Authorized Access to Electronic Information Policy

Version 2.0

Purpose

The purpose of this policy is to inform Users of the permission required to gain access to Electronic Information stored on University IT Resources, which they may not be authorized to access in standard business operations.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Electronic Information access should only occur for legitimate University purposes.
  • The Chief Information Security Officer (CISO), Chief Information Officer (CIO), or the President can authorize access to Electronic Information without approval from other entities.
  • Fordham IT does not monitor activities on IT Resources or Standard Software unless a cybersecurity event is triggered as outlined in the Information Security Breach Response Policy, the Wireless Use Policy, or any other activities that violate IT security or privacy policies. N.B. The Privacy section in the Acceptable Use of IT Infrastructure and Resources Policy states the following:
    • The University may exercise these rights for various reasons, including but not limited to:
      • Ascertaining whether Users are using the systems per the IT policies and other University guidelines;
      • Preventing, investigating, or detecting unauthorized use of the University's IT Resources; and
      • Ensuring compliance with applicable laws and regulations.
  • The University may access Users’ Electronic Information in connection with investigations of misconduct or violation of the Acceptable Use of IT Infrastructure and Resources Policy.
  • Electronic Information may be accessed to obtain Business-Critical Data when a User who typically has access to the files is unable or unavailable to provide consent due to:
    • An unauthorized absence where the User is unreachable/unresponsive,
    • An illness,
    • A vacation, or
    • A separation from the University.
  • Users’ Electronic Information access may be necessary to preserve and provide Electronic Information in connection with legal proceedings. Any legal or litigation requests involving a User’s Electronic Information must go through the Office of Legal Counsel (OLC), and the University Information Security Office (UISO)’s IT Security Director for processing.
  • The University may access Users’ Electronic Information to deal with urgent situations presenting threats to the safety of the campus or the life, health, or safety of any person.
  • Out-of-office messages are part of this approval request policy.
  • University interim posts or proxies may approve with written consent from the approvers noted in this policy.
  • If the Electronic Information belongs to Faculty, then the CISO in conjunction with one of the following appropriate roles: the OLC, Provost, VP of Human Resources, or Associate VP of Public Safety must approve access.
  • If the Electronic Information belongs to a Student, then the CISO in conjunction with one of the following appropriate roles: the OLC, area VP/Dean, or Associate VP of Public Safety must approve access.
  • If the Electronic Information belongs to a Staff member, then the CISO in conjunction with one of the following appropriate roles: the OLC, area VP, VP of Human Resources, or Associate VP of Public Safety must approve access.
  • If the Electronic Information belongs to Alumni, then the CISO and the OLC, area VP, or Associate VP of Public Safety must approve access.
  • If the Electronic Information belongs to a Consultant/Guest, then the CISO and the OLC, area VP/Dean, Associate VP of Public Safety, or Sponsor must approve access.
  • If the Electronic Information belongs to a Corporate entity, then the CISO and the OLC, area VP/Dean, Associate VP of Public Safety, or Sponsor must approve access.
  • A User will be given notice when their Electronic Information is accessed, except when it is not possible under the instructions from the OLC.
  • Records must be kept in the University’s IT ticketing system to enable an appropriate review of compliance with this policy. Detailed instructions are in the Authorized Access to Electronic Information Procedure.
  • Records of accessed Electronic Information are retained to justify the purposes of access through the University’s ticketing system.
  • The UISO will report the number of these requests fulfilled by class (e.g., employee, staff, student), if possible, to the Information Risk Management Board (IRMB) quarterly. If a department head wants additional information, they should contact their IRMB representative.

Definitions

Business-Critical Data is any kind of information or data that a business would not recover if it were lost. At Fordham University, that could be data or information such as contracts or student grades, based on employees’ specific work roles or job functions. Each department should identify their business-critical data.

Electronic Information refers to documents and communications, including email, voice mail, and text messages, and their associated metadata, located in files and accounts related to a particular User. Electronic Information includes information stored on licensed cloud servers, such as Blackboard®, Google Drive, and Panopto.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Security
Approved By: CISO
Approval Date: March 25, 2019

Revision History

Version | Date       | Description
1.0     | 03/25/2019 | Initial document
1.1     | 02/14/2020 | Update to the policy statement
2.0     | 09/29/2020 | Update to policy statement and definitions

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.