Purpose
SUNY New Paltz provides staff with access to computing devices. Along with the privilege of using University owned computing devices comes additional responsibility to safeguard the data they contain, and to protect them from potential theft or damage. This policy addresses actions that must be taken in order to secure the University's physical property, and the data the University has been entrusted with by our students, faculty, staff, alumni, and donors. It includes end-user responsibilities, and responsibilities of the issuing department and Information Technology Services.
All University -owned computing devices are governed by this policy, including systems made available as primary workstations, assigned within a department office, or purchased through grant funds. This policy should be read and thoroughly understood prior to acquiring and using University-owned computing devices.
Scope
This policy is applicable to all current University staff, faculty, or administrators, and students who are using University Owned computing devices provided to them by a University department. This policy is not applicable to systems in computer labs.
Policy
University-owned computing devices are state property and are primarily for University work. They should not be used for personal projects or entertainment.
User Responsibilities
- The user shares responsibility for the security of all University data stored on, or carried with, the device.
- The user is responsible to make sure that operating system, application, anti-virus updates are applied in a timely manner.
- Do not install any unapproved software, or alter the hardware of the device without prior approval from New Paltz IT. Alteration includes any functional changes, upgrades, or cosmetic changes (such as application of stickers or labels).
- New Paltz IT may require access to the device, which may include leaving it with the IT staff for a period of time, for repairs, maintenance, troubleshooting, etc. If such a request is made, the user must comply within a reasonable amount of time.
- Users are responsible for keeping appropriate backups of their data. For more details, see Acceptable Uses and Privacy Policy.
- Users are responsible for notifying IT as soon as possible regarding the following:
- Physical damage
- Loss or theft
- Suspected security or malware issue(s)
- System or software errors
- With regards to mobile devices:
- Each user is responsible for the physical security of that device, regardless of whether the device is used at the office, at one's place of residence, or in any other location such as a hotel, conference room, car, or airport. Users are expected to provide reasonable care and effort to protect the device.
- The equipment may not be transported as checked luggage on public transportation. The user is to keep the equipment in their possession at all times while travelling.
- Carrying/protective cases should be used to protect the devices.
- Do not store devices in a locked car or car trunk, as severe temperatures may damage it, and the car may be broken into if the device can be seen.
- University-owned computing devices must not be taken out of the country without the explicit approval of either the Chief Information Officer or the Information Security Officer, in addition to the Chair, Director, Dean, etc, of the owning department.
- Employees who are taking administrative leave must have prior approval from Human Resources and their immediate supervisor if they are retaining any University issued device while on leave.
- Faculty members who will be on sabbatical must have approval from their Dean or the Vice President of Academic Affairs before taking the device with them on sabbatical.
- Upon resignation, termination, retirement, non-renewal or other separation of employment, any computing devices, peripherals, carrying cases, etc, must be returned to the issuing department either on or before the last day of work.
- Users are explicitly prohibited from taking any University computing device off-campus without prior approval from their department. Any removal of desktop computers from the campus must also by authorized by the CIO or their designee.
- Faculty and staff who have any removable media (USB flash or disk drives, CDs, DVDs, as well as old floppy disks) with sensitive University data can bring them to the main Information Technology Services office in HAB 50 or to Desktop Support in LC 8 for disposal. The media will be placed in the secure disposal bins which cannot be opened except by Internal Controls, and the third-party service provider. That provider provides periodic pickup - and ensures physical destruction of the media at their facilities.
IT Responsibilities
- In the case of maintenance or repairs causing an extended period where the device is unavailable, IT will provide a loaner device to minimize any disruption of work.
- Before providing the device to the end-user, IT will ensure it is securely configured.
- IT will provide support and assistance in a timely manner for any University provided hardware, or University supported software.
- Before conducting any major hardware or software maintenance or repairs, IT staff will make backups of the data on the system if possible, as per the Acceptable Uses and Privacy Policy.
- IT will implement and maintain procedures to update, maintain, and enhance the availability, integrity, security and data protection provided by the device.
- IT is responsible for ensuring that data is sanitized from hard drives of desktops, laptops, and servers. This will include software methods to ensure data is unrecoverable, or physical destruction of the devices through the third-party service contracted with through Internal Controls.
Issuing Department Responsibilities
- Computing devices have a reasonable lifetime. If a device has exceeded its reasonable lifetime (as determined by IT), the device will have to be appropriately retired. Departments may wish to consult with IT about an appropriate replacement schedule for their computing devices.
- Departments should ensure that a copy of this policy is provided to any staff members. For those who have primary or exclusive use of a mobile device, the department should retain a signed statement that acknowledges receipt and awareness of this policy.
- The issuing department must notify IT before transferring primary usage of a device to another individual. IT will review and reconfigure as appropriate.
- The department responsible for the mobile device must maintain basic records of who has which device and for what period of time.
- Upon receipt of equipment from a faculty or staff member, the department assumes all user responsibilities until the device is transferred to an end-user.
Liability
- All users are personally responsible for full repair or replacement cost if the device is damaged or made inoperable by misuse or negligence.
- Departments that have loaned devices to students or student organizations for use will be liable for the replacement cost of the device should it become stolen, lost, or damaged while in the student's possession, or if it is not returned.
- Failure to follow this policy and these procedures may result in loss of computer privileges, and/or revocation of the University issued devices.
Reporting Loss or Theft
- Report a theft immediately to the appropriate local law enforcement authority (University Police if on campus) and IT as soon as the theft has been discovered.
- A copy of the police report must be provided to IT
Definitions
University owned computing device: For the purposes of this policy, university owned computing device refers to any computing device purchased by SUNY New Paltz, purchased with grant money for the use by SUNY New Paltz sponsored programs, or by the Research Foundation of SUNY where the primary use is by SUNY New Paltz faculty or staff members.
Issuing department: This is the department which has actually purchased the device for use by their staff.
Mobile device: Includes laptops, smartphones, tablets, or any other computing device commonly brought out of the office by users.
Malware: Any malicious code including viruses, worms, trojan horses, botnets, and rootkits
Related Policies