Authorized Access to Electronic Information Policy
The purpose of this policy is to inform Users of the permission required to gain access to Electronic Information stored on University IT Resources which they may not be authorized to access in standard business operations.
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
The Chief Information Security Officer (CISO), Chief Information Officer (CIO), or the President can authorize access of Electronic Information without the approval from other entities.
Electronic Information access should only occur for legitimate University purposes.
- The University may access Users’ Electronic Information in connection with investigations of misconduct or violation of the Acceptable Use of IT Infrastructure and Resources Policy.
- Users’ Electronic Information may be accessed to obtain business-critical data when a User is unable or unavailable to provide consent (e.g., if an employee who typically has access to the files is unavailable due to illness, vacation, unplanned absence, or separation from the University).
- Users’ Electronic Information access may be necessary to preserve and provide Electronic Information in connection with legal proceedings. Any legal or litigation requests involving a User’s Electronic Information must go through the Office of Legal Counsel (OLC), and the University Information Security Office (UISO)’s IT Security Director for processing.
- The University may access Users’ Electronic Information to deal with urgent situations presenting threats to the safety of the campus or the life, health, or safety of any person.
University interim posts or proxies may approve with written consent from the approvers noted in this policy.
If the Electronic Information belongs to Faculty, then the CISO in conjunction with one of the following appropriate roles: Provost, VP of Human Resources, or Associate VP of Public Safety must approve access.
- If the Electronic Information belongs to a Student, then the CISO in conjunction with one of the following appropriate roles: Area VP/Dean or Associate VP of Public Safety must approve access.
- If the Electronic Information belongs to a Staff member, then the CISO in conjunction with one of the following appropriate roles: Area VP, VP of Human Resources, or Associate VP of Public Safety must approve access.
- If the Electronic Information belongs to Alumni, then the CISO and the Area VP or Associate VP of Public Safety must approve access.
- If the Electronic Information belongs to a Consultant/Guest, then the CISO and the Area VP/Dean, Associate VP of Public Safety, or Sponsor must approve access.
- If the Electronic Information belongs to a Corporate entity, then the CISO and the Area VP/Dean, Associate VP of Public Safety, or Sponsor must approve access.
- A User may be given notice when their Electronic Information will be or has been accessed, when possible.
- Records must be kept in the University’s IT ticketing system to enable appropriate review of compliance with this policy.
- Records of the Electronic Information accessed are retained as needed to justify the purposes of the access through the University’s ticketing system.
- Out-of-office messages are part of this approval request policy.
Electronic Information refers to documents and communications, including email, voice mail, and text messages, and their associated metadata, located in files and accounts associated with a particular user.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
- Acceptable Use of IT Infrastructure and Resources Policy
- Authorized Access to Electronic Information Procedure
- Provisioning and Deprovisioning Policy
|Responsible Person:||Director, IT Security|
|Approval Date:||March 25, 2019|
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.