Information Systems Policy Updated, Summer 2013

Each year the Information Systems Planning Committee (ISPC) reviews the Information Systems Policy and considers any changes recommended by Information Systems leadership for approval.  Only one revision has been made this year to the policy manual, but it is significant and important for all EMU employees to understand.

A section called “Data Protection and Preservation” has been added and appears on page 15 of the policy manual.  The first paragraph of this section describes why this section has been added.

Cloud computing services (like Gmail, Dropbox, Evernote, and MobileMe) and portable devices that store data (like smartphones, tablets, USB drives and SD cards) pose unique challenges for institutions. Staff and faculty appreciate these devices’ and services’ ease of use, low cost and ubiquity. But cloud services and portable devices also move EMU data beyond the institution’s control, creating the opportunity for data theft, data breach and data loss.

The policy then describes storage requirements for confidential and non-confidential data along with examples of confidential data.  All EMU employees are expected to be familiar with the Information Systems Policy Manual and specifically read and understand this new section.

The following practices, although not a complete list, are addressed in the policy:

  • You may not store confidential data on any portable device or cloud storage service. Confidential information includes, but is not limited to, personally identifiable information about anyone associated with the university (i.e. students, employees, alumni, donors, vendors, associates, etc).
  • You may not store non-confidential university data exclusively on cloud storage or portable devices.  Non-confidential information includes operating practices, procedures, meeting notes or other documents that are relied upon by employees or students to conduct operations of the university.  Of particular concern here is data that could, for convenience of collaboration, be stored on an individual employee’s Dropbox account, shared to others which would then become inaccessible should the private owner of the account leave EMU or decide to revoke the sharing properties of the account.

If you are an employee, please take the time to read the entire “Data Protection and Preservation” section of the policy starting on page 15.  If you have any questions, please contact Jack Rutt, Director of Information Systems.  And while you have the policy open, you are encouraged to look over the Table of Contents and be aware of all that is covered in the entire policy manual.  Section 7, “Technology Resources Allocation Policy” contains many details about how technology resources deployed at EMU are described here.  You need to know this stuff!

It is worth calling special attention to item #3 in the email paragraph of section 7, especially for new employees.  Email accounts are issued by EMU to employees to use for all email communication they use to carry out their job responsibilities.  Because this kind of communication often includes data and information subject to regulations such as FERPA it is extremely important that these communications be conducted with systems controlled and administered by EMU.  For this reason, EMU employees must use their email address for their work-related email communications and they are not permitted to set their EMU email account to automatically forward all incoming email to any other email account.