- Misuse definition expanded to include circumventing security measures and systems not meeting minimum security standards for data classification. Network access will require minimum security.
- While university information systems are not routinely monitored for content, the university retains the right to review files, emails, and data for compliance with policy and its business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy, and consent to university review.
- University email is required for University business. No automated forwarding of University email to a non-University email account.
- A university-provided email will be required.
- This is a change for UNL to align with the practices already in place at UNK, UNMC, UNO and the Office of the President.
- Updated language/terms from “web pages” to “website, apps and digital content”.
- Use of university systems is required for university business.
- Security training is mandatory annually.
- All endpoints and systems must implement access controls, participate in vulnerability and patch management, and enroll in Endpoint Management.
- Distributed IT will utilize tools provided by ITS to support their organizations.
- New data protection requirements for removable media (external flash drives/hard drives).
- A new IT policy and standard exception process has been created.
Will ITS be looking at/monitoring what is going on in my computer?
- The university’s information systems are not monitored for general content. The university is dedicated to maintaining the same academic spirit of free and open thought, idea, and expression on its digital networks as it does on its physical campuses and classrooms.
- The university retains the right to review computer processes, files, emails, and data for compliance with federal and state laws, university policies and standards, security and business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy and consent to university review.
How can I be sure IT professionals maintain confidentiality when working on my device or system?
What happens to me if I am not in compliance with parts of this policy?
How do these changes impact students?
- Students need to understand the definitions of misuse in the document.
- Students need to be aware of contacting instructors only at university email accounts.
- Anyone doing research that needs to access high-risk data must do so on a university-provided endpoint that meets the minimum-security controls.
Can I use a personal device to access university services and data?
If I use my personal device to access university systems, will my personal device be managed by ITS?
No, your personal device will not be managed. Additionally, you can use your personal device to access publicly accessible university information systems that contain medium risk data, including but not limited to: Firefly; MyBlue, MyRed, MyNCTA and MavLink; Learning Management System (Canvas); eSignature System; and Two-Factor Authentication (Duo).
I'm an adjunct/part-time faculty member, can I use a non-University device to access Canvas and teach my course?
As a faculty member, can I download and store my course information from the Canvas learning management system on a personal device?
Yes, you can download and store course materials from the Canvas learning management system on your personal device, excluding non-directory and/or FERPA protected student data. Non-directory (page 181) and/or FERPA protected student data is classified as medium and/or high risk institutional data and is not to be stored on personal devices, per Executive Memorandum 42.
What is considered BYOD?
What can I do to protect myself while using BYOD?
How does this impact me if I want to access my records or information stored on university information systems with my personal computer (BYOD)?
- If you are accessing university systems to retrieve your records or information, such as your pay stub, W-2, grades, class assignments, etc., you are not required to implement the minimum-security controls on your personal device. It is still highly recommended to have your endpoint up to date and running the university-provided Antivirus.
- If you access other people's data you must comply with ALL appropriate policies and minimum-security controls outlined in EM16.
If I use a personal cell phone to access my University email account, does that mean it automatically is in scope for FOIA requests?
If data on my personal device is in scope for a subpoena or a FOIA, how is that data collected?
If I install Cortex on my personal device, can the university monitor the device?
What is an "endpoint"?
Will my university-owned desktop and/or laptop need to be enrolled in endpoint management?
Will I have any control over when my endpoint is updated/patched?
- Yes. Managed endpoints will provide users with an opportunity to defer regular patches/updates for a period of time so that the update process can occur at a convenient time. Once the maximum deferrals have been reached, patches will be automatically installed. Details on the patch process will be made available.
- Some patches/updates deemed immediately necessary due to the risk level could be made with minimal notification by our Information Security team.
- Campus links to the patch process:
Are servers included in the definition of "endpoints"?
Can I store university data on my university-owned endpoint?
Can I use a personal cell phone to access university email?
What do I do if a student or colleague emails me about university business from a non-NU email address?
Can I use my university-provided email for personal use?
Are business-related emails that get sent to my personal account subject to public record requests?
Do adjunct instructors have to use a university email account?
Will I need to be granted an exception to continue forwarding my emails and using non-Office 365 products?
Is business-related content in my personal email account subject to FOIA requests?
How is collaborative work/research between different universities handled when the work/research is conducted at Nebraska but stored on the other university's infrastructure?
We have purchased Software as a Service (SaaS); does that have to be moved to university information systems?
We are using Infrastructure as a Service (IaaS) and/or Platform as a Service (PaaS) environments, how are we impacted?
Can we use service accounts with the new policy?
How do I get multiple people access to a piece of software that is on one computer?
- The licensing details should be reviewed to ensure this is an acceptable use of the software. If it is licensed on a per user basis, licenses will need to be procured for each user of the software.
- Otherwise, users should log into the shared computer with their individual university credentials.
Will access to non-university managed services, such as Dropbox, be blocked from being accessible on the university network?
If my lab and research program relies on non-Microsoft products, will access to them be blocked? Will I be able to use non-Office 365 products from my work computer?
Under what conditions will a faculty member's files, email and data be reviewed?
Under what circumstances may employee data be reviewed?
There has never been an “expectation of privacy” in data stored on University devices. All emails and documents are subject to public records – as they always have been. This is per state law and not University policy. Faculty data is only inspected if there is a proper public record request, a law enforcement subpoena, or a legitimate University interest in the search.
Unless there is a suspicion of misuse or malfeasance, faculty/employees are generally provided notice prior to a search.
Under what conditions will the University inspect an employee's personally owned device? What is an "incident" in this context?
For most employees, there is no requirement to use a personal device. For those employees who do choose to conduct University business on a personally owned device, this policy now clarifies that those devices may be subject to inspection, per Section 7d of EM16.
The policy does not apply to data that is only stored in cloud-based platforms such as MyRed or Canvas. It would be applicable to data that is downloaded from those platforms and then stored locally on the device. Access alone is not enough to trigger this portion of the policy.
“Incident” in this context is a security incident where there is a data breach or a threatened data breach or another violation of law or University policy.
Why would the University be required to search my personal device when they can get the same data from University systems? (e.g. email)
If an employee chooses to do University business on a personal device, it is possible that device contains University data that does not exist elsewhere and the University can only access and confirm the storage of information on that device by looking at the actual device. These searches would be because of a public record request, litigation holds, subpoena, or another request where the responsive information may be locally stored on a personal device. The University must comply with state and federal law regardless of where or how information is stored. Most employees can avoid this problem by only conducting University business on University-provided devices.
This policy is not creating any new steps – it is making clear that the University must follow the law and how it would comply with those laws.
ITS-19 4.2.2 states that in response to legal requests such as warrants or open records requests, University users must produce records, data, or "the devices upon which they are stored" upon request of the University. When is this standard applicable?