|Broadcast Email Policy|
Purchase College Broadcast E-mail Policy
Email is a convenient way to communicate information to the campus community, and as a result there are a tremendous number of requests for campus-wide broadcast e-mail messages.
Email is popular because you can push your message into people’s mailboxes, reaching a larger audience than you would by posting your message to a web site where people have to actively seek it out (websites are a pull channel). However, the convenience of pushing email at everyone has to be balanced against the burden this places on the time and attention of the College community. Their time and attention are too precious a resource to subject to a fire hose of poorly targeted email that is not timely, relevant, and of interest to the recipient. We have all heard complaints about the volume of messages we receive, and we have all heard others say they don’t read any of our broadcast messages and miss important information as a result.
It is essential to avoid overuse of broadcast email that diminishes the effectiveness of this channel.
As Stamats notes, sending out an email message does not mean you have effectively communicated your message. Effective communication requires that you say the right thing, at the right time, to the right audience.
The college offers a variety of push/pull communication channels including email, distribution lists, and our web site. It is important that we avoid over-reliance on email broadcasts and employ the right mix of channels, messages, and audiences to communicate effectively with the campus community.
Broadcast Message Volume over the last 10 years has increased by 500%
By far the highest monthly volume of broadcast email is during April and September – just when people are busiest, we are bombarding them the most. So while it is easy to use email as a communication channel, it is also easy to see why people tune it out.
It is critical that the messages we send are relevant, they are clearly written, they are accurate the first time, and they are sent to the right recipients (and not just “everyone.”)
Broadcast Email Etiquette
Campus-wide e-mails should be sent out to inform the campus of important announcements, events, or alerts that affect the entire campus.
Campus broadcasts should only occur if there is a reasonable expectation that the message would be of interest to a significant portion of the college community. If your weekly meeting of the Obscure Society typically draws the same ten dedicated souls and meets in a small windowless room, sending an invitation to 10,000 people doesn’t really make sense – they won’t all come, they won’t all fit, and most likely you’re just annoying 9,990 of them with yet another piece of spam they have to delete.
Select your target audience carefully - with laser focus if possible. The time and attention of the campus community is a precious resource.
Avoid sending Corrections and Reminders – take the time to get the message right the first time, and promote your deadline or event using the Master Calendar, web site, portal, and distribution list.
Broadcast email should only be used for official College purposes. Broadcast email should NOT be used to promote products, activities or services that have not been endorsed by the appropriate unit within the College (Job Fairs should be endorsed by Career Development, Overseas Programs should be endorsed by the Office of International Programs, etc.) It should go without saying that broadcast email is not the place to sell your car or rent an apartment.
Start and promote a Distribution List (DL) for those who have participated in similar activities or who have expressed an interest, allow people to opt in and opt out of your weekly message to that list, and work to make sure that it is a source of valuable information. When you send your broadcast message, use the Distribution List as the destination address, include instructions at the bottom for unsubscribing, and honor those requests in a timely fashion. Promote your distribution list as a source of valuable information on your website, Facebook page, etc.
In any case, high quality content is far more important than how many copies you are distributing.
Tell us what is in the message and why we should look at it
E-mail messages should always include a descriptive subject line. This serves to entice people to open your message and read further, as well as to relieve them from opening the message if it clearly isn’t something they are interested in. Subject line “News from CTS” – Ho-Hum… Subject line “Your email account will be purged Tuesday at 4:00” - uh-oh.
Tell us who it is from
Marketing studies also say that people are far more likely to open a message when it comes from a real person i.e. “Bill Junor” - than when it comes from an institutional address like “(CTS.Director)” - delete.
Broadcast email Definition:
Any message transmitted to the entire “campus Community” or to an entire cohort (all students, all faculty, all staff) or to any combination thereof is considered a “broadcast message” requiring workflow approval.
School and divisional distribution lists (i.e. LAS students, NS Majors, Sociology Board of Study, a specific class list, etc.) are NOT considered broadcast messages since the heads of each area already have the necessary rights to distribute those messages themselves, without workflow approval.
Similarly, off campus distribution lists (i.e. Friends of Music, Friends of the Library, etc.), are NOT considered broadcast messages since the heads of each area already have the necessary rights to distribute those messages themselves, without workflow approval.
Who can request a campus-wide e-mail message?
Any member of the Purchase College community can request that a campus-wide message be sent out by submitting a request through the Broadcast Email Messaging (BEM) System. Broadcast requests are automatically routed to the department head for approval, and to the appropriate Vice President or College Officer. Only the VPs/Officers can authorize broadcast emails.
For broadcast requests created by Students, those requests are routed to Student Affairs for workflow approval.
Who will receive a campus-wide broadcast e-mail message?
Campus-wide messages can be sent to all campus-wide e-mail server users. Campus-wide messages can also be sent to other e-mail servers or to external e-mail addresses if the requestor includes external addresses (individuals or Distribution Lists) as part of their request.
The request must specify the audience to receive the message. Broadcast messages can be sent to 1) all faculty, 2) all staff, or 3) all students. These three categories (and others such as residents by wing or students by division) can be combined as necessary to reach the desired audience.
The BEM system allows the originator to specify as many destination addresses as necessary, and those addresses can be a combination of campus addresses and off campus addresses.
Please note that Deans/Directors/Chairs of academic divisions already have the ability to send messages to students and/or faculty/staff within their division themselves.
What can be sent out in a BEM e-mail message?
The BEM system allows creation of rich media messages that are compact and efficient. You can embed graphics, links, and attachments as necessary. In addition, the BEM system contains a variety of general and specific graphical templates for various campus organizations that help to create an attractive presentation wrapper for your message.
Please note that many email servers on the recipient end restrict attachment size to 10 MB.
When should I use Email versus the website, the Portal, and the Master Calendar?
To communicate effectively, you should use all these channels in a coordinated fashion.
|Computer Equipment Disposal|
The New York State Department of Environmental Conservation has determined that non-working and obsolete computer products must be treated as hazardous waste. Monitors and terminals contain from 4 to 8 pounds of lead and fail the NYS DEC TCLP test for toxicity. Circuit boards of both computers and printers contain lead solder, mercury and cadmium, and often also fail the TCLP test. These items should be disposed of in an environmentally sound manner.
The key points of NYS DEC Regulations are:
Additional information is also available at the New York State Department of Environmental Conservation website. The current rates for disposal are about $15 for a PC, monitor, and printer.
Campus agencies must arrange to have their old computer equipment removed by an authorized disposal service that complies with all city, state and federal regulations. You may want to contact our campus Environmental Health and Safety Officer, Ed Musal, at x6917 for further information on hazardous waste removal. One authorized recycling vendor is Per Scholas, who can be reached at (718) 991-0362.
CTS will continue to dispose of old computers that are being replaced with new ones on an individual basis, and properly dispose of them as we have done in the past. However, CTS cannot accept bulk disposal or removal of old computer equipment on behalf of other departments.
Please keep in mind that all departments must fill out a Property Control System – Request for Disposal or Surplus Form.pdf – when disposing of old computer equipment (see attached). The original will go to the department head, a copy should be taped to the item being disposed of, and a copy must go to our campus inventory control coordinator in Purchasing and Accounts Payable. Please call x6920 if you have any questions about using this disposal form.
|Computer Ethics Policy|
The Purchase College information technology infrastructure includes a private network of secure services for the exclusive use of our students, faculty, staff, and administrators. Other IT services include open access to college information for the general public and the world at large. To utilize private secure services for students, faculty, and staff, you must authenticate with a Purchase College user name and password.
Users of computer systems and networks at Purchase College must read, understand, comply with, and electronically sign the Purchase College computer ethics policy when they activate their accounts. You are responsible for your actions. That responsibility exists regardless of what security mechanisms are in place. Unauthorized use of computing facilities will lead to suspension or loss of privilege, and may lead to more serious penalties. All rules and policies must be adhered to by all users of Campus Technology Services at Purchase College.
All users are expected to use these services in a responsible fashion. Student use of all computing resources and services is subject to the Student Code of Conduct. Faculty and staff use of computing resources and services is subject to the Policies of the SUNY Board of Trustees and to campus supervisory oversight.
The college provides a variety of services that are public within the college community, and others that are public to the world. These services include (but are not limited to) our portal, ePortfolios, student web publishing directories, sections of our website, and Moodle, among others. Materials posted to any college site or service must be respectful and appropriate; offensive materials or speech may be removed and/or referred to Student Affairs or the appropriate college supervisor.
Security for Your Account
Do not consider email private or secure. Purchase College does not encrypt email. Mail can be easily intercepted at any machine that it passes through. It can be altered, and copies can be made and forwarded. Messages sent to nonexistent or incorrect addresses may be delivered to an unintended destination.
The systems administrator(s) at Purchase College have the right to monitor computer systems. The systems administrator(s) have the right to examine user files to diagnose system problems or investigate security breaches.
The internet is not secure. If you are going to transmit sensitive data or files across the internet, you must take precautions to protect it on your own. Data and files can easily be intercepted, read, altered, misused, or destroyed at any machine they pass through. In addition, machines attached to the internet are vulnerable. Do not assume your data is safe on your computer if it is directly connected to the internet. Do not store valuable or privileged information on these systems without applying security. If you can’t afford to lose it, back it up. If it is information that should never see the light of day, don’t store it on a networked computer.
Backup Your Important Data
Keep all valuable disks and tapes in a secure place. Secure backup copies of valuable files or data off site. When throwing out old disks or tapes, make sure no sensitive information can be found on them.
Intellectual Property and Piracy
Whenever you are shipping software from one place to another, you must consider intellectual property and license issues. The internet is a global network, and the importing and exporting of software may fall under the jurisdiction of the United States Department of Commerce. Exporting anything may require a license. A general license covers anything that is not explicitly restricted and is readily available in public forums in the United States. The exportation of networking code or encryption code is restricted. You may not allow access to a restricted machine to persons or entities outside of the United States. Please be aware, when posting information to a bulletin board, that data will probably cross the border. If you have any questions on the legality of transmissions over the borders of the United States, please seek legal counsel.
Purchase College has joined the internet via an educational connection. Use of the internet for commercial purposes is not allowed.
The following are considered unacceptable uses of computer systems, and are strictly prohibited
Your password is the only means you have of keeping your account and files secure. The algorithm that encrypts passwords has not been broken. However, it is possible for your password to be stolen when using the Internet so you are encouraged to change it often. More than 80 percent of computer break-ins are because passwords can be easily derived by hackers.
Individuals who are authorized to access sensitive or institutional data are prohibited from divulging that data to any other individual, unless that individual is also authorized to use the data. Individuals are only permitted to access data as authorized.
Game Playing Policy
Game playing is allowed on college computers as long as:
Denial of Service
You are responsible for the security of your account. Please read the policy on passwords. The following are symptoms of unauthorized trespass of your account. If you become aware of the following, please contact CTS at x6465.
VIOLATION OF THESE POLICIES WILL LEAD TO SUSPENSION OR LOSS OF PRIVILEGE, AND MAY LEAD TO MORE SERIOUS PENALTIES
|Computer Replacement Cycle|
Purchase College Computer Replacement Cycle Policy - 2019
A computer that is able to run current versions of various software is an essential component of today’s learning, teaching, and working environment. To ensure that students, faculty and staff have access to the computers and services they need to fulfill their roles, the College has instituted a variety of policies and programs to ensure that computers are maintained and replaced on a regular basis.
The faculty Instructional Technology Advisory Committee (ITAC) is responsible for managing the replacement cycle for the ~75 computer labs around campus. Each year, approximately $350,000 in ITAC funding is provided to ensure that the academic computer labs are maintained and upgraded so that they meet the teaching needs of our academic programs.
Each spring ITAC issues a call for proposals to the faculty and academic divisions. Proposals for ITAC funding must be endorsed by the Board of Study Head, the academic unit Chair/Director, and the Dean. During the spring semester ITAC reviews and prioritizes the proposals it receives, making award decisions by the end of the spring semester so that upgrade/replacement implementation can occur over the summer.
Faculty/Staff in the College of Liberal Arts and Sciences and the School of the Arts:
Faculty support and development are the responsibility of Academic Affairs. Every faculty and staff member in the College of Liberal Arts and Sciences (LAS) and the School of the Arts (SotA) should have a computer for communications with students and colleagues, for use with the Moodle LMS, for research, and administrative tasks like advising and grading. Faculty and staff in LAS and SotA will be provided with one reasonably current desktop PC to ensure basic connectivity and access.
Each spring the Deans’ offices review Device Assignment and Tracking (DAT) information for their areas. DAT shows all computers, with out-of-warranty computers highlighted. Computers will be considered for replacement 5 years after their original purchase date.
The Deans may also invite proposals for non-standard PC upgrades from their faculty. The Deans assemble a list of upgrade requests, including any non-standard computers that they approve, which is sent to Academic Affairs for funding. CTS orders the computers and arranges their delivery to individual faculty members.
Faculty or Staff who are receiving a new computer must turn in the old computer to CTS for disposal and recycling.
New York State negotiates contracts with major computer vendors each year. The current contract holder for PCs is HP, which offers a standard desktop PC for $928, including a 5-year warranty.
Since the purpose of the college-owned computer is basic access, Apple computers will only be purchased with additional justification provided to the Dean.
Faculty/Staff in the Library and LSCE
The Director of the Library and the Director of LSCE will review Device Assignment and Tracking (DAT) information for their areas. DAT shows all computers, with out-of-warranty computers highlighted. The Directors may also invite proposals for non-standard PC upgrades from their faculty. The Directors submit their upgrade requests, including any non-standard computers that they approve, to Academic Affairs for funding.
Following administrative review and Academic Affairs funding allocation, CTS orders the computers and arranges their delivery to individual faculty members.
Faculty or Staff who are receiving a new computer must turn in the old computer to CTS for refurbishment and/or recycling.
Part-Time and Adjunct Faculty Replacement Computers:
Adjunct and part-time faculty computers remain the responsibility of the individual unit managers. Academic units should ensure that part-time and adjunct faculty also have access to appropriate computers.
There is no central funding pool for adjunct or part-time faculty computers. Individual unit managers should plan and budget for computers appropriate to their employees’ needs.
College Staff Replacement Computers:
Outside of LAS and SotA, college staff computers are the responsibility of their unit managers. Individual units should ensure that part-time and student staff have access to computers appropriate to their needs.
There is no central funding pool for staff computers. Individual unit managers should plan and budget for computers appropriate to their employees’ needs. Staff receiving a new computer must turn in their old computer to CTS for disposal and recycling.
The College will provide HP PCs by default. Faculty requests for Apple computers must be accompanied by written justification for the additional expense, endorsed by the chair/director, and sent to the Academic Dean’s office. Non-standard PCs will only be bought with the Dean’s approval.
The College provides both Microsoft and Apple operating systems and licenses for Microsoft Office desktop productivity software (Word, Excel, PowerPoint, Outlook). In addition, the College provides concurrent licenses for Adobe Creative Cloud (Photoshop, Acrobat, Illustrator, Premiere, etc.), SPSS, and many others via our Sassafras license server. Any other software needed by an individual employee is the responsibility of their administrative unit.
Typical Computer Warranties:
HP, Dell and Apple computers purchased through Purchase College are typically purchased with a 3 to 5 year warranty covering hardware replacement and next-day on-site service.
While out of warranty computers may be functioning and still serve the user’s needs, these computers become a liability due to increasing cost in time and labor as they age.
Purchase College considers 5 years to be the useful lifespan for a computer and recommends replacing computers at the 5-year mark.
All Computers are College Property:
Whether new computers are provided by the College or the unit, the computers being replaced will revert to CTS for disposal and recycling as computers are classified as hazardous waste due to the heavy metals they contain.
(Updated October 2019)
|Confidential Information Policy|
Purchase College is committed to protecting the privacy and confidentiality of information contained in the multiple databases and print files maintained by the college in the regular course of business. Personal information that is confidential in nature will be used only in accordance with the Purchase College Information Security Program, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA) regulations, and all applicable SUNY, state, and federal regulations.
Employees at Purchase College by nature of their positions will gain access to private personal information about students, faculty, staff, alumni, and other constituents of the college. Employees are obligated to maintain the confidentiality of any such private personal information that is encountered.
Purchase College expects all employees with access to personal information to deal with that information in a respectful and professional manner. As a matter of policy, the college restricts access to personal information to only those employees who have a legitimate “job-related reason” in the performance of their duties for gaining access. Access and release of any student educational records must be in accordance with FERPA regulations.
Access and release of any health records must be in accordance with HIPAA regulations. Any personal information viewed or accessed by an employee through college systems or records is not to be shared or released to others unless there is a legally permissible purpose for doing so. In addition, in accordance with Section 203-d of the New York Labor Law, Purchase College will not:
Personal identifying information (PII) is defined by NYS as including an employee’s Social Security number, financial account number and PIN, or driver’s license number. Access to PII will be restricted to those with a demonstrable need for access.
Inappropriate disclosure of information pertaining to students, faculty, staff, and other college constituents may violate applicable law and is considered a violation of ethics and a breach of trust placed in employees by the college. Upon finding of a breach of this policy by an employee in a collective bargaining unit, the college may initiate disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.
Employees who deal with confidential material on a regular basis will be required to sign a confidentiality statement and to complete annual information security training. Each campus manager will determine employees required to have access to PII who must receive training and sign confidentiality statements.
Employee, student, financial, and medical information contained within Purchase College information systems (electronic and physical files) and external SUNY systems is considered confidential. Access to information made confidential by law or campus practice is limited to those individuals (employees, consultants, adjunct professors, third-party vendors, etc.) whose position legitimately requires use of this information.
The employees (Purchase College faculty, staff, student employees, and volunteers appointed by the college) understand that by virtue of their work for Purchase College they may have access to data that are confidential, and therefore understand they may not disclose such confidential data to any person or entity without appropriate authorization, subpoena, or court order.
Examples of confidential PII information include the following:
In addition, FERPA regulations cover
In order to access confidential information, employees agree to adhere to the following guidelines:
|CyberSecurity Investigation Clearance Form|
A cybersecurity investigation is to be conducted only with the prior approval of the director of Campus Technology Services and senior campus executives. Each Security Investigation must be fully and completely documented. Nonemergency investigations must have approval of two senior college administrators (president or vice presidents).
Documentation of security investigations must include:
• Report of DMCA violation (nonemergency investigation)
• Other “due cause” documentation (emergency or nonemergency)
• Identification of security threat type
• Risk analysis – severity of threat and potential exposure
• Log files from threatened/compromised system
• Steps taken to contain threat
• Steps taken to contain possibility of exposure of sensitive materials or private information
• Steps necessary to prevent recurrence
The following policy pertains to all Security Investigations:
• In an emergency, the Privileged User conducting the investigation may view, copy, modify, or delete data placed on a computer or network by another user, and not normally shared, if and only if the Privileged User has documented probable cause that the contents of the data pose an immediate threat to the system or network. Examples of an immediate threat would include a “Root Kit” or other “Trojan Horse” back door, a worm or virus, or other materials or activities that pose a threat to the normal operation of college computer networks or systems.
• The Privileged User conducting the investigation may view, copy, modify, or delete data placed on a computer or network by another user if the Privileged User has documented that there is probable cause that the account is being used for illegal purposes (copyright violation, commerce, harassment, piracy or other crime) and has a completed Security Investigation Clearance Form.
• The Privileged User conducting the investigation may not erase or tamper with any system log file for any reason other than to archive the log file. If it is necessary to remove a log file from the system due to storage limitations, then the log file must be archived to tape for permanent storage. The archived records must provide an uninterrupted history of events on the system for auditing purposes. Exceptions must be approved in writing by the director of Campus Technology Services and IT security personnel.
|Data Infrastructure Policy|
The security and integrity of the college’s computer systems and data network is our collective responsibility. As we all increasingly rely on electronic forms of communication and electronic access to important information, we must ensure their reliability and protect our network against ever more sophisticated security threats.
College-Owned Devices:
The personal computers (PCs) and other devices used in offices and computer labs throughout the campus are purchased and owned by the college. This includes department or unit-funded devices, as well as Research Foundation or grant-funded devices.
All college-owned devices (servers, PCs, laptops, tablets, etc.) must be registered in the centralized CTS Workstation Database per the college’s Device Assignment Policy. When a device is transferred from one employee to another—for any reason—the device must be returned to CTS for refreshment and reassignment. Failure to register a device may result in denial of all network services for that device.
All college-owned devices must run a current and secure operating system. A current and secure operating system is one that is actively being supported and patched by its vendor (Microsoft, Apple, Linux).
All college-owned devices must be joined to the campus network domain, and must require the use of Active Directory login credentials to access the computer. Secure administrative access to college computers (admin rights) will be administered by CTS.
These machines must be part of the campus network; the software running on these machines must be legally purchased and approved by CTS before installation.
Personally Owned Devices:
Personally owned devices brought to campus will not be joined to the College Network Domain, will not use Active Directory Credentials for logon access, and therefore will only be able to obtain public network access (services available to the world at large). Individual owners are solely responsible for the operation and security of their device.
Ports and Wiring Infrastructure:
The wired data ports and wireless networks throughout the college are purchased and owned by the college, and are operated and managed by Campus Technology Services (CTS). No connections to college ports are allowed without prior written approval from CTS.
CTS is responsible for the management and administration of all data and telecommunication networking ports, components, and infrastructure serving the campus. No network modifications of any type, including minor renovations, will be permitted without written advance approval from CTS.
Contractors working on any part of the college’s data and telecommunication infrastructure must have prior written approval from CTS, and work must be coordinated and monitored by CTS.
Any wiring, ports, or devices that are not approved will be disabled, removed, or seized as they present an unwarranted security risk.
All college servers will be operated by CTS or their designated agents (vendor or proprietary systems). Servers will only be run on appropriate hardware. CTS and CTS alone will act as system administrators to manage the server operating system and network environment. At their discretion, CTS may grant “application administrator” rights to configure and manage specific software applications on a server to appropriately trained individuals outside of CTS.
Any servers found to be in violation will be disabled, removed, or seized as they present an unwarranted security risk.
Other Network Devices
No network devices (data port switches, routers, Wi-Fi, storage systems, etc.) may be installed by anyone other than CTS. Installation of any network device must be approved in advance by CTS.
Any devices found to be in violation will be disabled, removed, or seized as they present an unwarranted security risk.
|Desktop Computer Privileged Access Policy|
The security and integrity of the college’s computer systems and data network is our collective responsibility. As we increasingly rely on electronic communication and access to information, we must ensure its security and protect our network against ever more sophisticated threats. A single weak machine that is not adequately patched and maintained can wreak havoc with the college’s network, interfering with administrative operations, and disrupting access for thousands of people on campus.
Desktop Computer Access: The PCs in offices and computer labs throughout the campus are purchased and owned by the college. The college’s standard operating systems, Windows 7 and Windows 10, and Apple OSX, contain security features that require you to log on before you can use the computer. All software running on college-owned machines must be legally purchased and approved before installation.
All college employees receive “user” accounts that allow them to run all software on the machines. User-level accounts do not allow you to modify system settings or install software. Secure administrative access to XP and OSX workstations is restricted to CTS staff and selected divisional technology support personnel.
The college is using Windows and domain-wide Group Policy settings to centrally manage security patches and settings for Windows machines and for anti-virus software. For Windows machines and for anti-virus software, the college runs a local Windows update server; Apple OSX machines are set to retrieve updates directly from Apple. It is imperative that the college ensures that security patches are applied and that anti-virus profiles are up to date.
Restricting changes to desktop computers also greatly simplifies college-wide management of its technology infrastructure and support services. CTS support personnel make use of Remote Desktop or VNC to connect to your computer in real time when you call for support, and are on duty Monday through Thursday 8am-7:45pm, and Fridays 8am-4:45pm.
If you believe that you have a legitimate need for elevated privileges to your desktop operating system, you can submit a Request for Administrator Level Desktop Access.
Laptop Computer Access
All college employees receive “local administrator” access to their laptop computer. This level of access is required for machines that need to be used away from the campus (home, travel). Local administrator access allows you to run all software on the machines, and allows you to modify system settings or install software. However, you are expected to refrain from installing illegal copies of software, from adjusting settings for security patches and remote access, from adjusting any settings that you do not fully understand, and you are expected to refrain from allowing anyone other than yourself access to your credentials or to use your laptop while you are logged on.
Please call the CTS Helpdesk at (914) 251-6465 if you have questions or need assistance.
|Device Assignment and Tracking Policy|
This policy covers assignment and tracking of college-owned computers and devices commonly assigned to college employees: desktop computers, laptops, tablets, and mobile devices.
The Device Assignment and Tracking (DAT) form is available online.
What’s covered by this document?
This document is applicable to all College staff, faculty, or administrators who are using college-owned computing devices issued or loaned to them by a College department. All College-owned computing devices are governed by this policy, including systems made available as primary workstations, assigned within a departmental office, or purchased through grant dollars for specific projects.
For Staff: Administrative units provide their staff with computers, laptops, and mobile devices as necessary.
For Faculty: Academic Affairs provides faculty computers, laptops and mobile devices for all faculty as necessary.
Inventory and Property Control
Preparation for use:
Transfer of Devices
Report a theft immediately to:
Failure to comply with this policy may result in disciplinary and/or legal action.
Purchase College / State University of New York
|Digital Millennium Copyright Act (DMCA)|
As a community of artists, writers, musicians, filmmakers, and scholars whose careers will be spent creating intellectual property, we encourage our entire community to respect the property of others. Downloading anything onto your machine from untrustworthy P2P (peer-to-peer) sources or websites not only exposes you to viruses, worms, and spyware, but often violates the copyright laws and can lead to suspension of network privileges, or to lawsuits from the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), or the Business Software Alliance (BSA). Please remember that theft is a crime, and that nothing in cyberspace is truly anonymous.
Copyright protections are created when words are put on paper, transmitted via email, when music is recorded, software is written, or when an image is created. Once done, the work is protected by copyright—no formal copyright registration or seal is required for copyright protection to be in effect. If someone else wants to use the work, they must get permission from its creator.
Copyrighted material includes almost all forms of original expression fixed in a tangible medium, even if no formal copyright notice is filed or attached. However, you cannot copyright any idea, process, system, method of operation, concept or principle, regardless of the form in which it is described.
Copyright infringement is any reproduction (download), display, distribution (upload), creation of derivative works, or public performance of copyrighted work without permission of the copyright owner.
Federal copyright law and college policy prohibit the copying and/or distribution of copyrighted material without the permission of the copyright owner. Copyrighted materials include but are not limited to text, graphics, art, photographs, music, film, and software.
Peer-to-peer (P2P) software such as BitTorrent that is often used to share music, movies and other media may lead to violation of copyright laws. Most P2P software automatically shares anything that you download by default—so if you downloaded the latest Hollywood blockbuster to watch it, you would also be helping to distribute an illegal copy to others by sharing the contents of your machine with the world.
If you use any P2P software for legitimate purposes, as a security precaution, you should disable its file sharing component. There is an IU website with details on disabling file-sharing for most P2P software.
Digital Millennium Copyright Act (DMCA)
Here is A Review of the DMCA.
Here is An overview of the DMCA Act.
To report alleged copyright infringements on Purchase College computers, please contact the college’s designated DMCA agent:
Pursuant to the provisions of the Digital Millennium Copyright Act, Purchase College receives DMCA Copyright Infringement Notices alleging that computer(s) registered to Purchase College IP addresses are allegedly illegally infringing on copyrighted materials belonging to others. Infringement of copyright is a violation of Federal law, and the violator is subject to both substantial fines and civil damages.
Under the DMCA, as an Internet Service Provider (ISP), the college is obligated to expeditiously remove or disable the allegedly infringing material and notify the subscriber of its actions in what is referred to as “notice and take down procedure.” The Purchase College DMCA infringement procedure is as follows:
The college also recommends that all students take the University of Texas Copyright Crash Course or their Copyright Tutorial, or take other appropriate steps to further their understanding of copyright infringement.
Under the DMCA, the college is obligated to inform you of certain requirements of that Act. You have the right under the Act to send a counter notice that you are not in violation or that the violation has ceased. That notice must be in the form required by the Act, and you are advised to seek legal counsel at your expense for appropriate advice on the form of any counter-notice. The specific statutory language is as follows: (17 USC 512(g)(3)): Contents of Counter-Notification: To be effective under this subsection, a counter notification must be a written communication provided to the service provider’s designated agent that includes substantially the following:
(A) A physical or electronic signature of the subscriber.
The above is provided for your information only, not as advice, nor is it an attempt at stating the law or your responsibility. You should review the entire Act with your attorney.
College Computer Network Users: if you lose access due to an alleged violation
If you receive an official notice from the college of an alleged copyright violation and have had your network access restricted, please contact the Office of Student Affairs to find out how you can have your network access restored:
Office of the Vice President
|Domain Names Policy|
Domain names have multiple levels. For example, purchase.edu is a second‐level name, while moodle.purchase.edu is a third‐level name. Domain names are resolved to an IP address, like 220.127.116.11.
Campus Technology Services (CTS) is solely responsible for administering and maintaining DNS records and DNS name assignments for the purchase.edu domain obtained through Educause.
Custom Name Requests
Redirects to External Services
|Electronic Information Technology Accessibility (EITA)|
Purchase College Electronic and Information Technology Accessibility Policy and Procedures
(last updated July 31, 2019)
Purchase College - State University of New York (PC) is committed to ensuring that people with disabilities have an opportunity equal to that of their nondisabled peers to participate in the College’s programs, benefits, and services, including those delivered through electronic and information technology.
This Electronic and Information Technology Accessibility (EITA) policy covers all electronic information used to promote and deliver the college’s programs and services. The policy applies to procurement, development, implementation, training, and ongoing maintenance of all online or electronic materials.
Benchmarks
All online and electronic information used to promote and deliver the college’s programs and services must be in compliance with federal and state laws. The accessibility of online materials and functionality will be measured according to the current ratified versions of W3C’s Web Content Accessibility Guidelines (WCAG) Level AA and the Web Accessibility Initiative Accessible Rich Internet Applications Suite (WAI-ARIA) for web content, which are incorporated by reference.
Ensuring equal and effective electronic and information technology access is the responsibility of all College administrators, faculty, and staff.
The purpose of these procedures is to provide processes by which College administrators, faculty, and staff will create, obtain, and maintain all electronic and information technology (EIT) in a manner that ensures that EIT is accessible to individuals with disabilities.
This policy and procedure applies to the following areas:
“Accessible” means that individuals with disabilities are able to independently acquire the same information, engage in the same interactions, and enjoy the same services within the same timeframe as individuals without disabilities with substantially equivalent ease of use.
“Disability” is defined by the ADA as a physical or mental impairment that substantially limits one or more major life activities.
“Electronic and information technology” or “EIT” includes information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information. The term “electronic and information technology” includes, but is not limited to:
Electronic and information technology also includes any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, creation, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This term includes telecommunication products (such as telephones), information kiosks, Automated Teller Machines (ATMs) transaction machines, access control systems, security systems, computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
“Equally effective” means that the alternative format or medium communicates the same information in as timely a fashion as does the original format or medium.
Within the Purchase College governance structure, the Accessibility Committee (AC) is charged with improving awareness and compliance with accessibility requirements, providing training to the campus community, managing Barrier Reports used by the campus community to report accessibility issues, and assisting in developing policies and procedures to improve the College’s accessibility posture. The Accessibility Committee is chaired by the College’s Chief Diversity Officer, and includes representatives from Campus Technology Services (CTS), Office of Disability Resources (ODR), the Library, and others.
1. Web Accessibility
These procedures apply to all Purchase College - State University of New York (PC) web pages and programs used to conduct PC business and activities including web resources used in courses.
All web pages, websites and web-based software published, hosted or used (including remotely hosted sites and software) by the College will meet the standards and guidelines outlined in the Web Content Accessibility Guidelines (WCAG) published by the W3C. All materials will meet Level AA guidelines with limited exceptions allowed where technology does not permit. All College websites will link to the College’s main Accessibility page which includes a statement of commitment to Web accessibility.
All Administrative Departments and Academic Programs:
Campus Technology Services and Communications and Creative Services:
Campus Accessibility Committee:
2. Instructional Materials Accessibility
These procedures apply to all electronic instructional materials (syllabi, textbooks, presentations, handouts, etc.). This includes electronic instructional materials delivered within the College’s learning management system, in face-to-face classes, or in an alternate fashion (email, blogs, etc.) and electronic instructional activities (online collaborative writing, web conferencing, etc.). If the curriculum includes student production of shared media or documents, students should be encouraged to follow these same standards.
All electronic instructional materials, optional and required, will be accessible and as effective and useable for persons with disabilities as they are for persons without disabilities. Instructional materials and activities will be made available to all students at the same time.
All instructional materials should meet all applicable standards (see 1.2) and guidelines outlined in this policy.
All Academic and Administrative Departments and Programs:
Faculty and instructional staff:
Teaching, Learning, and Technology Center:
Campus Technology Services:
Capital Facilities Planning / Office of Disability Resources
Campus Accessibility Committee:
3. Document Accessibility
These procedures apply to all College-produced and maintained or distributed electronic documents. Electronic documents include, but are not limited to word processing documents, PDFs, presentations, publications, and spreadsheets which are scanned, uploaded, posted, or otherwise published or distributed electronically. Legacy documents must be updated and made accessible as needed or when reused.
Electronic documents must be accessible. Electronic interaction with College policies, procedures, notifications, and other documents must be accessible and as effective and useable for persons with disabilities as they are for persons without disabilities.
Electronic documents must meet the standards and guidelines outlined in the Guidance on Applying WCAG to Non-Web Information and Communications Technologies, published by the W3C as the Working Draft 13 December 2012.
All departments and programs and all College employees:
Library / TLTC:
Campus Technology Services / Office of Disability Resources / Communications and Creative Services:
4. Electronic Media Accessibility
All media resources used in College programs and activities must be accessible. For example, this includes, but is not limited to: instructional, directional/informational, and promotional media.
Media resources will be closed captioned and audio-described and audio resources will be transcribed. Transcripts may be provided as an alternative accommodation for media resources that the College does not have rights to caption.
All departments, programs, instructors, and employees:
Teaching, Learning, and Technology Center:
Campus Technology Services and Production Services:
Communications and Creative Services:
Campus Accessibility Committee:
Accessibility of Archived Materials: Purchase College is working to ensure that all materials stored in college archives are fully accessible. If you encounter materials that you are interested in using that are not accessible, please write us a note using the “Report Accessibility Barriers” form. Please be sure to name and list the materials you are interested in, and we will prioritize conversion of those items for you, taking into account the timing of your need for the instructional materials. You will be notified when your requested archive files are converted and your request is completed.
5. Software, Hardware, and Systems Accessibility
All software, hardware, and systems used or acquired by the college must be accessible and compatible with assistive technology. Examples include, but are not limited to:
Software accessed through a web browser must also be accessible and is discussed under section 1 of these procedures.
Purchase College will use the following standards to determine accessibility:
All Departments and Units:
Campus Technology Services:
Instructional Technology Advisory Committee (ITAC):
Campus Accessibility Committee
This process applies to all College purchases of Electronic and Information Technology (EIT) software, hardware and services.
Purchase orders and contracts for software, services, and hardware will include the following clause:
“Vendor acknowledges New York State Information Technology Policy: Accessibility of Web-Based Information and Applications (NYS-P08-005), and acknowledges that equipment and software being provided enable equal and effective access to all individuals in accordance with federal and state laws and regulations, including, but not limited to W3C’s Web Content Accessibility Guidelines (WCAG) Level AA and the Web Accessibility Initiative Accessible Rich Internet Applications Suite (WAI-ARIA) for web content, the Americans with Disabilities Act of 1990 (ADA), Section 504 of the Rehabilitation Act of 1973, and Section 508 of the 1973 Rehabilitation Act.”
All Departments, units and college employees:
Governance of Administrative Systems and Processes:
Purchase College Association (Auxiliary Services):
The Purchase College Electronic Information Accessibility Policy and Procedures becomes effective immediately upon the signature of the College President below.
|Email Account Naming Policy|
Purchase College email is the “official communication channel” for Purchase College. All faculty and staff email addresses published on our public-facing website are their official purchase.edu addresses.
When faculty and staff are hired, their legal name is used for the HR appointment transaction. Completed hiring transactions are fed into the Banner system overnight, and an account is automatically created based upon the name used for the HR transaction.
For full-time matriculated students, the legal name provided on their application is used as the basis for the account name. For CE students, the name provided on their registration form is used as the basis of the account name.
The automated account provisioning process will first try to use the full First.Last legal name to create the account – but there are several conditions that may impact that:
Faculty and Staff Account Names
The account naming process is fully automated. HR paperwork must be completed using your actual legal name. An automated process generates your account name from that legal name.
However, there is a “preferred name” available for faculty and staff, so professional names can be associated with your email account.
For faculty and staff wishing to change their account name, please file a CTS Work Order.
Your account name is used for everything from email to Banner to Moodle to SUNY Time and Attendance systems.
Changing Account Names:
We do accommodate bad data fixes (typos, misspellings, etc.)
In cases of a legal name change (marriage, etc.) upon request we will establish a temporary forwarding alias from the old account name to the new for a period of 90 days to allow previous contacts to acclimate to the new account name.
Other than legal name changes, we cannot entertain any permanent aliases for a variety of reasons. Aliases multiply the namespaces occupied by one individual, and exponentially complicate management of our email system.
Earnest.Employee (legal name) may prefer to be called Ernie.Employee – but when another person arrives with an actual legal name “Ernie.Employee” – the account creation process fails.
Allowing aliases also invites abuse – some would like to have an alias of “Little.Kitty@purchase.edu” that would clearly not be appropriate, and CTS cannot adjudicate what is and isn’t appropriate.
Rare exceptions to the “no aliases” rule are possible – but must be kept to a minimum (there are only 2 aliases in use today.)
HRETS makes no accommodation for “professional/preferred name” so – automation is not possible at this time.
Within Banner, the Registrar’s office can accommodate Professional/Preferred names for Faculty, but these only affect how the Faculty’s name will appear within myHeliotrope (SSB).
Professional name would also have the same constraints as legal name – it may be in use already, too long, etc. Professional/Preferred name occupies an additional account namespace (legal name is still the account name, alias is a second name).
Account names exist in perpetuity, so any name that is used – ever - is gone - forever. This applies to anyone who becomes a student or an employee. (The only exception is for Accepted applicant accounts – which are purged completely and the namespace recovered if they never actually enroll.)
Use of Off-Site Email for Official Business is prohibited
College accounts are for College business – personal accounts are for personal business. Our policies and recommendations cannot contradict or even muddy that basic distinction.
A faculty member using their @purchase.edu address is clearly identifying themselves as a member of the College community on official business. In contrast, Floaty@aol.com is likely to end up ignored and deleted.
Blanket forwarding of email to off-site accounts is disabled. Email often may contain personal, private, and sensitive information about students or about college operations. Blanket forwarding puts official records outside of Purchase College, and is legally problematic.
|Email Forwarding Policy|
Longstanding Enrollment Services policy identifies College email as the “official communication channel.” No blanket forwarding of College email to off-campus accounts is permitted for faculty and staff.
A faculty member using their @purchase.edu address is clearly identifying themselves as a member of the College community on official business. In contrast, Floater@aol.com sounds like poo in the pool, and is likely to end up ignored and deleted (that is/was an actual faculty member’s off-site email address.)
All faculty email addresses published on our public-facing website are their official purchase.edu addresses.
We all have off-site addresses, but we don’t publish those, and we should all be using our official college accounts for official business.
In the course of investigating an incident we discovered someone who set up automatic forwarding of all messages to an external account. That is dangerous since email (despite all our warnings) sometimes contains personal, private, and sensitive information about students or about college operations. Blanket forwarding also puts official records beyond the reach of legal discovery in the event of an HR investigation.
College accounts are for College business – personal accounts are for personal business. Our policies and recommendations cannot contradict or even muddy that basic distinction.
Once the automatic forwarding was identified, we looked to see how many people had set up forwarding rules. Out of 1,000 employees, only 39 individuals were identified as having automatic forwarding. Out of those 39 people, only 25 are faculty – and almost all of those are Adjuncts.
Each of the 39 was individually notified in mid-July that the forwarding rule would be disabled. Email messages can still be individually forwarded as necessary – only automatic blanket forwarding was disabled.
Primary and Required Official Channel
Email is the College’s primary means of communication between students, faculty, and staff. Messages regarding course information, important deadlines, missing documents and official correspondence are sent to your Purchase email account.
All faculty, staff, and students are required to use the Purchase College email system when conducting College business. The College expects that official email communications will be received and read in a timely fashion.
Do Not Forward
It is important that messages sent to your official Purchase email account are delivered to the intended recipient. It is important that official and sensitive College communications remain secure, and therefore Purchase College does not support automatic forwarding or redirection of email messages to external email accounts.
Storing Important and Sensitive materials
Important and sensitive materials should not be kept in your email account. With fragmented discussions and out‐of‐band replies, Email makes a terrible filing cabinet. If you send or receive important or sensitive materials via Email, save those materials in a secure location (Departmental file share or your Home Directory) and delete them from your Email.
Think of your Email account like the mailbox bolted to the front of your house – you would never think of storing anything sensitive or important there – it serves as a drop‐off location only, and you empty it regularly.
Per the Purchase College Email Retention Policy, Email messages are automatically purged at the end of our 3‐year retention period.
All College records are subject to legal discovery. If a particular email message has been flagged for legal hold preservation, that message is automatically exempted from the 3‐year retention purge.
|Email Retention Policy|
In accordance with SUNY and NYS record retention policies, Purchase College email systems will automatically retain messages for three years on active email servers. After three years, email messages will be automatically purged from the system. This automatic deletion policy applies to messages within all folders (inbox, sent, draft file folders, etc.) on Purchase College email servers.
In addition, Purchase College email systems are also configured to purge items in the “deleted items” folder after 90 days. Items in the “deleted items” folder are messages that were marked for deletion by the recipient.
All Purchase College email system users are expected to:
The policy provides Purchase College with an email management policy that brings us into compliance with legal and regulatory requirements, and improves the College’s operational efficiency and effectiveness. This email retention policy applies to:
1. All Purchase College email systems
2. All users and account holders of Purchase College email accounts
3. All email sent or received using Purchase College email systems
These email messages are normally created for purposes of routine communication or information exchange, and as such, they are not considered official College records. These messages should be considered transitory messages that do not have lasting value (defined below) and should be:
1. Read and promptly deleted; or
2. Read and retained on the active server for no longer than the default retention period (defined below) or until their usefulness has ended (whichever occurs first), and then promptly deleted; or
3. Read and moved off the active server when job requirements necessitate retention for periods longer than the default retention period, and then promptly deleted when their usefulness has ended.
Examples of transitory messages:
Lasting Value Messages
Email is not a record retention or document management system, so messages with lasting value:
1. Should be moved to dedicated storage on departmental/office networked file systems; and
2. Should not be stored exclusively within individual users’ email folders/files.
These email messages exhibit one or more of the following characteristics that imply lasting value:
Have operational value (required by a department to perform its primary function)
Have legal or evidentiary value (required to be kept by law or of value in prosecution of a claim)
Have fiscal value (related to the financial transactions of the campus)
Have historical significance (of long term value to document past events)
Contain vital information critical to maintaining operational continuity after a disruption or disaster
Vital records or information may fall into any one of the above value categories
Examples of Lasting Value messages:
Announcement of or change to college or departmental policy
A message assigning an employee to perform a task
Responsibility for Retention of Messages with Lasting Value
Only the departments responsible for retention of specific types of records need to store and control the disposition of that information. For example,
1. If a department issues a policy change announcement via broadcast email, then that department is responsible for retaining that record (and not every recipient);
2. If a department manager was cc’d on a message that Purchasing used to send an electronic copy of a Purchase Order to a vendor, then the department manager does not need to retain a copy of the Purchase Order record; the Purchasing Office is responsible for retention of all purchasing records.
Electronic mail (email) messages enable us to communicate internally with the Purchase College community and externally with prospective students, applicants, prospective employees, alumni, vendors, and colleagues across the world. The 2006 amendment to the Federal Rules of Civil Procedure addressing the discovery of electronically stored information requires institutions to establish email retention policies. New York State also has specific Records Retention Policies. This Purchase College Email Retention Policy establishes the default retention period for email stored on college email servers. This policy also identifies roles and responsibilities for litigation holds with respect to materials stored on college email servers.
Under normal circumstances, official records (policy documents, personnel records, financial transactions, etc.) will exist outside of the college’s email messaging system, and are retained in those source locations rather than in email messaging systems. For this reason, email messages are not normally considered “official records.” While official records are often transmitted through email messaging systems, copies of those official records must be retained by the office which originated the records.
The responsibility for determining whether a specific message has lasting value falls to the holder of the message. Senders and recipients should not retain messages any longer than necessary for their respective job purposes. When that need no longer exists, the messages should be destroyed.
For messages that the holder determines are of lasting value, the holder should store those messages outside of the messaging system – to a file folder in a personal home directory or a departmental file share. Messages can be moved to a file folder by drag-and-drop (to preserve message header information).
Questions about the proper classification (transitory or lasting value) of a specific message, record, or piece of information should be directed to the employee’s unit head, manager, or department chair.
New York State Records Retention Policy ‐ Default Retention Periods:
New York State Records Retention Policy states that normal business materials should be retained for three business cycles (three years), and financial records should be retained for seven business cycles (seven years.) At the end of that retention period, the records should be destroyed.
Backup copies of Purchase College email system files are kept for six months. These backups are for system restoration and disaster recovery purposes, and are not designed to or intended to facilitate retrieval of deleted messages.
While email may be considered transitory or of lasting value, the contents of email are subject to discovery when a litigation hold is issued. When litigation against the college or its employees is pending or reasonably expected, the college may receive a litigation hold notice from SUNY legal counsel instructing us to preserve all documents and records relevant to the matter being litigated.
A litigation hold directive overrides this email retention policy, as well as any record retention schedules that may have otherwise called for the transfer, disposal or destruction of relevant documents, until the hold has been cleared.
Email and account contents of separated employees that have been placed on litigation hold status must be maintained by Campus Technology Services (CTS) until the hold is released.
No employee who has received a litigation hold notice may alter or delete an electronic record that falls within the scope of that notice. A litigation hold may also cover access to electronic records that the subject has downloaded, saved, or moved to other storage accounts or devices.
IV. ROLES & RESPONSIBILITIES
Campus Technology Services (CTS) will:
Department heads and unit managers are responsible for reviewing records retention policies and providing guidance to staff and faculty within their respective units. The guidance provided must be in accordance with this policy.
Originators of electronic messages, records, and information that have lasting value are responsible for:
College employees who have been notified by management of a litigation hold are responsible for preserving all messages, records, and information that fall within the scope of the hold that they have downloaded and/or stored locally, and must provide copies of all records related to the litigation hold to HR.
Human Resources (HR) will:
Moderate review of records that may be relevant to HR investigation or litigation hold requests
Act as custodian for records that are deemed relevant to HR investigation or litigation hold requests
V. Related Information:
|Email, Laptop, Desktop, File Share Privacy|
As an academic institution, Purchase College recognizes that it is absolutely
This policy describes the Purchase College privacy practices regarding
This policy covers the college email accounts that are assigned to employees
This policy specifically does not cover information stored in departmental file shares on a server—even if that departmental file share contains a subfolder that may be in the individual’s name. Departmental file shares are specifically set up to be used to store shared documents, and unit supervisors have access to all materials stored in a departmental file share.
Supervisors should note that departmental file shares are the preferred
College Email, Personal Home Directories, and Desktop or Laptop Disk Drives
The entire contents of each individual’s email account, personal home directory, and desktop or laptop disk drive(s) are considered private.
No other college employees will access or view the contents of these for any
Specific written approval should be in the form of a completed Security
Supervisors seeking access to departed employee materials must obtain
|Equipment Loan Policy|
CTS loan policies and procedures are enforced to ensure the security of equipment and the equal opportunity for usage by all students.
CTS maintains a pool of equipment available to students, faculty and staff, by request through the CTS Work Order System.
We do our best to accommodate all requests - including the last-minute ones. Equipment should be reserved in advance to increase the likelihood of availability. Equipment is primarily reserved for academic purposes, and priority is given to students over faculty and staff. Equipment is reserved in the order in which it is received, but special circumstances may be accommodated. Equipment may be borrowed over breaks, but permission from the instructor through the work order system or by email is needed for students to borrow equipment between semesters.
Most equipment can be borrowed at any time for a period of one week. Requests for longer than one week will be assessed on a case-by-case basis and will be granted or denied based on academic need, student demand, and availability of the requested items. The “Comments” section of the work request should briefly give the reason for the loan request, as priority will be given to requests for academic purposes.
Reserved equipment can be picked up and returned at the CTS Helpdesk (Social Sciences Room 0025) anytime during our normal business hours.
Those unable to pick up requested equipment by the specified date should notify CTS by phone or through the work order system. CTS will hold the equipment an extra day upon request, but then the equipment will be returned to the loan pool, and a new request must be submitted.
CTS may decline or cancel requests for a variety of reasons, including misuse, damage, loss, or late return, or for other reasons at the discretion of CTS.
The borrower assumes full responsibility for the equipment. Equipment not returned on time will be marked as late and incur charges daily starting at $1 a day per item up to $5 a day per item. The amount of the late fee is determined by the value of the item. Cameras and camcorders are $5 a day, audio recorders are $5 a day, microphones are $1 a day, tripods are $1 a day, stands and boom poles are $1 a day, light kits are $5 a day, projectors and displays are $5 a day, laptops and tablets are $5 a day, and other small peripherals are $1 a day. The final charge will be calculated on the day the late equipment is returned. For lost or broken equipment, the borrower will be charged the full replacement or repair cost of the items in question.
CTS will inspect equipment before pick up and upon return. The individual borrowing the equipment should check the equipment and report any missing and/or damaged pieces before leaving CTS with the equipment. Also, if any equipment is damaged or broken while out, it should be reported to CTS upon return. Equipment should be checked for presence of equipment reserved and general condition of equipment.
All electronic communications for equipment requests from CTS are done through the CTS Work Order System and will appear in the requestor’s Purchase email account Inbox from “Purchase College Work Order System” with the subject line “CTS Work Order Status Report”.
Individuals are advised not to give equipment to others while it is signed out to them.
All equipment must be returned in the same condition in which it was loaned out.
|Faculty and Staff Computer Replacement|
Under the provost’s faculty computer replacement cycle, full-time faculty will receive a new computer approximately every five years. Computers for part-time faculty are the responsibility of the individual academic unit managers, but they should also receive a new computer approximately every five years.
Computers for college staff are the responsibility of the individual unit.
New computers will be imaged, joined to the domain, and loaded with college-provided software, including:
When new computers are provided by the college or the unit, the old out-of-warranty computers must revert to CTS for disposal and recycle. (Computers are classified as hazardous waste due to the lead, mercury, and heavy metals they contain.)
Prior to July 2008, Dell and Apple computers purchased through Purchase College were purchased with a three-year warranty covering hardware replacement, all peripherals, and on-site service. As of June 2010, we are purchasing computers with a five-year warranty through Hewlett Packard or Dell. Since July 2008, all Dell and HP computers purchased through the college carry a five-year warranty. Apple computers will carry a three-year warranty. In accordance with the state contract with Dell and HP, the warranty is included in the price of the computer. If you are purchasing an Apple, you should add (at extra expense) the AppleCare warranty.
Replacing Computers at the End of Their Service Warranties
When out of warranty, computers may be functioning and still serve the user’s needs, but these computers often become a liability and cost the college a great deal of money in time and labor. When hardware problems arise with out-of-warranty computers (and experience tells us they will), and they are no longer under contract to be serviced by Dell, HP, or Apple, they take an inordinate amount of time and effort to repair. Even worse, it is only a matter of time before a hard drive failure causes the loss of important data that may be next to impossible to replace. CTS technicians often are left with no choice but to put an enormous amount of time and effort to recover data and fix computers that are out of warranty and that should have been replaced. In many cases, the cost in personnel time keeping old hardware running exceeds the cost of a new computer.
When CTS is unable to recover important data, an outside agency may be required in a final attempt at recovering the lost data. The cost to the machine’s owner can be thousands of dollars. Out-of-warranty, slow computers are often brought to CTS for troubleshooting because the departments to which they belong are reluctant to spend money to purchase a new computer if they can get a little more time out of their old and obsolete computers. This contributes to inefficient use of college resources. The cost in time and labor almost always exceeds the amount of money the department saves by delaying the purchase of a new computer. Inevitably, the old computers still do not function as well as the owners hope, and more calls are again placed to CTS for service.
While we understand each department’s desire to save money by holding onto a computer that is still running, we would like to make you aware that your decision to keep your old computer comes with a steep price and yields less than adequate results. CTS may decline to provide service in cases where the computer is out of warranty and we determine that providing the necessary service is inadvisable. In addition, the “old computer” problem is often compounded by cascading upgrades —we are asked to give the old computer to so-and-so, and so-and-so’s old computer goes somewhere else—multiplying the workload.
Many people who were using a computer beyond the three-year replacement cycle will suddenly find themselves with a computer that will no longer work because it does not meet the minimum specifications to run the latest Windows operating system.
It is strongly advised that all departments replace computers at the end of their service warranty. Once a new computer is delivered, it will replace the out of warranty computer which will then be brought back to CTS for disposal and recycle.
How to Order a New Computer or Replace an Old One
Please submit a work request through The CTS Work Order System for the type of computer you wish to purchase and CTS will get back to you with options.
|Identity and Access Management Policy|
Students are granted Purchase College Credentials upon Admission to the college, or upon registration for a course as an LSCE student, summer camp participant, or other non-application-based programs. An active email box is granted along with student credentials (UserID and Password).
Use of Student Credentials:
Students must use this account to interact with college systems – class DLs, Moodle assignments, etc. All official communications from the college to students will be sent to the college email account.
Persistence of Student Credentials:
Student email accounts persist for 18 months after their last course/activity registration. However, Student credentials persist forever – their email mailbox is eliminated 18 months after their last registration, but their UserID and Password remain active so that they can request transcripts, register for additional classes, etc.
Students may elect to set up email forwarding through the self-service menu. Email forwarding will associate an external email mailbox with their Purchase College email address, so that even after Barney.Rubble@purchase.edu has their mailbox de-activated, any email sent to that address will be forwarded to the external email address they specify.
If a student whose email mailbox has been retired registers for another class, a new (and empty) mailbox will be created and associated with their existing credentials (UserID and password.) This is a manual process.
Extended Access to College Systems for students:
If a student requests continued access to college systems beyond the 18-month grace period following their last registration, an academic department/BOS can create a P-Dash volunteer transaction for the student.
Students may choose to grant parent/guardian credentials with specific privileges through the Banner Self-Service Proxy function. Parent/Guardian credentials are created within the Banner database (no more sub-domain.) No Purchase College email is created for parent/guardian accounts – P/G accounts are associated with an external email where notifications are sent.
Use of Parent/Guardian Credentials:
Parents/Guardians must use this account to interact with college systems. Students typically grant P/G access to pay their Purchase College bills, view grades, and view schedules – all of which are available through the self-service Banner menu.
Persistence of Parent/Guardian Credentials:
Students grant P/G credentials, and can renew their access as necessary while the Student credential remains valid.
Faculty and Staff Credentials:
All faculty and staff are granted Purchase College Credentials and a campus email mailbox upon their appointment to a position at the college. This group includes all full and part-time faculty and staff, adjunct faculty, and all other persons appointed via PAF in the HRETS system.
Use of Faculty and Staff Credentials:
Faculty and staff use their Purchase College credentials to interact with Purchase College and SUNY systems. Faculty and staff must use their Purchase College email account for conducting all official college business. Faculty and staff are discouraged from using their Purchase College email account for personal business.
Persistence of Faculty and Staff Credentials:
Faculty and Staff credentials persist through their last day of service to the college*. The last day of service is considered to be the “End of Service” date specified on a terminal PAF. For Adjunct or Temporary Service PAFs, the end-of-service date is the ending date for that Temporary Service appointment, unless the originating PAF TS appointment includes an “extend email privileges until” date. (* A 60-day grace period is applied for employee accounts.)
Extended Access to College Systems for Faculty and Staff:
There is a process for requesting extended account privileges beyond the last day of college service, with executive approval. In cases where a faculty or staff member is a former student, on their last day of service, their group membership will be updated to reflect an alumni only role, and their mailbox will be disabled – but their credentials will remain - as they would for any student.
Volunteers, Contractors, Vendors, Guests, and other “Affiliated” Community Members:
Upon sponsorship of their role at the college using the HRETS Person Data Sheet (P-Dash), persons in this category are granted College Credentials and an email mailbox.
Campus supervisors use the P-Dash form to sponsor persons to a specific role at the college for a specific period of time. Persons in this category may be active in multiple and even simultaneous sponsored roles at the College, but will receive one active credential.
Use of Affiliate Credentials:
Persons in the affiliated category use their Purchase College credentials to interact with college and SUNY systems. Persons in the affiliated category must use their Purchase College email account for conducting official College business, and are discouraged from using the account for personal business.
Persistence of Affiliate Credentials:
For persons in the affiliate category who are provisioned via the P-Dash form, credentials persist through their last day of service to the college. The last day of service is the end-of-service date listed on their P-Dash form. Note that there is no automatic grace period as there is for regular college employees. However, the affiliate – and their sponsoring supervisor – will receive notification of the pending expiration of the P-Dash account 30 days before its ending date, and again at 20 days and 10 days.
Extended Access to College Systems for Affiliates:
There is no process for requesting extended account privileges beyond the last day of college service for affiliate credentials. However, a sponsoring office can choose to re-appoint the affiliate using another P-Dash transaction for an additional period of time. In cases where an affiliate is a former student, their group membership will be updated to reflect an alumni only role, and their mailbox will be disabled – but their credentials will remain - as they would for any student.
This policy describes the Information Privacy and Accessibility Policies in use on the College’s Web Site.
Customize the Site to Fit Your Needs
To make the Purchase College website easier to read and navigate, you can change the display settings, such as:
The BBC website “My Web My Way” offers a useful guide to adjusting these and other features in your specific operating system and browser.
This website is designed to make it easier and more efficient for individuals and businesses to interact with Purchase College. Purchase College recognizes that it is critical for individuals and businesses to be confident that their privacy is protected when they visit the Purchase College website.
Consistent with the provisions of the Internet Security and Privacy Act, the Freedom of Information Law, and the Personal Privacy Protection Law, this policy describes the Purchase College privacy practices regarding information collected from users of this website. This policy describes what information is collected and how that information is used.
For purposes of this policy, “personal information” means any information concerning a natural person, which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person. Purchase College does not collect any personal information about you unless you provide that information voluntarily by sending an email, responding to a survey, or completing an online transaction.
Information Collected Automatically When You Visit this Website
None of the foregoing information is deemed to constitute personal information. The information that is collected automatically is used to improve this website’s content and to help Purchase College understand how users are interacting with the website. This information is collected for statistical analysis, to determine what information is of most and least interest to our users, and to improve the utility of the material available on the website. The information is not collected for commercial marketing purposes, and Purchase College is not authorized to sell or otherwise disclose the information collected from the website for commercial marketing purposes. As a campus of the State University of New York, Purchase College does report application information to SUNY, and that information may include information collected through the Purchase College website.
To better serve you, we may use “session cookies” to enhance or customize your visit to this website. Session cookies can be created automatically on the device you use to access the Purchase College website; they do not contain personal information and do not compromise your privacy or security. We may use the cookie feature to store a randomly generated identifying tag on the device you use to access this website. A session cookie is erased during operation of your browser or when your browser is closed.
If you wish, you may complete a registration to personalize this website and permit a “persistent cookie” to be stored on your computer’s hard drive. This persistent cookie will allow the website to recognize you when you visit again and tailor the information presented to you based on your needs and interests. The Purchase College website uses persistent cookies only with your permission.
The software and hardware you use to access the website allows you to refuse new cookies or delete existing cookies. Refusing or deleting these cookies may limit your ability to take advantage of some features of this website.
Information Collected When You Email This Website or Complete a Transaction
During your visit to this website, you may complete a transaction such as a survey, registration, or order form. The information, including personal information, volunteered by you in completing the transaction is used by Purchase College to operate Purchase College programs, which include the provision of goods, services, and information. The information collected by Purchase College may be disclosed by Purchase College for those purposes that may be reasonably ascertained from the nature and terms of the transaction in which the information was submitted.
Purchase College does not knowingly collect personal information from children or create profiles of children through this website. Users are cautioned, however, that the collection of personal information submitted in an email will be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access. The Agency strongly encourages parents and teachers to be involved in children’s Internet activities and to provide guidance whenever children are asked to provide personal information online.
Information and Choice
Disclosure of Information Collected Through This Website
However, Purchase College may collect or disclose personal information without consent if the collection or disclosure is: (1) necessary to perform the statutory duties of the Purchase College, or necessary for Purchase College to operate a program authorized by law, or authorized by state or federal statute or regulation; (2) made pursuant to a court order or by law; (3) for the purpose of validating the identity of the user; or (4) of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.
Further, the disclosure of information, including personal information, collected through this website is subject to the provisions of the Freedom of Information Law and the Personal Privacy Protection Law.
Purchase College may disclose personal information to federal or state law enforcement authorities to enforce its rights against unauthorized access or attempted unauthorized access to Purchase College’s information technology assets.
Retention of Information Collected Through this Website
Access to and Correction of Personal Information Collected Through This Website
The privacy compliance officer shall, within five (5) business days of the receipt of a proper request, provide access to the personal information; deny access in writing, explaining the reasons therefor; or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not be more than thirty (30) days from the date of the acknowledgment.
In the event that Purchase College has collected personal information pertaining to a user through the website and that information is to be provided to the user pursuant to the user’s request, the privacy compliance officer shall inform the user of his or her right to request that the personal information be amended or corrected under the procedures set forth in section 95 of the Public Officers Law.
Confidentiality and Integrity of Personal
In addition, Purchase College has implemented procedures to safeguard the integrity of its information technology assets, including, but not limited to, authentication, monitoring, auditing, and encryption. These security procedures have been integrated into the design, implementation, and day-to-day operations of this website as part of our continuing commitment to the security of electronic content as well as the electronic transmission of information.
For website security purposes and to maintain the availability of the website for all users, the Agency may employ software to monitor traffic to identify unauthorized attempts to upload or change information or otherwise damage this website.
External Internet Site Disclaimer
External linked websites are not provided as a benefit to the linked party. Inclusion of the linked websites does not imply or constitute an endorsement or promotion by SUNY or Purchase College of any persons or organizations sponsoring the displayed websites.
If you decide to visit any linked site, you do so at your own risk and it is your responsibility to take all protective measures to guard against viruses or other destructive elements inherent on the internet.
You can contact the Helpdesk at:
For questions regarding this policy, please contact:
|Information Sensitivity Policy|
The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Purchase College without proper authorization.
The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing). All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect confidential information. The impact of these guidelines on daily activity should be minimal. Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the College’s Information Security Officer (ISO).
All Purchase College information is categorized into two main classifications:
Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any adverse consequences. As a public institution, the College publishes a wide range of information including enrollment statistics, strategic planning information, operational procedures, etc. As an educational institution, the College seeks open communication and participation from its community students, faculty and employees, and the public we serve.
Confidential information contains all other information, and is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Confidential information should be protected closely, and includes various types of information:
In all cases, Purchase College personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor.
The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as information in each category may necessitate more or less stringent protection depending upon the circumstances and the nature of the confidential information in question.
Marking guidelines for information in hardcopy or electronic form: Marking is at the discretion of the owner or custodian of the information. If marking is desired, “Confidential” may be written or designated in a conspicuous place on or in the information in question. Even if no marking is present, College information is presumed to be “Confidential” unless expressly determined to be Public information by a Purchase College employee with authority to do so.
Access: Purchase College employees, contractors, people with a business need to know.
Distribution within Purchase College: Standard interoffice mail, College electronic mail and electronic file transmission methods.
Distribution outside of Purchase College internal mail: U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.
Electronic distribution: No restrictions except that it be sent to only approved recipients.
Storage: Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.
Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.
Marking guidelines for information in hardcopy or electronic form: As the sensitivity level of the information increases, you may, in addition to or instead of marking the information “Confidential” or “Proprietary”, wish to label the information “Purchase College Internal Use Only” or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.
Access: Purchase College employees and non-employees with signed non-disclosure agreements who have a business need to know.
Distribution within Purchase College: Standard interoffice mail, College electronic mail and electronic file transmission methods.
Distribution outside of Purchase College internal mail: Sent via U.S. mail or approved private carriers.
Electronic distribution: No restrictions to approved recipients within Purchase College, but should be encrypted or sent via a private link to approved recipients outside of Purchase College premises.
Storage: Individual access controls are highly recommended for electronic information.
Disposal/Destruction: In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.
Marking guidelines for information in hardcopy or electronic form: To indicate that Purchase College Confidential information is very sensitive, you may label the information “Purchase College Internal: Registered and Restricted”, “Purchase College Eyes Only”, “Purchase College Confidential” or similar labels at the discretion of your individual business unit or department. Once again, this type of confidential information need not be marked, but users should be aware that this information is very sensitive and should be protected as such.
Access: Only those individuals (Purchase College employees and non-employees) designated with approved access or non-disclosure agreements.
Distribution within Purchase College: Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods.
Distribution outside of Purchase College internal mail: Delivered direct; signature required; approved private carriers.
Electronic distribution: No restrictions to approved recipients within Purchase College, but it is highly recommended that all information be strongly encrypted.
Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored in a physically secured computer.
Disposal/Destruction: Strongly Encouraged: In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.
Any employee found to have violated this policy might be subject to disciplinary action, up to and including termination of employment.
To minimize risk to the College from an outside connection or individual. Purchase College computer use by unauthorized personnel must be restricted so that, in the event of an attempt to access Purchase College corporate information, the amount of information at risk is minimized.
Configuration of Purchase College-to-other business connections
Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.
Delivered Direct; Signature Required
Do not leave in interoffice mail slot, call the mail room for special pick-up of mail.
Approved Electronic File Transmission Methods
Includes supported FTP clients and Web browsers.
Envelopes Stamped Confidential
You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and mark it confidential.
Approved Electronic Mail
Includes the campus mail system supported by CIS only. If you have a business need to use other mail services contact the appropriate support organization.
Approved Encrypted email and files
Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms.
Purchase College Information System Resources
Purchase College Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.
To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, such as that supplied as a part of Norton Utilities. Otherwise, the PC or Mac’s normal erasure routine keeps the data intact until overwritten.
Individual Access Controls
Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner.
Insecure Internet Links
Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of Purchase College.
Paper Information: Sensitive information should be secured in locking fireproof cabinets, locked cabinets, or locked and alarmed offices depending on the nature of the information. Visitors should be escorted when in areas containing confidential information. Confidential information should not be left unattended or in plain sight in publicly accessible areas. Confidential information that is outdated or no longer needed, and for which retention schedules have expired should be stored in appropriately marked containers until shredded.
Electronic information: Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.
Individuals or organizations requesting confidential information should be challenged to provide appropriate credentials and their identity verified before releasing confidential information to them.
|Known Desktop Applications (AppLocker) Policy|
AppLocker is a Microsoft technology that allows administrators to control which applications are allowed to run in order to prevent the launching or installation of malicious software.
AppLocker will be used to secure college-managed computers that have a supported version of the Windows Operating System. AppLocker rules will be configured to block malware and allow applications required for academic and business purposes. A best effort will be made to allow other applications requested by users if the application does not pose a security risk and if a rule to allow it can be configured in a secure manner.
If you receive the message “Your system administrator has blocked you from running this program”, it is most likely because the application does not match an AppLocker rule that would allow it to run. If you receive the message, please open a work order or call the helpdesk to let us know.
If you do not recognize the program name and location, your computer could have malicious software or it could simply be a benign application, like an auto-updater, trying to run.
If the application is something you are trying to open and want, please provide us some details so we can determine if we can create a rule to allow it. Basic information like the name of the software, its purpose, why you need it, and any other information you believe to be relevant is enough to begin a review.
Applications that run from standard locations, like the Program Files or Windows directories, are automatically permitted to run, so they do not require any special permissions. However, applications that run from any location within a user directory (e.g. C:\Users\first.last\AppData\) need to have a rule created to allow them to run. Most publishers now sign their applications with a digital certificate that can be used to verify that the software comes from a legitimate developer. Signed applications that are not malicious can usually be granted permission to run. However, some developers do not sign their applications. If an application is unsigned and its executables reside within a user-writable directory, it might not be possible to securely configure a rule to allow it, so a request to allow it may have to be denied.
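The review described above can be sketched with the built-in AppLocker and Authenticode cmdlets. This is an added example, not the College's own tooling; the function name, its output fields, the rule name prefix and the sample path are hypothetical.

```powershell
# Added example: assess a request to allow an application, following the
# criteria in the policy text (location, signature, current AppLocker decision).
function Get-AppLockerRequestAssessment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Account the effective policy is evaluated for (assumption: Everyone).
        [string]$User = 'Everyone'
    )

    $fullPath = (Get-Item -LiteralPath $Path -ErrorAction Stop).FullName

    # Helper: is $fullPath located underneath the given root directory?
    $isUnder = {
        param($root)
        $root -and $fullPath.StartsWith($root.TrimEnd('\') + '\',
            [System.StringComparison]::OrdinalIgnoreCase)
    }

    # "Standard locations" from the policy: Program Files and Windows.
    $standardRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir)
    $inStandardLocation = [bool]($standardRoots | Where-Object { & $isUnder $_ })

    # "User directory": anything below the profiles root, e.g. C:\Users\.
    $inUserDirectory = [bool](& $isUnder (Split-Path -Parent $env:USERPROFILE))

    # A valid signature identifies the publisher; it does not prove the
    # software is benign, so a signed file still needs a human review.
    $signature = Get-AuthenticodeSignature -LiteralPath $fullPath
    $isSigned  = $signature.Status -eq 'Valid'

    # What the policy currently in effect on this machine decides.
    $decision = Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $fullPath -User $User

    $draftRuleXml = $null
    if ($decision.PolicyDecision -eq 'Allowed') {
        $recommendation = 'Already allowed by the effective policy'
    }
    elseif ($isSigned) {
        # Draft a publisher rule for review only; nothing is applied here.
        $fileInfo = Get-AppLockerFileInformation -Path $fullPath
        $draftRuleXml = New-AppLockerPolicy -FileInformation $fileInfo `
            -RuleType Publisher -User $User -RuleNamePrefix 'Requested' -Xml
        $recommendation = 'Signed: candidate for a publisher rule after review'
    }
    elseif ($inUserDirectory) {
        $recommendation = 'Unsigned in a user-writable directory: no secure rule possible, likely deny'
    }
    else {
        $recommendation = 'Unsigned outside standard locations: review manually'
    }

    [pscustomobject]@{
        Path               = $fullPath
        InStandardLocation = $inStandardLocation
        InUserDirectory    = $inUserDirectory
        SignatureStatus    = $signature.Status
        Signer             = $signature.SignerCertificate.Subject
        PolicyDecision     = $decision.PolicyDecision
        MatchingRule       = $decision.MatchingRule
        Recommendation     = $recommendation
        DraftRuleXml       = $draftRuleXml
    }
}

# Hypothetical request for an application installed under a user profile:
# Get-AppLockerRequestAssessment -Path "$env:LOCALAPPDATA\ExampleApp\example.exe"
```

The draft XML is only a starting point for the reviewer; it is not merged into the policy by this function.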
|Legal Proceeding Preparation (E-Discovery) Policy|
Purchase College has always been responsible for complying with various information demands made upon it by the public, oversight agencies, and the courts. Such demands may arise in the context of litigation, administrative proceedings, audits, investigations, and Freedom of Information Law requests. With the proliferation of electronic information storage capabilities and systems, the task of compliance with the requests has become ever more complicated and challenging. The purpose of this Policy is to provide guidance and directives to aid various University constituencies and officers in their efforts to comply with those “e-discovery” responsibilities and demands.
Custodians must understand the basic operations of electronic storage systems and programs and must manage records and ESI according to applicable laws, regulations, policies, retention schedules, and best practices. This includes the duty to notify Counsel of potential Triggering Events.
The SUNY Office of General Counsel will make the ultimate determination of what constitutes a ‘Triggering Event’ and after such determination is made, will order Legal Holds accordingly. Counsel will also direct the production of ESI, if necessary.
Key Persons must cooperate with Counsel to identify, preserve, maintain, and produce ESI that is subject to a Legal Hold issued by the General Counsel’s Office.
“E-Discovery” is a shorthand term for the process of preserving and exchanging electronically-stored information (ESI) in the context of modern litigation or other legal processes.
A “Legal Hold” is a process by which the Office of General Counsel (“OGC”) directs the preservation of certain records, information, and data, for the purpose of complying with an information request or other legal obligation.
“Counsel” means any member of the University’s Office of General Counsel.
A “Custodian” is any officer, employee, or agent of the University that possesses, controls, or maintains any record, information, or data of the University.
A “Key Person” is any officer, employee, or agent of the University that possesses, controls, or maintains any record, information, or data that is subject to a Legal Hold. A Key Person may also be someone who is in a position of leadership over a subject program or department (HR, Student Affairs, Facilities, etc.), or someone who has been designated as a campus liaison to Counsel.
“IT Personnel” means the Chief Information Officer of any campus or the designee thereof.
A “Triggering Event” is any event or set of circumstances that cause Counsel to reasonably anticipate litigation or another legal process which could give rise to a preservation obligation. Factors to consider in determining whether a Triggering Event has occurred include:
A “Legal Preservation Notice” or “LPN” is a set of written instructions sent from Counsel to Key Persons. An LPN may be issued electronically; however, it should include an appropriate acknowledgment. At a minimum, an LPN should include information related to:
“Electronically Stored Information” or “ESI” means any information, record, document, file or data stored on any University program, system, device, or server of any kind. ESI can also reside on the personal devices and in the personal accounts of university officers, employees, and agents if such devices and accounts are used for conducting University business. ESI may include documents, audio recordings, videotape, e-mail, instant messages, word processing documents, spreadsheets, databases, calendars, telephone logs, contact information, Internet usage files, metadata, and all other electronic information created, received, and/or maintained on computer systems.
Other Related Information
SUNY Policy 6609 – Records Retention and Disposition http://www.suny.edu/sunypp/documents.cfm?doc_id=650
SUNY Policy 6608 – Information Security Guidelines http://www.suny.edu/sunypp/documents.cfm?doc_id=583
Legal Preservation Notice
Questionnaire/Interview Outline to Prepare for E-Discovery
To: Campus / IT Personnel
Subject: Notice to Preserve Information Related to [Case] – A/C Privilege
Dear [Campus / IT Personnel],
Please forward the following message to [known Key Persons] and anyone else that might have information regarding the recent [describe Triggering Event]:
“You are receiving this message because a [litigation/investigation/audit] involving a [campus name] program is anticipated and the College has determined that you are likely to be in possession of data, documents, or information that may become part of the College’s response to this [litigation/investigation/audit]. [Campus] has an urgent legal obligation to preserve this information.
You are required to take all reasonable steps to identify and preserve any and all emails, hard copy files, electronically-stored information or other records in your possession that relate to [Triggering Event]. Relevant information may be in paper files, on campus IT systems, handheld devices, removable media such as CDs or flash drives, laptop computers, back-up tapes, personal computers (if SUNY business was conducted utilizing a personal or home computer), or any other storage medium.
Immediately halt all deletion efforts including routine destruction and deletion or modification of such information, documents or evidence. You must maintain this information, as well as any new information/evidence (hard copy or electronic) created after receipt of this message, in the form in which it now exists. Please contact [IT Personnel] if you need help collecting or preserving information responsive to this request.
If you identify and preserve any documents or other materials identified as a result of this communication, please contact [Counsel] and inform him/her that you are in possession of such materials. Further instructions will be forthcoming once the scope of the [litigation/investigation/audit] becomes more apparent.
As this obligation is continuing, you must also save any new information/evidence that you create or receive until the Office of General Counsel notifies you we are no longer under a duty to preserve it. However, future communications involving this matter should be limited to formal discussions involving [Counsel].
Please confirm by return email that you have received this communication and are in the process of complying with the directives herein. Any questions regarding this matter should be directed to [Counsel]. Thank you for your cooperation.”
Questionnaire/Interview Outline to Prepare for E-Discovery
Overview of Computing Environment
Types of computers: How many and how are they used?
Centralized mainframes and mid-range processors
Departmental servers: How many, what uses, relationship to IT?
Mobile computers (including sub-computing devices)
Storage devices and media: What policies and practices govern their use?
Network drives: How many and what uses?
Local hard drives
Magnetic tapes (other than backup tapes)
CD / DVD drives
Other: flash drives, etc.
Backup schedule for incremental and full backups
Backup media: magnetic tapes and other
Number of backup copies produced
Storage locations for backup media: onsite and offsite
Retention / recycling practices for backup media
Organization and accessibility of backup tapes
Is real-time backup in use or planned?
Survey of databases likely to be relevant for e-discovery
Purpose: business functions that database supports
Software that creates and maintains database
Plans for upgrading / replacement
Computer system on which software operates
Database retention policy
Archiving practices for older database records
Legacy database applications: current status and usability
Type of email software in use
Number and location of email servers
Number and types of email users
Retention practices for email
Limitations on mailbox size
Automatic deletion after a specified time
Transfer of email to other files: Is it permitted and/or encouraged?
Backup practices for email (if different from general backup practices)
Backup schedule: incremental and full
Storage locations for backup media
Accessibility of backup media
Use of non-SUNY email for SUNY business
File Shares: Departmental and Other
Network storage locations
State University of New York Records Retention and Disposition Schedule
This new State University of New York (University) Records Retention and Disposition Schedule (RR&D Schedule) indicates the minimum length of time that campus and University officials must retain the records covered by this schedule before the records may be disposed of legally. Schedule items have been reviewed by the NYS Offices of the Attorney General and State Comptroller and approved by the New York State Archives for use by the University, pursuant to provisions of Sect. 57.05, Arts and Cultural Affairs Law and 8 NYCRR Part 188. This new RR&D Schedule replaces and supersedes the 1977 Records Retention and Disposition Schedule formerly issued by the University. It also replaces and supersedes any other retention authorizations and guidance that campus and University officials may have adopted for specific records. It must be noted that the University also follows the New York State Archives’ General Retention and Disposition Schedule for New York State Government Records (State Schedule) to the extent that a category of records is not covered by the University’s own retention schedule. University and campus officials should determine first if there is a specific record category applicable from the RR&D Schedule. That schedule will supersede retention periods for similar items in the State Schedule. Records not covered by the RR&D Schedule will be governed by the State Schedule.
All University records must be retained in accordance with the retention periods and guidelines specified in this new RR&D Schedule and in any related policies, procedures, guidelines, or directives that the University has issued or may issue in the future. See Section 5 of this Introduction for suggestions regarding the disposition of records that no longer need to be retained.
The purposes of this new RR&D Schedule are to:
Pursuant to NYS Arts and Cultural Affairs Law §57 (Divisions of History and Public Records) and 8 NYCRR §188 (State Government Archives and Records Management), the University has designated a University Records Management Officer to coordinate the proper retention and disposition of records throughout University campuses and at the System Administration Office. It is suggested that each campus also designate a records management officer.
All inquiries about records management should be referred to the University Records Management Officer (518-320-1311) and, whenever necessary, the Office of University Counsel & Vice Chancellor for Legal Affairs for resolution. The University Records Management Officer and the Office of University Counsel & Vice Chancellor for Legal Affairs will also be responsible for referring, whenever necessary or appropriate, any questions on records management issues to the State Archives.
3.1 Interpreting the RR&D Schedule Items
Many of the items on this RR&D Schedule are broad and describe the purpose or function of records rather than identifying individual documents and forms.
Specific items are listed in sixteen (16) tables with functional headings (e.g., Academic Affairs, Athletics, Student Accounts) which are arranged alphabetically. Using the Subject Index at the end of the RR&D Schedule, campus and University officials should match the records in their offices with the descriptions on the RR&D Schedule to determine the appropriate retention periods. Records whose content and function are substantially the same as an item described on the RR&D Schedule should be considered to be covered by that item. Campus and University officials should check with the University Records Management Officer when they are uncertain regarding coverage of a function.
In situations where campus and University officials have combined related types of records covered by different items on the RR&D Schedule into a single file, it may be impractical to separately apply the retention periods of the various applicable RR&D Schedule items to the individual records in the file. In such situations, officials may find it more convenient to dispose of the entire set of records by using the applicable retention item with the longest retention period.
Retention periods on the RR&D Schedule apply to one “official” copy designated by the campus or the University, regardless of physical form or characteristic (paper, microfilm, computer disk or tape, or other medium), unless otherwise stated. No matter what the medium, campus and University officials must ensure that the information will be retained for the specified retention period. The time identified as the minimum retention period begins with the creation of the record, unless otherwise specified. When original records are migrated to different media, unless pre-approved in the RR&D Schedule, approval of the State Archives is needed to destroy the original records prior to the expiration of the assigned retention period even when the new media versions will be retained for that period.
3.2 Records Disposition Authorization (RDA) Number
In addition to the consecutive numbering of items within each section of the RR&D Schedule, each item is assigned a Records Disposition Authorization (RDA) number by the State Archives. The Subject Index at the end of the RR&D Schedule refers to items by their RDA numbers.
4.1 Legal Actions
Some records may be needed for use in legal actions involving a campus and/or the University. Records that are identified in or relevant to such actions must be retained for the entire period of the action, including any appeals, or the period for making an appeal, plus an additional year, even if their retention period has expired. Prior to disposing of records related to or retained for a legal action, campus and University officials should consult with the University Records Management Officer, who will work with the Office of University Counsel & Vice Chancellor for Legal Affairs to verify that no new legal actions or appeals have been initiated that would require longer retention of the records.
4.2 Electronic Records
While items on the RR&D Schedule for the most part cover records regardless of the physical form in which they are maintained, they do not cover all records relevant to the operation of electronic information systems. For guidance on the disposition of records of the design, development and operation of IT systems, refer to the Information Technology section of the State Archives’ General Retention and Disposition Schedule for New York State Government Records. Contact the University Records Management Officer if you have any questions or problems or if you need additional information on the disposition of electronic records.
Generally, records transmitted through e-mail systems have the same retention periods as records in other formats that are related to the same function or activity. E-mail records should be scheduled for disposition in conjunction with any other records related to that function or activity. Campus and University officials may delete, purge, or destroy e-mail records if the records have been retained for the minimum retention period established in the RR&D Schedule and are not being retained for a legal action or otherwise subject to a litigation hold or for an audit. Transitory messages may be destroyed when no longer needed. For further guidance on the disposition of e-mail messages and attachments, see item 90369 in the State Archives’ General Retention and Disposition Schedule for New York State Government Records. Contact the University Records Management Officer for additional information.
4.3 Drafts and Personal Working Papers
When drafts are created in the preparation of University records, the final version is considered the official copy for retention purposes. Temporary drafts that were not reviewed, circulated or used to make decisions may be discarded when no longer needed. This should be done at the earliest opportunity following approval of the final version. This policy applies to drafts in all forms, including word processing files, spreadsheet files, and other computer files.
Personal working papers, including notes, may be developed during the transaction of University business or during the preparation of University records. Most personal working papers, such as notes taken at a meeting or annotations on a draft record that is ultimately superseded by a final version, have no legal, operational, or research value that warrants retaining them beyond their moment of immediate usefulness. These records should be discarded at the earliest opportunity, generally within one (1) year after the purpose for which they were created has been fulfilled. This policy applies to personal working papers in all formats, including word processing files, spreadsheet files, and other computer files.
4.4 Additional Retention Requirement for Licensed Health Professionals Other Than Physicians
The State Education Department’s Office of the Professions oversees the professional conduct of licensed health professionals other than physicians (e.g., athletic trainers, nurses and mental health practitioners, etc.). Paragraph 3 of subdivision a of 8 NYCRR §29.2 (Regulations of the Commissioner of Education) states that “unprofessional conduct” includes “failing to maintain records for each patient which accurately reflects the evaluation and treatment of the patient” and that, unless otherwise provided by law, records of minor patients must be retained for at least six years, and until one year after the patient reaches the age of 21 years.
Some health-related items on the RR&D Schedule contain minimum legal retention periods that permit disposition of records after a minor attains age 21. In these instances, certain records pertaining to minors must also be retained for an additional year if the records are subject to the Section 29.2 requirements for health professionals other than physicians, if these professionals are employed by or associated with a campus or the University. For additional information on this situation, contact the University Records Management Officer.
Program and fiscal audits and other needs of state and federal agencies are taken into account when retention periods are established in the RR&D Schedule. However, in some instances agencies with audit responsibility and authority may formally request that certain records be kept beyond the retention periods. If such a request is made, these records must be retained beyond the retention periods until the campus or the University receives the audit report or until the need is satisfied.
4.6 Archival Records
Archival records are records that campuses and the University must keep permanently to meet their fiscal, legal, or administrative needs or that campuses and the University retain because they contain historically significant information. Records do not have to be old to be archival; campus and University officials create and use archival records daily in their offices. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains.
When the State Archives has determined that a record item has enduring historical or other research significance, the item has been given a permanent designation on the RR&D Schedule. However, the State Archives cannot identify all record items with historical or research significance. Knowledge of people, places, or events in each campus community and the unique circumstances of each campus will determine which records are significant. Campus and University officials will need to appraise records with non-permanent retention periods for potential research or historical value before destroying them.
The usefulness of archival records depends on the ability of the campuses and the University to preserve them, retrieve the information they contain, and make that information available to researchers.
4.7 Appraising Records for Historical or Research Significance
A campus or University record has historical or other research importance if it provides significant evidence of how the campus or University functions and/or if it provides significant information about people, places, or events that involve the campus or the University. Since each campus community has its own unique history, the importance or value of a record item may vary from campus to campus.
Campus and University records may contain a tremendous amount of information about the people, buildings, and sites in the campus or University community, as well as important time periods or significant events that affected the people associated with the campus or the University. This information can be very valuable to staff, researchers, and the public, but only if the information itself is significant. The significance of the records will depend on:
4.8 Records Not Listed on the RR&D Schedule and Non-Existent Records
The RR&D Schedule covers the majority of all records of the campuses and the University. For any record not listed, the custodian of the records should contact the University Records Management Officer, who will then contact the Office of University Counsel & Vice Chancellor for Legal Affairs for assistance. If the record is not covered by an item on the RR&D Schedule or an applicable item on the State Schedule, it must be retained until a revised edition of or addendum to the RR&D Schedule is issued containing an item covering the record in question and providing a minimum legal retention period for it.
Conversely, the State Archives has no legal authority to require a campus or the University to create records where no records exist, even if the records in question are listed on the RR&D Schedule. Although there may be laws, regulations, or other requirements that certain records must be created, the mere fact that a particular record is identified on the RR&D Schedule should not be interpreted as a requirement that the record must be created.
4.9 Public Access to Records/Confidentiality
The RR&D Schedule does not address the issue of public access to records. Access issues are covered by the Freedom of Information Law (NYS Public Officers Law §§84 – 90), Personal Privacy Protection Law (NYS Public Officers Law §§91 – 99) and Access to Personal Information Maintained by State University of New York (8 NYCRR § 315), as well as by the federal Family Educational Rights and Privacy Act (FERPA). Campus and University officials should consult with their Records Access Officer on questions related to public access to records.
Records on the RR&D Schedule may or may not be confidential, depending on what information they contain and on the possible effect of disclosure of that information. In approaching issues of confidentiality and access, it may be helpful to consider the following:
Campus and University officials should consult their Records Access Officer with questions related to public access to records that may contain confidential information.
4.10 Migration of Records to Different Media, i.e., digitizing of records
The majority of the tables within the RR&D Schedule have been pre-approved for migration of original paper records into electronic formats. This means that once paper records are scanned and reformatted as electronic records, the original paper records may be destroyed even if the assigned retention period has not expired. The new electronic records must be retained for the remainder of the applicable retention period. The University was given authorization for migration of paper records into electronic formats under the following conditions:
(1) the images will accurately and completely reproduce all the information in the records being imaged;
(2) the imaged records will not be rendered unusable due to changing or proprietary technology before their retention and preservation requirements are met;
(3) the imaging system will not permit additions, deletions, or changes to the images without leaving a record of such additions, deletions, or changes; and
(4) designees of the State University of New York will be able to authenticate the imaged records by competent testimony or affidavit which shall include the manner or method by which tampering or degradation of the reproduction is prevented.
Accordingly, campuses planning to replace original records with electronic or imaged copies for retention purposes must ensure that all conditions listed above are met and that a campus official will be able to attest to the manner in which replacement of records occurred to fulfill these conditions.
Before undertaking any replacement of paper records as described above, the campus records management officer should determine if pre-approval exists for the category of records involved and if not, must seek specific approval from the State Archives, through the University Records Management Officer.
Records without historical value must be disposed of continually as they meet their stated minimum retention periods. The advantages of a program for systematic, legal disposal of obsolete records are that it:
Suggestions for systematically approaching the disposition process include the following:
The official who carries out disposition at your campus will describe what has been done to dispose of records during the year in an annual report to the University Records Management Officer.
|Mailbox Management Policy|
Mail Management Policy
Purchase College provides a standard 1 gigabyte storage allocation for faculty and staff mailboxes. That 1GB of space is enough to store thousands of messages – unless those messages contain unnecessary bloated attachments.
We can and do provide additional mailbox space - in smaller increments - but there are a lot of visible and hidden costs for runaway mailbox space needs, and we depend on faculty and staff to have some discipline in managing their storage space.
No matter how much space we provide, anyone who doesn’t practice basic organizational discipline and basic mailbox discipline will very quickly outrun their allocation. Anyone who says they have to spend “a tremendous amount of time” managing their files or their mailbox is doing something wrong.
Everyone practices some level of basic organizational discipline – related files go into project folders – or whatever suits their needs. Given that practice, managing mailbox space use should take no more than 5 or 10 minutes per week – at most – and is a simple process.
CTS can arrange a quick training session for managing mailbox and file space. There are a number of simple techniques that will help to contain runaway needs.
In addition, everyone should recognize that mailboxes make the absolute WORST filing cabinet ever invented. Large mailboxes invariably contain multiple copies of the same bloated attachments in multiple and fragmented conversation threads – making it impossible to locate the latest version – or to locate anything for that matter. Think of your mailbox like the one attached to the front of your house – stuff gets dropped off there, and you take it inside and file it away. Nobody uses that mailbox to store things – for obvious reasons. The same obvious reasons apply to email: phishers download the entire contents of your mailbox as soon as they get your credentials – we have seen that happen all too often here – and it happens to tech-savvy individuals too.
Aside from best practices, there are a lot of hidden costs, which nobody cares about – that is - until they do care. Storage space is expensive. Backup software licensing fees are expensive too – and we pay for every gigabyte we back up. SUNY Legal counsel advises limiting everyone’s total storage footprint and mailbox size – so they don’t have to search through a tremendous amount of material when a legal hold is placed – and that happens far more often than anyone would like as well.
Our faculty/staff email storage footprint today is 2.5 times the size it was 4 years ago. If we have to restore that 20 terabytes of data from backup, it will take 4 or 5 DAYS to do that restore, and during that restoration period, nobody will have email, and everybody will be screaming. It is reasonable to assume that a majority of that storage footprint – and a majority of that 4 or 5 days of recovery time – is ‘wasted’ on unnecessary material and multiple copies of bloated attachments that have accumulated in everyone’s mailbox.
Only the mailbox/storage owner can determine what is important enough to keep. We ask that you keep the important materials that land in your mailbox inside the house, and not in the mailbox outside your front door. Doing that will help you be more organized, find things faster, and find inner peace and tranquility.
Email space management tips:
|Mobile Device Ownership Stipend|
Under certain limited circumstances, faculty members may request that the college subsidize their purchase of a mobile electronic device via payment of a Mobile Ownership Stipend. These circumstances may include, but not be limited to, sensitive research needs, creative production, and the need to manipulate or otherwise alter the device firmware or hardware.
Faculty members applying for a Mobile Ownership Stipend shall submit a brief written justification to their supervisor. The request must specify the type of device the faculty member intends to purchase and the amount of stipend requested. The request shall be reviewed and evaluated by the board-of-study coordinator, chair or director, and provost’s office, based on faculty needs and preferences, proposed utilization for teaching/research, and academic program needs.
If the request is approved, a one-time stipend, in an amount to be determined by the board-of-study coordinator, chair or director, and provost, shall be provided to support individual ownership, maintenance, and software needs for the mobile device over an expected life span of four years. Departure from college service prior to the fourth anniversary of the stipend may result in a request to return the device to the college. The Mobile Ownership Stipend would be eligible for renewal every fourth year to align with the college’s existing faculty computer replacement policy.
Individuals receiving a stipend may not receive a computer under the normal faculty computer replacement cycle that provides college-owned and college-supported devices. In almost all cases, it is likely to be an either/or choice (faculty computer or mobile stipend). Both programs intend to ensure faculty have access to a computer in their offices for communication, advising, and research. At the end of the four-year cycle, faculty may choose to opt into the normal college-owned faculty computer replacement cycle again.
Maintenance and Support
With the Mobile Ownership Stipend, you are responsible for any support, maintenance, or repairs over the life of the device. It is strongly recommended that you obtain warranty coverage for the life of the device, and that you cover the device under your homeowners or renters insurance.
If you apply for a Mobile Ownership Stipend, no college administrative account will be created on the machine. Without necessary administrative credentials, college support for personally owned computers is limited.
The machine will not be automatically joined to the college network by default. You may still access the college Wi-Fi network by logging in with your college credentials.
As a courtesy, CTS will provide basic on-site support for your device, as is done for student-owned machines. This good-faith effort is typically defined as up to an hour under normal circumstances. All parts and software required for service activities must be provided by the customer.
If you do bring the device to CTS for support, you will be asked to provide a temporary administrative-level account for the technician’s use. If any software re-installation is recommended, you will need to provide your software license keys and media.
Please note that CTS reserves the right to decline to provide service for personal devices for any reason.
Software and Printing
College-provided concurrent-use software licenses will not be available for your use. (College-licensed software includes, but is not limited to, Microsoft Office, Apple iWork software suite, Adobe Creative Suite, Autodesk Creative Suites, AutoCad architectural suite, SPSS statistics, font libraries, and other software with concurrent-use licenses.)
Note that Microsoft and other vendors offer “work-at-home” licenses to college employees at substantial discounts. More information can be found on the Downloads and Software page. Microsoft Office and Windows—for $9.75 each—and other products can be obtained from the aforementioned page.
Since personally owned devices are not joined to the domain, network print services are not available.
Accessing college-provided software/print services from your personally-owned computers:
CTS provides a VPN to access your campus desktop computer. If you do not have a desktop computer in your office, there is also a Terminal Server you can use to connect to a standard Windows virtual desktop. (Note that Apple does not allow virtualization of its operating systems or hardware.) Campus-licensed concurrent-use software and print services may be available through the VPN or the Terminal Server.
Submitting a Request
Requests for a Mobile Ownership Stipend can be brief. Please include:
Submit the request to the coordinator of your board of study. If approved, the coordinator will forward approval to the chair or director for review. If the chair or director approves, the request will be forwarded to the dean and the provost’s office for review and final determination as to the funding amount.
Surrendering a Device
Surrender of device in connection with litigation discovery demands, Freedom of Information Law (FOIL) request, and/or to protect the college’s interests
At the direction of the college’s legal counsel and a college vice president, any mobile device obtained through this program shall promptly be surrendered to the college for purposes of complying with discovery in litigation, Freedom of Information Law requests, and/or as may be needed to protect the legal interests of the college. Upon surrender, the college shall undertake a search of the contents of the device. Such search shall be narrowly tailored to the specific matter or matters at issue. To the extent practicable, the device shall promptly be returned to the owner. If, in the sole opinion of college legal counsel, the device must be maintained in college custody, the college shall copy the contents of the device’s hard drive and/or memory and provide the owner with a temporary replacement device.
Mobile Ownership Stipend Request
Purchase College / State University of New York
• I am requesting a Mobile Ownership Stipend in the amount of $
• I am requesting a Mobile Ownership Stipend because:
• I intend to use the stipend to support my teaching/research in the following ways:
I have read and agree to the terms of the Mobile Ownership Stipend Policy.
(Employee signature / date)
I approve the issuance of a Mobile Ownership Stipend to the employee:
I approve the issuance of a Mobile Ownership Stipend to the employee:
I approve the issuance of a Mobile Ownership Stipend to the employee:
I approve the issuance of a Mobile Ownership Stipend in the amount of $
(Officer signature / date)
|Mobile Device Policy|
This policy offers some best practices regarding the use and safekeeping of laptops, tablets, and mobile computing devices, and governs the use of and liability for College-owned mobile devices.
What’s covered by this document?
All College-owned mobile computing devices are governed by this policy, including systems made available as primary workstations, assigned within a departmental office, or purchased through grant dollars for specific projects.
This document is applicable to all College staff, faculty, or administrators who are using mobile computing devices issued or loaned to them by a College department.
College-owned mobile devices may be used for any work-related tasks, including:
Physical Protection and Reasonable Care
General information on Faculty Computers and Mobile Devices
Inventory, Reporting, and Replacement
Preparation for use:
Physical Protection and Reasonable Care
Along with the privilege of using a College owned mobile device comes the responsibility to safeguard the device and any data it contains.
Data Security policies apply to all computing devices used for College business. Since mobile computing devices are more susceptible to loss or theft, it is important that you do not store any Personal Private Sensitive Information (PPSI) on mobile devices, and that you maintain current backups of any important files that you do have on the mobile device.
Why avoid storing personal, private, and sensitive information? Mobile devices are particularly susceptible to loss or theft. If Personal Private Sensitive Information (PPSI) is stored on a device that is lost or stolen, the individuals whose information was compromised may face long-lasting ramifications from the improper use of their personal and financial information. In addition, New York State law may require that the college publicly disclose the loss of such PPSI and notify all individuals whose information was potentially compromised. As a result, we highly recommend that you do not store any sensitive data on mobile computing devices.
What is Personal, Private, and Sensitive Information (PPSI)?
Per NYS Cyber-Security Policy P02, PPSI is considered a combination of any three of the following personally identifiable information items: Name, Address, SSN, account number, credit card number, maiden name, and date of birth.
To Secure Data on Your Device:
Inventory Tracking and Disposal
Failure to comply with this policy may result in disciplinary and/or legal action.
Thank you for reading this document.
Acknowledgement of Mobile Computing Device Usage Policy
Purchase College / State University of New York
authorize (name) to receive a mobile computing device.
(Supervisor’s name) (Employee’s name)
Mobile computing device information:
Laptop Tablet Other
Serial # Original cost: Date of purchase:
I approve the issuance of a Mobile Computing Device to the employee:
(Supervisor signature / date)
I approve the issuance of a Mobile Computing Device to the employee:
(College Officer’s signature / date)
I have read and agree to follow the Mobile Computing Device Usage Policy:
(Employee signature / date)
Submit form to Campus Technology Services. A copy should also be retained by the issuing department.
This information has been recorded in the computer inventory database:
(CTS Reviewer / date)
|NYS Office of Information Technology Mobile Device Security Standard|
1.0 Purpose and Benefits of the Standard
This standard outlines the additional protections required for the use of mobile devices by SEs.
2.0 Enterprise IT Policy/Standard Statement
Except for terms defined in this standard, all terms shall have the meanings found in the IT New York Glossary.
Mobile devices are computing devices in a small form factor that have at least one network connection interface, non-removable and/or removable storage, and are portable (i.e., nonstationary). These devices come in forms such as smartphones, PDAs, smart watches, tablets, laptops, and wearable devices.
4.0 Information Statement
If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, SEs shall request an exception through the Enterprise Information Security Office exception process.
6.0 Definitions of Key Terms
8.0 Review Schedule and Revision History
04/18/2014 Original Standard Release Thomas Smith, Chief
Deborah A. Snyder,
04/18/2016 Scheduled Standard Review
9.0 Related Documents
NIST Special Publication 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise
|NYS Security Breach Disclosure Policy|
To all faculty, staff, and administrators:
New York State Security Compromise Disclosure Law: On December 7, 2005, the “NYS Information Security Breach and Notification Act” went into effect. It was signed August 9 by the governor. This new law requires that “entities conducting business in NY who own or license computerized data which includes private information” disclose any breach of private data to NY residents (and nonresidents) whose personal information was stored on any system that may have been compromised. The law defines personal information as “any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.”
What does this mean to me? Identity theft has become a major problem over the last few years. More than 51 million Americans have had their personal information compromised since February 2005 (including more than three million NYS residents—see the CSCIC list at the end). Criminals—and organized crime in particular—have found it to be a very lucrative business. With a few key pieces of personal information—a name, SSN, birth date and address—they can use your identity to open new credit card and financial accounts, take out a mortgage on your house, and generally plunder your financial accounts for huge amounts of money before you even realize it is happening. Repairing the damage to your credit rating takes years, and is difficult if not impossible. On a personal level, we all understand and support this legislation because we all would want to know if our personal information has fallen into the wrong hands.
What does this mean for Purchase College? Purchase College computer systems store data on tens of thousands of current and former students and employees. We have all seen press reports of other schools that have been hacked or lost a laptop containing personal information. New York has now followed California’s lead in implementing a notification law. Prior to this, compromises were often kept quiet. Under the new law, if there is “reason to believe” that a system has been or may have been compromised, we are required to notify all individuals whose information was stored on the compromised system, and to notify the Consumer Protection Board or the press if more than 5,000 records are involved. Obviously, this would have a disastrous effect on the college’s public image and our recruiting and enrollment efforts, not to mention the potential damage to the individuals whose information may have been compromised.
What is the college doing to protect our systems and data? Campus Technology Services (CTS), the central technology and support organization serving the campus, provides centralized administrative systems that serve faculty, staff, and students. CTS also supports and maintains all college-owned faculty and staff workstations. The most common way that systems are compromised is through known exploits on machines that are not properly patched.
What should you do? Review practices regarding use of computer systems within your unit—particularly those systems that are not stored, managed, and maintained by CTS. If you have a local MS Access database on a machine in your office, or any locally stored database of students, clients, constituents, or employees, you should contact CTS to discuss options for securing that data.
Data should never be stored on local workstations—not only is that data not part of any backup and recovery process, but local workstations can be (and are) stolen. The college provides file servers accessible through the network that provide secure storage for all of your data files.
Any stolen or lost computers (desktops or laptops) should be reported to the University Police immediately. You should keep a record of all of your unit’s computer hardware (make, model, serial number and MAC address) in the event that it is stolen or lost.
The proliferation of external USB/Firewire disk drives and USB memory keys is another threat. These portable devices can also store large amounts of data that is easily lost or stolen. Again, data should only be stored on centralized college servers.
If your unit is not already using a centralized file share on a CTS server, chances are your employees are using local or removable storage that is not secure. Please call CTS at x6465 to set up a file share for your office.
It is critical that you notify CTS when an employee leaves your unit, so that their access to college systems can be terminated. Former employees can retain email privileges where necessary, but should not have access to other college systems after they leave.
Take stock of physical security within your unit. Are the offices and cabinets where sensitive paper records are stored secure and accessible to authorized personnel only? Are there alarm systems covering these areas?
Most importantly, you need to raise awareness among everyone within your unit about the seriousness of cybersecurity threats. Understanding the issues and the ramifications of a compromise—personally and institutionally—is the only thing that will make someone think twice about downloading that data file onto their laptop or USB key. Have your people check the contents of their computers and storage devices and eliminate anything that doesn’t need to be there. Remind everyone not to email confidential data files or SSNs.
If a compromise is suspected: If you suspect that a computer system in your unit has been compromised, or if any laptop or college-owned desktop computer is lost or stolen, please notify CTS and the University Police immediately. We will work with you to determine whether or not a compromise has occurred, and what actions need to be taken.
If a compromise occurs: The law requires us to notify three NYS offices:
The summary and text of the Assembly bill signed August 9 by the governor:
The Privacy Rights Clearinghouse website.
|Online Course Authentication Policy|
At Purchase College, students in online courses must use a secure log-in to the campus learning management system, using their Purchase College username and password. This is required for students to register for courses and to participate in them online.
Student privacy rights are strictly protected. Only those enrolled in the course have access to the course. The outside community does not have access to the coursework, nor do students who are not enrolled in the specific course.
All students are informed of the academic integrity policy in course syllabi. Upon registering, all students formally agree to the college’s Student Code of Conduct, which includes the academic integrity policy.
Campus Technology Services (CTS) also has a computer ethics and usage policy, which outlines clear expectations, including maintaining security of accounts, not sharing account access, and the strong password use enforced by the campus system.
Faculty members are encouraged to use video tools (e.g., Skype, Adobe Connect), in addition to phone conversations with students as needed. Instructors are encouraged to use activities in the online course for students to, once again, actively agree to the college’s policies on academic integrity and on computer ethics and usage.
As additional means of addressing student authentication become available, Purchase College will research possible adoption of such resources.
|Pandemic Business Continuity|
Online services for Faculty and Students in case of school closure
As you are probably aware, the Swine flu pandemic continued to produce cases in the US throughout its off-season, and flu season returns this fall. While it has had a fairly mild effect in the vast majority of cases to date, it does spread like wildfire. Schools across the country are bracing for flu season this fall, including Purchase.
In a worst case scenario, if the campus were to close due to pandemic pandemonium or other emergency during the semester for a period of several weeks or more, there are a variety of tools that could help the faculty and students continue their studies and complete the semester. These tools include both low-tech (email!) and hi-tech options, and the college’s Teaching Learning and Technology Center (TLTC) is offering a series of faculty workshops over the next few weeks that may help you get started.
Some course activities translate more easily than others into an online environment. It is easy to see how writing assignments, discussions, and even tests can be conducted through the internet without too much effort – but a painting or dance class is another matter entirely. Whatever your discipline, we encourage all faculty to begin considering their options and strategizing on how to cope with a disruptive campus closing during the semester.
The services below are available to faculty and students, and are listed in low-tech to high-tech order:
Purchase College Email
(Banner Term codes are 20=Summer, 40=Fall, 55=Winter, 60=Spring)
Each faculty advisor has a distribution list containing their advisees: adv.faculty.FirstName.LastName@purchase.edu.
There is a faculty listserv, Faculty.Discuss@purchase.edu, open to all faculty members. This list is moderated by the Faculty at Large President, and is for discussion of faculty matters.
All Purchase College email distribution lists can be used from any email account, on or off campus using the format List.Name@purchase.edu.
Remote Access VPN, File Servers and Remote Desktop
Moodle contains “online Quiz” functions. Moodle allows faculty to create quizzes that contain text and multiple choice style tests, and allow you to embed/link to various media. For instance, you can embed an audio file or a picture and ask students to provide a context or analysis of it.
The College’s ClassApps Web survey tool (available on the Portal Page) can also be used to administer tests online. The ClassApps Web Survey provides a rich array of question types, branching functions, and other features that allow you to create elaborate tests. There is even a built-in response scoring function for non-text (multiple choice) answers. Surveys can be authenticated with Purchase College student credentials, and you can release the URL via email and close it at the end of the testing window (which can be as long or as short as you want).
Web 2.0 Tools
Software for your home computer
Administrative Computing Services for Faculty
The Employee Services site is where Faculty and staff self-service web applications such as class lists, grades, enrollment reports, committee web sites, and other resources can be found.
CTS uses Remote Assistance to troubleshoot and resolve most problems. The Technical Support staff strives to provide responsive on-the-spot or same-day service for faculty and staff.
College-owned computers are provided for all full-time faculty, and are running Windows 10 or the latest Mac OSX.
Other Faculty Technology Resources
The Teaching, Learning and Technology Center (TLTC) provides extensive support for faculty and staff using the Web-based Moodle course management system. The TLTC is located in the Purchase College Library. For more information, contact the TLTC at 251-6440.
Please keep in mind that if the campus closes, CTS and TLTC staff may not be on campus either, and the helpdesk may not be fully staffed to answer calls. We encourage everyone to plan ahead to avoid delays.
|Policy: Change Management|
Definition: The phrase “Change Management” incorporates any addition, modification, or removal of systems, software, or hardware that may have an impact on institutional operations. In our highly interconnected environment, the impact of a change may have unintended or unanticipated consequences, and must be carefully planned and communicated in advance to avoid disrupting normal operations.
This policy addresses how change management is handled for systems, applications and devices in the Purchase College Domain.
The change management process involves:
Purchase College uses NNT Change Tracker to apply and archive changes as they are applied to servers and network devices. For text-based configuration changes, NNT tracks which lines of configuration were impacted by a given patch or update. For computer workstations, CTS makes use of SCCM, Munki, and group policy to deploy software, updates, and patches.
Classification and Categorization of Changes
There are three different categories of changes:
In addition to the change categories, changes can be classified as major, significant, or minor, depending on the level of cost and risk involved, and on the scope and relationship to other changes. The detailed procedures for each group should address this classification.
An emergency change is a change that must be made before a Change Advisory Board (CAB) can be convened to review and approve it, due to a repair or error in an IT service that is causing a negative impact. Incident resolution may sometimes require emergency changes. Examples include a critical service-down that requires a quick hardware swap-out, or a late-night system emergency when the change manager or others may not be available.
An emergency change must follow these steps:
When any change is being considered—a new device, new system, OS upgrade, software version upgrade, security patch—or the elimination of a resource or service is being considered, it is critical that careful consideration be given to the potential impact of the change, and to the process for implementing the change. It is also critical that the implications be carefully communicated to any stakeholders that may be affected by the change.
The change initiator is responsible for ensuring that the analysis and communication are conducted during the planning phase. The change initiator is often a business unit (e.g., Office of Admissions) without IT expertise, and they may have to rely on technical staff—or on other staff from other units—to determine the full impact and implications of the change they wish to initiate. Since a change may affect more than one area—or even the entire institution—a Change Advisory Board (CAB) will also be used to ensure the implications are widely understood. The composition of the CAB may vary depending on the change being proposed.
The composition of the CAB will be determined by the change initiator and the director of CTS. The change initiator is responsible for convening the CAB in a timely fashion and obtaining their approval for the change.
The change initiator must complete a Change Request Form providing information on the change they are proposing. The Change Request Form will be reviewed by the director of CTS and the Change Advisory Board. The Change Advisory Board may add additional information before approving or rejecting the change request.
Risk and Impact Analysis
The change initiator must complete a risk and impact analysis form for the change they are proposing. See the Appendix for the Risk and Impact Analysis template.
The change initiator is responsible for communicating the change to the proper audiences. Once the initiator is notified of the change approval, they should initiate necessary communications about the change prior to the change being made. See guidelines for when change notifications should be sent and to whom they should be sent.
Approved changes that have a broad impact, such as the entire college community, may require additional communications, such as notification by broadcast email, signage, or other methods. For changes with broad impact, the change initiator should work with his or her management to ensure the necessary notifications are being completed.
Standard and Routine IT Maintenance Changes, IT Roles
All college servers are assigned a primary system administrator. A secondary (and tertiary) system administrator is also assigned for each server in the event the primary system administrator is not available for any reason. Collectively, these individuals are referred to as the system administrator (SA).
The SA is responsible for reviewing and applying operating system (OS) patches and updates as soon as is practical, and for maintaining their systems at the most current state possible. The SA is responsible for advising management when a server cannot be updated due to hardware or software incompatibility. Patches and point releases are considered normal and routine changes—and do not require CAB approval. Operating system upgrades do require CAB approval.
Documentation for all patches and upgrades should be carefully reviewed before applying any change to any system. For patches, no approval beyond the SA is required. For OS upgrades, written approval should be obtained in advance from the assistant director for networks and systems – as well as from any application administrator (see below) responsible for applications on the server.
For servers where a TEST environment is available (e.g. Banner, SQL-Server, Web Server), the patches and upgrades will be applied to the TEST instance of the server first to help determine any undocumented adverse impact of the change.
For many applications residing on college servers, an application administrator (AA) is assigned to configure and manage the operation of a specific application (e.g. Moodle, Genetec). The application administrator is often an individual with functional expertise for that application. The application administrator may also be the same person as the system administrator (SA). The application administrator has elevated privileges allowing them to change configuration settings and to manage the application through whatever back-end console the application may provide. The AA is expected to work closely with the SA for the server where his or her application is hosted.
The AA is responsible for reviewing and applying application patches and updates as soon as is practical, and for maintaining the application at the most current state possible. The AA is responsible for advising his or her system administrator (and management) when an application cannot be updated due to hardware or operating system incompatibility.
All college network devices (firewalls, routers, switches, load balancers, storage arrays and sub-systems, appliances, etc.) are assigned a primary system administrator. A secondary (and tertiary) system administrator is also assigned for each device in the event the primary system administrator is not available for any reason. Collectively, these individuals are referred to as the system administrator (SA).
The SA is responsible for reviewing and applying vendor patches and updates as soon as practical, and for maintaining his or her devices at the most current state possible. The SA is responsible for advising management when a server cannot be updated due to hardware, software, or firmware incompatibility.
For instances where devices are deployed in a resilient fashion, patches and upgrades will be applied to one of the devices first—and then evaluated to determine whether there is any undocumented adverse impact of the change before it is applied to the other device.
For all college workstations (desktop computers, laptops), CTS serves in the desktop system administrator (DSA) role. All college workstations must be joined to the domain and must be accessible for application of software patches and system updates. The CTS DSAs use SCCM, Munki, and group policy to distribute patches and updates to Apple and Windows workstations.
Patches and point releases of common software are considered normal and routine changes—and do not require CAB approval. Operating system upgrades do require CAB approval.
Change Management Roles and Responsibilities
Roles associated with the change management process are defined in the context of the management function and are not intended to correspond with organizational job titles.
Role and Responsibilities
Change Process Owner
Change Advisory Board
Emergency CAB (ECAB)
Technical Review Board
Appendix – Risk and Impact and Analysis Template
Risk Assessment Risk Score: Low/Medium/High
1 Routinely 2 Occasionally 3 Never
1 Low 2 Medium 3 High
1 Yes 2 No
1 Separate/duplicate 2 Shared 3 Partial 4 Production/none
1 Yes/NA 2 No
1 On site 2 Remote 3 On call 4 Not available
1 NA 2 Low 3 Medium 4 High
1 Never/low 2 Medium 3 High
1 Low/NA 2 Medium 3 High
Appendix – Risk and Impact and Analysis Template
Impact Assessment Impact Score: Low/Medium/High
1 None 2 Less than an hour 3 Greater than 1 hour 4 Greater than 4 hours
1 Easy backout or alternate/fail-over is available and will provide almost immediate service
2 An alternate is available, but needs to be brought online
3 No alternate system/component or spare is available
1 Yes 2 No
1 Yes 2 No
1 Yes 2 No
1 None 2 Slowdown 3 Partial or full outage
1 NA/Yes 2 I don’t know 3 No
1 None 2 One or two 3 Three or more 4 All
Number of users/workstations
|Print Management Policy|
The internet and electronic systems have exponentially increased the amount of materials available in today’s learning, teaching, and working environment. Most people still prefer to read text on paper because it is more comfortable. Paper copies are often needed for study, distribution at meetings, and other purposes. Despite broader electronic access to documents, there remains a need for print services for students, faculty and staff.
The college provides and manages print services in a variety of ways.
Print Services for Students:
CTS employs a Print Management System (PaperCut) that students can access from all of the computer labs around campus. Funded from the Student Technology Fee, CTS provides and supports the printers, paper and toner for the computer labs and library printers. A+D uses a separate version of this same system for managing printing in their specialized labs.
Prior to 2007 there were no limits on student printing. In 2007-2008 we monitored student print usage to begin assessing utilization and to identify a reasonable print allocation level. Beginning in the 2008-2009 academic year, students were provided with a small print allocation each semester. The student community slowly became used to the idea that printing isn’t ‘free.’
Each semester each registered FT student receives an additional print allocation. Student Print Allocations are pro-rated. The print allocation has been set at a maximum of 2000 points per semester since spring 2014.
When a student prints a document, a dialog box appears showing their allocation balance and the fee for the print job they are requesting. The Print Management System charges from 3 print points per page (duplex B/W prints) to 35 points per page (one-sided color print). The 2000 print point/semester allocation is enough for each student to print up to 800 pages per semester. Any remaining balance is carried forward, with subsequent semesters’ allocations added to it. The idea is that a student’s print balance should accumulate over their four years here to support an increased print need as they research and produce their senior project. Print allocations are suspended between semesters, and eliminated upon graduation. Unused print allocations are not refundable.
Print statistics from 2013 showed that the average student allocation balance is 9952 points, with 2,200 students having a balance over 1000 points, and only 108 students below 1000 points.
For fiscal year 2012-2013 the Student Technology Fee account spent $148,000 on paper (12k), toner (115k) and replacement printers (21k).
The annual expenditure for print services is equal to the total cost of one super-awesome computer lab that the college is forgoing each and every year, so we continue trying to minimize this expense.
Print Services for Faculty and Staff:
Faculty and staff printing is the responsibility of their home unit. Many academic units have shared laser printers in divisional offices, and many faculty have desktop printers as well. Staff print services are the responsibility of their home unit. Many units have shared network printers, and many provide individual desktop inkjet printers for their faculty and staff.
As a courtesy, when Print Management was introduced in 2009, CTS provided all faculty and staff with a one-time Print allocation of 5000 points to allow them to print outside of their offices when they are in the library or a computer lab. This is a one-time allocation and will not be replenished once it is exhausted. Faculty and staff who have subsequently joined the college receive a one-time courtesy allocation of 2000 points.
The one-time courtesy print allocation of 2000 points is intended to allow faculty to print in the library and labs in an emergency; it is not intended for routine use. Class handouts and other materials should be printed in divisional offices, not in the computer labs.
As an educational institution, and in the spirit of academic freedom, Purchase College recognizes that it is essential that faculty, students, staff, and other college employees have some degree of confidence that their privacy will be respected and protected when using college computing resources for collaboration, research, scholarship, and administrative purposes. Purchase College considers information privacy a very serious matter, and therefore the college has established local policies and procedures to safeguard and protect each individual’s privacy.
This document describes the Purchase College and New York State (NYS) policies and practices regarding information privacy for students, faculty, staff, or any other persons using college-owned devices and systems.
Purchase College, as a part of the State University of New York (SUNY)—a state agency—is governed by NYS policies on information security. New York State Information Security Policy P03-002 covers the privacy of materials on state-owned computers in the following statements:
Consistent with applicable law, employee contracts and state entity policies, the state entity reserves the right to monitor, inspect, and/or search at any time all state entity information systems. Since computers and networks are provided for business purposes, staff members shall have no expectation of privacy in the information stored in or sent through these information systems. State entity management additionally retains the right to remove from its information systems any unauthorized material.
This policy is applicable to state entities, staff and all others, including outsourced third parties, which have access to or manage state entity information. Where conflicts exist between this policy and a state entity’s policy, the more restrictive policy will take precedence.
Covered by this Policy:
This policy covers the individual email accounts that are assigned to students, faculty, staff and other employees; the personal “home directories” that are created for individual students, faculty and staff members; contents of college-owned desktop computers, laptop computers and mobile computing devices assigned to individual employees; and materials stored in college-owned servers (file servers, web servers, collaboration servers, etc.)
For college email, personal home directories, and information stored on desktop or laptop computers, tablets, mobile devices, and servers, the contents of each individual’s email account, personal home directory, server directory, desktop or laptop drives or mobile storage devices are considered to be for college business purposes. However, the materials contained therein will only be accessed by the college under specific circumstances, and with explicit written approval from a minimum of two of the following:
Supervisors seeking access to departed employee materials must obtain approval as noted above.
Approval: Specific written approval will include: Written justification for accessing the materials, the name of the individual whose materials will be accessed, the location of the materials to be accessed, who they are to be accessed by, and a time period for access sufficient to achieve the stated goal (locating messages, files, or other materials.)
This written approval must be provided to the Director of CTS/ISO. In emergency circumstances (electronic intrusion, malware, etc.) verbal approval may be granted, but specific written authorization must be provided as soon as is practical. Without written approval as described, no college employee may access any other individual’s electronic materials for any reason, and any such access will be considered a violation of the college’s computer ethics policy.
Procedure: Upon receipt of written approval from two or more college officers to access an individual’s materials, CTS information security staff will notify the director of Human Resources (HR) to arrange supervised access to the materials, and secure an electronic copy of the materials in question for the supervised review. Human Resources will then arrange a time and location for the supervised review. During the supervised review, a senior Human Resources staff member will be present to supervise the review, and CTS information security staff may be present to provide any needed assistance in accessing the materials. In cases where large volumes of material are subject to review, HR, CTS, and the reviewer may convene more than once during the stated review period. The duration of the period for which access is to be granted must be reasonable and will not be open ended.
Written approval to access electronic materials will only be granted in cases where:
Kathleen Farrell Ricardo Espinales
|Purchase Cyber Security|
Use a Strong Password and Never Share it with Anyone
• Use a strong password for all of your accounts: a mix of upper and lowercase letters, numbers and special characters, at least 8 characters long. Review the College’s Password Policy and complexity requirements.
• Never reuse passwords for different accounts.
• NEVER write a password down, and NEVER share it with anyone. Purchase College will never ask you to verify your credentials or your password. Your password is your identity, and should never be shared with anyone for any reason.
Never Leave the Computer Unattended in Public Locations
• While security cable locks may serve as a theft deterrent, many have been shown to be ineffective against a determined thief.
• Never leave your computer unattended.
• If you need to leave your computer unattended in your car, place it in the trunk or in some location where it is not visible to a passerby.
• Use anti-theft software on laptops and mobile devices to help protect your data in the event of a theft.
Keep My Computer’s Software Up to Date
• Configure your computer to download and install system and application updates automatically. Due to the number of patches, it is quite cumbersome to manage patches manually.
• Patch software on your personal computer and check whether you are running the latest version of your browser and browser plug-ins like Java and Adobe Reader.
Safeguard My Computer with Anti-virus Software and a Personal Firewall
• Configure your computer’s antivirus software to update automatically every day. New viruses are being discovered on a regular basis, which puts your computer and information at risk if the antivirus on your computer is not updated regularly.
• Most operating systems, including Windows and Macintosh OS X, have firewall software built in. Check to ensure that this software is enabled. This will help stop attempts to break into your computer.
Safeguard Purchase College Data, SUNY Data, and My Own Personal Data
• Do not store sensitive data on CDs, DVDs, USB thumb drives, and other types of removable media that can be easily misplaced or stolen. If storing sensitive data on such media is necessary, make sure that the data is encrypted.
• Be familiar with the College and SUNY policies regarding Use of IT Resources, acceptable and unacceptable uses and email guidelines. See Computer Ethics and Usage Policy.
• Perform regular backups of your data.
Think Before I Click
• Never open unexpected email attachments. If in doubt, verify authenticity by phone or email before opening the message or the attachment.
• Don’t get lured in by phishing emails. Learn how to recognize telltale signs of phishing emails.
• When in doubt, ask someone at CTS whether the message is a phishing attempt, or a legitimate message.
• Take the Phishing test, and see how you fare.
Use Caution When Dealing with Email and Other Forms of Electronic Communication
• Avoid transmitting sensitive data via email and other insecure means of communication. If it is necessary to send sensitive data via insecure means, ensure that the data is encrypted.
• Never provide your password or other sensitive information in an email or in a response to an email. A request to do so is likely to be a phishing attempt.
Treat My Mobile Device Like Any Other Computer
• Smart phones, tablets, and other mobile devices are just small computers - and they suffer the same security issues as traditional computers. Your pledge to maintain cyber security applies to mobile devices and tablets too.
• Configure a password or passcode on your device.
• Install antivirus software and a firewall, if available.
• Ensure that you’re running the latest version of your device’s operating system.
• Ensure that you’re running the latest version of any applications installed on your mobile device.
• Disable or uninstall applications that you don’t use.
• Disable wireless and Bluetooth if not in use.
• Enable encryption mechanisms, if available.
• Regularly back up any data on your mobile device.
• Follow secure mobile device disposal practices.
Report Suspected Security Concerns Immediately
• If you suspect your computer has been compromised, contact the CTS Help Desk at 914-251-6465 or email us.
• If you suspect any other type of breach in the security of Purchase College Computing resources, contact the University Police at 914-251-6911.
Help Promote Cyber Security Awareness
• Share the Cybersecurity Pledge with your friends and colleagues.
• Raise awareness of good security practices among your friends and colleagues, and keep an eye out for poor security practices (e.g. a password written on a sticky note and in plain sight, a computer left unattended in a public location, etc.).
• Do your best to assist your friends and colleagues with cybersecurity, and know where to direct them if you’re unable to assist.
• Protect yourself from identity theft and learn what to do if your information is compromised.
The computer settings mentioned in this document are the standard configuration for Purchase College-provided desktops and laptops, and many of these settings are not subject to change by anyone outside of CTS.
Check your home computer to ensure that it also contains similar anti-malware software and configuration settings, and use STRONG passwords or passphrases for ALL of your online accounts.
Cyber Security Questions?
Campus Technology Services
Purchase College, SUNY
|Record Retention Policies|
In 2010, SUNY issued new regulations regarding records retention. This policy revision is the first since 1977, and is intended, in part, to address the storage and retention of electronic records.
NYS and SUNY require all campuses to adhere to these record retention policies, and plan to conduct random audits to ensure each campus is compliant. These policies cover all records stored in any format (paper and electronic).
In addition, the College is now required to submit annual verification confirming the appropriate retention and destruction of records by all departments.
Please review these policies on records retention via the links below.
Joseph Kyambadde serves as the College’s Records Management Officer. If you have questions specific to your area, feel free to contact Joe at Joseph.Kyambadde@purchase.edu,
|Remote Assistance- Remote Desktop Information and Policy|
Remote Assistance: Remote assistance allows a CTS technician to connect to a user’s computer remotely for the purpose of providing technical support and resolving issues. The CTS technician gains remote access after the user gives authorization via a connection invitation sent through a messenger screen. Remote assistance is provided while the user is present at their computer, and both user and CTS technician can control the mouse and view what’s being done. Once remote assistance has been provided, the CTS technician ends the session and disconnects from the user’s computer.
Remote Desktop: Remote desktop is performed after hours when the user is not present at their computer. The user or department head must give advance authorization, which would be noted in the work order along with the service call date and time. The computer should be logged off but not shut down during the time of the scheduled service call for remote desktop.
|ResNet Wi-Fi Services Policy|
ResNet Wi-Fi Services Policy
If you live in any campus housing facility, your residence complex already has Wi-Fi service. Installing personally owned Wi-Fi routers is prohibited since they may interfere with college provided Wi-Fi services.
All of your devices must be registered for campus Wi-Fi service. “Devices” include smart phones, tablets, laptops, game consoles, etc.
Unregistered devices that attempt to connect will be denied service.
See page to register devices.
We will do our best to help everyone with Wi-Fi service, but there can be no guarantee regarding speeds over wireless due to the nature of Wi-Fi service.
Please remember that all residential rooms contain wired internet ports which provide 100 Mbps service - which is faster than Wi-Fi - and which is not shared or subject to interference.
|Security Awareness Training|
It is getting worse - are you prepared?
|Social Media Policy and Procedure|
Purchase College, SUNY, encourages the appropriate use of social media as a method for communicating ideas and information, and as part of our educational mission.
This policy governs employees of Purchase College, specifically the behavior of individuals as they utilize a variety of social media technologies and is not limited to any specific media format.
Social Media Defined:
For the purpose of this policy, social media is defined as Web-based and mobile technologies that enable the exchange of user-generated content and conversation.
Personal Social Media (using campus resources):
Personal Use of Social Media (using personal resources):
Remember: the Internet is permanent. Don’t write anything that you wouldn’t want to see attached to your name forever!
Violations of this policy may result in disciplinary action in accordance with appropriate Agreements between the State of New York and the various bargaining units.
Procedures for Establishing and Using Purchase College Social Media Channels:
To post on behalf of a College office or department:
The Telecommunications Office maintains the telephone services for the campus community, including desktop and residential telephones. There are no charges for on-campus telephone calls. For faculty and staff, the College funds telephone services centrally and there are no charge backs to individuals or departments for work related telephone calls.
Faculty and staff who make off-campus calls from their desktop telephones and receive a monthly statement must read and certify the “Acknowledgement of College Telephone Policy” on their monthly invoice.
Purchase College provides employees with the use of desk telephones for official College related business. Access to telephone services – and the type of service to be provided (Local, Tri-State, Regional) - is provided at the discretion of their unit supervisor. Outbound calls for desk telephones can be limited to on-campus calling only, local (NYC Metro area) calling only, and in appropriate cases, nationwide and international calling.
Business / Personal Calls Defined
New York State Executive Order #1, issued January 18th 2007: State telephones may not be used for non-governmental long-distance calls, other than toll-free calls, collect calls and calls billed to a personal account. State telephones may be used for incidental and necessary personal calls, limited in number and duration, which do not interfere with an employee’s public duties.
Faculty and staff who make off-campus calls from their desktop telephones must read and acknowledge the College Telephone Policy listed below. All College employees must review and certify their monthly statement.
This policy describes the assignment, use and management of desk and cell telephones by employees of Purchase College, State University of New York.
All College employees must read and certify the “Acknowledgement of Desktop and Cellular Telephone Policy” on their monthly statement.
State Audit Procedures
Due diligence is required of all supervisors and employees to ensure that employees respect and adhere to these telephone policies and procedures. State auditors have identified telephone usage as an area of potential high risk / exposure. When State auditors perform reviews of Telecommunications equipment and telephone usage, they look for areas of abuse or misuse.
Included are calls made
1) After hours late night,
2) For long periods of time,
3) To high risk area codes, (Area Codes 900, 809, 284, etc.)
4) On weekends,
5) During holidays, and
6) To frequently called numbers for excessive periods of time.
Desktop Telephone Policy
All supervisors are responsible for monitoring telephone usage within their units. Supervisors shall determine what type of telephone access is required for each employee. Desktop telephone equipment will be provided by Campus Technology Services. Monthly statements for desktop phones are paid by the College, and an invoice will be sent to faculty/staff for review. The unit’s supervisor will have the ability to review usage and compliance within their unit where appropriate.
Unit supervisors are responsible for reviewing all statements and ensuring that all invoices are certified for the desktop phone assigned to each employee. Supervisors are responsible for making sure that personnel within their unit are aware of and in compliance with this policy, and that actual telephone usage within their units falls within appropriate parameters. Each employee is responsible for reviewing his or her desktop telephone usage, and for reimbursing the College for personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3). The unit supervisor will monitor and correct excessive telephone usage - both in terms of financial expense and the amount of time spent on the phone.
I. Desktop Phone Reimbursements
All employees assigned a desktop telephone must review/certify their monthly invoice regardless of whether reimbursement is due or not [See Attachment C].
Pay Invoices by credit card online.
Telephone Billing System (TBS)
The Telephone Billing System (TBS) is a self-service web application for faculty, staff, and rental clients who are receiving telephone service. The system allows you to review telephone usage, file the required monthly certification of work/personal calls, and pay personal telephone usage charges online.
For supervisors the system provides the ability to review usage and compliance within their unit.
The TBS system collects call detail data from our telephone system – the number called, date, time, call duration etc. and generates monthly telephone invoices for college employees and rental clients based on the telephone extensions assigned to them.
As each new monthly invoice is posted, an individual email notification will be sent to each faculty, staff, and rental client receiving telephone service from the College.
Faculty, staff, and rental clients can use the TBS to:
View paid and unpaid invoices
As an alternative to reimbursing the College for personal calls, we encourage employees to consider using their personal calling cards when they make personal calls. Whether you use a calling card or not, all employees are still required to certify their monthly statement [see Attachment C].
Desk Telephone Controls
To comply with State Regulations, the following controls have been implemented to guard against misuse of State telephones for non-State and personal calls.
II. CTS handling of Telephone Reimbursements
Campus Technology Services will process telephone reimbursements as follows:
III. Cellular Telephone Policy
Purchase College recognizes that it is important for key service personnel and administrators to be available 24x7x365 so that they are accessible in the event of emergency, off-hours, or while they are working in the field.
Purchase College provides two options for employees who fall into that category:
If a supervisor determines that an employee has a need for a cellular phone, the College encourages the use of Option 2, a reimbursement allowance. The College makes this recommendation due to the time involved in tracking personal calls, ensuring that monthly paperwork and reimbursements are submitted in a timely manner, and due to the overhead and audit requirements associated with College-owned phones.
Appropriate Use of Cell Phones
Cell phones should NOT be used as a replacement for a desktop telephone. Calls made using a cell phone are significantly more expensive than calls made using desktop land lines. Use a desktop phone whenever possible, and only use the cell phone when no desk telephone is available.
When you are trying to contact someone, call the desk telephone number first before resorting to the cell number.
Assigned cellular telephones should be used for official business-related activities. Personal use of an assigned unit shall be occasional, incidental, or for emergencies.
Each employee assigned a cellular telephone shall be primarily responsible for the security and maintenance of the unit, and must immediately report theft, loss or vandalism.
The responsibility for assigned cellular telephones cannot be transferred to another employee. When an employee to whom a cellular telephone has been assigned terminates employment, the unit must be returned to their supervisor in appropriate working condition, prior to the employee’s last day at work.
Cellular Telephone Use While Driving
It is illegal to operate a motor vehicle in New York State while using a cell phone without a hands-free device. New York State strongly encourages its employees not to use hand-held cellular telephones while driving a motor vehicle, and to use care while using any cellular telephone while driving.
Cell Phone Controls
Any employee assigned a College-owned cellular telephone or who receives a reimbursement allowance for his or her personal cell phone and who fails to comply with the State University’s desk/cellular telephone policy may have her or his privileges suspended or revoked and may be subject to disciplinary action.
College-Owned Cell Phone Inventory
The Director of CTS will maintain a current inventory of all College-owned cell phones. This inventory will include manufacturer, model, calling plan, telephone number, and the name of the employee to whom it is assigned.
Option 1: College-Owned Cellular Phones
The acquisition of cellular telephones and service plans shall be in accordance with the State University of New York Administrative Procedures Manual Item 300 Purchasing and Contract Procedures. The equipment and billing for cell phones will be charged to each unit’s procurement card.
Supervisors may request College-owned cellular telephones for specific employees where there is a demonstrable need for immediate or off-hours access. This is typically for service personnel who are in the field and away from their desk, on call during non-business hours, or for key supervisory personnel.
All requests for cell phones must be made and approved in writing by the sector Officer using the “Cell Phone Authorization Form” [See Attachment A]. The Cell Phone Authorization Form requires a brief justification for assignment of the instrument, specifies what type of service(s) are needed (Voice/text/data), the calling plan to be provided, and the type of cellular instrument to be provided.
An annual roster of campus cell phones will be provided to each College Officer for review. Each College Officer will review his or her roster periodically to ensure compliance with this policy.
To Obtain a College-owned Cellular Phone for an Employee
Billing for College-owned Cell Phones
Monthly bills for College-owned cellular phones will be automatically charged to each unit’s Procurement Card.
Verizon Wireless and Nextel Communications have set up Web sites for employees and their supervisors to review detailed monthly billing information. CTS will provide an ID/Password to each supervisor and employee for access to the appropriate Web site.
All employees with College-owned cellular phones and supervisors who authorize College-owned cellular phones for their employee(s) are required to review the monthly statements to ensure that the utilization is appropriate.
Employees with College-owned Cellular Phones must submit a Monthly College-Owned Cellular Telephone Usage Statement [Attachment D] to The Telecommunications Office SS0007 certifying that the calls made were for official College business and that the charges are just and proper. The monthly statement must identify any and all personal phone calls that were made using the cell phone, and the submittal must include a reimbursement to the College for personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3) at a rate of $0.45 per minute.
Reimbursement checks should be made payable to “Purchase College, State University of New York” and forwarded to the CTS Office in the basement of the Social Science Building SS0025.
Please note that a Monthly College-Owned Cellular Telephone Usage Statement must be submitted whether any reimbursement is due or not.
Option 2: Quarterly Reimbursement Allowance for Personally-Owned Cell Phones
Supervisors may request that specific employees receive a monthly allowance for their personally owned cellular phones where there is a demonstrable need for immediate or off-hours access. This is typically for service personnel who are either on call during non-business hours, in the field and away from their desk, or for key supervisory personnel.
The personally-owned cell phone must be for the exclusive use of the employee, and in his or her possession at all times. Recognizing the prevalence of “Family Plans” that are often held in the name of a significant other, the personal account does not need to be in the employee’s name, as long as there is a cell phone instrument for her or his exclusive use.
Participants in the reimbursement allowance program will receive quarterly reimbursement checks through the Purchasing and Accounts Payable office. Participants must submit a copy of their monthly cell phone bill to the Purchasing Office to obtain their quarterly reimbursement allowance.
This submittal is the Personal Cell Telephone Reimbursement Request Form [Attachment E] along with the cover page of the monthly statements showing the employee’s name, phone number, and statement date. The submittal is intended to demonstrate that the individual still has the phone in active service; it does not need to (and should not) include the detailed call log portion of the monthly statement.
To obtain a Cell Phone Reimbursement Allowance for an employee
Obtaining Quarterly Reimbursement Allowance checks
The Purchasing and Accounts Payable Office will issue quarterly reimbursement checks (the maximum reimbursement frequency) for employees authorized to receive a cell phone allowance. Reimbursements will not be entertained for any statement submitted more than 12 months after the service was provided (the minimum reimbursement frequency).
To obtain a quarterly reimbursement, employees must submit a copy of the Personal Cell Telephone Reimbursement Request Form [Attachment E] to the Purchasing and Accounts Payable Office along with the cover page of each monthly cell phone statement showing the date of service, carrier, subscriber name, address, and cell phone number. Regardless of the amount due, the employee will receive the standard reimbursement rate authorized by their supervisor for each monthly cell phone bill that is submitted. The check will be made payable to the authorized employee and mailed to his or her home address.
Monthly Cellular Telephone Usage Statements are NOT required for employees using the Reimbursement Allowance Option. However, supervisors are encouraged to regularly assess whether reimbursement continues to be appropriate throughout the year and supervisors have the right to terminate reimbursement allowances at any time for any reason.
Acknowledgement of College Telephone Policy
Purchase College / State University of New York
Users of College-owned desk and cellular telephones must read, understand, and comply with the Purchase College State University of New York Desk and Cellular Telephone Policy. By using the telephone, you agree to comply with all rules, regulations, and policies of Purchase College and any applicable local, state, federal and international laws, guidelines, and regulations. This responsibility exists regardless of what monitoring mechanisms may be in place. Violation of these policies may lead to suspension, loss of service or privilege, and may lead to even more serious sanctions.
Do not consider desk or cellular telephone bills private or secure because the bill contains your name and billing address. Purchase College, State University of New York has the right to monitor telephone bills and usage to determine if misuse or abuse exists.
Users must review their desk and cellular telephone bills and remit reimbursements for any personal calls at the end of each quarter.
Payments [check or money order] made payable to Purchase College for desk/cellular telephone reimbursement should relate to the monthly period for which the reimbursement applies and should be accompanied by the Purchase College, State University of New York Desk/Cellular Telephone Monthly Reimbursement Report.
Desk or Cellular telephones may not be used to defame, harass, intimidate or threaten any other person(s).
Do not allow others to use your phone, as you will be ultimately responsible for payment of charges.
Purchase College / State University of New York
College-owned cellular phones should NOT be used as a replacement for a desktop telephone. Calls made using a cellular phone are significantly more expensive than calls made using desktop land lines. College-owned cellular phones are only to be assigned to employees where either:
I, (Supervisor’s name), authorize (Employee’s name) to receive a state-owned cellular telephone for their use in conducting official business for Purchase College. I have communicated the College’s policy governing the use of cellular telephones to him/her, and he/she has agreed to comply with the policy.
The employee has agreed to reimburse the College at the end of each month for any personal calls made using this cellular phone at the rate of $0.45 per minute whether those calls are within plan minutes or not.
The employee has acknowledged that failure to comply with these policies could result in the phone being revoked and other disciplinary measures.
Submit this form to the Purchasing and Accounts Payable Office.
Personal Cellular Telephone Reimbursement/Allowance Form
Purchase College / State University of New York
Cellular phones should NOT be used as a replacement for a desktop telephone. Calls made using a cellular phone are significantly more expensive than calls made using desktop land lines. This reimbursement/allowance program should only be assigned to employees where either:
I, (Supervisor’s name), authorize (Employee’s name) to receive a quarterly reimbursement allowance for their personally-owned cellular phone for the period (Date range), that is to be used to conduct official business for Purchase College. I have communicated the College’s policy governing the use of Cell telephones to them, and they have agreed to comply with the policy.
The employee agrees to submit the cover pages of their monthly cellular telephone statements to the Purchasing and Accounts Payable Office to obtain his/her allowance reimbursement check on a quarterly basis.
The employee has acknowledged that failure to comply with Purchase College Telephone Policies could result in disciplinary measures.
Submit this form to the Purchasing and Accounts Payable Office.
Quarterly Desktop Telephone Usage Statement
Purchase College State University of New York
NOTE: All employees must submit a quarterly report whether or not a reimbursement is due to Purchase College. If no reimbursement is due for personal calls made during the period (see P 3, Executive Order #1 for guidelines), insert a zero in item II.B. Thank you for your prompt attention to this matter.
I certify that:
Monthly College-Owned Cellular Telephone Usage Statement
Purchase College / State University of New York
NOTE: You are to submit a report whether or not a reimbursement is due to Purchase College. If no personal calls were made during the period, insert a zero in item II.B. Thank you for your prompt attention to this matter.
I certify that:
Account No: ______________
Quarterly Personal Cell Telephone Reimbursement Request Form
Purchase College / State University of New York
Cell phones should NOT be used as a replacement for a desktop telephone. Calls made using a cell phone are significantly more expensive than calls made using desktop land lines. This reimbursement allowance program should only be assigned to employees where either:
My signature below certifies that this Reimbursement Allowance is for conducting official business on behalf of Purchase College, and that I have read and agree to comply with the College’s policy governing the use of cellular telephones.
I have attached the cover page for each monthly cellular telephone statement showing the date of service, carrier, subscriber name and address, and cell phone number.
I understand that I will be reimbursed at the standard allowance rate for each approved service type that was in effect at the time that the service was provided.
Submit this form to the Purchasing and Accounts Payable Office.
Purchasing and Accounts Payable Review
I have reviewed the authorization documentation on file and the attached submittal and approve the issuance of a Reimbursement Allowance Check to the above employee:
(PAP Reviewer’s signature, date)
|Telephone Usage Refund Policy|
All telephone bills are reviewed for accuracy before they are sent to departments, residents and renters. If you find an error on your bill, please contact CTS at (914) 251-6465 as soon as possible! You must report the call(s) in question BEFORE payment is submitted. Once an error is reported, CTS will check the call against our long distance carrier bills in order to validate the claim.
For international and domestic calls of 1 minute or less, a credit can be applied immediately. Calls over 1 minute must be checked against the bill of the carrier to assess whether or not the call was completed. If it is confirmed that the call was completed, the charge will remain on the bill.
If your PIN has been lost or stolen, or unauthorized calls are being made from your office phone, you must report this to CTS. You are responsible for all calls made before you reported your PIN or unauthorized calls to CTS. In such cases, if you wish to dispute the charges, you MUST file a report with University Police. Otherwise, you will still be responsible for additional calls made with your PIN or from your office phone. CTS will cooperate with University Police and provide any information they need for their investigation.
Please note that refunds will appear as a credit to the account. A refund check will be issued only if service has been terminated or you are no longer employed by the College.
|Vendor Nondisclosure Agreement|
This is a Nondisclosure Agreement made as of _______________________ (“Effective Date”) between State University of New York College at Purchase, an educational corporation organized and existing under the New York State Education Law, hereinafter referred to as “Purchase College, SUNY, a New York State Public higher education institution with its principal place of business at 735 Anderson Hill Road, Purchase NY 10577, and _______________ (“Company”), a ______________ corporation with its principal place of business at _______________________________________________________<address> for the purpose of protecting and preserving the confidential and/or proprietary nature of information to be disclosed or made available by Purchase College to the Company under this Agreement. For purposes of this Agreement Purchase College and Company are sometimes collectively referred to as the “Parties” and individually referred to as a “Party”. As used herein, “Recipient” shall mean the Party who has been given “Confidential Information” (as hereinafter defined) by and of the other Party. Discloser shall mean the Party who gives Confidential Information to the other Party.
In Witness Whereof, the Parties have caused this Agreement to be signed by their duly authorized representatives.
|Web Content Management - Process and Training|
Posting information to the Purchase College Website requires the association of your Purchase College credentials with specific groups and privileges in the website’s Content Management System (CMS).
If you are assigned as a content manager for a section of the website, or to post news and events:
|Working in Residential Units on Campus|
CTS Policy – Working in Residential Spaces
By Individual Appointment:
CTS support staff regularly visit residential spaces to perform service by appointment with the occupant. This occurs through regular service interactions when residents contact the Helpdesk.
Large-scale Project work:
For larger scale non-individual work involving an entire housing complex, the Residential License Agreement (pseudo-lease for occupants) specifically grants all college employees the right to work in residential spaces.
When working in non-individual residential spaces, CTS will:
|Workstation Administration Policy|
The security and integrity of the college’s computer systems and data network are our collective responsibility. As we increasingly rely on electronic forms of communication and access to information, we must ensure their security and protect our network against ever more sophisticated threats. A single weak machine that is not adequately patched and maintained can wreak havoc with the college’s network, interfering with administrative operations and disrupting access for thousands of people on campus.
The machines in offices and computer labs throughout the campus are purchased and owned by the college. The college’s standard operating system, Windows 10, contains security features that require you to log on before you can use the machine. All software running on college-owned machines must be legally purchased and approved by CTS before installation. All college employees receive “User” accounts that allow them to run all software on the machines, but do not give them administrative rights to modify system settings or install other software. Secure administrative access to workstations is retained by CTS. The college is using Windows 7/Windows 10 and domain-wide Group Policy settings to centrally manage these machines and ensure that security patches are applied and that anti-virus profiles are up to date. Windows 7 also dramatically improves the Helpdesk’s ability to troubleshoot and repair problems remotely when you run into difficulty.
Please call the Helpdesk at 914-251-6465 if you have any questions or if you need assistance.