Computer and Network Use Policies

ACCEPTABLE USE POLICY

1.0 Overview

The Office of Information Systems' intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to CNR's established culture of openness, trust, and integrity. Information Systems is committed to protecting CNR's students, faculty, users, partners, and the College from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of CNR. These systems are to be used for approved purposes in serving the interests of the College, and of our users in the course of normal operations. Please review user policies for further details.

Effective security is a team effort involving the participation and support of every CNR user and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at CNR. These rules are in place to protect the user and CNR. Inappropriate use exposes CNR to risks including virus attacks, compromise of network systems and services, and legal issues.

3.0 Scope

This policy applies to students, faculty, users, contractors, consultants, temporaries, and other workers at CNR, including all personnel affiliated with authorized third parties. This policy applies to all equipment that is owned or leased by CNR as well as any third party equipment using the CNR network infrastructure for any reason.

4.0 Policy

4.1 General Use and Ownership
  1. Because of the need to protect CNR's network, management cannot guarantee the confidentiality of information stored on any network device belonging to CNR or transmitted in any way across the CNR network infrastructure.
  2. Users are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, users should be guided by departmental policies on personal use, and if there is any uncertainty, users should consult their supervisor or manager.  
  3. Any user using a privately owned computer or College-owned computer will have to register his/her computer with the College's registration system and will then have to authenticate using his/her user account in order to use any available network resource.
  4. The College has the right to allow or deny access to some or all of the network resources to any user. The final determination will be made by CNR.
  5. For security and network maintenance purposes, authorized individuals within CNR may monitor equipment, systems, and network traffic at any time.
  6. CNR reserves the right to audit networks and all systems connected to the CNR network infrastructure in any way on a periodic basis to ensure compliance with this policy.
4.2 Eligible Network Users
  1. Students must be registered at the College in order to create and maintain a network account whether or not a CNR email address is being created.
  2. Employees must be cleared and verified by Human Resources as active employees in order to create and maintain a network account.
  3. All other network users must go through their department's approval process before Information Systems will create and maintain their network account.
4.3 Security and Proprietary Information
  1. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly, and user level passwords should be changed every six months.
  2. All PCs, laptops, and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K users) when the host will be unattended.
  3. Postings by users from a CNR email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CNR, unless posting is in the course of business duties.
  4. All hosts used by the user that are connected to the CNR Internet/Intranet/Extranet, whether owned by the user or CNR, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy.
  5. Users must exercise extreme caution when opening email attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
4.3. Unacceptable Use

The following activities are, in general, prohibited. Users may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is a student or employee of CNR authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing CNR-owned resources or infrastructure.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by CNR or the individual user.
  2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which CNR or the end user does not have an active license is strictly prohibited.
  3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws. The appropriate management should be consulted prior to export of any material that is in question.
  4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  5. Revealing your account password to others or allowing use of your account by others. This includes family, colleagues, and other household members when work is being done in on- or off-campus locations.
  6. Using a CNR computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
  7. Making fraudulent offers of products, items, or services originating from any CNR account.
  8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
  9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  10. Port scanning or security scanning is expressly prohibited except when performed by Information Systems to assess security conditions.
  11. Executing any form of network monitoring which will intercept data not intended for the user's host, unless this activity is a part of the user's normal job/duty.
  12. Circumventing user authentication or security of any host, network or account.
  13. Interfering with or denying service to any user other than the user's host (for example, denial of service attack).
  14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
  15. Providing information about, or lists of, CNR users to parties outside CNR.
Email and Communications Activities
  1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
  3. Unauthorized use, or forging, of email header information.
  4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
  5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
  6. Use of unsolicited email originating from within CNR's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by CNR or connected via CNR's network.
  7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

COPYRIGHT INFRINGEMENT POLICY

1.0 Overview

1.1 Introduction

The Digital Millennium Copyright Act (DMCA) of 1998 amends the federal copyright law to provide certain liability protections for online service providers when their computer systems or networks carry material that violates (infringes) copyright law. To qualify for liability protection, the College is required to have a policy under which the computer accounts of users will be terminated if they infringe upon the copyrighted works of others. The account may be reinstated pending a judicial review.

1.2 Additional Information

For more information on United States copyright law, please consult the U.S. Copyright Office's website at http://www.copyright.gov.

2.0 Purpose

The purpose of this policy is to explain the DMCA and to establish a procedure for notifying The College of New Rochelle (CNR) of an alleged copyright infringement.

3.0 Scope

This policy applies to students, faculty, users, contractors, consultants, temporaries, and other workers at CNR, including all personnel affiliated with authorized third parties.

4.0 Policy

4.1 General

Compliance with federal copyright law is not only expected of all CNR students, faculty, and staff, it is required. "Copyright" is legal protection for creative intellectual works, which is broadly interpreted to cover almost any expression of an idea. Text (including email and Web information), graphics, arts, photographs, video and other media types, music, and software are examples of types of works protected by copyright. The creator of the work, or sometimes the person who hired the creator, is the initial copyright owner. Please consult section "4.7 How to Secure a Copyright" of this document for a further discussion of how to obtain a copyright.

4.2 Proper Use

"Use" of work is defined for copyright purposes as copying, distributing, making derivative works, publicly displaying, or publicly performing the work. You may "use" all or part of a copyrighted work only if:

  • a) you have the copyright owner's permission or
  • b) you qualify for legal exception
4.3 Violations

Copying, distributing, downloading, and uploading information on the Internet or any computer system or network may infringe upon the copyright of that information. Even an innocent, unintentional infringement violates the law. Violations of copyright law that occur on or over the College's networks or other computer resources may create liability for the College as well as the computer user.

4.4 Notification Procedure

In accordance with the DMCA, CNR has designated an agent to receive notification of alleged copyright infringement occurring on the Web pages, computer systems, or networks in the CNR.EDU domain. The DMCA requires that all notices of alleged copyright infringement be in writing. For CNR to act on your notice, you must be authorized to enforce the copyrights that you allege have been infringed. When informing the College of an alleged copyright infringement, you should follow the procedure below:

  • a) Notify our designated agent for copyright notices:

    Senior Vice President / Academic Affairs
    Academic Affairs
    The College of New Rochelle
    29 Castle Place
    New Rochelle, NY 10805
    dmcaagent@cnr.edu
    (914) 654-5535
     
  • b) Identify the copyrighted work that allegedly has been infringed. If multiple copyrighted works at a single online site are involved, please provide a representative list of such works.
  • c) Describe the material that is claimed to be infringing and provide sufficient information to permit CNR to locate that material.
  • d) Provide your contact information, including mailing address, telephone number, and, if possible, an email address.
  • e) Certify or include a statement that you have good faith belief that the use of the copyright-protected material, in the manner complained of, is not authorized by the copyright owner, the owner's agent, or law.
  • f) Certify that the information you have provided CNR is accurate. You should attest under penalty of perjury that you are authorized to enforce the copyrights that you allege have been infringed.
  • g) Include a physical or electronic signature of a person authorized to act on behalf of the Complaining Party. As an electronic signature, CNR accepts Fax and digitalized image of signature attached to email.
  • h) NOTE: The College may not be able to act upon your complaint promptly or at all, if you do not provide this information.
4.5 Investigation Procedure

If, after consultation with legal counsel, the copyright agent finds that there may be substance to the claim of infringement, the following will occur:

  • a) The agent will notify Information Systems (IS). IS will contact the person responsible for the web page or the information concerned and arrange to have the allegedly infringing material taken down, pending an investigation.
  • b) If the person posting the material refuses to remove it pending the investigation, IS may have the page rendered unavailable or the information made inaccessible by the College's systems' staff.
  • c) Both sides may consider further legal steps. The College reserves the right to keep such pages unavailable or the information inaccessible until the matter is resolved.
  • d) Under the terms of the DMCA, CNR would most likely qualify as a service provider with limitations on its liability. CNR is not liable for pages posted on its web site or the information uploaded to its systems, which may infringe on the copyright of others, provided it follows the procedure described in this policy.
4.6 Additional Notice

If a person working for the College has independent knowledge of a copyright violation on a College computer system or network, the College may have a duty to remove the infringing material. This is true even if there is not "notice" from the copyright owner. Therefore, that person should report the violation to the designated agent, immediately.

4.7 How to Secure a Copyright

For works created after March 1, 1989, there is no need to add a copyright symbol, but it is advisable. There are certain definite advantages to copyright registration. See "Copyright Registration" at http://www.copyright.gov.

DATA CLASSIFICATION POLICY

1.0 Purpose

This policy defines how College Data is classified and how it is to be protected. Students, faculty, staff and alumni trust that the College protects their personal data as it exists in any medium – electronic as well as all forms of paper record.

The data covered in this policy includes, but is not limited to, data that is either stored or shared via any means. College-owned data includes all paper and electronic data prepared, supplied, used or retained by College employees, within the scope of their employment, or by agencies or affiliates of the College, under a contractual agreement. This policy covers all data handled by or created through all College operations.

Questions about the proper classification of a specific piece of data should be addressed to your supervisor. Questions about this policy should be addressed to the Office of Information Systems.

2.0 Scope

This policy applies to members of the College community and affiliates who use CNR's computer and data resources and/or who have access to sensitive data stored on those resources.

This policy should be used in conjunction with the CNR Personal Private Information Policy and the Data Retention Policy.

3.0 Definitions

This policy classifies College data into two categories – restricted or unrestricted data. These categories are expected measures to protect College data and are outlined below.

Data classification categories:

Restricted data is College data that:

  • Pertains to information protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm Leach Bliley Act, FTC Red Flag Rules and any other data governed by law (federal, state, industry, or local), institutional policy, standards and/or data that has been defined as sensitive by CNR.
  • Makes the College liable for costs or damages due to unauthorized disclosure. Also refers to data whose unauthorized access or loss could seriously or adversely affect CNR, CNR employees, a student, a partner, or the public
  • Is used primarily to conduct official College business with limited internal distribution and should be safeguarded from general access
  • Contains proprietary information, pertains to student records that are covered by the Family Educational Rights and Privacy Act (FERPA) or pertains to donor records.

Non-Restricted data is College data that:

  • Is not classified as restricted
  • Is available to the general public and can be accessed without authentication

Data Classification Table

This Data Classification table is meant to describe the confidentiality of the data in question, and does not factor in the integrity or availability requirements in its rating. This is not an exhaustive list; however, these are known restricted data fields.

Data Classification: Restricted

Description: Data governed by law, institutional policy, standards and/or data classified as sensitive by CNR. Unauthorized access or loss could seriously or adversely affect CNR, staff, faculty, partners, and the public.

Examples (but not limited to):

  • Social Security Number
  • Driver's License Number
  • Bank/Financial Information
  • Credit/Debit Card Number
  • Medical/Disability Records
  • Electronic Protected Health Information
  • Critical CNR application files
  • Privately owned Trade Secrets
  • Financial Aid/Grant information/Loans
  • Records on private contributors
  • Pre-patent research data
  • Non-disclosure agreements
  • College owned data
  • Grades/Transcripts/Test Scores
  • FERPA-protected student records
  • Human Resources Data
  • Salary and Payroll information
  • Employee Background Checks
  • Workers compensation or disability claims
  • Affirmative Action Information
  • Protected Data Related to Research
  • Network IDs/Passwords/PINs
  • Payroll number
  • Student Identification Number
  • Licensed Software
  • Performance Reviews
  • Athletics recruiting Information
  • Student bills and payment history
  • Counseling treatment history
  • Information about Donors/prospect Donors
  • Detailed annual budget information
  • College Investment information
  • Other College Owned Non-Public Data

Data Classification: Non-Restricted

Description: All other non-public data not included in the Restricted class; all public data.

Examples (but not limited to):

  • Campus maps
  • Business contact data
  • General access data, such as that on unauthenticated portions of www.cnr.edu
  • Directory information as listed on CNR web site
  • Press releases
  • Campus events
  • Admissions requirements
  • Academic program information

4.0 CNR Data Policy

Procedures

Controls

The appropriate control shall be applied to every process used to handle restricted data, according to the classification of that data.

  1. Access
    For Restricted data, in any medium, College department heads shall use appropriate physical and electronic controls to limit access to this data to persons who need to use it to perform their College assigned duties and for whom it is legally appropriate to have access to this data. For Restricted data, it is required that data is restricted and that those given access have a "need to know."
  2. Network Transmission
    Restricted data may be transmitted over the College or external networks as required, provided that access to the data by normal means is restricted to those who must use it to perform College assigned duties. Restricted data shall not be transmitted over College or external networks, outside a data center, a firewalled network so designated by the Office of Information Systems, unless the data or the entire transmission is encrypted. Questions regarding encryption of data for external transmission should be directed to the Office of Information Systems prior to transmission.
  3. Data Processing
    The College and its employees shall employ data processing systems and procedures with appropriate safeguards to ensure that Restricted data is not lost or disclosed to unauthorized persons during or after processing.
  4. Communication
    Restricted data communicated by voice, mail, fax, or other methods must use reasonable safeguards against disclosure to unauthorized persons, as appropriate to the method of communication. Restricted data may not be communicated to third parties, except as specifically required by legal obligation or protected under contractual agreements.
  5. Storing Data
    Restricted data must be stored in physical or electronic environments where access is limited to only those who need to use the data for College assigned duties and for whom it is legally appropriate to have access to the data. Restricted data must be stored on a CNR networked server, such as a home or shared folder or in an administrative database, and such data should not be moved to a local storage device or cloud storage, such as Skydrive. Restricted data in electronic records shall be secured with strong encryption when stored outside the central College administrative database. Restricted data in all forms of physical records must either be securely locked or actively supervised in a private environment at all times.
  6. Emailing Data
    Email continues to be an official method of communication with the CNR community. Restricted data, unless encrypted, should not be sent via email. For example, final grades should not be communicated via email.
  7. Sharing Data
    Cloud storage, such as Skydrive, or local storage (USB drives, local or external hard drives) should not be used to store and share Restricted data. Such local or cloud storage should be used only to store Non-Restricted data.
  8. Retention
    Restricted data must be retained and disposed of in accordance with the College's Retention Policy.
  9. Improper Disclosure or Loss
    All faculty, staff, and students shall immediately report inappropriate disclosure or suspected loss of Restricted data to their supervisor, who should in turn report such to the Director of the Office of Information Systems.

5.0 Enforcement

Any employee found to have violated this policy may be subject to legal action in addition to disciplinary action, up to and including termination of employment.

6.0 Revision History

Revised 8.9.2012

EMAIL USE POLICY

1.0 Overview

The College of New Rochelle electronic mail service is a College facility that is intended for the use of teaching, research and administration in support of the College’s mission.  The College has set forth this policy to ensure the responsible and effective use of its electronic mail service.

2.0 Purpose

The purpose of this policy is to ensure that the College’s electronic mail service is used in compliance with applicable policies and laws governing the institution as well as the US government. The College also intends to prevent tarnishing our public image in the event that the general public views messages from The College of New Rochelle as an official policy statement.

3.0 Scope

This policy covers appropriate use of any email sent from a College of New Rochelle email address and applies to students, faculty, users, contractors, consultants, temporaries, and other workers at CNR, including all personnel affiliated with authorized third parties.

4.0 Policy

4.1 Email and Mailbox Limit Restrictions

There are email and mailbox size limit restrictions on all College email. The storage limit for an entire mailbox is 50GB. When the email folder approaches the allotted size limit, warning notices will be sent from the System Administrator. Additionally, the message size limit is 150MB for Outlook desktop and 112MB for Outlook Web Application (OWA); the file attachment size limit is 150MB in Outlook and 25MB in OWA. A mailbox is permitted to send to 10,000 recipients per day with a 500 recipient limit on an individual message. If a distribution list is used, then that entry counts as one recipient.

4.2 Prohibited Use

The College of New Rochelle email system shall not be used for the creation or distribution of any disruptive, derogatory, or potentially offensive messages, including but not limited to offensive comments about race, gender, disabilities, age, sexual orientation, sexually explicit, religious beliefs and practice, national origin or any other facet that can be deemed discriminatory. This statement is further supported in the College’s Anti-Harassment Policy which can be found in the College’s policy handbook.

Activities which violate this policy include, but are not limited to: deliberately interfering with the mail system, flooding mailboxes with automatically generated mail, and attempting to gain access to another person’s password, files or messages.

4.3 Mass Mailing /Spamming

Sending chain letters or joke emails from a College of New Rochelle email account is considered spam and it is prohibited.   These restrictions also apply to the forwarding of email received by a College of New Rochelle employee.  Virus or other malware warnings and mass mailings shall be approved by the College of New Rochelle’s Director of Information Systems before sending.

4.4 Personal Use

Using a reasonable amount of the College of New Rochelle resources for personal emails is acceptable.   However, The College of New Rochelle email service may not be used for commercial business or political initiatives. 

4.5 Monitoring

The College of New Rochelle employees shall have no expectation of privacy in anything they store, send or receive on the College’s email system. The College reserves the right to monitor messages without prior notice. The College is not obliged to monitor email messages. As the provider of electronic mail, the College has the role of carrier and is not responsible for the content of email messages. 

 

Revised January 2016

EMAIL RETENTION POLICY

1.0 Purpose

The Email Retention Policy is intended to help employees determine what information sent or received by email should be retained and for how long at the server level.

The information covered in these guidelines includes information that is either stored or shared via electronic mail.

All employees should familiarize themselves with the email retention topic areas that follow this introduction.

Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to Information Systems.

2.0 Scope

Any email that contains information in the scope of the Document Retention Policy is to be treated in that manner and moved to another location (print or electronic) and then deleted from email. All CNR email information is categorized into three main classifications with retention guidelines:

Tape Backups Email Server – 1 month

Messages in the deleted folder will be automatically deleted on the client side when Outlook is closed. Email messages stored in the deleted folder will be purged from the database on the server side prior to the nightly back up of the email database.

Messages in all other folders (inbox, sent, draft, etc.) will be retained until deleted by the user. Further classifications within the guidelines for employees consist of:

  • Work-critical messages
  • Non-work-critical messages

3.0 Policy

3.1 Tape Backups

All data will be purged from backup media after 30 days. These backups are for system restoration and disaster recovery purposes, and are not designed to facilitate retrieval of deleted messages.

3.2 Classification of individual email

The recipient of emails is the legal custodian of her/his messages. It is his/her responsibility to retain work-critical information received in email for as long as the retention policy requires or as long as the message is needed – whichever is later. It is also her/his responsibility to delete non-work-related messages as soon as possible.

3.3 Encrypted Email Communications

CNR encrypted communications should be used in a manner consistent with CNR Acceptable Use policy, but in general, information should be stored in a decrypted format.

3.4 Litigation Holds

When litigation is pending or threatened against CNR or its employees, the law imposes a duty upon the College to preserve all documents and records that pertain to the issues. A litigation hold directive overrides this email policy, as well as any records retention schedules that may have otherwise called for the destruction of relevant documents, until the hold is cleared.

Email and accounts of employees (active or separated) that have been placed on litigation hold status must be maintained by Information Systems until the hold is released.

No employee who has received a litigation hold directive may alter or delete an electronic record that falls within the scope of that hold. Those employees are required to provide access to or copies of any electronic records that they have downloaded and saved or moved to some other storage account or device.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

Created Fall 2007
Revised September 2010
Revised September 2011

NETWORK AND COMPUTER SYSTEM PASSWORD POLICY

Overview

Passwords are an important aspect of computer security. They are the front line of protection for your account on our network. A poorly chosen password may undermine the safety of the CNR network and put your own online identity at risk. As such, all CNR network users are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this document is to explain the College of New Rochelle's password policy.

Scope

This policy applies to students, faculty, users, contractors, consultants, temporaries, and other workers at CNR, including all personnel affiliated with authorized third parties.

Policy

Creating a Valid Password

  • The password must be at least seven characters
  • The password must contain characters from each of the following categories:
    • Uppercase characters (the letters A-Z)
    • Lowercase characters (the letters a-z)
    • One or more numbers from 0-9 or the following symbols (! @ # $ %)
  • The password cannot contain 3 or more consecutive characters from your first or last name.
  • The password cannot contain spaces

Password Examples

  • Create a password you can easily remember. For example, create a password based on a song title or other phrase. If the phrase is "I love to go to the shore," then the password could be: iL2g2tS!.
  • If you use dictionary words or the name of a pet, break up the name with numbers or symbols. For example, if your dog is Lassie and she was born in 1989, your password could be: Las89sie.

Managing your Network Account

  • Passwords should be changed every 6 months.
  • Do not use the "Remember Password" feature of programs on your computer.
  • Do not share your password, write it down, or store it online.
  • If your password is known to others, change it immediately.

Resetting your Password

  • From on-campus, log on to your computer and then press CTRL-ALT-DEL and click CHANGE PASSWORD. You will be prompted to enter your current password and then enter your new password twice.
  • From off-campus, an account management program is available to all CNR network users via a web page that is located on the Intranet. Select Quick Links, Virtual Help Desk. Click Change Password and follow the steps to change your password. Please note: If you receive this notification and you have not requested a change, contact the Help Desk immediately.

Please note that the Office of Information Systems does not have access to any user passwords. If your identity cannot be verified over the phone, and you are at the main campus, you will be required to come to the Office of Information Systems in person and present a valid CNR ID. If you are an SNR student, you are required to go to your campus library in person and present a valid CNR ID.

Questions regarding this policy should be directed to the Director of Information Systems.

Please forward any queries to the Help Desk at (914) 654-5012.

NETWORK FOLDER POLICY

1.0 Overview

The intentions of the Office of Information Systems for publishing a Network Folder Policy are not to impose restrictions that are contrary to CNR's established culture of openness, trust, and integrity. CNR is the owner of all electronic data containing nonpublic information pertaining to its current or prospective students, faculty, staff, alumnae or the College, that is handled or maintained by or on behalf of the College or its affiliates. The Office of Information Systems is committed to protecting CNR's data, particularly sensitive/confidential data and personal private information. CNR faculty and staff are required to abide by this policy to ensure that all confidential personal private information is secured.

2.0 Purpose

The purpose of this policy is to outline where files are stored and the actions users must follow to protect CNR's data. College network drive resources are provided to ensure safe and secure locations where employees of the College must store work-related documents. Failure to abide by this policy exposes the Institution and its employees and students to risks including virus attacks, identity theft, compromise of network systems and services and legal issues. It is the responsibility of every computer user to know these guidelines and abide by them accordingly.

Questions about these guidelines should be addressed to the Office of Information Systems.

3.0 Scope

This policy applies to all staff who work with any College data and in particular all those who work with critical CNR data and with confidential/personal private information.

4.0 Policy

4.1 General

The Office of Information Systems provides centralized data storage for all departments within the College. This policy covers two types of folders – Departmental and Individual Network folders.

4.2 Ownership and Responsibilities

Departmental Network folders: Departmental network folders are centrally stored network folders that must be utilized for storing files that need to be viewed or maintained by multiple users. The folders are assigned a drive letter, for example drive Z, and remain available to the users when logged onto the network at a physical CNR location or through the VPN. All College data that need to be viewed / maintained by multiple users must be stored in departmental network folders.

  • The Office of Information Systems is responsible for setting up network folders to accommodate sharing of files among users within business defined work units. Folders will be created in such a way as to restrict unauthorized access.
  • Departmental network folders are restricted to faculty/staff and those users that have been given permission to view folders by department heads/supervisors.
  • Department supervisors will be responsible for designating those users who will be granted permissions to access specific folders. Supervisors are also responsible for requesting additions, modifications and deletions to the user list.
  • Users with ability to modify folders can create subfolders, etc., within the folder structure. Folders and subfolders within departmental space can be further restricted to certain users.
  • Student workers may be granted limited access for the specific work assigned to them. They may not use their student account but must use a specific user account created for the student worker to access network resources. The hiring manager will be responsible for determining the level of access and keeping the list of student workers active.

Individual Network Folders – Drive H: In addition to departmental network folders, individual network folders, also referred to as Home folders, will be provided for all staff. By default, each staff member will be automatically assigned space (quota) on this drive.

  • Only the named user will have the permission to access the files on that user's home folder. No other user will be able to access the files on someone else's drive H:\. If other users log onto the network from someone else's PC, they will have access to their own drive H:\ and not the user whose PC they are logged onto.
  • The home folders (drive H:\) must be used for storing files relating to specific job functions. No work-related data will exist on the local hard drives of a computer or removable drives such as flash or thumb drives.
  • All contents relating to college business located in the My Documents folder or other folders on the local hard drive of a computer must be moved to the Home folder.
  • Technical staff will not have automatic rights to this folder but may obtain access when necessary in their duty of supporting the user of this account. This type of action requires consent of the individual or a written directive by the Area Vice President and the Director of Information Systems.
  • Users will have the ability to create and maintain subfolders within their personal folder.

Local Hard Drive – Drive C:

  • The local hard drive will continue to remain accessible to the user but must not contain any college-related data
  • The Office of Information Systems will not perform backups on the contents of the local drive.

4.3 Maintenance

Network storage space is limited. The Office of Information Systems will be responsible for managing network drive space including setting quotas. Individuals with justification may request a quota increase by submitting a request to Helpdesk@cnr.edu. Before submitting a request for additional network space, non-essential or obsolete data must be deleted.

  • In accordance with CNR's document retention policy, network folder users have a responsibility for managing folder space including deleting non-essential or obsolete files to keep space utilization at a minimum
  • All files stored in departmental or home folders are assumed to be the property of the College.
  • Copyrighted and non-licensed materials including all forms of multimedia data such as music and video files are not allowed on the network.

5.0 Enforcement

Any network folder may be removed or disabled at the discretion of the Executive Vice President or designee, if found to violate CNR's network folder policy. In addition, any employee found to have violated this policy may be subject to disciplinary action.

6.0 Backup/Recovery

The Office of Information Systems is responsible for performing regular routine backups.

  • Network backups will include all directories including personal home folders (H:) and departmental shared folders (Z:, Q:, etc)
  • At a minimum, backups will occur daily of all files that have been modified or added since the last full backup.
  • Full backups will be kept in accordance with CNR's backup policy
  • Users are responsible for all backups and any information stored on the local hard drive. Users are responsible for regularly backing up any important files kept on the local hard drive. Local hard drives may not contain college-related data.
  • Peripheral devices such as thumb drives (other names include jump drives or flash drives) are not recommended and will not be backed up.
  • Warning: The Office of Information Systems cannot recover a file that is created then accidentally deleted on the same day. This is because the day's backup tapes are created at night.

WIRELESS COMMUNICATION POLICY

1.0 Purpose

This policy prohibits access to The College of New Rochelle (CNR) networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by Information Systems are approved for connectivity to CNR networks.
      
2.0 Scope

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of CNR's internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to CNR networks do not fall under the purview of this policy.
        
3.0 Policy

3.1 Register Access Points and Cards

All wireless Access Points / Base Stations connected to the College network must be registered and approved by The Office of Information Systems (OIS). These Access Points / Base Stations are subject to periodic security tests and audits, and if it is determined that wireless devices are interfering with the CNR wireless network and/or its users, OIS will require that the device be removed. All wireless Network Interface Cards (i.e., PC cards) used in laptops, desktop computers and other network devices must be registered with OIS.

3.2 Approved Technology

All wireless LAN access must use OIS-approved vendor products and security configurations.

3.3 VPN Encryption and Authentication

All computers on CNR's wireless network must be configured with WPA encryption with PEAP authentication or be configured with the Odyssey Client in order to function on the network. All computers with wireless LAN devices must utilize the CNR Virtual Private Network (VPN) when conducting official College business on an external network. To comply with this policy, wireless implementations must maintain point to point hardware encryption of at least 56 bits. All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address. All implementations must support and employ strong user authentication which checks against an external database such as TACACS+, RADIUS or something similar.    
        
4.0 Sanctions for Policy Violations

Violations of these policies will be dealt with in the same manner as violations of other College policies and may result in disciplinary review by the College as well as a private cause of action. By such a review, the full range of disciplinary sanctions is available, including the loss of computer use privileges and dismissal from the College.

PERSONAL PRIVATE INFORMATION POLICY

1.0 Purpose

The CNR Personal Private Information (PPI) Policy is intended to help employees determine what information can be disclosed to employees and / or non-employees, and also help to determine the relative sensitivity of information that should not be disclosed outside of CNR without proper authorization.

The information covered in this policy includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (including, but not limited to, telephone and video conferencing).

Questions about the proper classification of a specific piece of information should be addressed to your supervisor. Questions about this policy should be addressed to the Office of Information Systems.

2.0 Scope

2.1 Overview

All CNR information that can lead to the identification of a person is covered by this policy. This type of information will be defined as 'Personal Private Information.'

2.2 Definition of Personal Private Information

"Personal Private Information" is defined as an individual's first name or first initial and last name linked with any one or more of the following data elements:

  1. Bank Account Numbers, Benefit Information, Citizenship Status, Country of Citizenship, Criminal Record, Date/Location of Birth, Disability Information, Discipline Information, Driver's License, Ethnicity, Gender, Grievance Information, Health Information, Home Address, Leave of Absence Reason, Marital Status, Military Status, National ID Number, Social Security Number, Tax Information (W2, W4, 1099), or Visa Permit Data.
  2. Medical records, Financial records, or Studies or surveys using personally identifiable data; or
  3. Financial institution account number or credit/debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  4. CNR account login information that would permit access to the CNR network, an individual's CNR computer or telephone voice mail account.
  5. All data that has been declared 'private and personal knowledge' by CNR.
  6. All student education records covered under the Family Educational Rights and Privacy Act (FERPA), a federal law that protects the privacy interests of parents and students in student education records. An "education record" is any record that is maintained by the institution and is personally identifiable to the student. NOTE: CNR's PPI and FERPA policies differ; while the Federal FERPA regulations allow for most Directory Information to be released, CNR's PPI policy is more restrictive and more in line with New York state's PPI regulations. Please refer to the CNR FERPA policy for more information.

This type of data is information that has been entrusted to CNR and can lead to the identification of a person and may be required either by law or by regulation to be protected.

For the purposes of this policy, Personal Private Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. Examples of publicly available data include, but are not limited to:

  • Information contained on the public-facing CNR website, such as Employee Email addresses, job titles and phone numbers, student testimonials that contain name and graduation date, or CNR news (NOTE: Only the specific data items that are publicly available via the CNR web site can no longer be considered PPI, meaning that if only Student A is written about in a testimonial for the web site, then only the specific data released in the testimonial for Student A will be considered Publicly Available. Student A's remaining PPI and all of the other CNR student information must still be treated as PPI).
  • Information that has been printed in the press or has been published by the local, state or federal governments. Once a piece of data appears in a newspaper, it no longer has to be treated as PPI.
  • If a student speaks to a reporter about his or her own PPI and the report airs on television or an employee posts a home movie on the internet that releases his or her own PPI to the public, the released PPI will be considered 'widely distributed by the media' and it no longer has to be treated as PPI.

All employees are required to familiarize themselves with this policy. CNR personnel are encouraged to use common sense judgment in securing Personal Private Information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager.

3.0 Policy

3.1 Overview

The policy below provides details on how to protect sensitive data. If there are any questions about how to proceed, the department head should contact the Office of Information Systems.

3.2 PPI Policy

  • Employee Responsibility
    It is the responsibility of the person handling this data to 'know' that the data they are handling or using is classified as Personal Private Information. If the person is not sure, it is their responsibility to ask either their supervisor or to ask Information Systems.
  • Data Ownership
    CNR is the owner of all of the data that it has been entrusted with and much of it is classified as PPI. While CNR is the owner, each department handles, uses, and processes various pieces of PPI. Accordingly, each department head will act as the 'steward' of that PPI.
  • Release of PPI
    PPI is NOT to be released, either intentionally or accidentally, without written authority to do so. If there is a legitimate need, as determined by the steward of the data, the data may be shared between employees of CNR. Otherwise, this data is NOT to be released without express written authorization from the head of the department that is acting as the steward of the data. A copy of the signed authorization form must be on file in the department head's office.
  • General PPI Requirements
    • Physical Document Marking: Marking is at the discretion of the steward of the data. If marking is desired, the words "CNR Personal Private Information" may be written or designated in a conspicuous place on or in the information in question.
    • Access: CNR non-employees with signed non-disclosure agreements who have a business need to know. Non-employees must sign a non-disclosure agreement prior to being given access to CNR PPI.
    • Distribution within CNR: For Standard Interoffice mail, the envelope must be stapled or taped and marked with "Personal and Private – to be opened by the addressee only." For electronic distribution, only approved methods are allowed (electronic mail and most electronic file transmission methods are forbidden). For approved electronic distribution methods, please see below. If you have any questions, please contact the Office of Information Systems.
    • Distribution outside of CNR internal mail: If PPI has to be sent outside of CNR, preference should be given to approved electronic transmission methods. For each new distribution requirement, the Office of Information Systems should be contacted to determine the most appropriate methods. However, there will be times when the data must be sent using a non-electronic format. For those approved recipients only, the data may be sent via U.S. mail or approved private carriers.
    • Electronic distribution: No restrictions to approved recipients within CNR, but should be encrypted. Users who work with PPI should have a copy of the PGP encryption software installed on their computer. Please contact the Office of Information Systems for any issues regarding PGP. For distribution outside of CNR, please refer to Distribution outside of CNR internal mail above.
    • Storage: PPI should be stored on a CNR networked server. PPI should not be moved to a local storage device or a local PC unless the business process requires it. Individual access controls are highly recommended for electronic PPI if the data is removed from the server. If you have any questions, please contact Office of Information Systems.
    • Disposal/Destruction: It is essential that all documents regardless of media type that include PPI be destroyed. Never dispose of PPI paper documents in wastebaskets or unsecured recycle bins. Each department should have its own cross shredder for the disposal/destruction of PPI in paper, CD or DVD format. Electronic data should be expunged/cleared. The PGP software includes an electronic shredder that can be used to expunge unneeded data. Reliably erase or physically destroy media. Digital media can be brought to Information Systems for destruction (refer to the Destruction and Disposal Procedures document).
    • Penalty for deliberate or inadvertent disclosure: Deliberate or inadvertent disclosure of PPI will result in disciplinary action.

3.3 Overlapping Types of Data Mixed Together

If PPI data and non-PPI data are mixed together, either in physical or electronic form, all of the data will be treated as PPI. For example, if a report or CD contains both Public and PPI data, it must be treated as PPI. This guideline will ensure that the data in need of protection will receive the appropriate protection.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

11/04/2009

NON-DISCRIMINATION AND ANTI-HARASSMENT POLICY

1.0 Overview

1.1 Introduction

The College of New Rochelle is committed to a work environment in which all individuals are treated with respect and dignity. Each individual has the right to work in a professional atmosphere that promotes equal employment opportunities and prohibits discriminatory practices, including harassment. Therefore, The College of New Rochelle expects that all relationships among persons in the workplace will be business-like and free of bias, prejudice, and harassment.  

1.2 Additional Information - Equal Employment Opportunity

It is the policy of The College of New Rochelle to ensure equal employment opportunity without discrimination or harassment on the basis of race, color, national origin, religion, sex, age, disability, citizenship, marital status, sexual orientation, or any other characteristic protected by law. The College of New Rochelle prohibits and will not tolerate any such discrimination or harassment.

2.0 Purpose

The purpose of this document is to explain The College of New Rochelle's policy on discrimination and harassment.   

3.0 Scope

  1. These policies apply to all applicants and employees, and prohibit harassment, discrimination, and retaliation whether engaged in by fellow employees, by a supervisor or manager, or by someone not directly connected to The College of New Rochelle (e.g., an outside vendor, consultant, or customer.)
  2. Conduct prohibited by these policies is unacceptable in the workplace and in any work-related setting outside the workplace, such as during business trips, business meetings, and business-related social events.

4.0 Policy

4.1 Retaliation is Prohibited

The College of New Rochelle prohibits retaliation against any individual who reports discrimination or harassment or participates in an investigation of such reports. Retaliation against an individual for reporting harassment or discrimination or for participating in an investigation of a claim of harassment or discrimination is a serious violation of this policy and, like harassment or discrimination itself, will be subject to disciplinary action.

4.2 Reporting an Incident of Harassment, Discrimination or Retaliation

  1. The College of New Rochelle strongly urges the reporting of all incidents of discrimination, harassment, or retaliation, regardless of the offender's identity or position. Individuals who believe they have experienced conduct that they believe is contrary to The College of New Rochelle's policy or who have concerns about such matters should file their complaints with the Director of Human Resources or Assistant Vice President for Student Services. Individuals should not feel obligated to file their complaints with their immediate supervisor first, before bringing the matter to the attention of one of The College of New Rochelle's other designated representatives identified above.
  2. Employees who have experienced conduct they believe is contrary to this policy have an obligation to take advantage of this complaint procedure. An employee's failure to fulfill this obligation could affect his or her rights in pursuing legal action.
  3. Early reporting and intervention have proven to be the most effective method of resolving actual or perceived incidents of harassment. Therefore, while no fixed reporting period has been established, The College of New Rochelle strongly urges the prompt reporting of complaints or concerns so that rapid and constructive action can be taken.
  4. The availability of this complaint procedure does not preclude individuals who believe they are being subjected to harassing conduct from promptly advising the offender that his or her behavior is unwelcome and requesting that it be discontinued.

4.3 The Investigation

  1. Any reported allegations of harassment, discrimination, or retaliation will be investigated promptly. The investigation may include individual interviews with the parties involved and, where necessary, with individuals who may have observed the alleged conduct or may have other relevant knowledge.
  2. Confidentiality will be maintained throughout the investigatory process to the extent consistent with adequate investigation and appropriate corrective action.
  3. Non-Discrimination and Anti-Harassment Procedures can be found in Appendix A of the Employee Benefits Guide.

4.4 Responsive Action

  1. Misconduct constituting harassment, discrimination, or retaliation will be dealt with appropriately. Responsive action may include, for example, training, referral to counseling, and/or disciplinary action such as warning, reprimand, withholding of a promotion or pay increase, reassignment, temporary suspension without pay, or termination, as The College of New Rochelle believes appropriate under the circumstances.
  2. Individuals who have questions or concerns about these policies should talk with the Director of Human Resources.
  3. Finally, these policies should not, and may not, be used as a basis for excluding or separating individuals of a particular gender, or any other protected characteristic, from participating in business or work-related social activities or discussions in order to avoid allegations of harassment. The law and the policies of The College of New Rochelle prohibit disparate treatment on the basis of sex or any other protected characteristic, with regard to terms, conditions, privileges, and prerequisites of employment. The prohibitions against harassment, discrimination, and retaliation are intended to complement and further these policies, not to form the basis of an exception to them.

5.0 Definitions of Harassment

Sexual harassment constitutes discrimination and is illegal under federal, state, and local laws. For the purposes of this policy, sexual harassment is defined, as in the Equal Employment Opportunity Commission Guidelines, as unwelcome sexual advances, requests for sexual favors, and other verbal or physical conduct of a sexual nature when, for example: (i) submission to such conduct is made either explicitly or implicitly a term or condition of an individual's employment; (ii) submission to or rejection of such conduct by an individual is used as the basis for employment decisions affecting such individual; or (iii) such conduct has the purpose or effect of unreasonably interfering with an individual's work performance or creating an intimidating, hostile, or offensive working environment.

Sexual harassment may include a range of subtle and not so subtle behaviors and may involve individuals of the same or different gender. Depending on the circumstances, these behaviors may include, but are not limited to: unwanted sexual advances or requests for sexual favors; sexual jokes and innuendo; verbal abuse of a sexual nature; commentary about an individual's body, sexual prowess, or sexual deficiencies; leering, catcalls, or touching; insulting or obscene comments or gestures; display or circulation in the workplace of sexually suggestive objects or pictures (including through e-mail); and other physical, verbal, or visual conduct of a sexual nature.

Harassment on the basis of any other protected characteristic is also strictly prohibited. Under this policy, harassment is verbal or physical conduct that denigrates or shows hostility or aversion toward an individual because of his/her race, color, religion, sex, sexual orientation, marital status, national origin, age, disability, citizenship, or any other characteristic protected by law or that of his/her relatives, friends or associates, and that: (i) has the purpose or effect of creating an intimidating, hostile or offensive work environment; (ii) has the purpose or effect of unreasonably interfering with an individual's work performance; or (iii) otherwise adversely affects an individual's employment opportunities.

Harassing conduct includes, but is not limited to: epithets, slurs, or negative stereotyping; threatening, intimidating, or hostile acts; denigrating jokes and display or circulation in the workplace of written or graphic material that denigrates or shows hostility or aversion toward an individual or group (including through e-mail.) 

GUEST NETWORK ACCOUNT POLICY

The Office of Information Systems is charged with maintaining the confidentiality, integrity, and availability of the college's multi-campus data network. Access to this network is controlled and audited through individual user accounts and use is restricted to the CNR community. In addition, OIS maintains a guest network for visitors conducting business with CNR that require wireless internet access. Access to the guest network is managed separately and is granted on the guest's device for the defined period and is not available to "walk-ins." All visitors or guests who require network access (use of public machines, access to library or classroom computers, wireless access for personal devices, etc.) to conduct business with CNR will need to be approved at the department level and a request for network access should be emailed to helpdesk@cnr.edu at least two days prior to the person's arrival on campus. Where access is required for larger groups (e.g. conferences, summer programs, etc.), two weeks advance notice is required.

CNR Guest Network Account Procedure

Group Accounts

Guest Network Account set up for groups should be emailed to helpdesk@cnr.edu allowing for two weeks advance notice and must include all of the following information:

  • First and last name of individual requesting access
  • Email and/or phone contact information for new user
  • 2 unique pieces of identifying information
  • Date and time access should begin
  • Special access requirements (e.g. laptop wireless setup)
  • Date and time access should end

*Group accounts must predetermine what specific unique identifying information for each user will be used. Examples of acceptable unique identifying information include: last four digits of phone number, zip code, month and day of birth. These two established unique identifiers will allow individuals within the group to activate their user account through the Virtual Help Desk from any locale, on campus or off-campus. Support can be provided through email and phone.

Individual Accounts

Guest Network Account setup for an individual should be emailed to helpdesk@cnr.edu at least two days prior to the person's arrival on campus and must include all of the following information:

  • First and last name of individual requesting access
  • Email and/or phone contact information for new user
  • Date and time access should begin
  • Special access requirements (e.g. laptop wireless setup)
  • Date and time access should end

The individual should come to the Help Desk during operating hours (see below) to activate their account and complete wireless setup if necessary. Please instruct them to arrive at least 30 minutes before their appointments elsewhere on campus.

Support is provided for these accounts during the hours that the Help Desk is open, for example:

  • Monday – Thursday, 9 a.m. to 7 p.m.; Friday, 9 a.m. to 5 p.m. (Fall and Spring semesters)
  • Monday – Friday, 9 a.m. to 5 p.m. (Summer hours)

If support is required outside of these hours, OIS can arrange for coverage with advance notice at a standard rate (currently $40 per hour per technician).

Please Note: Support for visitors and guests is limited to account creation, wireless configuration, and network troubleshooting. Assistance is not provided for operating system updates that are prerequisites of wireless configuration.

PROCEDURE FOR RECOVERING COLLEGE ASSETS WHEN AN EMPLOYEE LEAVES

The following procedures are to be followed when an employee resigns, is terminated, changes departments, or retires. Supervisors should set aside time to work with the employee to recover the following items before the employee leaves the college.

Please note that employee access is disabled at the date and time specified by Human Resources, and the Office of Information Systems will delete all electronic assets belonging to the employee – such as H: drive, voicemail, and email – one week after the effective date. The computer's hard drive will also be wiped of any data at this time.

If the employee is considered a primary contact for any outside vendors or agencies, supervisors should work with the Help Desk to make arrangements to avoid missing future notifications from those contacts.

College Asset / Action items

H: drive

Supervisors should work with the employee to review the contents of the employee's H: drive and determine what needs to be retained according to the College's Document Retention policy. These items should be moved to a departmental share and the remainder should be deleted.

Shared Folders / Departmental shares

Access to shared folders is disabled when an employee leaves. Prior to the employee leaving, supervisors should work with the employee to make sure that any college-related data is moved from personal storage, H: drive and email to departmental shares.

Email – including contacts and calendar sharing

Direct access by supervisors to their employee's mailbox is not permitted. Exceptions to this policy are only allowed with VP approval. Supervisors should encourage the employee to clean their mailbox and save to departmental shares any items relevant to the functioning of the department. If applicable, supervisors should contact the Help Desk for assistance regarding preserving contact lists and calendar sharing.

Phone and Voicemail

Supervisors must make arrangements with the Help Desk to discuss the best procedure for handling incoming calls to the employee's extension.

Computer – Laptops, Desktops, Tablets (e.g. iPad), Printers

Supervisors should encourage the employee to remove any personal information from college-owned equipment. They should work with the employee to review the contents of the employee's hard drive and determine what needs to be retained according to the College's Document Retention policy. These items should be moved to a departmental share and the remainder should be deleted. The employee must return all college-owned computers and peripherals to their supervisor. The supervisor must notify the Help Desk of the returns.

Cell Phones

The employee must return any college-owned cell phones to their supervisor. The supervisor will bring the items to the Help Desk for wiping and provisioning.