU information.

General Policy Provisions

Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help the University limit unauthorized or inappropriate access to various resources at PSU, including user-level accounts, web accounts, email accounts, screen saver protection, and local switch logins.

A poorly chosen password may result in the compromise of University systems, data, or network.  Therefore, ALL PSU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them.  Contractors, vendors, and affiliated organizations with access to University systems also are expected to observe these requirements.

A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources.  Information Technology Services (ITS) can require a more restrictive policy in protection of confidential data.      

Password Creation

Passwords created by users of University systems, and on systems where technology makes enforcement possible, must conform to the following guidelines:

• Must be different than the user’s login name or the reverse of the name and must avoid use of identifiable personal information (names of family or pets, birthdates, etc.)
• Must be a minimum of twelve (12) characters
• Must include digits (0-9)
• Must include both upper and lower case characters (a-z, A-Z)
• Must use a special character (for example,* & % $)

These provisions will be enforced electronically whenever possible.

Changing Passwords

• Passwords must be changed twice a year.
• Must be different from the previous twenty-four (24) passwords.
• The new password must differ from the old password by at least five (5) characters.
• All default passwords shall be changed to meet the current password requirements.  No default passwords shall remain in effect after the required initial usage.  Default passwords include passwords that are supplied with vendor hardware or software or passwords that are system generated.
• Unnecessary permissions for terminated employees/contractors are revoked in a timely manner.

Protecting Passwords

• Passwords should be treated as confidential University information.
• Passwords should never be written down or posted for reference.
• Passwords should not be included in email messages or other forms of electronic communication.
• Passwords should not be transmitted or electronically stored in clear text.

Sharing Passwords

• Sharing or allowing another person to use an individual account password is a violation of this policy, unless the other person is an information technology (IT) professional assisting the user with a technical problem.
• ITS approval is required prior to sharing a password with a vendor (approval may be granted on a one-time or continuing basis), and this vendor access may require implementing the appropriate technology infrastructure to accommodate the access (depending on the circumstance, and as determined by ITS).  Phone communications may be necessary with external information technology vendors.
• It is recommended that passwords be changed after allowing use as permitted in this section.

Group Accounts

Group accounts are ID’s and passwords that are shared between a specific group of people.  Group accounts are strongly discouraged and only allowed when other alternatives are not feasible.  When group accounts are necessary, then strong account protection is required.  The following ITS mandated protections apply:

• Group accounts must be pre-approved by ITS.  Please email ITSecurity@pittstate.edu to make your group account request.
• Group accounts will be audited regularly to ensure ownership is current, the account is still necessary, and account agreements are renewed.
• To prevent unauthorized access to a group account, the password must be changed every time there is a change in personnel.

Reporting Password Compromises

Suspected compromises of passwords must be reported immediately to the IT Security Officer, extension 4657, ITSecurity@pittsate.edu ; or the Gorilla Geeks, extension 4600, geeks@pittstate.edu.

The password in question should be changed immediately.

ITS Responsibilities

• ITS may require a more restrictive policy, such as stronger passwords, in some circumstances.
• ITS may perform password assessments on a periodic or random basis. If a password is guessed or cracked during one of these assessments, ITS will promptly notify the listed contact and require that the password be changed.

Consequences

Any individual who violates this policy may lose computer and/or network access privileges and may be subject to remediation and/or disciplinary action in accordance with and subject to appropriate University policy and procedures.   

Responsible Office: Information Technology Services

Approved by Information Technology Council:  November 19, 2019

Original Effective Date:  January 1, 2006

Review Cycle:  Annual 

Pittsburg State University

Acceptable Use Policy

Introduction

This policy outlines the expectations for the use of information technology resources at Pittsburg State University. This policy applies to faculty, staff, students, official university affiliates, and any other individuals who use University information technology resources.  Appropriate use should always be legal and ethical, reflect academic honesty and community standards, and show restraint in the consumption of shared resources. It should demonstrate respect for intellectual property; ownership of data; system security mechanisms; and individual’s rights to privacy, freedom of speech, and freedom from intimidation, and harassment.

User Responsibilities

Users of electronic systems have the following responsibilities:

1. Access to information resources is granted with the expectation that resources will be used in an ethical and lawful manner. Users will employ information technology resources consistent with the requirements of federal, state and local law and Kansas Research and Education Network (KanREN) policies. Users are responsible for using resources appropriately to maintain the integrity of the information technology resources, and where appropriate, the privacy, confidentiality, and/or security of the electronic information.
2. Individuals should not give out, loan, share, or otherwise allow anyone else to use the access privileges granted to them. Access to secured information resources is provided only with proper authorization.
3. Users are responsible for all activities that occur while using information resources assigned to them, and shall respect the intended use of these resources.
4. Users may not attempt to circumvent login procedures on any computer system or otherwise attempt to gain unauthorized access. This is not an acceptable use of information resources and may be a crime under federal, state or local law.
5. All users shall use information technology resources in a manner that does not in any way interfere with, compromise, or harm the performance, functionality, or integrity of the University’s information technology resources. This shall include the adherence to University standards regarding software updates and protections, data handling, and other policies and procedures enacted by the University.
6. Users will respect network capacity as a shared resource and therefore may not perform operations that degrade network performance for other users. Users may not send spam, chain letters, mail bombs, and or engage in other activities that infringe on the rights and/or productivity of other users.
7. Users should respect the rights of copyright owners and, when appropriate, obtain permission from owners before using or copying protected material, including but not limited to, music, movies, software, documents, images, or multimedia objects.

Please see:

• Illegal Peer to Peer File Sharing Information listed above.
• The Campus Internet Copyright Policy listed above.
• The Campus Policy on Duplicating Copyrighted Written Works as listed above.

8. Representing oneself as someone else, without previous written authorization, is not considered responsible use of information technology resources.
9. Users may not use electronic resources for activities that are illegal, threatening, and/or deliberately destructive.
10. No person, including any member of the IT Staff, is authorized to request a user’s password.

Please see: Password Policy (as listed above):

If you have questions please contact the OIS Gorilla Geeks Help Desk: Phone: 620.235.4600 Email: geeks@pittstate.edu

User Privacy

University information technology resources are state-owned and maintained. University users have a heightened responsibility to properly use information technology resources. Pittsburg State University supports a climate of trust and respect. Nonetheless, users should be aware that on occasion legitimate activities of technical staff may lead to situations where specific information could be reviewed as part of routine problem resolution procedures. The University, therefore, cannot guarantee the personal confidentiality, privacy, or security of data, email, or other information transmitted or stored on its network.  When University officials believe a user may be using information technology resources in a way that may violate University or Regents policies or local, state or federal law, or the user is engaged in activities inconsistent with the user’s University responsibilities, then technical staff may be requested to monitor the activities and inspect and record the files of such user(s) on their computers and networks, including word processing equipment, personal computers, workstations, mainframes, minicomputers, and associated peripherals and software.

User Abuse/Abuse of Policy

All users and units have the responsibility to report any discovered unauthorized access attempts or other improper usage of PSU information resources. If you observe, or have reported to you, a security or abuse problem with any University information resource, including violations of this policy, please email abuse@pittstate.edu and an administrative response to such incidents will be coordinated. In addition, you may utilize the following University Whistleblower Policy to report such incidents: https://www.pittstate.edu/president/policies/

Reports of all apparent IT policy violations will be forwarded by the PSU IT Security Officer to the CIO for disposition according to standard procedures and University policies on violation of policy.

Use of University information technology resources contrary to this policy, University policies, or applicable federal, state or local law is prohibited and may subject the user to disciplinary action including, but not limited to, suspension of the users access to the information technology resources. Users also should be aware of other possible consequences under University policies and federal, state, or local laws, particularly those related to computer crime and copyright violation. Additionally, students could be subject to disciplinary action under the Code of Student Rights and Responsibilities: https://studentlife.pittstate.edu/code-of-student-rights-and-responsiblities.html.

Policy Name: Virtual Private Network (VPN) Services.
Policy Purpose: This policy outlines the purpose and approved use of PSU VPN Services
Scope: This policy applies to all faculty, staff, and consultants using VPN Services at PSU.

General Policy Provisions
In an effort to increase the security of information technology (IT) systems at PSU, the
Information Technology Services (ITS) has limited access to some computing resources. The
VPN is designed to provide secure/encrypted access to computing resources on the PSU
network. It allows, among other things, a method to connect to PSU computing resources as if
the user were locally connected to the PSU network. This allows greater functionality and
security than other remote access techniques. Users should be aware that routing schemes,
network configurations, and security measures can be changed without notice by ITS or by the
user's internet service provider (ISP) that may affect the user's ability to do specific functions
with the VPN.

Use of the VPN service at PSU is a privilege, which comes with responsibilities for both
departments and users. All other policies covering the use of PSU computing resources by
authorized users are still in effect when they are accessed from remote locations, as are all
regulations (e.g., HIPAA and FERPA) which protect the confidentiality and integrity of
information entrusted to PSU's stewardship. Do not assume the confidentiality of information
traveling through the VPN.

VPN Accounts
•As with all PSU information technology resources, clients using VPN must follow the PSU
Acceptable Use Policy found at the following link.
•VPN access is for users (faculty, staff, and consultants) who need access to campus computing
resources that are not available from off campus networks.
• User accounts are created at the request of a departmental representative or the employee's
supervisor. The employee must read and accept the conditions of this policy before using the
VPN.
• VPN access for third parties (e.g., software consultants and support personnel) to support on
campus systems must be requested by a PSU employee. In addition, the third party must
complete and sign a nondisclosure agreement if required by PSU.
• VPN access can be terminated by a departmental representative, the employee's supervisor,
at the employee's request, or by ITS.

ITS Responsibilities
• VPN access to PSU computing resources will be set up and managed only by the ITS Network
and Systems group. No other department may implement VPN services.
• ITS reserves the right to monitor for unauthorized VPNs and disable access of those devices
performing non-sanctioned VPN service.
• All network activity during a VPN session is subject to PSU computing policies and may be
monitored for compliance.
• ITS will provide the VPN client software and instructions for installing the software.

User Responsibilities
• By using the VPN with personal equipment, users must understand that while they are
connected through VPN, their computers become an extension of the PSU network, and during
the time they are connected, must follow the same guidelines established for the use of PSU
owned equipment.
• Only VPN client software distributed by ITS may be used to connect to the PSU VPN.
Approved users can download the VPN client and installation instructions from GUS.
• Approved users are responsible for the installation of the VPN software.
• Users with VPN privileges must ensure that unauthorized people are not allowed access to
computing resources located on the PSU network.
• The VPN is configured not to allow the bridging of networks (split tunneling).
• All computers, including personal computers, connected to the PSU network via VPN or any
other technology must have:

1. up-to-date virus-scanning software with current virus definitions installed
2. all relevant security patches installed
3. available firewall enabled

Consequences: Failure to abide by the requirements of this policy and/or any procedures that
are developed to implement this policy may result in termination of the user's VPN privileges.

Responsible Office:
Information Technology Services

Updated By:
The Information Technology Council: October 20, 2017
Update Approved By The President’s Council: November 13, 2017

Approved by:
Information Technology Council: October 26, 2005
Signed by President Tom Bryant: January 26, 2006
Original Effective Date: January 26, 2006
Review Cycle: Annua