Students

Registered and Trustee Student Organizations, Policy on

Posted on by
Title: Policy on Registered and Trustee Student Organizations
Policy Owner: Division of Student Life & Enrollment
Applies to: All University Workforce Members, Students, Guests and other Third Parties that engage with student organizations
Campus Applicability: All UConn Campuses
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: Associate Vice President for Student Life
Contact Information: solid@uconn.edu or studentactivities@uconn.edu
Official Website: https://studentlife.uconn.edu/ 

BACKGROUND

The University of Connecticut recognizes the longstanding role of student organizations in fostering student engagement, leadership development, and community building across all campuses. Student organizations operate in a variety of forms, funding structures, and engage regularly with University resources, employees, and third parties.

This policy formalizes the University’s definitions, oversight, and relationship with Registered Student Organizations and Trustee Student Organizations.

PURPOSE

To establish a clear and consistent framework as it relates to the University’s working relationship with student organizations across its campuses.

APPLIES TO

All students, workforce members, and third parties that engage with student organizations.

DEFINITIONS

Registered Student Organization (RSO): A student-run entity voluntarily formed by University of Connecticut students, with a common interest, for a lawful purpose, and registered with their respective campus-based Student Activities office.

Trustee Student Organization (TSO): A Registered Student Organization formally recognized by the University’s Board of Trustees and separately funded through student-fees in accordance with Connecticut General Statutes.  TSOs are student-governed and student-managed with operational and editorial autonomy (where applicable).

Advisor: A full-time University employee, including faculty and staff, or a graduate assistant where permitted, who is officially designated through the student organization registration process or assigned as part of their University role to provide guidance and support to a RSO or TSO.

The following individuals are not eligible to serve as an Advisor for UConn Campuses:

  • Part-time employees
  • Special payroll employees
  • Student employees (except approved graduate students holding an assistantship)
  • Volunteers, alumni, contractors, or external affiliates

Only external affiliates may serve as Advisors for RSO’s at UConn Health as may be permitted by UConn Health’s specific policies or processes.

POLICY STATEMENT

Formation and Registration

The University recognizes the right of students to form voluntary organizations for any lawful purpose. Student organizations that wish to receive access to University resources and services must register with their campus-based Student Activities office. To register, a student organization must meet all minimum requirements established by the University’s Blueprints manual and, when applicable, their campus-based Student Activities office.

RSOs shall be designated into a Tier-system in accordance with University guidance and oversight from the Division of Student Life & Enrollment. TSOs shall be established in accordance with the Student Service and Activity Fee Advisory Committee (SASFAC) process.

University Oversight and Organizational Autonomy

RSOs at the University are independent entities. The University assumes no responsibility for an RSO’s decisions, operations, contracts, events, or activities, nor does it provide insurance coverage or liability protection. The actions, viewpoints, publications, invited speakers, or initiatives of RSOs are solely the responsibility of the organization and their members.

The University’s role is not to approve or disapprove of such views, but rather to uphold its educational obligation to support free expression and open discussion consistent with the constitutional rights of students and the regulations of the University.

The University does not regulate RSO’s use of independent and non-university funds raised or collected. RSOs may independently enter into contracts or agreements with external parties using these independent funds. The University does not review, approve, or assume responsibility for such agreements unless explicitly stated in University policy otherwise.

A TSO receives financial oversight and administrative support from the University. However, a TSO retains control over their internal governance, operations, and student-led initiatives, except where University intervention is required to ensure compliance with law or policy.

Advisors serve in a supportive role while TSOs and RSOs retain full authority over their organization’s actions and decisions. Advisors do not bear responsibility for the actions or conduct of organization members when fulfilling their role appropriately and in good faith.

All students remain subject to the Student Code, and thus, a TSO or RSO may be referred to the University’s Student Organization Conduct process when their activities violate University policies.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code. If violated, individuals and/or Organizations may be personally liable.

PROCEDURES/FORMS

Blueprints Manual
Trustee Student Organization Manual

REFERENCES

Connecticut General Statute § 4-52 – 57a.
Conn. Gen. Stat. § 4-165
Conn. Gen. Stat. § 5-141d
The Student Code
Student Service and Activity Fee Advisory Committee (SASFAC) Guidelines for Student Activity Fee Creation, Elimination, and Change (2025)

POLICY HISTORY

Policy created: March 4, 2026 (Approved by the Senior Policy Council and President)

Revisions:

Posting Policy

Posted on by
Title: Posting Policy
Policy Owner: Office of the Provost and Office of the Vice President for Student Life and Enrollment
Applies to: Faculty, staff, students, visitors
Campus Applicability: Storrs and regional campuses
Approval Date: June 27, 2024
Effective Date: June 28, 2024
For More Information, Contact Office of the Provost or Office of the Vice President for Student Life and Enrollment
Contact Information: provost@uconn.edu or VPSLE@uconn.edu
Official Website: https://provost.uconn.edu or https://studentlife.uconn.edu

 

PURPOSE

This Policy is intended to ensure the responsible and effective use of bulletin boards and other areas designated for the posting of Flyers, prevent littering and the defacing of or damage to University property. This Policy is not meant to supersede other existing area specific posting policies, nor is it intended to inhibit free speech or expression.  However, all Flyers must comply with established University Policies.

APPLIES TO

Storrs and Regional Campuses, not including UConn Health and UConn Law.

DEFINITIONS

Designated Posting Areas: Specific locations on campus authorized for the display of Flyers and similar materials. These areas are established to help ensure the responsible and orderly use of space for announcements and information dissemination. Designated Posting Areas are either Controlled Posting Spaces or Open Posting Spaces.

Controlled Posting Spaces: Designated posting areas managed by respective building managers and/or departmental owners. Prior approval is required to post a flyer in a controlled posting space.

Open Posting Spaces: Designated posting areas that do not require approval prior to posting.

Flyers: Posters, printed materials, and/or any other physical materials.

POLICY STATEMENT

Flyers may only be posted in Designated Posting Areas, such as bulletin boards and other designated spaces throughout the campus. Under no circumstance may Flyers be affixed in any manner on University signs, lampposts, trees, or any place that would impede ingress/egress. For safety reasons, Flyers may not be slipped under the doors of offices, classrooms, or other University spaces. Any postings in non-designated areas will be removed.

Flyers must be affixed in a manner that does not cause damage to University property. Only non-permanent methods may be used to display Flyers. Permanent or semi-permanent adhesion that may cause damage to University property must not be used. In general, only tacks on bulletin boards, and painter’s tape on non-tackable boards should be used. Individuals/organizations wishing to post Flyers should also ensure compliance with the departments/offices' policies, including those linked in the References section below.

PROCEDURES

Printed Flyers should be of a standard size (e.g. 8.5”x11”) not to exceed 11”x17”. Only one Flyer per event or notice should be posted in each Designated Posting Area. Excess Flyers and other posting materials may be removed.

Flyers should include the name of the organization/individual responsible for the posting and the date on which it was displayed.

Individuals or groups posting Flyers for events should remove them within 24 hours of the event's completion. Once the event date has passed, anyone may remove the posting.

Building managers may remove Flyers that do not have specific dated events periodically based on the date the posting is displayed (e.g. once per semester or on another schedule).

LOCATIONS

Building managers may designate Open Posting or Controlled Posting Spaces, in consultation with leadership of departments/units within the building, for the posting of Flyers that meet the standards outlined in this Policy. Classrooms are not considered Designated Posting Areas. Postings in classrooms can be used as part of instruction during class times and should be removed after the class is over.

Open Posting Spaces are areas designated for the posting of Flyers that meet the standards outlined in this Policy and do not require prior approval. Open Posting Spaces shall be clearly marked. A listing of known locations is available in the References section below.  If a space is not clearly marked as an Open Posting Space, individuals are encouraged to seek permission before posting.

Flyers must be approved prior to posting in Controlled Posting Spaces, including materials that would be placed on or in the ground in outdoor spaces. Separate posting policies, procedures or guidelines in university buildings/departments/units may have other restrictions such as size, length of posting times, and methods for affixing materials, and will follow the standards provided by this Policy.

Refer to department/unit-specific Controlled Posting Spaces guidelines prior to posting in these spaces. Flyers that have not been approved for posting in Controlled Posting Spaces may be removed. Controlled Posting Spaces shall also be clearly marked. A listing of known locations is available in the References section. Faculty office areas (e.g. doors and bulletin boards outside of their offices) and administrative spaces are at the discretion of academic departments/building managers.

In University buildings/departments/units that have separate posting policies, procedures or guidelines,  items must be posted in accordance with the standards  provided by the specific department/unit/building and this Policy.

In University buildings/departments/units that do not have a separate policy or defined Open or Controlled Spaces, postings are not allowed.

ENFORCEMENT

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

Individuals and groups can be charged with violating the University Code of Conduct or the Student Code, specifically Part III, B. 17: “Damage or misuse of property, which includes, but is not limited to, attempted or actual damage to or misuse of University property or other personal or public property”.

Individuals, departments, units, student organizations, and off-campus businesses or groups that violate this Policy will be asked to remove Flyers immediately and will be billed for any damage to University property that occurs because of improper posting.

Flyers that do not meet the standards outlined in this Policy or posted in places not designated for display may be removed at any time.

Questions about this Policy may be directed to the Office of the Provost at provost@uconn.edu or the Office of the Vice President for Life and Enrollment at VPSLE@uconn.edu.

REFERENCES

The list of departments/units with specific posting policies includes but is not limited to the following:

POLICY HISTORY

Policy created:  06/27/2024 Approved by the Senior Policy Council and the President

Financial Commitments to Institutional Training Grants and Nationally Competitive Graduate Fellowships

Posted on by
Title: Financial Commitments to Institutional Training Grants and Nationally Competitive Graduate Fellowships
Policy Owner: Vice Provost for Graduate Education and Dean of The Graduate School
Applies to: Faculty and Graduate Students
Campus Applicability: All campuses, including master’s and PhD programs at UConn Health, and excluding the UConn School of Law
Approval Date: June 27, 2024
Effective Date: July 1, 2024
For More Information, Contact Office of the Vice Provost for Graduate Education and Dean of The Graduate School
Contact Information: (860) 486-3167
Official Website: https://grad.uconn.edu/

BACKGROUND

Institutional Training Grants and Nationally Competitive Fellowships provide essential financial support for graduate students, including Stipends and partial coverage of tuition and health insurance costs. The Institutional Allowance associated with these grants and fellowships for tuition and health insurance often falls short of the total cost. This gap in funding can place a financial burden on students. The University's commitment to providing additional subsidies aims to bridge this funding gap, ensuring that graduate students can pursue their studies without financial hardship.

PURPOSE

To outline the financial commitments from the University that help ensure students supported on Institutional Training Grants or Nationally Competitive Fellowships are not responsible for tuition payments to the University and that they receive a health insurance subsidy equivalent to the subsidy available to graduate students who hold graduate assistantships.

APPLIES TO

This policy applies to all graduate students supported on an Institutional Training Grant or Nationally Competitive Fellowship and to faculty teams to whom an Institutional Training Grant is awarded.

DEFINITIONS

Institutional Allowance: Funds provided by an Institutional Training Grant or Nationally Competitive Fellowship to defray a portion of the tuition for full-time enrollment and the cost of health insurance.

Institutional Training Grant: A competitively awarded grant from an external organization or agency provided to teams of faculty for the purpose of training graduate students in specific disciplines, which often complements faculty research. These grants offer important financial support for graduate students, including Stipends.

Nationally Competitive Fellowship: A fellowship available to U.S. graduate students that is awarded by a federal agency or other external organization to individual graduate students who apply and who are selected by a review panel overseen by the awarding agency or organization.

Stipend: A Stipend is an allowance provided by either an Institutional Training Grant or a Nationally Competitive Fellowship intended to support living expenses of the graduate student supported by the award.

POLICY STATEMENT

The University may provide tuition and health insurance subsidies to bridge the gap between an Institutional Allowance associated with Institutional Training Grants or Nationally Competitive Fellowships and a graduate student’s total cost of tuition and health insurance. To qualify for the tuition and health insurance subsidies available under this policy the following conditions apply:

  1. Institutional Training Grants: Students supported on the Institutional Training Grants listed below will receive subsidies for tuition and health insurance if the Vice Provost for Graduate Education and Dean of The Graduate School has approved the Institutional Allowance in the budget request associated with the grant proposal before the grant has been submitted. The faculty member or team must apply for the maximum Institutional Allowance available under the award. Graduate students supported on Institutional Training Grants not listed below may receive subsidies at the discretion of the Vice Provost for Graduate Education and Dean of The Graduate School provided the Institutional Allowance associated with the grant covers a substantial fraction of the total cost of tuition and health insurance and the faculty applied for the maximum Institutional Allowance available under the award.
    • Department of Education – Graduate Assistance in Areas of National Need
    • National Institutes of Health – Ruth L. Kirschtein Institutional Awards (T32, )
    • National Science Foundation – National Research Traineeship
    • National Institute for Occupational Safety and Health (NIOSH) – Training Grants
    • Department of Agriculture – National Needs
  1. Nationally Competitive Fellowships: Students supported on the Nationally Competitive Fellowships listed below will receive subsidies for tuition and health insurance. Students supported on other nationally competitive fellowships may receive subsidies at the discretion of the Vice Provost for Graduate Education and Dean of The Graduate School provided the fellowship offers an annual Stipend equal to or greater than Level I graduate assistantship (9-month) Stipend as well as an Institutional Allowance determined to be adequate by the VP and Dean.
    • National Defense Science & Engineering Grad Fellowships (NDSEG)
    • National Institutes of Health - Ruth L. Kirschstein Predoctoral Individual National Research Service Award (F31)
    • National Science Foundation – Graduate Research Fellowship
  1. Notification Requirement: Faculty teams leading an Institutional Training Grant and the home departments of students holding a Nationally Competitive Fellowship must notify the Vice Provost for Graduate Education and Dean of The Graduate School of all supported students at least six weeks before the beginning of each semester.
  2. Graduate Students: Graduate students receiving subsidies must register as full-time students. They are responsible for mandatory fees associated with enrollment unless the award specifically mandates that the Institutional Allowance is intended to cover fees as well as tuition. Graduate students must also pay a portion of the health insurance premium equivalent to that charged to graduate assistants in similar circumstances.

ENFORCEMENT

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

POLICY HISTORY

Policy created:   06/27/2024 Approved by the Senior Policy Council and the President

Revisions:                         

Replaces:  Policy on Competitive Federal Graduate Fellowship Awards; Policy on Competitive Non-Federal Graduate Fellowship Awards

Academic, Scholarly, and Professional Integrity and Misconduct (ASPIM), Policy on

Posted on by
Title: Academic, Scholarly, and Professional Integrity and Misconduct (ASPIM), Policy on
Policy Owner: Graduate Faculty Council; University Senate
Applies to: All members of the University community
Campus Applicability: Storrs and Regional Campuses
Approval Date: July 11, 2023
Effective Date: August 28, 2023
For More Information, Contact: For Undergraduate Education: Director or Associate Director, Office of Community Standards (community@uconn.edu)

 

For Graduate Education: Director of Graduate Student and Postdoctoral Scholar Support, The Graduate School (gradschool@uconn.edu)
Official Website: policy.uconn.edu

BACKGROUND

The University of Connecticut is committed to fostering an intellectual community in which the highest ethical standards of academic, scholarly, and professional integrity prevail.  All members of the university community, including administrators, faculty, staff, and students, have a shared responsibility to uphold this commitment.  This commitment relates to all aspects of academic, scholarly, and professional activity, which include not only activities related to instruction, but also those related to the production and dissemination of scholarship, research, and creative works, and to professional conduct within clinical and other professional settings. Integrity in all of these activities is of paramount importance, and the University requires that the highest ethical standards in teaching, learning, research, and service be maintained. This includes “ethical aspects of scholarship that influence the next generation of researchers as teachers, mentors, supervisors, and successful stewards of grant funds” (Council of Graduate Schools, 2012).

Issues related to academic and scholarly integrity at the University of Connecticut are governed by the Academic, Scholarly, and Professional Integrity and Misconduct Policy (DATE). To recommend changes to the policy or to the implementing procedures, a committee must be convened that brings together all the above relevant stakeholders, including University Senate and Graduate Faculty Council. The committee must then bring those changes to the University Senate and Graduate Faculty Council, and each body must vote to approve any changes.

Students’ responsibilities with respect to academic and scholarly integrity are described in the following documents: Responsibility of Community Life: The Student Code.

PURPOSE

To ensure a commitment to academic, scholarly, and professional integrity in all levels of the university community.

Such a commitment ensures that:

  • all individuals accept full responsibility for their own work and ideas;
  • all academic/scholarly credit awarded to an individuals represents the work of that individual;
  • no student benefits from an unfair advantage;
  • faculty, staff, advisors and others who support the intellectual development of students are committed to fostering, guiding, and monitoring students for adherence to all principles of academic and scholarly integrity;
  • the grades earned, the degrees or certificate conferred were appropriately earned by the individual;
  • the reputation of the University with respect to academic and scholarly integrity are protected
  • faculty, staff, and students adhere to the professional standards of conduct specific to each program offered at the university;
  • this policy is used consistently across the University, including undergraduate and graduating students and schools/colleges.

APPLIES TO

This policy applies to all members of the University Community engaged in academic and scholarly efforts in, but is not limited to, the following contexts in undergraduate and graduate education:

  • courses, including online courses (e.g., assignments, exams, projects, thesis);
  • experiential and service-learning courses and activities;
  • study abroad programs;
  • clinical and practice placements, internships, and externships;
  • program assessments (e.g., comprehensive exams, thesis, program reviews);
  • research, including undergraduate, graduate, postdoctoral scholar, and faculty research; and
  • processes involving submitting information (i.e., admissions, for scholarships/fellowships, for competitions, for awards, or other university programs); and
  • professional events and conferences

All members of the University community are responsible for ensuring that the principles of academic and scholarly integrity are upheld.

This policy applies to graduate students and postdoctoral scholars, with the exception of PharmD students in the School of Pharmacy and professional students with degrees conferred by the Schools of Dental Medicine, Medicine, or Law.

This policy does not apply to legal, regulatory, or compliance requirements that fall outside the Academic and Scholarly Integrity Policy. In addition, this policy does not remove any reporting requirements to the appropriate oversight authority in instances of noncompliance or alleged noncompliance.

DEFINITIONS

Academic Integrity:  a commitment by the University Community to uphold just and ethical behaviors, which includes truthfulness, fairness, and respect (ICAI, 2021).

Scholarly Integrity: a commitment by the University community to both ”… research integrity and the ethical understanding and skill required of researchers/scholars in domestic, international, and multicultural contexts. It is also intended to address ethical aspects of scholarship that influence the next generation of researchers as teachers, mentors, supervisors, and successful stewards of grant funds.” (p. xix, Council of Graduate Schools, 2012).

Professional Integrity. Standards of behavior defined by the various professions in which students are prepared through their degree or certificate programs.

Academic, Scholarly, and Professional Integrity Misconduct is defined as unethical academic and scholarly behavior during a course (e.g., on an assignment or exam), as part of other degree requirements (e.g., requirements regarding placement, capstone or comprehensive exams, or placement exams), or at other times during undergraduate, graduate, or professional study and performance, including during engagement in fieldwork, clinical placements, or research. These behaviors include:  

  • Cheating: Unauthorized acts, actions, or behaviors in academic or scholarly areas. Examples of cheating include, but are not limited to:
    • providing or receiving help on an assignment or exam intended to reflect the individual student’s work product when not authorized to do so by the instructor. 
    • buying, selling, circulating, or using a copy of instructional materials, assignment or test, including uploading such information to online services, or using materials prepared by services that sell or provide papers or other course materials.
    • asking someone to complete an assignment, exam, or other requirement on your ones behalf or completing an assignment, exam, or requirement for another student. 
    • Failure to disclose unauthorized assistance on work submitted for evaluation, i.e., assistance obtained outside channels approved by instructors, that is used to complete a course, program, or degree requirement. This includes assistance from other students, teaching assistants, Quantitative Learning Center, Writing Center, or mediated support from the Center for Students with Disabilities.
  • Plagiarizing: Using one’s own previously published, presented, or disseminated material, or another person’s language/text, data, ideas, expressions, digital/graphic element, passages of music, mathematical proofs, scientific data, code, or other original material without authorization of the originating source or proper acknowledgement, attribution, or citation of the originating source. Examples of plagiarism include but are not limited to:
  • submitting as one’s own any work (in whole or part) completed by another individual, including any work that has been purchased from an individual, commercial research firm, or obtained from the internet.
  • submitting for evaluation or credit any work that was previously used or submitted for credit in another course or as part of a degree requirement (e.g., a thesis or dissertation) without authorization to do so from the instructor. (This includes self-plagiarism in the form of re-using, in part or whole, the content of a paper from another class or context.).
  • submitting any work prepared for or used in a previous publication, academic competition, clinic, or other activity (e.g., grant or application submission) without prior approval and full disclosure or when permitted by established editorial or other policy. (This includes self-plagiarism in the form of using, in part or whole, the content of a paper that was previously published without attribution).
  • unauthorized use of previously completed work or research for a thesis, dissertation, or publication.
  • Misrepresenting: Deliberately knowing and providing false or misleading information, including information about oneself or others. Examples of misrepresenting include but are not limited to:
    • engaging in “any omission or misrepresentation of the information necessary and sufficient to evaluate the validity and significance of research, at the level appropriate to the context in which the research is communicated” (D. Fanelli, Nature 494:149; 2013).
    • making unauthorized alterations to any document or digital file pertaining to academic or scholarly activity, including assignments, exams, and research data.
    • making up information for the purpose of deception (e.g., fabrication of data in research).
    • making false, inaccurate, or misleading claims or statements, including claims/statements made when asking for assistance (e.g., requesting an extension on an assignment), applying for admission to an undergraduate or graduate program, applying for a scholarship or an academic, scholarly, or research award, or submitting manuscripts for publications.
    • allowing someone to use one’s identity or using someone else’s identity for academic or scholarly advantage (e.g., signing in electronically for an absent student).
    • accepting credit for work for which the individual did not contribute (e.g., misrepresenting an individual’s role in a group assignments).
  • Noncompliance: Failure to conform with codified and publicly available academic, scholarly, or professional standards, processes, or protocols.Examples of noncompliance include but are not limited to:
  • not attending to the professional standards governing the professional conduct of students in particular fields (e.g., pharmacy, nursing, education, counseling, and therapy).
  • violating protocols governing the use of human or animal subjects. 
  • breaching confidentiality in academic and scholarly activity (e.g., disclosing the identity of study participants).
  • disregarding the applicable university, local, state, or federal regulations that guide academic or scholarly activities.

Instructor: any faculty, teaching assistant, or any other person (e.g., lab supervisor, clinical supervisor, professional staff) authorized by the University to provide educational services (e.g., teaching, research, advising)

POLICY STATEMENT

All members of the university community, including administrators, faculty, staff, and students, have a shared responsibility to uphold the highest ethical standards of academic, scholarly, and professional integrity and to report any violations of those standards of which they are aware.

Instructor Expectations: To foster a culture of academic integrity, instructors are responsible for communicating the expectations for academic and scholarly integrity to students and for engaging in practices that mitigate violations of this policy. Specifically, instructors are expected to:

  • include a link to the Academic, Scholarly, and Professional Integrity and Misconduct policy as part of course syllabi or documentation for any other academic/scholarly activity and include any additional unit-specific expectations.
  • review academic and scholarly integrity policy and any other disciplinary- or activity-specific expectations.
  • provide clear guidance for all assignments, activities, and assessments, including noting what resources can be used and whether collaboration is permitted.
  • ensure individuals engaged in research, creative, or professional activities understand the standards, protocols, and guidelines to which they must adhere.
  • adhere to the University processes for reporting misconduct, engaging in the review process, and assigning consequences to address violations, which should include opportunities for education and remediation.

Student Expectations:   To uphold the principle of academic and scholarly integrity in all aspects of their intellectual development and engagement at the University, students are expected to:

  • be responsible for their own work and their own actions related to all academic and scholarly endeavors.
  • assume they are to do independent work and seek clarification prior to collaborating with others or using outside resources.
  • understand and abide by the standards, protocols, and guidelines to which they must adhere in research, creative, or professional activities .

If students witness or become aware of a violation of academic or scholarly integrity, they are encouraged to communicate this to the appropriate university representative (e.g., faculty, staff, advisor).

A cumulative record is maintained of all academic or scholarly integrity violations and such record will be reviewed and considered as part of subsequent incidences. Individuals engaged in research are expected to follow all standards, rules and regulations that guide the proper conduct of research or creative activity.

ENFORCEMENT

Violations of this policy and its related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

Notes:  Student misconduct is governed by the University’s Student Code, which is administered under the direction of the Division of Student Affairs. Enforcement of its provisions is the responsibility of the Director of Community Standards (for undergraduate students), The Graduate School (for graduate students), and the Office of the Vice President for Research (for research misconduct). Identified misconduct will be routed to the appropriate unit.

Faculty misconduct is also governed by the Code of Conduct and misconduct is addressed by the appropriate university administrative unit(s) (e.g., School/College, Provost Office, Office of the Vice President of Research, Human Resources).

REFERENCES

International Center for Academic Integrity [ICAI]. (2021). The Fundamental Values of Academic Integrity. (3rd ed.) https://academicintegrity.org/images/pdfs/20019_ICAI-Fundamental-Values_R12.pdf

Council of Graduate Education (2012). Research and Scholarly Integrity in Graduate Education: A Comprehensive Approach. https://cgsnet.org/research-and-scholarly-integrity-graduate-education-comprehensive-approach-2

Responsibilities of Community Life: The Student Code

PROCEDURES/FORMS

Undergraduate Education: Academic, Scholarly, and Professional Misconduct

Graduate Education: Academic, Scholarly, and Professional Misconduct

[Note: UConn will continue to use the existing procedures administered by Community Standards for undergraduate education and The Graduate School for graduate education until such time that the university transitions to the new Procedures for Addressing Alleged Violations of the Policy on Academic, Scholarly, and Professional Integrity, which was approved by Graduate Faculty Council and the University Senate.]

POLICY HISTORY

07/11/2023 Approved by the President (06/26/2023 Approved by Senior Policy Council; 05/01/2023 Approved by University Senate; 10/26/2022 Approved by Graduate Faculty Council)

Multi-Factor Authentication Policy

Posted on by
Title: Multi-Factor Authentication Policy
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: All Workforce Members, Students
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu  or security@uconn.edu
Official Website: https://security.uconn.edu/

PURPOSE

To help prevent unauthorized access to University information systems.

DEFINITIONS

Hardware Token: A small hardware device that serves as a second authentication mechanism either in place of or in addition to the an MFA mobile app.

University Information System: Devices and/or components managed or contracted by the University for collecting, storing, and processing data and for providing  information, knowledge, and/or digital products. For purposes of this policy, information technology devices and components managed exclusively by UConn Health are not considered University Information Systems.

Multi-Factor Authentication (MFA): MFA is a method of system access control in which a user is granted access only after successfully providing at least two pieces of authentication, usually including knowledge (something the user knows such as a password), possession (something the user has such as a token generator), or inherence (something the user is such as the use of biometrics).

POLICY STATEMENT

Users of University Information Systems must adhere to Multi-Factor Authentication (MFA) requirements, where available, to ensure authorized access to University Information Systems and protected or confidential data.

University Information Systems must include effective MFA protections for authentication unless granted an exception from this policy by the Information Security Office (ISO). The Information Security Office (ISO) may mandate implementation of MFA for any University Information System.

The Information Security Office is authorized to publish and maintain any necessary standards, procedures, and guidelines to effectuate and enforce this policy.

MULTI-FACTOR AUTHENTICATION PROCEDURES

User Requirements

  1. Users must maintain a device that can receive MFA authentication requests in a secure manner via a University approved mobile app or another mechanism, such as SMS, phone, or Hardware Token.
  2. When an attempt is made to access a MFA protected system or application, the system will challenge the user by requesting a second factor of authentication which may include an acknowledgement of a push notification via a University approved MFA mobile app, a code via SMS, or a Hardware Token.
  3. If users receive an MFA notification when not conducting a recent authentication, the authentication shall be denied and immediately reported to the Technology Support Center. Users shall update their NetID password, or credential associated with the authentication, if they reasonably believe their password is compromised.
  4. Users may not approve MFA requests for another user’s account or register a device for MFA which is not within their individual control.

Frequency or Type of User Challenges

The frequency with which a user may be challenged, or the type of challenge depends both on policy and use.

  • Policy based – depending on information being accessed, more frequent authentications may be required.
  • Usage based – While user challenges may be “remembered” for a period of time, use of other hardware, browsers, or other behaviors may trigger additional verification using a second factor.

Lost or Stolen Devices

If a user’s registered multi-factor device is lost, stolen, or the user has reason to suspect their UConn NetID has been compromised, the user must contact the Technology Support Center immediately. As a precaution, they should change their NetID password at netid.uconn.edu.

Off-Hours and Emergency Access to Systems and Applications

UConn Information Technology Services will maintain internal procedures for processing emergency access requests if issues arise with the multi-factor authentication process. Users should contact the Technology Support Center for additional information.

Use of Automated Systems

Automated systems that intend to interfere with the approval component of multi-factor authentication are hereby prohibited.

ENFORCEMENT

Users may not attempt to circumvent login procedures, including multi-factor authentication, on any computer system or otherwise attempt to gain unauthorized access. Attempts to circumvent login procedures may subject individuals to disciplinary action. Financial losses incurred due to the use of multi-factor circumvention techniques are the responsibility of the user, and the University may seek financial restitution from users who violate this policy.

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

EXCEPTIONS

ITS will review and document any requests for exceptions to this standard. ITS will also have available solutions for the intermittent failure of various second factors, which may include the allowance of temporary access codes upon verification of an individual’s identity.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: March 29, 2023 (Approved by Senior Policy Council)

Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)

Student Athlete Name, Image, Likeness, Policy On

Posted on by
Title: Student-Athlete Name, Image, and Likeness, Policy On
Policy Owner: Athletics
Applies to: All Student-Athletes and University Employees
Campus Applicability: All UConn campuses, except UConn Health
Approval Date: March 18, 2025
Effective Date: March 19, 2025
For More Information, Contact Director of Athletics
Contact Information: (860) 486-2725
Official Website: https://uconnhuskies.com/sports/2021/7/14/uconn-nil-information

PURPOSE

To establish a policy pursuant to which University of Connecticut (“University”) Student-Athletes are permitted by the University to (1) earn Compensation through an Endorsement Contract, Revenue Sharing Agreements, or employment in an activity unrelated to an Intercollegiate Athletic Program; and (2) obtain legal or professional representation of an attorney or Sports Agent through a written agreement, provided that in each case, the Student-Athlete complies with the terms and conditions of this policy and applicable law.

DEFINITIONS

Athletics Booster: a person who directly contributes to a University athletic program.

Compensation: the receipt, whether directly or indirectly, of any cryptocurrency, money, goods, services, other items of value, in kind contributions and any other form of payment or remuneration.

Endorsement Contract: a written agreement under which a Student-Athlete is employed or receives Compensation for the use by another party of such Student-Athlete's person, name, image or likeness in the promotion of any product, service or event.

Intercollegiate Athletic Program: a program at the University for sports played at the collegiate level for which eligibility requirements for participation by a Student-Athlete are established by a national association for the promotion or regulation of college athletics.

NCAA: the National Collegiate Athletic Association or its successor.

Official Team Activities: all games, practices, exhibitions, scrimmages, team appearances, team photograph sessions, sports camps sponsored by the University and other team-organized activities, including, but not limited to, photograph sessions, news media interviews, and other related activities as specified by the University.

Prohibited Endorsements: receipt of Compensation by, or employment of, a Student-Athlete for use of the Student-Athlete's person, name, image or likeness (“NIL”) in association with any product, category of companies, brands, or types of Endorsement Contracts that are: (1) prohibited by law; (2) prohibited by this policy; or (3) prohibited under the applicable University procedures adopted in accordance with this policy.

Revenue Sharing Agreement: an agreement between the University or an entity acting on the University’s behalf, and a student athlete through which a student athlete shares a portion of the University’s revenue as Compensation.

Sports Agent: a duly licensed person who negotiates or solicits a contract on behalf of a Student-Athlete in accordance with the Sports Agent Responsibility and Trust Act, 15 USC 7801, et seq., as amended from time to time.

Student-Athlete: a student who attends or has agreed to attend the University and participates or has agreed to participate in a University Intercollegiate Athletic Program.

University Marks: the name, logo, trademarks, mascot, unique colors, copyrights and other intellectual property or defining insignia of the University.

POLICY STATEMENT

The University shall permit its Student-Athletes to (1) obtain legal or professional representation of an attorney or Sports Agent through a written agreement, provided that the Student-Athlete complies with this policy and applicable law; (2) earn Compensation through employment in an activity unrelated to an Intercollegiate Athletic Program; (3) earn Compensation through an Endorsement Contract with a third party; (4) earn Compensation through an Endorsement Contract with the University for the use of  the Student-Athlete's person, name, image or likeness in the promotion of any product, service or event; and (5) earn Compensation through a Revenue Sharing Agreement with the University.

1. Agreements for Representation by a Sports Agent or an Attorney

  1. A Student-Athlete may only enter into an agreement for representation with a Sports Agent if the Student-Athlete submits a copy of the agreement to the University.
  2. A Student-Athlete may only enter into an agreement for representation with an attorney if the Student-Athlete submits a copy of the agreement to the University

2. Agreements for Employment Activities and Endorsement Contracts with Third Parties

    1. A Student-Athlete may receive Compensation for employment in an activity unrelated to any Intercollegiate Athletic Program, provided the Student-Athlete signs a written agreement for the employment and submits a copy to the University before performing any employment activities or services.
    2. A Student-Athlete may only enter into an Endorsement Contract with a third party if:
      1. the Student-Athlete submits a copy of the contract to the University prior to the Student-Athlete performing any activity or service under the contract;
      2. the contract, or any portion thereof, does not conflict with the provisions of any agreement to which the University is a party. If a potential conflict is identified, the University shall disclose to the Student-Athlete or the Student-Athlete's attorney or Sports Agent the provisions of the University agreement that are in conflict; and
      3. the Student-Athlete is not required to participate or engage in any activity prohibited by Section IV of this policy.

    3. Endorsement Contracts and Revenue Sharing Agreements with the University

    A Student-Athlete may only enter a Revenue Sharing Agreement and/or Endorsement Contract with the University if:

    1. the Endorsement Contract is limited to the use of the Student-Athlete's person, name, image or likeness in the promotion of any product, service or event;
    2. the Student-Athlete is an independent contractor; and
    3. the Student-Athlete is not required to participate or engage in any activity prohibited by Section IV of this policy.

    4. Prohibitions

    1. No state funds appropriated to the University may be used to compensate a student athlete for an Endorsement Contract or a Revenue Sharing Agreement.
    2. Use of Marks. Student-Athletes are prohibited from using or consenting to the use of any University Marks when performing any services or activity associated with an Endorsement Contract or employment activity without prior written permission from the University or its authorized designee.
    3. University Employees. University employees are prohibited, in their individual capacity, from entering into an Endorsement Contract or a Revenue Sharing Agreement with any Student-Athlete or otherwise providing Compensation to a Student-Athlete in connection with a Student-Athlete’s participation in an Intercollegiate Athletic Program.
    4.  Student-Athletes.
      1. Student-Athletes are prohibited from performing any service or activity associated with an Endorsement Contract or employment activity that interferes with any official team activities or academic obligations.
      2. Student-Athletes are prohibited from receiving Compensation from entering an Endorsement Contract with, and/or otherwise engaging in an employment activity with companies, brands, products, conduct, and/or entertainment prohibited under University procedures adopted in accordance with this policy.

              PROCEDURES

              The President or the President’s designee may adopt procedures concerning the implementation of this policy.

              ENFORCEMENT
              Violations of this Policy or associated procedures may result in appropriate disciplinary measures in accordance with state law, University Laws and By-Laws, and Division of Athletics Student Athlete Handbook.

              POLICY HISTORY

              Policy created effective June 30, 2021 [Approved by the Board of Trustees]

              Revisions:
              May 2, 2022
              March 18, 2025 [Approved by the President’s Senior Policy Council]

              Endpoint Device Security Policy, Information Technology

              Posted on by
              Title: Endpoint Device Security Policy, Information Technology
              Policy Owner: Information Technology Services / Chief Information Security Officer
              Applies to: All faculty, staff, student employees, affiliates, and volunteers
              Campus Applicability: All UConn Campuses, except UConn Health
              Approval Date: March 4, 2026
              Effective Date: March 9, 2026
              For More Information, Contact: UConn Information Security Office
              Contact Information: techsupport@uconn.edu or security@uconn.edu
              Official Website: https://security.uconn.edu

              BACKGROUND

              Endpoints are important tools for the University, and their use is supported to advance the mission of the university. Endpoints also represent a significant risk to information and data security. If appropriate security measures and procedures are not applied, endpoints can serve as a conduit for unauthorized access to University data and IT resources that can subsequently lead to data leakage and a path for compromise of other systems.

              PURPOSE

              To ensure data and information systems security by establishing requirements for endpoint devices.

              APPLIES TO

              This policy applies to all University faculty, staff, student employees, and volunteers who use endpoint devices to access any non-public IT resources owned or managed by the University.

              DEFINITIONS

              IT Resources: Includes systems and equipment, software, and networks. Systems and equipment include but are not limited to computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers, and other related devices. Software includes but is not limited to computer software, including open-source and purchased software, and all cloud-based software, including infrastructure-based cloud computing and software as a service. Networks include but are not limited to all voice, video, and data systems, including both wired and wireless network access across the institution.

              Endpoint: Physical device that connects to and exchanges information with a computer or telecommunications network, often acting as the interface between a human user and the network, including but not limited to, desktops, laptops, tablet computers, and smartphones. Endpoints do not host services for other endpoints.

              Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies.

              POLICY STATEMENT

              University of Connecticut faculty, staff, student employees, affiliates, and volunteers who use endpoints, whether University-owned, externally owned, or personally owned, are responsible for any institutional data that is stored, processed, and/or transmitted via an, endpoint, mobile, or remote device and for following the security requirements set forth in this policy.

              To adequately protect the data and information systems of the University, all individuals covered under this policy are expected to meet the following requirements:

              Endpoint Security Requirements

              • Configure the device to require a password meeting the requirements set forth in the University Password Standard (https://security.uconn.edu/password-standards/), biometric identifier, PIN (minimum of 6 characters), or swipe gesture (minimum of 6 swipes) to be entered before access to the device is granted. Device must automatically lock and require one of the authentication methods after no more than 15 minutes of idle time.
              • Keep devices on currently supported versions of the operating system and remain current with all published operating system and software patches.
              • Enable and appropriately secure the device’s remote wipe feature to permit a lost or stolen device to be securely erased.
              • Securely store the device when not in use to minimize loss via theft or accidental misplacement.
              • Ensure internal hardware and external peripherals, including but not limited to USB devices, external storage, scanners, input devices, and displays, are manufacturer supported and compatible with the installed operating systems and other installed software.
              • Except when being actively used, confidential information on endpoint devices must at all times be encrypted through a mechanism approved by the University. Whole drive or whole device encryption may be deployed to meet this requirement.
              • Endpoints must have software enabled and running to identify, protect, and respond to any threats to the data or operating systems of the devices. University owned endpoints must be enrolled in the university-supported endpoint detection and response (EDR) platform.
              • University owned endpoints must have Mobile Device Management software installed and enabled to facilitate device protection, including remote wipe and, if possible, device location technology for recovery. Personal devices should be configured to enable these features where possible.

              Wherever practical, elements of these requirements will be enforced via centrally administered technology controls.University owned devices that are unable to meet these requirements must go through a security assessment prior to their use.

              STORAGE OF CONFIDENTIAL DATA

              In general, Confidential Data should not be stored on endpoints. However, in certain instances and depending on job responsibilities, this may be unavoidable. In these instances, Confidential Data must be stored ONLY on university-owned devices configured in compliance with this policy.

              DEVICE DECOMMISSION OR SEPARATION FROM THE UNIVERSITY

              When endpoints, including personally owned devices that may have had access to University resources or data, are no longer used, and sold, donated, given, placed in the control of or otherwise transferred to anyone else, the device owner is responsible for ensuring that any University information is securely deleted from the device, including University-related e-mails/accounts, user ID and password, or other cached credentials used to access University systems.

              In the event of separation from the University, it is the employee’s responsibility to delete any University-related e-mail accounts or University licensed software that may have been installed on personal endpoints, devices, or computers.

              EXCEPTIONS

              In certain instances, there may be a justifiable business need to operate a device that is not in compliance with this policy. In these instances, users must work with the Information Security Office to request evaluation of an exception to this policy. Exceptions are reviewed on a case-by-case basis and are approved at the discretion of the Chief Information Security Officer based on justifiable business need and assessed risk. Exceptions must be reviewed and approved prior to implementation of any solution that does not fully comply with this policy.

              ENFORCEMENT

              Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.
              Questions about this policy or suspected violations may be reported to any of the following:

              Office of University Compliance –  https://compliance.uconn.edu (860-486-2530)

              Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

              Information Security Office – https://security.uconn.edu

              REFERENCES

              Data Classification Policy

              POLICY HISTORY

              Policy created: August 30, 2021 (Approved by President’s Senior Team)

              Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)

              System and Application Security Policy

              Posted on by
              Title: System and Application Security Policy
              Policy Owner: Information Technology Services / Chief Information Security Officer
              Applies to: University Workforce Members
              Campus Applicability: All UConn Campuses, except UConn Health
              Approval Date: March 4, 2026
              Effective Date: March 9, 2026
              For More Information, Contact: UConn Information Security Office
              Contact Information: techsupport@uconn.edu or security@uconn.edu
              Official Website: https://security.uconn.edu

              PURPOSE

              To ensure the security of university data and systems by establishing requirements for the proper maintenance and oversight of systems and applications used by university constituents.

              APPLIES TO

              This policy applies to all workforce members responsible for operating or overseeing any University system or application, whether on premise or in the cloud.

              DEFINITIONS

              Academic / Research System: A system whose primary responsibility relates to individual academic work or research.

              Administrative System: Any system that is used in support of the operation of the university excluding individual Academic / Research Systems.

              ISO: Information Security Office

              ITS: Information Technology Services

              IT Professional: An individual (staff) who is trained and skilled in using technology to solve business problems coupled with assigned job duties in support of technology at the university. This must be a defined responsibility within the position job description and may not fall under “other duties as assigned.” Appropriate training, support, and budget must also be available in support of the IT Professional role.

              Local Network: Network of computers and devices logically located on the same subnet.

              Software as a Service (SaaS): Cloud-based service that is delivered via the web based on either a monthly or annual subscription.

              Platform as a Service (PaaS): Cloud-based service that provides a platform allowing for the development of software using an established framework to improve development time and management of cloud services.

              Personally Identifiable Information (PII): Information that either singularly or in conjunction with other data elements could reasonably lead to the identification of specific individuals.

              System Owner: The individual – such as a faculty member, department head, manager, or other employee – who is responsible for the planning and operation of the service. All systems must have a designated system owner.

              Vendor Risk Management (VRM): The process of identifying, assessing, and mitigating risks associated with third-party suppliers and service providers. It ensures that vendors meet security, compliance, and operational standards before and during their engagement with the University.

              POLICY STATEMENT

              The proper management, maintenance, and support of systems and applications is critical to protecting the data they store or process from a confidentiality, integrity, and availability perspective.

              System Ownership

              All systems, including cloud-based systems, supporting any aspect of the University must have an identified owner and responsible party for ensuring the implementation and operation of the controls specified in this policy.

              All software and services used to process University information are subject to an Information Security review and sign off prior to their purchase or development. Information security reviews will evaluate specific risks and controls available and necessary based on the information being processed. The System Owner will be responsible for the deployment of the agreed upon security controls prior to enabling the production capability of the system or application. Maintaining security best practices is an ongoing and evolving responsibility; the System Owner shall implement additional security controls consistent with best practice, regulatory requirements, or as directed by the Information Security Office during the lifecycle of the system, server, software, or service.

              System Access

              Access to information in the possession of or under the control of the University must be provided on a need-to-know basis. Information must be disclosed only to individuals who have a legitimate and approved need for the information. Access to functionality shall be configured on the basis of least privilege and granted only where approved for a legitimate business purpose.

              Systems and applications shall employ best practices for authentication and authorization. System Owners are responsible for maintaining documentation of their system access controls. The use of University Single Sign On (SSO) is required unless impractical or impossible.

              Information may only be used for its intended purpose, and other uses of University information without the approval of the data owner is prohibited.

              System access shall be reviewed and altered (if applicable) as soon as possible when a relevant change in an individual’s status occurs, including but not limited to, change of role, transfer, promotion, termination, or separation.

              When an individual requires continued access to an existing system following a change of status, any access that is no longer required must be removed.

              Any shared/service accounts, encryption keys, or shared secrets that the individual had access to must have their passwords or private keys rotated following the status change unless the System Owner determines that continued access is required.

              User Management

              Information Technology Services (ITS) provides a centralized user identity and access management platform (IAM) that supports identity validation and access management using a NetID and password. UConn NetID provides for single sign on (SSO) across multiple systems. Systems and applications that rely on the University IAM platform to authenticate individuals may rely on UConn NetID for user management. System Owners are always responsible for assigning and managing roles within the system or application.

              Owners of systems and applications that cannot use the central IAM solution shall develop a formal, written plan which, at minimum, defines or identifies the following:

              • The individual(s) responsible for creating, modifying, and deleting user accounts.
              • Process and responsibility for regularly reviewing system access. System access reviews must be performed when configured users separate from the University, and not less than annually.
              • Password/multi-factor authentication requirements and reset procedures. Multi-factor authentication is required for all systems.
              • Process for validating a person’s identity when password or multifactor reset or account changes are requested.

              The authentication management plans and any plan revisions must be submitted to the Information Security Office for review and approval.

              Software Maintenance

              Only necessary software should be loaded on systems, and old versions of software removed. The use of web browsers and other individual productivity tools should be limited to the management of the system only.

              Patching, Maintenance, and Vulnerability Management

              System Owners must ensure the timely implementation of patches and required maintenance in accordance with the University’s vulnerability management standards and vendor provided guidance in order to provide for the confidentiality, integrity, and availability of the systems or data. Maintenance is considered required when the change is necessary to remediate a vulnerability, maintain the availability of a system, or align with updated industry best practices. The ongoing maintenance of systems and applications, including software and configuration maintenance, must be minimally scheduled on a quarterly basis. This includes on-premises, vendor-hosted, and cloud-hosted applications. It is the UConn System Owner’s responsibility to ensure that systems under their control remain in compliance with this policy, even when the system is managed or hosted externally.

              System and Application Lifecycle Management

              System Owners are responsible for the planning of and budgeting for system maintenance and obsolescence. Any system or application that is no longer supported by the vendor or is replaced by newer technology should be decommissioned as soon as possible.  The decommissioning process must include the proper retirement of any physical hardware or virtual images and the proper destruction of any media (e.g., hard drives, tapes, etc.) that may have data. Cloud services that are decommissioned should ensure the proper handling of any data (return and/or destruction) in the cloud vendor’s possession as part of the contract cancellation.

              Software as a Service (SaaS) / Platform as a Service (PaaS)

              Patching and maintenance of cloud-based SaaS and PaaS systems is typically handled by the contracted vendor. System Owners are responsible for proper security configurations and user management associated with providing the service. A Vendor Risk Management review is necessary for all newly procured cloud-based services.

              Infrastructure as a Service (IASS)

              IaaS provides a significant amount of flexibility in the configuration and use of the platform. This requires specific expertise and management by an IT Professional. Where applicable, IaaS solutions must meet the same requirements as Administrative Systems.

              Administrative System and Application Security

              Administrative systems, due to their complexity, must be managed by an IT Professional. System Owners are responsible for ensuring they have the administrative and technical resource capacity to support this requirement.

              Administrative Systems will be required to adhere to all regulatory requirements and meet security controls and  standards as set forth by the Information Security Office based on institutional requirements.

              Encryption

              All systems housing administrative data shall be configured to provide encryption for all data in transit and all data at rest. Where possible, the encryption keys necessary to decrypt the data should reside outside of the system and/or application.

              Auditing of Systems and Application Logs

              System and application logs shall be reviewed for inappropriate access on a regular basis (at least monthly) or via automated systems capable of detecting misuse through the analysis of frequent password failures, geographic anomalies, or inappropriate access attempts. ITS maintains a centralized logging and reporting platform, which can assist in the analysis of large amounts of data often associated with system and application logs. All Administrative Systems (regardless of hosting platform) and all centrally hosted systems must be configured to log both application and security events to the centralized logging and reporting platform.

              Mandatory Reporting

              All suspected policy violations, system intrusions, and other conditions that might jeopardize University information or information systems must be immediately reported to the Information Security Office.

              EXCEPTION MANAGEMENT

              The Information Security Office shall maintain a risk-based exception management program and shall review and document any requests for exceptions to this policy. The Information Security Office shall, in its sole discretion, approve or deny requested exceptions and may require mitigating controls for any approved exception.

              System and application owners shall contact the Information Security Office to initiate the exception review process when it is not possible to comply with this policy.

              ENFORCEMENT

              Systems and applications found to be non-compliant with this policy may be administratively shut down or have their access restricted. Systems maintained at the departmental or individual level may incur costs in association with enabling the proper protections or in the event of data exposure.

              Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

              PROCEDURES/FORMS

              Questions about this policy or suspected violations may be reported to any of the following:

              Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) or UConn Reportline (1-888-685-2637)

              Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

              Information Security Office – https://security.uconn.edu

              POLICY HISTORY

              Policy created: August 30, 2021 (Approved by President’s Senior Team)

              Revisions:
              August 30, 2023 (Approved by the Senior Policy Council and the President)
              March 4, 2026 (Approved by the Senior Policy Council and President)

              Network Access Policy, Information Technology

              Posted on by
              Title: Network Access Policy, Information Technology
              Policy Owner: Information Technology Services / Chief Information Security Officer
              Applies to: Workforce Members, Students, and Guests
              Campus Applicability: All UConn Campuses, except UConn Health
              Approval Date: March 4, 2026
              Effective Date: March 9, 2026
              For More Information, Contact: UConn Information Security Office
              Contact Information: techsupport@uconn.edu or security@uconn.edu
              Official Website: https://security.uconn.edu

              PURPOSE

              The University invests significantly in maintaining a secure network that meets the academic, research, residential, and administrative needs of the institution. To ensure compliance with applicable Federal and State laws and regulations and  protect the campus network , certain security, performance, and reliability requirements must govern the operation of these networks.

              APPLIES TO

              This policy applies to all University workforce members,  students, and guests who have access to University Networks.

              DEFINITIONS

              University Network: The university network is comprised of the network hardware and infrastructure and the services to support them, from the data jack or wireless access point to the University’s Internet Service Provider’s (ISP) connection. The university network begins at the connection to the network (wired or wireless) and ends where we connect to the Internet.

              Wired Network: The wired network consists of the physical cabling, infrastructure, and management systems that provide physical network access via an ethernet or fiber optic cable.

              Wireless Network:  The wireless network consists of access points (connected to the wired network), wireless spectrum, and management systems that provide services via the UConn provided wireless networks, including UConn Secure, Guest, EDUROAM, and other specialty networks.

              POLICY STATEMENT

              The University Network (wired & wireless) is an essential resource for the University of Connecticut students, faculty, staff, and guests. The University Network provides a variety of critical services that meet the academic, administrative, research and residential needs of the University. Due to the complex nature of the University’s network, Information Technology Services (ITS) is responsible for the overall design, installation, coordination and operation of the University’s network environment.

              Wired Networks

              • The wiring and electronic components of the network are deemed part of the basic infrastructure and utility services of the University. Installation and maintenance of that network are to be considered part of the “up front” basic required building and renovation costs and are not considered discretionary options in construction and renovation design.
              • Standards for the network wiring, electrical components, and their enclosures are defined by Information Technology Services (ITS), subject to Building and Grounds (B&G) oversight and are considered part of the University’s “building code” to which installations must conform.
              • Upgrades to our campus network will be done as part of a university-wide Network Master Plan.  This Network Master Plan will be coordinated with the University’s Building Master.
              • UConn Information Security and ITS Network Engineering operate the network security layer through firewalls, VPNs and other technologies. Units are required to work with these groups when implementing solutions involving secured networks or network segments. Units operating local firewalls and/or VPNs must give UConn Information Security and ITS Network Engineering administrative access to these devices and access into protected networks for visibility, security and diagnostic purposes. Information Security and ITS Network Engineering retain discretionary disconnect authority over all network connections.
              • Units proposing to design, install, maintain, or extend data or telecommunications networks must give ITS Network Engineering and Information Security access to/through these devices into the active network segments. This will give Network Engineering the ability to see beyond the secure points of the network for diagnosing problems potentially affecting the overall network.
              • Units wishing to design, install and maintain their own network must have their designs reviewed by ITS Network Engineering. All installations must conform to the standards set forth in the Telecommunications Design Standards published on the University Planning, Design and Construction Resources and Information page (https://updc.uconn.edu/contractors-working-at-uconn/). The requesting entity must submit technical specifications of the equipment to be used in the project, along with the logical and physical design maps, for ITS approval to ensure network compatibility and service conformance. ITS Network Engineering will provide the department with an approval letter, which can be submitted to Purchasing with the purchase request.  This requirement extends to all data and telecommunications networks operated or to be operated on any UConn campus or property (except those under the oversight of the Health Center), or operated or to be operated for any UConn purpose, whether or not the proposal includes connecting to or interconnecting with the main UConn networks or telecommunications systems

              Wireless Networks 

              • The addition of new wireless access points on the University Network must be coordinated and approved by ITS.  Wireless performance is impacted by the architectural features, building materials, and furnishings of a contemporary workspace.  Construction and renovation projects must be coordinated with ITS and include funding for additions or adjustments required to optimize performance and serviceability of impacted wireless access points and systems.
              • On an exception basis, departments and individual faculty may install and manage wireless access points for specific programmatic needs. These locally administered wireless access points must be registered and coordinated with ITS prior to deployment to prevent radio frequency (RF) interference on either wireless network.  At least one individual in the requesting department must be designated as the official contact for the access point.  The official contact is responsible for the data and network traffic that traverses through the access point and appropriate access control and security configuration, as well as the regular maintenance, software updates, and replacement.
              • Any devices either not part of or that cause significant RF interference with the University wireless network will be considered a “rogue” access point or device.  ITS will pursue all reasonable efforts to contact the owner of the rogue device, and if necessary, may disable or disconnect them from the University Network. This includes devices and equipment that operate in the frequency ranges occupied by the University Wi-Fi network.

              ENFORCEMENT

              Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

              PROCEDURES/FORMS

              Questions about this policy or suspected violations may be reported to any of the following:

              Office of University Compliance –  https://compliance.uconn.edu (860-486-2530)

              Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

              Information Technology Services CIO – https://cio.uconn.edu

              POLICY HISTORY

              This policy replaced the Wireless Network Policy (05/15/2006) and Physical Network Access Policy (11/18/2008).

              Policy created: August 30, 2021 (Approved by President’s Senior Team)

              Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)

              Firewall Policy

              Posted on by
              Title: Firewall Policy
              Policy Owner: Information Technology Services / Chief Information Security Officer
              Applies to: All students, faculty, and staff responsible for configuring firewalls
              Campus Applicability: All UConn Campuses, except UConn Health
              Approval Date: February 20, 2026
              Effective Date: March 9, 2026
              For More Information, Contact: UConn Information Security Office
              Contact Information: techsupport@uconn.edu or security@uconn.edu
              Official Website: https://security.uconn.edu

              PURPOSE

              To ensure a common set of firewall configurations across the organization to maximize their protection and detection capabilities in support of the University’s information security. Firewalls provide a valuable protection and detection capability for the organization when properly configured, managed, and monitored.

              APPLIES TO

              This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have responsibility for controlling or configuring firewalls.

              DEFINITIONS

              EOL: End of Life

              EOS: End of Support

              IANA: Internet Assigned Numbers Authority

              POLICY STATEMENT

              The University operates in a highly flexible and adaptive security environment to meet its academic, research, and administrative missions. While the ability to adapt to meet the ever-changing needs of the University is important, oversight and reporting of firewall activities are critical to the successful protection and operation of the University environment. The following firewall requirements must be satisfied:

              Firewall Configuration Standards

              • All firewalls must be properly maintained from a hardware and software perspective. This includes proper lifecycle planning for EOL and EOS software/hardware and regular review (at least annually) of firewall rulesets.
              • All dedicated firewalls used in production must follow the University firewall management standard, which includes the ability to review currently configured firewall rules across the organization, identification of shadow or redundant rules and rules in conflict, and standardization of device/object names.
              • Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets, configurations and backup media must be restricted to those responsible for administration and review.

              Firewall Rules

              Firewall rules specify (either allow or deny) the flow of traffic through the firewall device. Firewall rules are typically written based on a source object (IP address/range, DNS Name, or group), destination object (IP address/range, DNS Name, or group), Port/Protocol and action.

              • All firewall implementations should adopt the principal of “least privilege” and deny all inbound traffic by default. The ruleset should be opened incrementally to only allow permissible traffic.
              • Outbound traffic should be enumerated for data stores, applications, or services
              • Overtly broad rules may be allowed for specific groups of individuals (not systems). Approval must be granted by the Chief Information Security Officer or their designee.
              • The use of overly permissive firewall rules is prohibited (i.e., ANY/ANY/ALL rules).
              • Protocols defined in services and in the firewall must utilize Service Name and Protocol/Port information as assigned by IANA, unless there is a technical reason to do otherwise other than “security through obscurity” and must be commented appropriately in the ruleset.

              Firewall Logging

              Firewall log integrity is paramount to understanding potential threats to the network. Firewall devices must log the following data to a system outside of the physical firewall itself and must be regularly reviewed at least monthly or programmatically through automated means. Firewall logs may be forwarded to the ISO SIEM for retention and analysis.

              The following items must be logged as part of the operation of the firewall:

              • All changes to firewall configuration parameters, enabled services, and permitted connectivity
              • Any suspicious activity that might be an indicator of either unauthorized usage or an attempt to compromise security measures

              ENFORCEMENT

              Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

              PROCEDURES/FORMS

              Questions about this policy or suspected violations may be reported to any of the following:

              Office of University Compliance –  https://compliance.uconn.edu (860-486-2530)

              Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

              Information Security Office – https://security.uconn.edu

              REFERENCES

              Internet Assigned Numbers Authority

              POLICY HISTORY

              Policy created: August 30, 2021 (Approved by President’s Senior Team)

              Revisions: February 20, 2026 (Approved by the Senior Policy Council)