University of Colorado at Boulder    
 

IT Policies and Guidelines

The following IT policies govern the University of Colorado at Boulder:

Draft Policies

System:
University E-mail as Official Correspondence
 
Description
This policy states that university e-mail is an official means of correspondence used by the University to communicate with employees and affiliate fiscal staff and articulates the associated requirements and responsibilities.
Electronic Signatures and Records
 
Description
This policy establishes when an electronic signature may replace a written signature and when an electronic record may replace a paper document in official University business.
  Procedure: Electronic Signatures in Loan Transactions
 
Description
This procedure establishes the requirements for electronic signatures in electronic loan transactions. A loan transaction means a transaction where a borrower is required to sign one of the following:
  • A promissory note or loan application
  • A forbearance agreement
  • A request and sworn statement to discharge a loan
  • A new repayment agreement
  • A request to cancel a loan
  • A request for a deferment on a loan
Campus:
    Available only for the CU-Boulder community. VPN required from off campus.
    Allocation of Network Jacks
     
    Description
    This policy states that ITS will maintain one jack per physical location for an employee or student. Departments may request additional jacks, but the department unit head must determine if it is in the best interest of the campus.

    System Administrative Policy Statements
    Administrative Policy Statements provide system-wide guidance, procedures, and requirements. These policies are based on external and internal mandates, laws, and regulations. The policies are developed in the offices of the president and vice presidents.
    Policies:
    Background Checks for Security-Sensitive Positions and Officers and All Other Positions Hired in Tenured and Tenured-Track Positions
     
    Description
    This policy states that each campus will develop a process and guidelines for appropriate background checks for individuals who are hired into security-sensitive positions and for officers and individuals being hired in tenured and tenure-track faculty positions.
    IT Resources User Responsibilities
     
    Description
    This policy covers general information (i.e. know the responsibilities; protect the privacy of others; do not store sensitive info except when specifically needed for business purposes; keep clear desk/computer screen; protect workstations and computing devices; protect passwords, ID cards, other access devices; report security violations, malfunctions, and weaknesses; and utilize University information and IT resources for authorized purposes only).
    IT Security in University Operations, Continuity, and Contracting
     
    Description
    This policy outlines responsibilities of Organizational Units in maintaining and submitting IT inventory, business continuity, and disaster preparedness plans; ensuring that RFPs include adequate safeguards to protect University information; and communicating issues of risk to campus authorities with appropriate jurisdiction over those affected by the risks.
     

    Procedure: Information Classification

     
    Description
    This procedure provides a classification scheme for sensitive and critical information.
    IT Security in Personnel Job Descriptions, Responsibilities & Training
     
    Description
    This policy outlines responsibilities of personnel supervising authorities to adequately communicate, train, and document IT responsibilities, as well as to communicate any employment status changes in a timely manner to ITS or other appropriate IT service center.
     

    Procedure: Security Training, Standards and Core Topics

     
    Description
    This procedure outlines basic IT training requirements: e.g., training is provided either before or at the time personnel are given access to University information and IT resources; regular refresher IT training is provided; and access to IT security awareness and educational materials is provided.
    IT Security Program Policy
     
    Description
    This policy establishes roles, responsibilities (e.g. training), and functions for IT security.
     

    Procedure: IT Security Program Personnel and Contact Information

     
    Description
    This procedure provides specific contact information for IT personnel with primary responsibility for IT security.
    IT Service Provider Security
     
    Description
    This policy states that IT security safeguards must be taken by every IT service provider. IT service providers must be aware that purchases of IT goods and services may be subject to a security review by the campus IT security principal or a designated campus authority.
    Providing and Using IT
     
    Description
    This policy covers copyright and outlines general policies needed for the three campuses (i.e. development of user rights and privileges, management of IT resources, creation and enforcement of provisioning, procedures for ensuring comprehensive dissemination of IT policies and procedures, procedures for reporting violations, administrative processes and sanctions to be applied in the event of a violation of campus or university policy).
    Personal Technology and Telecommunications
     
    Description
    This policy outlines the requirements and responsibilities for allowing expenses for wireless communications for employees and non-employees. Also outlined are the reimbursement restrictions and rates.
    Retention of University Records
     
    Description
    This policy explains what a university record is, how to access it, and proper disposal.
     

    Procedure: Record Retention Schedule

     
    Description
    This procedure references each record and the retention period.
    Use of Electronic Mail
     
    Description
    This policy states that email isn’t to be regarded as a secure medium for the communication of sensitive or confidential information or be considered private. Email may be considered a public record and subject to public inspection under Colorado's Public Records Act, C.R.S. 24-72-203. Email may be disclosed without permission of the user.
    Campus-wide IT Policies
    Policies:
    Security of IT Resources Through Authentication, Registration, and Routing Procedures for Email Servers
     
    Description
    This policy states that all email servers must route traffic through the central campus email router and SPAM/Virus gateway; be registered on an annual basis; and authenticate as outlined in the UCB Minimum Security Standards.
    Access and Authorization
     
    Description
    This policy outlines password requirements and controls for all ITS systems. It also provides requirements for critical data and needed levels of authentication based on risk.
    Copyright Reference Page
     
    Description
    This website provides extensive information regarding fair use and copyright laws for students, faculty, and staff. This site is not intended to provide legal advice, but rather inform the university audience about copyright issues.
    Network Security Policy
     
    Description
    ITS will control network traffic access (i.e. intra-campus, inbound, outbound, and DSL service). All network services must have registered IP addresses.
    Privacy Statement
     
    Description
    The University of Colorado collects the least amount of personally identifiable information necessary to fulfill its required duties and responsibilities as required by law. The State of Colorado requires that all public records be open for public inspection. “Public Records” are defined as all writings made or maintained by a state institution regardless of medium or format. The Family Education Rights and Privacy Act (FERPA) prohibits the release of students’ educational records except in specific instances outlined in FERPA.
    UCB Security Standards for Networked Devices
     
    Description
    The Campus IT Security Officer shall establish standards for networked devices.
    Use of CU-Boulder's Computing and Network Resources
     
    Description
    This policy covers items such as keeping passwords secure and respecting the integrity of resources, as well as behavior that is not appropriate: monitoring or eavesdropping; using networking and computing resources for commercial use, political campaigning, or harassment; violating copyright; or invading privacy. It articulates the importance of not transmitting sensitive/confidential information unless security matches appropriately.
     

    Guidelines for Computer Users on CU-Boulder Campus

     
    Description
    These guidelines outline helpful information about how to maintain a secure password, use resources ethically, and handle data appropriately. They also outline what is prohibited: don’t harass; don’t use for commercial purposes; don’t use for political campaigns; and comply with copyright. Finally, they cover the importance of understanding the limitation of privacy and knowing your IT responsibilities.
     

    Guidelines for Bulk Email

     
    Description
    Coming soon.
    Use of Faculty/Staff Electronic Memo System
     
    Description
    This website provides helpful information regarding the four categories of the ememo service, outlines the procedures and provides pricing and contact information.
    Web Publishing Policies
     
    Description
    This comprehensive website outlines laws and requirements for any webpages within the www.colorado.edu domain or webpages prepared for any organization receiving university funds, excluding agency affiliates or any faculty, staff, and student pages on servers connected to the campus network. Categories include: use of university name, seal, and marks, accessibility, hosting, fundraising, advertising, sponsorship, and partnerships, etc.
      Web Identity Standards
     
    Description
    Information regarding design templates, required elements, custom designs and reserved designs is provided.
    Wireless Deployment and Management Policy
     
    Description
    ITS will be responsible for the deployment and management of 802.11 and related wireless access points on campus. No other departments may deploy 802.11 without coordination with ITS.
    ITS Service Specific Recommendations and Standards
    ITS Recommendations and Standards:
    2007 Minimum Security Standards
     
    Description
    Devices connected to the CU-Boulder electronic communications network must comply with the minimum standards for security set by the Campus IT Security Officer.
    Computing Recommendation for Faculty, Staff, and Students
     
    Description
    Coming soon.
    CU-Boulder Private Data Security Requirements
     
    Description
    Standards for systems containing private data: data whose disclosure to unauthorized persons would be a violation of federal or state laws or University contracts. Examples include, but are not limited to, credit card information, social security numbers, or associated personally identifiable information.
    CU-Boulder Restricted Data Security Requirements
     
    Description
    Standards for systems containing restricted data. Restricted data is defined as data which, if disclosed without authorization, could cause harm or embarrassment to the University or its faculty, students, or staff; it also covers data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. Examples include, but are not limited to, personnel information.
    Minimum Security Standards Implementation Guide for CSR's & System Administrators
     
    Description
    Coming soon.
    Definitions: Types of Data: Private and Restricted
     
    Description
    Coming soon.
    ITS Service Expectations:
    Desktop Support (BugBusters)
     
    Description
    Coming soon.
    CULearn Service
     
    Description
    Coming soon.
    ITS-Supported Hardware and Software
     
    Description
    Coming soon.
    Service Expectation for ITS-Supported Labs
     
    Description
    Coming soon.
      Procedure: Software Additions/Modifications to ITS-supported Labs
     
    Description
    Coming soon.
      Procedure: Reporting Computer Lab Problems
     
    Description
    Coming soon.
    Telephone and Long Distance Service
     
    Description
    Coming soon.
    ITS Unix Account Allocation
     
    Description
    Coming soon.
    Alphabetical List
    All Policies:
    2007 Minimum Security Standards
     
    Description
    Devices connected to the CU-Boulder electronic communications network must comply with the minimum standards for security set by the Campus IT Security Officer.
    Access and Authorization
     
    Description
    This policy outlines password requirements and controls for all ITS systems. It also provides requirements for critical data and needed levels of authentication based on risk.
    Allocation of Network Jacks
     
    Description
    This policy states that ITS will maintain one jack per physical location for an employee or student. Departments may request additional jacks, but the department unit head must determine if it is in the best interest of the campus.
    Background Checks for Security-Sensitive Positions and Officers and All Other Positions Hired in Tenured and Tenured-Track Positions
     
    Description
    This policy states that each campus will develop a process and guidelines for appropriate background checks for individuals who are hired into security-sensitive positions and for officers and individuals being hired in tenured and tenure-track faculty positions.
    Computing Recommendation for Faculty, Staff, and Students
     
    Description
    Coming soon.
    Copyright Reference Page
     
    Description
    This website provides extensive information regarding fair use and copyright laws for students, faculty, and staff. This site is not intended to provide legal advice, but rather inform the university audience about copyright issues.
    CU-Boulder Private Data Security Requirements
     
    Description
    Standards for systems containing private data: data whose disclosure to unauthorized persons would be a violation of federal or state laws or University contracts. Examples include, but are not limited to, credit card information, social security numbers, or associated personally identifiable information.
    CU-Boulder Restricted Data Security Requirements
     
    Description
    Standards for systems containing restricted data. Restricted data is defined as data which, if disclosed without authorization, could cause harm or embarrassment to the University or its faculty, students, or staff; it also covers data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. Examples include, but are not limited to, personnel information.
    CULearn Service
     
    Description
    Coming soon.
    Desktop Support (BugBusters)
     
    Description
    Coming soon.
    Electronic Signatures and Records
     
    Description
    This policy establishes when an electronic signature may replace a written signature and when an electronic record may replace a paper document in official University business.
      Procedure: Electronic Signatures in Loan Transactions
     
    Description
    This procedure establishes the requirements for electronic signatures in electronic loan transactions. A loan transaction means a transaction where a borrower is required to sign one of the following:
  • A promissory note or loan application
  • A forbearance agreement
  • A request and sworn statement to discharge a loan
  • A new repayment agreement
  • A request to cancel a loan
  • A request for a deferment on a loan
    IT Resources User Responsibilities
     
    Description
    This policy covers general information (i.e. know the responsibilities; protect the privacy of others; do not store sensitive info except when specifically needed for business purposes; keep clear desk/computer screen; protect workstations and computing devices; protect passwords, ID cards, other access devices; report security violations, malfunctions, and weaknesses; and utilize University information and IT resources for authorized purposes only).
    IT Security in Personnel Job Descriptions, Responsibilities & Training
     
    Description
    This policy outlines responsibilities of personnel supervising authorities to adequately communicate, train, and document IT responsibilities, as well as to communicate any employment status changes in a timely manner to ITS or other appropriate IT service center.
     

    Procedure: Security Training, Standards and Core Topics

     
    Description
    This procedure outlines basic IT training requirements: e.g., training is provided either before or at the time personnel are given access to University information and IT resources; regular refresher IT training is provided; and access to IT security awareness and educational materials is provided.
    IT Security Program Policy
     
    Description
    This policy establishes roles, responsibilities (e.g. training), and functions for IT security.
     

    Procedure: IT Security Program Personnel and Contact Information

     
    Description
    This procedure provides specific contact information for IT personnel with primary responsibility for IT security.
    IT Security in University Operations, Continuity, and Contracting
     
    Description
    This policy outlines responsibilities of Organizational Units in maintaining and submitting IT inventory, business continuity, and disaster preparedness plans; ensuring that RFPs include adequate safeguards to protect University information; and communicating issues of risk to campus authorities with appropriate jurisdiction over those affected by the risks.
     

    Procedure: Information Classification

     
    Description
    This procedure provides a classification scheme for sensitive and critical information.
    IT Service Provider Security
     
    Description
    This policy states that IT security safeguards must be taken by every IT service provider. IT service providers must be aware that purchases of IT goods and services may be subject to a security review by the campus IT security principal or a designated campus authority.
    ITS Unix Account Allocation
     
    Description
    Coming soon.
    ITS-Supported Hardware and Software
     
    Description
    Coming soon.
    Minimum Security Standards Implementation Guide for CSR's & System Administrators
     
    Description
    Coming soon.
      Definitions: Types of Data: Private and Restricted
     
    Description
    Coming soon.
    Network Security Policy
     
    Description
    ITS will control network traffic access (i.e. intra-campus, inbound, outbound, and DSL service). All network services must have registered IP addresses.
    Personal Technology & Telecommunications
     
    Description
    This policy outlines the requirements and responsibilities for allowing expenses for wireless communications for employees and non-employees. Also outlined are the reimbursement restrictions and rates.
    Privacy Statement
     
    Description
    The University of Colorado collects the least amount of personally identifiable information necessary to fulfill its required duties and responsibilities as required by law. The State of Colorado requires that all public records be open for public inspection. “Public Records” are defined as all writings made or maintained by a state institution regardless of medium or format. The Family Education Rights and Privacy Act (FERPA) prohibits the release of students’ educational records except in specific instances outlined in FERPA.
    Providing and Using IT
     
    Description
    This policy covers copyright and outlines general policies needed for the three campuses (i.e. development of user rights and privileges, management of IT resources, creation and enforcement of provisioning, procedures for ensuring comprehensive dissemination of IT policies and procedures, procedures for reporting violations, administrative processes and sanctions to be applied in the event of a violation of campus or university policy).
    Retention of University Records
     
    Description
    This policy explains what a university record is, how to access it, and proper disposal.
     

    Procedure: Record Retention Schedule

     
    Description
    This procedure references each record and the retention period.
    Security of IT Resources Through Authentication, Registration, and Routing Procedures for Email Servers
     
    Description
    This policy states that all email servers must route traffic through the central campus email router and SPAM/Virus gateway; be registered on an annual basis; and authenticate as outlined in the UCB Minimum Security Standards.
    Service Expectations for All ITS-Supported Labs
     
    Description
    Coming soon.
      Procedure: Software Additions/Modifications to ITS-supported Labs
     
    Description
    Coming soon.
      Procedure: Reporting Computer Lab Problems
     
    Description
    Coming soon.
    Telephone and Long Distance Service
     
    Description
    Coming soon.
    UCB Security Standards for Networked Devices
     
    Description
    The Campus IT Security Officer shall establish standards for networked devices.
    University E-mail as Official Correspondence
     
    Description
    This policy states that university e-mail is an official means of correspondence used by the University to communicate with employees and affiliate fiscal staff and articulates the associated requirements and responsibilities.
    Use of CU-Boulder's Computing and Network Resources
     
    Description
    This policy covers items such as keeping passwords secure and respecting the integrity of resources, as well as behavior that is not appropriate: monitoring or eavesdropping; using networking and computing resources for commercial use, political campaigning, or harassment; violating copyright; or invading privacy. It articulates the importance of not transmitting sensitive/confidential information unless security matches appropriately.
     

    Guidelines for Computer Users on CU-Boulder Campus

     
    Description
    These guidelines outline helpful information about how to maintain a secure password, use resources ethically, and handle data appropriately. They also outline what is prohibited: don’t harass; don’t use for commercial purposes; don’t use for political campaigns; and comply with copyright. Finally, they cover the importance of understanding the limitation of privacy and knowing your IT responsibilities.
     

    Guidelines for Bulk Email

     
    Description
    Coming soon.
    Use of Electronic Mail
     
    Description
    This policy states that email isn’t to be regarded as a secure medium for the communication of sensitive or confidential information or be considered private. Email may be considered a public record and subject to public inspection under Colorado's Public Records Act, C.R.S. 24-72-203. Email may be disclosed without permission of the user.
    Use of Faculty/Staff Electronic Memo System
     
    Description
    This website provides helpful information regarding the four categories of the ememo service, outlines the procedures and provides pricing and contact information.
    Web Publishing Policies
     
    Description
    This comprehensive website outlines laws and requirements for any webpages within the www.colorado.edu domain or webpages prepared for any organization receiving university funds, excluding agency affiliates or any faculty, staff, and student pages on servers connected to the campus network. Categories include: use of university name, seal, and marks, accessibility, hosting, fundraising, advertising, sponsorship, and partnerships, etc.
      Web Identity Standards
     
    Description
    Information regarding design templates, required elements, custom designs and reserved designs is provided.
    Wireless Deployment and Management Policy
     
    Description
    ITS will be responsible for the deployment and management of 802.11 and related wireless access points on campus. No other departments may deploy 802.11 without coordination with ITS.
    Retired Policies
    Policies:

    University of Colorado Legal Counsel’s Quarterly Newsletter

    This website addresses various legal issues University faculty and staff could encounter in the course of business at the University. Topics include recent relevant court cases, changes in state or federal law and applications of University policies and rules.

    Reporting Misuse

    To report misuse or lodge a complaint against a user on the colorado.edu system, visit the Reporting Abuse and Harassment Guidelines web page.

    About IT Policies and Guidelines

    Questions and concerns regarding any policy may be addressed to the IT planning and policy office at 303-735-5225 or itpolicies@colorado.edu.

    Create Your Own Policy Binder

    Step One:
    Download and print the binder cover, binder spine, and policies table of contents.

    • Binder Cover - pdf
    • Binder Spine - pdf
    • Policies Table of Contents - pdf

    Step Two:
    Print out the IT policies that govern the University of Colorado at Boulder from the list above.

    Policies:

    Step Three:
    Put all the pieces together to form your own policy binder.

     

    Get Help

    IT Service Center
    303-735-4357 (5-HELP from an on-campus phone)
    help@colorado.edu

     

     

    Last reviewed: July 17, 2008

    © 2000
    The Regents of the University of Colorado