University of Colorado at Boulder    
Information Technology Services
 

IT Policies and Guidelines

The following IT policies govern the University of Colorado at Boulder:

Draft Policies

System:
University E-mail as Official Correspondence
 
Description
This policy states that university e-mail is an official means of correspondence used by the University to communicate with employees and affiliate fiscal staff and articulates the associated requirements and responsibilities.
Campus:
Available only for the CU-Boulder community. VPN required from off campus.
Allocation of Network Jacks
 
Description
This policy states that ITS will maintain one jack per physical location for an employee or student. Departments may request additional jacks, but the department unit head must determine if it is in the best interest of the campus.

System Administrative Policy Statements
Administrative Policy Statements provide system-wide guidance, procedures, and requirements. These policies are based on external and internal mandates, laws, and regulations. The policies are developed in the offices of the president and vice presidents.
Policies:
Background Checks for Security-Sensitive Positions and Officers and All Other Positions Hired in Tenured and Tenured-Track Positions
 
Description
This policy states that each campus will develop a process and guidelines for appropriate background checks for individuals who are hired into security-sensitive positions and for officers and individuals being hired in tenured and tenure-track faculty positions.
IT Resources User Responsibilities
 
Description
This policy covers general information (i.e. know the responsibilities; protect the privacy of others; do not store sensitive info except when specifically needed for business purposes; keep clear desk/computer screen; protect workstations and computing devices; protect passwords, ID cards, other access devices; report security violations, malfunctions, and weaknesses; and utilize University information and IT resources for authorized purposes only.)
IT Security in University Operations, Continuity, and Contracting
 
Description
This policy outlines the responsibilities of Organizational Units in maintaining and submitting IT inventory, business continuity, and disaster preparedness plans; ensuring that RFPs include adequate safeguards to protect University information; and communicating issues of risk to campus authorities with appropriate jurisdiction over those affected by the risks.
 

Procedure: Information Classification

 
Description
This procedure provides a classification scheme for sensitive and critical information.
IT Security in Personnel Job Descriptions, Responsibilities & Training
 
Description
This policy outlines the responsibilities of personnel supervising authorities to adequately communicate, train, and document IT responsibilities, as well as to communicate any employment status changes in a timely manner to ITS or another appropriate IT service center.
 

Procedure: Security Training, Standards and Core Topics

 
Description
This procedure outlines basic IT training requirements: e.g., training is either provided before, or at the time personnel are given access to University information and IT resources; regular refresher IT training is provided; provide access to IT security awareness and educational materials.
IT Security Program Policy
 
Description
This policy establishes roles, responsibilities (e.g. training), and functions for IT security.
 

Procedure: IT Security Program Personnel and Contact Information

 
Description
This procedure provides specific contact information for IT personnel with primary responsibility for IT security.
IT Service Provider Security
 
Description
This policy states that IT security safeguards must be taken by every IT service provider. IT service providers must be aware that purchases of IT goods and services may be subject to a security review by the campus IT security principal or a designated campus authority.
Providing and Using IT
 
Description
This policy covers copyright and outlines general policies needed for the three campuses (i.e. development of user rights and privileges, management of IT resources, creation and enforcement of provisioning, procedures for ensuring comprehensive dissemination of IT policies and procedures, procedures for reporting violations, administrative processes and sanctions to be applied in the event of a violation of campus or university policy).
Personal Technology and Telecommunications
 
Description
This policy outlines the requirements and responsibilities for allowing expenses for wireless communications for employees and non-employees. Also outlined are the reimbursement restrictions and rates.
Retention of University Records
 
Description
This policy explains what a university record is, how to access it, and proper disposal.
 

Procedure: Record Retention Schedule

 
Description
This procedure references each record and the retention period.
Use of Electronic Mail
 
Description
This policy states that email isn’t to be regarded as a secure medium for the communication of sensitive or confidential information or be considered private. Email may be considered a public record and subject to public inspection under Colorado's Public Records Act, C.R.S. 24-72-203. Email may be disclosed without permission of the user.
Campus-wide IT Policies
Policies:
Security of IT Resources Through Authentication, Registration, and Routing Procedures for Email Servers
 
Description
This policy states that all email servers must route traffic through the central campus email router and SPAM/Virus gateway; be registered on an annual basis; and authenticate as outlined in the UCB Minimum Security Standards.
Access and Authorization
 
Description
This policy outlines password requirements and controls for all ITS systems. It also provides requirements for critical data and needed levels of authentication based on risk.
Copyright Reference Page
 
Description
This website provides extensive information regarding fair use and copyright laws for students, faculty, and staff. This site is not intended to provide legal advice, but rather inform the university audience about copyright issues.
Network Security Policy
 
Description
ITS will control network traffic access (i.e. intra-campus, inbound, outbound, and DSL service). All network services must have registered IP addresses.
Privacy Statement
 
Description
The University of Colorado collects the least amount of personally identifiable information necessary to fulfill its required duties and responsibilities as required by law. The State of Colorado requires that all public records be open for public inspection. “Public Records” are defined as all writings made or maintained by a state institution regardless of medium or format. The Family Education Rights and Privacy Act (FERPA) prohibits the release of students’ educational records except in specific instances outlined in FERPA.
UCB Security Standards for Networked Devices
 
Description
The Campus IT Security Officer shall establish standards for networked devices.
Use of CU-Boulder's Computing and Network Resources
 
Description
This policy covers items such as keeping passwords secure and respecting the integrity of resources, as well as behavior that is not appropriate: do not monitor or eavesdrop; do not use networking and computing resources for commercial use, political campaigning, harassment, violating copyright, or invading privacy. It also articulates the importance of not transmitting sensitive/confidential information unless security matches appropriately.
 

Guidelines for Computer Users on CU-Boulder Campus

 
Description
These guidelines outline helpful information about how to maintain a secure password, use resources ethically, and handle data appropriately. It also outlines what is prohibited: don’t harass, don’t use for commercial purposes; don’t use for political campaigns; and comply with copyright. Finally it covers the importance of understanding the limitation of privacy and knowing your IT responsibilities.
 

Guidelines for Bulk Email

 
Description
Coming soon.
Use of Faculty/Staff Electronic Memo System
 
Description
This website provides helpful information regarding the four categories of the ememo service, outlines the procedures and provides pricing and contact information.
Web Publishing Policies
 
Description
This comprehensive website outlines laws and requirements for any webpages within the www.colorado.edu domain or webpages prepared for any organization receiving university funds, excluding agency affiliates or any faculty, staff, and student pages on servers connected to the campus network. Categories include: use of university name, seal, and marks, accessibility, hosting, fundraising, advertising, sponsorship, and partnerships, etc.
  Web Identity Standards
 
Description
Information regarding design templates, required elements, custom designs and reserved designs is provided.
Wireless Deployment and Management Policy
 
Description
ITS will be responsible for the deployment and management of 802.11 and related wireless access points on campus. No other departments may deploy 802.11 without coordination with ITS.
ITS Service Specific Recommendations and Standards
ITS Recommendations and Standards:
2007 Minimum Security Standards
 
Description
Devices connected to the CU-Boulder electronic communications network must comply with the minimum standards for security set by the Campus IT Security Officer.
Computing Recommendation for Faculty, Staff, and Students
 
Description
Coming soon.
CU-Boulder Private Data Security Requirements
 
Description
Standards for systems containing private data. Private data is data whose disclosure to unauthorized persons would be a violation of federal or state laws or University contracts. Examples include, but are not limited to, credit card information, social security numbers, or associated personally identifiable information.
CU-Boulder Restricted Data Security Requirements
 
Description
Standards for systems containing restricted data. Restricted data is defined as data which, if disclosed without authorization, could cause harm or embarrassment to the University or its faculty, students, or staff. It also covers data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. An example includes, but is not limited to, personnel information.
Minimum Security Standards Implementation Guide for CSR's & System Administrators
 
Description
Coming soon.
Definitions: Types of Data: Private and Restricted
 
Description
Coming soon.
ITS Service Expectations:
Desktop Support (BugBusters)
 
Description
Coming soon.
CULearn Service
 
Description
Coming soon.
ITS-Supported Hardware and Software
 
Description
Coming soon.
Service Expectation for ITS-Supported Labs
 
Description
Coming soon.
  Procedure: Software Additions/Modifications to ITS-supported Labs
 
Description
Coming soon.
  Procedure: Reporting Computer Lab Problems
 
Description
Coming soon.
Telephone and Long Distance Service
 
Description
Coming soon.
ITS Unix Account Allocation
 
Description
Coming soon.
Alphabetical List
All Policies:
2007 Minimum Security Standards
 
Description
Devices connected to the CU-Boulder electronic communications network must comply with the minimum standards for security set by the Campus IT Security Officer.
Access and Authorization
 
Description
This policy outlines password requirements and controls for all ITS systems. It also provides requirements for critical data and needed levels of authentication based on risk.
Allocation of Network Jacks
 
Description
This policy states that ITS will maintain one jack per physical location for an employee or student. Departments may request additional jacks, but the department unit head must determine if it is in the best interest of the campus.
Background Checks for Security-Sensitive Positions and Officers and All Other Positions Hired in Tenured and Tenured-Track Positions
 
Description
This policy states that each campus will develop a process and guidelines for appropriate background checks for individuals who are hired into security-sensitive positions and for officers and individuals being hired in tenured and tenure-track faculty positions.
Computing Recommendation for Faculty, Staff, and Students
 
Description
Coming soon.
Copyright Reference Page
 
Description
This website provides extensive information regarding fair use and copyright laws for students, faculty, and staff. This site is not intended to provide legal advice, but rather inform the university audience about copyright issues.
CU-Boulder Private Data Security Requirements
 
Description
Standards for systems containing private data. Private data is data whose disclosure to unauthorized persons would be a violation of federal or state laws or University contracts. Examples include, but are not limited to, credit card information, social security numbers, or associated personally identifiable information.
CU-Boulder Restricted Data Security Requirements
 
Description
Standards for systems containing restricted data. Restricted data is defined as data which, if disclosed without authorization, could cause harm or embarrassment to the University or its faculty, students, or staff. It also covers data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. An example includes, but is not limited to, personnel information.
CULearn Service
 
Description
Coming soon.
Desktop Support (BugBusters)
 
Description
Coming soon.
IT Resources User Responsibilities
 
Description
This policy covers general information (i.e. know the responsibilities; protect the privacy of others; do not store sensitive info except when specifically needed for business purposes; keep clear desk/computer screen; protect workstations and computing devices; protect passwords, ID cards, other access devices; report security violations, malfunctions, and weaknesses; and utilize University information and IT resources for authorized purposes only.)
IT Security in Personnel Job Descriptions, Responsibilities & Training
 
Description
This policy outlines the responsibilities of personnel supervising authorities to adequately communicate, train, and document IT responsibilities, as well as to communicate any employment status changes in a timely manner to ITS or another appropriate IT service center.
 

Procedure: Security Training, Standards and Core Topics

 
Description
This procedure outlines basic IT training requirements: e.g., training is either provided before, or at the time personnel are given access to University information and IT resources; regular refresher IT training is provided; provide access to IT security awareness and educational materials.
IT Security Program Policy
 
Description
This policy establishes roles, responsibilities (e.g. training), and functions for IT security.
 

Procedure: IT Security Program Personnel and Contact Information

 
Description
This procedure provides specific contact information for IT personnel with primary responsibility for IT security.
IT Security in University Operations, Continuity, and Contracting
 
Description
This policy outlines the responsibilities of Organizational Units in maintaining and submitting IT inventory, business continuity, and disaster preparedness plans; ensuring that RFPs include adequate safeguards to protect University information; and communicating issues of risk to campus authorities with appropriate jurisdiction over those affected by the risks.
 

Procedure: Information Classification

 
Description
This procedure provides a classification scheme for sensitive and critical information.
IT Service Provider Security
 
Description
This policy states that IT security safeguards must be taken by every IT service provider. IT service providers must be aware that purchases of IT goods and services may be subject to a security review by the campus IT security principal or a designated campus authority.
ITS Unix Account Allocation
 
Description
Coming soon.
ITS-Supported Hardware and Software
 
Description
Coming soon.
Minimum Security Standards Implementation Guide for CSR's & System Administrators
 
Description
Coming soon.
  Definitions: Types of Data: Private and Restricted
 
Description
Coming soon.
Network Security Policy
 
Description
ITS will control network traffic access (i.e. intra-campus, inbound, outbound, and DSL service). All network services must have registered IP addresses.
Personal Technology & Telecommunications
 
Description
This policy outlines the requirements and responsibilities for allowing expenses for wireless communications for employees and non-employees. Also outlined are the reimbursement restrictions and rates.
Privacy Statement
 
Description
The University of Colorado collects the least amount of personally identifiable information necessary to fulfill its required duties and responsibilities as required by law. The State of Colorado requires that all public records be open for public inspection. “Public Records” are defined as all writings made or maintained by a state institution regardless of medium or format. The Family Education Rights and Privacy Act (FERPA) prohibits the release of students’ educational records except in specific instances outlined in FERPA.
Providing and Using IT
 
Description
This policy covers copyright and outlines general policies needed for the three campuses (i.e. development of user rights and privileges, management of IT resources, creation and enforcement of provisioning, procedures for ensuring comprehensive dissemination of IT policies and procedures, procedures for reporting violations, administrative processes and sanctions to be applied in the event of a violation of campus or university policy).
Retention of University Records
 
Description
This policy explains what a university record is, how to access it, and proper disposal.
 

Procedure: Record Retention Schedule

 
Description
This procedure references each record and the retention period.
Security of IT Resources Through Authentication, Registration, and Routing Procedures for Email Servers
 
Description
This policy states that all email servers must route traffic through the central campus email router and SPAM/Virus gateway; be registered on an annual basis; and authenticate as outlined in the UCB Minimum Security Standards.
Service Expectations for All ITS-Supported Labs
 
Description
Coming soon.
  Procedure: Software Additions/Modifications to ITS-supported Labs
 
Description
Coming soon.
  Procedure: Reporting Computer Lab Problems
 
Description
Coming soon.
Telephone and Long Distance Service
 
Description
Coming soon.
UCB Security Standards for Networked Devices
 
Description
The Campus IT Security Officer shall establish standards for networked devices.
University E-mail as Official Correspondence
 
Description
This policy states that university e-mail is an official means of correspondence used by the University to communicate with employees and affiliate fiscal staff and articulates the associated requirements and responsibilities.
Use of CU-Boulder's Computing and Network Resources
 
Description
This policy covers items such as keeping passwords secure and respecting the integrity of resources, as well as behavior that is not appropriate: do not monitor or eavesdrop; do not use networking and computing resources for commercial use, political campaigning, harassment, violating copyright, or invading privacy. It also articulates the importance of not transmitting sensitive/confidential information unless security matches appropriately.
 

Guidelines for Computer Users on CU-Boulder Campus

 
Description
These guidelines outline helpful information about how to maintain a secure password, use resources ethically, and handle data appropriately. It also outlines what is prohibited: don’t harass, don’t use for commercial purposes; don’t use for political campaigns; and comply with copyright. Finally it covers the importance of understanding the limitation of privacy and knowing your IT responsibilities.
 

Guidelines for Bulk Email

 
Description
Coming soon.
Use of Electronic Mail
 
Description
This policy states that email isn’t to be regarded as a secure medium for the communication of sensitive or confidential information or be considered private. Email may be considered a public record and subject to public inspection under Colorado's Public Records Act, C.R.S. 24-72-203. Email may be disclosed without permission of the user.
Use of Faculty/Staff Electronic Memo System
 
Description
This website provides helpful information regarding the four categories of the ememo service, outlines the procedures and provides pricing and contact information.
Web Publishing Policies
 
Description
This comprehensive website outlines laws and requirements for any webpages within the www.colorado.edu domain or webpages prepared for any organization receiving university funds, excluding agency affiliates or any faculty, staff, and student pages on servers connected to the campus network. Categories include: use of university name, seal, and marks, accessibility, hosting, fundraising, advertising, sponsorship, and partnerships, etc.
  Web Identity Standards
 
Description
Information regarding design templates, required elements, custom designs and reserved designs is provided.
Wireless Deployment and Management Policy
 
Description
ITS will be responsible for the deployment and management of 802.11 and related wireless access points on campus. No other departments may deploy 802.11 without coordination with ITS.
Retired Policies
Policies:

University of Colorado Legal Counsel’s Quarterly Newsletter

This website addresses various legal issues University faculty and staff could encounter in the course of business at the University. Topics include recent relevant court cases, changes in state or federal law and applications of University policies and rules.

Reporting Misuse

To report misuse or lodge a complaint against a user on the colorado.edu system, visit the Reporting Abuse and Harassment Guidelines web page.

About IT Policies and Guidelines

Questions and concerns regarding any policy may be addressed to the IT planning and policy office at 303-735-5225 or itpolicies@colorado.edu.

Get Help

IT Service Center
303-735-4357 (5-HELP from an on-campus phone)
help@colorado.edu

 

 

Last reviewed: April 30, 2008

© 2000
The Regents of the University of Colorado