Authorized Access to Electronic Information Policy
Version 2.2
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to inform an individual or proxy how to temporarily gain access to another user’s Electronic Information stored on University IT Resources, which they may not be authorized to access in their standard business operations.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Electronic Information access should only occur for legitimate University purposes.
- The Chief Information Security Officer (CISO), Chief Information Officer (CIO), or the President can authorize access to Electronic Information without approval from other entities.
- The Office of Information Technology may not monitor activities on IT Resources or Standard Software unless a cybersecurity event is triggered as outlined in the Information Security Breach Response Policy, the Wireless Use Policy, or any other activities that violate IT security or privacy policies. NB. The Privacy section in the Acceptable Use of IT Infrastructure and Resources Policy states the following:
- The University may exercise these rights for various reasons, including but not limited to:
- Ascertaining whether Users are using the systems per the IT policies and other University guidelines;
- Preventing, investigating, or detecting unauthorized use of the University's IT Resources; and
- Ensuring compliance with applicable laws and regulations.
- The University may exercise these rights for various reasons, including but not limited to:
- The University may access Users' Electronic Information in connection with investigations of misconduct or violation of the Acceptable Use of IT Infrastructure and Resources Policy.
- Electronic Information may be accessed to obtain Business-Critical Data when a User who typically has access to the files is unable or unavailable to provide consent due to:
- An absence where the User is unreachable/unresponsive,
- An illness,
- A vacation, or
- A separation from the University.
- Users' Electronic Information access may be necessary to preserve and provide Electronic Information in connection with legal proceedings. Any legal or litigation requests involving a User's Electronic Information must go through the Office of Legal Counsel (OLC) and the Senior Director of IT Security and Assurance for processing.
- The University may access Users' Electronic Information to deal with urgent situations threatening campus-wide, personal safety, or well-being.
- Out-of-office messages may be part of this approval request policy.
- University interim posts or proxies may approve with written consent from the approvers noted in this policy.
- If the Electronic Information belongs to Faculty, then the CISO, in conjunction with one of the following appropriate roles: the OLC, Provost, VP of Human Resources, or Associate VP of Public Safety, must approve access.
- If the Electronic Information belongs to a Student, then the CISO, in conjunction with one of the following appropriate roles: the OLC, area VP/Dean, or Associate VP of Public Safety, must approve access.
- If the Electronic Information belongs to a Staff member, then the CISO, in conjunction with one of the following appropriate roles: the OLC, area VP, VP of Human Resources, or Associate VP of Public Safety, must approve access.
- If the Electronic Information belongs to Alumni, then the CISO and the OLC, area VP, or Associate VP of Public Safety must approve access.
- If the Electronic Information belongs to a Consultant/Guest, then the CISO and the OLC, area VP/Dean, Associate VP of Public Safety, or Sponsor must approve access.
- If the Electronic Information belongs to a Corporate entity, then the CISO and the OLC, area VP/Dean, Associate VP of Public Safety, or Sponsor must approve access.
- A User will be given notice when their Electronic Information is accessed, except when it is not possible under the instructions from the OLC.
- Records must be kept in the University's IT ticketing system to enable an appropriate review of compliance with this policy. Detailed instructions are in the Authorized Access to Electronic Information Procedure.
- Records of accessed Electronic Information are retained to justify the purposes of access through the University's ticketing system.
- Information Security and Assurance monthly reports the number of requests fulfilled by class (e.g., employee, staff, student) to the Information Risk Management Board (IRMB). A department head should contact their IRMB representative if they want additional information.
Definitions
Business-Critical Data is any information or data that a business would not recover if lost. At Fordham University, that could be data or information such as contracts or student grades, based on employees' specific work roles or job functions. Each department should identify its business-critical data.
Electronic Information refers to documents and communications, including email, voice mail, and text messages, and their associated metadata, located in files and accounts related to a particular User. Electronic Information includes information stored on licensed cloud servers, such as Blackboard®, Google Drive™, and Panopto™.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- Acceptable Use of IT Infrastructure and Resources Policy
- Authorized Access to Electronic Information Procedure
- Provisioning and Deprovisioning Policy
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director of IT Security and Assurance |
| Approved By: | CISO |
| Approval Date: | March 25, 2019 |
Revision History
|
Version:
|
Date:
|
Description:
|
|---|---|---|
|
1.0
|
03/25/2019
|
Initial document
|
|
1.1
|
02/14/2020
|
Updated the policy statement
|
|
2.0
|
09/29/2020
|
Updated policy statement and definitions
|
|
2.1
|
08/04/2023
|
Updated policy statement
|
|
2.2
|
03/04/2024
|
Updated policy purpose, disclaimer
|
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.