PURPOSE
To remain competitive, better service our customers, and give our talented workforce the best tools to do their jobs, Cardinal Stritch University continues to adopt and make use of new means of communication and information exchange. This means that many of our Employees have access to one or more forms of electronic media and services, including computers, e-mail, telephones, University provided cell phones, voice mail, fax machines, external electronic bulletin boards, wire services, on-line services, the Internet, and the World Wide Web.

Cardinal Stritch University encourages the use of these media and associated services to enable more efficient and effective communication and to have valuable sources of information about vendors, customers, technology, and new products and services. However, all Employees and everyone connected with the University should remember that electronic media and services provided by the University are Cardinal Stritch University property and their purpose is to facilitate and support University business.

This policy cannot establish rules to cover every possible situation. Instead, it is designed to express the University’s philosophy and set forth general principles Employees should apply when using electronic media and services. The following procedures apply to all electronic media and services that are: • Accessed on or from any University site, including all satellite locations; • Accessed using University computer equipment or via University-paid access methods; or • Used in a manner that identifies the individual with the University.

PERSONAL USE
Cardinal Stritch University provides electronic media and services primarily for Employee’s business use. Limited, occasional, or incidental use of electronic media (sending or receiving) for personal, Acceptable Use Policy business purposes is understandable and acceptable. However, Employees are expected to demonstrate a sense of responsibility and not abuse this privilege. Cardinal Stritch University allows incidental personal use of its electronic media and services subject to the following conditions and restrictions during work hours:

Personal use must be infrequent and must not:
• Involve any prohibited activity;
• Interfere with the productivity of the Employee or his or her co-workers;
• Consume system resources or storage capacity on an ongoing basis, or
• Involve large file transfers or otherwise deplete system resources available for University business purposes.

Using electronic media and services to participate in any newsgroup, mailing list, bulletin board, or other type of discussion forum that is not job related is not incidental use and is strictly prohibited.

Employees should not have any expectations of privacy with respect to personal e-mail sent or received on Cardinal Stritch University's e-mail system.

Employees should delete personal messages as soon as they are read or replied to. Employees should not store copies of the personal messages they have sent. Because e-mail is not private, Employees should avoid sending personal messages that are sensitive, confidential, or containing any questionable content.

PROHIBITED ACTIVITIES
Employees are strictly prohibited from using any of the University electronic media and services in connection with any of the following activities:

• Engaging in illegal, fraudulent, or malicious activities;
• Engaging in activities on behalf of organizations with no professional or business affiliation with Cardinal Stritch University (for example, University resources, including email, are not to be used for home based businesses such as Avon, Pampered Chef or Stanley Products)
• Sending or storing offensive, obscene, or defamatory material;
• Annoying or harassing other individuals;
• Sending uninvited e-mail of a personal nature;
• Using another individual's account or identity without explicit authorization;
• Attempting to test, circumvent, or defeat security or auditing systems without prior authorization;
• Permitting any unauthorized individual to access Cardinal Stritch University’s electronic media systems, or
• Distributing or storing chain letters, jokes, solicitations or offers to buy or sell goods, or other non-business material of a trivial or frivolous nature.

ACCESS TO EMPLOYEE COMMUNICATIONS
Electronic information created and/or communicated by an Employee using e-mail, word processing, utility programs, spreadsheets, voice mail, telephones, Internet and bulletin board system access, and similar electronic media generally is not monitored by the University. We respect our Employees’ desire to work without us looking over their shoulder. However, the following condition should be noted: Employees should not have any expectation of privacy with respect to messages or files sent, received, or stored on Cardinal Stritch University's electronic media systems. E-mail messages and files, like other types of correspondence and Cardinal Stritch University documents, can be accessed and read by authorized Employees or authorized individuals outside the University. Authorized access to Employee correspondence by other Employees or outside individuals includes, but is not limited to, the following:

a. Access by the system administration staff during the course of system maintenance or administration;
b. Access approved by the Employee, the Employee's supervisor, or officer of Cardinal Stritch University when there is an urgent business reason to access the Employee's communications - for example, if an Employee is absent from the office and the supervisor has reason to believe that information relevant to the day's business is located in the Employee's e-mail inbox, voice mail, etc.
c. Access approved by the Employee's supervisor, Cardinal Stritch University's Human Resources Department, or officer of Cardinal Stritch University when there is reason to believe the Employee is using electronic media and services in violation of Cardinal Stritch University's policies;
d. Access approved by an officer of Cardinal Stritch University or Cardinal Stritch University's Human Resources Department or in response to Cardinal Stritch University's receipt of a court order or request from law enforcement officials for disclosure of an Employee's communications or files.

Electronic media and services should not be used to communicate sensitive or confidential information1 

“Sensitive or confidential information” is defined as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol address, or routing code. . Employees should anticipate that such communications might be disclosed to or read by individuals other than the intended recipient(s), since messages can be easily forwarded to other individuals. In addition, while Cardinal Stritch University endeavors to maintain the reliability of its electronic media, Employees should be aware that a variety of human and system errors have the potential to cause inadvertent or accidental disclosures of electronic communications. SECURITY/APPROPRIATE USE Employees must respect the confidentiality of other individuals’ electronic communications.

Except in cases in which explicit authorization has been granted by University management, Employees are prohibited from engaging in, or attempting to engage in:
• Monitoring or intercepting the files or electronic communications of other Employees or third parties;
• Hacking or obtaining access to systems or accounts they are not authorized to use;
• Using other people’s log-ins or passwords; and
• Breaching, testing, or monitoring computer or network security measures. No e-mail or other electronic communications can be sent that attempt to hide the identity of the sender or represent the sender as someone else.

Electronic media and services should not be used in a manner that is likely to cause network congestion or significantly hamper the ability of other people to access and use the system. Anyone obtaining electronic access to other companies’ or individuals’ materials must respect all copyrights and cannot copy, retrieve, modify, or forward copyrighted materials except as permitted by the copyright owner.

PASSWORDS
Each user accesses the University supported e-mail system by means of a log-in name and password.

a. Passwords are intended to keep unauthorized individuals from accessing messages stored on the system. From a systems perspective and from the perspective of an e-mail recipient, passwords also establish the identity of the person sending an e-mail message. The failure to keep passwords confidential can allow unauthorized individuals to read, modify, or delete e-mail messages, circulate e-mail forgeries; and download or manipulate files on other systems.
b. The practice of using passwords should not lead Employees to expect privacy with respect to messages sent or received (see Access to Employee Communications)
c. Employees must choose new passwords every six months. Passwords will be a minimum of 8 characters, a combination of letters, numbers and symbols and should never consist of a proper name or a common word. Passwords should never be given out over the phone, included in email messages, posted, or kept within public view. Acceptable Use Policy Page 5 of 7
d. Employees are prohibited from disclosing their password, or those of any other Employee, to anyone who is not an Employee of Cardinal Stritch University. Employees also should not disclose their password to other Employees, except when required by an urgent business matter. Employees should change their password as soon as possible after the urgent business matter has been resolved.

E-MAIL STORAGE POLICY
Cardinal Stritch University strongly discourages the storage of a large number of e-mail messages. Retention of messages takes up a large amount of space on the mail server and can impact system performance. In addition, because e-mail messages can contain Cardinal Stritch University's confidential information, it is desirable to limit the number, distribution, and availability of such messages.

a. Deletion by Users As a general rule, if a message does not require a specific action or response, it should be deleted after it is read. If the content of the message needs to be saved for more than two weeks, it should be archived to a local hard disk or diskette or printed out and saved to an appropriate file. Employees should review their messages weekly and delete those that are not needed.
b. Deletion by System Administrator Deletion of e-mail messages by the system administrator will be performed on a case by case basis, when the need arises, to maintain system integrity.

ENCRYPTION
Encrypting messages or documents sent, stored or received on Cardinal Stritch University's systems is encouraged when it further protects the privacy of sensitive and confidential information. However, employees are prohibited from using or installing any encryption software without permission from Cardinal Stritch University's Office of Information Technology. Employees with a business need to encrypt messages should submit a written request to the Office of Information Technology with a copy sent to their supervisor. Employees who use encryption on files stored on a University computer must provide the Office of Information Technology with a sealed hard copy record (to be retained in a secure location) of all of the passwords and/or encryption keys necessary to access the files.

PARTICIPATION IN ON-LINE FORUMS
Employees should remember that any messages or information sent on Cardinal Stritch University provided facilities to one or more individuals via an electronic network—for example, Internet mailing lists, bulletin boards, and on-line services—are identifiable and attributable to Cardinal Stritch University. Acceptable Use Policy Page 6 of 7 Cardinal Stritch University recognizes that participation in some forums might be important to the performance of an Employee’s job. For instance, an Employee might find the answer to a technical problem by consulting members of a newsgroup devoted to the technical area. Employees should include the following disclaimer in all of their postings to public forums: “The views, opinions, and judgments expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Cardinal Stritch University.” Employees should note that even with a disclaimer a connection with Cardinal Stritch University exists and a statement could be imputed legally to Cardinal Stritch University. Therefore, employees should not rely on disclaimers as a way of insulating Cardinal Stritch University from the comments and opinions they contribute to forums. Instead, employees must limit their discussion to matters of fact and avoid expressing opinions while using Cardinal Stritch University systems or a Cardinal Stritch University provided account. Communications must not reveal information about Cardinal Stritch University processes, techniques, trade secrets, or confidential information and must not otherwise violate this or other Cardinal Stritch University policies.

CONFIDENTIAL INFORMATION
While the University has moved away from generally issuing cell phones, there are limited employees that must use cell phones to conduct their assigned tasks. Be aware the University does not permit the use of cell phones to conduct business while an employee is operating a motor vehicle, unless the employee All Employees are expected and required to protect Cardinal Stritch University's confidential information. Cardinal Stritch University's confidential information should never be transmitted or forwarded to outside individuals or companies not authorized to receive the information. Employees must exercise greater care when transmitting Cardinal Stritch University confidential information using e-mail than with other communication means because e-mail makes it easier to redistribute or misdirect confidential information to unauthorized individuals. Cardinal Stritch University also requires its Employees to use electronic media and services in a way that respects the confidential and proprietary information of others. Employees are prohibited from copying or distributing copyrighted material - for example, software, database files, documentation, or articles - using the electronic media systems. CELL PHONES 2 *“Sensitive or confidential information” is defined as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol address, or routing code has safely pulled out of traffic and has turned off the vehicle or placed it into park. Further cell phone conversations are not secure, private conversations and employees should not transmit confidential University information in a public setting.

POLICY VIOLATIONS
Employees who abuse the privilege of University-facilitated access to electronic media or services are subject to corrective action and risk having the privilege removed for themselves and possibly other employees. Employees violating the Electronic Communications Policy are subject to discipline, up to and including termination. Employees using electronic media and services for defamatory, illegal, or fraudulent purposes and Employees who break into unauthorized areas of Cardinal Stritch University's computer system also are subject to civil liability and criminal prosecution. All University employees are responsible for reviewing and adhering to the published computer related policies found on the web .

OVERVIEW

Cardinal Stritch University requires that all individuals accessing University electronic resources or using University systems to access non-University electronic resources abide by the standards of acceptable use set forth in this policy. The University cannot be held accountable for actions which an individual takes which are contrary to this or any other University policy, are contrary to the mission and goals of the University or are contrary to generally acceptable actions. The University cannot be responsible for content or actions which originate on non-University systems. The University reserves the right to change any portion of this policy at any time and to limit or restrict use of its electronic resources including but not limited to limiting or restricting access to non-University electronic resources accessed through University systems.

PURPOSE
The purpose of this policy is to outline acceptable use of computer and electronic resources at the University which is both reasonable and responsible. Responsible use of resources is necessary to ensure that resources are available to all when they are needed and that the individual and the University are protected from harm.

SCOPE
This policy applies to all individuals who use, access or control University electronic resources. This includes but is not limited to students, faculty, staff, contractors, vendors, guests, visitors and any other user who uses University owned or controlled electronic resources.

POLICY
This policy sets forth general expectations regarding the use of University electronic resources, systems, data and information. This policy does not override applicable international, federal, state, local or other statutes. Individuals who access University resources are responsible for exercising good judgment regarding acceptable use. General

• No University resource may be used in a manner or for a purpose that violates University policies or which is illegal or unethical.
• Use of University resources and systems for commercial purposes, except where explicitly approved, are strictly forbidden.
• Any action which would result in loss of data, corruption of data, loss of use or degradation of performance of any University resource or system or which in any way would have negative impact on other individuals or the University will not be tolerated. Network
• Any device that attempts to circumvent security measures, mask the identity of the user, cause disruption of service, scan network ports, discover and/or exploit vulnerabilities of other devices on the network or capture or view data not intended for the recipient is strictly prohibited.
• The individual in control of any device connected to the network is responsible for the security of and traffic generated by that device regardless of origin. Any device which is generating unwanted traffic will be removed from the network and may not be reconnected to the network until all issues have been resolved.
• University networks may not be used to gain unauthorized access to non-University systems or to access systems or materials which are illegal or otherwise prohibited. Computers • University owned computers for student use are available in computer labs and public spaces throughout the University.
• Use of non-public University owned computers, including but not limited to staff computers, faculty computers, servers and control systems by non-authorized users is prohibited.
•  All computers which are connected to University networks or systems, including but not limited to student and privately owned computers, are required to have all current operating system and software patches installed, to have University approved anti-virus software installed and operating with the latest virus definitions and to be in good working condition.
• Loss, damage or theft of University owned equipment must be immediately reported to appropriate University staff. Email
• Any activity which can be reasonably assumed to be offensive including but not limited to sending unsolicited email (SPAM, junk mail or Phishing Attempts), harassing or threatening email, creating or forwarding chain letters is prohibited.
• Unauthorized use or access of other users email, forging or manipulation of email headers or falsely representing the University or other individuals in any manner is forbidden.
• Sending or storing excessive amounts of email or emails of excessive size is not allowed.
• Extreme caution should be used when accessing email from unknown senders, particularly when there are attachments or links within the message. Messages such as these often contain viruses or other malicious code.
• Always be skeptical of offers that seem to be too good to be true and of requests for personal information. You should never provide account login information, passwords, social security numbers, bank account numbers or other highly confidential personal information via email or via web links from email.

Phone
• Use of University owned or controlled phone numbers to conduct non University business, including but not limited to solicitation of funds, sales and support is prohibited. • Making non-emergency calls to 911 or other emergency services is strictly prohibited.
• Any call which may be deemed harassing or prank calls of any kind are prohibited.

FAX
• FAX machines must be setup to display the correct phone number of the FAX machine on all outgoing FAX.
• FAX machines cannot be used to transmit sensitive data, including but not limited to personally identifiable information.

Data
• Unauthorized access of University data is prohibited. Authorized use of data is covered in the Data Access Policy.
• It is the responsibility of each user to protect their own data, including making local backups of critical files where central backups are not already being made; ensuring that systems are routinely scanned for virus, malware and other malicious programs; and ensuring that systems are up to date with relevant security patches and updates.
• Sensitive data, including but not limited to personally identifiable information may not be backed up or stored on local machines or media. See the Data Access Policy for further restrictions.
• Sensitive data, including but not limited to personally identifiable information may not be transmitted over insecure methods, including but not limited to FAX and unencrypted email.

Security and Privacy
• It is the responsibility of each individual to protect privacy and information.
• Passwords should be changed every six months and should be secure, easy to remember and hard to guess. Secure passwords are passwords that are at least 8 characters long which contain a combination of upper and lower case letters, numbers and special characters and which do not contain recognizable words, phrases, dates or other guessable combinations. Authorized users are responsible for the security of their passwords and accounts.
• Only authorized users will have administrative access on University machines.
• Attempts to access accounts for which you are not authorized is strictly prohibited. In the event that a system administrator needs to access private information or another account such activity will be documented and subject to review.

Copyright
• Copying, storing, displaying or distributing copyrighted material using University resources or systems without the express permission of the copyright owner, except as otherwise allowed under copyright laws, is prohibited.

ENFORCEMENT
Violations of these policies may result in the immediate suspension and possible revocation of access to University IT resources and systems. Serious violations will be referred directly to the appropriate University or outside authorities. Unauthorized use of University resources is a criminal offense. Penalties may range from suspension or dismissal from the University to civil or criminal prosecution.
 

As our world becomes increasingly digital, we need everyone to pitch in to help protect our University’s resources. By following a few simple steps and developing good security habits, you can minimize opportunities to inadvertently expose sensitive data or information.

What is sensitive data? “Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.” For example: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, government passport number, employer or taxpayer identification number, unique electronic identification number or a routing code. Review Acceptable Use Policy.

• Good habit: Do not store sensitive information such as student records, credit card numbers or social security numbers on your computer unless it is absolutely required by your job. If required, contact the Office of Information Technology (OIT) for assistance with properly safeguarding the information. Do not share sensitive data via email at any time, and be particularly careful on the internet to make sure a site is secure by looking for a url that begins with ‘https’ or look for a logo such as: VeriSign.

Email: Email, chats, instant messengers, Facebook, etc. are not secure and should never be used to send any information you do not want exposed to the public. Social networking sites are playgrounds for criminals. Limit what information you share. Avoid email with embedded links and attachments from sources you don’t recognize. Many email messages and viruses look like valid messages. Be aware of phishing which is a high-tech scam that either asks for your credit card, bank account, passwords, or social security numbers OR leads you to a web site that looks official and asks for the same type of information.

• Good habit: If you can’t post the information comfortably on the closest billboard, think before sending it via email. If you don’t recognize the sender, delete it—they will send the message again if it is real or call instead.

Passwords: A password is the first line of defense. Choose ‘strong’ passwords with at least eight characters, using a combination of numbers, upper and lowercase letters and at least one special character (!#@^%*). Remember to change your passwords frequently. Remember, OIT will never request your log in, password, birth date, etc. via email.

• Good habit: Do not share your password with others and do not post it in an obvious place (like a post it on the computer or in the top drawer of your desk).

Back up your work: You have just spent a significant portion of your time creating a lesson plan, lecture notes, preparing a grant, writing an article…..remember to save it and go one step further – back up all of your personal work on a weekly basis to a CD/DVD or other external media.

• Good habit: Set aside a portion of time each Friday to back up your work and clean up your email. Once you have your data backed up, be sure to test it to ensure it can be retrieved. Store your back ups in a safe location.

Love your computer: Log off or use the keyboard locking function when stepping away from your computer. If you don’t, others can easily access your email or other documents. If you are using a laptop, run a virus check before connecting it to the Stritch network. Make sure your computer is always up to date with security patches and virus protection.

• Good habit: Learn how to run the virus check if you have a laptop—if you need help, call x4600. If your computer starts acting ‘funny’ – call before trying to fix it yourself unless you have good computer troubleshooting and diagnostic skills.

Shred your documents: Remember to shred sensitive documents in the office and at home. People with a malicious intent will search through trash to get what they want.

• Good habit: Share your good habits with others and stay safe.

General Information
The University does not permit the use of cell phones to conduct business while an employee is operating a motor vehicle, unless the employee has safely pulled out of traffic and has turned off the vehicle or placed it into park.

Acquisition methods
There are two acquisition methods for cellular phones detailed below or as separately negotiated. In the majority of instances, the respective Dean or Vice President decides which method is appropriate for each eligible employee.

Method One:  University‐Provided Device (reserved for leadership team)
The respective University official determines that an employee’s duties necessitate the prevision of a communications device. The communications device must be essential for the employee to properly perform his or her required duties and will be used exclusively for business purposes.

After submitting a Cell Phone Authorization Request and obtaining approval, the employee would be given a University‐owned cellular phone issued through the Office of Information Technology. The monthly service fee will be paid by the University. The device is the property of the University. The University owned cell phone must be used only for University related business calls. If a personal call is inadvertently made or received, restitution must be made to the University prior to the next billing cycle.

Employees are responsible for the safekeeping, care and custody of the communications device assigned to them. Cellular phones may not be transferred to any other individual. In the event of a reported loss, stolen or fraudulent use of the assigned phone, the employee must immediately notify the Office of Information Technology for further action.

Employees assigned University owned communications devices, are warned that call details records generated from assigned devices are considered business records of the University. All charges for communications devices provided by the University are subject to audit for personal use. Audits may be conducted periodically and will be unannounced. It is the responsibility of the employee to substantiate business use.   Accordingly, the employee will be required to review each monthly itemized statement for the University owned communications device assigned to him or her and certify that all phone calls made or received during the period covered by the statement were for University business use.  

Cardinal Stritch University reserves the right to terminate the employee’s cell phone or to switch an employee to the allowance method (Method Two) if excessive personal calls are made. Use of University owned equipment is based on the employee’s job duties and may be discontinued if the employee’s responsibilities change. The employee must return the device to the University when it is no longer needed and/or the employee ends employment with the department.

Method Two: Allowance Method
Cardinal Stritch University realizes that communication devices can enhance the job performance of certain employees. Because the IRS substantiation requirements are time‐consuming and administratively costly, eligible employees will receive a taxable allowance for an individually owned cell phone or device. Administrators and staff whose positions require the frequent need for communications device may receive a taxable allowance to cover the business related costs associated with owning the device.

The allowance will be paid quarterly after the approval of the respective Dean or VP.  Allowances will be paid as part of the employee’s regular paycheck and the cost will be charged to the employee’s respective departmental account. The allowance is taxable income. Therefore, the employee will be taxed in accordance with IRS regulations. Payment of such taxes is the responsibility of the employee. The allowance is supplemental pay and is not part of the employee’s base pay.

The phones are the property of the employee and the plan with the carrier is between the carrier and the employee, not the University. Since these phones are the property of the employee, they may be used for personal calls. Termination of employment with the University does not release the employee of their financial obligation to the carrier. Under this method there will be no monthly documentation requirement for the employee to track and substantiate business versus personal use.   

Administration of Allowance
The respective Dean/VP should use his/her knowledge of the employee’s duties and budget considerations to determine if an employee is eligible for a cell phone allowance. All allowances must be covered by the department’s budget and all allowances are taxable. An annual review should be performed by each Dean/VP to determine if existing allowances should be continued.

Cardinal Stritch University reserves the right to discontinue an employee’s allowance if there is insufficient budget to meet the cost of the quarterly allowances or if the employee’s duties no longer qualify for a cell phone allowance. 

If a Dean/VP deems it appropriate for an employee in his/her department to receive a cell phone allowance, the Dean/VP is to provide written authorization (see form attached). Each employee must provide a copy of a recent (no older than two months) cell phone invoice to document an existing cell phone plan.

The completed and signed Allowance Form/Agreement should be submitted by the department to the Payroll Department for processing. The employee will be paid a quarterly stipend (paid on March 31, June 30, September 30 and December 31) at the Tier level noted on the form. The quarterly stipend will be reviewed and determined annually.    (Reminder: appropriate payroll taxes on the amount of the allowance will be withheld from the employee’s paycheck and the amount of the allowance will be included as wages on the employee’s year end W‐ 2). The department should keep a copy of the form in their files and forward the original to Payroll.

PURPOSE
Cardinal Stritch University is presenting this policy to help guide our faculty, staff and students in the legal use of copyright material and to provide detail about the Universities enforcement, as well as potential civil and legal implications, for individuals who violate copyright laws.

SCOPE
This policy applies to all individuals who use, access or control Univeristy electronic resources to store, access or share copyrighted materials or materials owned or created by another person or entity. This includes, but is not limited to: students, faculty, staff, contractors, vendors, business partners, guests, visitors and any other user who uses University owned or controlled electronic resources.

POLICY
It is illegal, and therefore prohibited on any Stritch system or network, to store, access or share any material which is copyrighted or owned by a third party for which you have not obtained current legal permission from the copyright owner, or for which there is not an existing exception provided for within copyright law, to use in the manner and for the purpose in which you are using the material. Doing so violates the United States Copyright Act and potentially other laws or regulations and exposes you to civil, criminal and or University sanctions.

COPYRIGHT POLICY
When obtaining permission to store, access or share copyrighted material you should ensure that you receive permission in writing, that it clearly states what material is covered, the purpose and method that you intend to use the material, any limitations to your permission, including but not limited to valid dates and proof that the provider is the legal owner of the material along with any other relevant or legally required documentation. You may be asked to provide this at any time to University officials, law enforcement or others with a legal right to this information.

If you are using an existing exception, such as Fair Use, it is your responsibility to ensure and document compliance with any and all relevant laws. In exorcising an exception to gaining explicit permission from the copyright owner, you take on full responsibility and may be subject to civil, criminal and/or University sanctions if your use is determined to not qualify for the exception.

The University will comply with any reasonable and lawful requests regarding violation or potential violation of existing copyright law in legal and responsible manner.

UNIVERSITY ENFORCEMENT
[To be determined by the proper University resource]

SUMMARY OF CIVIL AND CRIMINAL PENALTIES FOR VIOLATION OF FEDERAL COPYRIGHT LAWS
The following information is not meant to be a complete list of all penalities but rather a simple summary to provide a general idea of current penalties at the time this policy was last reviewed.

Copyright infringement is the act of exercising, without permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code). These rights include the right to reproduce or distribute a copyrighted work. In the file-sharing context, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement.

Penalties for copyright infringement include civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or “statutory” damages affixed at not less than $750 and not more than $30,000 per work infringed. For “willful” infringement, a court may award up to $150,000 per work infringed. A court can, in its discretion, also assess costs and attorneys’ fees. For details, see Title 17, United States Code, Sections 504, 505. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense. For more information, please see the website of the U.S. Copyright Office which is listed below.

ADDITIONAL RESOURCES
• U.S. Copyright Office website - www.copyright.gov
• Recording Industry Association of America (RIAA) - www.riaa.com
• Copyright for Student Use (Cardinal Stritch University) - www.stritch.edu/Library/DoingResearch/Copyright/Copyright-for-Students/

Identity and Accounts Policy
Effective Date:    January 8, 2018
Revised:               
Status:                                                                                   Responsible University Officer:
__   Draft                                                                              Provost; CIO
__  Under Review
_X_ Approved                                                                    Responsible Coordinating Office:
__ Obsolete                                                                          Academic Affairs; Office of Information Services
 
Version 1.2
 
REVISION HISTORY
November 22, 2013 - Initial draft
January 8, 2018 – HEOA clarification revision

OVERVIEW
Cardinal Stritch University requires that all individuals who are accessing protected or private information or University systems and resources provide a unique username and password which has been assigned to that individual and which will act as their electronic identity.

PURPOSE
The purpose of this policy is to establish a unique, traceable electronic identity for every individual using Cardinal Stritch University electronic resources to ensure that access to information can be limited to only those who need access and to ensure that the individual accessing the resources is the intended party.

SCOPE
This policy applies to all individuals who use, access or control University electronic resources.  This includes but is not limited to students, faculty, staff, contractors, vendors, guests, visitors and any other user who uses University owned or controlled electronic resources.

POLICY
Wherever possible, all access to electronic systems, information or resources will be authenticated against the University Active Directory database.  Accounts for all students, faculty, staff, vendors and visitors are created utilizing an automated process which pulls data from our SIS/ERP system, Jenzabar EX, based on a set of rules defined around the relationship that the individual has with the University.  This includes but is not limited to: creating accounts for students only after they have been accepted to the University; creating accounts for employees only after they have been fully hired by the University; creating accounts for vendors as employees only if they have a specific need for access and then only during the time that they are actively working on University business.
Active Directory accounts are tied back to the individual by their SIS/ERP ID number, are unique to the individual, and after initial setup only the individual has access to their password.
When it is not possible to directly tie authentication back to Active Directory, an intermediary system such as ADFS utilizing SAML, custom SAML code, AD LDS or other systems may be used.  When this occurs, every effort must be made to tie the account back to a specific individual. 
All University owned, controlled, operated, rented, leased or otherwise engaged systems which a student uses to submit course work or which represent the student in any academic endeavor in relation to the University must have an account which ties back to the student using either their SIS ID number or their Active Directory login.

REVIEW
The Provost’s Office is responsible for developing and ensuring compliance with this policy in the University’s various Colleges, Schools and administrative units.  The Provost’s Office will inform the deans and administrative officers when changes to the policy are made.  The Office of Information Services (OIS), is responsible for ensuring that university-level system and processes remain in compliance with this policy.
 
ADDENDUM
HEOA COMPLIANCE
 
This policy applies to all credit-bearing distance education courses or programs offered by the Cardinal Stritch University, beginning with the application for admission and continuing through to a student’s graduation, transfer, or withdrawal from study. The policy is used to design and implement systems to ensure that Cardinal Stritch University operates in compliance with the provisions of the United States Federal Higher Education Opportunity Act (HEOA) concerning the verification of student identity in distance education.
 
The HEOA requires that institutions offering distance education or correspondence courses or programs have processes in place to ensure that the student registering for a course is the same student who participates in the course or receives course credit. The Act requires that institutions use one of the following three methods:
• A secure login and pass code;
• Proctored examinations; and
• New or other technologies and practices that are effective in verifying student identification.
 
To satisfy the current requirements, Cardinal Stritch University requires all students to use their official University provided account / ID and password (a secure login and pass code) for purposes of identity verification for distance learning.

PURPOSE
The following guidelines have been created to help protect you and the University from accidently losing or exposing sensitive information while using portable electronic devices, including but not limited to notebook computers, personal digital assistants (PDA), cell phones, smart phones, flash drives and other media which contains personal or University data. It is the responsibility of each employee to follow these guidelines and any other reasonable steps to protect information and equipment.

DEFINITIONS
Sensitive information consists of but is not limited to:
• Identity information (names, addresses, birth dates, id numbers or other information linking back to an individual).
• Transactional data (student records, financial transactions, loan information, etc.).
• Access and authorization information (account names, passwords, etc.).
• Any information which would potentially harm or impact the University’s ability to do business.

GUIDELINES
Social security numbers and credit card numbers must NEVER be stored on local computers, portable electronic devices, or media. Refer to the Remote Access Policy for policies and information on how to access this and other types of information appropriately.

When you first receive a portable electronic device or media make sure that you write down the relevant manufacturer, model, serial number and physical description. Store this information in a secure location separate from the device or media so that you will have it should it be needed later.

You should take a  copy of this information with you when you travel, but make sure that you keep it in a separate location from the device or media. You are responsible for maintaining current software versions and updates (i.e. virus software, operating system updates, and application software such as Jenzabar, PowerFaids, Infomaker, etc.), on any laptop in your possession. When reconnecting a laptop to the University’s network, it is imperative you confirm that you are running the latest software versions.

You should always make sure that you have physical possession of any device or media that contains sensitive information when you travel.
• Do not check these devices or media, instead take them as carry-on items.
• When you need to put these devices or media down (while conducting business, eating, riding in a vehicle, etc.) try to keep physical contact if possible and if not ensure that you can visually see the device or media at all times.
• When relinquishing possession of the device or media (while going through airport security, loading bags into a taxi, etc.) make sure that you can visually see the device as much as possible and take possession as soon as possible afterwards.
• When leaving the device or media unattended (such as in a hotel room, conference room, office, etc.) make sure that you secure it in a locked location or leave it with a trusted source. When returning to the room, make sure that you take possession and ensure that no one has removed or accessed the device or media immediately. Never leave the device unattended in an unlocked or unsecured location.
• You should avoid leaving the device or media in a vehicle, but when you need to do so, make sure that you put it out of sight, preferably in the trunk of the vehicle, and that the vehicle is locked. Check to ensure that the device or media is still in the vehicle immediately upon returning.

You should always make sure that you have a current, secure and reliable backup of any sensitive data contained on the device or media.
• It is not possible for the University to centrally backup data contained on flash drives, CDs, PDAs, cell phones, smart phones, etc. at anytime.
• It is not possible for the University to centrally backup data on a notebook when it is not physically on our network.
• You are responsible for making sure that you back up your data frequently and that you store the backups in a secure location separate from the device or media being backed up.
• You must protect the physical access to and contents of these backups with the same level of regard as the originals.

You should encrypt or password-protect any device or media containing sensitive data.
• Every device needs to have a password enabled in order to access the data on the device. You should lock the device so that it requires this password every time you turn it off or put it down.
• If the device or media has the ability to be encrypted, this feature needs to be turned on.
• Passwords should be difficult to crack but easy for you to remember. Good passwords are never recognizable words, phrases, names or dates and should always contain a mixture of upper and lower case letters, numbers and punctuation and should be at least 8 characters long if the device allows. Some devices, such as cell phones or PDAs may limit password length and content. When this is the case, use your best judgment to create as secure a password as possible.
• Passwords should be changed frequently (at least once every 6 months).
• Do not ever store passwords on the device or media or have them written down with the device or media. If you need to write a password down, try writing a hint for yourself rather than the actual password.

If a device or media containing sensitive data is lost or stolen, immediately report the incident to the local authorities and notify the helpdesk with the following information. Delays may increase the risks to the University.
• Device or media manufacturer, model, serial number and physical description.
• What sensitive information is stored on the device or media.
• When, where and under what circumstance the device or media was lost or stolen.

If you have questions or if a device has been lost or stolen, please contact the Helpdesk at:
Phone: (414) 410-4600
Email: support@stritch.edu

OVERVIEW
Cardinal Stritch University (“Stritch”) developed this Peer-to-Peer (“P2P”) File Sharing policy as a result of the serious legal implications of violating copyright laws by sharing certain materials using P2P File Sharing. This policy also focuses on the security risks and negative impact P2P File Sharing applications can have on network capacity. The policy was developed with oversight and approval of the Office of Information Technology and the University Leadership Team.

PURPOSE
The purpose of this policy is to provide guidance in the legal and responsible use of P2P technologies.

SCOPE
This policy applies to all individuals who use, access or control University electronic resources to store, access or share copyrighted materials or materials owned by a third party. This includes, but is not limited to, students, faculty, staff, contractors, vendors, guests, visitors and any other user who uses University owned or controlled electronic resources.

POLICY
While Stritch recognizes the potential academic purpose of file sharing and peer-to-peer applications and does not automatically ban their use on our networks and systems at this time, from time to time some or all P2P services may be limited or completely blocked as deemed appropriate by the Office of Informatio n Services. This policy sets forth general expectations in legal and responsible use of P2P technologies.

This policy does not override applicable international, federal, state or local laws. Individuals storing, accessing or sharing files on Stritch owned and/or controlled systems are personally responsible for their actions and are subject to all applicable laws.

Copyright
• See the University Copyright Policy
• Only files and content which can legally be shared via P2P are allowed to be shared via P2P technologies.

Impact to Network and Systems
• Improper use or overuse of P2P applications can cause significant degradation of performance on the network or the systems on which the P2P applications are running. The University reserves the right to block or shutdown any service which negatively impacts our systems without warning. It is the responsibility of the user to ensure that P2P technologies are used responsibly and with respect for other users.

Security
• P2P applications copy files from unknown sources to your computer. This puts the computer you are using at risk of having computer viruses, malware or spyware installed without your knowledge. Malware (Malicious Software) and Spyware (an application that collects, records and transmits private information including but not limited to anything typed on the computer, any activity performed on the computer, any location visited from the computer and any information contained on the computer) can expose your personal identity with others as well as provide access to University systems to identity thieves and others with nefarious intentions.
• P2P applications share files from your computer to unknown sources. This puts any information stored on the computer at risk of being disclosed outside of the University or to parties to which it should not have been shared. It is imperative that you understand what your application is sharing and that you take proper steps to insure that you are not exposing confidential or sensitive information or inadvertently sharing copyrighted material.
• No files containing personal identity information or other sensitive, proprietary or protected information should ever be shared using P2P applications. Systems containing such information should not have P2P applications installed on them and should not use P2P technologies.

LEGAL ALTERNATIVES
Educause has compiled and maintains a list of legal sources of online content. That list can be viewed at www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-andpositions/intellectual-property/legal-sources-onli

ENFORCEMENT
Cardinal Stritch University does not, at this time, prohibit and or block the use of peer-to-peer applications in general on its network, though any specific service may be blocked at any time and al l P2P sharing may be blocked if necessary. The University understands that there are potentially legitimate academic uses for such applications. However, use of these applications has been known to cause problems, which can affect the entire University community. Cardinal Stritch University expects that all computers and networks on the campus will be used in a manner consistent with the Acceptable Use Policy and compliant with applicable law. The University is under no obligation to protect a user from a complaint or action arising from violation, or alleged violation, of the law. Users should understand that while material is available for free on the Internet, it does not mean that accessing such material is authorized by third party rights-holders. Cardinal Stritch University prohibits the use of peerto-peer applications on its networks to transmit or exchange any music, software or other materials, when the intellectual property is held by a third party. Any use of our network in violation of this policy will be subject to discipline.

The University will continue to see that the Stritch community is not adversely affected by the use of peer-to-peer programs. When such programs are seen to affect the network in a manner not consistent with University policies or are degrading the performance of the network, appropriate action will be taken.

The community should be aware that peer-to-peer applications are not always harmless and in using them one may inadvertently consume excessive network bandwidth, violate copyright and/or other laws, share confidential information or jeopardize computer security. Disproportionate bandwidth usage and copyright and other third party infringement are violations of the University's Acceptable Use Policy1. Any such violations, intentional or otherwise, are the sole responsibility of the individual whos computer or account is being used.

Examples of P2P programs are: Napster and Gnutella Skype Kazaa BitTorrent

REFERENCES
• United States Copyright Office - www.copyright.gov
• Recording Industry Association of America (RIAA) - www.riaa.com
 

Privacy Policy

Cardinal Stritch University is committed to respecting your privacy as a customer. Our privacy policy is clear: We collect no information about you, other than information automatically collected and stored (see below), when you visit our website unless you choose to provide that information to us.

 

Information Automatically Collected

When you browse through any website, certain personal information about you can be collected. We automatically collect and temporarily store the following information about your visit:

- the date and time of your visit;
- the pages you visited; and
- the address of the website from which you came.

We use this information for statistical purposes and to help us make our site more useful to visitors. Unless it is specifically stated otherwise, no additional information is collected about you.

 

Portions of the Cardinal Stritch University website use Google Analytics, a web metrics service of Google, Inc. ("Google"). Google Analytics uses cookies, which are commonly used text files stored in your browser, to help analyze how users use the site. This cookie information (including your IP address and the Cardinal Stritch University web pages you visit) will be collected by Google and stored on Google servers. Google will use this information to help Cardinal Stritch University understand and evaluate your use of the website. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do disable cookies, you may not be able to use the full functionality of portions of the Cardinal Stritch University website (e.g. the MU Connect online alumni community). By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

 

Personally Provided Information

Cardinal Stritch University does not require you provide to personal information to visit our website; however, you may choose to provide us with personal information through an e-mail message, form, survey, etc. This information is used only to fulfill the stated purpose of your communication and/or participation.

 

Disclosure

Cardinal Stritch University does not disclose, give, sell or transfer any personal information about our online visitors to third parties except as required by law.

 

Endorsement Disclaimer

Our website has links to many other non-profit, educational, and governmental institutions, and in a few cases, private organizations. You are subject to that site's Privacy Policy when you leave this site. Reference in this website to any specific service, company, or organization does not constitute its endorsement or recommendation by Cardinal Stritch University. Cardinal Stritch University is not responsible for the contents of any "off-site" Web page referenced from this server.