FAQs

• Misuse definition expanded to include circumventing security measures and systems not meeting minimum security standards for data classification. Network access will require minimum security.
• While university information systems are not routinely monitored for content, the university retains the right to review files, emails, and data for compliance with policy and its business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy, and consent to university review.
• University email is required for University business. No automated forwarding of University email to a non-University email account.
  • A university-provided email will be required.
    
    • This is a change for UNL to align with the practices already in place at UNK, UNMC, UNO and the Office of the President.
• Updated language/terms for “web pages” to “website, apps and digital content”
• Use of university systems is required for university business.
• Security training is mandatory annually.
• All endpoints and systems must implement access controls, participate in vulnerability and patch management, and enroll in Endpoint Management.
  • Distributed IT will utilize tools provided by ITS to support their organizations.
• New data protection requirements for removable media (external flash drives/hard drives).
• A new IT policy and standard exception process has been created.

• The university’s information systems are not monitored for general content. The university is dedicated to maintaining the same academic spirit of free and open thought, idea, and expression on its digital networks as it does on its physical campuses and classrooms.
• The university retains the right to review computer processes, files, emails, and data for compliance with federal and state laws, university policies and standards, security and business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy and consent to university review.

NU ITS employees sign a Non-Disclosure/Confidentiality Agreement annually, ensuring the confidentiality of university and personal data when it is encountered in the course of any work performed by NU ITS. These agreements cover information systems and data used for research. NU ITS employees are trained to recognize confidential information and handle it appropriately, and are required to complete additional training (e.g., HIPAA and FERPA). NU ITS partners closely with the research governance organizations at each campus, which endorse collaboration with ITS to appropriately secure information systems and data required by research. In situations where additional regulatory requirements or compliance are necessary, such as ITAR research, specified NU ITS personnel have been vetted and approved for work in these projects.

This policy applies to all administrative units of the university. The University of Nebraska System and each university campus is encouraged to provide supplemental policy guidance, consistent with this policy, designed to implement the provisions herein. Failure to comply with university IT policies may result in sanctions related to the individual’s use of IT resources or other appropriate sanctions via university personnel and student policies up to and including expulsion for students and termination of employment for employees.

• Students need to understand the definitions of misuse in the document.
• Students need to be aware of contacting instructors only at university email accounts.
• Anyone doing research that needs to access high-risk data must do so on a university-provided endpoint that meets the minimum-security controls.

Yes, the requirements from Executive Memorandum 16 do not limit what devices you can use to access publicly accessible University systems. It only comes into scope if you are locally storing medium or high risk classified University data on a non-University device. If you need to store medium or high-risk University data, you should store it in your University-provided OneDrive.

No, your personal device will not be managed. Additionally, you can use your personal device to access publicly accessible university information systems that contain medium risk data, including but not limited to: Firefly; MyBlue, MyRed, MyNCTA and MavLink; Learning Management System (Canvas); eSignature System; and Two-Factor Authentication (Duo).

Yes, the requirements from Executive Memorandum 16 do not limit what devices you can use to access and use Canvas. It only comes into scope if you are locally storing medium or high risk classified University data on a non-University device. If you need to store medium or high-risk University data, you should store it in your University-provided OneDrive.

Yes, you can download and store course materials from the Canvas learning management system on your personal device, excluding non-directory and/or FERPA protected student data.  Non-directory (page 181) and/or FERPA protected student data is classified as medium and/or high risk institutional data and is not to be stored on personal devices, per Executive Memorandum 42. 

BYOD (Bring Your Own Device) will include any device, desktops/laptops/tablets/cell phones, purchased by a faculty/staff/student with personal funds. Grant funds are university funds, and items purchased with grant funds will be treated as university-owned endpoints.

Minimum security requirements include: Supported and patched OS, Cortex XDR, Disk Encryption, and a Local Firewall.

• If you are accessing university systems to retrieve your records or information, such as your pay stub, W-2, grades, class assignments, etc, you are not required to implement the minimum-security controls on your personal device. It is still highly recommended to have your endpoint up to date and running the university-provided Antivirus.
• If you access other people's data you must comply with ALL appropriate policies and minimum-security controls outlined in EM16.

No. While you may access University email from your personal cell phone, data is stored in the Microsoft Office 365 cloud. A personal device is only in scope if it stores medium or high-risk University data.

Depending on the extent of the subpoena/FOIA the data would be provided by the individual who owns the device or the device owner could be required to provide the device to a third party for a forensic image to be created.

The personal version of Cortex, also known as "Cortex Prevent" by Palo Alto Networks, provides devices with basic malware prevention services and helps maintain a cyber-secure ecosystem at the university. Cortex Prevent does not include the advanced forensics or remediation functionality that is included on university-owned devices. A Cortex administrator can NOT initiate remote terminal sessions or view any files on a Cortex Prevent client. Cortex administrators can see basic metadata for personal devices, such as the device name, OS version, active user name, MAC address, and IP address.

A University-owned endpoint is a computing device used directly by a user. Examples include but are not limited to: desktops, laptops, and tablets.

Yes. university desktops and laptops will need to be enrolled in the appropriate management system to receive essential configurations and regular security patches. All university endpoints and systems must implement access controls, including passwords and/or biometric security.

• Yes. Managed endpoints will provide users with an opportunity to defer regular patches/updates for a period of time so that the update process can occur at a convenient time. Once the maximum deferrals have been reached, patches will be automatically installed. Details on the patch process will be made available. 
• Some patches/updates deemed immediately necessary due to the risk level could be made within minimal notification by our Information Security team. 
• Campus links to the patch process:
  • Kearney: https://services.unk.edu/service/device-security-patch-management
  • Lincoln: https://services.unl.edu/service/device-security-patch-management
  • Omaha: https://services.unomaha.edu/service/device-security-patch-management 

 

No, servers are included in the definition of “systems”.  Applicable systems, such as servers, must also enroll in the appropriate endpoint management system to receive essential security configurations and routinely patch software to address identified vulnerabilities.

Yes, any university-owned endpoint meeting the minimum security controls may store university data. Best practice would be to only store the relevant data needed to complete your job responsibilities. Data should be maintained in the system of record and should not be duplicated or replicated in other information systems.

Yes, unless using the .gov tenant. 

Respond to the message using the student or colleague’s university email address. If the sender’s university email address is unknown, it is acceptable to respond to the original email and ask the sender to provide their university email address.

Limited personal use of university information systems, including email, is acceptable if it is not used for personal financial gain, or not being used to represent oneself as a “university agent” to an outside entity. It is strongly recommended to use a personal email address for personal use.

Yes, university-business-related emails that are sent to or from the personal email account of a university employee are subject to disclosure pursuant to the Nebraska Public Records Act.

Yes, all university employees will be required to use university email accounts for university business. 

Email will not be allowed to be automatically forwarded to other services. You are able to use non-Microsoft email clients to access your mail, e.g. Apple Mail. Note: Non-Microsoft services will need to support modern authentication to work with Microsoft 365.

Yes, university business related emails that are sent to or from the personal email account of a university employee are subject to disclosure pursuant to the Nebraska Public Records Act.

Data for research sponsored/hosted by the University of Nebraska should be stored within approved University of Nebraska information systems. Collaborative research sponsored/hosted by another institution can be stored within said organizations approved information systems. 

No, SaaS by design runs on the provider’s infrastructure, or infrastructure that they hold the contracts for. If this SaaS solution passed the software procurement review process, you should not need to do anything else. However, if it has not been through or failed that review, it will need to be evaluated on your next renewal.

NU-ITS contracts for IaaS and PaaS information systems on behalf of the university to ensure that security, compliance, and performance requirements are met, and our scale can be leveraged to provide the best pricing. Current offerings include Amazon Web Services (AWS), Microsoft Azure, and on-premises private cloud. Any IaaS or PaaS agreements will need to be reviewed and migrated into NU-ITS information systems.

Service accounts are acceptable for use on servers, to run a specific service. But are not to be used as a general user login. Service accounts should also be unique to the service and follow applicable standards and best procedures. Service accounts are NOT shared accounts and should not be used as such.

• The licensing details should be reviewed to ensure this is an acceptable use of the software. If it is licensed on a per user basis, licenses will need to be procured for each user of the software.

• Otherwise, users should log into the shared computer with their individual university credentials.

In the spirit of running an open network and academic freedom, only services that are deemed as malicious or a threat to the university will be blocked from being accessible on the university network.

The use of non-university managed services for university business will need to be reviewed on a case-by-case basis to ensure that university data is properly protected. The Exception Committee will review these cases as they are submitted and will provide recommendations to the department chair, college dean and campus CIO.

The three most common examples are: 1) ongoing litigation; 2) public record requests; or 3) suspected misuse

Confidentiality of faculty and staff information is governed by RP 6.7

There has never been an “expectation of privacy” in data stored on University devices. All emails and documents are subject to public records – as they always have been. This is per state law and not University policy. Faculty data is only inspected if there is a proper public record request, a law enforcement subpoena, or a legitimate University interest in the search.

Unless there is a suspicion of misuse or malfeasance, faculty/employees are generally provided notice prior to a search.

For most employees, there is no requirement to use a personal device. For those employees who do choose to conduct University business on a personally owned device, this policy now clarifies that those devices may be subject to inspection, per Section 7d of EM16.

The policy does not apply to data that is only stored in cloud-based platforms such as MyRed or Canvas. It would be applicable to data that is downloaded from those platforms and then stored locally on the device. Access alone is not enough to trigger this portion of the policy.

“Incident” in this context is a security incident where there is a data breach or a threatened data breach or another violation of law or University policy.

If an employee chooses to do University business on a personal device, it is possible that device contains University data that does not exist elsewhere and the University can only access and confirm the storage of information on that device by looking at the actual device. These searches would be because of a public record request, litigation holds, subpoena, or another request where the responsive information may be locally stored on a personal device. The University must comply with state and federal law regardless of where or how information is stored. Most employees can avoid this problem by only conducting University business on University-provided devices.

This policy is not creating any new steps – it is making clear that the University must follow the law and how it would comply with those laws.

This is only applicable if users are using personal devices to conduct University business rather than using University-provided devices. It will come into play if University data is being stored locally on those devices for any amount of time. The University is required to comply with state and local laws and it could be the case that a personal device must be searched in compliance with those laws. Only responsive records would be retained or produced after those searches. This policy does not change or broaden the University’s requirements under law, it clarifies those laws and obligations to University employees.