Effective Date: Upon Passage
Date of Last Revision/Passage: October 14, 2005
Authority:
April 1, 2005
April 1, 2005
This policy is meant to define the persistence of the following Information Technology entities (please see the definitions section of this policy):
Identities, e.g., MUNet ID, Email addresses,
Privileges, e.g., levels of access to resources and systems, and
Content, e.g., electronic files, folders, documents, media, etc.
Persistence of these items needs to be defined and controlled to ensure the efficient, cost-effective, reliable, and secure operation of information systems and to ensure the integrity and security of the information content stored in these systems.
This policy applies to all individuals or groups, including but not necessarily limited to, Marshall University faculty, staff, students, contract employees, or other related individuals who have established a relationship with the institution and by doing so acquired an identity and access to any Information System that stores, accesses, or processes information in which Marshall University holds an interest.
West Virginia State Electronic Mail Suggested Guidelines
It will be the policy of
When an identity is no longer in use it will be archived in either of two states:
Available for automatic reactivation, i.e., there is some possibility that a reactivation of this identity will be needed, e.g., returning student, faculty, staff etc., or
Not available for automatic reactivation, i.e., there is a reason that this reactivation would need administrative review, e.g. the death of an individual, a legal restriction, an administrative restriction, etc.
If a new identity is assigned to an individual, the original identity will be archived as not available (reserved) and only reassigned to the same individual.
It is the policy of
Privileges are created based upon the role of an individual and, for default privileges, an implicit request, e.g., application, admission, hiring, etc., or for elevated or expanded privileges, explicit administrative approval.
Privileges may be suspended for administrative purposes pending due process procedures and a final determination or by an explicit administrative request.
Privileges will be modified or deleted based upon a role change of an individual and will revert to default privileges from an implicit request, e.g., graduation, non-registration, termination, retirement, resignation, or to a lowered or elevated state from an explicit administrative request and approval, e.g., transfer, acquisition of new responsibilities, etc.
It is the policy of
The retention times are summarized in the following matrix.
| | Administrative | Fiscal | General | Ephemeral |
|---|---|---|---|---|
| Online | Determined by Marshall University Document Retention Policies and Practice | Determined by Marshall University Document Retention Policies and Practice | Determined by Marshall University Document Retention Policies and Practice | 90 days |
| Near-online | Determined by Marshall University Document Retention Policies and Practice | Determined by Marshall University Document Retention Policies and Practice | Determined by Marshall University Document Retention Policies and Practice | User Responsibility |
| Archived | Determined by Marshall University Document Retention Policies and Practice | Determined by Marshall University Document Retention Policies and Practice | Determined by Marshall University Document Retention Policies and Practice | User Responsibility |
| Pending Deletion | weekly | weekly | weekly | weekly |

| Triggering event | Wait period | Identity status | Privilege status | Ephemeral Content status | Administrative, Fiscal, or General Content status | Special Consideration |
|---|---|---|---|---|---|---|
| Identity Change | immediate | Old ID archived not available | New ID default plus approved extensions. | Moved by user within 30 days, old content archived for 6 months then deleted | Unchanged, Administration retains ownership | |
| Identity Abandonment or unused accounts | If account not used for 1 year | Identities Archived | Network access suspended, email account suspended, myMU portal access suspended | Content archived for 6 months then deleted | Unchanged, Administration retains ownership | |
| Death | immediate | Identities Archived not available | Network access suspended, email account suspended, myMU portal access suspended | Content archived for 6 months then deleted | Unchanged, Administration retains ownership | Family given access to ephemeral content if requested |
| Computer abuse investigation | immediate | No change | Network access suspended, myMU portal access suspended | Content remains unchanged but inaccessible | Unchanged, Administration retains ownership | |
| Computer abuse sanction | immediate | Determined by sanction | Determined by sanction | Determined by sanction | Unchanged, Administration retains ownership | Determined by sanction |
| Employee (faculty or staff) termination | immediate | No change | Revert to default | No change | Unchanged, Administration retains ownership | Role reverts to affiliate by default. Administration may change disposition based on nature of termination. |
| Transient access (contract, part-time, student employees) no longer needed | immediate | Identities Archived not available | Network access suspended, email account suspended, myMU portal access suspended | Content archived for 6 months then deleted | Unchanged, Administration retains ownership | |
| Student “resignation” (graduation, non-registration, withdrawal, suspension) | immediate | No change | Revert to default | No change | Unchanged, Administration retains ownership | Role changes to Formal or informal alumnus |
| Employee (faculty or staff) resignation | immediate | No change | Revert to default | No change | Unchanged, Administration retains ownership | Role reverts to affiliate |
| Employee (faculty or staff) retirement | immediate | No change | Revert to default | No change | Unchanged, Administration retains ownership | Role reverts to “emeritus” |
| Employee (faculty or staff) transfer | immediate | No change | Revert to default. Add approved extensions | No change | Unchanged, Administration retains ownership | Role changes with new assignment |
| Employee (faculty or staff) leaves, disabilities or sabbaticals | immediate | No change | No change | No change | Unchanged, Administration retains ownership | Changes to identity, privilege, or content are determined case by case; default is no change |
It is the responsibility of the Vice President for Information Technology and CIO to enforce this policy. The routine enforcement of this policy has been assigned to the Assistant Vice President for Information Technology by the Vice President.
Positions:
Vice President for Information Technology and CIO
Assistant Vice President for Information Technology
Assoc Director of Systems Administration and Security Officer
Assoc Director of Data Bases and Shared Systems
Assoc Director of Networks and Telecommunications
Assoc Director of Customer Services
Director of Human Resources
Campus Police
Deans, Department Chairs, Department Directors
Individuals (identity, privilege, or content owners/holders)
Processes:
Security and Protection
Backup and Recovery
Assignment of content to a proper category and storage location
Assigning and maintaining identities and privileges.
Etc.
Identities: For the purposes of this policy, identities include the MU ID, MUNet ID and email address assigned to an individual who has established a relationship with
Privileges: For the purposes of this policy, privileges include the ability to authenticate and gain access to an information system, network, or storage device and media, to access (create, read, write, modify, or delete) information on an information system, network, or storage device and media, or to manipulate (establish, modify, suspend, revoke) the privileges of yourself or others.
Roles: For the purposes of this policy, roles are generally defined by the following:
Affiliate (e.g., WVNET/MU Dialup Service External Account Holder, Contractor, external collaborator, external evaluator, external auditor, etc.)
Prospective Student
Admitted Student
Enrolled Student
Formal Alumni
Informal Alumni
Full time Faculty
Part time Faculty
Faculty Emeritus
Full time Employee
Part time Employee
Retired Employee
Temporary Employee
Student Employee
Default Privileges: The default privileges afforded an assigned MUnet identity (account) are:
logon privilege to MUnet as a domain user,
a V-Drive allocation and access,
an Email account, space allocation, and access, and
myMU portal access
Content: For the purposes of this policy, content includes electronic files, folders, documents, media, etc. that are created by use of information systems. These include but are not limited to, voice mail, email, electronic documents, scanned images, music, videos, pictures, art, drawings, plans, program source, object, and executables, scripts, parameter and configuration files, data bases, etc. These content items are further categorized as administrative, fiscal, general, or ephemeral.
Administrative content is defined as any content that is related to the specific administration and operation of the institution that is essential for the continued operation of the institution and to the documentation, audit trail, and history of the institution for both legal and administrative purposes.
Fiscal content is defined as a subset of administrative content that documents or manipulates fiscal related information, policies, procedures, or records.
General content is defined as other miscellaneous content that, although not essential, further documents the operation and history of the institution.
Ephemeral content is anything not assigned to the three other categories but is principally content that could be considered personal or professional that is perhaps considered important by an individual or group but not necessarily related to the administration of
Content can also be categorized by its location or availability state. Content can be found online, near online, archived, or pending deletion and generally moves in that order over time and possibly results in deletion or destruction.
Online content is content stored in information systems available for immediate access.
Near-online content is content stored in hierarchical storage systems for delayed access.
Archived content is content stored on archival media (or backup form) for occasional access for historical or backup restoration purposes.
Content pending deletion is content stored in a state or location, sometimes referred to as a wastebasket, immediately preceding its deletion or destruction.
Appendix A
Suggested Guidelines
Adopted by WV Information Technology Council 2/17/2003
Adopted by WV Information Technology Council 12/17/2003
Electronic Mail (E-mail) Suggested Guidelines
INTRODUCTION
Effective: 12/17/2003
Use of the electronic mail systems (e-mail) is an essential means of daily communications, both internally and externally, for
ELECTRONIC MAIL RETENTION POLICIES
Effective: 12/17/2003
A. EMPLOYEE'S/USER'S RESPONSIBILITIES
Employees sending or receiving e-mail must:
1. Ensure that any messages sent or received that are deemed to be departmental transactions or "records" are retained in accordance with established retention policies for similar information.
2. Retain e-mail messages or "records" either as a printed copy or as an electronic file.
a. Store printed e-mail messages in the relevant subject matter file as would be done with any other printed communication.
b. Save electronic e-mail messages to a storage medium (tape, diskette, hard-drive) on the device (personal computer, server, etc.) as designated by the immediate supervisor.
3. File e-mail messages or "records" and keep them in such a manner as to ensure the message or file is:
a. accessible;
b. protected from unauthorized access;
c. protected from alteration of any kind;
d. and protected from physical damage or loss.
4. Once retained, the original e-mail must be deleted from the e-mail server.
5. "Non-record" e-mail should be deleted from the e-mail server regularly.
E-MAIL SYSTEM ADMINISTRATOR'S RESPONSIBILITIES
Effective: 12/17/2003
E-Mail System Administrators must:
1. Retain general e-mail operating system files for efficient disaster recovery of the e-mail system. Back-up files and disaster recovery files are for restoring operations in the event of loss or damage to the e-mail system. They are not intended for e-mail or "record" retention purposes.
2. Keep e-mail back-up files for no more than three weeks. The files (e-mail messages) on the back-up tapes, disks, etc., can be overwritten as a normal practice.
3. E-mail messages on the e-mail server will be kept a maximum of 90 days unless deleted beforehand by the receiver of the message. E-mail messages on the server that are over 90 days old will be automatically deleted.
C. ORGANIZATION MANAGERS' AND SUPERVISORS' RESPONSIBILITIES
Organization managers and supervisors will:
1. Ensure that all employees who receive or send e-mail messages read and understand these policies as well as any related document retention policies.
2. Prescribe rules, if required, for what kinds of e-mail "records" or messages must be retained as printed copies or must be retained as electronic files.
3. Ensure that appropriate storage medium and storage devices are accessible to employees and ensure that proper security measures are in place including the prevention of alteration of any kind and the prevention of unauthorized access.
E-MAIL ACCESS AND MONITORING POLICIES
Effective: 12/17/2003
A. ACCESSING OTHER EMPLOYEE'S E-MAIL
1. The use of state computers and the computer network are reserved for business-use only; e-mail transmissions, messages or file contents may be accessed by authorized personnel.
2. Agency management may request access to the e-mail communications of employees in the specific state agency.
a. All requests must be in writing and signed by the requesting manager.
b. All requests must include identification information (author, recipient, date, subject of email needed, etc.) as well as a justification for accessing the e-mail.
c. Immediate access, justified by the need to conduct urgent WV state business, may be gained to the e-mail of others by contacting your immediate supervisor, with approval given by both the agency’s administration and technical authority.
3. At the direction of agency management, the Chief of Information Systems or his/her designees may access and disclose e-mail or files of any employee with just cause, provided that such access and disclosure follows any applicable law, policies and procedures. Just cause includes:
a. the need to protect system security,
b. the fulfillment of WV state obligations,
c. the detection of employee wrongdoing,
d. the compliance with legal processes,
e. the protection of the rights or property of the state.
B. MONITORING E-MAIL
1. Neither the agency’s management nor members of the agency’s IT department will routinely monitor e-mail transmissions or messages. However, these transmissions may be monitored, without prior notification, for the following reasons:
a. to protect system security,
b. to detect employee wrongdoing,
c. to comply with legal processes,
d. and to protect the rights or property of the state.
2. In the event that e-mail messages observed by the agency’s management or his/her designee appear to have violated laws, policies or procedures, the evidence will be referred to the proper entity for appropriate action.
3. Agency management may request the monitoring of e-mail communications of subordinates in accordance with the same rules listed in the preceding "Accessing Other Employee's E-Mail."