Staff

Multi-Factor Authentication Policy

Title: Multi-Factor Authentication Policy
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All employees, students
Campus Applicability:  All Campuses
Effective Date: March 29, 2023
For More Information, Contact UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

To help prevent unauthorized access to University information systems.

DEFINITIONS  

DUO: A University-approved Multi-Factor Authentication (MFA) application that provides an added layer of protection to help prevent unauthorized access to university information systems. DUO can be loaded on individual devices including smartphones and tablets. It can also provide multi-factor authentication through the sending of SMS codes directly to phones and through the use of pre-generated codes.

Fob: A small hardware device that serves as a second authentication mechanism either in place of or in addition to the DUO mobile app.

University Information System: Devices and/or components managed by the University for collecting, storing, and processing data and for providing information, knowledge, and digital products. For purposes of this policy, information technology devices and components managed exclusively by UConn Health are not considered University Information Systems.

Multi-Factor Authentication (MFA): MFA is a method of system access control in which a user is granted access only after successfully providing at least two pieces of authentication, usually including knowledge (something the user knows such as a password), possession (something the user has such as a token generator), or inherence (something the user is such as the use of biometrics).

POLICY STATEMENT  

Users of University Information Systems must adhere to Multi-Factor Authentication requirements, where available, to ensure authorized access to University Information Systems and protected or confidential data.

PROCEDURES

User Requirements

  1. Users must maintain a device that can receive DUO authentication requests in a secure manner via the DUO mobile app or another mechanism, such as SMS, phone, or token.
  2. When an attempt is made to access a DUO enabled system or application, the system will challenge the user by requesting a second factor of authentication which may include an acknowledgement of a push notification via the DUO app, a 6-digit code via SMS, or a Fob.
  3. If users receive a DUO notification when not conducting a recent authentication, the authentication should be denied and reported to the Technology Support Center.

Frequency of User Challenges

The frequency with which a user may be challenged depends both on policy and use.

  • Policy based – depending on information being accessed, more frequent authentications may be required.
  • Usage based – While user challenges may be “remembered” for a period of time, use of other hardware, browsers, or other behaviors may trigger additional verification using a second factor.

Lost or Stolen Devices

If a user’s registered device is lost, stolen, or the user has reason to suspect their UConn NetID has been compromised, the user must contact the Technology Support Center immediately. As a precaution, they should change their NetID password at netid.uconn.edu.

Off-Hours and Emergency Access to systems and applications

UConn Information Technology Services will maintain internal procedures for processing emergency access requests if issues arise with the multi-factor authentication process. Users should contact the Support Desk for additional information.

Use of Automated Systems

Automated systems that intend to interfere with the approval component of multi-factor authentication are hereby prohibited.

ENFORCEMENT 

Users may not attempt to circumvent login procedures, including DUO multi-factor authentication, on any computer system or otherwise attempt to gain unauthorized access. Attempts to circumvent login procedures may subject individuals to disciplinary action. Financial losses incurred due to the use of DUO multi-factor circumvention techniques are the responsibility of the user, and the University may seek financial restitution from users who violate this policy.

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.

EXCEPTIONS

ITS will review and document any requests for exceptions to this standard. ITS will also have available solutions for the intermittent failure of various second factors, which may include the allowance of temporary access codes upon verification of an individual’s identity.

Questions about this policy or suspected violations may be reported to any of the following:

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY 

Policy created:  March 29, 2023 (Approved by Senior Policy Council)

 

 

Guideline for the Employment of Graduate Students

GUIDELINE FOR THE EMPLOYMENT OF GRADUATE STUDENTS

Revised February 1, 2017

Purpose

The purpose of this guideline is to clarify federal regulations, state law, and university policy pertinent to the employment of graduate students at the University of Connecticut. Units that seek to employ graduate students should be careful to use the appropriate employment mechanism considering the nature of the work and the tax implications for the student.

Existing Law and Policy

The University defines graduate assistants as graduate students “who provide teaching or research support to the University that is a part of his/her academic program,” and requires that all assistantships be administered through an academic department. (See https://grad.uconn.edu/wp-content/uploads/sites/2114/2016/05/Definitions-GA.pdf.)

This definition is intended to align with the federal Tax Code Section 117(c), which provides that scholarships and tuition reductions are taxable income to the student (and thus potentially subject to withholding like wages) when they represent “payment for teaching, research or other services by the student required as a condition for receiving” the scholarship or tuition reduction.

That statute also, however, provides a narrow and specific exception for a graduate student at a college or university “who is engaged in teaching or research activities for such organization” (§ 117(d)(5)). This provision allows the University to provide Research Assistants and Teaching Assistants their tuition waivers tax-free. In cases where Graduate Assistants are not engaged in teaching or research activities for the University, IRS guidance requires the University to withhold extra taxes from these Graduate Assistants’ paychecks as though they were paid the waiver in cash, less an allowable exclusion of $5,250 per calendar year.

In addition, state law requires the University to waive tuition for Graduate Assistants (Conn. Gen. Stat. Sec. 10a-105).

Employment of graduate students

There are several mechanisms by which units can employ graduate students at the University of Connecticut. The following chart illustrates the appropriate mechanism for hiring a graduate student, as described in more depth below, along with guidance about when each is appropriate.

 

 

| Title | Function | Timeframe | Payroll |
| --- | --- | --- | --- |
| Graduate Assistant (GEU-UAW) | Graduate students who provide teaching or research support to the University as part of his/her academic program | Academic Year | Graduate Payroll |
| Graduate Special Payroll Lecturer (GEU-UAW) | Graduate students who are serving as the instructor of record. | Summer and Winter Intersession | Special Payroll |
| Graduate Instructional Specialists (GEU-UAW) | Graduate students who are appointed to work in an instructional support capacity | Summer and Winter Intersession | Special Payroll |
| Graduate Student Technician (GEU-UAW) | Graduate students who are performing research activities for the University | Summer and Winter Intersession | Special Payroll |
| Student Labor | Graduate students who are performing a wide-range of functions (administrative, social services, library, maintenance, etc) | At any point | Student Payroll |
| Work Study | Graduate students who are participating in the federal need-based financial aid work program. | At any point | Student Payroll |
| Interns and Fellows | Graduate students who perform work as part of their academic programs typically outside the University and typically for course credit in their program of study | Academic Year | Graduate Payroll |

 

Graduate assistantships – Academic Year

During the academic year, Graduate Assistants receive a tuition waiver, a stipend, and health insurance in exchange for performing teaching, research, or other duties for the university. Graduate Assistants are members of the GEU-UAW bargaining unit and their employment is governed by the collective bargaining agreement effective July 1, 2015.

Graduate Assistants are expected to work an average of twenty hours per week (considered a “full GA,” or a 100% appointment). Occasionally, units may appoint a Graduate Assistant for less than twenty hours per week, typically fifteen hours (a 75% appointment) or ten hours (a 50% appointment). Under state law, these Graduate Assistants receive a full waiver of their tuition despite their reduced work hours, and thus the University expects units to use these partial appointments very judiciously only to meet special needs, such as to align with the timeline of a research grant or to cover an unexpected teaching need.

As a consequence of the University’s definition of a Graduate Assistant, it is the University’s expectation that all Graduate Assistants will have assignments that substantially involve work that supports the teaching or research missions of the University, or both. Thus, Graduate Assistants are usually assigned as Teaching Assistants or Research Assistants or a combination of the two. Since the University’s teaching mission involves a large array of activities beyond traditional classroom instruction, Graduate Assistants may also be assigned to support implementation of instructional technologies, advising programs, cultural programs, learning communities, and other co-curricular activities.

Graduate assistantships – Summer and Winter Intersession

Graduate students who perform teaching or research activities for the University as part of an academic program during the summer months or the winter intersession are also governed by the GEU-UAW collective bargaining agreement and are hired through special payroll. Graduate Assistants in the summer or intersession who serve as the instructor of record should be hired as Graduate Special Payroll Lecturers. Graduate Assistants who are providing various levels of instructional support should be hired as Graduate Instructional Specialists. Graduate Assistants who are providing research functions should be hired as Graduate Student Technicians. Detailed information about summer graduate student titles is available at: http://hr.uconn.edu/special-payroll-manual-offer-letters-forms.

Graduate assistantships – Not Substantially Related to Meeting Teaching and Research Missions

When a unit seeks to offer work to a graduate student that is not substantially related to meeting teaching or research needs, the University expects units to use one of the mechanisms described below (student labor or work study) to employ that student. In particular, work that is predominantly administrative in nature should be accomplished through these means.

There may be exceptional cases when a unit determines that a graduate assistantship is the best means to appoint a student even though the student’s work will not substantially involve teaching or research. While inconsistent with University definitions and expectations, Federal regulations do not prohibit Graduate Assistants from performing duties other than as Teaching Assistants or Research Assistants. If a unit seeks to employ a Graduate Assistant for work other than teaching or research, the unit must obtain permission to do so from the Dean of the Graduate School. Further, the unit must inform the student in the appointment offer letter that the tuition waiver they will receive is likely to be taxable, and thus their stipend will be subject to withholding. Units should also be aware that these Graduate Assistants will be members of the GEU-UAW bargaining unit and thus covered by the collective bargaining agreement.

Student labor

According to the University’s policies and procedures related to student employment, graduate students may be employed as temporary, non-exempt hourly workers. These graduate students are not considered Graduate Assistants, and should not be coded or compensated as GAs, RAs, or TAs, and are not covered by the collective bargaining agreement. They may fulfill positions requiring various levels of skill and experience, from trainee-level jobs to supervisory and highly technical jobs. These jobs may support a wide range of University functions, including research, administration, information technology, fiscal management, library, maintenance, recreation/athletics, social services, academic services, public services, and the arts. The job duties, work hours, and schedules of graduate students employed on the student labor payroll are set by the hiring department. Levels of pay follow a set schedule depending on job requirements. Students on student labor receive bi-weekly paychecks for hours worked. Generally, it is expected that full-time students work no more than twenty hours per week, except during breaks when it is expected they will work no more than forty hours per week. Detailed information about student employment is available at http://studentjobs.uconn.edu/employment-guide/.

Work-study

Work-study is a federal need-based financial aid work program that allows students (including graduate students) to earn money to meet educational expenses as temporary, non-exempt hourly workers. These graduate students are not considered Graduate Assistants, and should not be coded or compensated as GAs, RAs, or TAs, and are not covered by the collective bargaining agreement. The jobs and levels of pay are the same as those available through student labor, but these are funded 75 percent by financial aid awards made by Office of Student Financial Aid Services and 25 percent is centrally funded. Work hours and schedules depend on job requirements and are set by the hiring department, and work-study students receive bi-weekly paychecks for hours worked. The total number of hours a work-study student has available to work is dictated by the pay rate associated with their job and the amount of the student’s work-study award. Once the award is exhausted, a unit may continue to fund and employ the student in the same job on the student labor payroll. Detailed information about student employment is available at http://studentjobs.uconn.edu/employment-guide/.

Interns and fellows

As defined in University policy, an internship is an experiential job placement designed to enhance the knowledge, skills, and abilities of a student and enhance their employability. Interns perform work as part of their academic programs, typically in an entity outside the university and typically for course credit in their program of study. Graduate students appointed as interns are not Graduate Assistants, and should not be coded or compensated as GAs, RAs, or TAs. To aid graduate interns in the pursuit of their studies, the University may provide scholarships to cover their tuition and/or health insurance. Additionally, interns may occasionally receive compensation for services they perform for their host organization, which, when administered by the University, is paid through Payroll and subject to tax withholding.

A fellowship is awarded to a graduate student to pursue his or her academic program, but does not require the student to do work for the University. Graduate fellows may receive funding from the University or another source that may cover their tuition and provide stipends and health insurance.

Under certain conditions, scholarships (including health insurance subsidies) provided to interns and fellows may be taxable. In cases where a student is provided a scholarship or tuition waiver that is not connected to employment, however, the University has no general obligation to report the scholarship income or withhold any tax, except in limited cases involving international students. For the majority of students, it is entirely up to the student to claim scholarship income on his or her tax return.

Student Athlete Name, Image, Likeness, Policy On

Title: Student-Athlete Name, Image, and Likeness, Policy On
Policy Owner: University Athletics
Applies to: All Student-Athletes and University Employees
Campus Applicability: All Campuses
Effective Date: June 30, 2021
Last Review Date: May 2, 2022
For More Information, Contact Director of Athletics
Contact Information: (860) 486-2725
Official Website: https://uconnhuskies.com/sports/2021/7/14/uconn-nil-information

PURPOSE

To establish a policy pursuant to which University of Connecticut (“University”) student-athletes are permitted by the University to (1) earn compensation through an endorsement contract or employment in an activity unrelated to an intercollegiate athletic program; and (2) obtain legal or professional representation of an attorney or sports agent through a written agreement, provided that in each case, the student-athlete complies with the terms and conditions of this policy and applicable law.

APPLIES TO

All student-athletes and University Employees.

DEFINITIONS

Athletics booster means a person who directly contributes to a University athletic program.

Compensation means the receipt, whether directly or indirectly, of any cryptocurrency, money, goods, services, other items of value, in kind contributions and any other form of payment or remuneration.

Endorsement contract means a written agreement under which a student-athlete is employed or receives compensation for the use by another party of such student-athlete's person, name, image or likeness in the promotion of any product, service or event.

Intercollegiate athletic program means a program at the University for sports played at the collegiate level for which eligibility requirements for participation by a student-athlete are established by a national association for the promotion or regulation of college athletics.

NCAA means the National Collegiate Athletic Association or its successor.

Official team activities means all games, practices, exhibitions, scrimmages, team appearances, team photograph sessions, sports camps sponsored by the University and other team-organized activities, including, but not limited to, photograph sessions, news media interviews, and other related activities as specified by the University.

Prohibited endorsements means receipt of compensation by, or employment of, a student-athlete for use of the student-athlete's person, name, image or likeness (“NIL”) in association with any product, category of companies, brands, or types of endorsement contracts that are: (1) prohibited by law; (2) prohibited by this policy; or (3) prohibited under the applicable University procedures adopted in accordance with this policy.

Sports agent means a duly licensed person who negotiates or solicits a contract on behalf of a student-athlete in accordance with the Sports Agent Responsibility and Trust Act, 15 USC 7801, et seq., as amended from time to time.

Student-athlete means a student enrolled at the University who participates in an intercollegiate athletic program.

University marks means the name, logo, trademarks, mascot, unique colors, copyrights and other intellectual property or defining insignia of the University.

POLICY STATEMENT

The University shall permit its student-athletes to (1) earn compensation through an endorsement contract or employment in an activity unrelated to an intercollegiate athletic program and (2) obtain legal or professional representation of an attorney or sports agent through a written agreement, provided that the student-athlete complies with this policy and applicable law.

I. Agreements for Representation by a Sports Agent or an Attorney

    1. A student-athlete may only enter into an agreement for representation with a sports agent if the student-athlete submits a copy of the agreement to the University.
    2. A student-athlete may only enter into an agreement for representation with an attorney if the student-athlete submits a copy of the agreement to the University.

II. Endorsement Contracts and Agreements for Employment Activities

A student-athlete may only enter into an endorsement contract or agreement for other employment activities if:

    1. the student-athlete discloses the existence of the agreement to the University;
    2. the student-athlete submits a copy of the agreement to the University prior to the student-athlete performing any activity or service under the agreement;
    3. the agreement, or any portion thereof, does not conflict with the provisions of any agreement to which the University is a party. In the event that a potential conflict is identified, the University shall disclose to the student-athlete or the student-athlete's attorney or sports agent the provisions of the University agreement that are in conflict; and
    4. the student-athlete is not required to participate or engage in any activity prohibited by Section III of this policy.

III. Prohibitions

    1. Student-athletes are prohibited from using or consenting to the use of any University marks when performing any services or activity associated with an endorsement contract or employment activity without prior written permission from the University or its authorized designee.[1]
    2. Student-athletes are prohibited from performing any service or activity associated with an endorsement contract or employment activity that interferes with any official team activities or academic obligations.
    3. University employees are prohibited, in their individual capacity, from entering into endorsement contracts with any student-athlete or otherwise providing compensation themselves to a student-athlete in return for NIL services.
    4. University employees, students, and athletic boosters are, to the extent required under NCAA rules, prohibited from creating or facilitating NIL compensation opportunities for prospective student-athletes as a recruiting inducement or current student-athletes as an inducement to remain enrolled at the University.
    5. Student-athletes are prohibited from receiving compensation from, entering into an endorsement contract with, and/or otherwise engaging in an employment activity with companies, brands, products, conduct, and/or entertainment prohibited under University procedures adopted in accordance with this policy.

IV. Procedures

University of Connecticut Student-Athlete’s Name, Image, and Likeness Procedures

ENFORCEMENT
Violations of this Policy or associated procedures may result in appropriate disciplinary measures in accordance with state law, University Laws and By-Laws, and Division of Athletics Student Athlete Handbook.

POLICY HISTORY

Policy created effective June 30, 2021 [Approved by the Board of Trustees]

Revisions: May 2, 2022 [Approved by President’s Senior Policy Council]

[1] In accordance with Connecticut law, the University is prohibited from providing any student with written permission until July 1, 2022.

[2] This prohibition extends to communication with family members and others affiliated with prospective students.

Recruitment of Students, Policy On

Title:  Recruitment of Students, Policy On 
Policy Owner: The Division of Enrollment Planning & Management 
Applies to: University Employees, Volunteers, Trainees and Others 
Campus Applicability: All Campuses 
Effective Date: August 23, 2021
For More Information, Contact Office of the Vice President for Enrollment Planning & Management 
Contact Information: (860) 486-1463 
Official Website: https://epm.uconn.edu/

PURPOSE

To ensure compliance with federal laws and regulations regarding ethical recruitment and enrollment activities conducted at the University, specifically Section 487(a)(20) of the Higher Education Act (HEA) and its implementing regulations at 34 C.F.R. 668.14, as well as the University’s Memorandum of Understanding with the Department of Defense.

APPLIES TO

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for UConn, is under the direct control of UConn, whether or not they are paid by UConn. 

DEFINITIONS

Commission, Bonus, Incentives means a sum of money or something of value, other than a fixed salary or wages, paid to or given to a person or an entity for services rendered.  

Securing enrollments or the award of financial aid means activities that a person or entity engages in at any point in time through completion of an educational program for the purpose of the admission or matriculation of students for any period of time or the award of financial aid to students.

These activities include contact in any form with a prospective student, such as, but not limited to – contact through preadmission or advising activities, scheduling an appointment to visit the enrollment office or any other office of the institution, attendance at such an appointment, or involvement in a prospective student’s signing of an enrollment agreement or financial aid application.

These activities do not include making a payment to a third party for the provision of student contact information for prospective students provided that such payment is not based on: (1) any additional conduct or action by the third party or the prospective students, such as participation in preadmission or advising activities, scheduling an appointment to visit the enrollment office or any other office of the institution or attendance at such an appointment, or the signing, or being involved in the signing, of a prospective student’s enrollment agreement or financial aid application; or (2) the number of students (calculated at any point in time of an educational program) who apply for enrollment, are awarded financial aid, or are enrolled for any period of time, including through completion of an educational program. 

“Entity or person engaged in any student recruitment or admission activity or in making decisions about the award of financial aid” means (1) with respect to an entity engaged in any student recruitment or admission activity or in making decisions about the award of financial aid, any institution or organization that undertakes the recruiting or the admitting of students or that makes decisions about and awards Title IV, HEA program funds; and (2) with respect to a person engaged in any student recruitment or admission activity or in making decisions about the award of financial aid, any employee who undertakes recruiting or admitting of students or who makes decisions about and awards Title IV, HEA program funds, and any higher level employee with responsibility for recruitment or admission of students, or making decisions about awarding Title IV, HEA program funds. 

Enrollment means the admission or matriculation of a student into an eligible institution. 

Inducement means any gratuity, favor, discount, entertainment, hospitality, loan, transportation, lodging, meals, or other item having a monetary value of more than a de minimis amount to any individual, entity, or its agents including third party lead generators or marketing firms.

Service Member means a current or former member of the uniformed services which includes (a) the armed forces; (b) the commissioned corps of the National Oceanic and Atmospheric Administration; and (c) the commissioned corps of the Public Health Service.

POLICY STATEMENT

The University of Connecticut prohibits the award of any commission, bonus or other incentive payment based in any part, directly or indirectly, upon success in securing enrollments or the awarding of financial aid, to any person or entity who is engaged in any student recruitment, admission activities, or making decisions regarding the awarding of financial assistance. In accordance with the HEA, this restriction does not apply to the recruitment of foreign students residing in foreign countries who are not eligible to receive Federal student assistance.

In addition, in accordance with the Department of Defense Memorandum of Understanding, the University will refrain from high-pressure recruitment tactics aimed at Service Members, which includes making multiple unsolicited contacts (3 or more) including contacts by phone, email, or in-person, and engaging in same-day recruitment and registration for the purpose of securing Service Member enrollments. 

ENFORCEMENT
Violations of this policy or associated procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, and applicable collective bargaining agreements.

PROCEDURES/FORMS
Contact the Division of Enrollment Planning and Management with questions.

POLICY HISTORY

Policy created effective: August 23, 2021 [Approved by President’s Senior Team]

Revisions:  November 11, 2021 [Approved by the President]

 

Mobile and Remote Device Security Policy

Title: Mobile and Remote Device Security, Information Technology 
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All faculty, staff, student employees, and volunteers   
Campus Applicability: All campuses except UConn Health 
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

To ensure data and information systems security by establishing requirements for mobile and remote devices.  Mobile and remote devices are important tools for the University, and their use is supported to advance the mission of the university. Mobile and remote devices also represent a significant risk to information and data security. If appropriate security measures and procedures are not applied, mobile and remote devices can serve as a conduit for unauthorized access to University data and IT resources that can subsequently lead to data leakage and a path for compromise of other systems. 

APPLIES TO 

This policy applies to all University faculty, staff, student employees, and volunteers who use mobile or remote devices to access any non-public IT resources owned or managed by the University. 

DEFINITIONS 

IT Resources: Includes systems and equipment, software, and networks. Systems and equipment include but are not limited to computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers, and other related devices. Software includes but is not limited to computer software, including open-source and purchased software, and all cloud-based software, including infrastructure-based cloud computing and software as a service. Networks include but are not limited to all voice, video, and data systems, including both wired and wireless network access across the institution. 

Mobile Electronic Device: Includes telecommunication and portable computing devices which can execute programs or store data, including but not limited to laptops, tablet computers, smartphones, and external storage devices. Generally, a device capable of using the services provided by a public/private cellular, wireless, or satellite network. 

Remote Device: Personal computer used off-site 

POLICY STATEMENT  

University of Connecticut faculty, staff, student employees, and volunteers who use mobile or remote devices are responsible for any institutional data that is stored, processed, and/or transmitted via a mobile or remote device and for following the security requirements set forth in this policy. 

To adequately protect the data and information systems of the University, all individuals covered under this policy are expected to meet the following requirements: 

All users of a mobile electronic device used to access non-public university systems must take the following measures to secure the device: 

  • Configure the device to require a password (minimum of 10 characters), biometric identifier, PIN (minimum of 6 characters), or swipe gesture (minimum of 6 swipes) to be entered before access to the device is granted. Device must automatically lock and require one of the authentication methods after no more than 5 minutes of idle time. 
  • Keep devices on currently supported versions of the operating system and remain current with published patches. 
  • Enable the device’s remote wipe feature to permit a lost or stolen device to be securely erased. 
  • Securely store electronic devices at all times to minimize loss via theft or accidental misplacement. 

    Wherever practical, elements of these requirements will be enforced via centrally administered technology controls.  

    STORAGE OF CONFIDENTIAL DATA 

    In general, confidential data should not be stored on mobile devices, including laptops. However, in certain instances and depending on job responsibilities, this may be unavoidable. In these instances, confidential data must be stored on university-owned devices ONLY with the following requirements: 

    • Except when being actively used, confidential information must at all times be encrypted on any device through a mechanism approved by the University. Alternatively, whole drive encryption software may be deployed to meet this requirement. 
    • Mobile devices must have university-supported software enabled and running to identify, protect, and respond to any threats to the data or operating systems of the devices. 
    • Devices must have Mobile Device Management software installed to facilitate device protection, including remote wipe and, if possible, device location technology for recovery. 

    DEVICE DECOMMISSION OR SEPARATION FROM UNIVERSITY 

    When mobile devices, specifically personally owned devices that may have had access to University resources or data, are no longer used, and donated, or given to anyone, the device owner is responsible for ensuring that any University information is securely deleted from the device, including University-related e-mails/accounts, user ID and password, or other cached credentials used to access University systems. 

    In the event of separation from the University, it is the employee’s responsibility to delete any University-related e-mail accounts or University licensed software that may have been installed on personal devices or computers. 

    ENFORCEMENT 

    Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

    Questions about this policy or suspected violations may be reported to any of the following: 

    Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

    Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

    Information Security Office – https://security.uconn.edu 

     

    POLICY HISTORY 

    Policy created:  August 30, 2021 [Approved by President’s Senior Team] 

    System and Application Security Policy

    Title: System and Application Security Policy 
    Policy Owner: Information Technology Services / Chief Information Security Officer 
    Applies to: All students, faculty, and staff  
    Campus Applicability: All campuses except UConn Health 
    Effective Date: August 30, 2021
    For More Information, Contact UConn Information Security Office 
    Contact Information: techsupport@uconn.edu or security@uconn.edu 
    Official Website: https://security.uconn.edu/

    PURPOSE 

    To ensure the security of university data by establishing requirements for the proper maintenance and oversight of systems and applications used by university constituents. 

    APPLIES TO 

    This policy applies to all individuals responsible for operating or overseeing any University system or application, whether on premise or in the cloud. 

    DEFINITIONS  

    ITS: Information Technology Services 

    SaaS: Cloud-based service that is delivered via the web based on either a monthly or annual subscription 

    PaaS:  Cloud-based service that provides a platform allowing for the development of software using an established framework to improve development time and management of cloud services 

    PII (Personally Identifiable Information):  Information that either singularly or in conjunction with other data elements could reasonably lead to the identification of specific individuals 

    POLICY STATEMENT  

    The proper maintenance and review of systems and applications is critical to protecting the data they store or process. While requirements may vary as to the administration and operation of any system or application, the following are required of any individual responsible for a system or application related to the University of Connecticut’s computing environment, whether on-premise or in the cloud. 

    System Ownership 

    All systems supporting any aspect of the University must have an identified owner and responsible party for ensuring the controls specified in this document. For a system that is fully cloud-based, a UConn faculty or staff member is responsible for overseeing that the following controls are appropriately applied and adhered to by the cloud provider.  

    System and Application Security 

    All software and services used to process University of Connecticut information are subject to an Information Security review and sign off prior to their purchase or development. Information Security reviews will evaluate specific risks and controls available and necessary based on the information being processed. The system owner will be responsible for the deployment of the agreed upon security controls prior to enabling the production capability of the system or application. 

    Only necessary software should be loaded on systems, and old versions of software removed. The use of web browsers should be limited to the management of the system only. 

    System Access 

    Access to information in the possession of or under the control of the University of Connecticut must be provided on a need-to-know basis. Information must be disclosed only to individuals who have a legitimate and approved business need for information. Information may only be used for its intended purpose, and other uses of university information without the approval of the data owner are not allowed.  

    Patching and Maintenance 

    All individuals, including faculty, staff, or students, who have taken on or been assigned the responsibility of managing any system or application attached to the University of Connecticut network or any cloud system that holds a relationship to the University of Connecticut or holds University of Connecticut data, must ensure the timely implementation of operating systems and application patches to provide for the confidentiality, integrity, and availability of said systems or data. The ongoing maintenance of applications and the application of software updates is an activity that must be regularly scheduled on a minimum quarterly basis. ITS and many other parts of the University maintain systems to simplify the patching of operating systems. 

    Cloud-based SaaS and PaaS systems typically remove the requirement for patching and maintenance, as the responsibility for this is handled by the vendor. 

    User Management 

    University of Connecticut Information Technology Services (ITS) provides centralized user identity and access management that supports identity validation and access management (IAM) using a NetID and password. Systems and applications that rely on the University IAM platform for authenticating individual access rights can forgo the need for user management outside that of assigning any roles within the system or application, as necessary. 

    Systems and applications that do not use the central IAM solution must have a written plan and designated individual responsible for the creation, modification, and deletion of user IDs. User IDs, including student accounts, must be reviewed when faculty, staff, or students separate from the University at least annually. This includes a process for ensuring the secure creation of passwords and a secure password reset process for validating an individual’s identity prior to resetting the password. 

    Systems where individuals have access to a significant amount of the PII of other constituents, including students, faculty, staff, alumni, and vendors, or significant amounts of regulated data should leverage multi-factor authentication wherever possible. 

    Auditing of Systems and Application Logs 

    System and application logs should be reviewed for inappropriate access on a regular basis (at least monthly) or via automated systems capable of detecting misuse through the analysis of frequent password failures, geographic anomalies, or inappropriate access attempts. ITS maintains a centralized logging and reporting platform, which can assist in the analysis of large amounts of data often associated with system and application logs. 

    System and Application Lifecycle Management 

    Any system or application that is no longer supported by the vendor or is replaced by newer technology should be decommissioned as soon as possible. The proper update of systems and applications is critical to protecting the confidentiality, integrity and availability of the system or application and its data. The decommissioning process must include the proper retirement of any physical hardware or virtual images and the proper destruction of any media (e.g., hard drives, tapes, etc.) that may have data. Cloud services that are decommissioned should ensure the proper handling of any data (return and/or destruction) in the cloud vendor’s possession as part of the contract cancellation. 

    Protection of Regulated Data 

    Certain classes of information stored within University of Connecticut systems and applications have additional regulatory requirements associated with their storage and/or transmission. This data includes but is not limited to: Personally Identifiable Information (PII), including certain combinations of data regarded as sensitive PII; Personal Health Information (PHI), Payment Card Industry (PCI) information, or any information subject to the Family Educational Rights and Privacy Act (FERPA).  The University must also comply with any additional protections of information or datasets contractually required by other agencies or organizations.  

    Mandatory Reporting 

    All suspected policy violations, system intrusions, and other conditions that might jeopardize University of Connecticut information or information systems must be immediately reported to the Information Security Office. 

    ENFORCEMENT 

    Systems and applications that do not follow the standards set forth in this policy may be administratively shut down or have access restricted to on-campus or individual personnel only. Systems maintained at the departmental or individual level may incur costs in association with enabling the proper protections or in the event of data exposure. 

    Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

    PROCEDURES/FORMS 

    Questions about this policy or suspected violations may be reported to any of the following: 

    Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

    Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

    Information Security Office – https://security.uconn.edu 

     

    POLICY HISTORY 

    Policy created: August 30, 2021 [Approved by President’s Senior Team]

     

    Network Access Policy

    Title: Network Access Policy, Information Technology
    Policy Owner: Information Technology Services / Chief Information Security Officer 
    Applies to: All students, faculty, staff, volunteers, and contractors  
    Campus Applicability: All campuses except UConn Health 
    Effective Date: August 30, 2021
    For More Information, Contact UConn Information Security Office 
    Contact Information: techsupport@uconn.edu or security@uconn.edu 
    Official Website: https://security.uconn.edu

    PURPOSE 

    The University invests significantly in maintaining a secure network that meets the academic, research, residential, and administrative needs of the institution. To ensure compliance with applicable Federal and State laws and regulations, and to protect the campus network and the ability of the University community to use it, certain security, performance, and reliability requirements must govern the operation of these networks. 

    APPLIES TO 

    This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to university networks. 

    DEFINITIONS  

    University Network: The university network is comprised of the network hardware and infrastructure and the services to support them, from the data jack or wireless access point to the University’s Internet Service Provider’s (ISP) connection. The university network begins at the connection to the network (wired or wireless) and ends where we connect to the Internet. 

    Wired Network:  The wired network consists of the physical cabling, infrastructure, and management systems that provide physical network access via an ethernet or fiber optic cable. 

    Wireless Network:  The wireless network consists of the access points (connected to the wired network), wireless spectrum, and management systems that provide services via the UConn provided wireless networks, including UConn Secure, Guest, EDUROAM, and other specialty networks. 

    POLICY STATEMENT  

    The University network (wired & wireless) is an essential resource for the University of Connecticut students, faculty, staff, and guests. The University network provides a variety of critical services that meet the academic, administrative, research and residential needs of the University. Due to the complex nature of the University’s network, Information Technology Services (ITS) is responsible for the overall design, installation, coordination and operation of the University’s network environment. 

    Wired Networks 

    • The wiring and electronic components of the network are deemed part of the basic infrastructure and utility services of the University. Installation and maintenance of that network are to be considered part of the “up front” basic required building and renovation costs and are not considered discretionary options in construction and renovation design. 
    • Standards for the network wiring, electrical components, and their enclosures are defined by Information Technology Services (ITS), subject to Building and Grounds (B&G) oversight and are considered part of the University’s “building code” to which installations must conform. 
    • Upgrades to our campus network will be done as part of a university-wide Network Master Plan.  This Network Master Plan will be coordinated with the University’s Building Master. 
    • Units that would like to use their own funding to install wired/wireless technology or change the programmatic function or use of a room to newly include a wired/wireless activity must work directly with ITS Network Engineering for design services and standards requirements. ITS Network Engineering will thereby ensure that all changes to the wired network conform to applicable standards. 
    • Units choosing to install and establish their own security using local firewalls and/or VPNs must give ITS Network Engineering and Information Security access to/through these devices into the active network segments. This will give Network Engineering the ability to see beyond the secure points of the network for diagnosing problems potentially affecting the overall network. 
    • Units wishing to design, install and maintain their own network must have their designs reviewed by ITS Network Engineering. All installations must conform to the standards set forth in the ITS Design Guide and Standards. Before equipment is purchased, the requesting entity must submit technical specifications of the equipment to be used in the project, along with the logical and physical design maps, for ITS approval to ensure network compatibility and service conformance. ITS Network Engineering will provide the department with an approval letter, which can be submitted to Purchasing with the purchase request. 

      Wireless Networks 

      • The addition of new wireless access points on the University network must be coordinated and approved by ITS.  Wireless performance is impacted by the architectural features, building materials, and furnishings of a contemporary workspace.  Construction and renovation projects must be coordinated with ITS and include funding for additions or adjustments required to optimize performance and serviceability of impacted wireless access points and systems. 
      • On an exception basis, departments and individual faculty may install and manage wireless access points for specific programmatic needs. These locally administered wireless access points must be registered and coordinated with ITS prior to deployment to prevent radio frequency (RF) interference on either wireless network.  At least one individual in the requesting department must be designated as the official contact for the access point.  The official contact is responsible for the data and network traffic that traverses through the access point and appropriate access control and security configuration as well as the regular maintenance, software updates, and replacement. 
      • Any devices either not part of or that cause significant RF interference with the University wireless network will be considered a “rogue” access point or device.  ITS will pursue all reasonable efforts to contact the owner of the rogue device, and, if necessary, may disable or disconnect them from the University network. This includes devices and equipment that operate in the frequency ranges occupied by the University Wi-Fi network. 

      ENFORCEMENT 

      Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

      Questions about this policy or suspected violations may be reported to any of the following: 

      Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

      Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

      Information Technology Services CIO – https://cio.uconn.edu  

       

      POLICY HISTORY 

      Policy created:  This policy replaces the Wireless Network Policy (05/15/2006) and Physical Network Access Policy (11/18/2008). Approved by President’s Senior Team 8/30/2021. 

       

      Firewall Policy

      Title: Firewall Policy 
      Policy Owner: Information Technology Services / Chief Information Security Officer 
      Applies to: All students, faculty, and staff responsible for configuring firewalls 
      Campus Applicability: All campuses except UConn Health 
      Effective Date: August 30, 2021
      For More Information, Contact UConn Information Security Office 
      Contact Information: techsupport@uconn.edu or security@uconn.edu 
      Official Website: https://security.uconn.edu/

      PURPOSE 

      To ensure a common set of firewall configurations across the organization to maximize their protection and detection capabilities in support of the security of the University. Firewalls provide a valuable protection and detection capability for the organization when properly configured, managed, and monitored.  

      APPLIES TO 

      This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have responsibility for controlling or configuring firewalls. 

      DEFINITIONS 

      EOL: End of Life 

      EOS: End of Support 

      IANA: Internet Assigned Numbers Authority (iana.org)  

      POLICY STATEMENT  

      The University operates in a highly flexible and adaptive security environment to meet its academic, research, and administrative missions. While the ability to adapt to meet the ever-changing needs of the University is important, oversight and reporting of firewall activities are critical to the successful protection and operation of the University environment. The following firewall requirements must be met: 

      Firewall Configuration Standards 

      • All firewalls must be properly maintained from a hardware and software perspective. This includes proper lifecycle planning for EOL and EOS software/hardware and regular review (at least annually) of firewall rulesets. 
      • All dedicated firewalls used in production must follow the University firewall management standard, which includes the ability to review currently configured firewall rules across the organization, identification of shadow or redundant rules and rules in conflict, and standardization of device/object names.  
      • Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets, configurations and backup media must be restricted to those responsible for administration and review. 

      Firewall Rules 

      Firewall rules specify (either allow or deny) the flow of traffic through the firewall device. Firewall rules are typically written based on a source object (IP address/range, DNS Name, or group), destination object (IP address/range, DNS Name, or group), Port/Protocol and action. 

      • All firewall implementations should adopt the principle of “least privilege” and deny all inbound traffic by default. The ruleset should be opened incrementally to only allow permissible traffic. 
      • Outbound traffic should be enumerated for data stores, applications, or services. 
      • Overtly broad rules may be allowed for specific groups of individuals (not systems). Approval must be granted by the Chief Information Security Officer or their designee. 
      • The use of overly permissive firewall rules is prohibited (i.e., ANY/ANY/ALL rules). 
      • Protocols defined in services and in the firewall must utilize Service Name and Protocol/Port information as assigned by IANA, unless there is a technical reason to do otherwise other than “security through obscurity” and must be commented appropriately in the ruleset.  

        Firewall Logging 

        Firewall log integrity is paramount to understanding potential threats to the network. Firewall devices must log the following data to a system outside of the physical firewall itself and must be regularly reviewed at least monthly or programmatically through automated means. Firewall logs may be forwarded to the ISO SIEM for retention and analysis. 

        The following items must be logged as part of the operation of the firewall: 

        • All changes to firewall configuration parameters, enabled services, and permitted connectivity 
        • Any suspicious activity that might be an indicator of either unauthorized usage or an attempt to compromise security measures 

        ENFORCEMENT 

        Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

        Questions about this policy or suspected violations may be reported to any of the following: 

        Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

        Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

        Information Security Office – https://security.uconn.edu 

         

        POLICY HISTORY 

        Policy created: August 30, 2021 [Approved by President’s Senior Team]

        Mandatory Workforce COVID-19 Vaccination Policy

        Title: Mandatory Workforce COVID-19 Vaccination Policy
        Policy Owner: Human Resources
        Applies to: All employees, including volunteers and contractors
        Campus Applicability: All campuses, excluding UConn Health
        Effective Date: August 18, 2021
        For More Information, Contact Human Resources
        Contact Information: HR@uconn.edu
        Official Website: https://hr.uconn.edu/

        PURPOSE 

        UConn is committed to protecting our students, employees, and our communities from COVID-19. Toward that goal, and in consideration of guidance released by the state of Connecticut, the U.S. Centers for Disease Control and Prevention (CDC), and a variety of public health authorities and professional organizations, UConn is implementing a mandatory vaccination policy for its workforce.

        APPLIES TO

        The Mandatory Workforce COVID-19 Vaccination Policy applies to all Workforce members (see definition below)[1]. This policy applies to Workforce members regardless of whether they work on-site or remotely, unless the individual qualifies for an exemption as provided herein. Exemptions may be granted to Workforce members (1) who have certain medical conditions; or (2) on the basis of a strong religious or sincerely held belief. Workforce members who are denied an exemption shall have ten (10) days from the date of the notice of the denial to receive the vaccine (either a single dose vaccine or first dose of the 2-dose vaccine). Deferral of the receipt of the vaccine may be granted to Workforce Members (1) who have certain medical conditions; (2) who are on approved block FMLA or supplemental leave; (3) due to a positive COVID test or treatment; or (4) due to current pregnancy or breastfeeding.

        DEFINITIONS

        Workforce Members: All UConn employees, volunteers, and any contracted individuals.

        COVID-19: COVID-19 is a respiratory disease caused by SARS-CoV-2, a new coronavirus discovered in 2019. The virus is thought to spread mainly from person to person through respiratory droplets produced when an infected person coughs, sneezes, or talks.

        Fully Vaccinated: Individuals are considered fully vaccinated 1) two weeks after their second dose in a 2-dose series (such as the Pfizer or Moderna vaccines); or 2) two weeks after a single-dose vaccine (such as Johnson & Johnson’s Janssen vaccine).

        International employees shall be considered in compliance with the COVID-19 vaccine requirement if they have been vaccinated with a COVID-19 vaccine that has either been authorized for emergency use in the United States by the Food and Drug Administration (FDA) or been authorized for emergency use outside of the United States by the World Health Organization (WHO).

        POLICY STATEMENT

        All Workforce members are required to have or obtain a COVID-19 vaccination as a term and condition of employment at UConn, unless an exemption or deferral has been approved. All Workforce members shall be required to report their vaccine status and to provide approved documentation as proof of vaccination.  All current employees shall be required to report their status not later than September 10, 2021.  All new Workforce members shall be required to provide proof of their vaccination status prior to the start of their employment.  All records of vaccinations and approved exemptions will be maintained by Human Resources. Such records will not be included in Workforce members’ personnel files.

        ENFORCEMENT

        Violations of this policy or associated procedures may result in appropriate disciplinary measures, up to and including dismissal, in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, other applicable University Policies, or as outlined in any procedures document related to this policy.

        PROCEDURES/FORMS

        Procedures and forms associated with this policy are available on the Human Resources website.

        REFERENCES

         

        [1] Workforce members represented by bargaining units under the jurisdiction of the State’s Office of Labor Relations (OLR-OPM) are not currently subject to mandatory vaccination requirements of this policy until negotiations have concluded. They are subject to the mandatory reporting, testing and health and safety requirements if unvaccinated.

        Information and Communication Technology (ICT) Accessibility Policy

        Title: Information and Communication Technology (ICT) Accessibility Policy
        Policy Owner: Information Technology Services
        Applies to: Faculty, Staff, Students
        Campus Applicability: Storrs and Regional Campuses
        Effective Date: July 24, 2019
        For More Information, Contact Information Technology Services-IT Accessibility Coordinator
        Contact Information: itaccessibility@uconn.edu; (860) 486-9193
        Official Website: accessibility.its.uconn.edu

        Background and Reason for the Policy: The University of Connecticut is committed to accessibility of its digital information, communication, content, and technology for people with disabilities, in accordance with federal and state laws including the Americans with Disabilities Act, Section 504 of the Rehabilitation Act of 1973, and the State of Connecticut’s Universal Website Accessibility Policy for State Websites.

        Policy Purpose: The purpose of this policy is to set expectations that digital information, communication, content, and technology be designed, developed, and procured to be accessible to people with disabilities.

        Policy Applicability: This policy extends to the procurement, development, implementation, and ongoing maintenance of the University’s information and communication technologies at Storrs and Regional Campuses.

        Policy Statement: The University of Connecticut is committed to achieving equal opportunity to its educational and administrative services, programs, and activities in accordance with federal and state law.  Providing an accessible information, communication, content, and technology experience for people with disabilities is the responsibility of all University administrators, faculty, staff, students and those who maintain externally facing University websites.

        Procedures: See Procedures (https://accessibility.its.uconn.edu/ict-policy-procedures/).  Any issues or questions should be addressed to ITAccessibility@uconn.edu.

        Exceptions: Requests for exceptions to this policy must be submitted to the IT Accessibility Coordinator. Individuals requesting an exception must provide a plan that would provide equally effective alternative access, unless such an alternative is not possible due to technological constraints or if the intended purpose of the technology (e.g., virtual reality goggles) at issue does not allow for an alternative.

        Policy History:

        Adopted 07/24/2019 [Approved by the President’s Cabinet]