FAQs

• Misuse definition expanded to include circumventing security measures and systems not meeting minimum security standards for data classification. Network access will require minimum security.
• While university information systems are not routinely monitored for content, the university retains the right to review files, emails, and data for compliance with policy and its business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy, and consent to university review.
• University email is required for University business. No automated forwarding of University email to a non-University email account.
  • A university-provided email will be required.
    
    • This is a change for UNL to align with the practices already in place at UNK, UNMC, UNO and the Office of the President.
• Updated language/terms for “web pages” to “website, apps and digital content”
• Use of university systems is required for university business.
• Security training is mandatory annually.
• All endpoints and systems must implement access controls, participate in vulnerability and patch management, and enroll in Endpoint Management.
  • Distributed IT will utilize tools provided by ITS to support their organizations.
• New data protection requirements for removable media (external flash drives/hard drives).
• A new IT policy and standard exception process has been created.

• The university’s information systems are not monitored for general content. The university is dedicated to maintaining the same academic spirit of free and open thought, idea, and expression on its digital networks as it does on its physical campuses and classrooms.
• The university retains the right to review computer processes, files, emails, and data for compliance with federal and state laws, university policies and standards, security and business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy and consent to university review.

This policy applies to all administrative units of the university. The University of Nebraska System and each university campus is encouraged to provide supplemental policy guidance, consistent with this policy, designed to implement the provisions herein. Failure to comply with university IT policies may result in sanctions related to the individual’s use of IT resources or other appropriate sanctions via university personnel and student policies up to and including expulsion for students and termination of employment for employees.

• Students need to understand the definitions of misuse in the document.
• Students need to be aware of contacting instructors only at university email accounts.
• Anyone doing research that needs to access high-risk data must do so on a university-provided endpoint that meets the minimum-security controls.
• Students will be required to take security awareness training annually.

• Low-risk University services and data can be accessed from a personally owned endpoint. Medium-risk university services and data can be accessed from personally owned endpoint if the device meets the minimum security requirements for BYOD. Accessing high-risk services and data requires specific authorization through the exception process.

• Examples:

• Canvas may be accessed from any endpoint for regular academic and business use such as creating or editing classes and submitting grades.

• Conducting research activities on BYOD will vary based on the risk classification of the data. Additionally, there may be specific requirements or regulations associated with the research data as determined by a grant or other funding source.

• Most administrative activities at the university require access to medium or high-risk IT systems and data such as financial information in SAP, advising and recruitment of students, and other business operations. Whenever possible, university staff should leverage their managed university endpoint to conduct university business.

Yes, university business related emails that are sent to or from the personal email account of a university employee are subject to disclosure pursuant to the Nebraska Public Records Act.

Depending on the extent of the subpoena/FOIA the data would be provided by the individual who owns the device or the device owner could be required to provide the device to a 3rd party for a forensic image to be created.

BYOD (Bring Your Own Device) will include any device, desktops/laptops/tablets/cell phones, purchased by a faculty/staff/student with personal funds. Grant funds are university funds, and items purchased with grant funds will be treated as university-owned endpoints.

Minimum security requirements include: Supported and patched OS, Cortex XDR, Disk Encryption, and a Local Firewall.

• If you are accessing university systems to retrieve your records or information, such as your pay stub, W-2, grades, class assignments, etc, you are not required to implement the minimum-security controls on your personal device. It is still highly recommended to have your endpoint up to date and running the university-provided Antivirus.
• If you access other people's data you must comply with ALL appropriate policies and minimum-security controls outlined in EM16.

An endpoint is a computing device used directly by a user. For example: desktops, laptops, tablets, mobile devices.

Yes. university desktops, laptops, and mobile devices (endpoints) will need to be enrolled in the appropriate management system to receive essential configurations and regular security patches. All university endpoints and systems must implement access controls, including passwords and biometric security.

• Yes. Managed endpoints will provide users with an opportunity to defer regular patches/updates for a period of time so that the update process can occur at a convenient time. Once the maximum deferrals have been reached, patches will be automatically installed. Details on the patch process will be made available. 
• Some patches/updates deemed immediately necessary due to the risk level could be made within minimal notification by our Information Security team. 
• Link to the patch process: https://services.unl.edu/service/device-security-patch-management

No, servers are included in the definition of “systems”.  Applicable systems, such as servers, must also enroll in the appropriate endpoint management system to receive essential security configurations and routinely patch software to address identified vulnerabilities.

Yes, any university-owned endpoint meeting the minimum security controls may store university data. Best practice would be to only store the relevant data needed to complete your job responsibilities. Data should be maintained in the system of record and should not be duplicated or replicated in other information systems.

Yes, unless using the .gov tenant. 

Respond to the message using the student or colleague’s university email address. If the sender’s university email address is unknown, it is acceptable to respond to the original email and ask the sender to provide their university email address.

Limited personal use of university information systems, including email, is acceptable if it is not used for personal financial gain, or not being used to represent oneself as a “university agent” to an outside entity. It is strongly recommended to use a personal email address for personal use.

Yes, university-business-related emails that are sent to or from the personal email account of a university employee are subject to disclosure pursuant to the Nebraska Public Records Act.

Yes, all university employees will be required to use university email accounts for university business. 

Data for research sponsored/hosted by the University of Nebraska should be stored within approved University of Nebraska information systems. Collaborative research sponsored/hosted by another institution can be stored within said organizations approved information systems. 

No, SaaS by design runs on the provider’s infrastructure, or infrastructure that they hold the contracts for. If this SaaS solution passed the software procurement review process, you should not need to do anything else. However, if it has not been through or failed that review, it will need to be evaluated on your next renewal.

NU-ITS contracts for IaaS and PaaS information systems on behalf of the university to ensure that security, compliance, and performance requirements are met, and our scale can be leveraged to provide the best pricing. Current offerings include Amazon Web Services (AWS), Microsoft Azure, and on-premises private cloud. Any IaaS or PaaS agreements will need to be reviewed and migrated into NU-ITS information systems.

Service accounts are acceptable for use on servers, to run a specific service. But are not to be used as a general user login. Service accounts should also be unique to the service and follow applicable standards and best procedures. Service accounts are NOT shared accounts and should not be used as such.

• The licensing details should be reviewed to ensure this is an acceptable use of the software. If it is licensed on a per user basis, licenses will need to be procured for each user of the software.

• Otherwise, users should log into the shared computer with their individual university credentials.