- Misuse definition expanded to include circumventing security measures and systems not meeting minimum security standards for data classification. Network access will require minimum security.
- While university information systems are not routinely monitored for content, the university retains the right to review files, emails, and data for compliance with policy and its business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy, and consent to university review.
- University email is required for University business. No automated forwarding of University email to a non-University email account.
- A university-provided email will be required.
- This is a change for UNL to align with the practices already in place at UNK, UNMC, UNO and the Office of the President.
- A university-provided email will be required.
- Updated language/terms for “web pages” to “website, apps and digital content”
- Use of university systems is required for university business.
- Security training is mandatory annually.
- All endpoints and systems must implement access controls, participate in vulnerability and patch management, and enroll in Endpoint Management.
- Distributed IT will utilize tools provided by ITS to support their organizations.
- New data protection requirements for removable media (external flash drives/hard drives).
- A new IT policy and standard exception process has been created.
Will ITS be looking at /monitoring what is going on in my computer?
- The university’s information systems are not monitored for general content. The university is dedicated to maintaining the same academic spirit of free and open thought, idea, and expression on its digital networks as it does on its physical campuses and classrooms.
- The university retains the right to review computer processes, files, emails, and data for compliance with federal and state laws, university policies and standards, security and business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy and consent to university review.
What happens to me if I am not in compliance with parts of this policy?
This policy applies to all administrative units of the university. The University of Nebraska System and each university campus is encouraged to provide supplemental policy guidance, consistent with this policy, designed to implement the provisions herein. Failure to comply with university IT policies may result in sanctions related to the individual’s use of IT resources or other appropriate sanctions via university personnel and student policies up to and including expulsion for students and termination of employment for employees.
How do these changes impact students?
- Students need to understand the definitions of misuse in the document.
- Students need to be aware of contacting instructors only at university email accounts.
- Anyone doing research that needs to access high-risk data must do so on a university-provided endpoint that meets the minimum-security controls.
- Students will be required to take security awareness training annually.
Can I use a personal computer to access university services and data?
- Low-risk University services and data can be accessed from a personally owned endpoint. Medium-risk university services and data can be accessed from personally owned endpoint if the device meets the minimum security requirements for BYOD. Accessing high-risk services and data requires specific authorization through the exception process.
- Canvas may be accessed from any endpoint for regular academic and business use such as creating or editing classes and submitting grades.
- Conducting research activities on BYOD will vary based on the risk classification of the data. Additionally, there may be specific requirements or regulations associated with the research data as determined by a grant or other funding source.
- Most administrative activities at the university require access to medium or high-risk IT systems and data such as financial information in SAP, advising and recruitment of students, and other business operations. Whenever possible, university staff should leverage their managed university endpoint to conduct university business.
Is business-related content on my personal device subject to FOIA requests?
Yes, university business related emails that are sent to or from the personal email account of a u employee are subject to disclosure pursuant to the Nebraska Public Records Act.
If data on my personal device is in scope for a subpoena or a FOIA, how is that data collected?
Depending on the extent of the subpoena/FOIA the data would be provided by the individual who owns the device or the device owner could be required to provide the device to a 3rd party for a forensic image to be created.
What is considered BYOD?
BYOD (Bring Your Own Device) will include any device, desktops/laptops/tablets/cell phones, purchased by a faculty/staff/student with personal funds. Grant funds are university funds, and items purchased with grant funds will be treated as uowned endpoints.
What can I do to protect myself while using BYOD?
Minimum security requirements Supported and patched OS, Cortex XDR, Disk Encryption, and a Local Firewall.
How does this impact me if I want to access my records or information stored on university information systems with my personal computer (BYOD)?
- If you are accessing university systems to retrieve your records or information, such as your pay stub, W-2, grades, class assignments, etc, you are not required to implement the minimum-security controls on your personal device. It is still highly recommended to have your endpoint up to date and running the university-provided Antivirus.
- If you access other people's data you must comply with ALL appropriate policies and minimum-security controls outlined in EM16.
What is an "endpoint"?
An endpoint is a computing device used directly by a user. For example: desktops, laptops, tablets, mobile devices.
Will my university-owned desktop, laptop, or mobile endpoint need to be enrolled in management?
Yes. university desktops, laptops, and mobile devices (endpoints) will need to be enrolled in the appropriate management system to receive essential configurations and regular security patches. All university endpoints and systems must implement access controls, including passwords and biometric security.
Will I have any control over when my endpoint is updated/patched?
- Yes. Managed endpoints will provide users with an opportunity to defer regular patches/updates for a period of time so that the update process can occur at a convenient time. Once the maximum deferrals have been reached, patches will be automatically installed. Details on the patch process will be made available.
- Some patches/updates deemed immediately necessary due to the risk level could be made within minimal notification by our Information Security team.
- Link to the patch process: https://services.unl.edu/service/device-security-patch-management
Are servers included in the definition of "endpoints"?
No, servers are included in the definition of “systems”. Applicable systems, such as servers, must also enroll in the appropriate endpoint management system to receive essential security configurations and routinely patch software to address identified vulnerabilities.
Can I store university data on my university-owned endpoint?
Yes, any university-owned endpoint meeting the minimum security controls may store university data. Best practice would be to only store the relevant data needed to complete your job responsibilities. Data should be maintained in the system of record and should not be duplicated or replicated in other information systems.
Can I use a personal cell phone to access university email?
Yes, unless using the .gov tenant.
What do I do if a student or colleague emails me about university business from a non-NU email address?
Respond to the message using the student or colleague’s university email address. If the sender’s university email address is unknown, it is acceptable to respond to the original email and ask the sender to provide their university email address.
Can I use my university-provided email for personal use?
Limited personal use of university information systems, including email, is acceptable if it is not used for personal financial gain, or not being used to represent oneself as a “university agent” to an outside entity. It is strongly recommended to use a personal email address for personal use.
Are business-related emails that get sent to my personal account subject to public record requests?
Yes, university-business-related emails that are sent to or from the personal email account of a university employee are subject to disclosure pursuant to the Nebraska Public Records Act.
Do adjunct instructors have to use a university email account?
Yes, all university employees will be required to use university email accounts for u business.
How is collaborative work/research between different universities handled when the work/research is conducted at Nebraska but stored on the other university's infrastructure?
Data for research sponsored/hosted by the University of Nebraska should be stored within approved University of Nebraska information systems. Collaborative research sponsored/hosted by another institution can be stored within said organizations approved information systems.
We have purchased Software as a Service (Saas), does that have to be moved to university information systems?
No, SaaS by design runs on the provider’s infrastructure, or infrastructure that they hold the contracts for. If this SaaS solution passed the software procurement review process, you should not need to do anything else. However, if it has not been through or failed that review, it will need to be evaluated on your next renewal.
We are using Infrastructure as a Service (IaaS) and/or Platform as a Service (PaaS) environments, how are we impacted?
NU-ITS contracts for IaaS and PaaS information systems on behalf of the university to ensure that security, compliance, and performance requirements are met, and our scale can be leveraged to provide the best pricing. Current offerings include Amazon Web Services (AWS), Microsoft Azure, and on-premises private cloud. Any IaaS or PaaS agreements will need to be reviewed and migrated into NU-ITS information systems.
Can we use Service Accounts with the new policy?
Service accounts are acceptable for use on servers, to run a specific service. But are not to be used as a general user login. Service accounts should also be unique to the service and follow applicable standards and best procedures. Service accounts are NOT shared accounts and should not be used as such.
How do I get multiple people access to a piece of software that is on one computer?
- The licensing details should be reviewed to ensure this is an acceptable use of the software. If it is licensed on a per user basis, licenses will need to be procured for each user of the software.
- Otherwise, users should log into the shared computer with their individual university credentials.