Office of the Vice Provost and Chief Information Officer

Information and Communication Technology (ICT) Accessibility Policy

Title: Information and Communication Technology (ICT) Accessibility Policy
Policy Owner: Information Technology Services
Applies to: Faculty, Staff, Students
Campus Applicability: Storrs and Regional Campuses
Effective Date: July 24, 2019
For More Information, Contact Information Technology Services-IT Accessibility Coordinator
Contact Information: itaccessibility@uconn.edu; (860) 486-9193
Official Website: accessibility.its.uconn.edu

Background and Reason for the Policy: The University of Connecticut is committed to accessibility of its digital information, communication, content, and technology for people with disabilities, in accordance with federal and state laws including the Americans with Disabilities Act, Section 504 of the Rehabilitation Act of 1973, and the State of Connecticut’s Universal Website Accessibility Policy for State Websites.

Policy Purpose: The purpose of this policy is to set expectations that digital information, communication, content, and technology be designed, developed, and procured to be accessible to people with disabilities.

Policy Applicability: This policy extends to the procurement, development, implementation, and ongoing maintenance of the University’s information and communication technologies at Storrs and Regional Campuses.

Policy Statement: The University of Connecticut is committed to achieving equal opportunity to its educational and administrative services, programs, and activities in accordance with federal and state law. Providing an accessible information, communication, content, and technology experience for people with disabilities is the responsibility of all University administrators, faculty, staff, students and those who maintain externally facing University websites.

Procedures: See Procedures (https://accessibility.its.uconn.edu/ict-policy-procedures/). Any issues or questions should be addressed to ITAccessibility@uconn.edu.

Exceptions: Requests for exceptions to this policy must be submitted to the IT Accessibility Coordinator. Individuals requesting an exception must submit a plan that would provide equally effective alternative access, unless such an alternative is not possible due to technological constraints or the intended purpose of the technology at issue (e.g., virtual reality goggles) does not allow for an alternative.

Policy History:

Adopted 07/24/2019 [Approved by the President’s Cabinet]

Information Security – Wireless Network Policy [#2014-08]

A. EFFECTIVE DATE: July 9, 2018
B. POLICY SPONSOR: Vice President & Chief Information Officer
C. PURPOSE: To ensure wireless network security and integrity, to protect the integrity of connected computing systems, and to minimize interference between wireless networks and other electronic resources deployed throughout UConn Health.
D. POLICY:

1. UConn Health reserves the right to restrict the use of any and all wireless devices in UConn Health buildings and all outdoor spaces on UConn Health property, whether leased or owned.

2.      UConn Health Information Technology (IT) must be consulted for coordination of engineering, installation, maintenance, and operation of wireless networks serving, or on any property owned or leased by, UConn Health.

3.      Any independently installed wireless communications equipment, which has not been approved by UConn Health IT, is prohibited, subject to removal from service without notice, and may be confiscated.

4.      All wireless network devices, including wireless access points/routers, building monitoring systems, classroom presentation/response systems, security systems, retail systems, and wireless research endeavors must be secured, in accordance with the Wireless Network Device Secure Configuration Standards.

5.      All wireless access points that connect clients to the internal network shall require users to provide unique authentication.

6.      Wireless access point device owners are responsible for updating software, hardware and firmware of devices to address security vulnerabilities.

7.      The use of wireless networks at UConn Health shall be subject to all other policies and guidelines, as may be applicable.

E. SCOPE: This policy applies to all UConn Health Workforce, Business Associates, Non-Workforce, and all other individuals granted access to UConn Health electronic resources. The policy applies to all computing and networking equipment owned, leased, operated, or contracted by UConn Health.
F. PROCEDURES, GUIDELINES AND PROTOCOLS: Wireless Network Device Secure Configuration Standards (Restricted Access; contact the Information Security Office)
G. REFERENCES: None
H. RELATED POLICIES: None
I. SEARCH WORDS: Wireless, Network
J. ENFORCEMENT: Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, the University of Connecticut Student Code, other applicable University Policies, or as outlined in the procedures document related to this policy.
K. APPROVED: By: Scott Jordan, Executive VP for Administration and CFO

Date:  12/05/18


By:  Alan Calandro, Administrative Policy Committee Chair

Date:  12/05/18

L. REVISION HISTORY:

1. New Policy Approved: 11/18/2014

2.      Revised: 7/9/18

3.      Revised:  12/5/18


[ END OF POLICY ]

Information System Activity Review [Policy #2005-07]

A. EFFECTIVE DATE: July 9, 2018
B. POLICY SPONSOR: Vice President & Chief Information Officer
C. PURPOSE: To establish requirements for the creation of electronic log files required for reviewing system and user activity, in order to detect and respond to anomalous system activity and/or inappropriate access to, or use of, information systems or data, in accordance with regulatory requirements applicable to the clinical enterprise.
D. POLICY:

1. IT resources that store, access, or transmit confidential data shall electronically log activity into log files created for that purpose.

2.      Electronic log file generation, transmission, storage, analysis and disposal will be performed in accordance with UConn Health Audit and Logging Standards.

3.      Data Stewards, or their designees, are responsible for developing and implementing procedures for periodically examining information systems and log files for access control discrepancies, breaches and policy violations.

4.      System activity reviews shall be performed weekly. More frequent reviews may be required based on the system criticality and nature of data transmitted, maintained, processed or accessed on/from the electronic resource.

5.      Electronic log files will be retained in accordance with regulatory and statutory requirements.

E. SCOPE: This policy applies to all UConn Health Workforce, Business Associates, Non-Workforce and all other individuals granted access to UConn Health electronic resources. This policy also applies to all computing and network equipment and software owned, leased, operated or contracted by UConn Health.
F. PROCEDURES, GUIDELINES AND PROTOCOLS: Information System Audit Log Standards and Procedures (Restricted Access; contact the Information Security Office)
G. REFERENCES:

State of Connecticut HIPAA Security Policy

45 C.F.R. § 164.308(a)(1)(ii)(D)

State of Connecticut State Agencies’ Record Schedule S6

Information System Audit Log Standards and Procedures

H. RELATED POLICIES: UConn Health 2003-31 Data Classification and Use Policy
I. SEARCH WORDS: Audit, Logging, Activity Review
J. ENFORCEMENT: Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, the University of Connecticut Student Code, other applicable University Policies, or as outlined in the procedures document related to this policy.
K. APPROVED: By: Scott Jordan, Executive VP for Administration and CFO

Date:   12/05/18


By:  Alan Calandro, Administrative Policy Committee Chair

Date:  12/05/18

L. REVISION HISTORY:

1. New Policy Approved: 1/28/05

2.      Revised: 7/9/18

3.      Revised: 12/4/18

[ END OF POLICY ]

Secure Web Application Development, Information Technology

Title: Secure Web Application Development, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  Storrs and Regionals
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/

This policy is available in the Information Security Policy Manual.

Departments will ensure that development, test, and production environments are separated. Confidential Data must not be used in the development or test environments.

Production application code shall not be modified directly without following an emergency protocol that is developed by the department, approved by the Data Steward, and includes post-emergency testing procedures.

Web servers that host multiple sites may not contain Confidential Data.

All test data and accounts shall be removed prior to systems becoming active in production.

The use of industry-standard encryption for data in transit is required for applications that process, store, or transmit Confidential Data.

Authentication must always be done over encrypted connections. University enterprise Central Authentication Service (CAS), Shibboleth, or Active Directory services must perform authentication for all applications that process, store, or transmit Confidential or Protected Data.

Applications that process, store, or transmit Confidential Data or Regulated Data must submit system-generated web application and transaction logs to the ITS Information Security Office. For more information, please view UConn’s Logging Standard.

Departments implementing applications must retain records of security testing performed in accordance with this policy.

Policy Created: May 16, 2012

Business Continuity & Disaster Recovery, Information Technology

Title: Business Continuity & Disaster Recovery, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability: All University departments at all campuses except UConn Health
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/

This policy is available in the Information Security Policy Manual.

Each University department will maintain a current, written and tested Business Continuity Plan (BCP) that addresses the department’s response to unexpected events that disrupt normal business (for example, fire, vandalism, system failure, and natural disaster).

The BCP will be an action-based plan that addresses critical systems and data. Analysis of the criticality of systems, applications, and data will be documented in support of the BCP.

Emergency access procedures will be included in the BCP to address the retrieval of critical data during an emergency.

The BCP will include a Disaster Recovery (DR) Plan that addresses maintaining business processes and services in the event of a disaster and the eventual restoration of normal operations. The BCP and DR Plan will contain a documented process for annual review, testing, and revision. Annual testing of the BCP will include desk audits, and should also include tabletop testing, walkthroughs, live simulations, and data restoration procedures, where appropriate. The BCP will include measures necessary to protect Confidential Data during emergency operations.

Data Administrators are responsible for implementing procedures for critical data backup and recovery in support of the BCP. The data procedures will address the recovery point objective and recovery time objectives determined by the Data Steward and other stakeholders.

Policy Created: May 16, 2012

Incident Response, Information Technology

Title: Incident Response, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  All Campuses, Except UConn Health
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: http://security.uconn.edu/

This policy is available in the Information Security Policy Manual.

The Information Security Office (ISO) will establish, document, and distribute an Incident Response Plan to ensure timely and effective handling of security incidents involving information technology (IT) resources.

University employees with IT responsibilities are responsible for understanding and following the University’s Incident Response Plan.

Suspected and confirmed security incidents, their resolution steps, and their outcomes shall be documented by those directly involved. The ISO will ensure that incidents are appropriately logged and archived.

Procedures

All employees must immediately report lost or stolen technology resources to the University Police Department (860-486-4800), the Information Security Office (860-486-8255), and the University’s Office of the Controller (860-486-2937).

Policy Created: May 16, 2012

Security Awareness Training, Information Technology

Title: Security Awareness Training, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  Storrs and Regionals
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/


This policy is available in the Information Security Policy Manual.

The University Information Security Office (ISO) maintains an Information Security Awareness Training (ISAT) program that supports the University employees’ and students’ needs for regular training, supporting reference materials, and reminders to enable them to appropriately protect University information technology resources.

Data Stewards are responsible for ensuring that any user requesting access to Confidential Data has completed the ISAT program before allowing access to that data.

The ISO will provide periodic Information Security reminders and updates, posted on the University Information Security website and using email lists, where appropriate.

Users with access to Confidential Data that is protected under Federal Regulations (e.g., HIPAA, etc.) or by industry standards (e.g., PCI-DSS) must complete the ISAT program annually.

Departments shall maintain appropriate documentation of attendance/completion of the ISAT training where data security training is required by applicable regulatory or industry standards.

Policy Created: May 16, 2012

Risk Management, Information Technology

Title: Risk Management, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  Storrs and Regional Campuses
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/


This policy is available in the Information Security Policy Manual.

The Information Security Office (ISO) is responsible for developing a process for conducting Risk Assessments for the University’s information technology (IT) resources.

The results of the Risk Assessment will be used to determine security improvements resulting in reasonable and appropriate levels of risk acceptance and compliance for each system.

Results indicating an unacceptable level of risk shall be remediated as soon as possible, as determined by specific circumstances and the timelines decided collectively by the Chief Information Security Officer (CISO), Data Steward, and the Dean, Director or Department Head.

Results of all risk assessments shall be treated as Confidential Data and secured appropriately.

Procedures

Each department is responsible for ensuring that a Risk Assessment is performed biennially for each of the information technology resources in their respective areas. Risk Assessments will also be conducted when there is an environmental or operational change that may affect the security of Confidential Data.

Policy Created: May 16, 2012

Confidential Data, Information Technology

Title: Confidential Data, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  All University departments at all campuses, except UConn Health
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/

This policy is available in the Information Security Policy Manual.

The University prohibits unauthorized or anonymous electronic or physical access to information technology (IT) resources that store, transmit, or process any of the following:

  • University Confidential or Protected Data
  • Personally identifiable information (PII)
  • Protected health information (PHI) or electronic protected health information (ePHI)
  • Credit Card data
  • Any other regulated data.

Storage

Confidential Data storage will be limited to the minimum amount, and for the minimum time, required to perform the business function, or as required by law and/or State of Connecticut Data Retention requirements.

University IT resources that are used for storage of Confidential Data shall be clearly marked to indicate they are the property of the University of Connecticut. Servers that store Confidential or Protected Data shall not be used to host other applications or services.

The University prohibits the storage of encrypted or unencrypted Credit Card data in physical or electronic form. Confidential Data may not be stored on personally owned IT resources. Users of portable devices will take extra precautions to ensure the physical possession of the portable device and the protection of the University’s Confidential and Protected Data.

The University’s Confidential or Private Data may not be accessed, transmitted, or stored using public computers or via email.

System Administrators shall implement access controls on all IT resources that store, transmit, or process Confidential or Protected Data, minimally supporting the requirements defined in the Access Control Policy.

Procedures

Each calendar year, Data Users who are capable of viewing, storing, or transmitting Confidential Data shall complete the Information Security Awareness Training Program.

University employees will perform monthly scans and review results in order to locate and remove PII on each computer under their control. Storage of PII on desktop or laptop computers requires:

  1. Explicit permission from the Data Steward,
  2. Separate accounts for all users with strong passwords required for all accounts,
  3. Whole disk encryption enabled,
  4. Security logging and file auditing enabled,
  5. Computer firewall enabled and logging,
  6. Automatic operating system patching and antivirus software updates,
  7. Automatic screen lock after a period of inactivity,
  8. Restricted remote access methods, such as remote desktop and file sharing.

Encryption

To maintain its confidentiality, Confidential Data shall be encrypted while in transit across open or insecure communication networks, or when stored on IT resources, whenever possible. Stored data may only be encrypted using approved encryption utilities. To ensure that data is available when needed, each department or user of encrypted University data will ensure that encryption keys are adequately protected and that procedures are in place to allow data to be recovered by another authorized University employee. In employing encryption as a privacy tool, users must be aware of, and are expected to comply with, Federal Export Control Regulations.

Activity Logging & Review

IT resources that store, access, or transmit Confidential Data shall automatically log activity into electronic log files. Logging includes system, network, application, database, and file activity, whenever available, and includes creation, access, modification, and deletion activity.

Log files shall be retained electronically for the duration necessary to meet the requirements defined by the State Data Retention schedule S6.

Systems and devices that process, store, or transmit data that are protected by federal regulations (e.g., HIPAA) or by industry requirements (e.g., PCI-DSS) must submit system-generated logs to the Information Security Office’s central logging system.

Procedures

System administrators and/or Data Stewards shall examine electronic logs, access reports, and security incident tracking reports, minimally every 30 days, for access control discrepancies, breaches, and policy violations. Log harvesting, parsing and alerting tools can be used to meet these requirements.

Service Providers

Departments shall take steps to ensure that third-party service providers understand the University’s Confidential Data Policy and protect the University’s Confidential Data. No user may give a Third Party access to the University’s Protected or Confidential Data, or to systems that store or process Protected or Confidential Data, without permission from the Data Steward and a Confidentiality Agreement in place. Access to these resources must be handled as defined in the University’s Access Control Policy.

Physical Security

Each University department that stores, processes, or transmits Confidential Data will maintain a Facility Security Plan that contains the processes necessary to safeguard information technology resources from physical tampering, damage, theft, or unauthorized physical access. Departments will take steps to ensure that all IT resources are protected from reasonable environmental threats and hazards, and opportunities for unauthorized physical access.

Access to areas containing Confidential Data must be physically restricted. In departments with access to PHI or Credit Card data, all individuals in these areas must wear a University-issued identification badge on their outer garments so that both the picture and the information on the badge are clearly visible.

Disposal

Systems administrators will ensure that all data stored on electronic media is permanently destroyed prior to the disposal or transfer of the equipment. The steps taken for the destruction of data will follow the University computer surplus procedures.

Confidential Data maintained in hard copy form will be properly disposed of using University-approved processes when no longer required for business or legal purposes.

Access to areas such as data centers, computer rooms, telephone equipment closets, and network equipment rooms will be restricted to authorized personnel only. Areas where Confidential Data is stored or processed shall be restricted to authorized personnel and access to these areas shall be logged.

Policy Created: May 16, 2012

Data Classification Levels, Information Technology

Title: Data Classification Levels, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  All Campuses, except UConn Health
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/

This policy is available in the Information Security Policy Manual.

Confidential Data requires the highest level of privacy and may not be released. Confidential Data is data that is protected by either:

  • Legal or regulatory requirements (e.g., HIPAA)
  • Contractual agreements (e.g., Non Disclosure Agreements)

See the extended list of Confidential Data for common types of confidential data.

Protected Data must be appropriately protected to ensure a lawful or controlled release (e.g., Connecticut Freedom of Information Act requests). This is all data that is neither Confidential nor Public data (e.g., employee email).

Public Data is open to all users, with no security measures necessary. Data is public if:

  • There is either an obligation to make the data public (e.g., Fact Sheets), or
  • The information is intended to promote or market the University, or pertains to institutional initiatives (e.g., brochures)

Policy Created: May 16, 2012