Technology Policies
Policies
Purchase College Broadcast E-mail Policy
Email is a convenient way to communicate information to the campus community, and as a result there are a tremendous number of requests for campus-wide broadcast e-mail messages.
Email is popular because you can push your message into people’s mailboxes, reaching a larger audience than you would by posting your message to a web site where people have to actively seek it out (websites are a pull channel). However, the convenience of pushing email at everyone has to be balanced against the burden this places on the time and attention of the College community. Their time and attention are too precious a resource to subject to a fire-hose of poorly targeted email that is not timely, relevant, and of interest to the recipient. We have all heard complaints about the volume of messages we receive, and we have all heard of others who say they don’t read any of our broadcast messages and who miss important information as a result.
It is essential to avoid overuse of broadcast email that diminishes the effectiveness of this channel.
As Stamats notes, sending out an email message does not mean you have effectively communicated your message. Effective communication requires that you say the right thing, at the right time, to the right audience.
The college offers a variety of push/pull communication channels including email, distribution lists, and our web site. It is important that we avoid over-reliance on email broadcasts and employ the right mix of channels, messages, and audiences to communicate effectively with the campus community.
Broadcast Message Volume over the last 10 years has increased by 500%
- July 2007 to June 2008: 311 Broadcast Messages
- July 2008 to June 2009: 745 Broadcast Messages
- July 2009 to June 2010: 884 Broadcast Messages
- July 2010 to June 2011: 1,086 Broadcast Messages
- July 2011 to June 2012: 1,339 Broadcast Messages
- July 2012 to June 2013: 1,365 Broadcast Messages
- July 2013 to June 2014: 1,179 Broadcast Messages
- July 2014 to June 2015: 1,300 Broadcast Messages
- July 2015 to June 2016: 1,450 Broadcast Messages
- July 2016 to June 2017: 1,553 Broadcast Messages
By far the highest monthly volume of broadcast email is during April and September – just when people are busiest, we are bombarding them the most. So while it is easy to use email as a communication channel, it is also easy to see why people tune it out.
It is critical that the messages we send are relevant, they are clearly written, they are accurate the first time, and they are sent to the right recipients (and not just “everyone.”)
Broadcast Email Etiquette
Campus-wide e-mails should be sent out to inform the campus of important announcements, events, or alerts that affect the entire campus.
Campus broadcasts should only occur if there is a reasonable expectation that the message would be of interest to a significant portion of the college community. If your weekly meeting of the Obscure Society typically draws the same ten dedicated souls and meets in a small windowless room, sending an invitation to 10,000 people doesn’t really make sense – they won’t all come, they won’t all fit, and most likely you’re just annoying 9,990 of them with yet another piece of spam they have to delete.
Select your target audience carefully - with laser focus if possible. The time and attention of the campus community is a precious resource.
Avoid sending Corrections and Reminders – take the time to get the message right the first time, and promote your deadline or event using the Master Calendar, web site, portal, and distribution list.
Broadcast email should only be used for official College purposes. Broadcast email should NOT be used to promote products, activities or services that have not been endorsed by the appropriate unit within the College (Job Fairs should be endorsed by Career Development, Overseas Programs should be endorsed by the Office of International Programs, etc.) It should go without saying that broadcast email is not the place to sell your car or rent an apartment.
Start and promote a Distribution List (DL) for those who have participated in similar activities or who have expressed an interest – and allow people to Opt-in and opt-out of your weekly message to that list – and work to make sure that it is a source of valuable information. When you send your broadcast message, use the Distribution List as the destination address, include instructions at the bottom for unsubscribing, and honor those requests in a timely fashion. Promote your distribution list as a source of valuable information on your website, Facebook page, etc.
In any case, high quality content is far more important than how many copies you are distributing.
Tell us what is in the message and why we should look at it
E-mail messages should always include a descriptive subject line. This serves to entice people to open your message and read further, as well as to relieve them from opening the message if it clearly isn’t something they are interested in. Subject line “News from CTS” – Ho-Hum… Subject line “Your email account will be purged Tuesday at 4:00” - uh-oh.
Tell us who it is from
Marketing studies also say that people are far more likely to open a message when it comes from a real person i.e. “Bill Junor” - than when it comes from an institutional address like “(CTS.Director)” - delete.
Broadcast email Definition:
Any message transmitted to the entire “campus Community” or to an entire cohort (all students, all faculty, all staff) or to any combination thereof is considered a “broadcast message” requiring workflow approval.
School and divisional distribution lists (i.e. LAS students, NS Majors, Sociology Department, a specific class list, etc.) are NOT considered broadcast messages since the heads of each area already have the necessary rights to distribute those messages themselves, without workflow approval.
Similarly, off campus distribution lists (i.e. Friends of Music, Friends of the Library, etc.), are NOT considered broadcast messages since the heads of each area already have the necessary rights to distribute those messages themselves, without workflow approval.
Who can request a campus-wide e-mail message?
Any member of the Purchase College community can request that a campus-wide message be sent out by submitting a request through the Broadcast Email Messaging (BEM) System. Broadcast requests are automatically routed to the department head for approval, and to the appropriate Vice President or College Officer. Only the VPs/Officers can authorize broadcast emails.
For broadcast requests created by Students, those requests are routed to Student Affairs for workflow approval.
Who will receive a campus-wide broadcast e-mail message?
Campus-wide messages can be sent to all campus-wide e-mail server users. Campus-wide messages can also be sent to other e-mail servers or to external e-mail addresses if the requestor includes external addresses (individuals or Distribution Lists) as part of their request.
The request must specify the audience to receive the message. Broadcast messages can be sent to 1) all faculty, 2) all staff, or 3) all students. These three categories (and others such as residents by wing or students by division) can be combined as necessary to reach the desired audience.
The BEM system allows the originator to specify as many destination addresses as necessary, and those addresses can be a combination of campus addresses and off campus addresses.
Please note that Deans/Directors/Chairs of academic divisions already have the ability to send messages to students and/or faculty/staff within their division themselves.
What can be sent out in a BEM e-mail message?
The BEM system allows creation of rich media messages that are compact and efficient. You can embed graphics, links, and attachments as necessary. In addition, the BEM system contains a variety of general and specific graphical templates for various campus organizations that help to create an attractive presentation wrapper for your message.
Please note that many email servers on the recipient end restrict attachment size to 10 MB.
When should I use Email versus the website, the Portal, and the Master Calendar?
To communicate effectively, you should use all these channels in a coordinated fashion.
- Make sure your message is on your website. You can include far more extensive information on a web page with photos, video, etc than you can in an email. Find out who the web content manager for your area is, and ask them to post the information, or ask them to create a page that you can edit and maintain. If you do decide to use the broadcast email channel, your brief email message should include a link to this additional information on your web site.
- Use the Portal pages. The Portals contain the “Think Wide Open” scroll bar that highlights stories and events. Stories and Events can be added by Content Managers within each office/academic division using the LiveWhale Content Management System (CMS). Your story or Event can appear on your unit’s web page, the Portal Pages, and maybe even the College’s Home Page. Our website was “built for crowdsourcing” – we want your announcements, stories, and events up there front and center where everyone can see them.
- Space for events must be reserved and approved through the RoomBook scheduling system. After you have successfully reserved the room for your event in RoomBook, go into the LiveWhale CMS and create an event there with graphics and descriptions, and share it with the “Portals” group. Please do not use email to promote an event that you haven’t put into the calendar – people won’t be able to locate your email message as the event approaches, and will look for it on the calendar, and if you haven’t actually reserved the room, they may even show up to find some other event in progress.
- Consider using the Distribution list for a particular segment of the community. There are existing distribution lists for each school, each department, campus residents, commuters, etc. If you don’t have the rights to send to the right distribution list, find out who does and ask them, or start your own distribution list.
- Select your audience carefully - with laser focus if possible. If your message applies to students in certain majors with a certain range of credits who live on campus, create a list for that audience.
The New York State Department of Environmental Conservation has determined that non-working and obsolete computer products must be treated as hazardous waste. Monitors and terminals contain from 4 to 8 pounds of lead and fail the NYS DEC TCLP test for toxicity. Circuit boards of both computers and printers contain lead solder, mercury and cadmium, and often also fail the TCLP test. These items should be disposed of in an environmentally sound manner.
The key points of NYS DEC Regulations are:
- All non-working/obsolete computer products should be disposed of in an environmentally sound manner.
- Monitors and terminals are always a hazardous waste (or household hazardous waste, if from household use).
- Other components of a computer system (e.g., circuit boards, keyboards, mice) could be hazardous depending on their lead, mercury, or cadmium content, which can vary from product to product.
- The recycling facility must be on file with the DEC.
- A C7 Notification Letter must be filed with the DEC that a legitimate recycler is processing the product.
- The generator continues to be responsible for product improperly disposed of through non-recycling channels.
- Donated equipment must be operational and for continued use.
- Storage for over 90–180 days may be a violation.
- Substantial penalties may apply for non-compliance.
Additional information is also available at the New York State Department of Environmental Conservation website. The current rates for disposal are about $15 for a PC, monitor, and printer.
Campus agencies must arrange to have their old computer equipment removed by an authorized disposal service that complies with all city, state and federal regulations. You may want to contact our campus Environmental Health and Safety Officer, Ed Musal, at x6917 for further information on hazardous waste removal. One authorized recycling vendor is Per Scholas, who can be reached at (718) 991-0362.
CTS will continue to dispose of old computers that are being replaced with new ones on an individual basis, and properly dispose of them as we have done in the past. However, CTS cannot accept bulk disposal or removal of old computer equipment on behalf of other departments.
Please keep in mind that all departments must fill out a Property Control System – Request for Disposal or Surplus Form.pdf – when disposing of old computer equipment (see attached). The original will go to the department head, a copy should be taped to the item being disposed of, and a copy must go to our campus inventory control coordinator in Purchasing and Accounts Payable. Please call x6920 if you have any questions about using this disposal form.
The Purchase College information technology infrastructure includes a private network of secure services for the exclusive use of our students, faculty, staff, and administrators. Other IT services include open access to college information for the general public and the world at large. To utilize private secure services for students, faculty, and staff, you must authenticate with a Purchase College user name and password.
Users of computer systems and networks at Purchase College must read, understand, comply with, and electronically sign the Purchase College computer ethics policy when they activate their account. You are responsible for your actions. That responsibility exists regardless of what security mechanisms are in place. Unauthorized use of computing facilities will lead to suspension or loss of privilege, and may lead to more serious penalties. All rules and policies must be adhered to by all users of Campus Technology Services at Purchase College.
Appropriate use
All users are expected to use these services in a responsible fashion. Student use of all computing resources and services is subject to the Student Code of Conduct. Faculty and staff use of computing resources and services is subject to the Policies of the SUNY Board of Trustees and to campus supervisory oversight.
The college provides a variety of services that are public within the college community, and others that are public to the world. These services include (but are not limited to) our portal, ePortfolios, student web publishing directories, sections of our website, and Brightspace, among others. Materials posted to any college site or service must be respectful and appropriate; offensive materials or speech may be removed and/or referred to Student Affairs or the appropriate college supervisor.
Security for Your Account
Do not consider email private or secure. Purchase College does not encrypt email. Mail can be easily intercepted at any machine that it passes through. It can be altered and copies can be made and forwarded. Messages sent to nonexistent or incorrect addresses may be delivered to an unintended destination.
The systems administrator(s) at Purchase College have the right to monitor computer systems. The systems administrator(s) have the right to examine user files to diagnose system problems or investigate security breaches.
The internet is not secure. If you are going to transmit sensitive data or files across the internet, you must take precautions to protect it on your own. Data and files can easily be intercepted, read, altered, misused, or destroyed at any machine they pass through. In addition, machines attached to the internet are vulnerable. Do not assume your data is safe on your computer if it is directly connected to the internet. Do not store valuable or privileged information on these systems without applying security. If you can’t afford to lose it, back it up. If it is information that should never see the light of day, don’t store it on a networked computer.
Backup Your Important Data
Keep all valuable disks and tapes in a secure place. Secure backup copies of valuable files or data off site. When throwing out old disks or tapes, make sure no sensitive information can be found on them.
Intellectual Property and Piracy
Whenever you are shipping software from one place to another, you must consider intellectual property and license issues. The internet is a global network, and the importing and exporting of software may fall under the jurisdiction of the United States Department of Commerce. Exporting anything may require a license. A general license covers anything that is not explicitly restricted and is readily available in public forums in the United States. The exportation of networking code or encryption code is restricted. You may not allow access to a restricted machine to persons or entities outside of the United States. Please be aware, when posting information to a bulletin board, that data will probably cross the border. If you have any questions on the legality of transmissions over the borders of the United States, please seek legal counsel.
Purchase College has joined the internet via an educational connection. Use of the internet for commercial purposes is not allowed.
The following are considered unacceptable uses of computer systems, and are strictly prohibited:
- Deceiving a machine (i.e., mimicking, imitating, or attempting to use an ID other than your own)
- Computer fraud (with and without intent to deceive)
- Computer damage or destruction
- Offenses against computer users including, but not limited to, harassment
- Unauthorized use of any system
- Modification or destruction of programs or data other than your own personal files
- Use of computer to commit crime (embezzlement, harassment, blackmail, etc.)
- Tampering or alteration of computer, computer systems, programs, or files
- Unauthorized access or attempted unauthorized access to a computer or network
- Causing denial of computer services (e.g., run a virus that renders a network unusable)
- Preventing others from using computer services
- Causing deterioration of system performance (e.g. playing Doom over a network)
- Computer trespass. This includes remote systems as well as secured areas of this system
- Theft of computer-related materials
- Theft of computer services. For example, you may not use any pay service without paying
- Computer invasion of privacy: unauthorized examination of files
- Computer-caused physical injury
- Copying licensed software
- Violation of any interstate laws applying to electronic transmissions
- Violation of any import/export laws applying to electronic transmissions
- Posting confidential information such as Social Security numbers or phone numbers
- Cracking passwords
- Even if a file is readable, do not assume you may read it unless explicitly granted authority to do so
- Even if a file is able to be updated, do not modify it unless explicitly granted authority to do so
- You may not share your account
- You may not use any computer resource without prior permission
- If a Purchase College systems administrator asks you to cease an activity on the computer, you must stop that activity immediately
Password Policy
Your password is the only means you have of keeping your account and files secure. The algorithm that encrypts passwords has not been broken. However, it is possible for your password to be stolen when using the Internet, so you are encouraged to change it often. More than 80 percent of computer break-ins are because passwords can be easily derived by hackers.
The following requirements must be met when choosing a password:
- Your password must be kept secret and changed often.
- Your password must contain at least 12 keystrokes, including at least 1 character from 3 of the four groups below, in any order:
  - One or more uppercase letters (‘A’ through ‘Z’)
  - One or more lowercase letters (‘a’ through ‘z’)
  - One or more numerals (0 through 9)
  - One or more non-alphanumeric keystrokes (Special Characters), including punctuation marks (including ` ~ ! @ # $ % ^ & * ( ) _ - [ ] { } ’ ” ~ / ? , . < > | )

  It is best to include both numerals and punctuation marks.
The space may be used in creating a password, or pass phrase. The space is not required and does not count as a special character, but does improve the complexity of a password. Most people find it easier to remember pass phrases than complex passwords. Combining words, spaces, digits and special characters can make a pass phrase that is both easy to remember and hard to guess.
We encourage users to not use dictionary words.
Select a secure password that you are guaranteed to remember. An easy way to accomplish this is to join unrelated words, syllables, and/or letters that have special meaning only to you. Place non-alphabetic keystrokes between parts of words, syllables, or letters in your password. For example, “my Dog likes to eat Bananas and Strawberries” (note capitalized nouns) becomes “myD@wgl2eB&S”.
Do not use consecutive keys on the keyboard to form any significant part of a password (e.g. “ASD”, “qwerty”, “1234abcd”, “!@#”).
Do not use your login name to form any part of a password, nor use any common name, such as the name of a person or pet, nor any personal information (date, license number, etc.). Reversing these words is ineffective as well (e.g., the passwords “John.Smith” and “htimS.nhoJ” are equally ineffective, as is “1491/7/ceD”, or any form of a date).
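The composition rules above written as a checker, added here as an example and not Purchase College or CTS code. The function names, the 3-key threshold for a "consecutive keys" run, and the US-QWERTY rows are assumptions; the advice on dictionary words, common names and dates is not checked.

```python
import string

MIN_LENGTH = 12   # "at least 12 keystrokes"
MIN_GROUPS = 3    # "at least 1 character from 3 of the four groups"
RUN_LENGTH = 3    # assumption: the shortest examples on the page ("ASD", "!@#") are 3 keys

# Sequences scanned for runs (assumed US-QWERTY layout): the keyboard rows,
# the shifted digit row, and the alphabet, which covers the "abcd" in the
# page's "1234abcd" example.
KEY_SEQUENCES = (
    "`1234567890-=",
    "~!@#$%^&*()_+",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
    string.ascii_lowercase,
)


def character_groups(password):
    """Return the set of policy character groups present in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            groups.add("uppercase")
        elif ch in string.ascii_lowercase:
            groups.add("lowercase")
        elif ch in string.digits:
            groups.add("numeral")
        elif not ch.isalnum() and not ch.isspace():
            # A space is allowed but "does not count as a special character".
            groups.add("special")
    return groups


def keyboard_runs(password, run_length=RUN_LENGTH):
    """Return the substrings of the password that follow one of KEY_SEQUENCES."""
    lowered = password.lower()
    found = []
    for i in range(len(lowered) - run_length + 1):
        window = lowered[i:i + run_length]
        if any(window in seq for seq in KEY_SEQUENCES):
            found.append(password[i:i + run_length])
    return found


def check_password(password, login):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} keystrokes")
    groups = character_groups(password)
    if len(groups) < MIN_GROUPS:
        problems.append(f"only {len(groups)} of 4 character groups used")
    runs = keyboard_runs(password)
    if runs:
        problems.append("consecutive keys: " + ", ".join(sorted(set(runs))))
    lowered, name = password.lower(), login.lower()
    # The login name is rejected forwards and reversed, compared case-insensitively.
    if name and (name in lowered or name[::-1] in lowered):
        problems.append("contains the login name or its reverse")
    return problems


if __name__ == "__main__":
    # Constructed login name; the passwords are the examples quoted in the policy text.
    for candidate in ("myD@wgl2eB&S", "John.Smith", "htimS.nhoJ", "1234abcd"):
        print(candidate, "->", check_password(candidate, "john.smith") or "passes")
```

A check like this belongs at the point where the password is set; it cannot tell whether a password has already been stolen or reused elsewhere.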
Data Policy
Individuals who are authorized to access sensitive or institutional data are prohibited from divulging that data to any other individual, unless that individual is also authorized to use the data. Individuals are only permitted to access data as authorized.
Game Playing Policy
Game playing is allowed on college computers as long as:
- It does not deteriorate system performance
- The computer is not needed for school work, research, or any other legitimate purpose
Hardware Policy
You may not move or take any hardware without explicit permission from the designated owner of that hardware.
You may not destroy or vandalize any hardware, cable, or service provided by the campus.
Denial of Service
You may not disable the network by means of any computer program.
You may not disable the network by rendering any equipment unusable.
Security Policy
You are responsible for the security of your account. Please read the policy on passwords. The following are symptoms of unauthorized trespass of your account. If you become aware of any of the following, please contact CTS at x6465.
- New or unexplained files found in your directory
- Changes in file lengths or dates
- Unexplained data modification or deletion
- Unable to login to your account
- Suspicious beeps, messages, or pictures
VIOLATION OF THESE POLICIES WILL LEAD TO SUSPENSION OR LOSS OF PRIVILEGE, AND MAY LEAD TO MORE SERIOUS PENALTIES
Purchase College Computer Replacement Cycle Policy - 2019
A computer that is able to run current versions of various software is an essential component of today’s learning, teaching, and working environment. To ensure that students, faculty and staff have access to the computers and services they need to fulfill their roles, the College has instituted a variety of policies and programs to ensure that computers are maintained and replaced on a regular basis.
Computer Labs:
The faculty Instructional Technology Advisory Committee (ITAC) is responsible for managing the replacement cycle for the ~75 computer labs around campus. Each year, approximately $350,000 in ITAC funding is provided to ensure that the academic computer labs are maintained and upgraded so that they meet the teaching needs of our academic programs.
Each spring ITAC issues a call for proposals to the faculty and academic divisions. Proposals for ITAC funding must be endorsed by the Department Chair, the academic unit Director, and the Dean. During the spring semester ITAC reviews and prioritizes the proposals it receives, making award decisions by the end of the spring semester so that upgrade/replacement implementation can occur over the summer.
Faculty/Staff in the College of Liberal Arts and Sciences and the School of the Arts:
Faculty Support and development are the responsibility of Academic Affairs. Every faculty and staff member in the College of Liberal Arts and Sciences (LAS) and the School of the Arts (SotA) should have a computer for communications with students and colleagues, for use with Brightspace, for research, and administrative tasks like advising and grading. Faculty and staff in LAS and SotA will be provided with one reasonably current desktop PC to ensure basic connectivity and access.
Each spring the Deans’ offices review Device Assignment and Tracking (DAT) information for their areas. DAT shows all computers, with out-of-warranty computers highlighted. Computers will be considered for replacement 5 years after their original purchase date.
The Deans may also invite proposals for non-standard PC upgrades from their faculty. The Deans assemble a list of upgrade requests, including any non-standard computers that they approve, which is sent to Academic Affairs for funding. CTS orders the computers and arranges their delivery to individual faculty members.
Faculty or Staff who are receiving a new computer must turn in the old computer to CTS for disposal and recycling.
Typical Computers:
New York State negotiates contracts with major computer vendors each year. The current contract holder for PCs is HP, which offers a standard desktop PC for $928, including a 5-year warranty.
Since the purpose of the college-owned computer is basic access, Apple computers will only be purchased with additional justification provided to the Dean.
Faculty/Staff in the Library and LSCE
The Director of the Library and the Director of LSCE will review Device Assignment and Tracking (DAT) information for their areas. DAT shows all computers, with out-of-warranty computers highlighted. The Directors may also invite proposals for non-standard PC upgrades from their faculty. The Directors assemble their upgrade requests, including any non-standard computers that they approve, and send them to Academic Affairs for funding.
Following administrative review and Academic Affairs funding allocation, CTS orders the computers and arranges their delivery to individual faculty members.
Faculty or Staff who are receiving a new computer must turn in the old computer to CTS for refurbishment and/or recycling.
Part-Time and Adjunct Faculty Replacement Computers:
Adjunct and part-time faculty computers remain the responsibility of the individual unit managers. Academic units should ensure that part-time and adjunct faculty also have access to appropriate computers.
There is no central funding pool for adjunct or part-time faculty computers. Individual unit managers should plan and budget for computers appropriate to their employees’ needs.
College Staff Replacement Computers:
Outside of LAS and SotA, college staff computers are the responsibility of their unit managers. Individual units should ensure that part-time and student staff have access to computers appropriate to their needs.
There is no central funding pool for staff computers. Individual unit managers should plan and budget for computers appropriate to their employees’ needs. Staff receiving a new computer must turn in their old computer to CTS for disposal and recycling.
The College will provide HP PCs by default. Faculty requests for Apple computers must be accompanied by written justification for the additional expense, endorsed by the chair/director, and sent to the Academic Dean’s office. Non-standard PCs will only be bought with the Dean’s approval.
Typical Software:
The College provides both Microsoft and Apple operating systems and licenses for Microsoft Office desktop productivity software (Word, Excel, PowerPoint, Outlook). In addition, the College provides concurrent licenses for Adobe Creative Cloud (Photoshop, Acrobat, Illustrator, Premiere, etc.), SPSS, and many others via our Sassafras license server. Any other software needed by an individual employee is the responsibility of their administrative unit.
Typical Computer Warranties:
HP, Dell and Apple computers purchased through Purchase College are typically purchased with a 3 to 5 year warranty covering hardware replacement and next-day on-site service.
While out-of-warranty computers may be functioning and still serve the user’s needs, these computers become a liability due to increasing cost in time and labor as they age.
Purchase College considers 5 years to be the useful lifespan for a computer and recommends replacing computers at the 5-year mark.
All Computers are College Property:
Whether purchased by the College, Research Foundation, or individual units, all computers and the software they contain remain College Property, and will be managed by CTS. In addition, appropriate use of these devices is governed under the NYS Cyber-security Policy, the Purchase College Computer Ethics Policy, the Purchase College Computer Privacy Policy, and the Purchase College Mobile Device Policy.
Computer Recycling:
Whether new computers are provided by the College or the unit, the computers being replaced will revert to CTS for disposal and recycling as computers are classified as hazardous waste due to the heavy metals they contain.
(Updated October 2019)
Purchase College is committed to protecting the privacy and confidentiality of information contained in the multiple databases and print files maintained by the college in the regular course of business. Personal information that is confidential in nature will be used only in accordance with the Purchase College Information Security Program, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA) regulations, and all applicable SUNY, state, and federal regulations.
Policy
Employees at Purchase College by nature of their positions will gain access to private personal information about students, faculty, staff, alumni, and other constituents of the college. Employees are obligated to maintain the confidentiality of any such private personal information that is encountered.
Purchase College expects all employees with access to personal information to deal with that information in a respectful and professional manner. As a matter of policy, the college restricts access to personal information to only those employees who have a legitimate “job-related reason” in the performance of their duties for gaining access. Access and release of any student educational records must be in accordance with FERPA regulations.
Access and release of any health records must be in accordance with HIPAA regulations. Any personal information viewed or accessed by an employee through college systems or records is not to be shared or released to others unless there is a legally permissible purpose for doing so. In addition, in accordance with Section 203-d of the New York Labor Law, Purchase College will not:
- Publicly post or display anyone’s Social Security number;
- Visibly print a Social Security number on an identification badge, including any time card;
- Place Social Security numbers in files with open access; or
- Communicate an employee’s personal “identifying information” to the general public.
Personal identifying information (PII) is defined by NYS as including an employee’s Social Security number, financial account number and PIN, or driver’s license number. Access to PII will be restricted to those with a demonstrable need for access.
Inappropriate disclosure of information pertaining to students, faculty, staff, and other college constituents may violate applicable law and is considered a violation of ethics and a breach of trust placed in employees by the college. Upon finding of a breach of this policy by an employee in a collective bargaining unit, the college may initiate disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.
Employees who deal with confidential material on a regular basis will be required to sign a confidentiality statement and to complete annual information security training. Each campus manager will determine employees required to have access to PII who must receive training and sign confidentiality statements.
Guidelines
Employee, student, financial, and medical information contained within Purchase College information systems (electronic and physical files) and external SUNY systems is considered confidential. Access to information made confidential by law or campus practice is limited to those individuals (employees, consultants, adjunct professors, third-party vendors, etc.) whose position legitimately requires use of this information.
The employees (Purchase College faculty, staff, student employees, and volunteers appointed by the college) understand that by virtue of their work for Purchase College they may have access to data that are confidential, and therefore understand they may not disclose such confidential data to any person or entity without appropriate authorization, subpoena, or court order.
Examples of confidential PII information include the following:
Social Security numbers (SSN)
Motorist identification number
Bank account numbers and PIN
In addition, FERPA regulations cover
Educational records
Information (including directory information) made confidential by written request.
In order to access confidential information, employees agree to adhere to the following guidelines:
Employees understand and acknowledge that improper or inappropriate use of data in the college’s information systems is a violation of college policy, and it may also constitute a violation of federal and/or state laws.
Employees will not provide confidential information to any individual or entity without proper authorization.
Employees will not access, use, copy or otherwise disseminate information or data that is not relevant and necessary to perform their specific job-related duties.
Employees will not remove confidential information from college facilities except as specifically authorized to do so.
Employees will not share their user ID and password with anyone.
Employees will not use the data for personal or commercial purposes.
Employees will refer all requests for educational records from law enforcement, governmental agencies, and other external entities to the vice president for student affairs for matters related to students and to the FOIL Officer for all other requests.
Employees will refer external requests for all college statistical, academic or administrative data to the Office of Institutional Research, Office of Human Resources, or those departments that have been authorized to respond to such requests.
Employees will not communicate any Purchase College employee’s personal identifying information to the general public.
Employees will report any unauthorized access to confidential data immediately to their supervisor and to the Chief Information Officer.
Employees understand that any improper or inappropriate use of data in the college’s information systems may result in disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.
Employees are not permitted to store Social Security numbers, credit card numbers, motorist/non-driver IDs or bank account numbers on individual staff computers, or portable media such as external hard drives, USB thumb drives, CDs, DVDs, tapes, etc. without express authorization from the Chief Information Officer. Storing any other confidential data on individual staff computers or any type of portable media is strongly discouraged.
Employees storing confidential data on college servers must on an operational basis remove files containing confidential data when no longer needed.
Employees who are uncertain about what constitutes legitimate use or release of information should always err on the side of confidentiality and refer their questions about the appropriateness of a request for personal information from college systems or records to their supervisor before releasing the information.
Procedures
Supervisors are required to review the Information Security Policy Regarding Confidential Information with each new employee assigned to their department. During the department orientation process, supervisors should provide each employee with a description of the type(s) of confidential information his or her specific position will work with in the performance of his or her duties.
Employees in areas of the college that deal with confidential material will be required to sign a confidentiality statement to be stored in the employee’s personnel file. Each vice president in conjunction with their managers will determine employees required to sign confidentiality statements.
Supervisors shall review the Information Security Policy Regarding Confidential Information on an annual basis and confirm in writing that each employee in the unit reviewed and understood the policy.
CTS Service Interaction Identification Policy
Policy:
To protect the identity and privacy of all members of the campus community, CTS employees will identify themselves and may request verification of identity for all persons at the start of any service interaction. CTS will provide support services to students, faculty and staff. For all others, assistance will be provided as appropriate.
All requests for student Directory Information or employee information will be redirected to the Office of the Registrar for students or Human Resources for employees.
A cybersecurity investigation is to be conducted only with the prior approval of the director of Campus Technology Services and senior campus executives. Each Security Investigation must be fully and completely documented. Nonemergency investigations must have approval of two senior college administrators (president or vice presidents).
Documentation of security investigations must include:
• Report of DMCA violation (nonemergency investigation)
• Other “due cause” documentation (emergency or nonemergency)
• Identification of security threat type
• Risk analysis – severity of threat and potential exposure
• Log files from threatened/compromised system
• Steps taken to contain threat
• Steps taken to contain possibility of exposure of sensitive materials or private information
• Steps necessary to prevent recurrence
The following policy pertains to all Security Investigations:
• In an emergency, the Privileged User conducting the investigation may view, copy, modify, or delete data placed on a computer or network by another user – and not normally shared – if and only if the Privileged User has documented probable cause that the contents of the data pose an immediate threat to the system or network. Examples of an immediate threat would include a “Root Kit” or other “Trojan Horse” back door, a worm or virus, or other materials or activities that pose a threat to the normal operation of college computer networks or systems.
• The Privileged User conducting the investigation may view, copy, modify, or delete data placed on a computer or network by another user if the Privileged User has documented that there is probable cause that the account is being used for illegal purposes (copyright violation, commerce, harassment, piracy or other crime) and has a completed Security Investigation Clearance Form.
• The Privileged User conducting the investigation may not erase or tamper with any system log file for any reason other than to archive the log file. If it is necessary to remove a log file from the system due to storage limitations, then the log file must be archived to tape for permanent storage. The archived records must provide an uninterrupted history of events on the system for auditing purposes. Exceptions must be approved in writing by the director of Campus Technology Services and IT security personnel.
The security and integrity of the college’s computer systems and data network is our collective responsibility. As we all increasingly rely on electronic forms of communication and electronic access to important information, we must ensure their reliability and protect our network against ever more sophisticated security threats.
College-Owned Devices:
The personal computers (PCs) and other devices used in offices and computer labs throughout the campus are purchased and owned by the college. This includes department or unit-funded devices, as well as Research Foundation or grant-funded devices.
All college-owned devices (servers, PCs, laptops, tablets, etc.) must be registered in the centralized CTS Workstation Database per the college’s Device Assignment Policy. When a device is transferred from one employee to another—for any reason—the device must be returned to CTS for refreshment and reassignment. Failure to register a device may result in denial of all network services for that device.
All college-owned devices must run a current and secure operating system. A current and secure operating system is one that is actively being supported and patched by its vendor (Microsoft, Apple, Linux).
All college-owned devices must be joined to the campus network domain, and must require the use of Active Directory login credentials to access the computer. Secure administrative access to college computers (admin rights) will be administered by CTS.
These machines must be part of the campus network; the software running on these machines must be legally purchased and approved by CTS before installation.
Personally Owned Devices:
Personally owned devices brought to campus will not be joined to the College Network Domain, will not use Active Directory credentials for logon access, and therefore will only be able to obtain public network access (services available to the world at large). Individual owners are solely responsible for the operation and security of their device.
Ports and Wiring Infrastructure:
The wired data ports and wireless networks throughout the college are purchased and owned by the college, and are operated and managed by Campus Technology Services (CTS). No connections to college ports are allowed without prior written approval from CTS.
CTS is responsible for the management and administration of all data and telecommunication networking ports, components, and infrastructure serving the campus. No network modifications of any type, including minor renovations, will be permitted without written advance approval from CTS.
Contractors working on any part of the college’s data and telecommunication infrastructure must have prior written approval from CTS, and work must be coordinated and monitored by CTS.
Any wiring, ports, or devices that are not approved will be disabled, removed, or seized as they present an unwarranted security risk.
Servers
All college servers will be operated by CTS or their designated agents (vendor or proprietary systems). Servers will only be run on appropriate hardware. CTS and CTS alone will act as system administrators to manage the server operating system and network environment. At their discretion, CTS may grant “application administrator” rights to configure and manage specific software applications on a server to appropriately trained individuals outside of CTS.
Any servers found to be in violation will be disabled, removed, or seized as they present an unwarranted security risk.
Other Network Devices
No network devices (data port switches, routers, Wi-Fi, storage systems, etc.) may be installed by anyone other than CTS. Installation of any network device must be approved in advance by CTS.
Any devices found to be in violation will be disabled, removed, or seized as they present an unwarranted security risk.
The security and integrity of the college’s computer systems and data network is our collective responsibility. As we increasingly rely on electronic communication and access to information, we must ensure its security and protect our network against ever more sophisticated threats. A single weak machine that is not adequately patched and maintained can wreak havoc with the college’s network, interfering with administrative operations, and disrupting access for thousands of people on campus.
Desktop Computer Access: The PCs in offices and computer labs throughout the campus are purchased and owned by the college. The college’s standard operating systems, Windows 7 and Windows 10, and Apple OSX, contain security features that require you to log on before you can use the computer. All software running on college-owned machines must be legally purchased and approved before installation.
All college employees receive “user” accounts that allow them to run all software on the machines. User-level accounts do not allow you to modify system settings or install software. Secure administrative access to XP and OSX workstations is restricted to CTS staff and selected divisional technology support personnel.
The college is using Windows and domain-wide Group Policy settings to centrally manage security patches and settings for Windows machines and for anti-virus software. For Windows machines and for anti-virus software, the college runs a local Windows update server; Apple OSX machines are set to retrieve updates directly from Apple. It is imperative that the college ensures that security patches are applied and that anti-virus profiles are up to date.
Restricting changes to desktop computers also greatly simplifies college-wide management of its technology infrastructure and support services. CTS support personnel make use of Remote Desktop or VNC to connect to your computer in real time when you call for support, and are on duty Monday through Thursday 8am-7:45pm, and Fridays 8am-4:45pm.
Laptop Computer Access
All college employees receive “user” access to their College laptop. Administrative rights are restricted by NYS and SUNY cyber security policies, and by industry best practices. All audits ask about administrative access, and it influences our skyrocketing cyber insurance premiums. Any programs or software will be installed by CTS via remote assistance or prior to pickup of a new machine. CTS cannot install illegal copies of software, nor adjust settings for security patches and remote access. You are expected to refrain from adjusting any settings that you do not fully understand, from allowing anyone other than yourself access to your credentials, and from letting anyone else use your laptop while you are logged on.
Please call the CTS Helpdesk at (914) 251-6465 if you have questions or need assistance.
Purpose
This policy covers assignment and tracking of college-owned computers and devices commonly assigned to college employees: desktop computers, laptops, tablets, and mobile devices.
The Device Assignment and Tracking (DAT) form is available online.
What’s covered by this document?
This document is applicable to all College staff, faculty, or administrators who are using college-owned computing devices issued or loaned to them by a College department. All College-owned computing devices are governed by this policy, including systems made available as primary workstations, assigned within a departmental office, or purchased through grant dollars for specific projects.
All college-owned computers, systems, and mobile devices are covered by the Purchase College Privacy Policy which provides protection for individual privacy appropriate for an academic environment. See also the Purchase College Mobile Device Policy for additional guidelines and procedures covering mobile devices.
Acquisition
For Staff: Administrative units provide their staff with computers, laptops, and mobile devices as necessary.
Administrative units must order computing devices in collaboration with CTS to ensure the devices are registered on the college domain, tracked in the college database, loaded with college software, and are compatible with college systems.
For Faculty: Academic Affairs provides faculty computers, laptops and mobile devices for all faculty as necessary.
Academic units must order computing devices in collaboration with CTS to ensure the devices are registered on the college domain, tracked in the college database, loaded with college software, and are compatible with college systems.
Each year, CTS produces a report for Academic Affairs showing all full-time faculty computers as recorded in the Workstation Database.
The CTS report shows all faculty computers (desktops and laptops), with “replace” recommendations where an individual’s only workstation is outdated or out of warranty, or where all of that individual’s computers are outdated or out of warranty. Replacements are for a like device (desktops replaced with desktops).
A report is issued to the Provost with an overall cost estimate based on a current quotation for machines included in the “replace” recommendations. Academic Affairs edits the recommendations.
Academic Affairs may solicit input from Chairs/Directors regarding pending personnel changes and/or the appropriateness of each “replace” recommendation.
Chairs/Directors may get feedback from faculty within their unit.
Academic Affairs returns a final “replace” recommendation containing the names and types of devices (Mac or PC, desktop or laptop) to CTS for ordering.
Inventory and Property Control
Administrative and Academic units are responsible for tracking computers assigned to the individuals within their unit in their Property Control inventory.
CTS applies Property Control stickers to devices as part of “preparation for use.”
CTS sends Property Control sticker #, device and purchase information to both the Internal Control Officer; Academic Affairs, and to the unit.
Property Control audits are the responsibility of administrative and academic units.
Preparation for use:
Upon delivery, computing devices must be sent to CTS for preparation.
CTS prepares the devices - joining them to the domain and loading College software.
CTS will affix the appropriate Property Control sticker(s) to the device.
CTS prepares the electronic “Device Assignment Form” and sends the form to the individual’s supervisor for their digital signature.
CTS notifies each employee when their device is ready for delivery or pickup.
Employees may ONLY take delivery of their device (or pick it up) with a completed Device Assignment Form.
- The Device Assignment and Tracking (DAT) form is available online.
Upon delivery/pickup of a new device, the device being replaced must be returned to CTS. Data can be transferred to the new device during the handoff.
Administrative access is provided for all mobile device holders, allowing them to access the mobile device when it is not connected to the college network (offsite), change settings, install software, apply updates, etc.
College credentials (CTS) will exist on all College-owned devices to enable CTS staff to provide support and maintenance services as needed.
Transfer of Devices
Devices that are being re-assigned to another individual must be returned to CTS. Devices are refreshed, and a new electronic Device Assignment Form is prepared.
Devices may NOT be handed off to others without being returned to CTS first.
Upon departure from College service, all computing devices MUST be returned to CTS for reassignment and/or disposal.
All data is wiped from computing devices prior to re-assignment or disposal.
Liability/Reporting Loss
Departments should not loan college-owned devices to students, student organizations, or other outside parties. CTS maintains a loan pool of equipment for this type of use, and requests should be referred to CTS.
In case of theft or loss, the employee must file a report with the University Police.
Report a theft immediately to:
The appropriate local law enforcement authority and Purchase University Police
CTS (Helpdesk 914.251.6465) as soon as the theft has been noticed. Please provide CTS with a copy of the police report.
Failure to comply with this policy may result in disciplinary and/or legal action.
Purchase College / State University of New York
As a community of artists, writers, musicians, filmmakers, and scholars whose careers will be spent creating intellectual property, we encourage our entire community to respect the property of others. Downloading anything onto your machine from untrustworthy P2P (peer-to-peer) sources or websites not only exposes you to viruses, worms, and spyware, but often violates the copyright laws and can lead to suspension of network privileges, or to lawsuits from the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), or the Business Software Alliance (BSA). Please remember that theft is a crime, and that nothing in cyberspace is truly anonymous.
Copyright protections are created when words are put on paper, transmitted via email, when music is recorded, software is written, or when an image is created. Once done, the work is protected by copyright—no formal copyright registration or seal is required for copyright protection to be in effect. If someone else wants to use the work, they must get permission from its creator.
Copyrighted material includes almost all forms of original expression fixed in tangible medium even if no formal copyright notice is filed or attached. However, you cannot copyright any idea, process, system, method of operation, concept or principle, regardless of the form in which it is described.
Copyright infringement is any reproduction (download), display, distribution (upload), creation of derivative works, or public performance of copyrighted work without permission of the copyright owner.
Federal copyright law and college policy prohibit the copying and/or distribution of copyrighted material without the permission of the copyright owner. Copyrighted materials include but are not limited to text, graphics, art, photographs, music, film, and software.
Peer-to-peer (P2P) software such as BitTorrent that is often used to share music, movies and other media may lead to violation of copyright laws. Most P2P software automatically shares anything that you download by default—so if you downloaded the latest Hollywood blockbuster to watch it, you would also be helping to distribute an illegal copy to others by sharing the contents of your machine with the world.
If you use any P2P software for legitimate purposes, as a security precaution, you should disable its file sharing component. There is an IU website with details on disabling file-sharing for most P2P software.
Digital Millennium Copyright Act (DMCA)
Here is A Review of the DMCA.
Here is An overview of the DMCA Act.
To report alleged copyright infringements on Purchase College computers, please contact the college’s designated DMCA agent:
Bill Junor
Director of Campus Technology Services
Purchase College, SUNY
735 Anderson Hill Rd.
Purchase, NY 10577
Tel. 914.251.6461
Fax 914.251.6476
Purchase College DMCA Notification Policy / Procedure for DMCA Infringement Reports - September 2008
Pursuant to the provisions of the Digital Millennium Copyright Act, Purchase College receives DMCA Copyright Infringement Notices alleging that computer(s) registered to Purchase College IP addresses are illegally infringing on copyrighted materials belonging to others. Infringement of copyright is a violation of Federal law, and the violator is subject to both substantial fines and civil damages.
Under the DMCA, as an Internet Service Provider (ISP), the college is obligated to expeditiously remove or disable the allegedly infringing material and notify the subscriber of its actions in what is referred to as “notice and take down procedure.” The Purchase College DMCA infringement procedure is as follows:
RIAA, MPAA and various agents report alleged copyright infringements to the college’s named DMCA agent, CTS.
CTS identifies the computer, the room, and the owner of the computer, and records the DMCA case number, name, and other information in a DMCA incident report ticket.
CTS places the computer in question into a restricted network.
The computer owner’s name is forwarded to the vice president for student affairs and to the Office of Community Standards in the form of a DMCA Violation Letter that includes the specific information contained in the Violation Notice received by the college.
Student Affairs refers the student to the Office of Community Standards for possible disciplinary action.
VP Student Affairs or the Office of Community Standards will notify CTS if/when the individual’s computer should be removed from the restricted network once the Office of Community Standards has completed its process.
The college also recommends that all students take the University of Texas Copyright Crash Course or their Copyright Tutorial, or take other appropriate steps to further their understanding of copyright infringement.
Counter Notice
Under the DMCA, the college is obligated to inform you of certain requirements of that Act. You have the right under the Act to send a counter notice that you are not in violation or that the violation has ceased. That notice must be in the form required by the Act, and you are advised to seek legal counsel at your expense for appropriate advice on the form of any counter-notice. The specific statutory language is as follows: (17 USC 512(g)(3)): Contents of Counter-Notification: To be effective under this subsection, a counter notification must be a written communication provided to the service provider’s designated agent that includes substantially the following:
(A) A physical or electronic signature of the subscriber.
(B) Identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access to it was disabled.
(C) A statement under penalty of perjury that the subscriber has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material to be removed or disabled.
(D) The subscriber’s name, address, and telephone number, and a statement that the subscriber consents to the jurisdiction of Federal District Court for the judicial district in which the address is located, or if the subscriber’s address is outside of the United States, for any judicial district in which the service provider may be found, and that the subscriber will accept service of process from the person who provided notification under subsection (c)(1)(C) or an agent of such person.
The above is provided for your information only, not as advice, nor is it an attempt at stating the law or your responsibility. You should review the entire Act with your attorney.
College Computer Network Users: if you lose access due to an alleged violation
If you receive an official notice from the college of an alleged copyright violation and have had your network access restricted, please contact the Office of Student Affairs to find out how you can have your network access restored:
Office of the Vice President
for Student Affairs
Student Services 316L
Purchase College
735 Anderson Hill Rd.
Purchase, NY 10577-1400
(914) 251-6030
Fax: (914) 251-6034
Email
Overview
A domain name is an identification string consisting of a series of alphanumeric “words” separated by “dots.” A “human‐friendly” domain name that is typically typed into a browser is translated to a numeric IP address for routing traffic between servers on the internet. Examples of domain names include “purchase.edu” and “google.com.” Domain names are defined and translated through the Domain Name System (DNS).
Domain names have multiple levels. For example, purchase.edu is a second‐level name, while brightspace.purchase.edu is a third‐level name. Domain names are resolved to an IP address, like 199.79.168.97.
Campus Technology Services (CTS) is solely responsible for administering and maintaining DNS records and DNS name assignments for the purchase.edu domain obtained through Educause.
Custom Name Requests
A school, conservatory, or department outside of CTS may request a third-level name (example.purchase.edu) for an application, site, or server if it is hosted with and administered by CTS. All name creation requests require the approval of the head of the requesting unit. CTS management is responsible for final approval. Requested names should be unambiguous and clearly identify the content of the site. For example, humanresources.purchase.edu would clearly identify a site for the Office of Human Resources, but pink.purchase.edu would not. Custom names are not permitted for applications, sites, or servers that are not managed by or hosted by CTS.
Redirects to External Services
If a third-level domain name cannot be granted (i.e., an external service), a local redirect may be provided at the discretion of CTS. For example, http://www.purchase.edu/ExternalResourceName could be used to promote a college-affiliated service that exists on an external server—and that link can redirect traffic to the external service.
Purchase College Electronic and Information Technology Accessibility Policy and Procedures
(last updated July 31, 2019)
Policy
Purchase College - State University of New York (PC) is committed to ensuring that people with disabilities have an opportunity equal to that of their nondisabled peers to participate in the College’s programs, benefits, and services, including those delivered through electronic and information technology.
This Electronic and Information Technology Accessibility (EITA) policy covers all electronic information used to promote and deliver the college’s programs and services. The policy applies to procurement, development, implementation, training, and ongoing maintenance of all online or electronic materials.
Benchmarks
All online and electronic information used to promote and deliver the college’s programs and services must be in compliance with federal and state laws. The accessibility of online materials and functionality will be measured according to the current ratified versions of W3C’s Web Content Accessibility Guidelines (WCAG) Level AA and the Web Accessibility Initiative Accessible Rich Internet Applications Suite (WAI-ARIA) for web content, which are incorporated by reference.
Ensuring equal and effective electronic and information technology access is the responsibility of all College administrators, faculty, and staff.
Procedures
The purpose of these procedures is to provide processes by which College administrators, faculty, and staff will create, obtain, and maintain all electronic and information technology (EIT) in a manner that ensures that EIT is accessible to individuals with disabilities.
This policy and procedure applies to the following areas:
- Web Accessibility
- Instructional Materials Accessibility
- Document Accessibility
- Electronic Media Accessibility
- Software, Hardware, and Systems Accessibility
- Procurement
Definitions
“Accessible” means that individuals with disabilities are able to independently acquire the same information, engage in the same interactions, and enjoy the same services within the same timeframe as individuals without disabilities with substantially equivalent ease of use.
“Disability” is defined by the ADA as a physical or mental impairment that substantially limits one or more major life activities.
“Electronic and information technology” or “EIT” includes information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information. The term “electronic and information technology” includes, but is not limited to:
- The internet and intranet websites,
- Content delivered in digital form,
- Content management systems,
- Electronic books and electronic book reading systems,
- Financial management systems,
- Databases,
- Learning management systems,
- Classroom technology and multimedia,
- Classroom equipment such as podiums, control systems, computers, etc.
Electronic and information technology also includes any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, creation, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This term includes telecommunication products (such as telephones), information kiosks, Automated Teller Machines (ATMs) transaction machines, access control systems, security systems, computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
“Equally effective” means that the alternative format or medium communicates the same information in as timely a fashion as does the original format or medium.
Within the Purchase College governance structure, the Accessibility Committee (AC) is charged with improving awareness of and compliance with accessibility requirements, providing training to the campus community, managing Barrier Reports used by the campus community to report accessibility issues, and assisting in developing policies and procedures to improve the College’s accessibility posture. The Accessibility Committee is chaired by the College’s Chief Diversity Officer, and includes representatives from Campus Technology Services (CTS), Office of Disability Resources (ODR), the Library, and others.
1. Web Accessibility
- Scope
These procedures apply to all Purchase College - State University of New York (PC) web pages and programs used to conduct PC business and activities including web resources used in courses.
- Standards
All web pages, websites and web-based software published, hosted or used (including remotely hosted sites and software) by the College will meet the standards and guidelines outlined in the Web Content Accessibility Guidelines (WCAG) published by the W3C. All materials will meet Level AA guidelines with limited exceptions allowed where technology does not permit. All College websites will link to the College’s main Accessibility page which includes a statement of commitment to Web accessibility.
- Responsibility
All Administrative Departments and Academic Programs:
- Will comply with the accessibility standards when creating content, web sites, and application programs or services.
- Will ensure that online activities are hosted in accessible environments and that online content follows standards outlined by this policy.
Campus Technology Services and Communications and Creative Services:
- Will ensure that the CMS and other web production or web object creation software will itself be accessible and will produce accessible Web pages.
- Will coordinate instruction and support for campus community members creating online content so that all individuals who author web content will do so in accordance with required standards.
- Will ensure that support is available for faculty and staff creating accessible content.
Campus Accessibility Committee:
- Will compile and maintain data to track compliance with the policy and procedures and make recommendations to the campus ADA Compliance Officer for addressing problems.
- Implementation
- These procedures will ensure that all new or modified content and services are accessible and meet the WCAG Level AA standard.
- Upon a specific request for access by an individual with a disability, the College will update legacy documents to be in compliance with the WCAG Level AA standard or the College will otherwise make the content available to the individual in a timely manner and in an equally effective accessible format.
2. Instructional Materials Accessibility
- Scope
These procedures apply to all electronic instructional materials (syllabi, textbooks, presentations, handouts, etc.). This includes electronic instructional materials delivered within the College’s learning management system, in face-to-face classes, or in an alternate fashion (email, blogs, etc.) and electronic instructional activities (online collaborative writing, web conferencing, etc.). If the curriculum includes student production of shared media or documents, students should be encouraged to follow these same standards.
- Standards
All electronic instructional materials, optional and required, will be accessible and as effective and useable for persons with disabilities as they are for persons without disabilities. Instructional materials and activities will be made available to all students at the same time.
All instructional materials should meet all applicable standards (see 1.2) and guidelines outlined in this policy.
- Responsibility
All Academic and Administrative Departments and Programs:
- Will ensure that instructional materials comply with all requirements outlined in this policy.
- Will ensure that all resources provided for student use will have assistive technologies not limited to but including accessible computer stations, screen reading software, and screen magnification.
Faculty and instructional staff:
- Will create and present accessible courses and instructional material including but not limited to: documents that meet WCAG standards, images with alternative text, media with appropriate captioning, presentations with alternative text for embedded images, etc.
- Reading systems and software that are used for textbook delivery should meet the “Accessibility Screening Methodology Guidelines and Checklist.”
Teaching, Learning, and Technology Center:
- Will provide instruction and support for campus community members creating accessible online courses and online instructional content.
- Will facilitate hosting of online activities in an accessible learning management system and related hosted systems that are accessible.
- Will ensure that third party plug-ins or add-ons for learning management systems are accessible.
Library:
- Will perform regularly scheduled “accessibility scans” on library collections, including, but not limited to, e-journals, databases, and e-books to ensure that library materials meet accessibility standards. This will include 3rd party vendors of programs and platforms for information to house and deliver these collections. For internal systems, software and/or resources accessibility scans will be conducted within a reasonable and responsive timeframe, prioritized by the educational activities of the college and the academic calendar. For third party and external vendor systems accessibility scans will be conducted as outlined in their contract.
- Will report to vendors and the Accessibility Subcommittee of the DEIC any issues discovered that impact accessibility of the collections or platforms on which collections reside.
Campus Technology Services:
- Will ensure that all applications developed on campus are accessible and meet the WCAG AA level, WAI-ARIA and ATAG standards.
- Will ensure that computer labs have assistive technologies including, but not limited to, accessible workstations, screen reading software, and screen magnification.
- Will collaborate with Capital Facilities Planning to develop classrooms providing accessible electronic and information technology.
- Will support distributed campus units needing assistance with accessibility in departmentally supported technology classrooms.
- Will publish - within existing lists of equipment and software - the accessibility programs, services, and features for each smart classroom and computer lab.
- Will work with the Office of Disability Resources as a clearing house for information about assistive technology and modifications recommended for departmental computer labs.
Capital Facilities Planning / Office of Disability Resources
- Will collaborate with Campus Technology Services, Facilities Maintenance, and other campus offices to ensure that all new and renovated campus spaces use accessible electronic and information technology.
Campus Accessibility Committee:
- Will compile and maintain data to track compliance with the policy and procedures and make recommendations to the ADA Compliance Officer for addressing issues as they arise.
3. Document Accessibility
- Scope
These procedures apply to all College-produced and maintained or distributed electronic documents. Electronic documents include, but are not limited to word processing documents, PDFs, presentations, publications, and spreadsheets which are scanned, uploaded, posted, or otherwise published or distributed electronically. Legacy documents must be updated and made accessible as needed or when reused.
- Standards
Electronic documents must be accessible. Electronic interaction with College policies, procedures, notifications, and other documents must be accessible and as effective and useable for persons with disabilities as they are for persons without disabilities.
Electronic documents must meet the standards and guidelines outlined in the Guidance on Applying WCAG to Non-Web Information and Communications Technologies, published by the W3C as the Working Draft 13 December 2012.
- Responsibility
All departments and programs and all College employees:
- Will follow the accessibility requirements outlined in this policy when creating and using electronic documents.
Library / TLTC:
- The Library will implement procedures for ensuring that documents digitized or hosted by the Library for research purposes are accessible to individuals with disabilities.
- The Library and TLTC will provide training and support for production of accessible instructional materials.
Campus Technology Services / Office of Disability Resources / Communications and Creative Services:
- Will provide accessible document instruction and support for campus community members.
- Implementation Summary
- All new documents (including but not limited to PDF, Word, Excel and PowerPoint files) will be accessible.
- Legacy documents must be updated and remediated as they are used.
4. Electronic Media Accessibility
- Scope
All media resources used in College programs and activities must be accessible. For example, this includes, but is not limited to: instructional, directional/informational, and promotional media.
- Standards
Media resources will be closed captioned and audio-described and audio resources will be transcribed. Transcripts may be provided as an alternative accommodation for media resources that the College does not have rights to caption.
- Responsibility
All departments, programs, instructors, and employees:
- Will use only captioned versions of audiovisual media whenever possible. Will ensure that all other media that will be used on the web or in instruction is accurately captioned or transcribed.
- Will update any non-transcribed audio and any non-captioned/non-described video that is in current use whenever possible.
- Will produce or use only communications and promotional materials that are captioned, audio-described or transcribed.
- Will produce live-streamed events that are captioned, audio-described or transcribed.
Library:
- Will collect transcribed audio and captioned video resources that are available for faculty, staff, and student use.
- Will (upon request) assist patrons in identifying materials that are captioned whenever available.
Teaching, Learning, and Technology Center:
- Will incorporate captioning and media accessibility information into any relevant training.
- Will maintain and continue to provide instructions on media accessibility (such as captioning and audio-describing media and transcribing audio).
Campus Technology Services and Production Services:
- Will incorporate information about accessibility into training on equipment.
- Will incorporate captioning and media accessibility information into any relevant training.
- Will produce live-streamed events that are captioned, audio-described, or transcribed.
Communications and Creative Services:
- Will ensure that internal and external electronic promotion of college programs, services and events makes use of accessible channels and materials.
- Will incorporate information about accessibility into all training, such as website content management or customer relation management systems.
Campus Accessibility Committee:
- Will advocate for campus-wide captioning and transcribing solutions that:
- Provide assistance with obtaining permission to caption and audio-describe.
- Disseminate information to the College community about college protocols related to accessible electronic media including a list of approved vendors to perform captioning.
- Implementation Summary
- All media (professionally or internally produced) used in courses and shared on campus websites or media storage sites will be captioned or transcribed according to recommended Described and Captioned Media Program (DCMP) standards.
- For publicly facing archives, which contain too many items to remediate at once:
  - A note about accessibility must be provided:
    Accessibility of Archived Materials: Purchase College is working to ensure that all materials stored in college archives are fully accessible. If you encounter materials that you are interested in using that are not accessible please write us a note using the “Report Accessibility Barriers” form. Please be sure to name and list the materials you are interested in, and we will prioritize conversion of those items for you, taking into account the timing of your need for the instructional materials. You will be notified when your requested archive files are converted and your request is completed.
  - Items will be prioritized for remediation based on frequency of use.
  - A form will be offered to prioritize captioning upon request.
5. Software, Hardware, and Systems Accessibility
- Scope
All software, hardware, and systems used or acquired by the college must be accessible and compatible with assistive technology. Examples include, but are not limited to:
- learning management systems,
- content management systems,
- library systems,
- email systems,
- kiosk information systems,
- administrative systems including but not limited to recruiting, student information systems, finance, and human resources, procurement, advancement, tutoring, career development, etc.
Software includes:
- 3rd party software that is hosted or on premise,
- Internally developed software and systems,
- freeware,
- shareware,
- desktop,
- enterprise,
- plug-ins,
- add-ons,
- mobile apps.
Software accessed through a web browser must also be accessible and is discussed under section 1 of these procedures.
- Standards
Purchase College will use the following standards to determine accessibility:
US Access Board’s Guide 508 Standards - Software Applications and Operating Systems
- Responsibilities
All Departments and Units:
- Will ensure that any software, hardware, services, or local interfaces and modifications that they procure or provide are accessible.
Campus Technology Services:
- Will ensure that assistive technologies are immediately available to the campus community working in campus labs or on publicly-accessed campus computers.
- Will install assistive technologies in a timely manner for campus employees including student employees.
- Will develop applications (web, desktop, etc.) that are accessible and meet WCAG, WAI-ARIA, and ATAG standards (extrapolated as needed for non-web environments).
Instructional Technology Advisory Committee (ITAC):
- Will consider accessibility when weighing proposals for funding to ensure accessibility where appropriate as per this policy.
- Will assist in communicating accessibility standards and requirements to ensure that existing and new instructional technology services and facilities are accessible.
Campus Accessibility Committee
- Will develop and coordinate campus “best practices” for ensuring campus software, hardware and software systems are accessible.
6. Procurement
- Scope
This process applies to all College purchases of Electronic and Information Technology (EIT) software, hardware and services.
- Standards
Purchase orders and contracts for software, services, and hardware will include the following clause:
“Vendor acknowledges New York State Information Technology Policy: Accessibility of Web-Based Information and Applications (NYS-P08-005), and acknowledges that equipment and software being provided enable equal and effective access to all individuals in accordance with federal and state laws and regulations, including, but not limited to W3C’s Web Content Accessibility Guidelines (WCAG) Level AA and the Web Accessibility Initiative Accessible Rich Internet Applications Suite (WAI-ARIA) for web content, the Americans with Disabilities Act of 1990 (ADA), Section 504 of the Rehabilitation Act of 1973, and Section 508 of the 1973 Rehabilitation Act.”
- Responsibility
All Departments, units and college employees:
- Must purchase or otherwise acquire accessible EIT, in accordance with these procedures, whenever possible.
- Procurement recommendations that are vetted through ITAC should include information on accessibility compliance.
Governance of Administrative Systems and Processes:
- The Governance of Administrative Systems and Processes (GASP) committee that provides oversight and coordination for administrative systems will serve as a resource for guiding purchases of accessible administrative systems, services, and hardware.
- GASP will institute procedures to ensure that all new and modified systems are evaluated to ensure that they meet accessibility requirements.
Library:
- Will institute procedures to ensure that EITs purchased for research support are evaluated for accessibility requirements.
Purchase College Association (Auxiliary Services):
- Will institute procedures to ensure that all electronic technology systems and services purchased are evaluated and meet accessibility requirements.
Purchasing Department:
- Will provide written justification for all provisional-use waivers that are granted.
- Will share all provisional-use waivers with the Accessibility Subcommittee for posting on the accessibility website to invite public comment through the barrier report form.
- Will forward requests for exceptions and provisional-use waivers to the College ADA Compliance Officer for public comment and will include the written comments from all parties in a written recommendation to the President for consideration on requests for exceptions and provisional-use waivers.
7. Adoption
The Purchase College Electronic Information Accessibility Policy and Procedures becomes effective immediately upon the signature of the College President below.
Purchase College email is the “official communication channel” for Purchase College. All faculty and staff email addresses published on our public-facing website are their official purchase.edu addresses.
When faculty and staff are hired, their legal name is used for the HR appointment transaction. Completed hiring transactions are fed into the Banner system overnight, and an account is automatically created based upon the name used for the HR transaction.
For full-time matriculated students, the legal name provided on their application is used as the basis for the account name. For CE students, the name provided on their registration form is used as the basis of the account name.
The automated account provisioning process will first try to use the full First.Last legal name to create the account – but there are several conditions that may impact that:
- If the derived First.Last account name is already in use,
  - the system will try appending the Middle Initial and a dash ahead of Last name, or
  - the system will try appending a sequence number and a dash ahead of Last name (if Middle Initial is missing, or already taken).
- If the name is too long, the system will use the first character of the first name + complete last name.
  - the system will try appending the Middle Initial and a dash ahead of Last name, or
  - the system will try appending a sequence number and a dash ahead of Last name (if Middle Initial is missing, or already taken).
Other conditions that impact account name assignment: grandfathered account names from the 90’s - which are phased out as employees retire.
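The naming rules above, together with this policy's statement that account names are never reused, can be modeled as follows. This is an added example, not Purchase College's provisioning code; the 20-character limit, the `first.m-last` and `first.2-last` formats, the cap on sequence numbers, and all function and class names are assumptions.

```python
"""Added illustration of the account-name rules in this policy (not the College's code)."""
import re

MAX_LEN = 20   # assumption: the policy does not state the actual length limit
MAX_SEQ = 99   # assumption: upper bound on sequence numbers tried


def _norm(part):
    """Lower-case and keep ASCII letters only, so "O'Neil" and "oneil" collide."""
    return re.sub(r"[^a-z]", "", (part or "").lower())


def candidates(first, middle, last, max_len=MAX_LEN):
    """Yield candidate names in the order the policy describes."""
    first, mi, last = _norm(first), _norm(middle)[:1], _norm(last)
    if not first or not last:
        raise ValueError("first and last name are required")
    # "Too long" rule: fall back to first initial + complete last name.
    stem = first if len(f"{first}.{last}") <= max_len else first[0]
    yield f"{stem}.{last}"
    if mi:
        yield f"{stem}.{mi}-{last}"        # middle initial and a dash ahead of last name
    for n in range(2, MAX_SEQ + 1):
        yield f"{stem}.{n}-{last}"         # sequence number and a dash ahead of last name


class AccountRegistry:
    """Tracks every name ever issued; retired names stay reserved."""

    def __init__(self, max_len=MAX_LEN):
        self.max_len = max_len
        self.reserved = {}                 # name -> "active" | "retired" | "applicant"

    def provision(self, first, middle, last, applicant=False):
        for name in candidates(first, middle, last, self.max_len):
            if len(name) <= self.max_len and name not in self.reserved:
                self.reserved[name] = "applicant" if applicant else "active"
                return name
        # Surfacing the failure matters: silently truncating or reusing a name
        # would hand one person's identifier (and mail) to another.
        raise RuntimeError("no free account name within the naming rules")

    def enroll(self, name):
        if self.reserved.get(name) != "applicant":
            raise KeyError(name)
        self.reserved[name] = "active"

    def retire(self, name):
        """Departure disables the account, but the name is never released."""
        if self.reserved.get(name) != "active":
            raise KeyError(name)
        self.reserved[name] = "retired"

    def purge_applicant(self, name):
        """Only exception in the policy: accepted applicants who never enroll."""
        if self.reserved.get(name) != "applicant":
            raise PermissionError("only never-enrolled applicant names can be recovered")
        del self.reserved[name]


def demo():
    """Constructed sample people; returns the names issued, in order."""
    reg = AccountRegistry()
    issued = [reg.provision("Ernie", "Q", "Employee")]
    reg.retire(issued[0])                                   # retired, still reserved
    issued.append(reg.provision("Ernie", "T", "Employee"))  # falls to middle initial
    issued.append(reg.provision("Ernie", "T", "Employee"))  # falls to sequence number
    issued.append(reg.provision("Ernie", None, "Employee"))
    issued.append(reg.provision("Maximilian", "", "Featherstonehaugh"))  # too long
    return issued


if __name__ == "__main__":
    print(demo())
```

Under the assumed 20-character limit, a second person whose abbreviated name is already 19 characters long cannot be given any variant, so `provision` raises instead of issuing an out-of-policy name.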
Faculty and Staff Account Names
The account naming process is fully automated. HR paperwork must be completed using your actual legal name. An automated process generates your account name from that legal name.
The chosen name policy for employees allows for the email/account name to be changed completely.
The procedure is:
- Employee (or HR) updates their chosen name in the Employee Data Sheet in HRETS.
- HR approves.
- 24 hours to sync to Banner.
- Employee (or HR) requests account name change via CTS work order. Normal email naming conventions apply but “olivia.coleman” is available.
- Account/email name change completed within 1 week (usually sooner).
For faculty and staff wishing to change their account name, please file a CTS Work Order.
Your account name is used for everything from email to Banner to Brightspace to SUNY Time and Attendance systems.
Changing Account Names:
We do accommodate any actual legal name change
If there is a legal name change, we change the account name.
We do accommodate bad data fixes (typos, misspellings, etc.)
With the Registrar’s approval, we accommodate transitioning individuals with account name changes in advance of the legal name change
Aliases:
In cases of a legal name change (marriage, etc.) upon request we will establish a temporary forwarding alias from the old account name to the new for a period of 90 days to allow previous contacts to acclimate to the new account name.
Other than legal name changes, we cannot entertain any permanent aliases for a variety of reasons. Aliases multiply the namespaces occupied by one individual, and exponentially complicate management of our email system.
Earnest.Employee (legal name) may prefer to be called Ernie.Employee – but when another person arrives with an actual legal name “Ernie.Employee” – the account creation process fails.
Allowing aliases also invites abuse – some would like to have an alias of “Little.Kitty@purchase.edu” that would clearly not be appropriate, and CTS cannot adjudicate what is and isn’t appropriate.
Rare exceptions to the “no aliases” rule are possible – but must be kept to a minimum (there are only 2 aliases in use today.)
HRETS makes no accommodation for “professional/preferred name” so – automation is not possible at this time.
Within Banner, the Registrar’s office can accommodate Professional/Preferred names for Faculty, but these only affect how the Faculty’s name will appear within myHeliotrope (SSB).
Professional name would also have the same constraints as legal name – it may be in use already; too long, etc. Professional/Preferred name occupies an additional account namespace (legal name is still the account name, alias is a second name)
Account names exist in perpetuity, so any name that is used – ever - is gone - forever. This applies to anyone who becomes a student or an employee. (The only exception is for Accepted applicant accounts – which are purged completely and the namespace recovered if they never actually enroll.)
Use of Off-Site Email for Official Business is prohibited
College accounts are for College business – personal accounts are for personal business. Our policies and recommendations cannot contradict or even muddy that basic distinction.
A faculty member using their @purchase.edu address is clearly identifying themselves as a member of the College community on official business. In contrast, Floaty@aol.com is likely to end up ignored and deleted.
Blanket forwarding of email to off-site accounts is disabled. Email often may contain personal, private, and sensitive information about students or about college operations. Blanket forwarding puts official records outside of Purchase College, and is legally problematic.
Email Forwarding Policy
Longstanding Enrollment Services policy identifies College email as the “official communication channel.” No blanket forwarding of College email to off-campus accounts is permitted for faculty and staff.
A faculty member using their @purchase.edu address is clearly identifying themselves as a member of the College community on official business. In contrast, Floater@aol.com sounds like poo in the pool, and is likely to end up ignored and deleted (that is/was an actual faculty member’s off-site email address.)
All faculty email addresses published on our public-facing website are their official purchase.edu addresses.
We all have off-site addresses, but we don’t publish those, and we should all be using our official college accounts for official business.
In the course of investigating an incident we discovered someone who set up automatic forwarding of all messages to an external account. That is dangerous since email (despite all our warnings) sometimes contains personal, private, and sensitive information about students or about college operations. Blanket forwarding also puts official records beyond the reach of legal discovery in the event of an HR investigation.
College accounts are for College business – personal accounts are for personal business. Our policies and recommendations cannot contradict or even muddy that basic distinction.
Once the automatic forwarding was identified, we looked to see how many people had set up forwarding rules. Out of 1,000 employees, only 39 individuals were identified as having automatic forwarding. Out of those 39 people, only 25 are faculty – and almost all of those are Adjuncts.
Each of the 39 was individually notified in mid-July that the forwarding rule would be disabled. Email messages can still be individually forwarded as necessary – only automatic blanket forwarding was disabled.
Primary and Required Official Channel
Email is the College’s primary means of communication between students, faculty, and staff. Messages regarding course information, important deadlines, missing documents and official correspondence are sent to your Purchase email account.
All faculty, staff, and students are required to use the Purchase College email system when conducting College business. The College expects that official email communications will be received and read in a timely fashion.
Do Not Forward
It is important that messages sent to your official Purchase email account are delivered to the intended recipient. It is important that official and sensitive College communications remain secure, and therefore Purchase College does not support automatic forwarding or redirection of email messages to external email accounts.
Storing Important and Sensitive materials
Important and sensitive materials should not be kept in your email account. With fragmented discussions and out‐of‐band replies, Email makes a terrible filing cabinet. If you send or receive important or sensitive materials via Email, save those materials in a secure location (Departmental file share or your Home Directory) and delete them from your Email.
Think of your Email account like the mailbox bolted to the front of your house – you would never think of storing anything sensitive or important there – it serves as a drop‐off location only, and you empty it regularly.
Email Retention
Per the Purchase College Email Retention Policy, Email messages are automatically purged at the end of our 3‐year retention period.
Legal Discovery
All College records are subject to legal discovery. If a particular email message has been flagged for legal hold preservation, that message is automatically exempted from the 3‐year retention purge.
In accordance with SUNY and NYS record retention policies, Purchase College email systems will automatically retain messages for three years on active email servers. After three years, email messages will be automatically purged from the system. This automatic deletion policy applies to messages within all folders (inbox, sent, draft file folders, etc.) on Purchase College email servers.
In addition, Purchase College email systems are also configured to purge items in the “Deleted Items” folder after 90 days. Items in the “Deleted Items” folder are messages that were marked for deletion by the recipient.
All Purchase College email system users are expected to:
- Regularly check for new messages;
- Move messages with lasting value to dedicated storage on departmental/office networked file system; and to
- Delete transitory messages as quickly as possible.
I. Policy
The policy provides Purchase College with an email management policy that brings us into compliance with legal and regulatory requirements, and improves the College’s operational efficiency and effectiveness. This email retention policy applies to:
1. All Purchase College email systems
2. All users and account holders of Purchase College email accounts
3. All email sent or received using Purchase College email systems
Transitory Messages
These email messages are normally created for purposes of routine communication or information exchange, and as such, they are not considered official College records. These messages should be considered transitory messages that do not have lasting value (defined below) and should be:
1. Read and promptly deleted; or
2. Read and retained on the active server for no longer than the default retention period (defined below) or until their usefulness has ended (whichever occurs first), and then promptly deleted; or
3. Read and moved off the active server when job requirements necessitate retention for periods longer than the default retention period, and then promptly deleted when their usefulness has ended.
Examples of transitory messages:
- Announcements, notices about meetings or events, etc.
- Internal requests for information
- An inquiry about department course offerings or scheduling issues
Lasting Value Messages
Email is not a record retention or document management system, so messages with lasting value:
1. Should be moved to dedicated storage on departmental/office networked file systems; and
2. Should not be stored exclusively within individual users’ email folders/files.
These email messages exhibit one or more of the following characteristics that imply lasting value:
Have operational value (required by a department to perform its primary function)
- Administrative actions taken or planned
- Assignment of work or tasks to employees
- Distribution of reports or recommendations
- Distribution of policies, procedures, guidelines, rubrics, or templates
Have legal or evidentiary value (required to be kept by law or of value in prosecution of a claim)
- Falls within a litigation hold or internal investigation (see “Litigation Holds” below)
Have fiscal value (related to the financial transactions of the campus)
- Required for financial reporting and audits
Have historical significance (of long term value to document past events)
- Relating to an exceptional and/or significant event
Contain vital information critical to maintaining operational continuity after a disruption or disaster
Vital records or information may fall into any one of the above value categories
Examples of Lasting Value messages:
Announcement of or change to college or departmental policy
A message assigning an employee to perform a task
Responsibility for Retention of Messages with Lasting Value
Only the departments responsible for retention of specific types of records need to store and control the disposition of that information. For example,
1. If a department issues a policy change announcement via broadcast email, then that department is responsible for retaining that record (and not every recipient);
2. If a department manager was cc’d on a message that Purchasing used to send an electronic copy of a Purchase Order to a vendor, then the department manager does not need to retain a copy of the Purchase Order record; the Purchasing Office is responsible for retention of all purchasing records.
II. Purpose
Electronic mail (email) messages enable us to communicate internally with the Purchase College community and externally with prospective students, applicants, prospective employees, alumni, vendors, and colleagues across the world. The 2006 amendment to the Federal Rules of Civil Procedure addressing the discovery of electronically stored information requires institutions to establish email retention policies. New York State also has specific Records Retention Policies. This Purchase College Email Retention Policy establishes the default retention period for email stored on college email servers. This policy also identifies roles and responsibilities for litigation holds with respect to materials stored on college email servers.
III. Scope
Under normal circumstances, official records (policy documents, personnel records, financial transactions, etc.) will exist outside of the college’s email messaging system, and are retained in those source locations rather than in email messaging systems. For this reason, email messages are not normally considered “official records.” While official records are often transmitted through email messaging systems, copies of those official records must be retained by the office which originated the records.
The responsibility for determining whether a specific message has lasting value falls to the holder of the message. Senders and recipients should not retain messages any longer than necessary for their respective job purposes. When that need no longer exists, the messages should be destroyed.
For messages that the holder determines are of lasting value, the holder should store those messages outside of the messaging system – to a file folder in a personal home directory or a departmental file share. Messages can be moved to a file folder by drag-and-drop (to preserve message header information).
Questions about the proper classification (transitory or lasting value) of a specific message, record, or piece of information should be directed to the employee’s unit head, manager, or department chair.
New York State Records Retention Policy ‐ Default Retention Periods:
New York State Records Retention Policy states that normal business materials should be retained for three business cycles (three years), and financial records should be retained for seven business cycles (seven years). At the end of that retention period, the records should be destroyed.
Backup Files
Backup copies of Purchase College email system files are kept for six months. These backups are for system restoration and disaster recovery purposes, and are not designed to or intended to facilitate retrieval of deleted messages.
Litigation Holds
While email may be considered transitory or of lasting value, the contents of email are subject to discovery when a litigation hold is issued. When litigation against the college or its employees is pending or reasonably expected, the college may receive a litigation hold notice from SUNY legal counsel instructing us to preserve all documents and records relevant to the matter being litigated.
A litigation hold directive overrides this email retention policy, as well as any record retention schedules that may have otherwise called for the transfer, disposal or destruction of relevant documents, until the hold has been cleared.
Email and account contents of separated employees that have been placed on litigation hold status must be maintained by the Campus Technology Services (CTS) until the hold is released.
No employee who has received a litigation hold notice may alter or delete an electronic record that falls within the scope of that notice. A litigation hold may also cover access to electronic records that the subject has downloaded, saved, or moved to other storage accounts or devices.
IV. ROLES & RESPONSIBILITIES
Campus Technology Services (CTS) will:
- Establish and publish standards for email account administration, storage allocations, and automatic archiving of messages (that must be retained for periods longer than the default retention period) to users’ local computer folders/files
- Provide facilities and instructions for moving messages with lasting value to dedicated storage on departmental/office networked file systems
- Manage technical implementations of litigation holds that are issued by SUNY counsel
- Suspend automatic deletion processes as necessary to preserve specific electronic messages, records and information that fall within the scope of the litigation hold, and that reside on active servers.
Department heads and unit managers are responsible for reviewing records retention policies and providing guidance to staff and faculty within their respective units. The guidance provided must be in accordance with this policy.
Originators of electronic messages, records, and information that have lasting value are responsible for:
- Appropriately identifying and retaining such records in accordance with this policy and
- Seeking assistance from management when unsure about how to categorize specific messages.
College employees who have been notified by management of a litigation hold are responsible for preserving all messages, records, and information that fall within the scope of the hold that they have downloaded and/or stored locally, and must provide copies of all records related to the litigation hold to HR.
Human Resources (HR) will:
Moderate review of records that may be relevant to HR investigation or litigation hold requests
Act as custodian for records that are deemed relevant to HR investigation or litigation hold requests
V. Related Information:
See:
SUNY Record Retention Schedule
Introduction
As an academic institution, Purchase College recognizes that it is absolutely
critical that faculty, staff, and other college employees have confidence that
their privacy will be respected and protected when they are using college
computing resources.
This policy describes the Purchase College privacy practices regarding
information collected by faculty, staff, or other college employees, including
temporary appointees, on college-owned workstations and servers.
This policy covers the college email accounts that are assigned to employees
(faculty and staff), personal “home directories” that are created for individual faculty and staff members, and the contents of college-owned desktop and laptop computers that may be assigned to individual employees.
This policy specifically does not cover information stored in departmental file shares on a server—even if that departmental file share contains a subfolder that may be in the individual’s name. Departmental file shares are specifically set up to be used to store shared documents, and unit supervisors have access to all materials stored in a departmental file share.
Supervisors should note that departmental file shares are the preferred
storage method for official college-related business. Employees should be
strongly discouraged from storing official college-related business (memos,
reports, policies, spreadsheets, or official correspondence) in any place other than a departmental file share.
College Email, Personal Home Directories, and Desktop or Laptop Disk Drives
The entire contents of each individual’s email account, personal home directory, and desktop or laptop disk drive(s) are considered private.
No other college employees will access or view the contents of these for any
reason without specific written approval from a minimum of two of the
following:
• President
• Vice president or equivalent college officer (CFO, COO)
• SUNY legal counsel
• Chief of University Police
Specific written approval should be in the form of a completed Security
Investigation Clearance Form (Security Investigation Clearance Form.doc). In emergency circumstances, specific written authorization may be provided via email, but is still required as stated above.
Supervisors seeking access to departed employee materials must obtain
approval as noted above—the individual’s right to privacy does not expire on
their last workday.
Contact Information
For questions regarding this Internet privacy policy, please contact:
Contact Bill Junor Via email
Via regular mail:
Bill Junor
Director of Campus Technology Services
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
CTS loan policies and procedures are enforced to ensure the security of equipment and the equal opportunity for usage by all students.
CTS maintains a pool of equipment available to students, faculty and staff, by request through the CTS Work Order System.
We do our best to accommodate all requests - including the last-minute ones. Equipment should be reserved in advance to increase the likelihood of availability. Equipment is primarily reserved for academic purposes, and priority is given to students over faculty and staff. Equipment is reserved in the order in which it is received, but special circumstances may be accommodated. Equipment may be borrowed over breaks, but permission from the instructor through the work order system or by email is needed for students to borrow equipment between semesters.
Most equipment can be borrowed at any time for a period of one week. Requests for longer than one week will be assessed on a case-by-case basis and will be granted or denied based on academic need, student demand, and availability of the requested items. The “Comments” section of the work request should briefly give the reason for the loan request, as priority will be given to requests for academic purposes.
Reserved equipment can be picked up and returned at the CTS Helpdesk (Social Sciences Room 0025) anytime during our normal business hours.
Those unable to pick up requested equipment by the specified date should notify CTS by phone or through the work order system. CTS will hold the equipment an extra day upon request, but then the equipment will be returned to the loan pool, and a new request must be submitted.
CTS may decline or cancel requests for a variety of reasons, including misuse, damage, loss, or late return, or for other reasons at the discretion of CTS.
The borrower assumes full responsibility for the equipment. Students who do not return the equipment on time or who return it damaged (at the discretion of CTS) may have the full dollar amount of the item charged to their student account. Equipment not returned on time will be marked as late and may (again at the discretion of CTS) incur charges daily starting at $1 a day per item up to $5 a day per item. The amount of the late fee is determined by the value and popularity of the item. The final charge will be calculated on the day the late equipment is returned. For lost or broken equipment, the borrower will be charged the full replacement or repair cost of the items in question.
CTS will inspect equipment before pick up and upon return. The individual borrowing the equipment should check the equipment and report any missing and/or damaged pieces before leaving CTS with the equipment. Also, if any equipment is damaged or broken while out, it should be reported to CTS upon return. Equipment should be checked for presence of equipment reserved and general condition of equipment.
All electronic communications for equipment requests from CTS are done through the CTS Work Order System and will appear in the requestor’s Purchase email account Inbox from “Purchase College Work Order System” with the subject line “CTS Work Order Status Report”.
Individuals are advised not to give equipment to others while it is signed out to them.
All equipment must be returned in the same condition in which it was loaned out.
Under the provost’s faculty computer replacement cycle, full-time faculty will receive a new computer approximately every five years. Computers for part-time faculty are the responsibility of the individual academic unit managers, but they should also receive a new computer approximately every five years.
Computers for college staff are the responsibility of the individual unit.
New computers will be imaged, joined to the domain, and loaded with college-provided software, including:
- The current operating system (Windows or Mac OS)
- Antivirus software (Windows/Essentials/Defender or Mac/X-Protect/Clam)
- Office productivity suite: word processor, spreadsheet, Powerpoint, etc. (MS-Office)
- Adobe products (Creative Suite and/or Acrobat)
- Other
When new computers are provided by the college or the unit, the old out-of-warranty computers must revert to CTS for disposal and recycle. (Computers are classified as hazardous waste due to the lead, mercury, and heavy metals they contain.)
Warranties
Prior to July 2008, Dell and Apple computers purchased through Purchase College were purchased with a three-year warranty covering hardware replacement, all peripherals, and on-site service. As of June 2010, we are purchasing computers with a five-year warranty through Hewlett Packard or Dell. Since July 2008, all Dell and HP computers purchased through the college carry a five-year warranty. Apple computers will carry a three-year warranty. In accordance with the state contract with Dell and HP, the warranty is included in the price of the computer. If you are purchasing an Apple, you should add (at extra expense) the AppleCare warranty.
Replacing Computers at the End of Their Service Warranties
When out of warranty, computers may be functioning and still serve the user’s needs, but these computers often become a liability and cost the college a great deal of money in time and labor. When hardware problems arise with out-of-warranty computers (and experience tells us they will), and they are no longer under contract to be serviced by Dell, HP, or Apple, they take an inordinate amount of time and effort to repair. Even worse, it is only a matter of time before a hard drive failure causes the loss of important data that may be next to impossible to replace. CTS technicians often are left with no choice but to put an enormous amount of time and effort to recover data and fix computers that are out of warranty and that should have been replaced. In many cases, the cost in personnel time keeping old hardware running exceeds the cost of a new computer.
When CTS is unable to recover important data, an outside agency may be required in a final attempt at recovering the lost data. The cost to the machine’s owner can be thousands of dollars. Out-of-warranty, slow computers are often brought to CTS for troubleshooting because the departments to which they belong are reluctant to spend money to purchase a new computer if they can get a little more time out of their old and obsolete computers. This contributes to inefficient use of college resources. The cost in time and labor almost always exceeds the amount of money the department saves by delaying the purchase of a new computer. Inevitably, the old computers still do not function as well as the owners hope, and more calls are again placed to CTS for service.
While we understand each department’s desire to save money by holding onto a computer that is still running, we would like to make you aware that your decision to keep your old computer comes with a steep price and yields less than adequate results. CTS may decline to provide service in cases where the computer is out of warranty and we determine that providing the necessary service is inadvisable. In addition, the “old computer” problem is often compounded by cascading upgrades —we are asked to give the old computer to so-and-so, and so-and-so’s old computer goes somewhere else—multiplying the workload.
Many people who were using a computer beyond the three-year replacement cycle will suddenly find themselves with a computer that will no longer work because it does not meet the minimum specifications to run the latest Windows operating system.
It is strongly advised that all departments replace computers at the end of their service warranty. Once a new computer is delivered, it will replace the out of warranty computer which will then be brought back to CTS for disposal and recycle.
How to Order a New Computer or Replace an Old One
Please submit a work request through The CTS Work Order System for the type of computer you wish to purchase and CTS will get back to you with options.
Students:
Students are granted Purchase College Credentials upon Admission to the college, or upon registration for a course as an LSCE student, summer camp participant, or other non-application-based programs. An active email box is granted along with student credentials (UserID and Password).
Use of Student Credentials:
Students must use this account to interact with college systems – class DL’s, Brightspace assignments, etc. All official communications from the college to students will be sent to the college email account.
Persistence of Student Credentials:
Student email accounts persist for 18 months after their last course/activity registration. However, Student credentials persist forever – their email mailbox is eliminated 18 months after their last registration, but their UserID and Password remain active so that they can request transcripts, register for additional classes, etc.
If a student whose email mailbox has been retired registers for another class, a new (and empty) mailbox will be created and associated with their existing credentials (UserID and password.) This is a manual process.
Extended Access to College Systems for students:
If a student requests continued access to college systems beyond the 18-month grace period following their last registration, an academic department/BOS can create a P-Dash volunteer transaction for the student.
Parents/Guardians:
Students may choose to grant parent/guardian credentials with specific privileges through the Banner Self-Service Proxy function. Parent Guardian credentials are created within the Banner database (no more sub-domain.) No Purchase College email is created for parent/guardian accounts – P/G accounts are associated with an external email where notifications are sent.
Use of Parent/Guardian Credentials:
Parents/Guardians must use this account to interact with college systems. Students typically grant P/G access to pay their Purchase College bills, view grades, and view schedules – all of which are available through the self-service Banner menu.
Persistence of Parent/Guardian Credentials:
Students grant P/G credentials, and can renew their access as necessary while the Student credential remains valid.
Faculty and Staff Credentials:
All faculty and staff are granted Purchase College Credentials and a campus email mailbox upon their appointment to a position at the college. This group includes all full and part-time faculty and staff, adjunct faculty, and all other persons appointed via PAF in the HRETS system.
Use of Faculty and Staff Credentials:
Faculty and staff use their Purchase College credentials to interact with Purchase College and SUNY systems. Faculty and staff must use their Purchase College email account for conducting all official college business. Faculty and staff are discouraged from using their Purchase College email account for personal business.
Persistence of Faculty and Staff Credentials:
Faculty and Staff credentials persist through their last day of service to the college*. The last day of service is considered to be the “End of Service” date specified on a terminal PAF. For Adjunct or Temporary Service PAF’s, the end-of-service date is the ending date for that Temporary Service appointment, unless the originating PAF TS appointment includes an “extend email privileges until” date. (* A 60-day grace period is applied for employee accounts.)
Extended Access to College Systems for Faculty and Staff:
There is a process for requesting extended account privileges beyond the last day of college service, with executive approval. In cases where a faculty or staff member is a former student, on their last day of service, their group membership will be updated to reflect an alumni only role, and their mailbox will be disabled – but their credentials will remain - as they would for any student.
Volunteers, Contractors, Vendors, Guests, and other “Affiliated” Community Members:
Upon sponsorship of their role at the college using the HRETS Person Data Sheet (P-Dash), persons in this category are granted College Credentials and an email mailbox.
Campus supervisors use the P-Dash form to sponsor persons to a specific role at the college for a specific period of time. Persons in this category may be active in multiple and even simultaneous sponsored roles at the College, but will receive one active credential.
Use of Affiliate Credentials:
Persons in the affiliated category use their Purchase College credentials to interact with college and SUNY systems. Persons in the affiliated category must use their Purchase College email account for conducting official College business, and are discouraged from using the account for personal business.
Persistence of Affiliate Credentials:
For persons in the affiliate category who are provisioned via the P-Dash form, credentials persist through their last day of service to the college. The last day of service is the end-of-service date listed on their P-Dash form. Note that there is no automatic grace period as there is for regular college employees. However, the affiliate – and their sponsoring supervisor – will receive notification of the pending expiration of the P-Dash account 30 days before its ending date, and again at 20 days and 10 days.
Extended Access to College Systems for Affiliates:
There is no process for requesting extended account privileges beyond the last day of college service for affiliate credentials. However, a sponsoring office can choose to re-appoint the affiliate using another P-Dash transaction for an additional period of time. In cases where an affiliate is a former student, their group membership will be updated to reflect an alumni only role, and their mailbox will be disabled – but their credentials will remain - as they would for any student.
This policy describes the Information Privacy and Accessibility Policies in use on the College’s Web Site.
Accessibility
The Purchase College website is designed to comply with web accessibility guidelines. You can adjust the site in a number of ways to fit your needs. We aim to create an environment that enables anyone to participate fully in the mainstream of college life. The website is built according to WCAG (Web Content Accessibility Guidelines issued by the World Wide Web Consortium).
Customize the Site to Fit Your Needs
To make the Purchase College website easier to read and navigate, you can change the display settings, such as:
Text size
Color and contrast
Screen magnification
Style sheets
The BBC website “My Web My Way” offers a useful guide to adjusting these and other features in your specific operating system and browser.
Information Privacy
This website is designed to make it easier and more efficient for individuals and businesses to interact with Purchase College. Purchase College recognizes that it is critical for individuals and businesses to be confident that their privacy is protected when they visit the Purchase College website.
Consistent with the provisions of the Internet Security and Privacy Act, the Freedom of Information Law, and the Personal Privacy Protection Law, this policy describes the Purchase College privacy practices regarding information collected from users of this website. This policy describes what information is collected and how that information is used.
For purposes of this policy, “personal information” means any information concerning a natural person, which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person. Purchase College does not collect any personal information about you unless you provide that information voluntarily by sending an email, responding to a survey, or completing an online transaction.
Information Collected Automatically When You Visit this Website
When visiting this website, Purchase College automatically collects and stores the following information about your visit:
User client hostname. The hostname or Internet Protocol address of the user requesting access to a Purchase College website.
HTTP header, “user agent.” The user agent information includes the type of browser, its version, and the operating system on which the browser is running.
HTTP header, “referrer.” The referrer specifies the Web page from which the user accessed the current Web page.
System date. The date and time of the user’s request.
Full request. The exact request the user made.
The status code the server returned to the user.
Content length. The content length, in bytes, of any document sent to the user.
The request method used.
Universal Resource Identifier (URI). The location of a resource on the server.
Query string of the URI. Anything after the question mark in a URI.
The transport protocol and the version used.
None of the foregoing information is deemed to constitute personal information. The information that is collected automatically is used to improve this website’s content and to help the Purchase College understand how users are interacting with the website. This information is collected for statistical analysis, to determine what information is of most and least interest to our users, and to improve the utility of the material available on the website. The information is not collected for commercial marketing purposes, and Purchase College is not authorized to sell or otherwise disclose the information collected from the website for commercial marketing purposes. As a campus of the State University of New York, Purchase College does report application information to SUNY, and that information may include information collected through the Purchase College website.
Cookies
Cookies are simple text files stored on your web browser to provide a means of distinguishing among users of this website. The use of cookies is a standard practice among Internet websites.
To better serve you, we may use “session cookies” to enhance or customize your visit to this website. Session cookies can be created automatically on the device you use to access the Purchase College website; they do not contain personal information and do not compromise your privacy or security. We may use the cookie feature to store a randomly generated identifying tag on the device you use to access this website. A session cookie is erased during operation of your browser or when your browser is closed.
If you wish, you may complete a registration to personalize this website and permit a “persistent cookie” to be stored on your computer’s hard drive. This persistent cookie will allow the website to recognize you when you visit again and tailor the information presented to you based on your needs and interests. The Purchase College website uses persistent cookies only with your permission.
The software and hardware you use to access the website allows you to refuse new cookies or delete existing cookies. Refusing or deleting these cookies may limit your ability to take advantage of some features of this website.
Information Collected When You Email This Website or Complete a Transaction
During your visit to this website, you may send an email to Purchase College. Your email address and the contents of your message will be collected. The information collected is not limited to text characters and may include audio, video, and graphic information formats included in the message. Your email address and the information included in your message will be used to respond to you, to address issues you identify, to improve this website, or to forward your message to another state agency for appropriate action. Your email address is not collected for commercial purposes and Purchase College is not authorized to sell or otherwise disclose your email address for commercial purposes.
During your visit to this website, you may complete a transaction such as a survey, registration, or order form. The information, including personal information, volunteered by you in completing the transaction is used by the Purchase College to operate Purchase College programs, which include the provision of goods, services, and information. The information collected by Purchase College may be disclosed by Purchase College for those purposes that may be reasonably ascertained from the nature and terms of the transaction in which the information was submitted.
Purchase College does not knowingly collect personal information from children or create profiles of children through this website. Users are cautioned, however, that the collection of personal information submitted in an email will be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access. The Agency strongly encourages parents and teachers to be involved in children’s Internet activities and to provide guidance whenever children are asked to provide personal information online.
Information and Choice
As noted above, Purchase College does not collect any personal information about you unless you provide that information voluntarily by sending an email, responding to a survey, or completing an online form. You may choose not to send us an email, respond to a survey, or complete an online form. While your choice not to participate in these activities may limit your ability to receive specific services or products through this website, it will not normally have an impact on your ability to take advantage of other features of the website, including browsing or downloading information.
Disclosure of Information Collected Through This Website
The collection of information through this website and the disclosure of that information are subject to the provisions of the Internet Security and Privacy Act. Purchase College will only collect personal information through this website or disclose personal information collected through this website if the user has consented to the collection or disclosure of such personal information. The voluntary disclosure of personal information to Purchase College by the user, whether solicited or unsolicited, constitutes consent to the collection and disclosure of the information by Purchase College for the purposes for which the user disclosed the information to Purchase College, as was reasonably ascertainable from the nature and terms of the disclosure.
However, Purchase College may collect or disclose personal information without consent if the collection or disclosure is: (1) necessary to perform the statutory duties of the Purchase College, or necessary for Purchase College to operate a program authorized by law, or authorized by state or federal statute or regulation; (2) made pursuant to a court order or by law; (3) for the purpose of validating the identity of the user; or (4) of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.
Further, the disclosure of information, including personal information, collected through this website is subject to the provisions of the Freedom of Information Law and the Personal Privacy Protection Law.
Purchase College may disclose personal information to federal or state law enforcement authorities to enforce its rights against unauthorized access or attempted unauthorized access to Purchase College’s information technology assets.
Retention of Information Collected Through this Website
The information collected through this website is retained by Purchase College in accordance with the records retention and disposition requirements of the New York State Arts & Cultural Affairs Law. See here for Information on the requirements of the Arts & Cultural Affairs Law. In general, the Internet services logs of Purchase College, comprising electronic files or automated logs created to monitor access and use of services provided through this website, are retained for one week and then destroyed. Information, including personal information, that you submit in an email or when you complete a survey, registration form, or order form is retained in accordance with the records retention and disposition schedule established for the records of the program unit to which you submitted the information. Information concerning these records retention and disposition schedules may be obtained through the Internet privacy policy contact listed in this policy.
Access to and Correction of Personal Information Collected Through This Website
Any user may submit a request to the Purchase College privacy compliance officer to determine whether personal information pertaining to that user has been collected through this website. Any such request shall be made in writing and must be accompanied by reasonable proof of identity of the user. Reasonable proof of identity may include verification of a signature, inclusion of an identifier generally known only to the user, or similar appropriate identification. The address of the privacy compliance officer is:
Bill Junor
Campus Technology Services
Purchase College, SUNY
735 Anderson Hill Rd.
Purchase, NY 10577
bill.junor@purchase.edu
The privacy compliance officer shall, within five (5) business days of the receipt of a proper request, provide access to the personal information; deny access in writing, explaining the reasons therefor; or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not be more than thirty (30) days from the date of the acknowledgment.
In the event that Purchase College has collected personal information pertaining to a user through the website and that information is to be provided to the user pursuant to the user’s request, the privacy compliance officer shall inform the user of his or her right to request that the personal information be amended or corrected under the procedures set forth in section 95 of the Public Officers Law.
Confidentiality and Integrity of Personal Information Collected Through This Website
Purchase College is strongly committed to protecting personal information collected through this website against unauthorized access, use or disclosure. Consequently, Purchase College limits employee access to personal information collected through this website to only those employees who need access to the information in the performance of their official duties. Employees who have access to this information follow appropriate procedures in connection with any disclosures of personal information.
In addition, Purchase College has implemented procedures to safeguard the integrity of its information technology assets, including, but not limited to, authentication, monitoring, auditing, and encryption. These security procedures have been integrated into the design, implementation, and day-to-day operations of this website as part of our continuing commitment to the security of electronic content as well as the electronic transmission of information.
For website security purposes and to maintain the availability of the website for all users, the Agency may employ software to monitor traffic to identify unauthorized attempts to upload or change information or otherwise damage this website.
Disclaimer
The information provided in this privacy policy should not be construed as giving business, legal, or other advice, or warranting as fail proof, the security of information provided through this website.
External Internet Site Disclaimer
The Purchase College website may contain hyperlinks to other World Wide Web/Internet sites. These linked sites are created and maintained by other public and/or private organizations, and are in no way connected to, under the control of, or associated with Purchase College. Purchase College neither endorses nor maintains these linked sites, and is therefore not responsible in any way for any content, advertising, products, services, or information on or available from them. Because Purchase College has no control over linked sites’ content, it makes no guarantees, and accepts no liability, regarding it, including, but not limited to, its availability, accuracy, currency, content, quality, or lack of objectionable or offensive content. This disclaimer also applies to any other websites that those sites may link to.
External linked websites are not provided as a benefit to the linked party. Inclusion of the linked websites does not imply or constitute an endorsement or promotion by SUNY or Purchase College of any persons or organizations sponsoring the displayed websites.
If you decide to visit any linked site, you do so at your own risk and it is your responsibility to take all protective measures to guard against viruses or other destructive elements inherent on the internet.
Feedback
We continuously make improvements and enhancements to our accessibility features. Please let us know of any problems you may have encountered, or of any features that you have found particularly useful.
You can contact the Helpdesk at:
(914) 251-6465
For questions regarding this policy, please contact:
Bill Junor
Director of Campus Technology Services
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
Bill Junor Email
Purpose
The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Purchase College without proper authorization.
The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing). All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect confidential information. The impact of these guidelines on daily activity should be minimal. Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the College’s Information Security Officer (ISO).
Scope
All Purchase College information is categorized into two main classifications:
- Public Information
- Confidential Information
Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any adverse consequences. As a public institution, the College publishes a wide range of information including enrollment statistics, strategic planning information, operational procedures, etc. As an educational institution, the College seeks open communication and participation from its community of students, faculty and employees, and the public we serve.
Confidential information contains all other information, and is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Confidential information should be protected closely, and includes various types of information:
All personally identifiable information on students, employees, or other individuals;
College information of a sensitive nature (vendor evaluations and selection processes; contingency plans; confidential meeting minutes, etc.) and other information integral to the success of the College should be considered “confidential” within common sense guidelines. This information is intended for use by College employees only, and for official business only. Following the principle of academic freedom and open communication, this information may be shared within the college community, but it should not be publicly available.
Also included in confidential information is other information that is less critical, such as telephone directories, general information, personnel information, enrollment strategies, targets, and statistics etc., which does not require as stringent a degree of protection. Inquiries regarding this information from outside the College should be directed to supervisors.
Another subset of confidential information is “Third Party Confidential” information. This is confidential information belonging or pertaining to another entity which has been entrusted to Purchase College by that company under non-disclosure agreements and other contracts. Examples of this type of information include vendor lists, customer lists, and supplier information. Information in this category ranges from extremely sensitive to relatively open, and again, common sense should apply, with referrals to supervisors if there is any doubt.
In all cases, Purchase College personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor.
Policy
The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as information in each category may necessitate more or less stringent protection depending upon the circumstances and the nature of the confidential information in question.
Minimal Sensitivity: General College information; some personnel and technical information
Marking guidelines for information in hardcopy or electronic form: Marking is at the discretion of the owner or custodian of the information. If marking is desired, “Confidential” may be written or designated in a conspicuous place on or in the information in question. Even if no marking is present, College information is presumed to be “Confidential” unless expressly determined to be Public information by a Purchase College employee with authority to do so.
Access: Purchase College employees, contractors, people with a business need to know.
Distribution within Purchase College: Standard interoffice mail, College electronic mail and electronic file transmission methods.
Distribution outside of Purchase College internal mail: U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.
Electronic distribution: No restrictions except that it be sent to only approved recipients.
Storage: Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.
Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.
More Sensitive: Business, financial, technical, and most personnel information
Marking guidelines for information in hardcopy or electronic form: As the sensitivity level of the information increases, you may, in addition to or instead of marking the information “Confidential” or “Proprietary”, wish to label the information “Purchase College Internal Use Only” or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.
Access: Purchase College employees and non-employees with signed non-disclosure agreements who have a business need to know.
Distribution within Purchase College: Standard interoffice mail, College electronic mail and electronic file transmission methods.
Distribution outside of Purchase College internal mail: Sent via U.S. mail or approved private carriers.
Electronic distribution: No restrictions to approved recipients within Purchase College, but should be encrypted or sent via a private link to approved recipients outside of Purchase College premises.
Storage: Individual access controls are highly recommended for electronic information.
Disposal/Destruction: In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.
Most Sensitive: marketing, operational, personnel, financial, source code, & technical information integral to the success of the College
Marking guidelines for information in hardcopy or electronic form: To indicate that Purchase College Confidential information is very sensitive, you may label the information “Purchase College Internal: Registered and Restricted”, “Purchase College Eyes Only”, “Purchase College Confidential” or similar labels at the discretion of your individual business unit or department. Once again, this type of confidential information need not be marked, but users should be aware that this information is very sensitive and should be protected as such.
Access: Only those individuals (Purchase College employees and non-employees) designated with approved access or non-disclosure agreements.
Distribution within Purchase College: Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods.
Distribution outside of Purchase College internal mail: Delivered direct; signature required; approved private carriers.
Electronic distribution: No restrictions to approved recipients within Purchase College, but it is highly recommended that all information be strongly encrypted.
Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored in a physically secured computer.
Disposal/Destruction: Strongly Encouraged: In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.
Enforcement
Any employee found to have violated this policy might be subject to disciplinary action, up to and including termination of employment.
Terms and Definitions
Appropriate measures
To minimize risk to the College from an outside connection or individual. Purchase College computer use by unauthorized personnel must be restricted so that, in the event of an attempt to access Purchase College corporate information, the amount of information at risk is minimized.
Configuration of Purchase College-to-other business connections
Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.
Delivered Direct; Signature Required
Do not leave in an interoffice mail slot; call the mail room for special pick-up of mail.
Approved Electronic File Transmission Methods
Includes supported FTP clients and Web browsers.
Envelopes Stamped Confidential
You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and mark it confidential.
Approved Electronic Mail
Includes the campus mail system supported by CIS only. If you have a business need to use other mail services contact the appropriate support organization.
Approved Encrypted email and files
Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms.
Purchase College Information System Resources
Purchase College Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.
Expunge
To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, such as that supplied as a part of Norton Utilities. Otherwise, the PC or Mac’s normal erasure routine keeps the data intact until overwritten.
Individual Access Controls
Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner.
Insecure Internet Links
Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of Purchase College.
Physical Security
Paper Information: Sensitive information should be secured in locking fireproof cabinets, locked cabinets, or locked and alarmed offices depending on the nature of the information. Visitors should be escorted when in areas containing confidential information. Confidential information should not be left unattended or in plain sight in publicly accessible areas. Confidential information that is outdated or no longer needed, and for which retention schedules have expired should be stored in appropriately marked containers until shredded.
Electronic information: Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.
Identity Verification:
Individuals or organizations requesting confidential information should be challenged to provide appropriate credentials and their identity verified before releasing confidential information to them.
AppLocker Policy
Overview
AppLocker is a Microsoft technology that allows administrators to control which applications are allowed to run in order to prevent the launching or installation of malicious software.
Policy
AppLocker will be used to secure college-managed computers that have a supported version of the Windows Operating System. AppLocker rules will be configured to block malware and allow applications required for academic and business purposes. A best effort will be made to allow other applications requested by users if the application does not pose a security risk and if a rule to allow it can be configured in a secure manner.
Procedures
If you receive the message “Your system administrator has blocked you from running this program”, it is most likely because the application does not match an AppLocker rule that would allow it to run. If you receive the message, please open a work order or call the helpdesk to let us know.
If you do not recognize the program name and location, your computer could have malicious software or it could simply be a benign application, like an auto-updater, trying to run.
If the application is something you are trying to open and want, please provide us some details so we can determine if we can create a rule to allow it. Basic information like the name of the software, its purpose, why you need it, and any other information you believe to be relevant is enough to begin a review.
Considerations
Applications that run from standard locations, like the Program Files or Windows directories, are automatically permitted to run, so do not require any special permissions. However, applications that run from any location within a user directory need to have a rule created to allow them to run (e.g. C:\Users\first.last\AppData\). Most publishers now sign their applications with a digital certificate that can be used to verify that the software comes from a legitimate developer. Signed applications that are not malicious can usually be granted permission to run. However, some developers do not sign their applications. If an application is unsigned and its executables reside within a user-writable directory, it might not be possible to securely configure a rule to allow it, so a request to allow it may have to be denied.
Purpose
Purchase College has always been responsible for complying with various information demands made upon it by the public, oversight agencies, and the courts. Such demands may arise in the context of litigation, administrative proceedings, audits, investigations, and Freedom of Information Law requests. With the proliferation of electronic information storage capabilities and systems, the task of compliance with the requests has become ever more complicated and challenging. The purpose of this Policy is to provide guidance and directives to aid various University constituencies and officers in their efforts to comply with those “e-discovery” responsibilities and demands.
Summary
Custodians must understand the basic operations of electronic storage systems and programs and must manage records and ESI according to applicable laws, regulations, policies, retention schedules, and best practices. This includes the duty to notify Counsel of potential Triggering Events.
The SUNY Office of General Counsel will make the ultimate determination of what constitutes a ‘Triggering Event’ and after such determination is made, will order Legal Holds accordingly. Counsel will also direct the production of ESI, if necessary.
Key Persons must cooperate with Counsel to identify, preserve, maintain, and produce ESI that is subject to a Legal Hold issued by the General Counsel’s Office.
Definitions
“E-Discovery” is a shorthand term for the process of preserving and exchanging electronically-stored information (ESI) in the context of modern litigation or other legal processes.
A “Legal Hold” is a process by which the Office of General Counsel (“OGC”) directs the preservation of certain records, information, and data, for the purpose of complying with an information request or other legal obligation.
“Counsel” means any member of the University’s Office of General Counsel.
A “Custodian” is any officer, employee, or agent of the University that possesses, controls, or maintains any record, information, or data of the University.
A “Key Person” is any officer, employee, or agent of the University that possesses, controls, or maintains any record, information, or data that is subject to a Legal Hold. A Key Person may also be someone who is in a position of leadership over a subject program or department (HR, Student Affairs, Facilities, etc.), or someone who has been designated as a campus liaison to Counsel.
“IT Personnel” means the Chief Information Officer of any campus or the designee thereof.
A “Triggering Event” is any event or set of circumstances that cause Counsel to reasonably anticipate litigation or another legal process which could give rise to a preservation obligation. Factors to consider in determining whether a Triggering Event has occurred include:
- Likelihood of litigation or other legal processes;
- History of the institution;
- Location, durability, and control of potential ESI;
- Media coverage;
- Seriousness or magnitude of potential legal action;
- Relative burdens and costs of preservation effort;
- Common sense and professional judgment.
A “Legal Preservation Notice” or “LPN” is a set of written instructions sent from Counsel to Key Persons. An LPN may be issued electronically; however, it should include an appropriate acknowledgment. At a minimum, an LPN should include information related to:
- The nature of the event giving rise to the Legal Hold;
- The ESI or other records that are subject to the Legal Hold;
- A brief recitation of the legal obligations related to Legal Holds in general;
- Instructions for preserving the relevant ESI (including any transfer instructions);
- Contact information for both legal and IT advice.
“Electronically Stored Information” or “ESI” means any information, record, document, file or data stored on any University program, system, device, or server of any kind. ESI can also reside on the personal devices and in the personal accounts of university officers, employees, and agents if such devices and accounts are used for conducting University business. ESI may include documents, audio recordings, videotape, e-mail, instant messages, word processing documents, spreadsheets, databases, calendars, telephone logs, contact information, Internet usage files, metadata, and all other electronic information created, received, and/or maintained on computer systems.
Specific Duties
Counsel
Be familiar with campus ESI systems, including e-mail, word processing, spreadsheets and databases, student information, backup and archival systems, and websites.
Issue Legal Hold upon the occurrence of the following events:
- Receipt of EEOC Complaint;
- Receipt of SDHR Complaint;
- Receipt of OCR Complaint;
- Receipt of NOI, Claim or Summons and Complaint;
- Catastrophic events involving injury to persons or property.
Consider issuing a Legal Hold upon the occurrence of any event giving rise to a reasonable anticipation of litigation or another legal process for which ESI may be relevant. Such events may include:
- Initiation of investigation by state or federal law enforcement;
- Initiation of investigation by Inspector General;
- Receipt of Attorney Demand Letter;
- Injury to persons or property;
- Major employment actions, such as tenure denial or the filing of a disciplinary grievance;
- Major contract actions, such as breach or early termination;
- Major student actions, such as dismissal or interim suspension;
- Receipt of FOIL request;
- Audit engagement;
- Receipt of a subpoena.
Once it is determined that a Triggering Event has occurred, work with applicable campus leadership to identify Key Persons.
Describe litigation facts and issues sufficiently to aid in identification of relevant documents or information. This may include determination on an on-going basis of appropriate search terms or key words for use in search tools/software.
Identify a retrospective time period for Legal Hold.
Define scope/types of ESI for recipients of LPN. This determination should be based, in part, on reasonable proportionality determinations. The more likely or serious the potential case or action, the more extensive the Legal Hold should be.
Work with IT Personnel to determine appropriate method for preserving ESI.
Issue instructions with respect to future communications (i.e. limit use of e-mail; save relevant emails in particular folder).
Monitor compliance with LPN.
Issue periodic reminders that the Legal Hold is still in effect.
Set review parameters and participate in ESI review process to the extent necessary to ensure appropriate determinations are made regarding relevance, privilege, and other factors.
Manage any necessary production in consultation with IT Personnel, Records Management Officers, the Attorney General, and other appropriate parties.
Custodians/Key People
Understand the basic operations of electronic storage systems and programs.
Manage records and ESI according to applicable laws, regulations, policies, retention schedules, and best practices. This includes limiting the amount of ESI that is stored on systems and devices under your control that does not have a legal, operational, or historical value to the University.
Notify counsel of threats of legal action and other potential Triggering Events.
If you are a “Key Person” and receive an LPN, you have a duty to preserve relevant information (define relevant, define types of information/ESI), no matter where it may be located (e.g., home computer, personal phone).
You must provide counsel with information on the sources, locations, nature of relevant ESI, and other records in your possession or control.
You must not delete, destroy, purge, overwrite, or otherwise modify existing relevant ESI (or newly created relevant ESI) even if it is a duplicate, draft or “personal”.
You must give access to relevant information in order that it can be preserved and retrieved if needed.
IT Personnel
Educate Counsel and Custodians on basic operations of systems, devices, and programs under their control.
Monitor use of IT systems to ensure Custodians comply with applicable policies, including those related to records management.
Contract and work with capable, responsible vendors. This may include vendors responsible for e-discovery services.
Cooperate with Counsel in identifying ESI sources.
Work with Counsel and Key Persons to implement Legal Holds. This may include having direct responsibility over ESI collection and preservation activities, pursuant to the direction of Counsel.
When you receive an LPN, take steps to preserve relevant ESI (define types); be aware of the names and locations of Key Persons.
Work with Key Persons to ensure preservation of new relevant data, if any.
Be prepared to help Counsel review, produce and explain relevant ESI during any related legal proceedings.
Other Policy Determinations
All electronic storage systems, devices, and programs purchased or used by the University should be capable of meeting the obligations described herein. Generally, at the least, this means that they should be capable of long-term retention of ESI. It is considered preferable if such systems, devices, and programs also allow for the easy searching and sorting of ESI.
Failure by any party to follow this policy may result in discipline and expose him or her to legal sanctions.
All officers, employees, and agents of the University should familiarize themselves with potential Triggering Events and communicate the occurrence of such events to Counsel through appropriate channels.
The exact scope, parameters, and features of a Legal Hold should be custom fit to the circumstances of the Triggering Event and proportional to the risk presented.
Campus policies should allow for administrative access and control of all University systems, programs, and devices. These policies should make clear to all employees that they have no privacy interest in University records and ESI, regardless of where it is stored.
All University officers should endeavor to document the steps they take pursuant to this policy and provide such documentation to Counsel.
Campuses must make compliance with this policy a priority and provide adequate resources to ensure that compliance is readily achievable.
OGC will provide routine guidance to University leadership and constituencies.
The University will at all times strive to coordinate its efforts with applicable vendors, unions, and the Attorney General’s Office to meet its E-Discovery obligations.
Custodians should work to eliminate multiple copies/drafts of records and other documents, and delete unnecessary email on a routine basis. ESI that does not have a legal, operational, or historical value to the University should not be retained and stored on University systems.
Backup systems at University campuses should generally be used for the purpose of disaster recovery only. Time frames or cycles of such systems should be gauged accordingly.
The Records Management Officer on each campus shall be charged with ensuring compliance with this policy, unless the President makes another designation.
Each campus should consider creating policies to supplement this in order to better fit its local environment and organizational structure.
Supervisors and IT Personnel are jointly responsible for managing records and ESI that are associated with a separated employee in accordance with University policies and procedures.
Other Related Information
SUNY Policy 6609 – Records Retention and Disposition
SUNY Policy 6608 – Information Security Guidelines
Forms
Legal Preservation Notice
Questionnaire/Interview Outline to Prepare for E-Discovery
Authority
Appendices
Introduction to the SUNY Records Retention and Disposition Schedule
From: Counsel
To: Campus / IT Personnel
Subject: Notice to Preserve Information Related to [Case] – A/C Privilege
Dear [Campus / IT Personnel],
Please forward the following message to [known Key Persons] and anyone else that might have information regarding the recent [describe Triggering Event]:
“You are receiving this message because a [litigation/investigation/audit] involving a [campus name] program is anticipated and the College has determined that you are likely to be in possession of data, documents, or information that may become part of the College’s response to this [litigation/investigation/audit]. [Campus] has an urgent legal obligation to preserve this information.
You are required to take all reasonable steps to identify and preserve any and all emails, hard copy files, electronically-stored information or other records in your possession that relate to [Triggering Event]. Relevant information may be in paper files, on campus IT systems, hand held devices, removable media such as CDs or flash drives, laptop computers, back-up tapes, personal computers (if SUNY business was conducted utilizing a personal or home computer), or any other storage medium.
Immediately halt all deletion efforts including routine destruction and deletion or modification of such information, documents or evidence. You must maintain this information, as well as any new information/evidence (hard copy or electronic) created after receipt of this message, in the form which it now exists. Please contact [IT Personnel] if you need help collecting or preserving information responsive to this request.
If you identify and preserve any documents or other materials identified as a result of this communication, please contact [Counsel] and inform him/her that you are in possession of such materials. Further instructions will be forthcoming once the scope of the [litigation/investigation/audit] becomes more apparent.
As this obligation is continuing, you must also save any new information/evidence that you create or receive until the Office of General Counsel notifies you we are no longer under a duty to preserve it. However, future communications involving this matter should be limited to formal discussions involving [Counsel].
Please confirm by return email that you have received this communication and are in the process of complying with the directives herein. Any questions regarding this matter should be directed to [Counsel]. Thank you for your cooperation.”
Questionnaire/Interview Outline to Prepare for E-Discovery
Overview of Computing Environment
Types of computers: How many and how are they used?
IT-managed computers:
Centralized mainframes and mid-range processors
IT-managed servers
Application servers
Email servers
File servers
Departmental servers: How many, what uses, relationship to IT?
Desktop computers
Mobile computers (including sub-computing devices)
Hosted services
Other
Storage devices and media: What policies and practices govern their use?
Hard drives
Network drives: How many and what uses?
Local hard drives
Removable media
Magnetic tapes (other than backup tapes)
CD / DVD drives
Other: flash drives, etc
Backup practices
Backup schedule for incremental and full backups
Backup media: magnetic tapes and other
Number of backup copies produced
Storage locations for backup media: onsite and offsite
Retention / recycling practices for backup media
Organization and accessibility of backup tapes
Is real-time backup in use or planned?
Database Applications
Survey of databases likely to be relevant for e-discovery
Purpose: business functions that database supports
Software that creates and maintains database
Current status
Plans for upgrading / replacement
Computer system on which software operates
Database retention policy
Archiving practices for older database records
Legacy database applications: current status and usability
Type of email software in use
Number and location of email servers
Number and types of email users
Retention practices for email
Limitations on mailbox size
Automatic deletion after a specified time
Transfer of email to other files: Is it permitted and/or encouraged?
Backup practices for email (if different from general backup practices)
Backup schedule: incremental and full
Storage locations for backup media
Accessibility of backup media
Use of non-SUNY email for SUNY business
File Shares: Departmental and Other
Network storage locations
Retention practices
Backup practices
State University of New York Records Retention and Disposition Schedule
Introduction
Purpose
This new State University of New York (University) Records Retention and Disposition Schedule (RR&D Schedule) indicates the minimum length of time that campus and University officials must retain the records covered by this schedule before the records may be disposed of legally. Schedule items have been reviewed by the NYS Offices of the Attorney General and State Comptroller and approved by the New York State Archives for use by the University, pursuant to provisions of Sect. 57.05, Arts and Cultural Affairs Law and 8 NYCRR Part 188. This new RR&D Schedule replaces and supersedes the 1977 Records Retention and Disposition Schedule formerly issued by the University. It also replaces and supersedes any other retention authorizations and guidance that campus and University officials may have adopted for specific records. It must be noted that the University also follows the New York State Archives’ General Retention and Disposition Schedule for New York State Government Records (State Schedule) to the extent that a category of records is not covered by the University’s own retention schedule. University and campus officials should determine first if there is a specific record category applicable from the RR&D Schedule. That schedule will supersede retention periods for similar items in the State Schedule. Records not covered by the RR&D Schedule will be governed by the State Schedule.
All University records must be retained in accordance with the retention periods and guidelines specified in this new RR&D Schedule and in any related policies, procedures, guidelines, or directives that the University has issued or may issue in the future. See Section 5 of this Introduction for suggestions regarding the disposition of records that no longer need to be retained.
The purposes of this new RR&D Schedule are to:
ensure that records are retained as long as needed for administrative, legal, and fiscal purposes;
ensure that state and federal records retention requirements are met;
ensure that records with enduring historical and other research value are identified and retained permanently; and
encourage and facilitate the systematic disposal of unneeded records.
Records Management Officer at the State University of New York
Pursuant to NYS Arts and Cultural Affairs Law §57 (Divisions of History and Public Records) and 8 NYCRR §188 (State Government Archives and Records Management), the University has designated a University Records Management Officer to coordinate the proper retention and disposition of records throughout University campuses and at the System Administration Office. It is suggested that each campus also designate a records management officer.
All inquiries about records management should be referred to the University Records Management Officer (518-320-1311) and, whenever necessary, the Office of University Counsel & Vice Chancellor for Legal Affairs for resolution. The University Records Management Officer and the Office of University Counsel & Vice Chancellor for Legal Affairs will also be responsible for referring, whenever necessary or appropriate, any questions on records management issues to the State Archives.
How to Use the RR&D Schedule
3.1 Interpreting the RR&D Schedule Items
Many of the items on this RR&D Schedule are broad and describe the purpose or function of records rather than identifying individual documents and forms.
Specific items are listed in sixteen (16) tables with functional headings (e.g., Academic Affairs, Athletics, Student Accounts) which are arranged alphabetically. Using the Subject Index at the end of the RR&D Schedule, campus and University officials should match the records in their offices with the descriptions on the RR&D Schedule to determine the appropriate retention periods. Records whose content and function are substantially the same as an item described on the RR&D Schedule should be considered to be covered by that item. Campus and University officials should check with the University Records Management Officer when they are uncertain regarding coverage of a function.
In situations where campus and University officials have combined related types of records covered by different items on the RR&D Schedule into a single file, it may be impractical to separately apply the retention periods of the various applicable RR&D Schedule items to the individual records in the file. In such situations, officials may find it more convenient to dispose of the entire set of records by using the applicable retention item with the longest retention period.
Retention periods on the RR&D Schedule apply to one “official” copy designated by the campus or the University, regardless of physical form or characteristic (paper, microfilm, computer disk or tape, or other medium), unless otherwise stated. No matter what the medium, campus and University officials must ensure that the information will be retained for the specified retention period. The time identified as the minimum retention period begins with the creation of the record, unless otherwise specified. When original records are migrated to different media, unless pre-approved in the RR&D Schedule, approval of the State Archives is needed to destroy the original records prior to the expiration of the assigned retention period even when the new media versions will be retained for that period.
3.2 Records Disposition Authorization (RDA) Number
In addition to the consecutive numbering of items within each section of the RR&D Schedule, each item is assigned a Records Disposition Authorization (RDA) number by the State Archives. The Subject Index at the end of the RR&D Schedule refers to items by their RDA numbers.
Special Situations
4.1 Legal Actions
Some records may be needed for use in legal actions involving a campus and/or the University. Records that are identified in or relevant to such actions must be retained for the entire period of the action, including any appeals, or the period for making an appeal, plus an additional year, even if their retention period has expired. Prior to disposing of records related to or retained for a legal action, campus and University officials should consult with the University Records Management Officer, who will work with the Office of University Counsel & Vice Chancellor for Legal Affairs to verify that no new legal actions or appeals have been initiated that would require longer retention of the records.
4.2 Electronic Records
While items on the RR&D Schedule for the most part cover records regardless of the physical form in which they are maintained, they do not cover all records relevant to the operation of electronic information systems. For guidance on the disposition of records of the design, development and operation of IT systems, refer to the Information Technology section of the State Archives’ General Retention and Disposition Schedule for New York State Government Records. Contact the University Records Management Officer if you have any questions or problems or if you need additional information on the disposition of electronic records.
Generally, records transmitted through e-mail systems have the same retention periods as records in other formats that are related to the same function or activity. E-mail records should be scheduled for disposition in conjunction with any other records related to that function or activity. Campus and University officials may delete, purge, or destroy e-mail records if the records have been retained for the minimum retention period established in the RR&D Schedule and are not being retained for a legal action or otherwise subject to a litigation hold or for an audit. Transitory messages may be destroyed when no longer needed. For further guidance on the disposition of e-mail messages and attachments, see item 90369 in the State Archives’ General Retention and Disposition Schedule for New York State Government Records. Contact the University Records Management Officer for additional information.
4.3 Drafts and Personal Working Papers
When drafts are created in the preparation of University records, the final version is considered the official copy for retention purposes. Temporary drafts that were not reviewed, circulated or used to make decisions may be discarded when no longer needed. This should be done at the earliest opportunity following approval of the final version. This policy applies to drafts in all forms, including word processing files, spreadsheet files, and other computer files.
Personal working papers, including notes, may be developed during the transaction of University business or during the preparation of University records. Most personal working papers, such as notes taken at a meeting or annotations on a draft record that is ultimately superseded by a final version, have no legal, operational, or research value that warrants retaining them beyond their moment of immediate usefulness. These records should be discarded at the earliest opportunity, generally within one (1) year after the purpose for which they were created has been fulfilled. This policy applies to personal working papers in all formats, including word processing files, spreadsheet files, and other computer files.
4.4 Additional Retention Requirement for Licensed Health Professionals Other Than Physicians
The State Education Department’s Office of the Professions oversees the professional conduct of licensed health professionals other than physicians (e.g., athletic trainers, nurses and mental health practitioners, etc.). Paragraph 3 of subdivision a of 8 NYCRR §29.2 (Regulations of the Commissioner of Education) states that “unprofessional conduct” includes “failing to maintain records for each patient which accurately reflects the evaluation and treatment of the patient” and that, unless otherwise provided by law, records of minor patients must be retained for at least six years, and until one year after the patient reaches the age of 21 years.
Some health-related items on the RR&D Schedule contain minimum legal retention periods that permit disposition of records after a minor attains age 21. In these instances, certain records pertaining to minors must also be retained for an additional year if the records are subject to the Section 29.2 requirements for health professionals other than physicians, if these professionals are employed by or associated with a campus or the University. For additional information on this situation, contact the University Records Management Officer.
4.5 Audits
Program and fiscal audits and other needs of state and federal agencies are taken into account when retention periods are established in the RR&D Schedule. However, in some instances agencies with audit responsibility and authority may formally request that certain records be kept beyond the retention periods. If such a request is made, these records must be retained beyond the retention periods until the campus or the University receives the audit report or until the need is satisfied.
4.6 Archival Records
Archival records are records that campuses and the University must keep permanently to meet their fiscal, legal, or administrative needs or that campuses and the University retain because they contain historically significant information. Records do not have to be old to be archival; campus and University officials create and use archival records daily in their offices. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains.
When the State Archives has determined that a record item has enduring historical or other research significance, the item has been given a permanent designation on the RR&D Schedule. However, the State Archives cannot identify all record items with historical or research significance. Knowledge of people, places, or events in each campus community and the unique circumstances of each campus will determine which records are significant. Campus and University officials will need to appraise records with non-permanent retention periods for potential research or historical value before destroying them.
The usefulness of archival records depends on the ability of the campuses and the University to preserve them, retrieve the information they contain, and make that information available to researchers.
4.7 Appraising Records for Historical or Research Significance
A campus or University record has historical or other research importance if it provides significant evidence of how the campus or University functions and/or if it provides significant information about people, places, or events that involve the campus or the University. Since each campus community has its own unique history, the importance or value of a record item may vary from campus to campus.
Campus and University records may contain a tremendous amount of information about the people, buildings, and sites in the campus or University community, as well as important time periods or significant events that affected the people associated with the campus or the University. This information can be very valuable to staff, researchers, and the public, but only if the information itself is significant. The significance of the records will depend on:
When the records were created. Records created during a time of momentous change, which are scarce, or which cover a long period of time tend to be more significant.
What kind of information the records contain. Records that contain more in-depth information are more likely to have enduring value.
Who created the records. Records that reflect an employee’s perspective or individual point of view may be more significant.
What other records exist. If the information in the records exists in other records within a campus or the University or elsewhere, then the records are less likely to be significant.
The unique history of the campus or the University. Records created during important time periods or events can provide clues to how the events affected the development of the campus or the University and the community it serves.
4.8 Records Not Listed on the RR&D Schedule and Non-Existent Records
The RR&D Schedule covers the majority of all records of the campuses and the University. For any record not listed, the custodian of the records should contact the University Records Management Officer, who will then contact the Office of University Counsel & Vice Chancellor for Legal Affairs for assistance. If the record is not covered by an item on the RR&D Schedule or an applicable item on the State Schedule, it must be retained until a revised edition of or addendum to the RR&D Schedule is issued containing an item covering the record in question and providing a minimum legal retention period for it.
Conversely, the State Archives has no legal authority to require a campus or the University to create records where no records exist, even if the records in question are listed on the RR&D Schedule. Although there may be laws, regulations, or other requirements that certain records must be created, the mere fact that a particular record is identified on the RR&D Schedule should not be interpreted as a requirement that the record must be created.
4.9 Public Access to Records/Confidentiality
The RR&D Schedule does not address the issue of public access to records. Access issues are covered by the Freedom of Information Law (NYS Public Officers Law §§84–90), Personal Privacy Protection Law (NYS Public Officers Law §§91–99) and Access to Personal Information Maintained by State University of New York (8 NYCRR §315), as well as by the federal Family Educational Rights and Privacy Act (FERPA). Campus and University officials should consult with their Records Access Officer on questions related to public access to records.
Records on the RR&D Schedule may or may not be confidential, depending on what information they contain and on the possible effect of disclosure of that information. In approaching issues of confidentiality and access, it may be helpful to consider the following:
What was the purpose for which the records were created?
What information do they contain? What subjects are covered?
How are the records used?
How do they relate to other records that may have similar information?
What would be the likely effect of disclosure of the information in the records?
Campus and University officials should consult their Records Access Officer with questions related to public access to records that may contain confidential information.
4.10 Migration of Records to Different Media, i.e., digitizing of records
The majority of the tables within the RR&D Schedule have been pre-approved for migration of original paper records into electronic formats. This means that once paper records are scanned and reformatted as electronic records, the original paper records may be destroyed even if the assigned retention period has not expired. The new electronic records must be retained for the remainder of the applicable retention period. The University was given authorization for migration of paper records into electronic formats under the following conditions:
(1) the images will accurately and completely reproduce all the information in the records being imaged;
(2) the imaged records will not be rendered unusable due to changing or proprietary technology before their retention and preservation requirements are met;
(3) the imaging system will not permit additions, deletions, or changes to the images without leaving a record of such additions, deletions, or changes; and
(4) designees of the State University of New York will be able to authenticate the imaged records by competent testimony or affidavit which shall include the manner or method by which tampering or degradation of the reproduction is prevented.
Accordingly, campuses planning to replace original records with electronic or imaged copies for retention purposes must ensure that all conditions listed above are met and that a campus official will be able to attest to the manner in which replacement of records occurred to fulfill these conditions.
Before undertaking any replacement of paper records as described above, the campus records management officer should determine if pre-approval exists for the category of records involved and if not, must seek specific approval from the State Archives, through the University Records Management Officer.
Suggestions for Records Disposition
Records without historical value must be disposed of continually as they meet their stated minimum retention periods. The advantages of a program for systematic, legal disposal of obsolete records are that it:
Demonstrates routine, good faith operation of the records retention system;
Ensures that records are retained as long as they are actually needed for administrative, fiscal, legal, or research purposes;
Ensures that records are promptly disposed of after they are no longer needed;
Frees storage space and equipment for important records and for new records as they are created;
Eliminates time and effort required to service and sort through superfluous records to find needed information;
Eliminates the potential fire hazard from storage of large quantities of valueless records; and
Facilitates the identification and preservation of archival records.
Suggestions for systematically approaching the disposition process include the following:
Disposition should be carried out regularly, at least once a year. It should not be deferred until records become a pressing storage problem.
Since State law does not prescribe the physical means of destruction of most records, records may be destroyed in any way prescribed by the University Records Management Officer. Disposition through consignment to a paper recycling plant is often the best choice as it helps conserve natural resources and may also yield revenue for the campus or the University. For records containing confidential information (e.g., Social Security numbers, credit card numbers, personnel evaluations, salary levels), disposition should be carried out in a way that ensures that the confidentiality of individuals named in the records is protected.
A record should be kept of the identity, inclusive dates, and approximate quantity of records that are disposed of. Sample disposition forms designed by the State Archives are available from the University Records Management Officer.
The official who carries out disposition at your campus will describe what has been done to dispose of records during the year in an annual report to the University Records Management Officer.
Reminders
No records may be disposed of unless they are listed on the RR&D Schedule, or their disposition is covered by the State Schedule or other state laws.
Records are listed in sections with a functional heading. You should use the Subject Index at the end of the RR&D Schedule to match the records in your office with the description on the RR&D Schedule to determine the appropriate retention period. You should check with your Records Management Officer if you are uncertain regarding coverage of a function.
Records being used in legal actions or otherwise subject to a litigation hold must be retained for one year after the legal action (and any appeals period) ends, or until their scheduled retention period has expired, whichever is longer. Consult the Office of University Counsel & Vice Chancellor for Legal Affairs before disposing of any such records.
Any record listed on the RR&D Schedule for which a Freedom of Information (FOIL) request has been received should not be destroyed until that request has been answered and until any potential appeal is made and resolved, even if the scheduled retention period of the record has expired.
Records being kept beyond the established retention periods for audit and other purposes at the request of state or federal agencies must be retained until the campus or the University receives the audit report, or the need is satisfied.
Retention periods on the RR&D Schedule apply to one “official” copy designated by the campus or the University, unless otherwise stated.
The minimum retention period begins with the creation of the record, unless otherwise specified.
The retention periods listed on the RR&D Schedule pertain to the information contained in records, regardless of physical form or characteristic (paper, microfilm, computer disk or tape, or other medium).
Duplicate copies of records prepared for administrative convenience, including copies maintained in different media (paper, electronic, etc.) may be disposed of at any time, except where retention is specified elsewhere on the RR&D Schedule. When original records are migrated to different media, unless pre-approved in the RR&D Schedule, approval of the State Archives is needed to destroy the original records prior to the expiration of the assigned retention period even when the new media versions will be retained for that period. There is no requirement for campuses or the University to create records where no records exist, even if the records in question are listed on the RR&D Schedule.
The RR&D Schedule cannot identify all record items with historical significance for individual campuses or the University. Campus and University officials will need to appraise records with non-permanent retention periods for potential research or historical value before destroying them.
Certain records may need to be retained for one year longer than the RR&D Schedule dictates if those records are subject to the requirements stated in 8 NYCRR §29.2 for health professionals other than physicians, if these professionals are employed by or associated with a campus or the University.
The RR&D Schedule does not address confidentiality of records. Confidentiality of records is often dependent upon what information they contain. Campus and University officials should address such questions to the Office of University Counsel & Vice Chancellor for Legal Affairs.
Mail Management Policy
Purchase College provides a standard 1 gigabyte storage allocation for faculty and staff mailboxes. That 1GB of space is enough to store thousands of messages – unless those messages contain unnecessary bloated attachments.
We can and do provide additional mailbox space - in smaller increments - but there are a lot of visible and hidden costs for runaway mailbox space needs, and we depend on faculty and staff to have some discipline in managing their storage space.
No matter how much space we provide, anyone who doesn’t practice basic organizational discipline and basic mailbox discipline will very quickly outrun their allocation. Anyone who says they have to spend “a tremendous amount of time” managing their files or their mailbox is doing something wrong.
Everyone practices some level of basic organizational discipline – related files go into project folders – or whatever suits their needs. Given that practice, managing mailbox space use should take no more than 5 or 10 minutes per week – at most – and is a simple process.
CTS can arrange a quick training session for managing mailbox and file space. There are a number of simple techniques that will help to contain runaway needs.
In addition, everyone should recognize that mailboxes make the absolute WORST filing cabinet ever invented. Large mailboxes invariably contain multiple copies of the same bloated attachments in multiple and fragmented conversation threads – making it impossible to locate the latest version – or to locate anything for that matter. Think of your mailbox like the one attached to the front of your house – stuff gets dropped off there, and you take it inside and file it away. Nobody uses that mailbox to store things – for obvious reasons. The same obvious reasons apply to email: phishers download the entire contents of your mailbox as soon as they get your credentials – we have seen that happen all too often here – and it happens to tech-savvy individuals too.
Aside from best practices, there are a lot of hidden costs, which nobody cares about – that is - until they do care. Storage space is expensive. Backup software licensing fees are expensive too – and we pay for every gigabyte we back up. SUNY Legal counsel advises limiting everyone’s total storage footprint and mailbox size – so they don’t have to search through a tremendous amount of material when a legal hold is placed – and that happens far more often than anyone would like as well.
Our faculty/staff email storage footprint today is 2.5 times the size it was 4 years ago. If we have to restore that 20 terabytes of data from backup, it will take 4 or 5 DAYS to do that restore, and during that restoration period, nobody will have email, and everybody will be screaming. It is reasonable to assume that a majority of that storage footprint – and a majority of those 4 or 5 days of recovery time – is ‘wasted’ on unnecessary material and multiple copies of bloated attachments that have accumulated in everyone’s mailbox.
Only the mailbox/storage owner can determine what is important enough to keep. We ask that you keep the important materials that land in your mailbox inside the house, and not in the mailbox outside your front door. Doing that will help you be more organized, find things faster, and find inner peace and tranquility.
Email space management tips:
- Avoid sending or forwarding bloated attachments to committees or large groups of campus persons. Instead, use SharePoint links to documents rather than attachments - or use the Broadcast Email system (which provides server links rather than bloated attachments).
- Use the “Size” column in Outlook to float the bloat to the top, and then cut it out.
- Save the attachments you do receive in your mailbox as they arrive – I put a tag into the subject line to record their original presence and their file storage location - “<\path\Filename.type>”
- If you do SEND OUT an attachment via email, that means you already have that document stored somewhere, so cut it out of your sent items, and put in a “<\path\Filename.type>” placeholder note to record its presence in your sent message.
Purpose
This policy offers some best practices regarding the use and safekeeping of laptops, tablets, and mobile computing devices, and governs the use of and liability for College-owned mobile devices.
What’s covered by this document?
All College-owned mobile computing devices are governed by this policy, including systems made available as primary workstations, assigned within a departmental office, or purchased through grant dollars for specific projects.
All college-owned computers, systems, and mobile devices are covered by the Purchase College Privacy Policy which provides protection for individual privacy appropriate for an academic environment.
Scope
This document is applicable to all College staff, faculty, or administrators who are using mobile computing devices issued or loaned to them by a College department.
College-owned mobile devices may be used for any work-related tasks, including:
- as your primary workstation.
- on a College trip, conference, or workshop.
- for research, creative production, or any work-related purpose.
General Use
You will receive user credentials for your device.
Feel free to change user settings to your liking.
Please be sure to safeguard the device - log off or “lock” the device when it is not in use.
Physical Protection and Reasonable Care
Password protect all mobile devices
Secure your mobile device and keep it with you.
Reporting Loss
Report a theft immediately to:
- The appropriate local law enforcement authority
- Purchase College University Police
- CTS (Helpdesk 914.251.6465) as soon as the theft has been noticed. Provide CTS with a copy of the police report.
General information on Faculty Computers and Mobile Devices
Acquisition
College units provide their staff with computers, laptops, and mobile devices as necessary.
Inventory, Reporting, and Replacement
All Computers are College Property. Whether purchased by the College, Research Foundation, or individual units, all computers and the software they contain remain College Property and will be managed by CTS.
Managers will use the Device Assignment and Tracking (DAT) system to manage their unit’s fleet of computers.
- Computers should be replaced approximately every 5 years. Computers that are unable to support a current version of an operating system will be disabled and must be replaced.
Preparation for use:
Upon arrival, CTS prepares the machines by joining them to the college network and loading college software onto them.
CTS notifies the individual when their device is ready for delivery or pickup.
Upon delivery/pickup of a new device, the device being replaced must be returned to CTS. Data can be transferred to the new device during the handoff.
- College credentials (CTS) will exist on all College-owned devices to enable CTS staff to provide support and maintenance services as needed.
- Administrative access may be provided for mobile device holders upon request.
- Upon resignation or departure from College service, all College-owned equipment must be returned to CTS for inventory purposes, reassignment and/or disposal. All data is wiped from computing devices prior to disposal.
Physical Protection and Reasonable Care
Every mobile computing device must be password-protected
Each user of a College-owned mobile device is responsible for the security of that device, regardless of whether it is used in the office, at one’s place of residence, or in any other location such as a hotel, conference room, car or airport. Users are expected to provide reasonable care and effort to protect the mobile device.
The equipment may not be transported as checked luggage on public transportation (airplanes, trains, and buses). The user will keep the equipment in their possession at all times while traveling.
Carrying cases and mobile devices should be labeled accordingly so in the event of a loss the equipment might be returned. All mobile devices must have a College asset tag.
Special care should be taken with the security of the mobile device. Equipment must not be left unattended in public areas. Do not leave your office unattended and unlocked, even for a brief time, if your mobile device is not secured in the office.
Do not store mobile devices in a locked car or car trunk, as severe temperatures may damage it and the car may be broken into if the mobile device can be seen.
Liability
Along with the privilege of using a College owned mobile device comes the responsibility to safeguard the device and any data it contains.
Individuals are personally responsible for the security and safety of the mobile device.
Departments should not loan college-owned mobile devices to students, student organizations, or other outside parties. CTS maintains a distinct pool of equipment for this type of use, and requests should be referred to CTS.
In case of theft or loss, the employee must file a report with the University Police.
A theft must be reported immediately to:
- The appropriate local law enforcement authority
- Purchase College University Police
- CTS (Helpdesk 914.251.6465) as soon as the theft has been noticed. Provide CTS with a copy of the police report.
If a mobile device is damaged, lost or stolen and it is determined that reasonable care and protection guidelines were not followed, the person to whom the mobile device was issued may be subject to disciplinary action. The determination of responsibility will be made by a College Officer, in consultation with the unit supervisor, UPD, CTS and the Property Control Officer.
Failure to follow this policy and these procedures may result in loss of computer privileges.
Failure to return the mobile device may result in disciplinary or legal action.
Data Security
Data Security policies apply to all computing devices used for College business. Since mobile computing devices are more susceptible to loss or theft, it is important that you do not store any Personal Private Sensitive Information (PPSI) on mobile devices, and that you maintain current backups of any important files that you do have on the mobile device.
Why avoid storing personal, private, and sensitive information? Mobile devices are particularly susceptible to loss or theft. If Personal Private Sensitive Information (PPSI) is stored on a device that is lost or stolen, the individuals whose information was compromised may face long lasting ramifications from the improper use of their personal and financial information. In addition, New York State law may require that the college publicly disclose the loss of such PPSI and notify all individuals whose information was potentially compromised. As a result, we highly recommend that you do not store any sensitive data on mobile computing devices.
What is Personal, Private, and Sensitive Information (PPSI)?
Per NYS Cyber-Security Policy P02, PPSI is considered a combination of any three of the following personally identifiable information items: Name, Address, SSN, account number, credit card number, maiden name, and date of birth.
To Secure Data on Your Device:
Ensure that virus protection updates, operating system updates and virus scans are performed regularly (these are default CTS settings.)
When using your mobile device in a public place, use encrypted network connections (via HTTPS on Wi-Fi or VPN) to ensure your communications remain secure.
Avoid using “remember me” for websites that require an account log on. This avoids storing your ID/password for that site in cookies and browser cache files.
Do not download, store, or record data that includes any personally identifiable information such as: student/faculty/staff/alumni/vendor Name, Address, SSN, account number, credit card number, etc. If the mobile computing device is lost or stolen, this data could be used for Identity theft. The user is responsible for the security of all College data stored on, or carried with, the mobile device.
Do not alter any system software or hardware configuration unless instructed to do so by someone from Campus Technology Services.
Additional application software may not be loaded onto the mobile device unless approved by Campus Technology Services.
Safeguard the device and data by ensuring the mobile device is “locked” or the user is logged off when not in use.
Inventory Tracking and Disposal
Upon termination of college employment, the mobile device, peripherals, and carrying case need to be returned either to the issuing department or to the CTS Helpdesk on or before the last day of work.
Do not give the mobile device to anyone else for use. Doing so will be considered misuse of the equipment.
The department responsible for the mobile device must maintain records of who has which mobile device for what period of time. The department responsible for the mobile device should retain a copy of each Mobile Device Authorization Form they issue. If the mobile device does not have a barcode, then the unique identifying number (e.g. a serial number or service tag number) should be used to identify the equipment.
When a mobile device reaches the end of its useful life, it must be returned to the CTS Help Desk for disposal. They will ensure that the device is wiped clean before the unit leaves campus.
Failure to comply with this policy may result in disciplinary and/or legal action.
Thank you for reading this document.
Acknowledgement of Mobile Computing Device Usage Policy
Purchase College / State University of New York
authorize (name) to receive a mobile computing device.
(Supervisor’s name) (Employee’s name)
Mobile computing device information:
Laptop Tablet Other
Manufacturer Model
Serial # Original cost: Date of purchase:
SUPERVISOR
I approve the issuance of a Mobile Computing Device to the employee:
(Supervisor signature / date)
COLLEGE OFFICER
I approve the issuance of a Mobile Computing Device to the employee:
(College Officer’s signature / date)
EMPLOYEE:
I have read and agree to follow the Mobile Computing Device Usage Policy:
(Employee signature / date)
Submit form to Campus Technology Services. A copy should also be retained by the issuing department.
This information has been recorded in the computer inventory database:
(CTS Reviewer / date)
NYS-S14-009
State Capitol P.O. Box 2062
Albany, NY 12220-0062
www.its.ny.gov
1.0 Purpose and Benefits of the Standard
Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices that are only used within a State Entity’s (SE) facilities and on the SE’s networks.
This standard outlines the additional protections required for the use of mobile devices by SEs.
2.0 Enterprise IT Policy/Standard Statement
Section 2 of Executive Order No. 117 provides the State Chief Information Officer, who also serves as director of the Office of Information Technology Services (ITS), the authority to oversee, direct and coordinate the establishment of information technology policies, protocols and standards for State government, including hardware, software, security and business reengineering. Details regarding this authority can be found in NYS ITS Policy NYS-P08-002, Authority to Establish State Enterprise Information Technology (IT) Policy, Standards and Guidelines.
Except for terms defined in this standard, all terms shall have the meanings found in the IT New York Glossary.
3.0 Scope
This standard covers all mobile devices managed by the State or which are used by the State workforce to store SE information.
Mobile devices are computing devices in a small form factor that have at least one network connection interface, non-removable and/or removable storage, and are portable (i.e., nonstationary). These devices come in forms such as: smartphones, PDAs, smart watches, tablets, laptops, and wearable devices.
4.0 Information Statement
4.1. Mobile devices must follow all requirements of the NYS Information Security Policy.
4.2. As per the state Encryption Standard, all mobile devices that access or contain any SE information must be encrypted.
4.3. For State issued mobile devices or personal mobile devices with direct access to NYS-managed networks (see NYS Bring Your Own Device Standard), only those applications which are approved by the SE may be installed and/or run on the mobile devices. Applications must be restricted through the use of whitelisting (preferable) or blacklisting. Applications must be digitally signed to ensure that only applications from trusted entities are installed on the device and that code has not been modified.
4.4. State information must be removed or rendered inaccessible from mobile devices after no more than 10 incorrect authentication attempts.
4.5. Mobile devices must automatically lock after being idle for a period not to exceed 10 minutes.
4.6. Mobile devices which directly connect to NYS-managed private networks, virtually connect to NYS-managed private networks in a manner consistent with a directly connected device, or which contain or could contain SE information, including e-mail data, must be managed by a Mobile Device Management (MDM) or other centralized management solution.
4.7. Use of synchronization services, such as backups, for mobile devices (e.g., local device synchronization, remote synchronization services, and websites) must be controlled by the SE through an MDM or other centralized management solution.
4.8. Mobile devices may not access NYS private networks unless their operating environment integrity is verified (including whether the device has been rooted/jailbroken).
4.9. SEs must manage all mobile devices by:
a. Implementing device policies and configurations as appropriate to the use of the device.
b. Developing and implementing processes which check for upgrades and patches to the software components, and for appropriately acquiring, testing, and deploying the updates to State issued devices.
c. Reconfiguring access control features as needed based on factors such as policy changes, technology changes, audit findings, and new security needs.
d. Detecting and documenting anomalies which may indicate malicious activity or deviations from policy and procedures. Anomalies should be reported to other systems’ administrators as appropriate.
e. Providing training and awareness activities for mobile device users on threats and recommended security practices which can be incorporated into the SE’s security and awareness training.
5.0 Compliance
This standard shall take effect upon publication. The Policy Unit shall review the standard at least once every year to ensure relevancy. The Office may also assess agency compliance with this standard. To accomplish this assessment, ITS may issue, from time to time, requests for information to covered agencies, which will be used to develop any reporting requirements as may be requested by the NYS Chief Information Officer, the Executive Chamber or Legislative entities.
If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, SEs shall request an exception through the Enterprise Information Security Office exception process.
6.0 Definitions of Key Terms
Mobile Device
A computing device in a small, portable form factor that has at least one network connection interface, non-removable and/or removable storage, including but not limited to smartphones, Personal Digital Assistants (PDAs), tablets, laptops, smart watches, and wearable devices.
7.0 ITS Contact Information
Submit all inquiries and requests for future enhancements to the standard owner at:
Standard Owner
Attention: Enterprise Information Security Office
New York State Office of Information Technology Services
1220 Washington Avenue – Bldg. 7A, 4th Floor
Albany, NY 12242
Telephone: (518) 242-5200
Facsimile: (518) 322-4976
Questions may also be directed to your ITS Customer Relations Manager at:
Customer.Relations@its.ny.gov
See here for The State of New York Enterprise IT Policies.
8.0 Review Schedule and Revision History
- 04/18/2014: Original Standard Release. Thomas Smith, Chief Information Security Officer
- 05/15/2015: Minor clarifications, added link to the BYOD standard and removed optional language pertaining to MDM. Deborah A. Snyder, Deputy Chief Information Security Officer
- 04/18/2016: Scheduled Standard Review
9.0 Related Documents
NIST Special Publication 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise
NIST Special Publication 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices
Federal CIO Council and Department of Homeland Security Mobile Security Reference Architecture
To all faculty, staff, and administrators:
New York State Security Compromise Disclosure Law
On December 7, 2005, the “NYS Information Security Breach and Notification Act” went into effect. It was signed August 9 by the governor. This new law requires that “entities conducting business in NY who own or license computerized data which includes private information” disclose any breach of private data to NY residents (and nonresidents) whose personal information was stored on any system that may have been compromised. The law defines personal information as “any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.”
What does this mean to me? Identity theft has become a major problem over the last few years. More than 51 million Americans have had their personal information compromised since February 2005 (including more than three million NYS residents—see the CSCIC list at the end). Criminals—and organized crime in particular—have found it to be a very lucrative business. With a few key pieces of personal information—a name, SSN, birth date and address—they can use your identity to open new credit card and financial accounts, take out a mortgage on your house, and generally plunder your financial accounts for huge amounts of money before you even realize it is happening. Repairing the damage to your credit rating takes years, and is difficult if not impossible. On a personal level, we all understand and support this legislation because we all would want to know if our personal information has fallen into the wrong hands.
What does this mean for Purchase College? Purchase College computer systems store data on tens of thousands of current and former students and employees. We have all seen press reports of other schools that have been hacked or lost a laptop containing personal information. New York has now followed California’s lead in implementing a notification law. Prior to this, compromises were often kept quiet. Under the new law, if there is “reason to believe” that a system has been or may have been compromised, we are required to notify all individuals whose information was stored on the compromised system, and to notify the Consumer Protection Board or the press if more than 5,000 records are involved. Obviously, this would have a disastrous effect on the college’s public image and our recruiting and enrollment efforts, not to mention the potential damage to the individuals whose information may have been compromised.
What is the college doing to protect our systems and data? Campus Technology Services (CTS), the central technology and support organization serving the campus, provides centralized administrative systems that serve faculty, staff, and students. CTS also supports and maintains all college-owned faculty and staff workstations. The most common way that systems are compromised is through known exploits on machines that are not properly patched.
What should you do? Review practices regarding use of computer systems within your unit—particularly those systems that are not stored, managed, and maintained by CTS. If you have a local MS Access database on a machine in your office, or any locally stored database of students, clients, constituents, or employees, you should contact CTS to discuss options for securing that data.
Data should never be stored on local workstations—not only is that data not part of any backup and recovery process, but local workstations can be (and are) stolen. The college provides file servers accessible through the network that provide secure storage for all of your data files.
Any stolen or lost computers (desktops or laptops) should be reported to the University Police immediately. You should keep a record of all of your unit’s computer hardware (make, model, serial number and MAC address) in the event that it is stolen or lost.
The proliferation of external USB/Firewire disk drives and USB memory keys is another threat. These portable devices can also store large amounts of data that is easily lost or stolen. Again, data should only be stored on centralized college servers.
If your unit is not already using a centralized file share on a CTS server, chances are your employees are using local or removable storage that is not secure. Please call CTS at x6465 to set up a file share for your office.
It is critical that you notify CTS when an employee leaves your unit so that their access to college systems can be terminated. Former employees can retain email privileges where necessary, but should not have access to other college systems after they leave.
Take stock of physical security within your unit. Are the offices and cabinets where sensitive paper records are stored secure and accessible to authorized personnel only? Are there alarm systems covering these areas?
Most importantly, you need to raise awareness among everyone within your unit about the seriousness of cybersecurity threats. Understanding the issues and the ramifications of a compromise—personally and institutionally—is the only thing that will make someone think twice about downloading that data file onto their laptop or USB key. Have your people check the contents of their computers and storage devices and eliminate anything that doesn’t need to be there. Remind everyone not to email confidential data files or SSNs.
If a compromise is suspected: If you suspect that a computer system in your unit has been compromised, or if any laptop or college-owned desktop computer is lost or stolen, please notify CTS and the University Police immediately. We will work with you to determine whether or not a compromise has occurred, and what actions need to be taken.
If a compromise occurs: The law requires us to notify three NYS offices:
- NYS Attorney General
- NYS Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
- Consumer Protection Board (CPB)
More Information:
The summary and text of the Assembly bill signed August 9 by the governor:
The Privacy Rights Clearinghouse website.
At Purchase College, students in online courses must use a secure log-in to the campus learning management system, using their Purchase College username and password. This is required for students to register for courses and to participate in them online.
Student privacy rights are strictly protected. Only those enrolled in the course have access to the course. The outside community does not have access to the coursework, nor do students who are not enrolled in the specific course.
All students are informed of the academic integrity policy in course syllabi. Upon registering, all students formally agree to the college’s Student Code of Conduct, which includes the academic integrity policy.
Campus Technology Services (CTS) also has a computer ethics and usage policy, which outlines clear expectations, including maintaining security of accounts, not sharing account access, and the strong password use enforced by the campus system.
Faculty members are encouraged to use video tools (i.e., Skype, Adobe Connect), in addition to phone conversations with students as needed. Instructors are encouraged to use activities in the online course for students to, once again, actively agree to the college’s policies on academic integrity and on computer ethics and usage.
As additional means of addressing student authentication become available, Purchase College will research possible adoption of such resources.
Online services for Faculty and Students in case of school closure
As you are probably aware, the Swine flu pandemic continued to produce cases in the US throughout its off-season, and flu season returns this fall. While it has had a fairly mild effect in the vast majority of cases to date, it does spread like wildfire. Schools across the country are bracing for flu season this fall, including Purchase.
In a worst case scenario, if the campus were to close due to pandemic pandemonium or other emergency during the semester for a period of several weeks or more, there are a variety of tools that could help the faculty and students continue their studies and complete the semester. These tools include both low-tech (email!) and hi-tech options, and the college’s Teaching Learning and Technology Center (TLTC) is offering a series of faculty workshops over the next few weeks that may help you get started.
Some course activities translate more easily than others into an online environment. It is easy to see how writing assignments, discussions, and even tests can be conducted through the internet without too much effort – but a painting or dance class is another matter entirely. Whatever your discipline, we encourage all faculty to begin considering their options and strategizing on how to cope with a disruptive campus closing during the semester.
The services below are available to faculty and students, and are listed in low-tech to high-tech order:
Purchase College Email
Each faculty and staff member is assigned an email account. You can use your account from any computer with an Internet connection and a standard Web Browser (Internet Explorer, Firefox, Safari, Chrome, etc.) by going to the Purchase Home Page and following the email link in the page footer. Your account is used for official communications to and from the College and students, and it provides access to self-service web applications (grades, class lists, etc.) Your account also provides access to online Library resources and reserved readings, and to the Brightspace and Blackboard course management systems.
Class Lists:
CTS automatically creates an email distribution list for each class, with the faculty member as the list manager. The new Banner system introduces changes in the term format, the course numbering format, and eliminates section numbers. The format for summer 2014 classes and beyond is YYYY-TERM-Subject-Code-CRN@purchase.edu or for example 2014-40-WRl1105-40115@purchase.edu. Faculty do not have to create their own lists.
(Banner Term codes are 20=Summer, 40=Fall, 55=Winter, 60=Spring)
Each faculty advisor has a distribution list containing their advisees: adv.faculty.FirstName.LastName@purchase.edu.
If you are the head of a Board of Study there is a list of your majors (i.e. hum.faculty.womens-studies@purchase.edu ).
There is a faculty listserve Faculty.Discuss@purchase.edu open to all faculty members. This list is moderated by the Faculty at Large President, and is for discussion of faculty matters.
All Purchase College email distribution lists can be used from any email account, on or off campus using the format List.Name@purchase.edu.
Purchase College Voice Mail and Unified Messaging
Purchase College provides Voice Mail for each campus phone, and has an option for Unified Messaging service which forwards all of your campus voice-mail to your College email account as sound files. To sign up for Unified Messaging, contact CTS at x6465 or submit a request through the CTS Work Order System. This is an excellent way to get your voice mail messages when you are away from your office.
Remote Access VPN, File Servers and Remote Desktop
Purchase also has a Virtual Private Network (VPN) service available for faculty and staff. The VPN connects your home computer or remote laptop to the campus network – and optionally to your office computer by remote desktop session. This means you have access to all the programs and data that you are accustomed to on your office computer – from home. The VPN also provides access to your Home Directory and other file shares on our servers. The VPN is very cool and very convenient, and it could make a very big difference if you cannot come into your office – but you must set it up in advance. If you want to use the VPN, call CTS at 251-6465 or submit a request through the CTS Work Order System.
Brightspace
The college has the Brightspace online Learning Management System (LMS). An LMS is basically a web site for each class. Brightspace includes a wide variety of tools and plug-ins that provide rich functionality for students and faculty administrative services such as quizzes and gradebooks. Contact the Teaching, Learning and Technology Center to find out about Brightspace workshops and other training opportunities.
Online Testing
Online quizzes can be created at any time, and posted during a certain window of opportunity. You can alert students to an upcoming quiz via email. Students can use their Purchase credentials to log in and take the quiz.
Brightspace contains “online Quiz” functions that allow faculty to create quizzes containing text and multiple choice style tests, and to embed/link to various media. For instance, you can embed an audio file or a picture and ask students to provide a context or analysis of it.
The College’s ClassApps Web survey tool (available on the Portal Page) can also be used to administer tests online. The ClassApps Web Survey provides a rich array of question types, branching functions, and other features that allow you to create elaborate tests. There is even a built-in response scoring function for non-text (multiple choice) answers. Surveys can be authenticated with Purchase college student credentials, and you can release the URL via email and close it at the end of the testing window (which can be as long or as short as you want).
Web 2.0 Tools
CTS also runs a Wiki Server. This can be used for classes or as a collaboration tool.
Zoom Videoconferencing
The college has Zoom videoconferencing available. Zoom can be used to connect a group of dispersed individuals with laptop webcams in a unified group with a shared whiteboard and document workspace. This works reasonably well for small groups – you can see and hear each person in a thumbnail video, and share documents.
Skype
Skype is an internet based telephone application that also includes video if you have a webcam on your computer. While Skype is best for one-to-one video connections, it also supports small groups for conference activities, and provides tools for white-boarding and sharing documents.
Software for your home computer
The College has a Microsoft Campus Agreement that provides work-at-home rights for MS Office (Word, Excel, Outlook Email, PowerPoint, and Access Database) for all faculty and staff home computers. The software is free, but must be ordered on media or download costing about $15 per copy. The order form is linked from the Downloads Page. The College also provides Anti-Virus work-at-home licenses for all faculty and staff home computers. That software can be downloaded directly from the Downloads page.
Administrative Computing Services for Faculty
The Web Portal contains the Master Calendar of Events, Announcements from College Officers, Deans and Directors, and links to the Employee Services site.
The Employee Services site is where Faculty and staff self-service web applications such as class lists, grades, enrollment reports, committee web sites, and other resources can be found.
Support Services
The Campus Technology Services (CTS) provides telephone and on-site support services for network access and standard applications. The CTS Service Center in SS0025 is open 8 am to 6:45pm Monday through Thursday, and to 4:45pm Friday when classes are in session and Monday-Friday 8am-4:45pm when classes are not in session. You can also contact us via Zoom Chat.
CTS uses Remote Assistance to troubleshoot and resolve most problems. The Technical Support staff strives to provide responsive on-the-spot or same-day service for faculty and staff.
College-owned computers are provided for all full-time faculty, and are running Windows 10 or the latest Mac OSX.
Other Faculty Technology Resources
The Teaching, Learning and Technology Center (TLTC) provides extensive support for faculty and staff using the Web-based Brightspace course management system. The TLTC is located in the Purchase College Library. For more information, contact the TLTC at 251-6440.
Please keep in mind that if the campus closes, CTS and TLTC staff may not be on campus either, the helpdesk may not be fully staffed to answer calls, etc. We encourage everyone to plan ahead to avoid delays.
Policy: New York State Policy on Security Training for employees:
New York State Policy on Information-Security NYS-P03-002 updated 2017-03-10 states:
“The State Entity (SUNY) workforce must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire.
Additional training on State Entity specific security procedures, if required, must be completed before access is provided to specific SE sensitive information not covered in the general security training.
All security training must be reinforced at least annually and must be tracked by the State Entity.”
The objective of this Policy is to ensure that each campus has designed and implemented a Program that educates users on their responsibility to protect the confidentiality, availability, and integrity of SUNY data and information; and assess compliance with aspects of:
- Federal Gramm-Leach-Bliley Act (GLBA),
- New York State Acceptable Use of Information Technology Resources Policy and New York State Information Security Policy (NYS IT Policies) as authorized under the New York State Technology Law, and
- SUNY Information Security Policy #6900.
Testing the Effectiveness of Awareness Training
In addition to conducting awareness training, testing the effectiveness of that training is also required. To test the program’s effectiveness, Purchase College will develop and perform phishing simulations to identify whether improvements to the Awareness Training Program are needed to address certain areas and to identify individuals who may require additional training.
Purchase College Information Security Awareness Training Program
Purchase College meets the Policy requirements stated above through an Information Security Awareness Training Program (separate document.) That Program is a formal management function, with written goals and charges, that seeks to address the full range of information security training issues that affect the College. The Program seeks to provide training that covers best practices in Information Security and compliance with all applicable laws, regulations, policies, and standards over an extended period of organizational and technical development. The Purchase College Information Security Awareness Training Program Team will establish, document, manage, maintain, and upgrade an ongoing Information Security training program for all college employees and persons with Purchase College electronic accounts. This document covers the Purchase College Policy and Procedure for Internal Phishing to test the effectiveness of the Awareness Training program.
Procedure:
Security Awareness Testing Program: Pro-Active Phishing Campaigns
- On a periodic basis the college will conduct broad-based and targeted spear-phishing campaigns that mimic the general and Spear-Phishing campaigns the college is regularly subjected to.
- Phishing Campaign content will be refreshed regularly, and each campaign will have new content.
- Phishing Simulation campaigns and results will be maintained for review and improvement.
- General security awareness messaging will be distributed at least once per semester and will include Phish Testing procedures and consequences.
- Phish Testing will occur on a frequent but irregular basis.
- Phish Testing Preparation: The team will coordinate the content and timing of the campaign with the Director of the Unit/Area to be used as clickbait. Phishing Content will be rotated for each campaign and will use content and lures similar to those found in the wild - IT services, direct deposit changes, salary reports, supervisor availability inquiries, etc.
- Notification: The testing team will provide advance notification to the email administrator and to the network administrator. Both positions use tools that actively monitor and block phishing attempts. The purpose of this advance notification is so that they do not interfere with these internal Phishing Campaigns.
- Notification: When a college employee “fails” a Phishing test (clicking a link or entering credentials) the individual - and their supervisor - will be notified of the failure by email. This notification will include an illustration of the “red flags” contained in the message. The notice will also include the requirement that the individual complete additional Security Awareness Training within 21 days.
- The individual account will be Flagged for Password Reset. Accounts will be flagged during regular business hours so that the individual can quickly get assistance from CTS in reactivating their account. (Important Note: In cases where an individual falls for an external Phish, the account is immediately suspended as well as flagged for password reset. This is to prevent any malicious use of the account while we wait for the individual to contact CTS.)
- Additional anti-phishing training will be required for any Phishing failures and must be completed within 21 days.
- The Training Program Team will conduct an annual review of the Testing Program and make necessary adjustments to improve the effectiveness of the Testing Program.
Phishing Platform:
The Security Awareness Testing Procedure may use a variety of tools at any given time. Currently the College uses KnowBe4 as our Phishing platform. The platform includes templates for Phishing Campaigns and allows the college to create its own custom phishing templates.
All employees are subject to Phishing campaigns. KnowBe4 tracks and reports on individual actions and responses to Phishing campaigns created by the College.
Information Security Awareness Training Program Team
The Program Team (see Information Security Awareness Training Program Team Assignments document) continuously monitors what the College should be doing to improve or maintain information security awareness testing. The Team plans, designs, and recommends campaigns and content, and monitors their effectiveness.
The Team contains members with sufficient power to make consistent progress in meeting its charge. It contains members capable of representing the full range of college units. The Team activity is part-time, but it continuously oversees projects in this field of operations as well as identifying and prioritizing next projects.
Program Charge and Scope
The Chief Information Officer charges and authorizes the Information Security Awareness Training Program Team with the responsibility and authority to develop, document, conduct, analyze, test, and report on the effectiveness of Information Security Awareness Training.
The Team will conduct ongoing Phishing Testing and report these results in writing to the College Cabinet.
The Team will work to coordinate testing schedules and content with other College units as appropriate.
Documents
Formal documents, such as this, are significant components of the Program. Program documents provide specific policy and procedures and provide controls and documentation of key actions and positions of the Team, such as: statements of standards; risk assessments planned and completed; training programs planned and completed; oversight of service providers and contracts; Team evaluations of the Program.
These documents must be controlled as highly sensitive information with limited authorizations. These documents’ locations and security are maintained by the College’s Chief Information Officer (the Team Leader).
Program Origin
The Information Security Awareness Training Program was formally established December 2022 under the authority of the Chief Information Officer. Prior to December 2022, the college had an informal training program in place for many years. While the informal program was highly successful, a Training Audit in 2022 recommended that formal Program Documentation and Assignments be created.
One of the Audit findings was a recommendation to “develop and perform phishing simulations to identify whether improvements to the Awareness Training Program are needed to address certain areas and to identify individuals who may require additional training.”
Change Log:
2023-04-27 Created - modelled on other ISP Program Authorizations/policies
Definition: The phrase “Change Management” incorporates any addition, modification, or removal of systems, software, or hardware that may have an impact on institutional operations. In our highly interconnected environment, the impact of a change may have unintended or unanticipated consequences, and must be carefully planned and communicated in advance to avoid disrupting normal operations.
Scope:
This policy addresses how change management is handled for systems, applications and devices in the Purchase College Domain.
The change management process involves:
- Logging change requests.
- Assessing the impact, cost, benefits, and risk of requested changes.
- Providing approval or rejection.
- Overseeing the change implementation.
- Monitoring and reporting the status of changes.
- Closing change requests and conducting post-implementation reviews.
Tools:
Purchase College uses NNT Change Tracker to apply and archive changes as they are applied to servers and network devices. For text-based configuration changes, NNT tracks which lines of configuration were impacted by a given patch or update. For computer workstations, CTS makes use of SCCM, Munki, and group policy to deploy software, updates, and patches.
Classification and Categorization of Changes
There are three different categories of changes:
- Normal Change – Any service change that is not a standard change or an emergency change.
- Emergency Change – A change that must be implemented as soon as possible; for example, to resolve a major incident or implement a security patch.
- Standard Change – A preauthorized change that is low risk, relatively common, and follows a procedure or work instruction.
In addition to the change categories, changes can be classified as major, significant, or minor, depending on the level of cost and risk involved, and on the scope and relationship to other changes. The detailed procedures for each group should address this classification.
Emergency Changes
A change that must be made before a Change Advisory Board (CAB) can be convened to review and approve it due to a repair or error in an IT service that is causing a negative impact. Incident resolution may sometimes require emergency changes. Examples include a critical service-down that requires a quick hardware swap-out, or a late-night system emergency when the change manager or others may not be available.
An emergency change must follow these steps:
- If time allows, the change initiator must make a good-faith effort to contact their manager or the appropriate change manager to give them the opportunity to approve the change prior to making it.
- Once the change is deployed and the incident is resolved, the change initiator must document the change in Help.HSC as an emergency change.
- The change manager and the CAB will review all emergency changes at their next scheduled meeting.
Change Planning:
When any change is being considered—a new device, new system, OS upgrade, software version upgrade, security patch—or the elimination of a resource or service is being considered, it is critical that careful consideration be given to the potential impact of the change, and to the process for implementing the change. It is also critical that the implications be carefully communicated to any stakeholders that may be affected by the change.
The change initiator is responsible for ensuring that the analysis and communication are conducted during the planning phase. The change initiator is often a business unit (e.g., Office of Admissions) without IT expertise, and they may have to rely on technical staff—or on other staff from other units—to determine the full impact and implications of the change they wish to initiate. Since a change may affect more than one area—or even the entire institution—a Change Advisory Board (CAB) will also be used to ensure the implications are widely understood. The composition of the CAB may vary depending on the change being proposed.
The composition of the CAB will be determined by the change initiator and the director of CTS. The change initiator is responsible for convening the CAB in a timely fashion and obtaining their approval for the change.
Change Request:
The change initiator must complete a Change Request Form providing information on the change they are proposing. The Change Request Form will be reviewed by the director of CTS and the Change Advisory Board. The Change Advisory Board may add additional information before approving or rejecting the change request.
- Business reason for change (process improvement, regulatory requirement, etc.)
- All costs associated with making this change (new version of software cost, re-training, etc.)
- Other units that may be affected by the change
Risk and Impact Analysis
The change initiator must complete a risk and impact analysis form for the change they are proposing. See the Appendix for the Risk and Impact Analysis template.
Change Communication
The change initiator is responsible for communicating the change to the proper audiences. Once the initiator is notified of the change approval, they should initiate necessary communications about the change prior to the change being made. See guidelines for when change notifications should be sent and to whom they should be sent.
Approved changes that have a broad impact, such as the entire college community, may require additional communications, such as notification by broadcast email, signage, or other methods. For changes with broad impact, the change initiator should work with his or her management to ensure the necessary notifications are being completed.
Standard and Routine IT Maintenance Changes, IT Roles
Servers
All college servers are assigned a primary system administrator. A secondary (and tertiary) system administrator is also assigned for each server in the event the primary system administrator is not available for any reason. Collectively, these individuals are referred to as the system administrator (SA).
The SA is responsible for reviewing and applying operating system (OS) patches and updates as soon as is practical, and for maintaining their systems at the most current state possible. The SA is responsible for advising management when a server cannot be updated due to hardware or software incompatibility. Patches and point releases are considered normal and routine changes—and do not require CAB approval. Operating system upgrades do require CAB approval.
Documentation for all patches and upgrades should be carefully reviewed before applying any change to any system. For patches, no approval beyond the SA is required. For OS upgrades, written approval should be obtained in advance from the assistant director for networks and systems – as well as from any application administrator (see below) responsible for applications on the server.
For servers where a TEST environment is available (i.e. Banner, SQL-Server, Web Server), the patches and upgrades will be applied to the TEST instance of the server first to help determine any undocumented adverse impact of the change.
Applications
For many applications residing on college servers, an application administrator (AA) is assigned to configure and manage the operation of a specific application (e.g., Moodle, Genetec). The application administrator is often an individual with functional expertise for that application. The application administrator may also be the same person as the system administrator (SA). The application administrator has elevated privileges allowing them to change configuration settings and to manage the application through whatever back-end console the application may provide. The AA is expected to work closely with the SA for the server where his or her application is hosted.
The AA is responsible for reviewing and applying application patches and updates as soon as is practical, and for maintaining the application at the most current state possible. The AA is responsible for advising his or her system administrator (and management) when an application cannot be updated due to hardware or operating system incompatibility.
Devices
All college network devices (firewalls, routers, switches, load balancers, storage arrays and sub-systems, appliances, etc.) are assigned a primary system administrator. A secondary (and tertiary) system administrator is also assigned for each device in the event the primary system administrator is not available for any reason. Collectively, these individuals are referred to as the system administrator (SA).
The SA is responsible for reviewing and applying vendor patches and updates as soon as practical, and for maintaining his or her devices at the most current state possible. The SA is responsible for advising management when a server cannot be updated due to hardware, software, or firmware incompatibility.
For instances where devices are deployed in a resilient fashion, patches and upgrades will be applied to one of the devices first—and then evaluated to determine whether there is any undocumented adverse impact of the change before it is applied to the other device.
Workstations
For all college workstations (desktop computers, laptops), CTS serves in the desktop system administrator (DSA) role. All college workstations must be joined to the domain and must be accessible for application of software patches and system updates. The CTS DSAs use SCCM, Munki, and group policy to distribute patches and updates to Apple and Windows workstations.
Patches and point releases of common software are considered normal and routine changes—and do not require CAB approval. Operating system upgrades do require CAB approval.
Change Management Roles and Responsibilities
Roles associated with the change management process are defined in the context of the management function and are not intended to correspond with organizational job titles.
Role and Responsibilities
Change Initiator
Business or IT representative who initiates a request for change. This person is responsible for filling out the Request for Change (RFC) form, ensuring that all required information is included, submitting it according to this procedure, and notifying the change manager.
Change Process Owner
Senior manager who provides management control and guidance for the process in the IT department. Accountable for process design, operation, and improvement. Approves process rollout and changes to the process. Coordinates with change process owners in other departments to ensure common practices where appropriate.
Change Manager
This person has overall operational responsibility for the change management process in the IT department. Accountable for vetting the change request to ensure accuracy and completeness and sufficient information for the CAB to approve or reject the proposal. May make the determination regarding categorization and classification of the request.
Change Advisory Board
The CAB is a cross-functional team responsible for assessing change requests in terms of business need, cost/benefit, viability, and potential impacts to existing systems or processes. The CAB instructs the change manager to approve, defer, return, reject, or cancel changes. Also, the CAB makes recommendations related to change implementation. After changes are complete, the CAB reviews them for success/failure and lessons learned.
Emergency CAB (ECAB)
This team (or individual) is a subset of the CAB that is responsible for dealing with Emergency changes. The ECAB must be able to respond on very short notice and authorize or reject Emergency changes.
Technical Review Board
An ad-hoc group of subject matter experts and technical experts who are convened by a CAB to do an in-depth review of a change.
Service Owner
Represents one or more services in IT leadership and CAB meetings. Understands customer service requirements. Authorizes changes to the service.
Component Manager
Represents one or more service components in the CAB. Understands the technical structure of the component and subcomponents, and how they support the service.
Stakeholder
Any individual with an interest in types of changes or in a particular change.
Appendix – Risk and Impact Analysis Template
Risk Assessment Risk Score: Low/Medium/High
How often has this change been successfully made?
1 Routinely 2 Occasionally 3 Never
What is the degree of difficulty to implement this change? (Consider the complexity of the change, number of devices involved, number of steps in the process, time pressure and number of people involved to accomplish it.)
1 Low 2 Medium 3 High
Has this change been successfully tested, or will it be, prior to implementation?
1 Yes 2 No
Which test environment have you, or will you, use for this change?
1 Separate/duplicate 2 Shared 3 Partial 4 Production/none
Have the recovery procedures ever been successfully tested?
1 Yes/NA 2 No
What type of support is available if external technical assistance is needed?
1 On site 2 Remote 3 On call 4 Not available
What is the degree of difficulty and effort for the Vendor/Partner, if needed, to return the system/component to an operational state?
1 NA 2 Low 3 Medium 4 High
What is the probability of this system/component failing?
1 Never/low 2 Medium 3 High
What is the probability of this change negatively affecting any of the applications, databases, servers or infrastructure components supporting the application?
1 Low/NA 2 Medium 3 High
Impact Assessment Impact Score: Low/Medium/High
What amount of downtime will the user experience, outside of the regularly scheduled maintenance window?
1 None 2 Less than an hour 3 Greater than 1 hour 4 Greater than 4 hours
What is your recovery capability if this change fails?
1 Easy backout or alternate/fail-over is available and will provide almost immediate service
2 An alternate is available, but needs to be brought online
3 No alternate system/component or spare is available
Could Patient Safety/Care potentially experience a negative impact due to this change?
1 Yes 2 No
Could providers or mission-critical programs (e.g., academic classes, offices) potentially experience a negative impact due to this change?
1 Yes 2 No
Is end user training required, prior to implementation?
1 Yes 2 No
If the change were to fail, what is the worst case scenario? (In or outside of the regularly scheduled maintenance window)
1 None 2 Slowdown 3 Partial or full outage
If a partial or full outage is possible, has the business successfully tested their manual/contingency procedures, should the change fail?
1 NA/Yes 2 I don’t know 3 No
How many IT services/business applications are impacted by this change?
1 None 2 One or two 3 Three or more 4 All
Approximately how many users/workstations will be negatively impacted during the change implementation?
Number of users/workstations
Print Management Policy - August 2021
In July 2020, SUNY launched an initiative to manage printing across all campuses, with a goal of saving $12m/year SUNY wide. To achieve this, they aim to reduce print volume by half, and eliminate inefficient and costly desktop printers. SUNY has identified Purchase College’s share of that savings target as $127,627. A local Print Management Team has been tasked by Purchase College leadership to promote efficiency and realize those savings through reductions in print volume and supplies.
During the last full year prior to the pandemic, Purchase College spent $322,708, printing well over 2.2m pages (a figure that excludes desktop printers.)
The pre-pandemic print cost of $322,000 is enough to cover the full cost of 10 full-time NYS resident students living on campus. Every year.
Sustainability
Over the course of one year, 2.2 million pieces of paper were not printed - equivalent to saving 26 trees. Making paper uses a lot of energy and chemicals, which were also avoided, in addition to the savings in transportation and recycling costs. The College has signed on to working towards the United Nations’ 17 Sustainable Development Goals, of which responsible production and consumption is one.
Don’t Start Printing Again
As we return to campus, we encourage everyone to avoid returning to old printing habits. Most of us haven’t printed at all for the last 18 months - finding ways to use electronic documents instead.
Before printing, please remember to follow best practices, when possible.
- Use available collaboration tools and digital documents (Contact CTS for assistance)
- If you must print:
  - Print B&W (grayscale)
  - Print double-sided (duplex)
What can Faculty do?
Assignments and handouts can be distributed through Email, Web and Brightspace. Encourage students to turn in assignments and papers electronically through Email or Brightspace.
When documents are distributed electronically, there are no more lost handouts or assignments. Students will always have access to a digital version. Every course has a Brightspace space.
Use the Comments function or change-tracker to do electronic markup of student work instead of a red pen on paper.
Academic Printing
The SUNY Print Initiative covers all documents printed in standard sizes (letter, legal, and tabloid.) The SUNY Print Initiative does not cover specialty printing – which is explicitly defined as “label printers, bar code printers, wide-format (plotters), or 3d printing.” The SUNY Initiative also does not address creative printing - where the printed artifact is an essential curricular requirement - Graphic Design being one obvious example.
We will need to “explicitly identify, acknowledge, and protects students’ access to specialty printing of studio artworks necessary to fulfill their curricular work and degree requirements” as our faculty suggest. Those creative printing needs are supported by Course Fees that must be calibrated to the amount of printing required to complete the assignments and achieve the documented Student Learning Outcomes (SLOs).
When a student registers for a course that includes creative printing assignments, their print allocation for that class must match the amount required to cover the print assignments.
We will need assistance from individual faculty and academic program leaders to identify these curricular printing requirements for each class.
Need Print-Avoidance ideas?
If you have a task that you think requires printing any meaningful number of pages, please reach out to the Print Management Team or to the CTS Helpdesk. Together we may be able to come up with a print-avoidance strategy that meets your needs.
Accessibility
Our new Strategic Plan calls for renewed emphasis on inclusivity and accessibility. Electronic documents can be made accessible to the visually impaired, paper documents cannot.
If you do end up distributing a paper document, you also need to make an electronic version available for the visually impaired.
Best Practice – Use digital documents
Handouts for meetings can be shared online through Zoom and MS Teams, and through collaboration tools like SharePoint Libraries that hold all Purchase College committee, Department, and Task Force materials. Email is a last option for sharing documents (but still better than printing).
All Purchase College Committees, Task Forces and Departments should use SharePoint to securely store, share, and collaborate using electronic documents. Committees and workgroups documenting their agendas, meeting notes, procedures, and annual reports in SharePoint also promotes transparency and participation – and provides an invaluable archive for periodic accreditation reviews like Middle States and for Strategic Planning efforts.
Print if you must
We encourage everyone to continue using electronic documents wherever possible, and to only print things that must be on paper. For example, legal contracts must be signed with a wet ink signature by our CFO.
Some things do still have to be printed – for now. One of those things - for the time being - is Procurement documents (Requisitions, POs, Invoices, and P-Card Plot Sheets), which must be submitted on paper with wet ink signatures. We are pursuing another SUNY Initiative to implement the Jaggaer electronic procurement system, but that will take some time. Look for Jaggaer news updates in 2022.
Print Management Oversight
In fall 2020, SUNY required all campuses to install the Pharos Beacon print monitoring client. This cloud-based Beacon system collects meta-data on print activity (user, page count, print type) visible to SUNY and the campus, and will be used to monitor our progress.
This fall, a new local print management client will be rolled out to all Purchase College workstations. For twenty years, Purchase has used PaperCut to manage student printing in the library and computer labs. When you print a document, the client shows you the actual cost of the print job - and prompts you to choose double-sided and B/W, with the option to change color and duplex settings, if needed.
What’s my print allocation - and how do I get more?
Each employee will receive an annual “Print Allocation” that will be enough to print what they need. The Print Management system tracks print usage, and usage reports will be circulated to department heads.
Since print needs vary, department heads will be able to request print allocation increases when needed. For example, a staff assistant responsible for Purchasing/Procurement documentation may need a larger allocation - as well as some faculty engaged in research with higher print requirements.
Shared Printers and QR-Code Print Release
Later this year, a reduced number of multi-function scanner/fax/copier/printers will be retained and/or purchased for each building, and placed in shared locations for faculty/staff usage.
Privacy concerns are a priority; therefore, each shared printer will provide security through QR codes for Print Release. Your document will only print once you arrive at the printer and scan the printer’s QR code on your smartphone.
There’s an upside to the QR codes too. When you send something to a printer, the Print Management Client uses a cloud-based universal print driver. Since the print job is not directed to a specific printer, you can scan the QR code to print on any printer that you happen to be near.
QR-Code Security
QR codes have become popular recently due to their “touchless” nature. But like everything else today, “Eyes Wide Open” is the rule. QR Codes simply take you to a website that is encoded in the image. Just like in an email link, you have to look at the URL and think before you click.
On Android phones, when you point your phone camera at a QR code it will display the website destination and ask you to tap the screen if you want to proceed. For Purchase College Print Services, the URL should be “vsprint01.purchase.edu”.
Careful:
You have to watch the URL you tap on so that you don’t get sent to an inappropriate or dangerous website - you can get “Rick-Rolled” or worse if you’re not paying attention.
Apple:
iPhones only show the domain “purchase.edu” (without the server name “VSPrint01”).
Careful:
There are a variety of Phone “Apps” for Android and Apple that can read QR codes – but some of them may eliminate the verification tap to proceed, which could be dangerous. Skip the app and stick to the camera.
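The URL check described in this section can also be done in code, for example by a script that audits the QR stickers on shared printers. This is an added example, not part of the College's policy or its print system; the host and domain strings come from the text above, while the https requirement, the function name and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Values taken from the text above.
EXPECTED_HOST = "vsprint01.purchase.edu"   # what the full URL should show
DISPLAYED_DOMAIN = "purchase.edu"          # what a domain-only preview shows


def classify_qr_url(payload, expected_host=EXPECTED_HOST,
                    displayed_domain=DISPLAYED_DOMAIN):
    """Classify the text decoded from a QR code.

    Returns (verdict, detail) where verdict is:
      "ok"          - exact print-release host
      "domain-only" - inside the college domain, but not the print server
      "reject"      - anything else
    """
    text = payload.strip()
    # Whitespace, control characters and backslashes are read differently
    # by different URL parsers, so refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in text):
        return "reject", "whitespace, control character or backslash in URL"
    try:
        parts = urlsplit(text)
        # hostname is lower-cased by urlsplit; drop a trailing root dot.
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = (parts.username is not None
                        or parts.password is not None)
    except ValueError:
        return "reject", "malformed URL"
    # Assumption: the print-release page is served over https.
    if parts.scheme != "https":
        return "reject", "scheme is not https"
    # Text before an "@" is a user name, not the site being visited.
    if has_userinfo:
        return "reject", "text before '@' is not the host"
    if host == expected_host:
        return "ok", host
    # A preview that shows only the domain cannot tell these apart
    # from the real print server.
    if host == displayed_domain or host.endswith("." + displayed_domain):
        return "domain-only", host
    return "reject", "unexpected host " + (host or "(none)")


# Constructed sample payloads (not captured from real printers).
SAMPLES = [
    "https://vsprint01.purchase.edu/release",
    "https://VSPrint01.Purchase.edu./release",
    "https://other.purchase.edu/release",
    "https://vsprint01.purchase.edu.printing.example/release",
    "https://vsprint01.purchase.edu@printing.example/release",
    "http://vsprint01.purchase.edu/release",
]


def classify_samples():
    """Return the verdict for each constructed sample, in order."""
    return [classify_qr_url(s)[0] for s in SAMPLES]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_qr_url(sample))
```

The comparison is against the whole host name, which is why the full URL shown before the confirmation tap is more informative than a preview that shows only the domain.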
Elimination of Desktop Printers
Desktop printers are convenient, but they are the most expensive way to print, costing about $0.50 or more per single-sided page. In contrast, SUNY’s goal for Multi-function printers in the new contract is $0.01 per B/W double-sided page. Due to that dramatic difference, the SUNY Initiative calls for the elimination of all desktop printers (there will be Accessibility Waivers for those with mobility issues).
If you would like to retire your desktop printer and start saving now, contact CTS for pick up.
Thank You for Your Support
We appreciate your cooperation with this SUNY initiative that will save Purchase College money while improving our sustainability posture and preserving our shared natural resources (trees, water, CO2, electricity, and ink.)
As an educational institution, and in the spirit of academic freedom, Purchase College recognizes that it is essential that faculty, students, staff, and other college employees have some degree of confidence that their privacy will be respected and protected when using college computing resources for collaboration, research, scholarship, and administrative purposes. Purchase College considers information privacy a very serious matter, and therefore the college has established local policies and procedures to safeguard and protect each individual’s privacy.
This document describes the Purchase College and New York State (NYS) policies and practices regarding information privacy for students, faculty, staff, or any other persons using college-owned devices and systems.
Purchase College, as a part of the State University of New York (SUNY)—a state agency—is governed by NYS policies on information security. New York State Information Security Policy P03-002 covers the privacy of materials on state-owned computers in the following statements:
Monitoring:
Consistent with applicable law, employee contracts and state entity policies, the state entity reserves the right to monitor, inspect, and/or search at any time all state entity information systems. Since computers and networks are provided for business purposes, staff members shall have no expectation of privacy in the information stored in or sent through these information systems. State entity management additionally retains the right to remove from its information systems any unauthorized material.
This policy is applicable to state entities, staff and all others, including outsourced third parties, which have access to or manage state entity information. Where conflicts exist between this policy and a state entity’s policy, the more restrictive policy will take precedence.
Covered by this Policy:
This policy covers the individual email accounts that are assigned to students, faculty, staff and other employees; the personal “home directories” that are created for individual students, faculty and staff members; contents of college-owned desktop computers, laptop computers and mobile computing devices assigned to individual employees; and materials stored in college-owned servers (file servers, web servers, collaboration servers, etc.)
The Purchase College Privacy Policy:
For college email, personal home directories, and information stored on desktop or laptop computers, tablets, mobile devices, and servers, the contents of each individual’s email account, personal home directory, server directory, desktop or laptop drives or mobile storage devices are considered to be for college business purposes. However, the materials contained therein will only be accessed by the college under specific circumstances—and with explicit written approval from a minimum of two of the following:
President
Vice Presidents
SUNY Legal Counsel
Supervisors seeking access to departed employee materials must obtain approval as noted above.
Process:
Approval: Specific written approval will include: Written justification for accessing the materials, the name of the individual whose materials will be accessed, the location of the materials to be accessed, who they are to be accessed by, and a time period for access sufficient to achieve the stated goal (locating messages, files, or other materials.)
This written approval must be provided to the Director of CTS/ISO. In emergency circumstances (electronic intrusion, malware, etc.) verbal approval may be granted, but specific written authorization must be provided as soon as is practical. Without written approval as described, no college employee may access any other individual’s electronic materials for any reason—and any such access will be considered a violation of the college’s computer ethics policy.
Procedure: Upon receipt of written approval from two or more college officers to access an individual’s materials, CTS information security staff will notify the director of Human Resources (HR) to arrange supervised access to the materials, and secure an electronic copy of the materials in question for the supervised review. Human Resources will then arrange a time and location for the supervised review. During the supervised review, a senior Human Resources staff member will be present to supervise the review, and CTS information security staff may be present to provide any needed assistance in accessing the materials. In cases where large volumes of material are subject to review, HR, CTS, and the reviewer may convene more than once during the stated review period. The duration of the period for which access is to be granted must be reasonable and will not be open ended.
Justification:
Written approval to access electronic materials will only be granted in cases where:
There is an open and active Human Resources investigation
There is an open and active law enforcement investigation
There is reasonable cause to believe that the computing resource is being used in violation of the college’s computer ethics policy, a contractual obligation, or state or federal law.
The individual is not available to grant access due to illness or extended absence and there is a demonstrable business need to access materials believed to be in their possession
Exclusions:
This policy specifically does not cover information stored in collaborative or departmental file share folders that are normally used as repositories for shared materials—even if that departmental file share contains a subfolder that may be in an individual’s name. Collaborative file sharing folders are specifically set up to be used to store shared documents, and unit supervisors routinely have access to all materials stored in departmental file-share folders. Supervisors and employees should take note that departmental file-share folders are the preferred storage method for official college-related business. Employees should be strongly discouraged from storing official college-related business (memos, reports, policies, spreadsheets, or official correspondence) in any place other than a departmental file-share folder. Likewise, employees should be strongly discouraged from storing materials they consider personal or private in any shared file folders.
Similarly, this policy does not cover course-related file shares, drop boxes, or other shared resources that are specifically set up for classes or instructors. Materials placed into academic shared resources are not considered private, and the instructor will routinely have access to these materials.
Contact
For questions regarding this Email and Computer Privacy Policy, please contact:
Kathleen Farrell
Director of Human Resources
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
Email
Ricardo Espinales
Assistant Director of Human Resources
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
Email
Bill Junor
Director of CTS/Information Security Officer
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
Email
Use a Strong Password and Never Share it with Anyone
• Use a strong password for all of your accounts – a mix of upper and lowercase letters, numbers and special characters – at least 8 characters long. Review the College’s Password Policy and complexity requirements.
• Never reuse passwords for different accounts.
• On your home computer, turn OFF the guest account - or limit access privileges for that account.
• NEVER write a password down, and NEVER share it with anyone. Purchase College will never ask you to verify your credentials or your password. Your password is your identity, and should never be shared with anyone for any reason.
Never Leave the Computer Unattended in Public Locations
• While security cable locks may serve as a theft deterrent, many have been shown to be ineffective against a determined thief.
• Never leave your computer unattended.
• If you need to leave your computer unattended in your car, place it in the trunk or in some location where it is not visible to a passerby.
• Use anti-theft software on laptops and mobile devices to help protect your data in the event of a theft.
Keep My Computer’s Software Up to Date
• Configure your computer to download and install system and application updates automatically. Due to the number of patches, it is quite cumbersome to manage patches manually.
• Patch software on your personal computer and check whether you are running the latest version of your browser and browser plug-ins like Java and Adobe Reader.
Safeguard My Computer with Anti-virus Software and a Personal Firewall
• Configure your computer’s antivirus software to update automatically every day. New viruses are being discovered on a regular basis, which puts your computer and information at risk if the antivirus on your computer is not updated regularly.
• Most operating systems, including Windows and Macintosh OS X, have firewall software built in. Check to ensure that this software is enabled. This will help stop attempts to break into your computer.
Safeguard Purchase College Data, SUNY Data, and My Own Personal Data
• Do not store sensitive data on CDs, DVDs, USB thumb drives, and other types of removable media that can be easily misplaced or stolen. If storing sensitive data on such media is necessary, make sure that the data is encrypted.
• Be familiar with the College and SUNY policies regarding Use of IT Resources, acceptable and unacceptable uses and email guidelines. See Computer Ethics and Usage Policy.
• Perform regular backups of your data.
Think Before I Click
• Never open unexpected email attachments. If in doubt, verify authenticity by phone or email before opening the message or the attachment.
• Don’t get lured in by phishing emails. Learn how to recognize telltale signs of phishing emails.
• When in doubt, ask someone at CTS whether the message is a phishing attempt, or a legitimate message.
• Take the Phishing test, and see how you fare.
Use Caution When Dealing with Email and Other Forms of Electronic Communication
• Avoid transmitting sensitive data via email and other insecure means of communication. If it is necessary to send sensitive data via insecure means, ensure that the data is encrypted.
• Never provide your password or other sensitive information in an email or in a response to an email. A request to do so is likely to be a phishing attempt.
Treat My Mobile Device Like Any Other Computer
• Smart phones, tablets, and other mobile devices are just small computers - and they suffer the same security issues as traditional computers. Your pledge to maintain cyber security applies to mobile devices and tablets too.
• Configure a password or passcode on your device.
• Install antivirus software and a firewall, if available.
• Ensure that you’re running the latest version of your device’s operating system.
• Ensure that you’re running the latest version of any applications installed on your mobile device.
• Disable or uninstall applications that you don’t use.
• Disable wireless and Bluetooth if not in use.
• Enable encryption mechanisms, if available.
• Regularly back up any data on your mobile device.
• Follow secure mobile device disposal practices.
Report Suspected Security Concerns Immediately
• If you suspect your computer has been compromised, contact the CTS Help Desk at 914-251-6465 or email us.
• If you suspect any other type of breach in the security of Purchase College Computing resources, contact the University Police at 914-251-6911.
Help Promote Cyber Security Awareness
• Share the Cybersecurity Pledge with your friends and colleagues.
• Raise awareness of good security practices among your friends and colleagues, and keep an eye out for poor security practices (e.g. a password written on a sticky note and in plain sight, a computer left unattended in a public location, etc.).
• Do your best to assist your friends and colleagues with cybersecurity, and know where to direct them if you’re unable to assist.
• Protect yourself from identity theft and learn what to do if your information is compromised.
The computer settings mentioned in this document are the Standard configuration for Purchase College provided desktops and laptops, and many of these settings are not subject to change by anyone outside of CTS.
Check your home computer to ensure that it also contains similar anti-malware software and configuration settings, and use STRONG passwords or passphrases for ALL of your online accounts.
Cyber Security Questions?
We encourage you to contact CTS if you have any cybersecurity questions. You can reach us by phone at 914-251-6465, by email, or through a Work Order.
Campus Technology Services
Purchase College, SUNY
Tel 914.251.6465
In 2010, SUNY issued new regulations regarding records retention. This policy revision is the first since 1977, and is intended, in part, to address the storage and retention of electronic records.
NYS and SUNY require all campuses to adhere to these record retention policies, and plan to conduct random audits to ensure each campus is compliant. These policies cover all records stored in any format (paper and electronic).
In addition, the college is now required to submit annual verification confirming the appropriate retention and destruction of records by all departments.
Please review these policies on records retention via the links below.
2010 SUNY Records Retention Policy
New York State Record Retention Policy
Darrell Perkins serves as the college’s Records Management Officer. If you have questions specific to your area, feel free to contact darrell.perkins@purchase.edu.
Remote Assistance: Remote assistance allows a CTS technician to connect to a user’s computer remotely for the purpose of providing technical support and resolving issues. The CTS technician gains remote access after the user gives authorization via connect invitation sent through a messenger screen. Remote assistance is provided while the user is present at their computer, and both user and CTS technician can control the mouse and view what’s being done. Once remote assistance has been provided, the CTS technician ends the session and disconnects from the user’s computer.
Remote Desktop: Remote desktop is performed after hours when the user is not present at their computer. The user or department head must give advance authorization, which would be noted in the work order along with the service call date and time. The computer should be logged off but not shut down during the time of the scheduled service call for remote desktop to work. The CTS technician can then connect to the computer to perform the scheduled service. Once the service call is completed, the CTS technician ends the session and disconnects from the user’s computer.
Remote Assistance/Remote Desktop Policy
1. CTS technicians are not permitted to perform remote assistance/remote desktop without authorization from the user or department head.
2. User authorization for remote assistance/remote desktop is given via connect invitation message (for remote assistance) or verbal authorization as noted in the work order (for remote desktop).
3. CTS provides remote assistance/remote desktop services only to Purchase College owned computers that are on campus and connected to the Purchase College network.
4. The CTS technician will disconnect from the user’s computer once technical support has been provided and the remote session has been completed.
ResNet Wi-Fi Services Policy
If you live in any campus housing facility, your residence complex already has Wi-Fi service. Installing personally owned Wi-Fi routers is prohibited since they may interfere with college provided Wi-Fi services.
All of your devices must be registered for campus Wi-Fi service. “Devices” include smart phones, tablets, laptops, game consoles, etc.
Unregistered devices that attempt to connect will be denied service.
See page to register devices.
We will do our best to help everyone with Wi-Fi service, but there can be no guarantee regarding speeds over wireless due to the nature of Wi-Fi service.
Please remember that all residential rooms contain wired internet ports which provide 100 Mbps service - which is faster than Wi-Fi - and which is not shared or subject to interference.
New York State Policy on Security Training for employees:
New York State Policy on Information-Security NYS-P03-002 updated 2017-03-10 states:
“The State Entity (SUNY) workforce must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire. Additional training on State Entity specific security procedures, if required, must be completed before access is provided to specific SE sensitive information not covered in the general security training. All security training must be reinforced at least annually and must be tracked by the State Entity.”
Purchase College Procedure:
Purchase College meets the NYS and SUNY requirement stated above in a variety of ways. On an individual basis, security and FERPA training is conducted before access is provided to Banner, our Websites, Admissions, financial and other systems.
All employees are automatically enrolled in the KnowBe4 training campaigns for security awareness. KnowBe4 is widely used in SUNY and tracks individual progress through the interactive training modules contained in the system or created by the College. Purchase College conducts two rounds of Security Awareness Training per year, at the start of the spring and fall semesters. KnowBe4 reports are provided to campus executives for follow-up.
Why do we have this policy and require regular training?
We all receive phishing messages touting a way to make easy money - and asking people to respond with their private email address or phone.
While these are usually fairly obvious ruses, some folks inevitably engage the culprit in communication before we can block the phisher’s address.
There is also a constant stream of fairly obvious fake messages from employees’ supervisors asking for a favor - or for cell phone numbers. Unfortunately people continue to fall for those too - after all, we’re conditioned to want to keep our boss happy. There is a way to make them happy - don’t fall for social engineering tricks!
It is more than email and text. There have been elaborate social engineering scams run here on campus that involved email, phone calls - and physically walking into offices on campus. Social engineering works best when we allow ourselves to be rushed without paying careful attention.
What can you do to prepare yourself so that you’re not next?
Don’t let yourself get rushed into completing even what seem like routine tasks. Pause and ask yourself if there’s anything unusual about a hurried request - and trust your instincts.
Remind yourself that nothing good is easy, and nothing good is free - and if something sounds too good to be true, it probably is.
Complete the Training: The online training does a good job covering examples of the types of social engineering scams we are seeing regularly.
If you have not already completed your mandatory training, please visit the training dashboard to begin. This training can be completed from the office or from home - at any time.
The link to the training also appears in the “Quick Links” section of the Faculty/Staff Portal page. Protect yourself – complete the training - and think twice before you click. You and your supervisor will start getting reminders after the due date if you have not completed the training. New York State and SUNY require all employees to complete annual Security Awareness training.
Do it for me, do it for your supervisor - or do it just so that you’re not next. Please - take the training and learn to protect yourself, and all of us, from this tidal wave of scams.
Purpose:
Purchase College, SUNY, encourages the appropriate use of social media as a method for communicating ideas and information, and as part of our educational mission.
This policy governs employees of Purchase College, specifically the behavior of individuals as they utilize a variety of social media technologies and is not limited to any specific media format.
Social Media Defined:
For the purpose of this policy, social media is defined as Web-based and mobile technologies that enable the exchange of user-generated content and conversation.
Policy:
College-Related Social Media: Official Purchase College social media channels may allow members of the public to comment or react to posted content and information. Individuals, including employees of Purchase College acting in their personal capacity, may post or comment anonymously or identifiably. In general, Purchase College invites discussion of important ideas and issues through social media. However, Purchase College reserves the right to remove posts or comments that are obscene, defamatory, offensive, abusive, spam or advertising, that contain threats of violence, or that are unrelated to the content or information. Purchase College also reserves the right to remove posts or comments that violate applicable laws including, but not limited to, copyright and trademark, or those that violate the use policies promulgated by the applicable social media provider.
If authorized and in keeping with Purchase College policy, college departments may use social media to promote the educational mission of the college. Uses may include recruitment of new students, communications with accepted and registered students, fundraising and alumni relations.
Departments may use the College’s name, address, telephone numbers and logo for social networking purposes.
Departments must identify an individual faculty/staff member who will be responsible for the maintenance of social media sites.
- The Official College website and College-sanctioned social media sites, College-wide or departmental, shall not include links to personal sites.
In any communications on social media, all faculty/staff must identify themselves by name and title with the College.
In any use of social media, College departments, including all faculty/staff of such departments, shall not violate any laws and/or college policies including, but not limited to those regarding:
Inappropriate language;
Inappropriate pictures of any sort or kind;
Posting or promoting illegal activity or proof of illegal activity;
Harassing or discriminating against any person;
Posting defaming comments or remarks against any person;
Copyright and trademark.
Posting any personal opinions of any sort or kind regarding the College without a disclaimer that such opinions are not the official position of the College and/or
Posting unprofessional or rude comments, responses or postings of any sort or kind about the College or its employees
Personal Social Media (using campus resources):
Any use of or access to personal social media done during business hours on College computing and networking resources shall be consistent with the College’s Information Technology Resources Acceptable Use Policy, including personal incidental use.
In any personal use of social media, the use of any College logos, trademarks, letterhead, pictures, address and/or telephone numbers is strictly prohibited.
Do not use the College’s name to promote or endorse any product, cause or political party or candidate.
The Official College website or College-sanctioned social media sites, College-wide or departmental, shall not include links to personal sites.
College-issued email addresses should not be used for personal social media use.
There is no right or expectation of privacy in the personal use of the College’s computing and networking resources.
By using the College’s computing and networking resources, the faculty/staff member is consenting to monitoring of the use by the College without further notice to the faculty/staff member.
In any personal use of social media, the user shall not violate any laws and/or college policies, including but not limited to those regarding:
Inappropriate language;
Inappropriate pictures of any sort or kind;
Posting or promoting illegal activity or proof of illegal activity;
Harassing or discriminating against any person;
Posting defaming comments or remarks against any person;
Copyright and trademark.
Posting any personal opinions of any sort or kind regarding the College without a disclaimer that such opinions are not the official position of the College and/or
Posting unprofessional or rude comments, responses or postings of any sort or kind about the College or its employees.
Personal Use of Social Media (using personal resources):
While faculty/staff may identify themselves as an employee of the College, they should be clear that they are not representing the view of the College.
The use of any College logos, trademarks, and letterhead, pictures, address and/or telephone numbers is strictly prohibited.
Do not use the College’s name to promote or endorse any product, cause or political party or candidate.
The Official College website or College-sanctioned social media sites, College-wide or departmental, shall not include links to personal sites.
College-issued email addresses should not be used for personal social media.
If it is generally accessible, employers can look at social media sites.
Individuals can be held liable for what they write online. Individuals have been held liable for commentary deemed to be proprietary, copyrighted, defamatory, libelous or obscene (as defined by the courts).
Employees can be disciplined for content or images that are defamatory, pornographic, harassing, or libelous, or that are otherwise in violation of the law, and that impact work.
Guidance:
Be responsible
Be authentic, factual, respectful
Be careful
Avoid engaging in on-line disputes
Add value
Be explicit that your views are your own
Keep work out of it
Be cautious when engaging students through social media
Remember—the Internet is permanent–don’t write anything that you wouldn’t want to see attached to your name forever!
Sanctions:
Violations of this policy may result in disciplinary action in accordance with appropriate Agreements between the State of New York and the various bargaining units.
Procedures for Establishing and Using Purchase College Social Media Channels:
To post on behalf of a College office or department:
- Notify the Office of Communications and Creative Services. Departments or offices that have a social media page or would like to start one must contact the Office of Communications and Creative Services so the office can keep track of College-represented pages and link new pages to official social media pages, in addition to training social media managers on college policies including accessibility. Please note all faculty, staff, and interns with access to post or manage a college page or account must go through C&CS. (NOTE that faculty, staff, and students using official Purchase College accounts may not solicit for donations to outside organizations or use the platforms to advocate or campaign for parties or individuals running for political office.)
- Have a backup administrator – Purchase College’s Media team in the Office of Communications and Creative Services must have administrative rights to your social media content, in case of emergency or employee turnover.
- Have a plan - Develop a strategy for keeping information on social media sites up to date and interesting.
- Protect the institutional voice - Posts on social media sites should protect the College’s institutional voice by remaining professional in tone and in good taste.
Cloud Services Policy:
All College departments and operations must follow SUNY guidelines on the use of cloud services in order to protect sensitive data contained in college systems. Many services widely used across SUNY are cloud services: Slate for Admissions, Starfish for Advising, and Degree-Works for academic progress are three well known examples. These contracts are negotiated by SUNY and incorporate the guidelines.
Vendors increasingly offer cloud-services only. Individual offices or departments seeking to engage a new cloud-based software system must review the SUNY Cloud Services Guidelines and make sure that the system meets those SUNY guidelines, as well as ADA Accessibility requirements.
Most importantly, individuals interested in a new cloud-based system should discuss their needs with CTS first. We can help evaluate the vendor and the system - and most importantly - how it interacts with other upstream and downstream college systems.
See the SUNY-Cloud-Services-Guidelines
The Telecommunications Office maintains the telephone services for the campus community, including desktop and residential telephones. There are no charges for on-campus telephone calls. For faculty and staff, the College funds telephone services centrally and there are no charge backs to individuals or departments for work related telephone calls.
Faculty and staff who make off-campus calls from their desktop telephones and receive a monthly statement must read and certify the “Acknowledgement of College Telephone Policy” on their monthly invoice.
Purchase College provides employees with the use of desk telephones for official College related business. Access to telephone services – and the type of service to be provided (Local, Tri-State, Regional) - is provided at the discretion of their unit supervisor. Outbound calls for desk telephones can be limited to on-campus calling only, local (NYC Metro area) calling only, and in appropriate cases, nationwide and international calling.
Business / Personal Calls Defined
Business calls are telephone calls that are necessary to accomplish your job or professional activities. A call home to communicate a change in the status of your State work schedule (e.g. that you must work late because of unscheduled overtime or offices are closing due to a blizzard) is also considered a business call. Any other call that is not related to your professional activities on behalf of Purchase College, local or long distance, is considered to be a personal call.
New York State Executive Order #1, issued January 18th 2007: State telephones may not be used for non-governmental long-distance calls, other than toll-free calls, collect calls and calls billed to a personal account. State telephones may be used for incidental and necessary personal calls, limited in number and duration, which do not interfere with an employee’s public duties.
Faculty and staff who make off-campus calls from their desktop telephones must read and acknowledge the College Telephone Policy listed below. All College employees must review and certify their monthly statement.
This policy describes the assignment, use and management of desk and cell telephones by employees of Purchase College, State University of New York.
All College employees must read and certify the “Acknowledgement of Desktop and Cellular Telephone Policy” on their monthly statement.
State Audit Procedures
Due diligence is required of all supervisors and employees to ensure that employees respect and adhere to these telephone policies and procedures. State auditors have identified telephone usage as an area of potential high risk / exposure. When State auditors perform reviews of Telecommunications equipment and telephone usage, they look for areas of abuse or misuse.
Included are calls made
1) After hours late night,
2) For long periods of time,
3) To high risk area codes, (Area Codes 900, 809, 284, etc.)
4) On weekends,
5) During holidays, and
6) To frequently called numbers for excessive periods of time.
Desktop Telephone Policy
All supervisors are responsible for monitoring telephone usage within their units. Supervisors shall determine what type of telephone access is required for each employee. Desktop telephone equipment will be provided by Campus Technology Services. Monthly statements for desktop phones are paid by the College, and an invoice will be sent to faculty/staff for review. The unit’s supervisor will have the ability to review usage and compliance within their unit where appropriate.
Unit supervisors are responsible for reviewing all statements and ensuring that all invoices are certified for the desktop phone assigned to each employee. Supervisors are responsible for making sure that personnel within their unit are aware of and in compliance with this policy, and that actual telephone usage within their units falls within appropriate parameters. Each employee is responsible for reviewing his or her desktop telephone usage, and for reimbursing the College for personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3). The unit supervisor will monitor and correct excessive telephone usage - both in terms of financial expense and the amount of time spent on the phone.
I. Desktop Phone Reimbursements
All employees assigned a desktop telephone must review/certify their monthly invoice regardless of whether reimbursement is due or not [See Attachment C].
Pay Invoices by credit card online.
- Default is total amount due. Partial invoice payments are allowed, with any remaining balance carried forward to the next invoice.
- To pay an invoice, the TBS system asks for: Name on Card, Card #, Expiration Date (MM/YYYY), amount, zip code.
- To avoid processing credit card transactions for tiny amounts of money, if your balance due for a monthly invoice is less than $5.00, that balance due will be rolled forward to the next time a new invoice is generated.
- Payments are processed through a secure PCI-DSS Compliant 3rd party payment gateway – no credit card information is ever stored on any College servers.
- Once payment authorization is received, the invoice is marked paid.
- An Email confirmation of payment is sent to Faculty/Staff/.
Telephone Billing System (TBS)
The Telephone Billing System (TBS) is a self-service web application for faculty, staff, and rental clients who are receiving telephone service. The system allows you to review telephone usage, file the required monthly certification of work/personal calls, and pay personal telephone usage charges online.
For supervisors the system provides the ability to review usage and compliance within their unit.
The TBS system collects call detail data from our telephone system – the number called, date, time, call duration etc. and generates monthly telephone invoices for college employees and rental clients based on the telephone extensions assigned to them.
As each new monthly invoice is posted, an individual email notification will be sent to each faculty, staff, and rental client receiving telephone service from the College.
Faculty, staff, and rental clients can use the TBS to:
- View paid and unpaid invoices
- Review detailed call history by monthly invoice (Extension, day/time, #called, city, state, charge)
- Complete the required monthly certification of personal/work-related calls (employees.)
- For office phone extensions, a check box to identify personal/work is provided for each call.
- For work-related calls, amount is subtracted from amount due.
- Rental clients (including staff/faculty phones in residential apartments) do not have the option to declare work/personal calls, and are expected to pay the invoice in full.
Calling Cards
As an alternative to reimbursing the College for personal calls, we encourage employees to consider using their personal calling cards when they make personal calls. Whether you use a calling card or not, all employees are still required to certify their monthly statement [see Attachment C].
Desk Telephone Controls
To comply with State Regulations, the following controls have been implemented to guard against misuse of State telephones for non-State and personal calls.
- Each month, CTS sends a statement of local and long distance telephone calls, by extension, to faculty/staff at their Purchase email address. Supervisors are expected to review the statements of their staff, ensuring invoices are reviewed and certified for personal/business related telephone calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3).
- In addition, CTS monitors telephone activity reports for detection of abuse. If, in the monitoring process, conditions arise that cause concern, the Director of Campus Technology Services will bring the issue to the Unit Supervisor, suggesting that the Supervisor review the activity with the employee involved and ensure the College is reimbursed for personal phone calls as appropriate per Executive Order 1 (See P. 3).
- All telephone activity using desktop or College-owned cellular phones is subject to audit procedures at any time.
- All College employees must review their statement [Attachment C] each month to certify that the calls made were for official College business and that the charges are just and proper. The monthly statement must identify any personal phone calls that were made. To avoid processing credit card transactions for small amounts of money, if the balance due for a monthly invoice is less than $5.00, the balance due and amount due will be rolled forward to the next invoice. All charges include the actual cost of all personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3).
II. CTS handling of Telephone Reimbursements
Campus Technology Services will process telephone reimbursements as follows:
- Since individual College units are not charged for telephone usage, reimbursements for personal calls made using Desktop Telephones will be deposited into the CTS Telecommunications IFR account to offset the cost of providing telephone service to the campus.
- If it is a reimbursement for personal calls made on a College-owned Cellular Telephone which is paid by the unit through its procurement card, CTS and Purchasing will issue a quarterly “Refund of Appropriation” to credit the state or IFR account that the cell phone is charged against.
III. Cellular Telephone Policy
Purchase College recognizes that it is important for key service personnel and administrators to be available 24x7x365 so that they are accessible in the event of emergency, off-hours, or while they are working in the field.
Purchase College provides two options for employees who fall into that category:
- Option 1: A College-owned cell phone charged to the Unit Supervisor’s Procurement Card
- Option 2: A Quarterly reimbursement allowance to defray the ongoing cost of official College business calls made from a personally owned cell phone.
Quarterly-Cell-Reimbursement-Request
If a supervisor determines that an employee has a need for a cellular phone, the College encourages the use of Option 2, a reimbursement allowance. The College makes this recommendation due to the time involved in tracking personal calls, ensuring that monthly paperwork and reimbursements are submitted in a timely manner, and due to the overhead and audit requirements associated with College-owned phones.
Appropriate Use of Cell Phones
Cell phones should NOT be used as a replacement for a desktop telephone. Calls made using a cell phone are significantly more expensive than calls made using desktop land lines. Use a desktop phone whenever possible, and only use the cell phone when no desk telephone is available.
When you are trying to contact someone, call the desk telephone number first before resorting to the cell number.
Assigned cellular telephones should be used for official business-related activities. Personal use of an assigned unit shall be occasional, incidental, or for emergencies.
Each employee assigned a cellular telephone shall be primarily responsible for the security and maintenance of the unit, and must immediately report theft, loss or vandalism.
The responsibility for assigned cellular telephones cannot be transferred to another employee. When an employee to whom a cellular telephone has been assigned terminates employment, the unit must be returned to their supervisor in appropriate working condition, prior to the employee’s last day at work.
Cellular Telephone Use While Driving
It is illegal to operate a motor vehicle in New York State while using a cell phone without a hands-free device. New York State strongly encourages its employees not to use hand-held cellular telephones while driving a motor vehicle, and to use care while using any cellular telephone while driving.
Cell Phone Controls
Any employee assigned a College-owned cellular telephone or who receives a reimbursement allowance for his or her personal cell phone and who fails to comply with the State University’s desk/cellular telephone policy may have her or his privileges suspended or revoked and may be subject to disciplinary action.
- If it is determined that call volume does not warrant the expense of the cell phone, the unit supervisor may terminate the reimbursement authorization or ask the employee to return the College-owned phone at any time.
- If cellular telephone usage is extremely high and not due to excessive personal calls, their supervisor may contact the service provider and upgrade the service plan.
- Each College Officer/Supervisor must annually re-authorize all employees who are receiving a reimbursement allowance for a personally-owned cell phone. This reauthorization must accompany the supervisor’s estimated encumbrance for cell phone reimbursement allowances at the start of each fiscal year. (See P. 8)
College-Owned Cell Phone Inventory
The Director of CTS will maintain a current inventory of all College-owned cell phones. This inventory will include manufacturer, model, calling plan, telephone number, and the name of the employee to whom it is assigned.
Option 1: College-Owned Cellular Phones
The acquisition of cellular telephones and service plans shall be in accordance with the State University of New York Administrative Procedures Manual Item 300 Purchasing and Contract Procedures. The equipment and billing for cell phones will be charged to each unit’s procurement card.
Supervisors may request College-owned cellular telephones for specific employees where there is a demonstrable need for immediate or off-hours access. This is typically for service personnel who are in the field and away from their desk, on call during non-business hours, or for key supervisory personnel.
All requests for cell phones must be made and approved in writing by the sector Officer using the “Cell Phone Authorization Form” [See Attachment A]. The Cell Phone Authorization Form requires a brief justification for assignment of the instrument, specifies what type of service(s) are needed (Voice/text/data), the calling plan to be provided, and the type of cellular instrument to be provided.
An annual roster of campus cell phones will be provided to each College Officer for review. Each College Officer will review his or her roster periodically to ensure compliance with this policy.
To Obtain a College-owned Cellular Phone for an Employee
- The employee’s supervisor will submit a “College Cell Phone Authorization Form” [See Attachment A] to the appropriate College Officer, who must sign the form before a cellular phone can be purchased and assigned to the staff member.
- The College Officer will notify the requestor and CTS that an authorization for a cell phone or reimbursement allowance has been approved and to whom.
- The supervisor will contact CTS and provide their Procurement Card information to purchase the device and service plan. Since there are many different types of instruments available, the supervisor should also indicate how much they want to allow for the initial purchase of the instrument.
Billing for College-owned Cell Phones
Monthly bills for College-owned cellular phones will be automatically charged to each unit’s Procurement Card.
Verizon Wireless and Nextel Communications have set up Web sites for employees and their supervisors to review detailed monthly billing information. CTS will provide an ID/Password to each supervisor and employee for access to the appropriate Web site.
All employees with College-owned cellular phones and supervisors who authorize College-owned cellular phones for their employee(s) are required to review the monthly statements to ensure that the utilization is appropriate.
Employees with College-owned Cellular Phones must submit a Monthly College-Owned Cellular Telephone Usage Statement [Attachment D] to The Telecommunications Office SS0007 certifying that the calls made were for official College business and that the charges are just and proper. The monthly statement must identify any and all personal phone calls that were made using the cell phone, and the submittal must include a reimbursement to the College for personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3) at a rate of $0.45 per minute.
Reimbursement checks should be made payable to “Purchase College, State University of New York” and forwarded to the CTS Office in the basement of the Social Science Building SS0025.
Please note that a Monthly College-Owned Cellular Telephone Usage Statement must be submitted whether any reimbursement is due or not.
Option 2: Quarterly Reimbursement Allowance for Personally-Owned Cell Phones
Supervisors may request that specific employees receive a monthly allowance for their personally owned cellular phones where there is a demonstrable need for immediate or off-hours access. This is typically for service personnel who are either on call during non-business hours, in the field and away from their desk, or for key supervisory personnel.
The personally-owned cell phone must be for the exclusive use of the employee, and in his or her possession at all times. Recognizing the prevalence of “Family Plans” that are often held in the name of a significant other, the personal account does not need to be in the employee’s name, as long as there is a cell phone instrument for her or his exclusive use.
Participants in the reimbursement allowance program will receive quarterly reimbursement checks through the Purchasing and Accounts Payable office. Participants must submit a copy of their monthly cell phone bill to the Purchasing Office to obtain their quarterly reimbursement allowance.
This submittal is the Personal Cell Telephone Reimbursement Request Form [Attachment E] along with the cover page of the monthly statements showing the employee’s name, phone number, and statement date. The submittal is intended to demonstrate that the individual still has the phone in active service; it does not need to (and should not) include the detailed call log portion of the monthly statement.
To obtain a Cell Phone Reimbursement Allowance for an employee
- Each fiscal year the employee’s supervisor will submit a “Cell Phone Reimbursement Allowance Request Form” [See Attachment B] specifying the services (Voice/Text/Data) for which the employee is to receive a reimbursement. The form must be approved and signed by the appropriate College Officer.
- The College Officer will notify the requesting supervisor that an authorization for a cell phone or reimbursement allowance has been approved and to whom.
- The supervisor will ask the employee to read and sign the ‘College Cellular Phone Use Policy.’ [Attachment B]
- At the start of each Fiscal Year, the unit supervisor will submit to the Purchasing Office:
- A Purchase Requisition for “Estimated Encumbrance for Cellular Telephone Services” to cover the cost of all cellular phone reimbursements for their unit
- Attached to the Requisition must be a copy of the fully executed annual Personal Cell Telephone Reimbursement/Allowance Form for each employee who is authorized to receive a reimbursement.
- Supervisors are NOT expected to review monthly statements for employees who choose the Monthly Allowance option for a personally owned cellular phone. However, supervisors are expected to periodically assess whether the monthly allowance continues to be appropriate in each case where it is granted.
Obtaining Quarterly Reimbursement Allowance checks
The Purchasing and Accounts Payable Office will issue quarterly reimbursement checks (the maximum reimbursement frequency) for employees authorized to receive a cell phone allowance. Reimbursements will not be entertained for any statement submitted more than 12 months after the service was provided (the minimum reimbursement frequency).
To obtain a quarterly reimbursement employees must submit a copy of the Personal Cell Telephone Reimbursement Request Form [Attachment E] to the Purchasing and Accounts Payable Office along with the cover page of each monthly cell phone statement showing the date of service, carrier, subscriber name, address, and cell phone number. Regardless of the amount due, the employee will receive the standard reimbursement rate authorized by their supervisor for each monthly cell phone bill that is submitted. The check will be made payable to the authorized employee and mailed to his or her home address.
Monthly Cellular Telephone Usage Statements are NOT required for employees using the Reimbursement Allowance Option. However, supervisors are encouraged to regularly assess whether reimbursement continues to be appropriate throughout the year and supervisors have the right to terminate reimbursement allowances at any time for any reason.
Acknowledgement of College Telephone Policy
Purchase College / State University of New York
Users of College-owned desk and cellular telephones must read, understand, and comply with the Purchase College State University of New York Desk and Cellular Telephone Policy. By using the telephone, you agree to comply with all rules, regulations, and policies of Purchase College and any applicable local, state, federal and international laws, guidelines, and regulations. This responsibility exists regardless of what monitoring mechanisms may be in place. Violation of these policies may lead to suspension, loss of service or privilege, and may lead to even more serious sanctions.
Do not consider desk or cellular telephone bills private or secure because the bill contains your name and billing address. Purchase College, State University of New York has the right to monitor telephone bills and usage to determine if misuse or abuse exists.
Users must review their desk and cellular telephone bills and remit reimbursements for any personal calls at the end of each quarter.
Payments [check or money order] made payable to Purchase College for desk/cellular telephone reimbursement should relate to the monthly period for which the reimbursement applies and should be accompanied by the Purchase College, State University of New York Desk/Cellular Telephone Monthly Reimbursement Report.
Desk or Cellular telephones may not be used to defame, harass, intimidate or threaten any other person(s).
Do not allow others to use your phone, as you will be ultimately responsible for payment of charges.
Purchase College / State University of New York
College-owned cellular phones should NOT be used as a replacement for a desktop telephone. Calls made using a cellular phone are significantly more expensive than calls made using desktop land lines. College-owned cellular phones are only to be assigned to employees where either:
- a) The employee must be accessible and normally works in the field and is not near a fixed land line
- b) The employee is engaged in providing a critical or emergency service for the College community and must be accessible at all times
I, (Supervisor’s name) authorize (Employee’s name) to receive a state-owned cellular telephone for their use in conducting official business for Purchase College. I have communicated the College’s policy governing the use of cellular telephones to him/her, and he/she has agreed to comply with the policy.
The employee has agreed to reimburse the College at the end of each month for any personal calls made using this cellular phone at the rate of $0.45 per minute whether those calls are within plan minutes or not.
The employee has acknowledged that failure to comply with these policies could result in the phone being revoked and other disciplinary measures.
Submit this form to the Purchasing and Accounts Payable Office.
Personal Cellular Telephone Reimbursement/Allowance Form
Purchase College / State University of New York
Cellular phones should NOT be used as a replacement for a desktop telephone. Calls made using a cellular phone are significantly more expensive than calls made using desktop land lines. This reimbursement/Allowance program should only be assigned to employees where either:
- a) The employee must be accessible and normally works in the field and is not near a fixed land line
- b) The employee is engaged in providing a critical or emergency service for the College community and must be accessible at all times
I, (Supervisor’s name) authorize (Employee’s name) to receive a quarterly reimbursement allowance for their personally-owned cellular phone for the period (Date range), that is to be used to conduct official business for Purchase College. I have communicated the College’s policy governing the use of Cell telephones to them, and they have agreed to comply with the policy.
The employee agrees to submit the cover pages of their monthly cellular telephone statements to the Purchasing and Accounts Payable Office to obtain his/her allowance reimbursement check on a quarterly basis.
The employee has acknowledged that failure to comply with Purchase College Telephone Policies could result in disciplinary measures.
Submit this form to the Purchasing and Accounts Payable Office.
Quarterly Desktop Telephone Usage Statement
Purchase College State University of New York
- Instructions on Completing This Form: Please send this form at the end of each quarter to the CTS Office (Social Sciences Building SS0025) along with your credit card authorization, check or money order made payable to Purchase College for any personal calls.
NOTE: All employees must submit a quarterly report whether or not a reimbursement is due to Purchase College. If no reimbursement is due for personal calls made during the period (see P 3, Executive Order #1 for guidelines), insert a zero in item II.B. Thank you for your prompt attention to this matter.
I certify that:
- I have reviewed a copy of the desktop telephone bill for the period below to determine if any reimbursement is due for personal calls.
- The amounts represented on this report reflect reimbursement for personal calls.
- All calls not reimbursed are just and proper calls relating to official State University business.
Name: __________________________________
Department: ___________________________
Signature: _________________________
Date: ______________
- DESKTOP TELEPHONE REIMBURSEMENT
Monthly College-Owned Cellular Telephone Usage Statement
Purchase College / State University of New York
- Instructions on Completing This Form: Please send this form at the end of each month to the CTS Office (Social Sciences Building SS0025) along with your credit card authorization, check or money order made payable to Purchase College for any personal calls.
NOTE: You are to submit a report whether or not a reimbursement is due to Purchase College. If no personal calls were made during the period, insert a zero in item II.B. Thank you for your prompt attention to this matter.
I certify that:
- I have reviewed a copy of the cellular telephone bill for the period below to determine if any reimbursement is due for personal calls.
- The amounts represented on this report reflect reimbursement for personal calls.
- All calls not reimbursed are just and proper calls relating to official State University business.
Name: __________________________________
Department: ___________________________
Signature: _________________________
Date: ______________
Account No: ______________
- CELLULAR TELEPHONE REIMBURSEMENT
Quarterly Personal Cell Telephone Reimbursement Request Form
Purchase College / State University of New York
Cell phones should NOT be used as a replacement for a desktop telephone. Calls made using a cell phone are significantly more expensive than calls made using desktop land lines. This reimbursement allowance program should only be assigned to employees where either:
- a) The employee must be accessible and normally works in the field and is not near a fixed land line
- b) The employee is engaged in providing a critical or emergency service for the College community and must be accessible at all times
My signature below certifies that this Reimbursement Allowance is for conducting official business on behalf of Purchase College, and that I have read and agree to comply with the College’s policy governing the use of cellular telephones.
I have attached the cover page for each monthly cellular telephone statement showing the date of service, carrier, subscriber name and address, and cell phone number.
I understand that I will be reimbursed at the standard allowance rate for each approved service type that was in effect at the time that the service was provided.
Submit this form to the Purchasing and Accounts Payable Office.
Purchasing and Accounts Payable Review
I have reviewed the authorization documentation on file and the attached submittal and approve the issuance of a Reimbursement Allowance Check to the above employee:
(PAP Reviewer’s signature, date)
All telephone bills are reviewed for accuracy before they are sent to departments, residents and renters. If you find an error on your bill, please contact CTS at (914) 251-6465 as soon as possible! You must report the call(s) in question BEFORE payment is submitted. Once an error is reported, CTS will check the call against our long distance carrier bills in order to validate the claim.
For international and domestic calls of 1 minute or less, a credit can be applied immediately. Calls over 1 minute must be checked against the bill of the carrier to assess whether or not the call was completed. If it is confirmed that the call was completed, the charge will remain on the bill.
If your PIN has been lost or stolen, or unauthorized calls are being made from your office phone, you must report this to CTS. You are responsible for all calls made before you reported your PIN or unauthorized calls to CTS. In such cases, if you wish to dispute the charges, you MUST file a report with University Police. Otherwise, you will still be responsible for additional calls made with your PIN or from your office phone. CTS will cooperate with University Police and provide any information they need for their investigation.
Please note that refunds will appear as a credit to the account. A refund check will be issued only if service has been terminated or you are no longer employed by the College.
This is a Nondisclosure Agreement made as of _______________________ (“Effective Date”) between State University of New York College at Purchase, an educational corporation organized and existing under the New York State Education Law, hereinafter referred to as “Purchase College, SUNY”, a New York State Public higher education institution with its principal place of business at 735 Anderson Hill Road, Purchase NY 10577, and _______________ (“Company”), a ______________ corporation with its principal place of business at _______________________________________________________ (address) for the purpose of protecting and preserving the confidential and/or proprietary nature of information to be disclosed or made available by Purchase College to the Company under this Agreement. For purposes of this Agreement Purchase College and Company are sometimes collectively referred to as the “Parties” and individually referred to as a “Party”. As used herein, “Recipient” shall mean the Party who has been given “Confidential Information” (as hereinafter defined) by and of the other Party. “Discloser” shall mean the Party who gives Confidential Information to the other Party.
The Parties agree to use the Confidential Information received hereunder solely for the purpose of performing the service or services for which the Company and Purchase College have made an agreement (“Purpose”), and only to the extent necessary for the stated Purpose. The Recipient agrees that it will not provide Confidential Information to any third parties or business partners without prior written agreement from Purchase College.
“Confidential Information” means any business and/or personally identifiable information relating to Purchase College’s students, employees or other parties contained in files or storage systems to which the Company will be provided access by Purchase College.
“Confidential Information” shall include, without limitation, printed or electronically recorded matter, personally identifiable information, customer and employee information, business information, and other information of a non-public nature. Confidential Information also includes information generated as a result of the activities of the parties hereunder, and information whether disclosed in writing or orally, that is marked “confidential” or should be deemed by its nature to be confidential.
All Confidential Information shall remain the property of Purchase College. No rights or license therein is granted except a limited right to use the Confidential Information solely for the Purpose.
The Company agrees that for Confidential Information it shall use the same degree of care and means it utilizes to protect its own information of a similar nature, but in any event not less than reasonable care and means, to prevent unauthorized use or disclosure of such Confidential Information to third parties. The Confidential Information may be disclosed only to employees or contractors of the Recipient with a “need to know” who are subject to written confidentiality agreements sufficient to carry out the intent of this Agreement.
This Agreement shall be effective on the date of its full execution by the Parties. Upon request of Purchase College, the Company shall promptly return all copies of the Confidential Information, in whatever form or media, to Purchase College, or certify the destruction of all such Confidential Information.
All notices shall be in writing and delivered by hand or sent by certified or registered mail, return receipt requested, or reputable overnight courier service to the above address of the other party, to the attention of the Recipient’s Legal Department unless otherwise directed in writing by Recipient, and shall be deemed received on the earlier of actual receipt or five days after deposit in the mail.
If any part of this Agreement is held to be unenforceable, such unenforceable part shall be deemed modified or eliminated to the extent necessary to make the remaining parts enforceable. Any waiver of a default in performance hereunder shall be deemed a waiver of the particular instance only and shall not be deemed consent to continuing default.
Company agrees that there may not be an adequate remedy at law for any breach of the obligations hereunder and upon any such breach or any threat thereof by Company, Purchase College shall be entitled to seek appropriate equitable relief without necessity of posting bond, in addition to whatever other remedies it might be entitled
This Agreement shall be governed by and construed in accordance with the laws of the state of New York, without regard to its conflict of law provisions. Neither Party may assign its rights or delegate its duties or obligations under this Agreement without the other Party’s prior written consent. This Agreement constitutes the entire agreement of the Parties with respect to the subject matter and supersedes all prior agreements or understandings, written or oral, between the Parties with respect thereto.
In Witness Whereof, the Parties have caused this Agreement to be signed by their duly authorized representatives.
Purchase College Virtual Private Network (VPN) Policy
1.0 Purpose
The purpose of this policy is to provide guidelines for Remote Access Virtual Private Network (VPN) connections to the Purchase College network.
2.0 Scope
This policy applies to all Purchase College employees, contractors, consultants, and other workers including all personnel affiliated with third parties utilizing VPNs to access the Purchase College network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
3.0 Policy
Approved Purchase College employees, affiliates, and authorized third parties (vendors, etc.) may utilize the VPN. The user is responsible for coordinating installation, installing any required software, and paying any associated fees.
Additionally:
- The user is responsible for ensuring that unauthorized users are not allowed access to Purchase College VPN.
- VPN use is to be controlled using a Purchase College credential and multi-factor authentication.
- VPN gateways are set up and managed by Purchase College.
- All computers connected to Purchase College via VPN or any other technology must have up-to-date anti-virus software, and up-to-date operating system and software patches.
- VPN users will be automatically disconnected from Purchase College’s network after 24 hours. The user must then log on again to reconnect to the network.
- Only Purchase College approved VPN clients may be used.
- Users of computers that are not Purchase College-owned equipment must configure the equipment to comply with Purchase College’s VPN and Network policies. (AV and Patches.)
- By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Purchase College’s network, and as such are subject to the same rules and regulations that apply to Purchase College-owned equipment, i.e., their machines must comply with AV and Patch requirements.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Definitions
Term Definition
6.0 Revision History
Posting information to the Purchase College Website requires the association of your Purchase College credentials with specific groups and privileges in the website’s Content Management System (CMS).
If you are assigned as a content manager for a section of the website, or to post news and events:
- Full-time professional staff are recommended by their department head and approved by the sector vice president.
- Student employees are “sponsored” by a full-time professional staff member, recommended by their department head, and approved by the sector vice president.
- The vice president informs CCS Web Development of the employee’s approval.
- The College will schedule a training session (1 hour) with the approved staff/student.
Training includes:
- Discussion of copyright infringement
- Discussion of Web accessibility
- Privacy of student data
Sharing of account credentials is prohibited. Each user must be trained and given access individually.
Sensitive or confidential State information must not be made available through a server that is available to a public network.
Definition of sensitive information will be taken to mean:
- information related to systems, structures, individuals and services essential to the security, government, or economy of the State, including telecommunications (including voice and data transmission and the Internet);
- electrical power, gas and oil storage and transportation;
- banking and finance;
- water supply;
- emergency services (including medical, fire, and police services);
Sensitive information includes, but is not limited to:
- data that identifies specific structural, operational, or technical information, such as: maps, mechanical or architectural drawings, floor plans, operational plans or procedures, or other detailed information relating to electric, natural gas, steam, water supplies, nuclear or telecommunications systems or infrastructure, including associated facilities;
- training and security procedures at sensitive facilities and locations;
- descriptions of technical processes and technical architecture;
- plans for disaster recovery and business continuity;
- inventory/depictions/photographs/locations of physical equipment, assets and infrastructure;
- reports, surveys, or audits that contain sensitive information;
- other subjects and areas of relevant concern as determined by the state government entity.
CTS Policy – Working in Residential Spaces
By Individual Appointment:
CTS support staff regularly visit residential spaces to perform service by appointment with the occupant. This occurs through regular service interactions when residents contact the Helpdesk.
Large-scale Project work:
For larger scale non-individual work involving an entire housing complex, the Residential License Agreement (pseudo-lease for occupants) specifically grants all college employees the right to work in residential spaces.
When working in non-individual residential spaces, CTS will:
- Notify Residents at least 24 hours in advance via email – stating that CTS employees and/or contractors will be working in the complex, stating a half-day window in which the work will occur.
- Affix service announcement hang-tag or notice to all individual rooms that will need to be entered in the course of the work – 24 hours in advance – stating the half-day window in which the work will occur.
- CTS staff and contractors will display identification in a prominent fashion - via College ID card on lanyard – or painted onto their forehead.
- When ready to enter the residence, CTS staff will knock and announce loudly. If there is no answer, the employee will key into the room – opening the door slightly – and announcing loudly again – “Name, from CTS, here to do xyz” – before physically entering the space.
- The “buddy system” will be employed – a minimum of two persons is required to enter a residential space. (i.e. One college employee and one contractor)
- CTS employees and Contractors will not move or handle any personal belongings for any reason. The specific location where work is to be done (i.e. the closet, north wall, etc.) will be identified in the work to be done notifications whenever possible, along with a request that residents clear personal belongings from that area. If personal belongings obstruct the area where work is to be performed, a note asking the belongings be removed will be left, and the work team will return at another time to complete the necessary work.
- Upon completion of the work, another hangtag/notice will be placed on the exterior of the residence door stating “CTS was here on 99/99/99 at TIME to perform task, which has now been completed”
The security and integrity of the college’s computer systems and data network is our collective responsibility. As we increasingly rely on electronic forms of communication and access to information, we must ensure its security and protect our network against ever more sophisticated threats. A single weak machine that is not adequately patched and maintained can wreak havoc with the college’s network, interfering with administrative operations and disrupting access for thousands of people on campus.
The machines in offices and computer labs throughout the campus are purchased and owned by the college. The college’s standard operating system, Windows 10, contains security features that require you to log on before you can use the machine. All software running on college-owned machines must be legally purchased and approved by CTS before installation. All college employees receive “User” accounts that allow them to run all software on the machines, but do not allow them administrative rights to modify system settings or install other software. Secure administrative access to workstations is retained by CTS. The college is using Windows 7/Windows 10 and domain-wide Group Policy settings to centrally manage these machines and ensure that security patches are applied and that anti-virus profiles are up to date. Windows 7 also dramatically improves the Helpdesk’s ability to troubleshoot and repair problems remotely when you run into difficulty.
Please call the Helpdesk at 914-251-6465 if you have any questions or if you need assistance.