Parking and Vehicle Policy

August 21, 2012

Title: Parking and Vehicle Policy
Policy Owner: Facilities Operations – Logistics
Applies to: Workforce Members, Students, Visitors
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: May 29, 2025
Effective Date: May 29, 2025
For More Information, Contact Parking Services
Contact Information: parkingservices@uconn.edu
Official Website: https://park.uconn.edu/

BACKGROUND

The University of Connecticut (“UConn”) is authorized by state law[1] to promulgate rules and regulations concerning the parking and operation of all Motor Vehicles on UConn campuses, which include its Main Campus (Storrs), its Law School (Hartford), and each of its Regional Campuses.

Facilities Operations has overall supervisory responsibility for parking and Motor Vehicle operations at UConn Storrs, UConn Law School, and Regional Campuses.  UConn Parking Services, a subdivision of Logistics, is designated to enforce these rules and regulations.

PURPOSE

To establish a framework for the allocation, regulation, and enforcement of parking and vehicle use across UConn campuses, ensuring equitable access, safety, and alignment with the University’s operational needs and mission.

APPLIES TO

Workforce members, students, and visitors on the UConn Storrs, UConn Law School, and Regional Campuses.

DEFINITIONS

Bicycle: Any wheeled vehicle that is not self-propelled and is designed to be pedaled by the rider.

Employee, Regular Payroll: UConn employees who receive UConn bi-weekly paychecks created during its regularly scheduled payroll processes and who are, therefore, eligible for pre-tax Parking Permit fee deductions and the annual extension of preexisting permit parking privileges.

Employee, Special Payroll: UConn employees whose employment periods are part-time, seasonal, or contractually limited.

Hand/Stair Rail: Any railing intended to provide physical support to a pedestrian.

Immobilization: Restricting the vehicle’s use by detaining it at the point of infraction with a UConn locking device.

Impoundment: Removing the owner’s lock, transporting the vehicle to a UConn facility and detaining it.

Motor Vehicle: A motorized conveyance designed for transportation, including but not limited to cars, trucks, motorcycles, motorbikes, motor scooters, and mopeds. Motor Vehicles are classified into the following categories based on their design, engine capacity, and/or Connecticut state law and regulatory requirements:

  1. Motorcycle: A Motor Vehicle with no more than three wheels in contact with the ground, designed with a saddle or seat for the rider or a platform for standing. Motorcycles may not be operated on sidewalks under state law. This includes:
    • Motor scooters with an engine capacity greater than 50 cubic centimeters (cc), which are classified as motorcycles under Connecticut state law and require registration and a valid motorcycle license for operation on public roadways.
    • Bicycles with an attached motor, except those classified as mopeds (bicycles with a helper motor).
  2. Motorized Personal Transportation Vehicle (MPTV): A vehicle or device used for human transport that does not require a license to operate and is propelled by a fuel- or battery-driven motor. This includes:
    • Electric bicycles
    • Electric skateboards
    • Hoverboards
    • Self-balancing electric scooters
    • Gasoline-powered scooters
    • Mopeds (bicycles with a helper motor)
      • A moped is a bicycle equipped with a helper motor with the following characteristics:
        • Engine capacity of less than 50 cubic centimeters (cc)
        • Not exceeding two brake horsepower
        • Maximum speed of 30 mph with automatic transmission
        • Not subject to registration, but operators must have a valid motorcycle license to ride on public roadways.
  3. Motor Scooter: A subset of vehicle under MPTVs or Motorcycles, depending on engine size:
    • Scooters with an engine capacity of less than 50 cc are classified as “bicycles with a helper motor” (mopeds).
    • Scooters with an engine capacity greater than 50 cc are classified as motorcycles under state law, requiring registration and a motorcycle license for operation on public roadways.

      Parking Citation (‘Citation’): The written documentation of a violated parking regulation; any associated parking fine(s) will remain due until it is either paid or an appeal is upheld.

      Parking Permit (‘Permit’): UConn Parking Permits authorize parking by the permit holder on designated areas of UConn campuses, with some restrictions. Permits are available for online purchase year-round by UConn employees and students.

      Public Safety Equipment: Any system or resource necessary for the prevention of and protection from events that could endanger the safety of the public from significant danger, injury/harm, or damage, such as crimes or disasters.  For example, fire hydrants and blue light emergency phones.

      POLICY STATEMENT

      The operation and parking of a Motor Vehicle on UConn campuses is a privilege granted by UConn. All individuals who operate or park a Motor Vehicle on UConn campuses must comply with applicable state and federal laws, as well as UConn policies. All vehicles, including Bicycles, skateboards, and MPTVs, must be operated in a manner that does not endanger pedestrians or obstruct pathways.

      The University reserves the right to restrict or regulate any transportation device that poses a safety hazard.

      Parking Permits

      Parking on UConn campuses, including Motorcycles, Mopeds, and Motor Scooters, requires a valid Parking Permit. MPTVs do not require Parking Permits but they are subject to all vehicle and traffic laws on UConn campuses.

      All workforce members and students who park on UConn campuses must register their vehicles with UConn Parking Services and display a valid UConn Parking Permit when parked on campus. Parking Permits are valid for the permit holder only as Parking Permits are not transferable. A Parking Permit grants the holder the opportunity to park within designated area(s), but it does not guarantee the availability of a parking space. Not finding a space in a preferred lot is not a valid reason for violating parking policy or regulations.

      Students enrolled at institutions other than UConn are considered visitors and must use designated visitor parking for a fee. UConn students employed by UConn are NOT eligible for the purchase of employee Parking Permits.

      Affiliated individuals who park on UConn campuses are required to purchase an Area 2 Parking Permit to be authorized to park.

      Parking Services is not authorized to issue temporary state handicap parking placards.

      UConn Parking Permit holders are responsible for keeping their vehicle information up to date. Any changes to vehicle registration must be reported to Parking Services immediately.

      Parking Services reserves the right to revoke a Parking Permit and its associated privileges before its expiration.

      Restricted Parking

      Parking of any vehicle, including Bicycles, is strictly prohibited in the following areas unless explicitly designated:

      • Sidewalks, pedestrian walkways, and crosswalks or anywhere that obstructs or negatively impacts pedestrian movement
      • Alleyways, fire lanes, driveways, loading zones, ADA parking transfer zones
      • Within 10 feet of fire hydrants or Public Safety Equipment
      • Adjacent to UConn buildings
      • Inside buildings, under overhangs, or in breezeways
      • Secured to unauthorized structures (e.g., trees, Hand/Stair Rails, bollards, fences, signposts, or Public Safety Equipment)
      • Any location or manner that creates, or has potential to create, a public safety hazard such as blocking or encumbering a building entrance or exit

      Additionally:

      • Bicycles must be parked in designated Bicycle racks.
      • Overnight parking, not specifically authorized by University Permit privileges, posted signage, or written communication from Parking Services is prohibited.
      • Severe weather may require UConn to modify or suspend normal parking operations. Vehicles that impede snow removal will be ticketed by UConn Parking Services and/or towed.
      • Vehicles abandoned or otherwise parked for an extended period in an inoperable or neglected condition may be impounded without notice by Parking Services, at the owner’s risk and expense.

      Event parking may require temporary redirection of Permit holders to alternate parking locations. Permit holders must comply with posted signage or instructions from Parking Services regarding event-related parking adjustments.

      Parking Citations

      • Failure to display a valid Parking Permit or comply with applicable laws, regulations, and policies may result in Parking Citations, towing, or revocation of parking privileges. The registered owner of the cited Motor Vehicle is responsible for the payment of the associated fines.
      • Unpaid Parking Citations after 14 days are considered delinquent, accrue late fees, and cannot be appealed.
      • Unauthorized vehicles in restricted areas may be impounded at the owner’s expense.

      ENFORCEMENT

      Parking rules and regulations are enforced year-round, including during academic recesses. University Permit parking privileges are strictly enforced in most surface lots between the hours of 7:00 a.m. and 5:00 p.m. on weekdays, unless otherwise posted. Parking garages are enforced 24/7 year-round. Although Permits are not required in most employee and student commuter lots after 5 PM, they are required in all resident and apartment lots and in other restricted locations 24/7.

      Violations of this policy or procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

      PROCEDURES

      Parking Permits

      See Parking Services/Permits for specific Parking Permit information.

      Employees

      Employee Parking Permits are available for purchase throughout the year. See: Employee Permit Parking information.

      New UConn Regular and Special Payroll Employees may register and purchase their UConn Parking Permits online or may apply for and purchase their Parking Permits at the Parking Services Office in Storrs.
      Only Regular Payroll Employees are eligible for payroll-deducted Permits.

      Special payroll Employees must pay for their Parking Permits upfront using a credit/debit card, check, or money order.

      Renewal of Permits

      The parking privileges of Regular Payroll UConn Employees are automatically extended from one Permit year to the next. Those who secure their parking privileges using payroll deductions will be given the opportunity to discontinue their deductions.  Special payroll Employees must manually renew their Parking Permit if they continue working at UConn in subsequent semesters. Permits purchased using check, money order or credit/debit card can be cancelled through Parking Services for refunds according to the prorated refund schedule.

      Students

      Permit types and eligibility are based on academic credit hours and housing status. Parking Permits are available for students living off campus (commuter); on campus (resident); or teaching assistants/graduate assistants (GA/TA). UConn annual student Parking Permits remain valid from the start of the fall semester to the end of summer recess.

      See: Student Parking Permit Product and Sales Information for the Storrs and Regional campuses.

      See: Resident Parking Permits Rates, Types, & Eligibility.

      • Resident Student Permits: Students with 54 or more earned academic credits assigned UConn housing on the Storrs or Regional campuses are eligible to purchase a Resident Parking Permit.
      • Exceptions to 54 Credit Rule for Resident Students: Exceptions for resident students with fewer than 54 credits are limited to medical needs or life events that require a resident student to have a car on campus. Documentation may be required, and parking is typically restricted to Lot J or other perimeter lots.  Off-campus employment obligations do not qualify for an exemption from the 54-earned-credit-hour prerequisite.
      • Commuter Student Permits: All Commuter students are eligible to purchase available Commuter Parking Permits.
      • Student Carpool Permits: Only commuter students are eligible to purchase Carpool Permits.

      Renewal of Permits

      Students must renew Parking Permits each academic year if they plan to park on campus. To cancel a Permit, students must notify Parking Services, and if eligible, they may receive a prorated refund based on UConn’s refund schedule.

      Visitors

      Visitors can make their own parking arrangements on all UConn campuses. On the Storrs campus, hourly self-pay parking is also available in the North and South parking garages.

      For all campuses, see: Guest and Visitor Parking.

      Accessible Accommodations and Special Requests

      Parking Services’ staff are available to discuss on-campus travel and parking accommodation for those with special circumstances at (860) 486-4930.

      Connecticut residents may visit the Connecticut Department of Motor Vehicles website to learn more about the availability and privileges associated with Connecticut’s temporary handicap parking placards.

      For Employees

      UConn Faculty and Staff with state-issued handicap placards can apply for a UConn Parking Permit and use ADA compliant spaces within their selected Permit-type area. See: UConn Accessible Parking for complete Accessible Parking information.

      For Students

      Any UConn Resident student requesting to purchase a Parking Permit based on a documented disability should register with the Center for Students with Disabilities (CSD) and follow the procedures for requesting accommodations. See: UConn Center for Students with Disabilities (CSD).

      Parking Citations & Appeals

      Parking Citations & Fines

      Payment of UConn Parking Citations can be made online, by mail, or in person at Parking Services. Acceptable payment methods include check, credit/debit card, or money order made out to the “University of Connecticut.”

      See: Paying a Ticket.

      See: Parking Citation Appeal Processes and associated forms.

       Parking Citations must be paid within 14 calendar days of issuance. Payment methods include:

      • Online: via the Parking Services website.
      • By mail: with check or money order payable to “University of Connecticut.”
      • In person: at the Parking Services Office.

      Unpaid Citations after 14 days are delinquent and subject to late fees. Delinquent Citations cannot be appealed. UConn may send Citations that are delinquent for six months or more to a collection agency. Unpaid student Citations may be posted to student fee bills. All those with delinquent Parking Citation fees will be sent up to three notifications of payment.

      Two weeks following the issuance of the third payment notification, the revocation of the payee’s UConn parking privileges may occur. If a Permit is revoked, a refund of the remaining value of the Permit may be considered.

      UConn may forward any Parking Citation fees delinquent for six months or more to a collection agency.  The overdue Parking Citation fees of UConn students can be posted to their student fee bills for payment.

      See: Paying a Ticket for full payment details.

      How to Appeal a Parking Citation

      Appeals must be submitted in writing within 14 calendar days of Citation issuance. Appeal methods Appeals may be submitted online or via the submission of a preprinted paper form, available for online download and at the Parking Services (Storrs) office. Parking Citation appeals are either “granted” or “denied”. If granted, no payment is due.  If denied, payment must be made within 14 days to avoid a late fee.

      If an appeal is denied, payment must be made within 14 days to avoid late fees. An appellant may request a verbal appeal only if new facts were omitted from the original appeal.

      The verbal appeal process may be initiated by phone at (860) 486-4930.

      See: Citation Appeals | Parking Services

      Towing and Impoundment

      Private towing contractors complete tows initiated by UConn. Any towing or storage fees must be paid directly to the towing contractor.

      All impounded Motor Scooters will be stored within a Parking Services facility until claimed by their owners or disposed of by UConn through not-for-profit donation.

      A Bicycle parked or operated in violation of these regulations may be impounded.  UConn will not compensate the owner of the Bicycle for the cost of any lock (or other security device) that is cut or otherwise damaged during the Impoundment process.

      Violations of any Bicycle or traffic regulation may result in:

      • criminal charges
      • Impoundment of the Bicycle
      • the assessment of fines

      How To Claim an Impounded Bicycle

      Proof of ownership is required before UConn will release an impounded Bicycle to a claimant. When Bicycles are impounded, they are relocated to a secure Parking Services impound facility. See: Reclaim an Impounded Bicycle.

      Event Parking

      Special event rates are typically charged during the four (4) hours that immediately precede the start of an event.

      Event Coordinators must inform Parking Services two (2) weeks in advance of any event for which five (5) or more vehicles will be parked on UConn campuses to ensure that appropriate parking arrangements can be made.

      See: Event Parking Requests & Day Permits for more information on event parking.

      Winter Storms and Emergencies

      Parking updates for winter storms and other emergencies will be communicated via the UConn Alert System and/or the Parking Services website. When UConn declares a winter parking ban, parking will not be allowed on streets, roadways or in employee or commuter lots between the hours of 1:00am and 5:00am, unless otherwise noted.  Winter storm parking plans and information are published seasonally on the Parking Services website.

      For questions or more information, please contact:

      UConn Parking Services
      3 Discovery Drive; Unit 6199
      Storrs, CT 06269-6199
      Phone: 860-486-4930
      https://www.park.uconn.edu

      POLICY HISTORY

      Policy created:  08/08/2012 (Approved by the Board of Trustees)

      Revisions:
      07/11/2017 (Approved by the President’s Cabinet)
      05/29/2025 (Approved by the Senior Policy Council and President)

       

      [1] Connecticut General Statutes section 10a-139, Traffic regulations on the grounds of The University of Connecticut and The University of Connecticut Health Center. Disposition of fines. See also, OSTA No. 170-1411-01.

      Selection of Outside Legal Counsel

      August 10, 2012

      Title: Selection of Outside Legal Counsel
      Policy Owner: General Counsel’s Office
      Applies to: Selection of Outside Legal Counsel
      Campus Applicability: All Campuses, including UConn Health
      Approval Date: October 25, 2023
      Effective Date: October 25, 2023
      For More Information, Contact: General Counsel
      Contact Information: (860) 486-5796
      Official Website: http://generalcounsel.uconn.edu/

      BACKGROUND

      Pursuant to state law, the Attorney General has “general supervision over all legal matters in which the state is an interested party” except as otherwise provided by law.[1] It has been the general practice of the Office of the Attorney General to select, and contract with, Outside Counsel for the benefit of state agencies and constituent units when such private legal counsel (“Outside Counsel”) is required.

      The University of Connecticut 2000 Act (“UConn 2000 Act”) authorizes the University to select and retain Outside Counsel directly, in consultation with the Attorney General, in connection with the construction, operation and maintenance of any UConn 2000 project. [2]  The UConn 2000 Act specifies that the Board of Trustees shall determine the effective and efficient method or methods of obtaining legal services. In addition, the Office of the Attorney General has authorized the University to select and retain Outside Counsel directly when such counsel is necessary in conjunction with labor relations matters, including collective bargaining.

      PURPOSE

      To set forth the process by which Outside Counsel is selected and retained by UConn pursuant to its authority under the UConn 2000 Act or elsewhere.[3]

      POLICY STATEMENT

      The decision whether to hire Outside Counsel for the University, pursuant to its authority under the UConn 2000 Act or elsewhere, shall be made in consultation with the General Counsel and the Executive Vice President and Chief Financial Officer or their respective successors in function. The process for selecting Outside Counsel shall be managed by the Office of the General Counsel and shall be consistent with applicable statutory requirements for the procurement of professional services. Cost of services shall be considered as one of the criteria, but cost shall not be the sole consideration.

      ENFORCEMENT

      Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and By-Laws, General Rules of Conduct for All University Employees and applicable collective bargaining agreements.

      POLICY HISTORY

      Policy Created: July 1995*
      Policy Revised: October 16, 2023, January 27, 2016, August 8, 2012*

      *Approved by the Board of Trustees

       

      [1] General Statutes § 3-125.

      [2] General Statutes §§ 10a-109d(a)(5) and 10a-109n(e)(4)(F).

      [3] This policy does not apply to the UConn Health Finance Corp, which derives its powers from General Statutes §§ 10a-253, et seq.

      Working Alone Policy

      July 30, 2012

      Title: Working Alone Policy
      Policy Owner: Division of Environmental Health and Safety
      Applies to: University Students
      Campus Applicability: Storrs, Regionals, Law School
      Effective Date: January 2013
      For More Information, Contact Environmental Health and Safety
      Contact Information: (860) 486-3613
      Official Website: http://www.ehs.uconn.edu/

      POLICY STATEMENT

      No student is permitted to Work Alone in an Immediately Hazardous Environment.

      REASON FOR POLICY

      This policy has been developed to minimize the risk of serious injury while Working Alone with materials, equipment or in areas that could result in serious injury or an immediate life-threatening hazard.

      APPLIES TO

      This policy applies to undergraduate, graduate, and post-doctoral students performing academic or research related work at the University of Connecticut Storrs, regional campuses and the Law School.

      DEFINITIONS

      Working Alone means an isolated student working with an immediately hazardous material, equipment or in an area that, if safety procedures fail, could reasonably result in incapacitation and serious life threatening injury for which immediate first aide assistance is not available.

      Immediately Hazardous Environment describes any material, activity or circumstance that could cause instantaneous incapacitation rendering an individual unable to seek assistance.  Examples include but are not limited to: potential exposure to poisonous chemicals and gases at a level approaching the IDLH (Immediately Dangerous to Life & Health); work with pyrophoric and explosive chemicals; work with pressurized chemical systems; entering confined spaces; work near high voltage equipment; work with power equipment that could pinch or grab body parts and/or clothing; etc.

      Unit Managers are managers, supervisors, principle investigators, faculty, Department Heads and others who are responsible for assigning work to students that involve potential exposure to immediately hazardous environments.

      Safety Content Expert is a safety professional from the UConn Department of Environmental Health and Safety (EHS).  EHS provides guidance to Unit Managers and their designees regarding the proper classification of campus activities as Immediately Hazardous or not; and provides safety information regarding proper procedures and personal protective equipment needed.

      Direct Observation means the assigned second person is in line of sight or close hearing range with the individual working in an Immediately Hazardous Environment.

      ENFORCEMENT

      Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements and the University of Connecticut Student Conduct Code.

      RESPONSIBILITIES

      Unit Managers are responsible for identifying the risks and conditions that may place a student in an Immediately Hazardous Environment.  If unsure about a specific task or location, Unit Managers are advised to contact EHS to assist in recognizing/evaluating risks, and to help in developing appropriate hazard controls. The Unit Manager is also responsible to see that personnel are properly trained, proper procedures are in place, and that proper personal protective equipment is readily available and use is mandatory. This is documented by means of the Workplace Hazard Assessment form.

      If the task/area is deemed a Working Alone situation, the Unit Manager must either:

      a) Assign a second person for the duration of the immediately hazardous task or for work in immediately hazardous locations (confined spaces, elevated work area, etc.); or

      b) Reschedule the work to a time when others are available to help monitor the welfare of the assigned student.

      All personnel are responsible for notifying the Unit Managers of situations that present the possibility of a student Working Alone in an immediately hazardous environment.

      Personnel assigned to keep watch must provide Direct Observation at all times while students are in an Immediately Hazardous Environment to prevent a Working Alone situation.

      Students are directly responsible for adhering to all safety procedures, wearing appropriate personal protective equipment and to be current in training requirements.  Students shall not Work Alone in an area or on tasks that have been recognized as an Immediately Hazardous Environment.

      Environmental Health & Safety (EHS) personnel shall, upon request, assist in identifying Immediately Hazardous Environments and Working Alone situations.  EHS shall assist in the anticipation, recognition and evaluation of hazards and provide expertise in developing controls to prevent injuries to personnel.  EHS will verify submitted area Workplace Hazard Assessment during routine inspections.

      Recommended Safety Information Resources

      Refer to the EH&S website for additional workplace safety requirements:

      Policies, programs and procedures

      Training

      Forms

      Human Stem Cell Research Approval

      June 26, 2012

      Title: Human Stem Cell Research Approval
      Policy Owner: Office of the Vice President for Research
      Applies to: Employees, Faculty, Students, Other
      Campus Applicability:  All Campuses
      Effective Date: May 25, 2018
      For More Information, Contact Office of the Vice President for Research
      Contact Information: (860) 486-3001
      Official Website: https://ovpr.uchc.edu/

      REASON FOR POLICY

      The purpose of this policy is to ensure that proposals for human embryonic stem cell (hESC) research and selected types of human induced pluripotent stem cell (iPSC) research are approved by the University’s Stem Cell Research Oversight (SCRO) Committee. This policy does not apply to primary cells isolated from human tissues that are not manipulated to become pluripotent.

      The role of the SCRO Committee is to ensure that human embryonic stem cell (hESC) and selected types of human induced pluripotent stem cell (iPSC) research at all University of Connecticut campuses is well-justified and that inappropriate and/or unethical research is not conducted. The SCRO Committee facilitates the collaboration between researchers across University campuses by adopting nationally and internationally accepted standards designed to protect the University’s reputation for ethical and responsible research.

      The review and approval of hESC research by the SCRO Committee (or its equivalent) is required by Connecticut law. The SCRO Committee review and approval is also required for all proposals funded by the State of Connecticut Regenerative Medicine Research Fund.

      APPLIES TO

      All University faculty, employees, students, postdoctoral fellows, residents and other trainees, and agents who supervise or conduct research involving hESCs and select types of iPSCs.

      DEFINITIONS

      Human Embryonic Stem Cell (hESC): Human embryonic stem cells are pluripotent cells that are self-replicating, derived from human embryos, and are capable of developing into cells and tissues of the three primary germ layers. Although human embryonic stem cells may be derived from embryos, such stem cells are not themselves embryos.

      Human Induced Pluripotent Stem Cell (iPSC): Human induced stem cells are a type of pluripotent stem cell that have been artificially created by reprogramming non-pluripotent human cells through techniques that do not involve oocytes or embryos, e.g., through inserting genes into a somatic cell.

      POLICY STATEMENT

      All research projects in the following categories are required to obtain SCRO Committee approval before acquiring cells or cell lines and before commencing research:

      • All research involving hESCs and their derivatives;
      • All stem cell research involving human gametes and human embryos;
      • All stem cell research projects funded by the State of Connecticut, including those that do not use hESCs;
      • All in vitro human iPSC research involving the generation of gametes, embryos, or other types of totipotent cells; and
      • All in vivo research involving implantation of human iPSCs into prenatal animals or into the central nervous system of post-natal animals.

      The SCRO Committee supplements but does not replace other University review processes (e.g., reviews by Institutional Animal Care and Use Committees (IACUC), Institutional Review Boards (IRB), Institutional Biological Safety Committees (IBC), etc.) and compliance with applicable legal requirements.

      ENFORCEMENT

      Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, the University of Connecticut Student Code, and other applicable University Policies.

      ADDITIONAL RESOURCES

      Connecticut General Statutes §§ 4-28e and 32-41jj to 32-41mm, inclusive

      NIH Stem Cell Information

      POLICY HISTORY

      Revisions: March 28, 2012; May 25, 2018 (Approved by President’s Cabinet)

      Secure Web Application Development, Information Technology

      June 21, 2012

      Title: Secure Web Application Development, Information Technology
      Policy Owner: Information Security Office
      Applies to: Students, Employees, Users
      Campus Applicability: Storrs and Regionals
      Effective Date: May 16, 2012
      For More Information, Contact Chief Information Security Officer
      Contact Information: (860) 486-8255
      Official Website: https://security.uconn.edu/

      Departments will ensure that development, test, and production environments are separated. Confidential Data must not be used in the development or test environments.

      Production application code shall not be modified directly without following an emergency protocol that is developed by the department, approved by the Data Steward, and includes post-emergency testing procedures.

      Web servers that host multiple sites may not contain Confidential Data.

      All test data and accounts shall be removed prior to systems becoming active in production.

      The use of industry-standard encryption for data in transit is required for applications that process, store, or transmit Confidential Data.

      Authentication must always be done over encrypted connections. University enterprise Central Authentication Service (CAS), Shibboleth, or Active Directory services must perform authentication for all applications that process, store, or transmit Confidential or Protected Data.

      Change sentence to “Web application and transaction logging for applications that process, store, or transmit Confidential Data or Regulated Data must submit system-generated logs to the ITS Information Security Office. For more information please view UConn’s Logging Standard.

      Departments implementing applications must retain records of security testing performed in accordance with this policy.

      Policy Created: May 16, 2012

      Business Continuity & Disaster Recovery, Information Technology

      Title: Business Continuity & Disaster Recovery, Information Technology
      Policy Owner: Information Security Office
      Applies to: Students, Employees, Users
      Campus Applicability: All University departments at all campuses except UConn Health
      Effective Date: May 16, 2012
      For More Information, Contact Chief Information Security Officer
      Contact Information: (860) 486-8255
      Official Website: https://security.uconn.edu/

      Each University department will maintain a current, written and tested Business Continuity Plan (BCP) that addresses the department’s response to unexpected events that disrupt normal business (for example, fire, vandalism, system failure, and natural disaster).

      The BCP will be an action-based plan that addresses critical systems and data. Analysis of the criticality of systems, applications, and data will be documented in support of the BCP.

      Emergency access procedures will be included in the BCP to address the retrieval of critical data during an emergency.

      The BCP will include a Disaster Recovery (DR) Plan that addresses maintaining business processes and services in the event of a disaster and the eventual restoration of normal operations. The BCP and DR Plan will contain a documented process for annual review, testing, and revision. Annual testing of the BCP will include desk audits, and should also include tabletop testing, walkthroughs, live simulations, and data restoration procedures, where appropriate. The BCP will include measures necessary to protect Confidential Data during emergency operations.

      Data Administrators are responsible for implementing procedures for critical data backup and recovery in support of the BCP. The data procedures will address the recovery point objective and recovery time objectives determined by the Data Steward and other stakeholders.

      Policy Created: May 16, 2012

      Security Awareness Training Policy, Information Technology

      Title: Security Awareness Training Policy, Information Technology
      Policy Owner: Information Technology Services / Chief Information Security Officer 
      Applies to: All faculty, staff, student employees, and volunteers   
      Campus Applicability: All campuses except UConn Health 
      Effective Date: August 30, 2021
      For More Information, Contact UConn Information Security Office 
      Contact Information: techsupport@uconn.edu or security@uconn.edu 
      Official Website: https://security.uconn.edu/

      PURPOSE 

      The Information Security Office (ISO) maintains an active Security Awareness Training program available to all faculty, staff, and student employees. This policy establishes the authority of the ISO to mandate Security Awareness training as needed and outlines the expectations for individuals and departments in assisting with ensuring the confidentiality, integrity, and availability of university systems, services, and data. 

      APPLIES TO 

      This policy applies to all University faculty, staff, student employees, and volunteers who regularly interact with or have access to confidential or protected information within the university. 

      POLICY STATEMENT  

      While the Information Security Office maintains an active information security program, faculty and staff members’ knowledge of the threats and risks to the University’s systems and data is a critical component in helping to defend the University from attack.  

      The ISO maintains an Information Security Awareness program that supports University employees’ and students’ needs for regular training. Training on important information security topics is available or communicated in multiple ways including: 

      • Online training systems with a variety of topics relevant to Information Security (available at https://security.uconn.edu/training) 
      • Communications to targeted groups by email of ongoing or imminent threats 
      • Postings on various web-based systems across the university (security.uconn.edu or techsupport.uconn.edu) 
      • Availability of ISO staff for in-person discussions on information security 

      As part of their ongoing operations and employee development, all academic and administrative departments should identify opportunities to engage faculty, staff, and student employees in Security Awareness training annually. These opportunities may include those offerings from the ISO or a tailored program for specific threats against departments or systems, which may also be included in procedural manuals or scheduled as group training opportunities. 

      The ISO is authorized to mandate Security Awareness training. In some areas, Security Awareness training may be mandatory based on federal or industry regulations. Training for these programs must be coordinated with the ISO to ensure regulatory requirements are met.  

      ENFORCEMENT  

      Failure to comply with mandatory Security Awareness training, or to coordinate training with the ISO, may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

      Questions about this policy or suspected violations may be reported to any of the following: 

      Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

      Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

      Information Security Office – https://security.uconn.edu 

      REFERENCES 

      Compliance Training Policy 

      POLICY HISTORY 

      Policy created:  May 16, 2012 

      Revisions:  August 30, 2021 [Approved by President’s Senior Team]

      Risk Management, Information Technology

      Title: Risk Management, Information Technology
      Policy Owner: Information Technology Services / Chief Information Security Officer 
      Applies to: All department and school/college system owners and IT professionals   
      Campus Applicability: All campuses except UConn Health 
      Effective Date: August 30, 2021
      For More Information, Contact UConn Information Security Office 
      Contact Information: techsupport@uconn.edu or security@uconn.edu 
      Official Website: https://security.uconn.edu/

      PURPOSE 

      As technology and capabilities change our University environment, threats against these technologies also evolve. To provide the highest level of protection for the University, department and system owners are responsible for regular assessments of risks to their technology platforms. The Information Security Office is responsible for overseeing the evaluation of IT risk across the organization. 

      APPLIES TO 

      This policy applies to all University department and school/college system owners and IT professionals.  

      DEFINITIONS  

      Confidential Data: Confidential data is institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of the Data Classification Policy. 

      Protected Data: Protected data is institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data will fall into this classification or if data is not confidential or public, it will fall into the protected data category. 

      Risk Assessment: Part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation.  

      Risk Assessment Tool: Risk assessment tools are available to department and school/college system owners and IT professionals to collect information about systems, services, and data that will inform efforts to continuously strengthen UConn’s information security.  

      POLICY STATEMENT  

      The Information Security Office (ISO) is authorized to administer the University’s risk management process, which includes the delegation of responsibility for ensuring that information systems are assessed for risk. 

      Due to the size and complexity of the UConn environment, each department and system owner is responsible for conducting a regular and ongoing risk assessment of the Information Technologies they are responsible for overseeing. 

      In conducting a risk assessment, departments/individuals should evaluate risks to Information Technology based on a People, Process, Technology (PPT) methodology. Using this methodology and leveraging ISO policies, including the Acceptable Use Policy, Confidential Data Policy, Data Roles and Responsibilities Policy, Security Awareness Training Policy and System and Application Security Policy (available at https://security.uconn.edu), departments must evaluate opportunities to reduce risk to the confidentiality, integrity, and availability of information technology assets. 

      Some University organizations will be required to do regular risk assessments as a regulatory or industry requirement. Organizations typically focusing on Personal Health Information or Credit Card Processing will have more formal risk assessments conducted by their leadership and review by Information Security Office on an annual basis.   

      ENFORCEMENT 

      Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

      Questions about this policy or suspected violations may be reported to any of the following: 

      Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

      Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

      Information Security Office – https://security.uconn.edu 

       

      POLICY HISTORY 

      Policy created:  May 16, 2012 

      Revisions: August 30, 2021 [Approved by the President’s Senior Team]

       

      Data Classification Policy

      Title: Data Classification Policy
      Policy Owner: Information Technology Services / Chief Information Security Officer 
      Applies to: All students, faculty, staff, volunteers, and contractors  
      Campus Applicability:  All Campuses except UConn Health
      Effective Date: August 30, 2021
      For More Information, Contact UConn Information Security Office 
      Contact Information: techsupport@uconn.edu or security@uconn.edu 
      Official Website: https://security.uconn.edu/

      PURPOSE 

      This policy defines the classifications of institutional data (i.e., the categories of data that the University is responsible for safeguarding) and the associated measures that are necessary to safeguard each classification. Institutional data commonly exists in many forms, including electronic, magnetic, optical, and traditional paper documents. Common types of electronic data include email messages, spreadsheets, word processing documents, PDF reports, and university managed databases and file storage systems. 

      APPLIES TO 

      This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to protected or confidential information. This policy covers data that is stored, accessed, or transmitted in all formats, including electronic, magnetic, optical, paper, or other non-digital formats. 

      DEFINITIONS  

      Cloud: Any environment not operated by UConn. This includes cloud-based services that provide basic infrastructure including operating system and storage or services that provide a full software stack for an intended purpose or platform offering multiple services. 

      Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of this policy. 

      Protected Data: Institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data will fall into this classification or if data is not confidential or public. 

      Public Data: Institutional information that may or must be freely available to the general public. Such information has no local, national, international, or contractual restrictions on access or usage. 

      POLICY STATEMENT  

      Through the normal course of business, many individuals at the University of Connecticut collect, maintain, transmit, and/or have access to personal information, financial data, and other information which is protected or confidential in nature. The protection of some types of data is governed by industry or governmental regulations. While other types of information may not be covered by specific legal requirements, it is in the University of Connecticut’s best interest to take steps to safeguard all university information reasonably and responsibly. 

      Except for those classes of data expressly protected by statute, contract, or industry regulation, the data classification examples presented in this policy are guidelines. Ultimate responsibility for the classification in the university environment is determined by the Data Steward, as defined in the University’s Data Roles and Responsibilities Policy, and the Office of General Counsel for any given set of data. 

      Data Protection 

      The University of Connecticut has established the following requirements and guidelines in order to protect each classification of data. 

      Public Data 

      While there are few restrictions on public data, such data should be properly secured to prevent unauthorized modification, unintended use, or inadvertent/improper distribution. It should be understood that any information that is widely disseminated within the university community is potentially available to the public at large. 

      The following guidelines are for information systems that are used to store and share the University’s public data. 

      • When practical, public data should only be shared via systems over which the University maintains full administrative control, which includes the ability to remove or modify the data in question. 
      • Information systems, such as web servers or cloud services that are used to share public data, must be properly secured to prevent the unauthorized modification of published public data. 
      • Interactive access to databases containing public data, such as online directories or library catalogs, should be properly secured using query rate limiting, CAPTCHA’s or similar technology to impede bulk downloads of entire collections. 

        Protected Data 

        Protected data requires additional levels of protection because its unauthorized disclosure, alteration, or destruction could cause damage to the University or its constituents.  

        In addition to the requirements outlined for public data, protected data must also meet these requirements: 

        • If stored in the cloud, stored only on cloud-based information systems managed or contracted by the University. 
        • Protected through the use of authenticated access in order to prevent loss, theft, or unauthorized access, disclosure or modification. 
        • Printed sensitive data including reports must be stored in a secure manner (file cabinet, closed office, or department where electronic/physical access control systems are in place) when not in use. 

        Confidential Data 

        Confidential data (see Appendix A) requires the highest level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration, or destruction of the data. Certain types of information, such as health information, may have additional requirements for protection. Wherever possible, confidential information should remain in source systems and not propagated through saved files, spreadsheets, or other file formats. Whenever storage of confidential data is required outside the source system, it should be limited to the minimum amount, and for the minimum time, required to perform the business function, or as required by law and/or State of Connecticut Data Retention requirements. 

        In addition to the requirements for protected data, confidential data must be: 

        • Protected with strong passwords and should leverage Multi-Factor Authentication whenever such capabilities exist.  
        • Stored on devices that have appropriate protection, monitoring and encryption measures in order to protect against theft, unauthorized access and unauthorized disclosure. 
        • Transmitted using approved encryption methods. 
        • Accessed via approved remote access services such as VPN when accessed remotely.  
        • Stored on university-owned devices. Confidential data is not permitted to be stored on any personally owned devices including mobile phones, laptops, or home computers. 
        • Stored, if printed material, only in a locked drawer; a locked room; an area where access is controlled by a guard, cipher lock, and/or card reader; or an area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis. 

          The University’s Confidential Data may not be accessed, transmitted, or stored using public computers or via email. 

          Encryption 

          To maintain its confidentiality, all data shall be encrypted while in transit across communication networks or when stored. Stored data may only be encrypted using current encryption methodologies. To ensure that data is available when needed, each department or user of encrypted University data will ensure that encryption keys are adequately protected and that procedures are in place to allow data to be recovered by another authorized University employee. In employing encryption as a privacy tool, users must be aware of, and are expected to comply with, Federal Export Control Regulations. 

          Service Providers  

          Departments shall take steps to ensure that third-party service providers understand the University’s Data Classification Policy and protection of the University’s Data. No user may give a third-party access to the University’s Protected or Confidential Data or to systems that store or process Protected or Confidential Data without permission from the Data Steward and a standard Confidentiality Agreement from University Procurement in place.  

          Disposal 

          Systems administrators will ensure that all data stored on electronic media is properly destroyed or wiped to current Department of Defense Data Wipe standards prior to the disposal or transfer of the equipment.  

          Confidential Data maintained in hard copy form will be properly disposed of when no longer required for business or legal purposes. 

          ENFORCEMENT 

          Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

          Questions about this policy or suspected violations may be reported to any of the following: 

          Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

          Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

          Information Security Office – https://security.uconn.edu 

          REFERENCES 

          Data Roles and Responsibilities, Policy On 

          POLICY HISTORY 

          Policy created:  May 16, 2012 

          Revisions: August 30, 2021

           

          Data Roles and Responsibilities Policy

          Title: Data Roles and Responsibilities Policy, Information Technology
          Policy Owner: Information Technology Services / Chief Information Security Officer 
          Applies to:  All students, faculty, and staff  
          Campus Applicability:  All campuses except UConn Health 
          Effective Date: August 30, 2021
          For More Information, Contact UConn Information Security Office 
          Contact Information: techsupport@uconn.edu or security@uconn.edu 
          Official Website: https://security.uconn.edu/

          PURPOSE 

          To define the responsibilities of individuals within the organization in protecting the University of Connecticut’s data assets. 

          APPLIES TO 

          This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to or have been assigned one of the roles defined in this policy. 

          POLICY STATEMENT  

          Through the normal course of operations of the University, ever increasing amounts of data are created, processed, modified, and eventually disposed of as part of daily activities. To ensure the proper management of the various data sets, the University has defined the following roles and responsibilities to ensure data is properly protected, used, and managed throughout its lifecycle. 

          Data Stewards are employees of the university responsible for the overall use and proper handling of administrative, academic, public engagement, or research data. Data Stewards must classify data according to the University’s Data Classification Policy. Data Stewards ensure that appropriate steps are taken to protect data and implement policies and agreements that define appropriate use of data.  

          The Data Steward or their designated representatives are responsible for: 

          • Ensuring the information they are responsible for is accurate 
          • Authorizing the specific use of information across the organization 
          • Working with other Data Stewards to resolve conflicting data issues 
          • Specify appropriate controls, based on data classification, to protect the data from unauthorized modification, deletion, or disclosure 
          • Ensuring access rights are evaluated on a regular basis 

            Data Administrators are usually system administrators who are responsible for applying appropriate controls to data based on its classification level and required protection level. Data Administrators are also responsible for securely processing, storing, and recovering data. The Data Administrator is accountable for: 

            • Implementing the appropriate controls specified by the Data Stewards 
            • Removing access rights to specific data resources due to a job change or separation from the University 
            • Implementing the appropriate monitoring techniques and procedures for detecting, reporting, and investigating incidents 
            • Assisting Data Stewards in evaluating the overall effectiveness of controls and monitoring  

            Data Users are individuals who receive authorization from the Data Steward/Administrator to access, enter, or update information. Data Users  must use the resource only for the purpose specified by the Data Steward, complying with controls established by the Steward, and preventing disclosure or confidential or protected information. 

            ENFORCEMENT 

            Failure to properly fulfill the roles and responsibilities articulated in this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

            Questions about this policy or suspected violations may be reported to any of the following: 

            Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

            Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

            Information Security Office – https://security.uconn.edu 

             

            POLICY HISTORY 

            Policy created:  May 16, 2012 

            Revisions: August 30, 2021 [Approved by President’s Senior Team]