New Policy in September 2022

September 22, 2022

Academic Affairs Policies and Protocols Policy (New): The purpose of this new policy is to establish clear and concise standards for the development, approval, decommissioning, and revision of Academic Affairs policies and protocols. It will apply to the Storrs, Regional and UConn Health campuses, and set the standard for all Academic Affairs units (i.e., school/college, campus, department, division, and other units therein). This policy aims to ensure that all formatting and presentation of policies is consistent, a complete set of Academic Affairs policies exists, and practices used in all Academic Affairs units and UConn campuses are transparent.

Academic Affairs Policies and Protocols, Policy on

June 13, 2022

Title:	Academic Affairs Policies and Protocols, Policy On
Policy Owner:	Office of the Provost
Applies to:	All units that report to the Provost Office
Campus Applicability:	UConn (Storrs & Regional Campuses) and UConn Health
Effective Date:	June 13, 2022
For More Information, Contact	Office of the Provost
Contact Information:	(860) 486-4037, provost@uconn.edu
Official Website:	http://provost.uconn.edu/

BACKGROUND

The policy bolsters the University Policy on Policies, by setting standards for Academic Affairs units (i.e., school/college, campus, department, division, and other units therein) to develop policies. The aim is to ensure that:

each Academic Affairs unit has an established and documented process for developing, approving, revising, promulgating, decommissioning, and archiving policies.
the format and presentation of policies is consistent;
conflicts between policies are minimized;
all policies required by the UConn-AAUP Collective Bargaining Agreement or the Provost’s Office are up to date and represent best practices;
a complete set of Academic Affairs policies exists; is reviewed regularly, and is accessible to the UConn, unit-specific, or campus-specific community;
policies are archived; and
practices used in all Academic Affairs units and UConn campuses are transparent.

PURPOSE

To establish standards for the development, approval, revision, decommissioning of Academic Affairs policies and protocols administered by units (e.g., schools/colleges, regional campuses, department, divisions, centers, and institutes) that report to the Provost Office.

DEFINITIONS

Policy Owner: The unit, unit head (e.g., Dean, Campus Director), and/or designee (e.g., Associate Dean, Department Head, director) responsible for authoring, implementing, maintaining and monitoring a policy. This may include more than one units. However, generally, it should not exceed two.

Academic Affairs Unit Policy: An Academic Affairs unit policy guides the decisions and actions of a unit that reports to the Provost Office. It may supplement a University Policy. It outlines requirements and restrictions and establish standards, rights, and responsibilities that generally apply to the members under its specific charge (e.g., school/college, campus, department, or division/unit). These policies meet the following criteria:

The unit head has sanctioned it;
It has broad application within the unit.
It is a governing principle for both established and future activities of the unit;
It references, adheres to, and does not conflict with policies established by the University or an upper-administrative level; and
It is published in an official university venue that is accessible to the members of the unit as well as members of upper-level administration.

Unit policies are developed in accordance with the University Policy Template.

Policy/Protocol Promulgation: To publish or officially announce the adoption of a particular policy or protocol to the community. A policy is promulgated by publication to the official venue for posting approved policies.

Protocol: Establishes standards methods for implementing approved policies. If a policy is “what” the institution or unit does, its protocols are “how” it carries out a policy’s requirements. Three types of protocols are defined below.

Guideline: Recommended guidance or additional information used to support policies and procedures, industry best practice, or intended to educate the workforce on how to achieve a desired outcome.
Process: A high-level overview that provides a road map for how a task will be accomplished.
Procedures: Operational processes established for the implementation of policies. If a policy is “what” the institution does, its procedures are “how” it carries out the requirements of a policy. Non-compliance with, or violation of, procedures may result in disciplinary action. Procedures
- outline required actions by objective and/or job function;
- state clearly and succinctly the step-by-step instructions that must be followed to implement policy effectively;
- specify the structure to enforce the policy.

Revision, Editorial: Includes modifications related to spelling, grammar, format, and updates to hyperlinks or URLs, contact information, references, titles of individuals and organizations.

Revision, Non-substantive: Includes modifications intended to enhance clarity without changing the intent of the policy, such as adding or modifying definitions, rearranging or re-wording sentences without changing their meaning or the policy’s requirements for compliance.

Revision, Substantive: Includes significant modifications to the nature and/or scope of the policy that affect its requirements, principles, or intent.

Stakeholders: Member of the unit with the expertise in the subject matter of the policy, or whose operations will be significantly affected by the policy.

POLICY STATEMENT

All Academic Affairs units that report to the Provost Office shall establish a process to develop, maintain record of, revise, decommission, and archive unit-specific policies and protocols to guide the conduct of the unit and to promulgate policies to appropriate stakeholders. All policies must be in writing, utilizing the University’s Policy Template, and must be posted on the official venue for posting approved policies. All approved unit-specific policies are in effect until they are officially revised or decommissioned, and archived.

In rare circumstances, the Units may determine that it is appropriate to make exceptions to a policy on a case-by-case basis, in which event the Unit is not required to make the same exception again. However, records of exceptions, including their justification, must be maintained.

All concerns or questions regarding consistency of unit-specific policies with university-wide academic policies or conflicts between existing policies should be directed to the Office of University Compliance for clarification or resolution. Until such time that identified conflicts are resolved, the upper-level policy will govern.

ENFORCEMENT

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

Guideline and Provost’s Office Procedures for the Policy on Academic Affairs Policies and Protocols

REFERENCES

University Policy on Policies

Policy Template

POLICY HISTORY

Policy created: June 13, 2022 [Approved by President’s Senior Policy Council]

Student Athlete Name, Image, Likeness, Policy On

May 6, 2022

Title:	Student-Athlete Name, Image, and Likeness, Policy On
Policy Owner:	Athletics
Applies to:	All Student-Athletes and University Employees
Campus Applicability:	All UConn campuses, except UConn Health
Approval Date:	March 18, 2025
Effective Date:	March 19, 2025
For More Information, Contact	Director of Athletics
Contact Information:	(860) 486-2725
Official Website:	https://uconnhuskies.com/sports/2021/7/14/uconn-nil-information

PURPOSE

To establish a policy pursuant to which University of Connecticut (“University”) Student-Athletes are permitted by the University to (1) earn Compensation through an Endorsement Contract, Revenue Sharing Agreements, or employment in an activity unrelated to an Intercollegiate Athletic Program; and (2) obtain legal or professional representation of an attorney or Sports Agent through a written agreement, provided that in each case, the Student-Athlete complies with the terms and conditions of this policy and applicable law.

DEFINITIONS

Athletics Booster: a person who directly contributes to a University athletic program.

Compensation: the receipt, whether directly or indirectly, of any cryptocurrency, money, goods, services, other items of value, in kind contributions and any other form of payment or remuneration.

Endorsement Contract: a written agreement under which a Student-Athlete is employed or receives Compensation for the use by another party of such Student-Athlete's person, name, image or likeness in the promotion of any product, service or event.

Intercollegiate Athletic Program: a program at the University for sports played at the collegiate level for which eligibility requirements for participation by a Student-Athlete are established by a national association for the promotion or regulation of college athletics.

NCAA: the National Collegiate Athletic Association or its successor.

Official Team Activities: all games, practices, exhibitions, scrimmages, team appearances, team photograph sessions, sports camps sponsored by the University and other team-organized activities, including, but not limited to, photograph sessions, news media interviews, and other related activities as specified by the University.

Prohibited Endorsements: receipt of Compensation by, or employment of, a Student-Athlete for use of the Student-Athlete's person, name, image or likeness (“NIL”) in association with any product, category of companies, brands, or types of Endorsement Contracts that are: (1) prohibited by law; (2) prohibited by this policy; or (3) prohibited under the applicable University procedures adopted in accordance with this policy.

Revenue Sharing Agreement: an agreement between the University or an entity acting on the University’s behalf, and a student athlete through which a student athlete shares a portion of the University’s revenue as Compensation.

Sports Agent: a duly licensed person who negotiates or solicits a contract on behalf of a Student-Athlete in accordance with the Sports Agent Responsibility and Trust Act, 15 USC 7801, et seq., as amended from time to time.

Student-Athlete: a student who attends or has agreed to attend the University and participates or has agreed to participate in a University Intercollegiate Athletic Program.

University Marks: the name, logo, trademarks, mascot, unique colors, copyrights and other intellectual property or defining insignia of the University.

POLICY STATEMENT

The University shall permit its Student-Athletes to (1) obtain legal or professional representation of an attorney or Sports Agent through a written agreement, provided that the Student-Athlete complies with this policy and applicable law; (2) earn Compensation through employment in an activity unrelated to an Intercollegiate Athletic Program; (3) earn Compensation through an Endorsement Contract with a third party; (4) earn Compensation through an Endorsement Contract with the University for the use of the Student-Athlete's person, name, image or likeness in the promotion of any product, service or event; and (5) earn Compensation through a Revenue Sharing Agreement with the University.

1. Agreements for Representation by a Sports Agent or an Attorney

A Student-Athlete may only enter into an agreement for representation with a Sports Agent if the Student-Athlete submits a copy of the agreement to the University.
A Student-Athlete may only enter into an agreement for representation with an attorney if the Student-Athlete submits a copy of the agreement to the University

2. Agreements for Employment Activities and Endorsement Contracts with Third Parties

A Student-Athlete may receive Compensation for employment in an activity unrelated to any Intercollegiate Athletic Program, provided the Student-Athlete signs a written agreement for the employment and submits a copy to the University before performing any employment activities or services.
A Student-Athlete may only enter into an Endorsement Contract with a third party if:
1. the Student-Athlete submits a copy of the contract to the University prior to the Student-Athlete performing any activity or service under the contract;
2. the contract, or any portion thereof, does not conflict with the provisions of any agreement to which the University is a party. If a potential conflict is identified, the University shall disclose to the Student-Athlete or the Student-Athlete's attorney or Sports Agent the provisions of the University agreement that are in conflict; and
3. the Student-Athlete is not required to participate or engage in any activity prohibited by Section IV of this policy.

3. Endorsement Contracts and Revenue Sharing Agreements with the University

A Student-Athlete may only enter a Revenue Sharing Agreement and/or Endorsement Contract with the University if:

the Endorsement Contract is limited to the use of the Student-Athlete's person, name, image or likeness in the promotion of any product, service or event;
the Student-Athlete is an independent contractor; and
the Student-Athlete is not required to participate or engage in any activity prohibited by Section IV of this policy.

4. Prohibitions

No state funds appropriated to the University may be used to compensate a student athlete for an Endorsement Contract or a Revenue Sharing Agreement.
Use of Marks. Student-Athletes are prohibited from using or consenting to the use of any University Marks when performing any services or activity associated with an Endorsement Contract or employment activity without prior written permission from the University or its authorized designee.
University Employees. University employees are prohibited, in their individual capacity, from entering into an Endorsement Contract or a Revenue Sharing Agreement with any Student-Athlete or otherwise providing Compensation to a Student-Athlete in connection with a Student-Athlete’s participation in an Intercollegiate Athletic Program.
Student-Athletes.
1. Student-Athletes are prohibited from performing any service or activity associated with an Endorsement Contract or employment activity that interferes with any official team activities or academic obligations.
2. Student-Athletes are prohibited from receiving Compensation from entering an Endorsement Contract with, and/or otherwise engaging in an employment activity with companies, brands, products, conduct, and/or entertainment prohibited under University procedures adopted in accordance with this policy.

PROCEDURES

The President or the President’s designee may adopt procedures concerning the implementation of this policy.

ENFORCEMENT
Violations of this Policy or associated procedures may result in appropriate disciplinary measures in accordance with state law, University Laws and By-Laws, and Division of Athletics Student Athlete Handbook.

POLICY HISTORY

Policy created effective June 30, 2021 [Approved by the Board of Trustees]

Revisions:
May 2, 2022
March 18, 2025 [Approved by the President’s Senior Policy Council]

University Policy on Policies

April 7, 2022

Guideline: Recommended guidance or additional information used to support policies and procedures, industry best practice, or intended to educate the workforce on how to achieve a desired outcome. Allows end-user discretion in interpretation, implementation, or use. Non-compliance with, or violation of, guidelines does not create the same level of risk.

Policy Owner: The unit, senior institutional official and/or designee responsible for authoring, implementing, maintaining, and monitoring a policy.

University Senior Policy Council: The University Senior Policy Council is a standing committee whose role is to review and approve new and revised University policies. The Senior Policy Council is comprised of the University President; Executive Secretary to the Board of Trustees; Chief of Staff; General Counsel; Chief Compliance Officer, Chief Human Resources Officer, Provost, and the Vice President for Finance and Chief Financial Officer. Others may be invited, as necessary.

Procedures: Operational processes established for the implementation of policies. If a policy is “what” the institution does, its procedures are “how” it carries out the requirements of a policy. Non-compliance with, or violation of, procedures may result in disciplinary action.
Procedures

outline required actions by objective and/or job function;
state clearly and succinctly the step-by-step instructions that must be followed to implement policy effectively;
specify the structure to enforce the policy;
University Policy procedures shall not be revised without consultation with the Office of University Compliance.

Revision, Editorial: Includes modifications related to spelling, grammar, format, and updates to hyperlinks or URLs, contact information, references, titles of individuals and organizations.

Revision, Substantive: Includes significant modifications to the nature and/or scope of the policy that affect its requirements, principles, or intent.

Senior Institutional Official (SIO): The appropriate University officer (Vice President, Vice Provost, or similar) who has authority and responsibility for the area or activity to which a policy may apply.

Stakeholder: University members with expertise in the subject matter of the policy, or whose operations will be significantly affected by the policy.

University Policy: An official statement expressing the position of the University on an issue of university-wide importance. A university policy

is a governing principle that mandates or constrains actions, establishes rights or obligations, or guides the decisions and actions of the University;
has broad application;
exists to achieve compliance with applicable laws, regulations, and organizational requirements; to promote operational efficiencies; to enhance the University’s mission; to reduce institutional risk; and/or to promote ethical standards, integrity and accountability;
is approved by the administrative authority of the University and/or the Board of Trustees

Policies that do not fit the criteria of a University Policy, such as individual unit policies, should be vetted through the appropriate Dean or Director for approval to ensure consistent application and to avoid conflict with any University or unit policies. Unit policies, procedures and guidelines shall not subvert, supersede, or contradict University Policies. Units should use a similar policy review process as outlined in this document. Please contact the Office of University Compliance or refer to the Policy website for assistance.

All University Policies shall be developed, approved, revised, and decommissioned in accordance with the procedures outlined in this Policy. In rare circumstances, exceptions to this process may be approved by the President in consultation with the University Senior Policy Council and notification to the Board of Trustees as may be warranted.

Individual units (e.g., colleges, schools, centers, institutes, departments) may create, communicate, maintain, and enforce policies that are applicable to their respective authority, as long as these are not in conflict with official University Policies.

I. New University Policy
II. Revising a University Policy
III. Decommissioning a University Policy
IV. Archiving University Policy
V. Expedited (Emergency) Policy Approvals

I. New University Policy

1. Determine Need

University Policies should only be created when they define University values, institutional objectives or mandates; address federal or state law, regulations, or rules; or manage potential risk or liability.
Any individual or unit may identify the need for a new University Policy. However, a Senior Institutional Official, in consultation with the Office of University Compliance, must confirm the need for the policy considering

- whether the proposed policy meets the criteria of a University Policy as defined;
- if an alternative such as workforce guidance or procedures is the most effective and efficient approach;
- if existing University policy addresses or resolves the identified need;
- implications of the policy including risks and costs (i.e., will adoption of the proposed policy require new resources or reassignment of existing resources?)

2. Development

If a proposed policy involves matters within the purview of more than one senior institutional official, they will ensure consultation and coordination among appropriate leadership.
The Senior Institutional Official may assign the development and administration of the policy to a responsible office or individual (Policy Owner).
The Policy Owner is responsible for developing a draft policy in consultation with key stakeholders and University governance groups (e.g., University Senate, Deans Council). It is advisable that the Policy Owner convene a stakeholder policy development group to provide initial vetting of the proposed policy.
University policy

- must follow the Policy Template [link];
- should be written so that it is clear and concise with sufficient information on the subject without being excessive in length or complexity;

3. Engage the Office of University Compliance

Early in the development stages, the individuals or groups developing the policy must notify the Office of University Compliance.
University Compliance is responsible for

- stewardship of the policy development process to ensure consistency with existing policies, language, clarity, format and appropriate vetting and approval;
- engaging the Office of the General Counsel as appropriate;
- reviewing stakeholder and partner input;

4. Approval

Although the development or administration of a policy may be delegated, the SIO is responsible for ensuring all necessary approvals are obtained.
Once the SIO is satisfied with the final policy draft, it must be forwarded along with a list of stakeholder reviewers to University Compliance at policy@uconn.edu. University Compliance may consult with the Office of General Counsel for final review.
For policies that apply to the Storrs, Regional and UConn Health campuses, University Compliance will coordinate review and approvals with the appropriate UConn Health policy committees before advancing the policy to the Office of the President.
University Compliance will work with the Office of the President and the SIO to present the draft policy to the University Senior Policy Council for their review and recommendation to the President. There may be occasions when a University Policy requires review and approval by the Board of Trustees prior to adoption.
The President, in consultation with the Senior Policy Council, will make the final determination regarding when a University Policy shall be presented to the Board of Trustees for approval. If so, the proposed policy will typically be assigned to one or more standing Board committees to review and approve before the proposed policy goes to the full Board for final approval.
University Policies that advance to the Board for approval are often those that relate to:

- University governance and describe the composition, powers, and duties of the Board of Trustees, the President, or University Senate;
- University By-Laws (e.g., academic appointment and tenure; grievances; leaves of absence; naming of facilities; intellectual property; the establishment of new regional campuses,
  schools or colleges; expressions of dissent; and student residency);
- Code of Conduct;
- high-level university financial operations such as investments and the establishment of, or significant changes in existing, major University fiscal policies (e.g., capital expenditures).

5. Publication & Notification

Once the University Policy has been approved, the SIO will collaborate with University Compliance to ensure the policy is posted to policy.uconn.edu (and health.uconn.edu/policies where
applicable.
The SIO shall oversee the communication, implementation, training, administration, and maintenance of the University Policies within their purview. The SIO must publicize and distribute the policy to the University community members to whom it applies and to offices with implementation requirements.
Policies published to the University’s Policy site are the official and current versions.
Members of the University community are responsible for familiarizing themselves and complying with University Policies.
All new University Policies not requiring Board approval shall be shared with the Board of Trustees at the next regularly scheduled meeting as an informational item.

II. Revising a University Policy

Regularly reviewing policies and procedures ensures that the University’s operations and administration are

in compliance with new laws and regulations;
current with new systems or technology;
consistent with best practices.

1. Review

Policies must be reviewed at least once every three (3) years, or sooner if legal or regulatory requirements or changes in operational processes deem necessary. The senior institutional official,
or designee, must ensure the periodic review and revision of policies related to their areas of responsibility.
University Compliance monitors policies for compliance with the required review schedule.
The senior institutional official must notify University Compliance at policy@uconn.edu
- of necessary changes by providing a strikethrough or “redline” copy of the policy with proposed revisions;
  OR
- if review was conducted and there are no necessary changes.
The date of review, even in the absence of revision, shall be noted in the Policy History of the document.

2. Revision Approvals

University Compliance, in conjunction with the senior institutional official, will determine if the proposed revisions are editorial, non-substantive or substantive.

Editorial revisions will be completed by University Compliance.
Non-substantive revisions will be completed by University Compliance after notifying the University Senior Policy Council.
Substantive revisions must follow the same review and approval process as a new policy.

III. Decommissioning a University Policy

When a policy is no longer needed or is more effectively combined with another policy, the responsible office will submit a formal request to the senior institutional official responsible for the policy. The senior institutional official shall confer with applicable University governance groups and subject matter experts as appropriate to ensure overall impact is considered. The senior institutional official will collaborate with University Compliance to seek formal decommissioning approvals. If there is disagreement as to whether a policy should be decommissioned, the University Senior Policy Council will decide.

University Compliance will remove decommissioned policies from the policy.uconn.edu website and inform the Senior Policy Council quarterly of decommissioned policies.

IV. Archiving a University Policy

University Compliance will work with University Archives to properly maintain the record. Policy Owners are strongly encouraged to retain policy records.

V. Expedited (Emergency) Policy Approvals

The expedited policy approval process is reserved for policies that the President or the Senior Policy Council deem crucial for the health and safety of the University community, the continuity of University operations, to address legal requirements or significant institutional risk and, therefore, must be processed in a shorter time than possible through the established approval process.

In such cases,

the President or the Board of Trustees identifies an emergency policy need and assigns a senior institutional official;
the stakeholder review process may be bypassed, but the draft policy must be reviewed by the Senior Policy Council;
the Senior Policy Council shall consider any immediate and significant impact on operations;
emergency policies that apply to UConn Health shall be provided to the appropriate policy committees for expedited review and approval.

Unless a duration is specified in the Expedited Policy, all Expedited Policies will be reviewed in one (1) year by the Senior Policy Council to determine whether the policy should be extended, made permanent, or decommissioned.

Code Compliance for University Events and Projects, Policy on

Title:	Code Compliance for University Events and Projects, Policy on
Policy Owner:	Division of University Safety
Applies to:	The University workforce, students, others
Campus Applicability:	All Campuses
Effective Date:	April 6, 2022
For More Information, Contact	Fire Marshal and Building Inspector’s Office
Contact Information:	buildinginspector@uconn.edu
Official Website:	https://firemarshal.universitysafety.uconn.edu/

BACKGROUND

The Fire Marshal and Building Inspector’s Office (FMBIO) provides regular inspection, incident investigation, construction and/or event permitting, as well as consultation on matters relevant to design, construction, renovation, maintenance, and use of structures, systems, and related assets. CGS 29-252a (h) and State Building Code (SBC) 105.2.4 exempt a state agency from being required to obtain a building permit from the local building official, however, the University of Connecticut and the State Building Inspector have determined that any University of Connecticut work which is subject to building permit by the SBC shall be permitted through the Fire Marshal and Building Inspector’s Office.

PURPOSE

To provide a safe environment through the enforcement of building and fire safety codes in compliance with the University’s Memoranda of Understanding (MOU) with the Department of Administrative Services (DAS), Connecticut General Statutes and State Building Code.

DEFINITIONS

Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.

POLICY STATEMENT

Members of the workforce, including contractors or subcontractors, who intend to perform any of the following must contact the FMBIO to determine if code compliance is applicable and if a permit is required:

construct, enlarge, alter, repair, move, demolish, or change the occupancy of a building or structure;
perform any work related to electrical, gas, mechanical or plumbing systems;
organize an indoor or outdoor event, activity, or assembly attended by fifty (50) or more people in a space outside the scope of its intended use[1], or that involves tents, pyrotechnics, amusement rides, open flames, cooking and/or heating food, or alcohol.

In addition to the above-listed instances in which FMBIO review is required, it is recommended that the University and its agents contact the building inspector regarding all work to buildings and structures before that work commences.

ENFORCEMENT

PROCEDURES

Contact the FMBIO prior to initiating work or organizing events, activities or assemblies attended by fifty (50) or more people.

The building inspector may make a determination as to whether proposed work is subject to a building permit based on submission of a brief description of the work. If a review of the State Building Code determines that a building permit is not required for the proposed work, a letter indicating such will be returned with the submitted documents.

The Fire Marshal may make a determination regarding whether indoor or outdoor events, activities, or assemblies of 50 or more people require a permit based on submission of a brief description of the activity.

REFERENCES

CGS Chapter 541 Part II

CGS 29-252a

POLICY HISTORY

Policy created: April 06, 2022 [Approved by President’s Senior Policy Council

Revisions:

[1] Existing spaces are permitted and approved for specific capacity and intended use during construction. Therefore, when any space of an existing building is used as it was originally intended, a new permit is not required (e.g., holding a class in a classroom). If an activity is planned in a space that requires increased capacity or added features such as enhanced technology, lighting, installation of a stage, amplification of sound, use of displays, etc., then a permit is required.

Recruitment of Students, Policy On

September 22, 2021

Title:	Recruitment of Students, Policy On
Policy Owner:	The Division of Enrollment Planning & Management
Applies to:	University Employees, Volunteers, Trainees and Others
Campus Applicability:	All Campuses
Effective Date:	August 23, 2021
For More Information, Contact	Office of the Vice President for Enrollment Planning & Management
Contact Information:	(860) 486-1463
Official Website:	https://epm.uconn.edu/

PURPOSE

To ensure compliance with federal laws and regulations regarding ethical recruitment and enrollment activities conducted at the University. Specifically, Section 487(a)(20) of the Higher Education Act (HEA) and its implementing regulations at 34 C.F.R. 668.14, as well as the University’s Memorandum of Understanding with the Department of Defense.

APPLIES TO

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for UConn, is under the direct control of UConn, whether or not they are paid by UConn.

DEFINITIONS

Commission, Bonus, Incentives means a sum of money or something of value, other than a fixed salary or wages, paid to or given to a person or an entity for services rendered.

Securing enrollments or the award of financial aid means activities that a person or entity engages in at any point in time through completion of an educational program for the purpose of the admission or matriculation of students for any period of time or the award of financial aid to students.

These activities include contact in any form with a prospective student, such as, but not limited to – contact through preadmission or advising activities, scheduling an appointment to visit the enrollment office or any other office of the institution, attendance at such an appointment, or involvement in a prospective student’s signing of an enrollment agreement or financial aid application.

These activities do not include making a payment to a third party for the provision of student contact information for prospective students provided that such payment is not based on: (1) any additional conduct or action by the third party or the prospective students, such as participation in preadmission or advising activities, scheduling an appointment to visit the enrollment office or any other office of the institution or attendance at such an appointment, or the signing, or being involved in the signing, of a prospective student’s enrollment agreement or financial aid application; or (2) the number of students (calculated at any point in time of an educational program) who apply for enrollment, are awarded financial aid, or are enrolled for any period of time, including through completion of an educational program.

“Entity or person engaged in any student recruitment or admission activity or in making decisions about the award of financial aid” means (1) with respect to an entity engaged in any student recruitment or admission activity or in making decisions about the award of financial aid, any institution or organization that undertakes the recruiting or the admitting of students or that makes decisions about and awards Title IV, HEA program funds; and (2) with respect to a person engaged in any student recruitment or admission activity or in making decisions about the award of financial aid, any employee who undertakes recruiting or admitting of students or who makes decisions about and awards Title IV, HEA program funds, and any higher level employee with responsibility for recruitment or admission of students, or making decisions about awarding Title IV, HEA program funds.

Enrollment means the admission or matriculation of a student into an eligible institution.

Inducement means any gratuity, favor, discount, entertainment, hospitality, loan, transportation, lodging, meals, or other item have a monetary value or more than a de minimis amount to any individual, entity, or its agents including third party lead generators or marketing forms.

Service Member means a current or former member of the uniformed services which includes (a) the armed forces; (b) the commissioned corps of the National Oceanic and Atmospheric; and (c) the commissioned corps of the Public Health Service.

POLICY STATEMENT

The University of Connecticut prohibits the award of any commission, bonus or other incentive payment based in any part, directly or indirectly, upon success in securing enrollments or the awarding of financial aid, to any person or entity who is engaged in any student recruitment, admission activities, or making decisions regarding the awarding of financial assistance. In accordance with the HEA, this restriction does not apply to the recruitment of foreign students residing in foreign countries who are not eligible to receive Federal student assistance.

In addition, in accordance with the Department of Defense Memorandum of Understanding, the University will refrain from high-pressure recruitment tactics aimed at Service Members, which includes making multiple unsolicited contacts (3 or more) including contacts by phone, email, or in-person, and engaging in same-day recruitment and registration for the purpose of securing Service Member enrollments.

ENFORCEMENT
Violations of this policy or associated procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, and applicable collective bargaining agreements.

PROCEDURES/FORMS
Contact the Division of Enrollment Planning and Management with questions.

POLICY HISTORY

Policy created effective: August 23, 2021 [Approved by President’s Senior Team]

Revisions: November 11, 2021 [Approved by the President]

Mobile and Remote Device Security Policy

August 30, 2021

Title:	Mobile and Remote Device Security, Information Technology
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All faculty, staff, student employees, and volunteers
Campus Applicability:	All campuses except UConn Health
Effective Date:	August 30, 2021
For More Information, Contact	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu/

PURPOSE

To ensure data and information systems security by establishing requirements for mobile and remote devices. Mobile and remote devices are important tools for the University, and their use is supported to advance the mission of the university. Mobile and remote devices also represent a significant risk to information and data security. If appropriate security measures and procedures are not applied, mobile and remote devices can serve as a conduit for unauthorized access to University data and IT resources that can subsequently lead to data leakage and a path for compromise of other systems.

APPLIES TO

This policy applies to all University faculty, staff, student employees, and volunteers who use mobile or remote devices to access any non-public IT resources owned or managed by the University.

DEFINITIONS

IT Resources: Includes systems and equipment, software, and networks. Systems and equipment include but are not limited to computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers, and other related devices. Software includes but is not limited to computer software, including open-source and purchased software, and all cloud-based software, including infrastructure-based cloud computing and software as a service. Networks include but are not limited to all voice, video, and data systems, including both wired and wireless network access across the institution.

Mobile Electronic Device: Includes telecommunication and portable computing devices which can execute programs or store data, including but not limited to laptops, tablet computers, smartphones, and external storage devices. Generally, a device capable of using the services provided by a public/private cellular, wireless, or satellite network.

Remote Device: Personal computer used off-site

POLICY STATEMENT

University of Connecticut faculty, staff, student employees, and volunteers who use mobile or remote devices are responsible for any institutional data that is stored, processed, and/or transmitted via a mobile or remote device and for following the security requirements set forth in this policy.

To adequately protect the data and information systems of the University, all individuals covered under this policy are expected to meet the following requirements:

All users of a mobile electronic device used to access non-public university systems must take the following measures to secure the device:

Configure the device to require a password (minimum of 10 characters), biometric identifier, PIN (minimum of 6 characters), or swipe gesture (minimum of 6 swipes) to be entered before access to the device is granted. Device must automatically lock and require one of the authentication methods after no more than 5 minutes of idle time.
Keep devices on currently supported versions of the operating system and remain current with published patches.
Enable the device’s remote wipe feature to permit a lost or stolen device to be securely erased.
Securely store electronic devices at all times to minimize loss via theft or accidental misplacement.

Wherever practical, elements of these requirements will be enforced via centrally administered technology controls.

STORAGE OF CONFIDENTIAL DATA

In general, confidential data should not be stored on mobile devices, including laptops. However, in certain instances and depending on job responsibilities, this may be unavoidable. In these instances, confidential data must be stored on university-owned devices ONLY with the following requirements:

Except when being actively used, confidential information must at all times be encrypted on any device through a mechanism approved by the University. Alternatively, whole drive encryption software may be deployed to meet this requirement.
Mobile devices must have university-supported software enabled and running to identify, protect, and respond to any threats to the data or operating systems of the devices.
Devices must have Mobile Device Management software installed to facilitate device protection, including remote wipe and, if possible, device location technology for recovery.

DEVICE DECOMISSION OR SEPARATION FROM UNIVERSITY

When mobile devices, specifically personally owned devices that may have had access to University resources or data, are no longer used, and donated, or given to anyone, the device owner is responsible for ensuring that any University information is securely deleted from the device, including University-related e-mails/accounts, user ID and password, or other cached credentials used to access University systems.

In the event of separation from the University, it is the employee’s responsibility to delete any University-related e-mail accounts or University licensed software that may have been installed on personal devices or computers.

ENFORCEMENT

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: August 30, 2021 [Approved by President’s Senior Team]

System and Application Security Policy

Title:	System and Application Security Policy
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All students, faculty, and staff
Campus Applicability:	All campuses except UConn Health
Approval Date:	August 30, 2023
Effective Date:	August 31, 2023
For More Information, Contact:	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu/

PURPOSE

To ensure the security of university data and systems by establishing requirements for the proper maintenance and oversight of systems and applications used by university constituents.

APPLIES TO

This policy applies to all individuals responsible for operating or overseeing any University system or application, whether on premise or in the cloud.

DEFINITIONS

Academic / Research System: A system whose primary responsibility relates to individual academic work or research

Administrative System: Any system that is used in support of the operation of the university excluding individual Academic / Research Systems.

Client Network: A client network is a computer network where individual machines are connected. Client networks consume services and do not offer services to the general population

ITS: Information Technology Services

IT Professional: An individual (staff) who is trained and skilled in using technology to solve business problems coupled with assigned job duties in support of technology at the university. This must be a defined responsibility within the position job description and may not fall under “other duties as assigned.” Appropriate training, support, and budget must also be available in support of the IT Professional role.

Local Network: The local network is those computers logically located in the same subnet

SaaS: Cloud-based service that is delivered via the web based on either a monthly or annual subscription

PaaS: Cloud-based service that provides a platform allowing for the development of software using an established framework to improve development time and management of cloud services

PII (Personally Identifiable Information): Information that either singularly or in conjunction with other data elements could reasonably lead to the identification of specific individuals

Public Availability: Services offered publicly include services offered outside of the local network

Regulated Data: Any data that has regulations around its protection prescribed either by law or contract is automatically considered administrative data. Examples include: Personally Identifiable Information (PII), Payment Card Information (PCI), Personal Health Information (PHI) and FERPA (Family Educational Rights and Privacy Act)

System Owner: The individual who is responsible for the planning and operation of the service. All systems must have a designated system owner.

POLICY STATEMENT

The proper management, maintenance and support of systems and applications is critical to protecting the data they store or process from a confidentiality, integrity, and availability perspective.

Basic Requirements (all systems including academic, administrative and research)

System Ownership

All systems including cloud-based systems supporting any aspect of the University must have an identified owner and responsible party for ensuring the controls specified in this policy.

All software and services used to process University information are subject to an Information Security review and sign off prior to their purchase or development. Information Security reviews will evaluate specific risks and controls available and necessary based on the information being processed. The system owner will be responsible for the deployment of the agreed upon security controls prior to enabling the production capability of the system or application.

System Access

Access to information in the possession of or under the control of the University must be provided on a need-to-know basis. Information must be disclosed only to individuals who have a legitimate and approved need for the information. For most applications, this requires the use of proper authentication methodologies and the use of Single Sign On (SSO) is encouraged.

Information may only be used for its intended purpose, and other uses of university information without the approval of the data owner is prohibited.

Patching and Maintenance

All system owners must ensure the timely implementation of operating systems and application patches to provide for the confidentiality, integrity, and availability of the systems or data. The ongoing maintenance of applications and the application of software updates is an activity that must be minimally scheduled on a quarterly basis.

System and Application Lifecycle Management

System owners are responsible for the planning of and budgeting for system maintenance and obsolescence. Any system or application that is no longer supported by the vendor or is replaced by newer technology should be decommissioned as soon as possible. The decommissioning process must include the proper retirement of any physical hardware or virtual images and the proper destruction of any media (e.g., hard drives, tapes, etc.) that may have data. Cloud services that are decommissioned should ensure the proper handling of any data (return and/or destruction) in the cloud vendor’s possession as part of the contract cancellation.

Cloud based systems

Software as a Service / Platform as a Service

While patching and maintenance of Cloud-based SaaS and PaaS systems is typically handled by the vendor, identified individuals are responsible for proper security configurations and user management associated with providing the service. A Vendor Risk Management review is necessary for all newly procured services.

Infrastructure as a Service (IASS)

IAAS provides a significant amount of flexibility in the configuration and use of the platform. This requires additional expertise that requires management by an IT Professional and where applicable must meet the same requirements as Administrative Systems.

Administrative Systems

System and Application Security

Administrative systems due to their complexity must be managed by an IT Professional.

Administrative systems will be required to adhere to all regulatory requirements and meet security controls / standards as set forth by the Information Security Office based on institutional requirements.

Encryption

All systems housing administrative data are expected to have data encrypted in transit and at rest to protect data. Where available, encryption keys should reside outside of the application.

User Management

University of Connecticut Information Technology Services (ITS) provides centralized user identity and access management that supports identity validation and access management (IAM) using a NetID and password providing for single sign on (SSO) across multiple systems. Systems and applications that rely on the University IAM platform for authenticating individual access rights can forgo the need for user management outside that of assigning any roles within the system or application, as necessary. The use of SSO for all systems is highly recommended.

Systems and applications that do not use the central IAM solution must have a written plan and designated individual responsible for the creation, modification, and deletion of user IDs. User IDs, including student accounts, must be reviewed when faculty, staff, or students separate from the University at least annually. This includes a process for ensuring the secure creation of passwords and a secure password reset process for validating an individual’s identity prior to resetting the password.

Systems where individuals have access to a significant amount of the PII of other constituents, including but not limited to students, faculty, staff, alumni, and vendors, or significant amounts of regulated data require two-factor authentication wherever possible.

Software Maintenance

Only necessary software should be loaded on systems, and old versions of software removed. The use of web browsers and other individual productivity tools should be limited to the management of the system only.

Auditing of Systems and Application Logs

System and application logs must be reviewed for inappropriate access on a regular basis (at least monthly) or via automated systems capable of detecting misuse through the analysis of frequent password failures, geographic anomalies, or inappropriate access attempts. ITS maintains a centralized logging and reporting platform, which can assist in the analysis of large amounts of data often associated with system and application logs. All administrative systems must log to the centralized logging and reporting platform events related to login activity and security event data.

Mandatory Reporting

All suspected policy violations, system intrusions, and other conditions that might jeopardize University information or information systems must be immediately reported to the Information Security Office.

ENFORCEMENT

Systems and applications that do not follow the standards set forth in this policy may be administratively shut down or have access restricted. Systems maintained at the departmental or individual level may incur costs in association with enabling the proper protections or in the event of data exposure.

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct, applicable collective bargaining agreements, and the Student Code.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530) or UConn Reportline (1-888-685-2637)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: August 30, 2021 (Approved by President’s Senior Team)

Revisions: August 30, 2023 (Approved by the Senior Policy Council and the President)

Network Access Policy

Title:	Network Access Policy, Information Technology
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All students, faculty, staff, volunteers, and contractors
Campus Applicability:	All campuses except UConn Health
Effective Date:	August 30, 2021
For More Information, Contact	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu

PURPOSE

The University invests significantly in maintaining a secure network that meets the academic, research, residential, and administrative needs of the institution. To ensure compliance with applicable Federal and State laws and regulations, and to protect the campus network and the ability of the University community to use it, certain security, performance, and reliability requirements must govern the operation of these networks.

APPLIES TO

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to university networks.

DEFINITIONS

University Network: The university network is comprised of the network hardware and infrastructure and the services to support them, from the data jack or wireless access point to the University’s Internet Service Provider’s (ISP) connection. The university network begins at the connection to the network (wired or wireless) and ends where we connect to the Internet.

Wired Network: The wired network consists of the physical cabling, infrastructure, and management systems that provide physical network access via an ethernet or fiber optic cable.

Wireless Network: The wireless network consists of the access points (connected to the wired network), wireless spectrum, and management systems that provide services via the UConn provided wireless networks, including UConn Secure, Guest, EDUROAM, and other specialty networks.

POLICY STATEMENT

The University network (wired & wireless) is an essential resource for the University of Connecticut students, faculty, staff, and guests. The University network provides a variety of critical services that meet the academic, administrative, research and residential needs of the University. Due to the complex nature of the University’s network, Information Technology Services (ITS) is responsible for the overall design, installation, coordination and operation of the University’s network environment.

Wired Networks

The wiring and electronic components of the network are deemed part of the basic infrastructure and utility services of the University. Installation and maintenance of that network are to be considered part of the “up front” basic required building and renovation costs and are not considered discretionary options in construction and renovation design.
Standards for the network wiring, electrical components, and their enclosures are defined by Information Technology Services (ITS), subject to Building and Grounds (B&G) oversight and are considered part of the University’s “building code” to which installations must conform.
Upgrades to our campus network will be done as part of a university-wide Network Master Plan.  This Network Master Plan will be coordinated with the University’s Building Master.
Units that would like to use their own funding to install wired/wireless technology or change the programmatic function or use of a room to newly include a wired/wireless activity must work directly with ITS Network Engineering for design services and standards requirements. ITS Network Engineering will thereby ensure that all changes to the wired network conform to applicable standards.
Units choosing to install and establish their own security using local firewalls and/or VPNs must give ITS Network Engineering and Information Security access to/through these devices into the active network segments. This will give Network Engineering the ability to see beyond the secure points of the network for diagnosing problems potentially affecting the overall network.
Units wishing to design, install and maintain their own network must have their designs reviewed by ITS Network Engineering. All installations must conform to the standards set forth in the ITS Design Guide and Standards. Before equipment is purchased, the requesting entity must submit technical specifications of the equipment to be used in the project, along with the logical and physical design maps, for ITS approval to ensure network compatibility and service conformance. ITS Network Engineering will provide the department with an approval letter, which can be submitted to Purchasing with the purchase request.

Wireless Networks

The addition of new wireless access points on the University network must be coordinated and approved by ITS. Wireless performance is impacted by the architectural features, building materials, and furnishings of a contemporary workspace. Construction and renovation projects must be coordinated with ITS and include funding for additions or adjustments required to optimize performance and serviceability of impacted wireless access points and systems.
On an exception basis, departments and individual faculty may install and manage wireless access points for specific programmatic needs. These locally administered wireless access points must be registered and coordinated with ITS prior to deployment to prevent radio frequency (RF) interference on either wireless network. At least one individual in the requesting department must be designated as the official contact for the access point. The official contact is responsible for the data and network traffic that traverses through the access point and appropriate access control and security configuration, as well as the regular maintenance, software updates, and replacement.
Any devices either not part of or that cause significant RF interference with the University wireless network will be considered a “rogue” access point or device. ITS will pursue all reasonable efforts to contact the owner of the rogue device, and if necessary, may disable or disconnect them from the University network. This includes devices and equipment that operate in the frequency ranges occupied by the University Wi-Fi network.

ENFORCEMENT

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Technology Services CIO – https://cio.uconn.edu

POLICY HISTORY

Policy created: This policy replaces the Wireless Network Policy (05/15/2006) and Physical Network Access Policy (11/18/2008). Approved by President’s Senior Team 8/30/2021.

Firewall Policy

Title:	Firewall Policy
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All students, faculty, and staff responsible for configuring firewalls
Campus Applicability:	All campuses except UConn Health
Effective Date:	August 30, 2021
For More Information, Contact	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu/

PURPOSE

To ensure a common set of firewall configurations across the organization to maximize their protection and detection capabilities in support of the security of the University. Firewalls provide a valuable protection and detection capability for the organization when properly configured, managed, and monitored.

APPLIES TO

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have responsibility for controlling or configuring firewalls.

DEFINITIONS

EOL: End of Life

EOS: End of Support

IANA: Internet Assigned Numbers Authority (iana.org)

POLICY STATEMENT

The University operates in a highly flexible and adaptive security environment to meet its academic, research, and administrative missions. While the ability to adapt to meet the ever-changing needs of the University is important, oversight and reporting of firewall activities are critical to the successful protection and operation of the University environment. The following firewall requirements must be met:

Firewall Configuration Standards

All firewalls must be properly maintained from a hardware and software perspective. This includes proper lifecycle planning for EOL and EOS software/hardware and regular review (at least annually) of firewall rulesets.
All dedicated firewalls used in production must follow the University firewall management standard, which includes the ability to review currently configured firewall rules across the organization, identification of shadow or redundant rules and rules in conflict, and standardization of device/object names.
Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets, configurations and backup media must be restricted to those responsible for administration and review.

Firewall Rules

Firewall rules specify (either allow or deny) the flow of traffic through the firewall device. Firewall rules are typically written based on a source object (IP address/range, DNS Name, or group), destination object (IP address/range, DNS Name, or group), Port/Protocol and action.

All firewall implementations should adopt the principal of “least privilege” and deny all inbound traffic by default. The ruleset should be opened incrementally to only allow permissible traffic.
Outbound traffic should be enumerated for data stores, applications, or services
Overtly broad rules may be allowed for specific groups of individuals (not systems). Approval must be granted by the Chief Information Security Officer or their designee.
The use of overly permissive firewall rules is prohibited (i.e., ANY/ANY/ALL rules).
Protocols defined in services and in the firewall must utilize Service Name and Protocol/Port information as assigned by IANA, unless there is a technical reason to do otherwise other than “security through obscurity” and must be commented appropriately in the ruleset.

Firewall Logging

Firewall log integrity is paramount to understanding potential threats to the network. Firewall devices must log the following data to a system outside of the physical firewall itself and must be regularly reviewed at least monthly or programmatically through automated means. Firewall logs may be forwarded to the ISO SIEM for retention and analysis.

The following items must be logged as part of the operation of the firewall:

All changes to firewall configuration parameters, enabled services, and permitted connectivity
Any suspicious activity that might be an indicator of either unauthorized usage or an attempt to compromise security measures

ENFORCEMENT

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: August 30, 2021 [Approved by President’s Senior Team]