Policies

Broadcast Email Policy

Purchase College Broadcast E-mail Policy – 2017

Email is a convenient way to communicate information to the campus community, and as a result there are a tremendous number of requests for campus-wide broadcast e-mail messages. 

Email is popular because you can push your message into people’s mailboxes, reaching a larger audience than you would by posting your message to a web site where people have to actively seek it out (websites are a pull channel). However, the convenience of pushing email at everyone has to be balanced against the burden this places on the time and attention of the College community. Their time and attention are too precious a resource to subject to a fire-hose of poorly targeted email that is not timely, relevant, and of interest to the recipient. We have all heard complaints about the volume of messages we receive, and we have all heard others say they don’t read any of our broadcast messages and miss important information as a result.

It is essential to avoid overuse of broadcast email that diminishes the effectiveness of this channel.

As Stamats notes, sending out an email message does not mean you have effectively communicated your message. Effective communication requires that you say the right thing, at the right time, to the right audience.

The college offers a variety of push/pull communication channels including email, distribution lists, and our web site. It is important that we avoid over-reliance on email broadcasts and employ the right mix of channels, messages, and audiences to communicate effectively with the campus community.

Broadcast Message Volume over the last 10 years has increased by 500%

  • July 2007 to June 2008:    311 Broadcast Messages
  • July 2008 to June 2009:    745 Broadcast Messages
  • July 2009 to June 2010:    884 Broadcast Messages
  • July 2010 to June 2011: 1,086 Broadcast Messages
  • July 2011 to June 2012: 1,339 Broadcast Messages
  • July 2012 to June 2013: 1,365 Broadcast Messages
  • July 2013 to June 2014: 1,179 Broadcast Messages
  • July 2014 to June 2015: 1,300 Broadcast Messages
  • July 2015 to June 2016: 1,450 Broadcast Messages
  • July 2016 to June 2017: 1,553 Broadcast Messages

By far the highest monthly volume of broadcast email is during April and September – just when people are busiest, we are bombarding them the most.  So while it is easy to use email as a communication channel, it is also easy to see why people tune it out.

It is critical that the messages we send are relevant, they are clearly written, they are accurate the first time, and they are sent to the right recipients (and not just “everyone.”) 

Broadcast Email Etiquette

Campus-wide e-mails should be sent out to inform the campus of important announcements, events, or alerts that affect the entire campus.

Campus broadcasts should only occur if there is a reasonable expectation that the message would be of interest to a significant portion of the college community. If your weekly meeting of the Obscure Society typically draws the same ten dedicated souls and meets in a small windowless room, sending an invitation to 10,000 people doesn’t really make sense – they won’t all come, they won’t all fit, and most likely you’re just annoying 9,990 of them with yet another piece of spam they have to delete.

Select your target audience carefully - with laser focus if possible. The time and attention of the campus community is a precious resource.

Avoid sending Corrections and Reminders – take the time to get the message right the first time, and promote your deadline or event using the Master Calendar, web site, portal, and distribution list.  

Broadcast email should only be used for official College purposes. Broadcast email should NOT be used to promote products, activities or services that have not been endorsed by the appropriate unit within the College (Job Fairs should be endorsed by Career Development, Overseas Programs should be endorsed by the Office of International Programs, etc.) It should go without saying that broadcast email is not the place to sell your car or rent an apartment.

Start and promote a Distribution List (DL) for those who have participated in similar activities or who have expressed an interest. Allow people to opt in and opt out of your weekly message to that list, and work to make sure that it is a source of valuable information. When you send your broadcast message, use the Distribution List as the destination address, include instructions at the bottom for unsubscribing, and honor those requests in a timely fashion. Promote your distribution list as a source of valuable information on your website, Facebook page, etc.

In any case, high quality content is far more important than how many copies you are distributing.

Tell us what is in the message and why we should look at it

E-mail messages should always include a descriptive subject line. This serves to entice people to open your message and read further, as well as to relieve them from opening the message if it clearly isn’t something they are interested in. Subject line “News from CTS” – Ho-Hum… Subject line “Your email account will be purged Tuesday at 4:00” - uh-oh.

Tell us who it is from

Marketing studies also say that people are far more likely to open a message when it comes from a real person i.e. “Bill Junor” - than when it comes from an institutional address like “(CTS.Director)” - delete.

Broadcast email Definition:

Any message transmitted to the entire “campus Community” or to an entire cohort (all students, all faculty, all staff) or to any combination thereof is considered a “broadcast message” requiring workflow approval.

School and divisional distribution lists (e.g. LAS students, NS Majors, Sociology Board of Study, a specific class list, etc.) are NOT considered broadcast messages since the heads of each area already have the necessary rights to distribute those messages themselves, without workflow approval.

Similarly, off-campus distribution lists (e.g. Friends of Music, Friends of the Library, etc.) are NOT considered broadcast messages since the heads of each area already have the necessary rights to distribute those messages themselves, without workflow approval.

Who can request a campus-wide e-mail message?

Any member of the Purchase College community can request that a campus-wide message be sent out by submitting a request through the Broadcast Email Messaging (BEM) System. Broadcast requests are automatically routed to the department head for approval, and to the appropriate Vice President or College Officer. Only the VPs/Officers can authorize broadcast emails.

For broadcast requests created by Students, those requests are routed to Student Affairs for workflow approval.

Who will receive a campus-wide broadcast e-mail message?

Campus-wide messages can be sent to all campus-wide e-mail server users. Campus-wide messages can also be sent to other e-mail servers or to external e-mail addresses if the requestor includes external addresses (individuals or Distribution Lists) as part of their request.

The request must specify the audience to receive the message. Broadcast messages can be sent to 1) all faculty, 2) all staff, or 3) all students. These three categories (and others such as residents by wing or students by division) can be combined as necessary to reach the desired audience.

The BEM system allows the originator to specify as many destination addresses as necessary, and those addresses can be a combination of campus addresses and off campus addresses.

Please note that Deans/Directors/Chairs of academic divisions already have the ability to send messages to students and/or faculty/staff within their division themselves.

What can be sent out in a BEM e-mail message?

The BEM system allows creation of rich media messages that are compact and efficient. You can embed graphics, links, and attachments as necessary. In addition, the BEM system contains a variety of general and specific graphical templates for various campus organizations that help to create an attractive presentation wrapper for your message.

Please note that many email servers on the recipient end restrict attachment size to 10 MB.

When should I use Email versus the website, the Portal, and the Master Calendar?

To communicate effectively, you should use all these channels in a coordinated fashion.

  • Make sure your message is on your website. You can include far more extensive information on a web page with photos, video, etc. than you can in an email. Find out who the web content manager for your area is, and ask them to post the information, or ask them to create a page that you can edit and maintain. If you do decide to use the broadcast email channel, your brief email message should include a link to this additional information on your web site.
  • Use the Portal pages. The Portals contain the “Think Wide Open” scroll bar that highlights stories and events. Stories and Events can be added by Content Managers within each office/academic division using the LiveWhale Content Management System (CMS). Your story or Event can appear on your unit’s web page, the Portal Pages, and maybe even the College’s Home Page. Our website was “built for crowdsourcing” – we want your announcements, stories, and events up there front and center where everyone can see them.
  • Space for events must be reserved and approved through the RoomBook scheduling system. After you have successfully reserved the room for your event in RoomBook, go into the LiveWhale CMS and create an event there with graphics and descriptions, and share it with the “Portals” group. Please do not use email to promote an event that you haven’t put into the calendar – people won’t be able to locate your email message as the event approaches, and will look for it on the calendar, and if you haven’t actually reserved the room, they may even show up to find some other event in progress.
  • Consider using the Distribution list for a particular segment of the community. There are existing distribution lists for each school, each board of study, campus residents, commuters, etc. If you don’t have the rights to send to the right distribution list, find out who does and ask them, or start your own distribution list.
  • Select your audience carefully - with laser focus if possible. If your message applies to students in certain majors with a certain range of credits who live on campus, create a list for that audience.

Computer Equipment Disposal

The New York State Department of Environmental Conservation has determined that non-working and obsolete computer products must be treated as hazardous waste. Monitors and terminals contain from 4 to 8 pounds of lead and fail the NYS DEC TCLP test for toxicity. Circuit boards of both computers and printers contain lead solder, mercury and cadmium, and often also fail the TCLP test. These items should be disposed of in an environmentally sound manner.

The key points of NYS DEC Regulations are:

  1. All non-working /obsolete computer products should be disposed of in an environmentally sound manner

  2. Monitors and terminals are always a hazardous waste (or household hazardous waste, if from household use).

  3. Other components of a computer system (e.g., circuit boards, keyboards, mice) could be hazardous depending on their lead, mercury, or cadmium content, which can vary from product to product.

  4. The recycling facility must be on file with the DEC.

  5. A C7 Notification Letter must be filed with the DEC that a legitimate recycler is processing the product.

  6. The generator continues to be responsible for product improperly disposed of through non-recycling channels.

  7. Donated equipment must be operational and for continued use.

  8. Storage for over 90–180 days may be a violation.

  9. Substantial penalties may apply for non-compliance.

Additional information is also available at the New York State Department of Environmental Conservation website at http://www.dec.ny.gov. The current rates for disposal are about $15 for a PC, monitor, and printer.

Campus agencies must arrange to have their old computer equipment removed by an authorized disposal service that complies with all city, state and federal regulations. You may want to contact our campus Environmental Health and Safety Officer, Ed Musal, at x6917 for further information on hazardous waste removal. One authorized recycling vendor is Per Scholas, who can be reached at (718) 991-0362.

CTS will continue to dispose of old computers that are being replaced with new ones on an individual basis, and properly dispose of them as we have done in the past. However, CTS cannot accept bulk disposal or removal of old computer equipment on behalf of other departments.

Please keep in mind that all departments must fill out a Property Control System – Request for Disposal or Surplus Form.pdf – when disposing of old computer equipment (see attached). The original will go to the department head, a copy should be taped to the item being disposed of, and a copy must go to our campus inventory control coordinator in Purchasing and Accounts Payable. Please call x6920 if you have any questions about using this disposal form.

Computer Ethics Policy

The Purchase College information technology infrastructure includes a private network of secure services for the exclusive use of our students, faculty, staff, and administrators. Other IT services include open access to college information for the general public and the world at large. To utilize private secure services for students, faculty, and staff, you must authenticate with a Purchase College user name and password. 

Users of computer systems and networks at Purchase College must read, understand, comply with, and electronically sign the Purchase College computer ethics policy when they activate their accounts. You are responsible for your actions. That responsibility exists regardless of what security mechanisms are in place. Unauthorized use of computing facilities will lead to suspension or loss of privilege, and may lead to more serious penalties. All rules and policies must be adhered to by all users of Campus Technology Services at Purchase College.

Appropriate use

All users are expected to use these services in a responsible fashion. Student use of all computing resources and services is subject to the Student Code of Conduct. Faculty and staff use of computing resources and services is subject to the Policies of the SUNY Board of Trustees and to campus supervisory oversight.

The college provides a variety of services that are public within the college community, and others that are public to the world. These services include (but are not limited to) our portal, ePortfolios, student web publishing directories, sections of our website, and Moodle, among others. Materials posted to any college site or service must be respectful and appropriate; offensive materials or speech may be removed and/or referred to Student Affairs or the appropriate college supervisor.

Security for Your Account

Do not consider email private or secure. Purchase College does not encrypt email. Mail can be easily intercepted at any machine that it passes through. It can be altered and copies can be made and forwarded. Messages sent to nonexistent or incorrect addresses may be delivered to an unintended destination.

The systems administrator(s) at Purchase College have the right to monitor computer systems. The systems administrator(s) have the right to examine user files to diagnose system problems or investigate security breaches.

The internet is not secure. If you are going to transmit sensitive data or files across the internet, you must take precautions to protect it on your own. Data and files can easily be intercepted, read, altered, misused, or destroyed at any machine they pass through. In addition, machines attached to the internet are vulnerable. Do not assume your data is safe on your computer if it is directly connected to the internet.  Do not store valuable or privileged information on these systems without applying security. If you can’t afford to lose it, back it up. If it is information that should never see the light of day, don’t store it on a networked computer.

Backup Your Important Data

Keep all valuable disks and tapes in a secure place. Secure backup copies of valuable files or data off site. When throwing out old disks or tapes, make sure no sensitive information can be found on them.

Intellectual Property and Piracy

Whenever you are shipping software from one place to another, you must consider intellectual property and license issues. The internet is a global network, and the importing and exporting of software may fall under the jurisdiction of the United States Department of Commerce. Exporting anything may require a license. A general license covers anything that is not explicitly restricted and is readily available in public forums in the United States. The exportation of networking code or encryption code is restricted. You may not allow access to a restricted machine to persons or entities outside of the United States. Please be aware, when posting information to a bulletin board, that data will probably cross the border. If you have any questions on the legality of transmissions over the borders of the United States, please seek legal counsel.

Purchase College has joined the internet via an educational connection. Use of the internet for commercial purposes is not allowed.

The following are considered unacceptable uses of computer systems, and are strictly prohibited:

  1. Deceiving a machine (i.e., mimicking, imitating, or attempting to use an ID other than your own)

  2. Computer fraud (with and without intent to deceive)

  3. Computer damage or destruction

  4. Offenses against computer users including, but not limited to, harassment

  5. Unauthorized use of any system

  6. Modification or destruction of programs or data other than your own personal files

  7. Use of computer to commit crime (embezzlement, harassment, blackmail, etc.)

  8. Tampering or alteration of computer, computer systems, programs, or files

  9. Unauthorized access or attempted unauthorized access to a computer or network

  10. Causing denial of computer services (e.g., run a virus that renders a network unusable)

  11. Preventing others from using computer services

  12. Causing deterioration of system performance (e.g. playing Doom over a network)

  13. Computer trespass. This includes remote systems as well as secured areas of this system

  14. Theft of computer-related materials

  15. Theft of computer services. For example, you may not use any pay service without paying

  16. Computer invasion of privacy—unauthorized examination of files

  17. Computer-caused physical injury

  18. Copying licensed software

  19. Violation of any interstate laws applying to electronic transmissions

  20. Violation of any import/export laws applying to electronic transmissions

  21. Posting confidential information such as Social Security numbers or phone numbers

  22. Cracking passwords

  23. Even if a file is readable, do not assume you may read it unless explicitly granted authority to do so

  24. Even if a file is able to be updated, do not modify it unless explicitly granted authority to do so

  25. You may not share your account

  26. You may not use any computer resource without prior permission

  27. If a Purchase College systems administrator asks you to cease an activity on the computer, you must stop that activity immediately

Password Policy

Your password is the only means you have of keeping your account and files secure.  The algorithm that encrypts passwords has not been broken. However, it is possible for your password to be stolen when using the Internet so you are encouraged to change it often. More than 80 percent of computer break-ins are because passwords can be easily derived by hackers.


The following requirements must be met when choosing a password:

  1. Your password must be kept secret and changed often.

  2. Your password must contain at least eight keystrokes, including the following in any order;

    choose at least 1 character from 3 of the four groups below:

    • One or more uppercase letters (‘A’ through ‘Z’)

    • One or more lowercase letters (‘a’ through ‘z’)

    • One or more numerals (0 through 9).

    • One or more non-alphanumeric keystrokes (Special Characters), including punctuation marks

      (including ` ~ ! @ # $ % ^ & * ( ) _ - [ ] ’ ” ~ / ? , . < > | ).

      (it is best to include both numerals and punctuation marks.)

  3. The space may be used in creating a password, or pass phrase.  The space is not required and does not count as a special character, but does improve the complexity of a password. Most people find it easier to remember pass phrases than complex passwords. Combining words, spaces, digits and special characters can make a pass phrase that is both easy to remember and hard to guess.

    For example, “I’ll always have eyes 4 U” is a valid password.

  4. Select a secure password that you are guaranteed to remember.  An easy way to accomplish this is to join unrelated words, syllables, and/or letters that have special meaning only to you. Place non-alphabetic keystrokes between parts of words, syllables, or letters in your password. For example, “my Dog likes to eat Bananas and Strawberries” (note capitalized nouns) becomes “myD@wgl2eB&S”.

  5. Do not use consecutive keys on the keyboard to form any significant part of a password (e.g. “ASD”, “qwerty”, “1234abcd”, “!@#”).

  6. Do not use your login name to form any part of a password, nor use any common name, such as the name of a person or pet, nor any personal information (date, license number, etc.). Reversing these words is ineffective as well (e.g., the passwords “John.Smith” and “htimS.nhoJ” are equally ineffective, as is “1491/7/ceD”, or any form of a date).
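
The mechanically checkable parts of requirements 2, 3, 5 and 6 can be expressed as a validator. The sketch below is an added example, not code used by the College or CTS: the function names are hypothetical, a US QWERTY layout is assumed, and "significant part" in requirement 5 is taken to mean a run of three adjacent keys, matching the shortest examples the policy gives. Common names, dates and other personal information (requirement 6) are not checked.

```python
import string

# Assumptions (not stated in the policy): US QWERTY layout, and a run of
# three adjacent keys counts as a "significant part" of the password.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Shifted number-row symbols are mapped back to the key that produces them,
# so "!@#" is recognised as the same keystrokes as "123".
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
RUN_LENGTH = 3
MIN_LENGTH = 8   # "at least eight keystrokes"
MIN_GROUPS = 3   # "at least 1 character from 3 of the four groups"


def character_groups(password):
    """Return which of the four policy groups appear in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            groups.add("uppercase")
        elif ch in string.ascii_lowercase:
            groups.add("lowercase")
        elif ch in string.digits:
            groups.add("numeral")
        elif ch != " " and not ch.isalnum():
            # Requirement 3: the space is allowed but is not a special character.
            groups.add("special")
    return groups


def keyboard_run(password):
    """Return the first run of adjacent keys (either direction), or None."""
    normalized = password.lower().translate(UNSHIFT)
    for i in range(len(normalized) - RUN_LENGTH + 1):
        chunk = normalized[i:i + RUN_LENGTH]
        for row in ROWS:
            if chunk in row or chunk in row[::-1]:
                return password[i:i + RUN_LENGTH]
    return None


def contains_login(password, login):
    """Requirement 6: the login name, forwards or reversed, is not allowed."""
    if not login:
        return False
    lowered, name = password.lower(), login.lower()
    return name in lowered or name[::-1] in lowered


def check_password(password, login):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight keystrokes")
    if len(character_groups(password)) < MIN_GROUPS:
        problems.append("fewer than three of the four character groups")
    run = keyboard_run(password)
    if run is not None:
        problems.append("contains consecutive keyboard keys: %r" % run)
    if contains_login(password, login):
        problems.append("contains the login name (possibly reversed)")
    return problems


if __name__ == "__main__":
    # Passwords quoted in the policy; the login names are constructed samples.
    samples = [
        ("I’ll always have eyes 4 U", "jsmith"),
        ("myD@wgl2eB&S", "jsmith"),
        ("1234abcd", "jsmith"),
        ("htimS.nhoJ", "john.smith"),
    ]
    for password, login in samples:
        print(repr(password), "->", check_password(password, login) or "OK")
```
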

Data Policy

Individuals who are authorized to access sensitive or institutional data are prohibited from divulging that data to any other individual, unless that individual is also authorized to use the data. Individuals are only permitted to access data as authorized.

Game Playing Policy

Game playing is allowed on college computers as long as:

  1. It does not deteriorate system performance

  2. The computer is not needed for school work, research, or any other legitimate purpose

Hardware Policy

  1. You may not move or take any hardware without explicit permission from the designated owner of that hardware.

  2. You may not destroy or vandalize any hardware, cable, or service provided by the campus.

Denial of Service

  1. You may not disable the network by means of any computer program.

  2. You may not disable the network by rendering any equipment unusable.

Security Policy

You are responsible for the security of your account. Please read the policy on passwords. The following are symptoms of unauthorized trespass of your account. If you become aware of the following, please contact CTS at x6465.

  1. New or unexplained files found in your directory

  2. Changes in file lengths or dates

  3. Unexplained data modification or deletion

  4. Unable to login to your account

  5. Suspicious beeps, messages, or pictures

VIOLATION OF THESE POLICIES WILL LEAD TO SUSPENSION OR LOSS OF PRIVILEGE, AND MAY LEAD TO MORE SERIOUS PENALTIES

Computer Replacement Cycle

Purchase College Computer Replacement Cycle Policy - 2013

A computer in good working order that is able to run current versions of various software is an essential component of today’s learning, teaching, and working environment. To ensure that students, faculty and staff have access to the computers and services they need to fulfill their roles, the College has instituted a variety of policies and programs to ensure that computers are maintained and replaced on a regular basis.

For computer labs:

The faculty Instructional Technology Advisory Committee (ITAC) is responsible for managing the  replacement cycle for the ~50 computer labs around campus. Each year, approximately $350,000 in ITAC funding is provided to ensure that the academic computer labs are maintained and upgraded so that they meet the teaching needs of our academic programs.

Each spring ITAC issues a call for proposals to the faculty and academic divisions. Proposals for ITAC funding must be endorsed by the Board of Study Head, the academic unit Chair/Director, and the Dean. During the spring semester ITAC reviews and prioritizes the proposals it receives, making award decisions by the end of the spring semester so that upgrade/replacement implementation can occur over the summer. 

For Full-Time Faculty:

Faculty Support and development are the responsibility of Academic Affairs. Every faculty member should have a computer for communications with students and colleagues, for use with the Moodle Learning Management System, for research, and for administrative tasks like advising and grading. Each full-time faculty member should have a computer able to run current versions of software needed for their discipline.

Faculty are typically provided with one reasonably current desktop computer. In cases where additional justification is clearly warranted and documented, Academic Affairs may choose to provide one reasonably current Laptop computer for faculty use instead of a desktop computer. 

To ensure faculty have appropriate access to computers and electronic services, in 2007 the Provost’s Office instituted the Faculty Computer Replacement Cycle. Under this program, full-time faculty will typically receive a new computer every 3 to 5 years. There are about 200 faculty, and each year an allocation will be made for faculty replacement computers, as funding allows.

Each spring CTS prepares a report for the Academic Affairs Office showing all FT-faculty computers, with out-of-warranty computers highlighted for further review. Specific requests for new computers are also forwarded for consideration. Following administrative review and funding allocation, CTS orders the computers and arranges their delivery to individual faculty members. 

In cases where a faculty member has more than one computer – such as a desktop and a laptop – as long as one of them is a current model and still under warranty, replacement of their second out-of-warranty computer is at the discretion of Academic Affairs.

Full-time faculty receiving a new computer must turn in the old computer to CTS for refurbishment/recycling.

For Part-Time and Adjunct Faculty:

Adjunct and part-time faculty computers remain the responsibility of the individual unit managers. Academic units should ensure that part-time and adjunct faculty also have access to appropriate computers.

There is no central funding pool for adjunct or part-time faculty computers. While CTS can provide refurbished and out-of-warranty machines where there is a special need, these computers are typically 5+ years old and are intended for temporary hardship cases only. Individual unit managers should plan and budget for computers appropriate to their employees’ needs.

For College Staff:

College staff computers are the responsibility of their unit managers. Individual units should ensure that part-time and student staff also have access to computers appropriate to their needs.

There is no central funding pool for staff computers. While CTS may choose to provide refurbished and out-of-warranty machines in extreme cases where there is a special need, these computers are typically 5+ years old and are intended for temporary use only. Individual unit managers should plan and budget for computers appropriate to their employees’ needs. Staff receiving a new computer must turn in their old computer to CTS for refurbishment or recycling.

Typical Computers:

New York State negotiates contracts with major computer vendors each year. The current contract holder for PCs is HP, which offers a standard desktop and 20” monitor for $600, including warranty.  For Apple computers, the standard is the 21” iMac, for which the college currently pays $1,448, including warranty.

Since there is a significant cost differential between PCs and Apple Computers (2:1), and since both PCs and Apple computers are equally capable of running the same software (MS Office, Adobe Creative Suite), the College will provide HP PCs by default. Faculty requests for Apple computers must be accompanied by written justification for the additional expense, endorsed by the chair/director, and sent to the Academic Affairs office.

Since there is a significant cost differential between desktop computers and Laptop computers (almost 2:1), and since both desktop and laptop computers are equally capable of performing the same functions, the College will provide desktop computers by default. Faculty requests for laptop computers must be accompanied by written justification for the additional expense, endorsed by the chair/director, and sent to the Academic Affairs office.

Typical Software:

The College provides both Microsoft and Apple operating systems and licenses for Microsoft Office desktop productivity software (Word, Excel, PowerPoint, Outlook). In addition, the College provides concurrent licenses for Adobe Creative Cloud (Photoshop, Acrobat, Illustrator, Premiere, etc.), SPSS, and many others via our Sassafras license server. Any other software needed by an individual employee is the responsibility of their administrative unit.

Typical Computer Warranties:

HP, Dell and Apple computers purchased through Purchase College are typically purchased with a 4-year warranty covering hardware replacement and next-day on-site service. In accordance with the State contract with HP, the warranty is included in the price of the computer. If you are purchasing an Apple, you must add the cost of the AppleCare warranty for the same 4-year period.

While out-of-warranty computers may be functioning and still serve the user’s needs, these computers become a liability due to increasing cost in time and labor as they age. When hardware problems arise and repairs are no longer covered under warranty, they take an inordinate amount of time and effort to repair.

All Computers are College Property:

Whether purchased by the College, Research Foundation, or individual units, all computers and the software they contain remain College Property, and will be managed by CTS. In addition, appropriate use of these devices is governed under the NYS Cyber-security Policy, the Purchase College Computer Ethics Policy, the Purchase College Computer Privacy Policy, and the Purchase College Mobile Device Policy.

Computer Refurbishment and Recycling:

Whether new computers are provided by the College or the unit, the computers being replaced will revert to CTS for disposal (computers are classified as hazardous waste due to the heavy metals they contain).

In rare cases where a replaced computer still has some life left in it, CTS may choose to refurbish it and reassign it temporarily to a staff/faculty member in need. These refurbished computers should in no way take the place of a new computer purchase, but rather serve as a loaner computer for the staff/faculty member to use while awaiting the arrival of a new computer that was ordered for them by their department. Once their new computer is delivered, the loaner computer will be brought back to CTS for retirement and disposal.

In many cases the cost in personnel time keeping old hardware running exceeds the cost of a new computer.

While CTS understands departmental desire to save money by holding onto computers that still run, a decision to keep an old computer comes with a steep price in increased support costs, yielding less than desirable results for the College. For that reason, CTS may decline to provide service in cases where the computer is out of warranty. In addition, the “keep our old computer” problem is often compounded by cascading upgrades - we are asked to give the old computer to so-and-so, and so-and-so’s old computer goes somewhere else – multiplying the workload for CTS.  Therefore, CTS may decline to perform these “cascading upgrades” where we determine that course of action to be inadvisable.     

(Last updated August 2017)

Confidential Information Policy

Purchase College is committed to protecting the privacy and confidentiality of information contained in the multiple databases and print files maintained by the college in the regular course of business. Personal information that is confidential in nature will be used only in accordance with the Purchase College Information Security Program, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA) regulations, and all applicable SUNY, state, and federal regulations.

 POLICY

Employees at Purchase College by nature of their positions will gain access to private personal information about students, faculty, staff, alumni, and other constituents of the college. Employees are obligated to maintain the confidentiality of any such private personal information that is encountered.

Purchase College expects all employees with access to personal information to deal with that information in a respectful and professional manner. As a matter of policy, the college restricts access to personal information to only those employees who have a legitimate “job-related reason” in the performance of their duties for gaining access. Access and release of any student educational records must be in accordance with FERPA regulations.

Access and release of any health records must be in accordance with HIPAA regulations. Any personal information viewed or accessed by an employee through college systems or records is not to be shared or released to others unless there is a legally permissible purpose for doing so. In addition, in accordance with Section 203-d of the New York Labor Law, Purchase College will not:

  • Publicly post or display anyone’s Social Security number;

  • Visibly print a Social Security number on an identification badge, including any time card;

  • Place Social Security numbers in files with open access; or

  • Communicate an employee’s personal “identifying information” to the general public.

Personal Identifying information (PII) is defined by NYS as including an employee’s Social Security number, financial account number and PIN, or driver’s license number. Access to PII will be restricted to those with a demonstrable need for access.

Inappropriate disclosure of information pertaining to students, faculty, staff, and other college constituents may violate applicable law and is considered a violation of ethics and a breach of trust placed in employees by the college. Upon finding of a breach of this policy by an employee in a collective bargaining unit, the college may initiate disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.

Employees who deal with confidential material on a regular basis will be required to sign a confidentiality statement and to complete annual information security training. Each campus manager will determine employees required to have access to PII who must receive training and sign confidentiality statements.

GUIDELINES

Employee, student, financial, and medical information contained within Purchase College information systems (electronic and physical files) and external SUNY systems is considered confidential. Access to information made confidential by law or campus practice is limited to those individuals (employees, consultants, adjunct professors, third-party vendors, etc.) whose position legitimately requires use of this information.

The employees (Purchase College faculty, staff, student employees, and volunteers appointed by the college) understand that by virtue of their work for Purchase College they may have access to data that are confidential, and therefore understand they may not disclose such confidential data to any person or entity without appropriate authorization, subpoena, or court order.

Examples of confidential PII include the following:

  • Social Security numbers (SSN)

  • Motorist identification number

  • Bank account numbers and PIN

In addition, FERPA regulations cover

  • Educational records

  • Information (including directory information) made confidential by written request.

In order to access confidential information, employees agree to adhere to the following guidelines:

  1. Employees understand and acknowledge that improper or inappropriate use of data in the college’s information systems is a violation of college policy, and it may also constitute a violation of federal and/or state laws.

  2. Employees will not provide confidential information to any individual or entity without proper authorization.

  3. Employees will not access, use, copy or otherwise disseminate information or data that is not relevant and necessary to perform their specific job-related duties.

  4. Employees will not remove confidential information from college facilities except as specifically authorized to do so.

  5. Employees will not share their user ID and password with anyone.

  6. Employees will not use the data for personal or commercial purposes.

  7. Employees will refer all requests for educational records from law enforcement, governmental agencies and other external entities to the vice president for student affairs for matters related to students and to the FOIL Officer for all other requests.

  8. Employees will refer external requests for all college statistical, academic or administrative data to the Office of Institutional Research, Office of Human Resources, or those departments that have been authorized to respond to such requests.

  9. Employees will not communicate any Purchase College employee’s personal identifying information to the general public.

  10. Employees will report any unauthorized access to confidential data immediately to their supervisor and to the Chief Information Officer.

  11. Employees understand that any improper or inappropriate use of data in the college’s information systems may result in disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.

  12. Employees are not permitted to store Social Security numbers, credit card numbers, motorist/non-driver IDs or bank account numbers on individual staff computers, or portable media such as external hard drives, USB thumb drives, CDs, DVDs, tapes, etc. without express authorization from the Chief Information Officer. Storing any other confidential data on individual staff computers or any type of portable media is strongly discouraged.

  13. Employees storing confidential data on college servers must on an operational basis remove files containing confidential data when no longer needed.

  14. Employees who are uncertain about what constitutes legitimate use or release of information should always err on the side of confidentiality and refer their questions about the appropriateness of a request for personal information from college systems or records to their supervisor before releasing the information.

PROCEDURES

  1. Supervisors are required to review the Information Security Policy Regarding Confidential Information with each new employee assigned to their department. During the department orientation process, supervisors should provide each employee with a description of the type(s) of confidential information his or her specific position will work with in the performance of his or her duties.

  2. Employees in areas of the college that deal with confidential material will be required to sign a confidentiality statement to be stored in the employee’s personnel file. Each vice president in conjunction with their managers will determine employees required to sign confidentiality statements.

  3. Supervisors shall review the Information Security Policy Regarding Confidential Information on an annual basis and confirm in writing that each employee in the unit reviewed and understood the policy.

CyberSecurity Investigation Clearance Form

A cybersecurity investigation is to be conducted only with the prior approval of the director of Campus Technology Services and senior campus executives. Each Security Investigation must be fully and completely documented. Nonemergency investigations must have approval of two senior college administrators (president or vice presidents).

Documentation of security investigations must include:

• Report of DMCA violation (nonemergency investigation)

• Other “due cause” documentation (emergency or nonemergency)

• Identification of security threat type

• Risk analysis – severity of threat and potential exposure

• Log files from threatened/compromised system

• Steps taken to contain threat

• Steps taken to contain possibility of exposure of sensitive materials or private information

• Steps necessary to prevent recurrence

The following policy pertains to all Security Investigations:

In an emergency, the Privileged User conducting the investigation may view, copy, modify, or delete data placed on a computer or network by another user (and not normally shared) if and only if the Privileged User has documented probable cause that the contents of the data pose an immediate threat to the system or network. Examples of an immediate threat would include a “Root Kit” or other “Trojan Horse” back door, a worm or virus, or other materials or activities that pose a threat to the normal operation of college computer networks or systems.

• The Privileged User conducting the investigation may view, copy, modify, or delete data placed on a computer or network by another user if the Privileged User has documented that there is probable cause that the account is being used for illegal purposes (copyright violation, commerce, harassment, piracy or other crime) and has a completed Security Investigation Clearance Form.

• The Privileged User conducting the investigation may not erase or tamper with any system log file for any reason other than to archive the log file. If it is necessary to remove a log file from the system due to storage limitations, then the log file must be archived to tape for permanent storage. The archived records must provide an uninterrupted history of events on the system for auditing purposes. Exceptions must be approved in writing by the director of Campus Technology Services and IT security personnel.

Investigation of: _____________________________________________

To be Conducted by: ______________________________________________

Approved By: Director of Campus Technology Services: ___________________________

 

Date: ______________

Senior Administrator #1 Date:________

Name: (Please Print) _______________

Signature________________________________ 

Senior Administrator #2 Date:________

Name: (Please Print) __________________

Signature________________________________  

 

Security Investigation Clearance Form

Data Infrastructure Policy

The security and integrity of the college’s computer systems and data network is our collective responsibility. As we all increasingly rely on electronic forms of communication and electronic access to important information, we must ensure their reliability and protect our network against ever more sophisticated security threats.

College-Owned Devices:

The personal computers (PCs) and other devices used in offices and computer labs throughout the campus are purchased and owned by the college. This includes department or unit-funded devices, as well as Research Foundation or grant-funded devices.

All college-owned devices (servers, PCs, laptops, tablets, etc.) must be registered in the centralized CTS Workstation Database per the college’s Device Assignment Policy. When a device is transferred from one employee to another—for any reason—the device must be returned to CTS for refreshment and reassignment. Failure to register a device may result in denial of all network services for that device.

All college-owned devices must run a current and secure operating system. A current and secure operating system is one that is actively being supported and patched by its vendor (Microsoft, Apple, Linux).

All college-owned devices must be joined to the campus network domain, and must require the use of Active Directory login credentials to access the computer. Secure administrative access to college computers (admin rights) will be administered by CTS.

These machines must be part of the campus network; the software running on these machines must be legally purchased and approved by CTS before installation.

Personally Owned Devices:

Personally owned devices brought to campus will not be joined to the College Network Domain, will not use Active Directory Credentials for logon access, and therefore will only be able to obtain public network access (services available to the world at large). Individual owners are solely responsible for the operation and security of their device.

Ports and Wiring Infrastructure:

The wired data ports and wireless networks throughout the college are purchased and owned by the college, and are operated and managed by Campus Technology Services (CTS). No connections to college ports are allowed without prior written approval from CTS.

CTS is responsible for the management and administration of all data and telecommunication networking ports, components, and infrastructure serving the campus. No network modifications of any type, including minor renovations, will be permitted without written advance approval from CTS.

Contractors working on any part of the college’s data and telecommunication infrastructure must have prior written approval from CTS, and work must be coordinated and monitored by CTS.

Any wiring, ports, or devices that are not approved will be disabled, removed, or seized as they present an unwarranted security risk.

Servers

All college servers will be operated by CTS or their designated agents (vendor or proprietary systems). Servers will only be run on appropriate hardware. CTS and CTS alone will act as system administrators to manage the server operating system and network environment. At their discretion, CTS may grant “application administrator” rights to configure and manage specific software applications on a server to appropriately trained individuals outside of CTS.

Any servers found to be in violation will be disabled, removed, or seized as they present an unwarranted security risk.

Other Network Devices

No network devices (data port switches, routers, Wi-Fi, storage systems, etc.) may be installed by anyone other than CTS. Installation of any network device must be approved in advance by CTS.

Any devices found to be in violation will be disabled, removed, or seized as they present an unwarranted security risk.

Desktop Computer Privileged Access Policy

The security and integrity of the college’s computer systems and data network is our collective responsibility. As we increasingly rely on electronic communication and access to information, we must ensure its security and protect our network against ever more sophisticated threats. A single weak machine that is not adequately patched and maintained can wreak havoc with the college’s network, interfering with administrative operations, and disrupting access for thousands of people on campus.

Desktop Computer Access: The PCs in offices and computer labs throughout the campus are purchased and owned by the college. The college’s standard operating systems, Windows 7 and Windows 10, and Apple OSX, contain security features that require you to log on before you can use the computer. All software running on college-owned machines must be legally purchased and approved before installation.

All college employees receive “user” accounts that allow them to run all software on the machines. User-level accounts do not allow you to modify system settings or install software. Secure administrative access to XP and OSX workstations is restricted to CTS staff and selected divisional technology support personnel.

The college is using Windows and domain-wide Group Policy settings to centrally manage security patches and settings for Windows machines and for anti-virus software. For Windows machines and for anti-virus software, the college runs a local Windows update server; Apple OSX machines are set to retrieve updates directly from Apple. It is imperative that the college ensures that security patches are applied and that anti-virus profiles are up to date. 

Restricting changes to desktop computers also greatly simplifies college-wide management of its technology infrastructure and support services. CTS support personnel make use of Remote Desktop or VNC to connect to your computer in real time when you call for support, and are on duty Monday through Thursday 8am-7:45pm, and Fridays 8am-4:45pm.

If you believe that you have a legitimate need for elevated privileges to your desktop operating system, you can submit a Request for Administrator Level Desktop Access.

Laptop Computer Access

All college employees receive “local administrator” access to their laptop computer. This level of access is required for machines that need to be used away from the campus (home, travel). Local administrator access allows you to run all software on the machines, and allows you to modify system settings or install software. However, you are expected to refrain from installing illegal copies of software, from adjusting settings for security patches and remote access, from adjusting any settings that you do not fully understand, and you are expected to refrain from allowing anyone other than yourself access to your credentials or to use your laptop while you are logged on. 

Please call the CTS Helpdesk at (914) 251-6465 if you have questions or need assistance.

Device Assignment and Tracking Policy

Purpose

This policy covers assignment and tracking of college-owned computers and devices commonly assigned to college employees: desktop computers, laptops, tablets, and mobile devices.

The Device Assignment and Tracking (DAT) form is available online. 

 

What’s covered by this document?

This document is applicable to all College staff, faculty, or administrators who are using college-owned computing devices issued or loaned to them by a College department. All College-owned computing devices are governed by this policy, including systems made available as primary workstations, assigned within a departmental office, or purchased through grant dollars for specific projects.

 

All college-owned computers, systems, and mobile devices are covered by the Purchase College Privacy Policy which provides protection for individual privacy appropriate for an academic environment.  See also the Purchase College Mobile Device Policy for additional guidelines and procedures covering mobile devices.

Acquisition

For Staff: Administrative units provide their staff with computers, laptops, and mobile devices as necessary.

  • Administrative units must order computing devices in collaboration with CTS to ensure the devices are registered on the college domain, tracked in the college database, loaded with college software, and are compatible with college systems.

For Faculty: Academic Affairs provides faculty computers, laptops and mobile devices for all faculty as necessary.

  • Academic units must order computing devices in collaboration with CTS to ensure the devices are registered on the college domain, tracked in the college database, loaded with college software, and are compatible with college systems.

  • Each year, CTS produces a report for Academic Affairs showing all full-time faculty computers as recorded in the Workstation Database.

  • The CTS report shows all faculty computers (desktops and laptops), with “replace” recommendations where an individual’s only workstation is outdated or out of warranty, or where all of that individual’s computers are outdated or out of warranty. Replacements are for a like device (desktops replaced with desktops).

  • A report is issued to the Provost with an overall cost estimate based on a current quotation for machines included in the “replace” recommendations. Academic Affairs edits the recommendations.

  • Academic Affairs may solicit input from Chairs/Directors regarding pending personnel changes and/or the appropriateness of each “replace” recommendation.

  • Chairs/Directors may get feedback from faculty within their unit.

  • Academic Affairs returns a final “replace” recommendation containing the names and types of devices (Mac or PC, desktop or laptop) to CTS for ordering.

Inventory and Property Control

  • Administrative and Academic units are responsible for tracking computers assigned to the individuals within their unit in their Property Control inventory.

  • CTS applies Property Control stickers to devices as part of “preparation for use.”

  • CTS sends the Property Control sticker #, device, and purchase information to the Internal Control Officer, Academic Affairs, and the unit.

  • Property Control audits are the responsibility of administrative and academic units.

 

Preparation for use:

  • Upon delivery, computing devices must be sent to CTS for preparation.

  • CTS prepares the devices - joining them to the domain and loading College software.

  • CTS will affix the appropriate Property Control sticker(s) to the device.

  • CTS prepares the electronic “Device Assignment Form” and sends the form to the individual’s supervisor for their digital signature.

  • CTS notifies each employee when their device is ready for delivery or pickup.

  • Employees may ONLY take delivery of their device (or pick it up) with a completed Device Assignment Form.

  • The Device Assignment and Tracking (DAT) form is available online. 
  • Upon delivery/pickup of a new device, the device being replaced must be returned to CTS. Data can be transferred to the new device during the handoff.

  • Administrative access is provided for all mobile device holders, allowing them to access the mobile device when it is not connected to the college network (offsite), change settings, install software, apply updates, etc.

  • College credentials (CTS) will exist on all College-owned devices to enable CTS staff to provide support and maintenance services as needed.

 

Transfer of Devices

  • Devices that are being re-assigned to another individual must be returned to CTS. Devices are refreshed, and a new electronic Device Assignment Form is prepared.

  • Devices may NOT be handed off to others without being returned to CTS first.

  • Upon departure from College service, all computing devices MUST be returned to CTS for reassignment and/or disposal.

  • All data is wiped from computing devices prior to re-assignment or disposal.

 

Liability/Reporting Loss

  • Departments should not loan college-owned devices to students, student organizations, or other outside parties. CTS maintains a loan pool of equipment for this type of use, and requests should be referred to CTS.

  • In case of theft or loss, the employee must file a report with the University Police.

Report a theft immediately to:

  • The appropriate local law enforcement authority and Purchase University Police

  • CTS (Helpdesk 914.251.6465) as soon as the theft has been noticed. Please provide CTS with a copy of the police report.

 

+++++++++++++++++++++++++++++++

 

Failure to comply with this policy may result in disciplinary and/or legal action.

 

See Device Assignment Form

Purchase College / State University of New York

Digital Millennium Copyright Act (DMCA)

As a community of artists, writers, musicians, filmmakers, and scholars whose careers will be spent creating intellectual property, we encourage our entire community to respect the property of others. Downloading anything onto your machine from untrustworthy P2P (peer-to-peer) sources or websites not only exposes you to viruses, worms, and spyware, but often violates the copyright laws and can lead to suspension of network privileges, or to lawsuits from the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), or the Business Software Alliance (BSA). Please remember that theft is a crime, and that nothing in cyberspace is truly anonymous.

Copyright protections are created when words are put on paper, transmitted via email, when music is recorded, software is written, or when an image is created.  Once done, the work is protected by copyright—no formal copyright registration or seal is required for copyright protection to be in effect. If someone else wants to use the work, they must get permission from its creator.

Copyrighted material includes almost all forms of original expression fixed in a tangible medium even if no formal copyright notice is filed or attached. However, you cannot copyright any idea, process, system, method of operation, concept or principle, regardless of the form in which it is described.

Copyright infringement is any reproduction (download), display, distribution (upload), creation of derivative works, or public performance of copyrighted work without permission of the copyright owner.

Federal copyright law and college policy prohibit the copying and/or distribution of copyrighted material without the permission of the copyright owner. Copyrighted materials include but are not limited to text, graphics, art, photographs, music, film, and software. 

Peer-to-peer (P2P) software such as BitTorrent that is often used to share music, movies and other media may lead to violation of copyright laws. Most P2P software automatically shares anything that you download by default—so if you downloaded the latest Hollywood blockbuster to watch it, you would also be helping to distribute an illegal copy to others by sharing the contents of your machine with the world.

If you use any P2P software for legitimate purposes, as a security precaution, you should disable its file sharing component. There is an IU website with details on disabling file-sharing for most P2P software.

Digital Millennium Copyright Act (DMCA)

Here is A Review of the DMCA.

Here is An overview of the DMCA Act

To report alleged copyright infringements on Purchase College computers, please contact the college’s designated DMCA agent:

Bill Junor
Director of Campus Technology Services
Purchase College, SUNY
735 Anderson Hill Rd.
Purchase, NY 10577
Tel. 914.251.6461
Fax 914.251.6476

 
Purchase College DMCA Notification Policy / Procedure for DMCA Infringement Reports - September 2008

Pursuant to the provisions of the Digital Millennium Copyright Act, Purchase College receives DMCA Copyright Infringement Notices alleging that computer(s) registered to Purchase College IP addresses are illegally infringing on copyrighted materials belonging to others. Infringement of copyright is a violation of Federal law, and the violator is subject to both substantial fines and civil damages.

Under the DMCA, as an Internet Service Provider (ISP), the college is obligated to expeditiously remove or disable the allegedly infringing material and notify the subscriber of its actions in what is referred to as “notice and take down procedure.”  The Purchase College DMCA infringement procedure is as follows: 

  1. RIAA, MPAA and various agents report alleged copyright infringements to the college’s named DMCA agent, CTS.

  2. CTS identifies the computer, the room, and the owner of the computer, and records the DMCA case number, name, and other information in a DMCA incident report ticket.

  3. CTS places the computer in question into a restricted network.

  4. The computer owner’s name is forwarded to the vice president for student affairs and to the Office of Community Standards in the form of a DMCA Violation Letter that includes the specific information contained in the Violation Notice received by the college.

  5. Student Affairs refers the student to the Office of Community Standards for possible disciplinary action.

  6. VP Student Affairs or the Office of Community Standards will notify CTS if/when the individual’s computer should be removed from the restricted network once the Office of Community Standards has completed its process.

The college also recommends that all students take the University of Texas Copyright Crash Course or their Copyright Tutorial, or take other appropriate steps to further their understanding of copyright infringement.

Counter Notice

Under the DMCA, the college is obligated to inform you of certain requirements of that Act. You have the right under the Act to send a counter notice that you are not in violation or that the violation has ceased. That notice must be in the form required by the Act, and you are advised to seek legal counsel at your expense for appropriate advice on the form of any counter-notice. The specific statutory language is as follows: (17 USC 512(g)(3)): Contents of Counter-Notification: To be effective under this subsection, a counter notification must be a written communication provided to the service provider’s designated agent that includes substantially the following:

(A) A physical or electronic signature of the subscriber.
(B) Identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access to it was disabled.
(C) A statement under penalty of perjury that the subscriber has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material to be removed or disabled.
(D) The subscriber’s name, address, and telephone number, and a statement that the subscriber consents to the jurisdiction of Federal District Court for the judicial district in which the address is located, or if the subscriber’s address is outside of the United States, for any judicial district in which the service provider may be found, and that the subscriber will accept service of process from the person who provided notification under subsection (c)(1)(C) or an agent of such person.

The above is provided for your information only, not as advice, nor is it an attempt at stating the law or your responsibility.  You should review the entire Act with your attorney. 

College Computer Network Users: if you lose access due to an alleged violation

If you receive an official notice from the college of an alleged copyright violation and have had your network access restricted, please contact the Office of Student Affairs to find out how you can have your network access restored:

Office of the Vice President
for Student Affairs
Student Services 316L
Purchase College
735 Anderson Hill Rd.
Purchase, NY 10577-1400
(914) 251-6030
Fax: (914) 251-6034
student-affairs@purchase.edu

Domain Names Policy

Overview
A domain name is an identification string consisting of a series of alphanumeric “words” separated by “dots.” A “human‐friendly” domain name that is typically typed into a browser is translated to a numeric IP address for routing traffic between servers on the internet. Examples of domain names include “purchase.edu” and “google.com.” Domain names are defined and translated through the Domain Name System (DNS).

Domain names have multiple levels. For example, purchase.edu is a second‐level name, while moodle.purchase.edu is a third‐level name. Domain names are resolved to an IP address, like 199.79.168.97.

Campus Technology Services (CTS) is solely responsible for administering and maintaining DNS records and DNS name assignments for the purchase.edu domain obtained through Educause.

Custom Name Requests
A school, conservatory, or department outside of CTS may request a third-level name (example.purchase.edu) for an application, site, or server if it is hosted with and administered by CTS. All name creation requests require the approval of the head of the requesting unit. CTS management is responsible for final approval. Requested names should be unambiguous and clearly identify the content of the site. For example, humanresources.purchase.edu would clearly identify a site for the Office of Human Resources, but pink.purchase.edu would not. Custom names are not permitted for applications, sites, or servers that are not managed by or hosted by CTS.

Redirects to External Services
If a third-level domain name cannot be granted (i.e., for an external service), a local redirect may be provided at the discretion of CTS. For example, http://www.purchase.edu/ExternalResourceName could be used to promote a college-affiliated service that exists on an external server, and that link can redirect traffic to the external service.

Email Account Naming Policy

 

Longstanding Enrollment Services policy identifies College email as the “official communication channel” for Purchase College. All faculty and staff email addresses published on our public-facing website are their official purchase.edu addresses.

 

When faculty and staff are hired, their legal name is used for the HR appointment transaction. Completed hiring transactions are fed into the Banner system overnight, and an account is automatically created based upon the name used for the HR transaction.

 

For full-time matriculated students, the legal name provided on their application is used as the basis for the account name. For CE students, the name provided on their registration form is used as the basis of the account name.

 

The automated account provisioning process will first try to use the full First.Last legal name to create the account – but there are several conditions that may impact that:

 

  1. If the derived First.Last account name is already in use,

    1. the system will try appending the Middle Initial and a dash ahead of Last name –or-

    2. the system will try appending a sequence number and a dash ahead of Last name (if Middle Initial is Missing, or already taken)

  2. If the name is too long, the system will use the first character of the first name + complete last name.

    1. the system will try appending the Middle Initial and a dash ahead of Last name –or-

    2. the system will try appending a sequence number and a dash ahead of Last name (if Middle Initial is Missing, or already taken)

  3. Other conditions that impact account name assignment: grandfathered account names from the 90’s - which are phased out as employees retire.

 

The account naming process is fully automated, and there is no “preferred name” in HRETS for faculty and staff, so professional names cannot be automatically assigned as email account names.

 

Changing Account Names:

  1. We do accommodate any actual legal name change.

    1. If there is a legal name change, we change the account name.

  2. We do accommodate bad data fixes (typos, misspellings, etc.)

  3. With the Registrar’s approval, we accommodate transitioning individuals with account name changes in advance of the legal name change.

 

Aliases:

In cases of a legal name change (marriage, etc.) upon request we will establish a temporary forwarding alias from the old account name to the new for a period of 90 days to allow previous contacts to acclimate to the new account name.

 

Other than legal name changes, we cannot entertain any permanent aliases for a variety of reasons. Aliases multiply the namespaces occupied by one individual, and exponentially complicate management of our email system.

 

Earnest.Employee (legal name) may prefer to be called Ernie.Employee – but when another person arrives with an actual legal name “Ernie.Employee” – the account creation process fails.  

 

Allowing aliases also invites abuse – some would like to have an alias of “Little.Kitty@purchase.edu” that would clearly not be appropriate, and CTS cannot adjudicate what is and isn’t appropriate.

 

Rare exceptions to the “no aliases” rule are possible – but must be kept to a minimum (there are only 2 aliases in use today.)

 

HRETS makes no accommodation for “professional/preferred name” so – automation is not possible at this time.

 

Within Banner, the Registrar’s office can accommodate Professional/Preferred names for Faculty, but these only affect how the Faculty’s name will appear within myHeliotrope (SSB).

 

Professional name would also have the same constraints as legal name – it may be in use already; too long, etc. Professional/Preferred name occupies an additional account namespace (legal name is still the account name, alias is a second name)

 

Account names exist in perpetuity, so any name that is used – ever - is gone - forever.  This applies to anyone who becomes a student or an employee.  (The only exception is for Accepted applicant accounts – which are purged completely and the namespace recovered if they never actually enroll.)

 

 

Use of Off-Site Email for Official Business is prohibited

 

College accounts are for College business – personal accounts are for personal business. Our policies and recommendations cannot contradict or even muddy that basic distinction.

 

A faculty member using their @purchase.edu address is clearly identifying themselves as a member of the College community on official business. In contrast, Floaty@aol.com is likely to end up ignored and deleted.

 

Blanket forwarding of email to off-site accounts is disabled. Email often may contain personal, private, and sensitive information about students or about college operations. Blanket forwarding puts official records outside of Purchase College, and is legally problematic.  

Email Forwarding Policy


 

Longstanding Enrollment Services policy identifies College email as the “official communication channel.” No blanket forwarding of College email to off-campus accounts is permitted for faculty and staff.

 

A faculty member using their @purchase.edu address is clearly identifying themselves as a member of the College community on official business. In contrast, Floater@aol.com sounds like poo in the pool, and is likely to end up ignored and deleted (that is/was an actual faculty member’s off-site email address.)

 

All faculty email addresses published on our public-facing website are their official purchase.edu addresses.

 

We all have off-site addresses, but we don’t publish those, and we should all be using our official college accounts for official business.

 

In the course of investigating an incident we discovered someone who set up automatic forwarding of all messages to an external account. That is dangerous since email (despite all our warnings) sometimes contains personal, private, and sensitive information about students or about college operations. Blanket forwarding also puts official records beyond the reach of legal discovery in the event of an HR investigation.  

 

College accounts are for College business – personal accounts are for personal business. Our policies and recommendations cannot contradict or even muddy that basic distinction.

 

Once the automatic forwarding was identified, we looked to see how many people had set up forwarding rules.  Out of 1,000 employees, only 39 individuals were identified as having automatic forwarding. Out of those 39 people, only 25 are faculty – and almost all of those are Adjuncts.

 

Each of the 39 was individually notified in Mid-July that the forwarding rule would be disabled. Email messages can still be individually forwarded as necessary – only automatic blanket forwarding was disabled.

Email Policy

Primary and Required Official Channel 

 

Email is the College’s primary means of communication between students, faculty, and staff. Messages regarding course information, important deadlines, missing documents and official correspondence are sent to your Purchase email account.

 

All faculty, staff, and students are required to use the Purchase College email system when conducting College business. The College expects that official email communications will be received and read in a timely fashion.

 

Do Not Forward 

 

It is important that messages sent to your official Purchase email account are delivered to the intended recipient.  It is important that official and sensitive College communications remain secure, and therefore Purchase College does not support automatic forwarding or redirection of email messages to external email accounts. 

 

Storing Important and Sensitive materials 

 

Important and sensitive materials should not be kept in your email account. With fragmented discussions and out‐of‐band replies, Email makes a terrible filing cabinet. If you send or receive important or sensitive materials via Email, save those materials in a secure location (Departmental file share or your Home Directory) and delete them from your Email. 

 

Think of your Email account like the mailbox bolted to the front of your house – you would never think of storing anything sensitive or important there – it serves as a drop‐off location only, and you empty it regularly. 

 

Email Retention 

 

Per the Purchase College Email Retention Policy, Email messages are automatically purged at the end of our 3‐year retention period.  

 

Legal Discovery 

 

All College records are subject to legal discovery. If particular email messages have been flagged for legal hold preservation, those messages are automatically exempted from the 3‐year retention purge.

Email Retention Policy

In accordance with SUNY and NYS record retention policies, Purchase College email systems will automatically retain messages for three years on active email servers. After three years, email messages will be automatically purged from the system. This automatic deletion policy applies to messages within all folders (inbox, sent, draft file folders, etc.) on Purchase College email servers.

In addition, Purchase College email systems are also configured to purge items in the “Deleted Items” folder after 90 days. Items in the “Deleted Items” folder are messages that were marked for deletion by the recipient.

All Purchase College email system users are expected to:

  • Regularly check for new messages;
  • Move messages with lasting value to dedicated storage on departmental/office networked file system; and to
  • Delete transitory messages as quickly as possible.

I. POLICY 

The policy provides Purchase College with an email management policy that brings us into compliance with legal and regulatory requirements, and improves the College’s operational efficiency and effectiveness. This email retention policy applies to:

1. All Purchase College email systems

2. All users and account holders of Purchase College email accounts

3. All email sent or received using Purchase College email systems

Transitory Messages

These email messages are normally created for purposes of routine communication or information exchange, and as such, they are not considered official College records. These messages should be considered transitory messages that do not have lasting value (defined below) and should be:

1. Read and promptly deleted; or

2. Read and retained on the active server for no longer than the default retention period (defined below) or until their usefulness has ended (whichever occurs first), and then promptly deleted; or

3. Read and moved off the active server when job requirements necessitate retention for periods longer than the default retention period, and then promptly deleted when their usefulness has ended.  

Examples of transitory messages:

  • Announcements, notices about meetings or events, etc.
  • Internal requests for information
  • An inquiry about department course offerings or scheduling issues

Lasting Value Messages

Email is not a record retention or document management system, so messages with lasting value:

1. Should be moved to dedicated storage on departmental/office networked file systems; and

2. Should not be stored exclusively within individual users’ email folders/files.

These email messages exhibit one or more of the following characteristics that imply lasting value:

Have operational value (required by a department to perform its primary function)

  • Administrative actions taken or planned
  • Assignment of work or tasks to employees
  • Distribution of reports or recommendations  
  • Distribution of policies, procedures, guidelines, rubrics, or templates

Have legal or evidentiary value (required to be kept by law or of value in prosecution of a claim)

  • Falls within a litigation hold or internal investigation (see “Litigation Holds” below)

Have fiscal value (related to the financial transactions of the campus)

  • Required for financial reporting and audits

Has historical significance (of long term value to document past events)

  • Relating to an exceptional and/or significant event

Contain vital information critical to maintaining operational continuity after a disruption or disaster

Vital records or information may fall into any one of the above value categories

Examples of Lasting Value messages:

  • Announcement of or change to college or departmental policy
  • A message assigning an employee to perform a task

Responsibility for Retention of Messages with Lasting Value

Only the departments responsible for retention of specific types of records need to store and control the disposition of that information. For example,  

1. If a department issues a policy change announcement via broadcast email, then that department is responsible for retaining that record (and not every recipient);  

2. If a department manager was cc’d on a message that Purchasing used to send an electronic copy of a Purchase Order to a vendor, then the department manager does not need to retain a copy of the Purchase Order record; the Purchasing Office is responsible for retention of all purchasing records.

II. PURPOSE

Electronic mail (email) messages enable us to communicate internally with the Purchase College community and externally with prospective students, applicants, prospective employees, alumni, vendors, and colleagues across the world. The 2006 amendment to the Federal Rules of Civil Procedure addressing the discovery of electronically stored information requires institutions to establish email retention policies. New York State also has specific Records Retention Policies. This Purchase College Email Retention Policy establishes the default retention period for email stored on college email servers. This policy also identifies roles and responsibilities for litigation holds with respect to materials stored on college email servers.

III. SCOPE

Under normal circumstances, official records (policy documents, personnel records, financial transactions, etc.) will exist outside of the college’s email messaging system, and are retained in those source locations rather than in email messaging systems. For this reason, email messages are not normally considered “official records.” While official records are often transmitted through email messaging systems, copies of those official records must be retained by the office which originated the records.

The responsibility for determining whether a specific message has lasting value falls to the holder of the message. Senders and recipients should not retain messages any longer than necessary for their respective job purposes. When that need no longer exists, the messages should be destroyed.  

For messages that the holder determines are of lasting value, the holder should store those messages outside of the messaging system – to a file folder in a personal home directory or a departmental file share. Messages can be moved to a file folder by drag-and-drop (to preserve message header information).

Questions about the proper classification (transitory or lasting value) of a specific message, record, or piece of information should be directed to the employee’s unit head, manager, or department chair.

New York State Records Retention Policy ‐ Default Retention Periods:

New York State Records Retention Policy states that normal business materials should be retained for three business cycles (three years), and financial records should be retained for seven business cycles (seven years.) At the end of that retention period, the records should be destroyed.  

Backup Files

Backup copies of Purchase College email system files are kept for six months. These backups are for system restoration and disaster recovery purposes, and are not designed to or intended to facilitate retrieval of deleted messages.    

Litigation Holds

While email may be considered transitory or of lasting value, the contents of email are subject to discovery when a litigation hold is issued. When litigation against the college or its employees is pending or reasonably expected, the college may receive a litigation hold notice from SUNY legal counsel instructing us to preserve all documents and records relevant to the matter being litigated.  

A litigation hold directive overrides this email retention policy, as well as any record retention schedules that may have otherwise called for the transfer, disposal or destruction of relevant documents, until the hold has been cleared.

Email and account contents of separated employees that have been placed on litigation hold status must be maintained by the Campus Technology Services (CTS) until the hold is released.

No employee who has received a litigation hold notice may alter or delete an electronic record that falls within the scope of that notice. A litigation hold may also cover access to electronic records that the subject has downloaded, saved, or moved to other storage accounts or devices.

IV. ROLES & RESPONSIBILITIES

Campus Technology Services (CTS) will:

  • Establish and publish standards for email account administration, storage allocations, and automatic archiving of messages (that must be retained for periods longer than the default retention period) to users’ local computer folders/files
  • Provide facilities and instructions for moving messages with lasting value to dedicated storage on departmental/office networked file systems
  • Manage technical implementations of litigation holds that are issued by SUNY counsel
  • Suspend automatic deletion processes as necessary to preserve specific electronic messages, records and information that fall within the scope of the litigation hold, and that reside on active servers.

Department heads and unit managers are responsible for reviewing records retention policies and providing guidance to staff and faculty within their respective units. The guidance provided must be in accordance with this policy.

Originators of electronic messages, records, and information that have lasting value are responsible for:

  • Appropriately identifying and retaining such records in accordance with this policy and
  • Seeking assistance from management when unsure about how to categorize specific messages.

College employees who have been notified by management of a litigation hold are responsible for preserving all messages, records, and information that fall within the scope of the hold that they have downloaded and/or stored locally, and must provide copies of all records related to the litigation hold to HR.

Human Resources (HR) will:

  • Moderate review of records that may be relevant to HR investigation or litigation hold requests
  • Act as custodian for records that are deemed relevant to HR investigation or litigation hold requests

V. RELATED INFORMATION:

See:

SUNY Record Retention Schedule

NYS Records Retention Schedule   

Federal Rules of Civil Procedure 

Email, Laptop, Desktop, File Share Privacy

Introduction

As an academic institution, Purchase College recognizes that it is absolutely critical that faculty, staff, and other college employees have confidence that their privacy will be respected and protected when they are using college computing resources.

This policy describes the Purchase College privacy practices regarding information collected by faculty, staff, or other college employees, including temporary appointees, on college-owned workstations and servers.

This policy covers the college email accounts that are assigned to employees (faculty and staff), personal “home directories” that are created for individual faculty and staff members, and the contents of college-owned desktop and laptop computers that may be assigned to individual employees.

This policy specifically does not cover information stored in departmental file shares on a server—even if that departmental file share contains a subfolder that may be in the individual’s name. Departmental file shares are specifically set up to be used to store shared documents, and unit supervisors have access to all materials stored in a departmental file share.

Supervisors should note that departmental file shares are the preferred storage method for official college-related business. Employees should be strongly discouraged from storing official college-related business (memos, reports, policies, spreadsheets, or official correspondence) in any place other than a departmental file share.

College Email, Personal Home Directories, and Desktop or Laptop Disk Drives

The entire contents of each individual’s email account, personal home directory, and desktop or laptop disk drive(s) are considered private.

No other college employees will access or view the contents of these for any reason without specific written approval from a minimum of two of the following:
• President
• Vice president or equivalent college officer (CFO, COO)
• SUNY legal counsel
• Chief of University Police

Specific written approval should be in the form of a completed Security Investigation Clearance Form (Security Investigation Clearance Form.doc). In emergency circumstances, specific written authorization may be provided via email, but is still required as stated above.

Supervisors seeking access to departed employee materials must obtain approval as noted above. The individual’s right to privacy does not expire on their last workday.

Contact Information
For questions regarding this Internet privacy policy, please contact:
Via email:
bill.junor@purchase.edu
Via regular mail:
Bill Junor
Director of Campus Technology Services
Purchase College
735 Anderson Hill Road
Purchase, NY 10577

Equipment Loan Policy

CTS loan policies and procedures are enforced to ensure the security of equipment and the equal opportunity for usage by all students.  

CTS maintains a pool of equipment available to students, faculty and staff, by request through the CTS Work Order System.  

We do our best to accommodate all requests - including the last-minute ones.  Equipment should be reserved in advance to increase the likelihood of availability.  Equipment is primarily reserved for academic purposes, and priority is given to students over faculty and staff.  Equipment is reserved in the order in which it is received, but special circumstances may be accommodated.  Equipment may be borrowed over breaks, but permission from the instructor through the work order system or by email is needed for students to borrow equipment between semesters.   

Most equipment can be borrowed at any time for a period of one week. Requests for longer than one week will be assessed on a case by case basis and will be granted or denied based on academic need, the student demand, and equipment availability of the requested items.  The “Comments” section of the work request should briefly give the reason for the loan request as priority will be given to requests for academic purposes. 

Reserved equipment can be picked up and returned at the CTS Helpdesk (Social Sciences Room 0025) anytime during our normal business hours. 

Those unable to pick up requested equipment by the specified date should notify CTS by phone or through the work order system.  CTS will hold the equipment an extra day upon request, but then the equipment will be returned to the loan pool, and a new request must be submitted.  

CTS may decline or cancel requests for a variety of reasons including misuse, damage, loss, or late return, or for other reasons at the discretion of CTS.

The borrower assumes full responsibility for the equipment. Equipment not returned on time will be marked as late and incur charges daily starting at $1 a day per item up to $5 a day per item. The amount of the late fee is determined by the value of the item. Cameras and camcorders are $5 a day, audio recorders are $5 a day, microphones are $1 a day, tripods are $1 a day, stands and boom poles are $1 a day, light kits are $5 a day, projectors and displays are $5 a day, laptops and tablets are $5 a day, other small peripherals are $1 a day. The final charge will be calculated on the day the late equipment is returned. For lost or broken equipment, the borrower will be charged the full replacement or repair cost of the items in question.

 CTS will inspect equipment before pick up and upon return.  The individual borrowing the equipment should check the equipment and report any missing and/or damaged pieces before leaving CTS with the equipment.  Also, if any equipment is damaged or broken while out, it should be reported to CTS upon return.  Equipment should be checked for presence of equipment reserved and general condition of equipment.

All electronic communications for equipment requests from CTS are done through the CTS Work Order System and will appear in the requestor’s Purchase email account Inbox from “Purchase College Work Order System” with the subject line “CTS Work Order Status Report”.

 Individuals are advised not to give equipment to others while it is signed out to them.

 All equipment must be returned in the same condition in which it was loaned out.

Faculty and Staff Computer Replacement

Under the provost’s faculty computer replacement cycle, full-time faculty will receive a new computer every three to four years. Computers for part-time faculty are the responsibility of the individual academic unit managers, but they should also receive a new computer every three to four years.

Computers for college staff are the responsibility of the individual unit.

New computers will be imaged, joined to the domain, and loaded with college-provided software, including:  

  • The current operating system (Windows X or OS-X)
  • Antivirus software (Windows/Essentials/Defender or Mac/X-Protect/Clam)
  • Office productivity suite: word processor, spreadsheet, Powerpoint, etc. (MS-Office)
  • Adobe products (Creative Suite and/or Acrobat)
  • Other

When new computers are provided by the college or the unit, the old out-of-warranty computers must revert to CTS for disposal. (Computers are classified as hazardous waste due to the lead, mercury, and heavy metals they contain.)

Warranties

Prior to July 2008, Dell and Apple computers purchased through Purchase College were purchased with a three-year warranty covering hardware replacement, all peripherals, and on-site service. As of June 2010, we are purchasing computers with a five-year warranty through Hewlett Packard or Dell. Since July 2008, all Dell and HP computers purchased through the college carry a five-year warranty. Apple computers will carry a three-year warranty. In accordance with the state contract with Dell and HP, the warranty is included in the price of the computer. If you are purchasing an Apple, you should add (at extra expense) the AppleCare warranty. 

Replacing Computers at the End of Their Service Warranties

When out of warranty, computers may be functioning and still serve the user’s needs, but these computers often become a liability and cost the college a great deal of money in time and labor. When hardware problems arise with out-of-warranty computers (and experience tells us they will), and they are no longer under contract to be serviced by Dell, HP, or Apple, they take an inordinate amount of time and effort to repair. Even worse, it is only a matter of time before a hard drive failure causes the loss of important data that may be next to impossible to replace. CTS technicians often are left with no choice but to put an enormous amount of time and effort to recover data and fix computers that are out of warranty and that should have been replaced. In many cases, the cost in personnel time keeping old hardware running exceeds the cost of a new computer.

When CTS is unable to recover important data, an outside agency may be required in a final attempt at recovering the lost data. The cost to the machine’s owner can be thousands of dollars. Out-of-warranty, slow computers are often brought to CTS for troubleshooting because the departments to which they belong are reluctant to spend money to purchase a new computer if they can get a little more time out of their old and obsolete computers. This contributes to inefficient use of college resources. The cost in time and labor almost always exceeds the amount of money the department saves by delaying the purchase of a new computer. Inevitably, the old computers still do not function as well as the owners hope, and more calls are again placed to CTS for service.

While we understand each department’s desire to save money by holding onto a computer that is still running, we would like to make you aware that your decision to keep your old computer comes with a steep price and yields less than adequate results. CTS may decline to provide service in cases where the computer is out of warranty and we determine that providing the necessary service is inadvisable. In addition, the “old computer” problem is often compounded by cascading upgrades —we are asked to give the old computer to so-and-so, and so-and-so’s old computer goes somewhere else—multiplying the workload.

Many people who were using a computer beyond the three-year replacement cycle will suddenly find themselves with a computer that will no longer work because it does not meet the minimum specifications to run Windows 7.

It is strongly advised that all departments replace computers at the end of their service warranty. Once a new computer is delivered, it will replace the out of warranty computer which will then be brought back to CTS for disposal.

How to Order a New Computer or Replace an Old One

Please submit a work request through The CTS Work Order System for the type of computer you wish to purchase and CTS will get back to you with options.

Identity and Access Management Policy

Students:

Students are granted Purchase College Credentials upon Admission to the college, or upon registration for a course as an LSCE student, summer camp participant, or other non-application-based programs. An active email box is granted along with student credentials (UserID and Password).

Use of Student Credentials:

Students must use this account to interact with college systems – class DLs, Moodle assignments, etc. All official communications from the college to students will be sent to the college email account.

Persistence of Student Credentials:

Student email accounts persist for 18 months after their last course/activity registration. However, Student credentials persist forever – their email mailbox is eliminated 18 months after their last registration, but their UserID and Password remain active so that they can request transcripts, register for additional classes, etc.

Students may elect to set up email forwarding through the self-service menu. Email forwarding will associate an external email mailbox with their Purchase College email address, so that even after Barney.Rubble@purchase.edu has their mailbox de-activated, any email sent to that address will be forwarded to the external email address they specify.

If a student whose email mailbox has been retired registers for another class, a new (and empty) mailbox will be created and associated with their existing credentials (UserID and password.) This is a manual process.

Extended Access to College Systems for students: 

If a student requests continued access to college systems beyond the 18-month grace period following their last registration, an academic department/BOS can create a P-Dash volunteer transaction for the student.

Parents/Guardians:

Students may choose to grant parent/guardian credentials with specific privileges through the Banner Self-Service Proxy function. Parent Guardian credentials are created within the Banner database (no more sub-domain.) No Purchase College email is created for parent/guardian accounts – P/G accounts are associated with an external email where notifications are sent.

Use of Parent/Guardian Credentials:

Parents/Guardians must use this account to interact with college systems.  Students typically grant P/G access to pay their Purchase College bills, view grades, and view schedules – all of which are available through the self-service Banner menu.

Persistence of Parent/Guardian Credentials:

Students grant P/G credentials, and can renew their access as necessary while the Student credential remains valid.

Faculty and Staff Credentials:

All faculty and staff are granted Purchase College Credentials and a campus email mailbox upon their appointment to a position at the college. This group includes all full and part-time faculty and staff, adjunct faculty, and all other persons appointed via PAF in the HRETS system.

Use of Faculty and Staff Credentials:

Faculty and staff use their Purchase College credentials to interact with Purchase College and SUNY systems. Faculty and staff must use their Purchase College email account for conducting all official college business. Faculty and staff are discouraged from using their Purchase College email account for personal business.

Persistence of Faculty and Staff Credentials:

Faculty and Staff credentials persist through their last day of service to the college*. The last day of service is considered to be the “End of Service” date specified on a terminal PAF. For Adjunct or Temporary Service PAF’s, the end-of-service date is the ending date for that Temporary Service appointment, unless the originating PAF TS appointment includes an “extend email privileges until” date. (* A 60-day grace period is applied for employee accounts.)

Extended Access to College Systems for Faculty and Staff:

There is a process for requesting extended account privileges beyond the last day of college service, with executive approval. In cases where a faculty or staff member is a former student, on their last day of service, their group membership will be updated to reflect an alumni-only role, and their mailbox will be disabled – but their credentials will remain – as they would for any student.

Volunteers, Contractors, Vendors, Guests, and other “Affiliated” Community Members:

Upon sponsorship of their role at the college using the HRETS Person Data Sheet (P-Dash), persons in this category are granted College Credentials and an email mailbox.

Campus supervisors use the P-Dash form to sponsor persons to a specific role at the college for a specific period of time.  Persons in this category may be active in multiple and even simultaneous sponsored roles at the College, but will receive one active credential.

Use of Affiliate Credentials:

Persons in the affiliated category use their Purchase College credentials to interact with college and SUNY systems. Persons in the affiliated category must use their Purchase College email account for conducting official College business, and are discouraged from using the account for personal business.

Persistence of Affiliate Credentials:

For persons in the affiliate category who are provisioned via the P-Dash form, credentials persist through their last day of service to the college. The last day of service is the end-of-service date listed on their P-Dash form. Note that there is no automatic grace period as there is for regular college employees. However, the affiliate – and their sponsoring supervisor – will receive notification of the pending expiration of the P-Dash account 30 days before its ending date, and again at 20 days and 10 days.

Extended Access to College Systems for Affiliates: 

There is no process for requesting extended account privileges beyond the last day of college service for affiliate credentials. However, a sponsoring office can choose to re-appoint the affiliate using another P-Dash transaction for an additional period of time. In cases where an affiliate is a former student, their group membership will be updated to reflect an alumni only role, and their mailbox will be disabled – but their credentials will remain - as they would for any student.

Information Privacy

This policy describes the Information Privacy and Accessibility Policies in use on the College’s Web Site.

 

Accessibility 
The Purchase College website is designed to comply with web accessibility guidelines. You can adjust the site in a number of ways to fit your needs. We aim to create an environment that enables anyone to participate fully in the mainstream of college life.  The website is built according to WCAG (Web Content Accessibility Guidelines issued by the World Wide Web Consortium). 

Customize the Site to Fit Your Needs

To make the Purchase College website easier to read and navigate, you can change the display settings, such as:

  • Text size

  • Color and contrast

  • Screen magnification

  • Style sheets

The BBC website “My Web My Way” offers a useful guide to adjusting these and other features in your specific operating system and browser.

Information Privacy

This website is designed to make it easier and more efficient for individuals and businesses to interact with Purchase College. Purchase College recognizes that it is critical for individuals and businesses to be confident that their privacy is protected when they visit the Purchase College website.

Consistent with the provisions of the Internet Security and Privacy Act, the Freedom of Information Law, and the Personal Privacy Protection Law, this policy describes the Purchase College privacy practices regarding information collected from users of this website. This policy describes what information is collected and how that information is used. 

For purposes of this policy, “personal information” means any information concerning a natural person, which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person. Purchase College does not collect any personal information about you unless you provide that information voluntarily by sending an email, responding to a survey, or completing an online transaction.

Information Collected Automatically When You Visit this Website
When visiting this website, Purchase College automatically collects and stores the following information about your visit:

  1. User client hostname. The hostname or Internet Protocol address of the user requesting access to a Purchase College website.

  2. HTTP header, “user agent.” The user agent information includes the type of browser, its version, and the operating system on which the browser is running.

  3. HTTP header, “referrer.” The referrer specifies the Web page from which the user accessed the current Web page.

  4. System date. The date and time of the user’s request.

  5. Full request. The exact request the user made.

  6. The status code the server returned to the user.

  7. Content length. The content length, in bytes, of any document sent to the user.

  8. The request method used.

  9. Universal Resource Identifier (URI). The location of a resource on the server.

  10. Query string of the URI. Anything after the question mark in a URI.

  11. The transport protocol and the version used.

None of the foregoing information is deemed to constitute personal information. The information that is collected automatically is used to improve this website’s content and to help Purchase College understand how users are interacting with the website. This information is collected for statistical analysis, to determine what information is of most and least interest to our users, and to improve the utility of the material available on the website. The information is not collected for commercial marketing purposes, and Purchase College is not authorized to sell or otherwise disclose the information collected from the website for commercial marketing purposes. As a campus of the State University of New York, Purchase College does report application information to SUNY, and that information may include information collected through the Purchase College website.

Cookies
Cookies are simple text files stored on your web browser to provide a means of distinguishing among users of this website. The use of cookies is a standard practice among Internet websites.

To better serve you, we may use “session cookies” to enhance or customize your visit to this website. Session cookies can be created automatically on the device you use to access the Purchase College website, but do not contain personal information and do not compromise your privacy or security. We may use the cookie feature to store a randomly generated identifying tag on the device you use to access this website. A session cookie is erased during operation of your browser or when your browser is closed.

If you wish, you may complete a registration to personalize this website and permit a “persistent cookie” to be stored on your computer’s hard drive. This persistent cookie will allow the website to recognize you when you visit again and tailor the information presented to you based on your needs and interests. The Purchase College website uses persistent cookies only with your permission.

The software and hardware you use to access the website allows you to refuse new cookies or delete existing cookies. Refusing or deleting these cookies may limit your ability to take advantage of some features of this website.

Information Collected When You Email This Website or Complete a Transaction 
During your visit to this website, you may send an email to Purchase College. Your email address and the contents of your message will be collected. The information collected is not limited to text characters and may include audio, video, and graphic information formats included in the message. Your email address and the information included in your message will be used to respond to you, to address issues you identify, to improve this website, or to forward your message to another state agency for appropriate action. Your email address is not collected for commercial purposes and Purchase College is not authorized to sell or otherwise disclose your email address for commercial purposes.

During your visit to this website, you may complete a transaction such as a survey, registration, or order form. The information, including personal information, volunteered by you in completing the transaction is used by Purchase College to operate Purchase College programs, which include the provision of goods, services, and information. The information collected by Purchase College may be disclosed by Purchase College for those purposes that may be reasonably ascertained from the nature and terms of the transaction in which the information was submitted.

Purchase College does not knowingly collect personal information from children or create profiles of children through this website. Users are cautioned, however, that the collection of personal information submitted in an email will be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access. The Agency strongly encourages parents and teachers to be involved in children’s Internet activities and to provide guidance whenever children are asked to provide personal information online.

Information and Choice
As noted above, Purchase College does not collect any personal information about you unless you provide that information voluntarily by sending an email, responding to a survey, or completing an online form. You may choose not to send us an email, respond to a survey, or complete an online form. While your choice not to participate in these activities may limit your ability to receive specific services or products through this website, it will not normally have an impact on your ability to take advantage of other features of the website, including browsing or downloading information.

Disclosure of Information Collected Through This Website 
The collection of information through this website and the disclosure of that information are subject to the provisions of the Internet Security and Privacy Act. Purchase College will only collect personal information through this website or disclose personal information collected through this website if the user has consented to the collection or disclosure of such personal information. The voluntary disclosure of personal information to Purchase College by the user, whether solicited or unsolicited, constitutes consent to the collection and disclosure of the information by Purchase College for the purposes for which the user disclosed the information to Purchase College, as was reasonably ascertainable from the nature and terms of the disclosure.

However, Purchase College may collect or disclose personal information without consent if the collection or disclosure is: (1) necessary to perform the statutory duties of the Purchase College, or necessary for Purchase College to operate a program authorized by law, or authorized by state or federal statute or regulation; (2) made pursuant to a court order or by law; (3) for the purpose of validating the identity of the user; or (4) of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.

Further, the disclosure of information, including personal information, collected through this website is subject to the provisions of the Freedom of Information Law and the Personal Privacy Protection Law.

Purchase College may disclose personal information to federal or state law enforcement authorities to enforce its rights against unauthorized access or attempted unauthorized access to Purchase College’s information technology assets.

Retention of Information Collected Through this Website
The information collected through this website is retained by Purchase College in accordance with the records retention and disposition requirements of the New York State Arts & Cultural Affairs Law. See here for Information on the requirements of the Arts & Cultural Affairs Law.  In general, the Internet services logs of Purchase College, comprising electronic files or automated logs created to monitor access and use of services provided through this website, are retained for one week and then destroyed. Information, including personal information, that you submit in an email or when you complete a survey, registration form, or order form is retained in accordance with the records retention and disposition schedule established for the records of the program unit to which you submitted the information. Information concerning these records retention and disposition schedules may be obtained through the Internet privacy policy contact listed in this policy.

Access to and Correction of Personal Information Collected Through This Website
Any user may submit a request to the Purchase College privacy compliance officer to determine whether personal information pertaining to that user has been collected through this website. Any such request shall be made in writing and must be accompanied by reasonable proof of identity of the user. Reasonable proof of identity may include verification of a signature, inclusion of an identifier generally known only to the user, or similar appropriate identification. The address of the privacy compliance officer is:

Bill Junor
Campus Technology Services
Purchase College, SUNY
735 Anderson Hill Rd.
Purchase, NY 10577
bill.junor@purchase.edu

The privacy compliance officer shall, within five (5) business days of the receipt of a proper request, provide access to the personal information; deny access in writing, explaining the reasons therefore; or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not be more than thirty (30) days from the date of the acknowledgment.

In the event that Purchase College has collected personal information pertaining to a user through the website and that information is to be provided to the user pursuant to the user’s request, the privacy compliance officer shall inform the user of his or her right to request that the personal information be amended or corrected under the procedures set forth in section 95 of the Public Officers Law.

Confidentiality and Integrity of Personal Information Collected Through This Website

Purchase College is strongly committed to protecting personal information collected through this website against unauthorized access, use or disclosure. Consequently, Purchase College limits employee access to personal information collected through this website to only those employees who need access to the information in the performance of their official duties. Employees who have access to this information follow appropriate procedures in connection with any disclosures of personal information.

In addition, Purchase College has implemented procedures to safeguard the integrity of its information technology assets, including, but not limited to, authentication, monitoring, auditing, and encryption. These security procedures have been integrated into the design, implementation, and day-to-day operations of this website as part of our continuing commitment to the security of electronic content as well as the electronic transmission of information.

For website security purposes and to maintain the availability of the website for all users, the Agency may employ software to monitor traffic to identify unauthorized attempts to upload or change information or otherwise damage this website.

Disclaimer
The information provided in this privacy policy should not be construed as giving business, legal, or other advice, or warranting as fail proof, the security of information provided through this website.

External Internet Site Disclaimer
The Purchase College website may contain hyperlinks to other World Wide Web/Internet sites. These linked sites are created and maintained by other public and/or private organizations, and are in no way connected to, under the control of, or associated with Purchase College. Purchase College neither endorses nor maintains these linked sites, and is therefore not responsible in any way for any content, advertising, products, services, or information on or available from them. Because Purchase College has no control over linked sites’ content, it makes no guarantees, and accepts no liability, regarding it, including, but not limited to, its availability, accuracy, currency, content, quality, or lack of objectionable or offensive content. This disclaimer also applies to any other websites that those sites may link to.

External linked websites are not provided as a benefit to the linked party. Inclusion of the linked websites does not imply or constitute an endorsement or promotion by SUNY or Purchase College of any persons or organizations sponsoring the displayed websites.

If you decide to visit any linked site, you do so at your own risk and it is your responsibility to take all protective measures to guard against viruses or other destructive elements inherent on the internet.

Feedback
We continuously make improvements and enhancements to our accessibility features. Please let us know of any problems you may have encountered, or of any features that you have found particularly useful. 

You can contact the Helpdesk at:

For questions regarding this policy, please contact:

Bill Junor
Director of Campus Technology Services
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
bill.junor@purchase.edu

Information Sensitivity Policy

 

  • Purpose

The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Purchase College without proper authorization.

 

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).   All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect confidential information. The impact of these guidelines on daily activity should be minimal. Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the College’s Information Security Officer (ISO).

       

  • Scope

All Purchase College information is categorized into two main classifications:

  • Public Information

  • Confidential Information

 

Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any adverse consequences. As a public institution, the College publishes a wide range of information including enrollment statistics, strategic planning information, operational procedures, etc. As an educational institution, the College seeks open communication and participation from its community of students, faculty and employees, and the public we serve.

 

Confidential information contains all other information, and is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Confidential information should be protected closely, and includes various types of information:

  • All personally identifiable information on students, employees, or other individuals;

  • College information of a sensitive nature (vendor evaluations and selection processes; contingency plans; confidential meeting minutes, etc.) and other information integral to the success of the College should be considered “confidential” within common sense guidelines. This information is intended for use by College employees only, and for official business only. Following the principle of academic freedom and open communication, this information may be shared within the college community, but it should not be publicly available.

  • Also included in confidential information is other information that is less critical, such as telephone directories, general information, personnel information, enrollment strategies, targets, and statistics etc., which does not require as stringent a degree of protection. Inquiries regarding this information from outside the College should be directed to supervisors.

  • Another subset of confidential information is “Third Party Confidential” information. This is confidential information belonging or pertaining to another entity which has been entrusted to Purchase College by that company under non-disclosure agreements and other contracts. Examples of this type of information include vendor lists, customer lists, and supplier information. Information in this category ranges from extremely sensitive to relatively open, and again, common sense should apply, with referrals to supervisors if there is any doubt.

 

In all cases, Purchase College personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor.

      

  • Policy

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as information in each category may necessitate more or less stringent protection depending upon the circumstances and the nature of the confidential information in question.

        

  • Minimal Sensitivity: General College information; some personnel and technical information

 

Marking guidelines for information in hardcopy or electronic form: Marking is at the discretion of the owner or custodian of the information. If marking is desired, “Confidential” may be written or designated in a conspicuous place on or in the information in question. Even if no marking is present, College information is presumed to be “Confidential” unless expressly determined to be Public information by a Purchase College employee with authority to do so.

 

Access:  Purchase College employees, contractors, people with a business need to know.

Distribution within Purchase College:  Standard interoffice mail, College electronic mail and electronic file transmission methods.

Distribution outside of Purchase College internal mail:  U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.

Electronic distribution:  No restrictions except that it be sent to only approved recipients.

Storage:  Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.

Disposal/Destruction:  Deposit outdated paper information in specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

 

  • More Sensitive: Business, financial, technical, and most personnel information

 

Marking guidelines for information in hardcopy or electronic form: As the sensitivity level of the information increases, you may, in addition to or instead of marking the information “Confidential” or “Proprietary”, wish to label the information “Purchase College Internal Use Only” or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.

 

Access:  Purchase College employees and non-employees with signed non-disclosure agreements who have a business need to know.

Distribution within Purchase College:  Standard interoffice mail, College electronic mail and electronic file transmission methods.

Distribution outside of Purchase College internal mail:  Sent via U.S. mail or approved private carriers.

Electronic distribution:  No restrictions to approved recipients within Purchase College, but should be encrypted or sent via a private link to approved recipients outside of Purchase College premises.

Storage: Individual access controls are highly recommended for electronic information.

Disposal/Destruction:  In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

            

 

  • Most Sensitive: marketing, operational, personnel, financial, source code, & technical information integral to the success of the College

 

Marking guidelines for information in hardcopy or electronic form: To indicate that Purchase College Confidential information is very sensitive, you may label the information “Purchase College Internal: Registered and Restricted”, “Purchase College Eyes Only”, “Purchase College Confidential” or similar labels at the discretion of your individual business unit or department. Once again, this type of confidential information need not be marked, but users should be aware that this information is very sensitive and should be protected as such.

 

Access:  Only those individuals (Purchase College employees and non-employees) designated with approved access or non-disclosure agreements.

Distribution within Purchase College:  Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods.

Distribution outside of Purchase College internal mail:  Delivered direct; signature required; approved private carriers.

Electronic distribution:  No restrictions to approved recipients within Purchase College, but it is highly recommended that all information be strongly encrypted.

Storage:  Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored in a physically secured computer.

Disposal/Destruction:  Strongly Encouraged: In specially marked disposal bins on Purchase College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

 

  • Enforcement

Any employee found to have violated this policy might be subject to disciplinary action, up to and including termination of employment.

 

  • Terms and Definitions

 

Appropriate measures

To minimize risk to the College from an outside connection or individual. Purchase College computer use by unauthorized personnel must be restricted so that, in the event of an attempt to access Purchase College corporate information, the amount of information at risk is minimized.

 

Configuration of Purchase College-to-other business connections

Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.

           

Delivered Direct; Signature Required

Do not leave in interoffice mail slot; call the mail room for special pick-up of mail.

           

Approved Electronic File Transmission Methods

Includes supported FTP clients and Web browsers.

           

Envelopes Stamped Confidential

You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and mark it confidential.

           

Approved Electronic Mail

Includes the campus mail system supported by CIS only. If you have a business need to use other mail services, contact the appropriate support organization.

           

Approved Encrypted email and files

Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms.

           

Purchase College Information System Resources

Purchase College Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.

           

Expunge

To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, such as that supplied as a part of Norton Utilities. Otherwise, the PC or Mac’s normal erasure routine keeps the data intact until overwritten.

            

Individual Access Controls

Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner.

 

Insecure Internet Links

Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of Purchase College.

           

Physical Security

Paper Information: Sensitive information should be secured in locking fireproof cabinets, locked cabinets, or locked and alarmed offices depending on the nature of the information. Visitors should be escorted when in areas containing confidential information. Confidential information should not be left unattended or in plain sight in publicly accessible areas. Confidential information that is outdated or no longer needed, and for which retention schedules have expired should be stored in appropriately marked containers until shredded.

 

Electronic information: Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.

                       

Identity Verification:

Individuals or organizations requesting confidential information should be challenged to provide appropriate credentials and their identity verified before releasing confidential information to them. 

 

Known Desktop Applications (AppLocker) Policy

AppLocker Policy

Overview

AppLocker is a Microsoft technology that allows administrators to control which applications are allowed to run in order to prevent the launching or installation of malicious software.

Policy

AppLocker will be used to secure college-managed computers that have a supported version of the Windows Operating System. AppLocker rules will be configured to block malware and allow applications required for academic and business purposes. A best effort will be made to allow other applications requested by users if the application does not pose a security risk and if a rule to allow it can be configured in a secure manner.

Procedures

If you receive the message “Your system administrator has blocked you from running this program”, it is most likely because the application does not match an AppLocker rule that would allow it to run. If you receive the message, please open a work order or call the helpdesk to let us know.

If you do not recognize the program name and location, your computer could have malicious software or it could simply be a benign application, like an auto-updater, trying to run.

If the application is something you are trying to open and want, please provide us some details so we can determine if we can create a rule to allow it. Basic information like the name of the software, its purpose, why you need it, and any other information you believe to be relevant is enough to begin a review.

Considerations

Applications that run from standard locations, like the Program Files or Windows directories, are automatically permitted to run, so do not require any special permissions. However, applications that run from any location within a user directory need to have a rule created to allow them to run (e.g. C:\Users\first.last\AppData\). Most publishers now sign their applications with a digital certificate that can be used to verify that the software comes from a legitimate developer. Signed applications that are not malicious can usually be granted permission to run. However, some developers do not sign their applications. If an application is unsigned and its executables reside within a user-writable directory, it might not be possible to securely configure a rule to allow it, so a request to allow it may have to be denied.
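One way a technician might triage such a request before writing a rule, shown as an added example (not the College's own procedure or tooling). The sample path and output file name are hypothetical, and the comment about hash rules is an assumption rather than something this policy states.

```powershell
# Added example: triage a blocked program before requesting an AppLocker rule.
# $Path and $OutFile are hypothetical placeholders; use the path from the work order.
param(
    [string]$Path    = 'C:\Users\first.last\AppData\Local\ExampleApp\example.exe',
    [string]$OutFile = '.\proposed-rule.xml'
)

# 1. List recent blocks. Event ID 8004 in this log records an EXE or DLL
#    that AppLocker prevented from running.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# 2. Check whether the file carries a valid Authenticode signature and
#    collect the publisher information AppLocker would use in a rule.
$sig  = Get-AuthenticodeSignature -FilePath $Path
$info = Get-AppLockerFileInformation -Path $Path

# 3. Note whether the file lives under a user profile (user-writable).
$inUserDir = $Path -like "$env:SystemDrive\Users\*"

if ($sig.Status -eq 'Valid' -and $info.Publisher) {
    # Signed by a trusted publisher: propose a publisher rule, which stays
    # tied to the signer rather than to a user-writable location.
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml |
        Out-File -FilePath $OutFile

    # Confirm the proposed rule would allow this file before review.
    Test-AppLockerPolicy -XmlPolicy $OutFile -Path $Path -User Everyone
}
elseif ($inUserDir) {
    # Unsigned and user-writable: a path rule here would let anything the
    # user drops in that folder run, so the request is escalated for review.
    # Assumption: a hash rule (-RuleType Hash) could pin this exact file,
    # but it would need replacing after every update.
    Write-Warning "Unsigned file in a user-writable directory: $Path (signature status: $($sig.Status))"
}
else {
    Write-Warning "No valid signature on $Path (signature status: $($sig.Status)); review manually."
}
```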

Legal Proceeding Preparation (E-Discovery) Policy

 

  I. Purpose

 

Purchase College has always been responsible for complying with various information demands made upon it by the public, oversight agencies, and the courts.  Such demands may arise in the context of litigation, administrative proceedings, audits, investigations, and Freedom of Information Law requests.  With the proliferation of electronic information storage capabilities and systems, the task of compliance with the requests has become ever more complicated and challenging.  The purpose of this Policy is to provide guidance and directives to aid various University constituencies and officers in their efforts to comply with those “e-discovery” responsibilities and demands. 

 

  II. Summary

 

Custodians must understand the basic operations of electronic storage systems and programs and must manage records and ESI according to applicable laws, regulations, policies, retention schedules, and best practices.  This includes the duty to notify Counsel of potential Triggering Events. 

The SUNY Office of General Counsel will make the ultimate determination of what constitutes a ‘Triggering Event’ and after such determination is made, will order Legal Holds accordingly.  Counsel will also direct the production of ESI, if necessary.    

Key Persons must cooperate with Counsel to identify, preserve, maintain, and produce ESI that is subject to a Legal Hold issued by the General Counsel’s Office.  

 

III.       Definitions

 

“E-Discovery” is a shorthand term for the process of preserving and exchanging electronically-stored information (ESI) in the context of modern litigation or other legal processes.

 

A “Legal Hold” is a process by which the Office of General Counsel (“OGC”) directs the preservation of certain records, information, and data, for the purpose of complying with an information request or other legal obligation. 

 

“Counsel” means any member of the University’s Office of General Counsel.

 

A “Custodian” is any officer, employee, or agent of the University that possesses, controls, or maintains any record, information, or data of the University.

 

A “Key Person” is any officer, employee, or agent of the University that possesses, controls, or maintains any record, information, or data that is subject to a Legal Hold.  A Key Person may also be someone who is in a position of leadership over a subject program or department (HR, Student Affairs, Facilities, etc.), or someone who has been designated as a campus liaison to Counsel.

 

“IT Personnel” means the Chief Information Officer of any campus or the designee thereof.

 

A “Triggering Event” is any event or set of circumstances that cause Counsel to reasonably anticipate litigation or another legal process which could give rise to a preservation obligation.  Factors to consider in determining whether a Triggering Event has occurred include:

  1. Likelihood of litigation or other legal processes;

  2. History of the institution;

  3. Location, durability, and control of potential ESI;

  4. Media coverage;

  5. Seriousness or magnitude of potential legal action;

  6. Relative burdens and costs of preservation effort;

  7. Common sense and professional judgment. 

 

A “Legal Preservation Notice” or “LPN” is a set of written instructions sent from Counsel to Key Persons.  An LPN may be issued electronically; however, it should include an appropriate acknowledgment.  At a minimum, an LPN should include information related to:

  1. The nature of the event giving rise to the Legal Hold;

  2. The ESI or other records that are subject to the Legal Hold;

  3. A brief recitation of the legal obligations related to Legal Holds in general;

  4. Instructions for preserving the relevant ESI (including any transfer instructions);

  5. Contact information for both legal and IT advice.

 

“Electronically Stored Information” or “ESI” means any information, record, document, file or data stored on any University program, system, device, or server of any kind.  ESI can also reside on the personal devices and in the personal accounts of university officers, employees, and agents if such devices and accounts are used for conducting University business.  ESI may include documents, audio recordings, videotape, e-mail, instant messages, word processing documents, spreadsheets, databases, calendars, telephone logs, contact information, Internet usage files, metadata, and all other electronic information created, received, and/or maintained on computer systems.

  

 

  IV. Specific Duties

 

Counsel

 

  1. Be familiar with campus ESI systems, including e-mail, word processing, spreadsheets and databases, student information, backup and archival systems, and websites.

 

  1. Issue Legal Hold upon the occurrence of the following events:

    1. Receipt of EEOC Complaint;

    2. Receipt of SDHR Complaint;

    3. Receipt of OCR Complaint;

    4. Receipt of NOI, Claim or Summons and Complaint;

    5. Catastrophic events involving injury to persons or property.

 

  1. Consider issuing a Legal Hold upon the occurrence of any event giving rise to a reasonable anticipation of litigation or another legal process for which ESI may be relevant. Such events may include:

    1. Initiation of investigation by state or federal law enforcement;

    2. Initiation of investigation by Inspector General;

    3. Receipt of Attorney Demand Letter;

    4. Injury to persons or property;

    5. Major employment actions, such as tenure denial or the filing of a disciplinary grievance;

    6. Major contract actions, such as breach or early termination;

    7. Major student actions, such as dismissal or interim suspension;

    8. Receipt of FOIL request;

    9. Audit engagement;

    10. Receipt of a subpoena.

 

  1. Once it is determined that a Triggering Event has occurred, work with applicable campus leadership to identify Key Persons.

 

  1. Describe litigation facts and issues sufficiently to aid in identification of relevant documents or information. This may include determination on an on-going basis of appropriate search terms or key words for use in search tools/software.

 

  1. Identify a retrospective time period for Legal Hold.

 

  1. Define scope/types of ESI for recipients of LPN. This determination should be based, in part, on reasonable proportionality determinations.  The more likely or serious the potential case or action, the more extensive the Legal Hold should be. 

 

  1. Work with IT Personnel to determine appropriate method for preserving ESI.

 

  1. Issue instructions with respect to future communications (i.e. limit use of e-mail; save relevant emails in particular folder).

 

  1. Monitor compliance with LPN.

 

  1. Issue periodic reminders that LH is still in effect.

 

  1. Set review parameters and participate in ESI review process to the extent necessary to ensure appropriate determinations are made regarding relevance, privilege, and other factors.

 

  1. Manage any necessary production in consultation with IT Personnel, Records Management Officers, the Attorney General, and other appropriate parties.

 

Custodians/Key People

 

  1. Understand the basic operations of electronic storage systems and programs.

 

  1. Manage records and ESI according to applicable laws, regulations, policies, retention schedules, and best practices. This includes limiting the amount of ESI that is stored on systems and devices under your control that does not have a legal, operational, or historical value to the University.

 

  1. Notify counsel of threats of legal action and other potential Triggering Events.

 

  1. If you are a “Key Person” and receive an LPN, you have a duty to preserve relevant information (define relevant, define types of information/ESI), no matter where it may be located (e.g., home computer, personal phone).

 

  1. You must provide counsel with information on the sources, locations, nature of relevant ESI, and other records in your possession or control.

 

  1. You must not delete, destroy, purge, overwrite, or otherwise modify existing relevant ESI (or newly created relevant ESI) even if it is a duplicate, draft or “personal”.

 

  1. You must give access to relevant information in order that it can be preserved and retrieved if needed.

 

IT Personnel

 

  1. Educate Counsel and Custodians on basic operations of systems, devices, and programs under their control.

 

  1. Monitor use of IT systems to ensure Custodians comply with applicable policies, including those related to records management.

 

  1. Contract and work with capable, responsible vendors. This may include vendors responsible for e-discovery services.

 

  1. Cooperate with Counsel in identifying ESI sources.

 

  1. Work with Counsel and Key Persons to implement Legal Holds. This may include having direct responsibility over ESI collection and preservation activities, pursuant to the direction of Counsel. 

 

  1. When you receive an LPN, take steps to preserve relevant ESI (define types); be aware of names, locations of Key Persons.

 

  1. Work with Key Persons to ensure preservation of new relevant data, if any.

 

  1. Be prepared to help Counsel review, produce and explain relevant ESI during any related legal proceedings.

 

  V. Other Policy Determinations

 

  1. All electronic storage systems, devices, and programs purchased or used by the University should be capable of meeting the obligations described herein. At the least, this generally means that they should be capable of long-term retention of ESI.  It is considered preferable if such systems, devices, and programs also allow for the easy searching and sorting of ESI.

 

  1. Failure by any party to follow this policy may result in discipline and expose him or her to legal sanctions.

 

  1. All officers, employees, and agents of the University should familiarize themselves with potential Triggering Events and communicate the occurrence of such events to Counsel through appropriate channels.

 

  1. The exact scope, parameters, and features of a Legal Hold should be custom fit to the circumstances of the Triggering Event and proportional to the risk presented.

 

  1. Campus policies should allow for administrative access and control of all University systems, programs, and devices. These policies should make clear to all employees that they have no privacy interest in University records and ESI, regardless of where it is stored.

 

  1. All University officers should endeavor to document the steps they take pursuant to this policy and provide such documentation to Counsel.

 

  1. Campuses must make compliance with this policy a priority and provide adequate resources to ensure that compliance is readily achievable.

 

  1. OGC will provide routine guidance to University leadership and constituencies.

 

  1. The University will at all times strive to coordinate its efforts with applicable vendors, unions, and the Attorney General’s Office to meet its E-Discovery obligations.

 

  1. Custodians should work to eliminate multiple copies/drafts of records and other documents, and delete unnecessary email on a routine basis. ESI that does not have a legal, operational, or historical value to the University should not be retained and stored on University systems.

 

  1. Backup systems at University campuses should generally be used for the purpose of disaster recovery only. Time frames, or cycles of such systems, should be gauged accordingly.

 

  1. The Records Management Officer on each campus shall be charged with ensuring compliance with this policy, unless the President makes another designation.

 

  1. Each campus should consider creating policies to supplement this in order to better fit its local environment and organizational structure.

 

  1. Supervisors and IT Personnel are jointly responsible for managing records and ESI that are associated with a separated employee in accordance with University policies and procedures.

 

Other Related Information

 

SUNY Policy 6609 – Records Retention and Disposition http://www.suny.edu/sunypp/documents.cfm?doc_id=650

 

SUNY Policy 6608 – Information Security Guidelines http://www.suny.edu/sunypp/documents.cfm?doc_id=583

 

Forms

 

Legal Preservation Notice

 

Questionnaire/Interview Outline to Prepare for E-Discovery 

 

Authority

 

NY Education Law § 353 http://codes.lp.findlaw.com/nycode/EDN/I/8/353

 

Appendices

 

Introduction to the SUNY Records Retention and Disposition Schedule http://www.suny.edu/compliance/topics/recordsretention/intro%20button.jpg

 

From:              Counsel

To:                  Campus / IT Personnel

Subject:          Notice to Preserve Information Related to [Case] – A/C Privilege

______________________________________________________________________________

 

Dear [Campus / IT Personnel],

 

Please forward the following message to [known Key Persons] and anyone else that might have information regarding the recent [describe Triggering Event]:

 

“You are receiving this message because a [litigation/investigation/audit] involving a [campus name] program is anticipated and the College has determined that you are likely to be in possession of data, documents, or information that may become part of the College’s response to this [litigation/investigation/audit].  [Campus] has an urgent legal obligation to preserve this information.

 

You are required to take all reasonable steps to identify and preserve any and all emails, hard copy files, electronically-stored information or other records in your possession that relate to [Triggering Event].  Relevant information may be in paper files, on campus IT systems, hand held devices, removable media such as CDs or flash drives, laptop computers, back-up tapes, personal computers (if SUNY business was conducted utilizing a personal or home computer), or any other storage medium.

 

Immediately halt all deletion efforts including routine destruction and deletion or modification of such information, documents or evidence.  You must maintain this information, as well as any new information/evidence (hard copy or electronic) created after receipt of this message, in the form in which it now exists.  Please contact [IT Personnel] if you need help collecting or preserving information responsive to this request.

 

If you identify and preserve any documents or other materials identified as a result of this communication, please contact [Counsel] and inform him/her that you are in possession of such materials.  Further instructions will be forthcoming once the scope of the [litigation/investigation/audit] becomes more apparent.  

 

As this obligation is continuing, you must also save any new information/evidence that you create or receive until the Office of General Counsel notifies you we are no longer under a duty to preserve it.  However, future communications involving this matter should be limited to formal discussions involving [Counsel].

 

Please confirm by return email that you have received this communication and are in the process of complying with the directives herein.  Any questions regarding this matter should be directed to [Counsel].  Thank you for your cooperation.”

 

QUESTIONNAIRE/INTERVIEW OUTLINE TO PREPARE FOR E-DISCOVERY

 

 

OVERVIEW OF COMPUTING ENVIRONMENT

            Types of computers:  How many and how are they used?

                       IT-managed computers:  

                                   Centralized mainframes and mid-range processors

                                   IT-managed servers

                                              Application servers   

                                              Email servers

                                              File servers

                       Departmental servers: How many, what uses, relationship to IT?

                       Desktop computers

                       Mobile computers (including sub-computing devices)

                       Hosted services

                       Other

            Storage devices and media:  What policies and practices govern their use?

                       Hard drives

                                   Network drives:  How many and what uses?

                                   Local hard drives

                       Removable media

                                   Magnetic tapes (other than backup tapes)

                                   CD / DVD drives

                                   Other: flash drives, etc

            Backup practices

                       Backup schedule for incremental and full backups

                       Backup media: magnetic tapes and other

                       Number of backup copies produced

                       Storage locations for backup media:  onsite and offsite

                       Retention / recycling practices for backup media

                       Organization and accessibility of backup tapes

                       Is real-time backup in use or planned?

 

DATABASE APPLICATIONS

                       Survey of databases likely to be relevant for e-discovery

                                   Purpose: business functions that database supports

                                   Software that creates and maintains database

                                              Current status

                                              Plans for upgrading / replacement

                                   Computer system on which software operates

                                   Database retention policy

                                   Archiving practices for older database records

                       Legacy database applications: current status and usability

 

EMAIL

            Type of email software in use

            Number and location of email servers

            Number and types of email users

            Retention practices for email

                       Limitations on mailbox size

                       Automatic deletion after a specified time

            Transfer of email to other files:  Is it permitted and/or encouraged?

            Backup practices for email (if different from general backup practices)

                       Backup schedule: incremental and full

                       Storage locations for backup media

                       Accessibility of backup media

            Use of non-SUNY email for SUNY business

 

FILESHARES:  DEPARTMENTAL AND OTHER

                       Network storage locations

                       Retention practices

                       Backup practices

 

 

 

 

 

         STATE UNIVERSITY of NEW YORK

 RECORDS RETENTION & DISPOSITION SCHEDULE

 

INTRODUCTION

 

  1. PURPOSE

 

This new State University of New York (University) Records Retention and Disposition Schedule (RR&D Schedule) indicates the minimum length of time that campus and University officials must retain the records covered by this schedule before the records may be disposed of legally. Schedule items have been reviewed by the NYS Offices of the Attorney General and State Comptroller and approved by the New York State Archives for use by the University, pursuant to provisions of Sect. 57.05, Arts and Cultural Affairs Law and 8 NYCRR Part 188. This new RR&D Schedule replaces and supersedes the 1977 Records Retention and Disposition Schedule formerly issued by the University. It also replaces and supersedes any other retention authorizations and guidance that campus and University officials may have adopted for specific records. It must be noted that the University also follows the New York State Archives’ General Retention and Disposition Schedule for New York State Government Records (State Schedule) to the extent that a category of records is not covered by the University’s own retention schedule. University and campus officials should determine first if there is a specific record category applicable from the RR&D Schedule. That schedule will supersede retention periods for similar items in the State Schedule. Records not covered by the RR&D Schedule will be governed by the State Schedule.

 

All University records must be retained in accordance with the retention periods and guidelines specified in this new RR&D Schedule and in any related policies, procedures, guidelines, or directives that the University has issued or may issue in the future. See Section 5 of this Introduction for suggestions regarding the disposition of records that no longer need to be retained.

 

The purposes of this new RR&D Schedule are to:

  • ensure that records are retained as long as needed for administrative, legal, and fiscal purposes;

  • ensure that state and federal records retention requirements are met;

  • ensure that records with enduring historical and other research value are identified and retained permanently; and

  • encourage and facilitate the systematic disposal of unneeded records.

 

  2. RECORDS MANAGEMENT OFFICER AT THE STATE UNIVERSITY OF NEW YORK

Pursuant to NYS Arts and Cultural Affairs Law §57 (Divisions of History and Public Records) and 8 NYCRR §188 (State Government Archives and Records Management), the University has designated a University Records Management Officer to coordinate the proper retention and disposition of records throughout University campuses and at the System Administration Office. It is suggested that each campus also designate a records management officer.

All inquiries about records management should be referred to the University Records Management Officer (518-320-1311) and, whenever necessary, the Office of University Counsel & Vice Chancellor for Legal Affairs for resolution. The University Records Management Officer and the Office of University Counsel & Vice Chancellor for Legal Affairs will also be responsible for referring, whenever necessary or appropriate, any questions on records management issues to the State Archives.

 

  3. HOW TO USE THE RR&D SCHEDULE

 

3.1 Interpreting the RR&D Schedule Items

 

Many of the items on this RR&D Schedule are broad and describe the purpose or function of records rather than identifying individual documents and forms.

 

Specific items are listed in sixteen (16) tables with functional headings (e.g., Academic Affairs, Athletics, Student Accounts) which are arranged alphabetically.  Using the Subject Index at the end of the RR&D Schedule, campus and University officials should match the records in their offices with the descriptions on the RR&D Schedule to determine the appropriate retention periods. Records whose content and function are substantially the same as an item described on the RR&D Schedule should be considered to be covered by that item. Campus and University officials should check with the University Records Management Officer when they are uncertain regarding coverage of a function.

 

In situations where campus and University officials have combined related types of records covered by different items on the RR&D Schedule into a single file, it may be impractical to separately apply the retention periods of the various applicable RR&D Schedule items to the individual records in the file. In such situations, officials may find it more convenient to dispose of the entire set of records by using the applicable retention item with the longest retention period.

 

Retention periods on the RR&D Schedule apply to one “official” copy designated by the campus or the University, regardless of physical form or characteristic (paper, microfilm, computer disk or tape, or other medium), unless otherwise stated. No matter what the medium, campus and University officials must ensure that the information will be retained for the specified retention period.  The time identified as the minimum retention period begins with the creation of the record, unless otherwise specified.  When original records are migrated to different media, unless pre-approved in the RR&D Schedule, approval of the State Archives is needed to destroy the original records prior to the expiration of the assigned retention period even when the new media versions will be retained for that period. 

 

3.2 Records Disposition Authorization (RDA) Number

 

In addition to the consecutive numbering of items within each section of the RR&D Schedule, each item is assigned a Records Disposition Authorization (RDA) number by the State Archives.  The Subject Index at the end of the RR&D Schedule refers to items by their RDA numbers.

 

  4. SPECIAL SITUATIONS

 

4.1 Legal Actions

 

Some records may be needed for use in legal actions involving a campus and/or the University. Records that are identified in or relevant to such actions must be retained for the entire period of the action, including any appeals, or the period for making an appeal, plus an additional year, even if their retention period has expired. Prior to disposing of records related to or retained for a legal action, campus and University officials should consult with the University Records Management Officer, who will work with the Office of University Counsel & Vice Chancellor for Legal Affairs to verify that no new legal actions or appeals have been initiated that would require longer retention of the records.

 

4.2 Electronic Records

 

While items on the RR&D Schedule for the most part cover records regardless of the physical form in which they are maintained, they do not cover all records relevant to the operation of electronic information systems.  For guidance on the disposition of records of the design, development and operation of IT systems, refer to the Information Technology section of the State Archives’ General Retention and Disposition Schedule for New York State Government Records. Contact the University Records Management Officer if you have any questions or problems or if you need additional information on the disposition of electronic records.

 

Generally, records transmitted through e-mail systems have the same retention periods as records in other formats that are related to the same function or activity. E-mail records should be scheduled for disposition in conjunction with any other records related to that function or activity. Campus and University officials may delete, purge, or destroy e-mail records if the records have been retained for the minimum retention period established in the RR&D Schedule and are not being retained for a legal action or otherwise subject to a litigation hold or for an audit. Transitory messages may be destroyed when no longer needed.  For further guidance on the disposition of e-mail messages and attachments, see item 90369 in the State Archives’ General Retention and Disposition Schedule for New York State Government Records. Contact the University Records Management Officer for additional information.

 

4.3 Drafts and Personal Working Papers

 

When drafts are created in the preparation of University records, the final version is considered the official copy for retention purposes.  Temporary drafts that were not reviewed, circulated or used to make decisions may be discarded when no longer needed.  This should be done at the earliest opportunity following approval of the final version.  This policy applies to drafts in all forms, including word processing files, spreadsheet files, and other computer files.

 

Personal working papers, including notes, may be developed during the transaction of University business or during the preparation of University records. Most personal working papers, such as notes taken at a meeting or annotations on a draft record that is ultimately superseded by a final version, have no legal, operational, or research value that warrants retaining them beyond their moment of immediate usefulness. These records should be discarded at the earliest opportunity, generally within one (1) year after the purpose for which they were created has been fulfilled. This policy applies to personal working papers in all formats, including word processing files, spreadsheet files, and other computer files.

 

4.4 Additional Retention Requirement for Licensed Health Professionals Other Than Physicians

 

The State Education Department’s Office of the Professions oversees the professional conduct of licensed health professionals other than physicians (e.g., athletic trainers, nurses and mental health practitioners, etc.). Paragraph 3 of subdivision a of 8 NYCRR §29.2 (Regulations of the Commissioner of Education) states that “unprofessional conduct” includes “failing to maintain records for each patient which accurately reflects the evaluation and treatment of the patient” and that, unless otherwise provided by law, records of minor patients must be retained for at least six years, and until one year after the patient reaches the age of 21 years.

 

Some health-related items on the RR&D Schedule contain minimum legal retention periods that permit disposition of records after a minor attains age 21. In these instances, certain records pertaining to minors must also be retained for an additional year if the records are subject to the Section 29.2 requirements for health professionals other than physicians, if these professionals are employed by or associated with a campus or the University. For additional information on this situation, contact the University Records Management Officer.

 

4.5 Audits

 

Program and fiscal audits and other needs of state and federal agencies are taken into account when retention periods are established in the RR&D Schedule. However, in some instances agencies with audit responsibility and authority may formally request that certain records be kept beyond the retention periods. If such a request is made, these records must be retained beyond the retention periods until the campus or the University receives the audit report or until the need is satisfied.

 

4.6 Archival Records

 

Archival records are records that campuses and the University must keep permanently to meet their fiscal, legal, or administrative needs or that campuses and the University retain because they contain historically significant information. Records do not have to be old to be archival; campus and University officials create and use archival records daily in their offices. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains.

 

When the State Archives has determined that a record item has enduring historical or other research significance, the item has been given a permanent designation on the RR&D Schedule. However, the State Archives cannot identify all record items with historical or research significance. Knowledge of people, places, or events in each campus community and the unique circumstances of each campus will determine which records are significant. Campus and University officials will need to appraise records with non-permanent retention periods for potential research or historical value before destroying them.

 

The usefulness of archival records depends on the ability of the campuses and the University to preserve them, retrieve the information they contain, and make that information available to researchers.

 

4.7 Appraising Records for Historical or Research Significance

 

A campus or University record has historical or other research importance if it provides significant evidence of how the campus or University functions and/or if it provides significant information about people, places, or events that involve the campus or the University. Since each campus community has its own unique history, the importance or value of a record item may vary from campus to campus.

 

Campus and University records may contain a tremendous amount of information about the people, buildings, and sites in the campus or University community, as well as important time periods or significant events that affected the people associated with the campus or the University. This information can be very valuable to staff, researchers, and the public, but only if the information itself is significant. The significance of the records will depend on:

 

  • When the records were created. Records created during a time of momentous change, which are scarce, or which cover a long period of time tend to be more significant.

  • What kind of information the records contain. Records that contain more in-depth information are more likely to have enduring value.

  • Who created the records. Records that reflect an employee’s perspective or individual point of view may be more significant.

  • What other records exist. If the information in the records exists in other records within a campus or the University or elsewhere, then the records are less likely to be significant.

  • The unique history of the campus or the University. Records created during important time periods or events can provide clues to how the events affected the development of the campus or the University and the community it serves.

4.8 Records Not Listed on the RR&D Schedule and Non-Existent Records

 

The RR&D Schedule covers the majority of all records of the campuses and the University. For any record not listed, the custodian of the records should contact the University Records Management Officer, who will then contact the Office of University Counsel & Vice Chancellor for Legal Affairs for assistance. If the record is not covered by an item on the RR&D Schedule or an applicable item on the State Schedule, it must be retained until a revised edition of or addendum to the RR&D Schedule is issued containing an item covering the record in question and providing a minimum legal retention period for it.

 

Conversely, the State Archives has no legal authority to require a campus or the University to create records where no records exist, even if the records in question are listed on the RR&D Schedule. Although there may be laws, regulations, or other requirements that certain records must be created, the mere fact that a particular record is identified on the RR&D Schedule should not be interpreted as a requirement that the record must be created.

 

4.9 Public Access to Records/Confidentiality

 

The RR&D Schedule does not address the issue of public access to records. Access issues are covered by the Freedom of Information Law (NYS Public Officers Law §§84–90), Personal Privacy Protection Law (NYS Public Officers Law §§91–99) and Access to Personal Information Maintained by State University of New York (8 NYCRR §315), as well as by the federal Family Educational Rights and Privacy Act (FERPA). Campus and University officials should consult with their Records Access Officer on questions related to public access to records.

 

Records on the RR&D Schedule may or may not be confidential, depending on what information they contain and on the possible effect of disclosure of that information. In approaching issues of confidentiality and access, it may be helpful to consider the following:

 

  • What was the purpose for which the records were created?

  • What information do they contain? What subjects are covered?

  • How are the records used?

  • How do they relate to other records that may have similar information?

  • What would be the likely effect of disclosure of the information in the records?

Campus and University officials should consult their Records Access Officer with questions related to public access to records that may contain confidential information.

 

4.10 Migration of Records to Different Media, i.e., digitizing of records

 

The majority of the tables within the RR&D Schedule have been pre-approved for migration of original paper records into electronic formats. This means that once paper records are scanned and reformatted as electronic records, the original paper records may be destroyed even if the assigned retention period has not expired. The new electronic records must be retained for the remainder of the applicable retention period. The University was given authorization for migration of paper records into electronic formats under the following conditions:

 

(1) the images will accurately and completely reproduce all the information in the records being imaged;

(2) the imaged records will not be rendered unusable due to changing or proprietary technology before their retention and preservation requirements are met;

(3) the imaging system will not permit additions, deletions, or changes to the images without leaving a record of such additions, deletions, or changes; and

(4) designees of the State University of New York will be able to authenticate the imaged records by competent testimony or affidavit which shall include the manner or method by which tampering or degradation of the reproduction is prevented.

 

Accordingly, campuses planning to replace original records with electronic or imaged copies for retention purposes must ensure that all conditions listed above are met and that a campus official will be able to attest to the manner in which replacement of records occurred to fulfill these conditions.

 

Before undertaking any replacement of paper records as described above, the campus records management officer should determine if pre-approval exists for the category of records involved and if not, must seek specific approval from the State Archives, through the University Records Management Officer. 

 

  1. SUGGESTIONS FOR RECORDS DISPOSITION

 

Records without historical value must be disposed of continually as they meet their stated minimum retention periods. The advantages of a program for systematic, legal disposal of obsolete records are that it:

 

  • Demonstrates routine, good faith operation of the records retention system;

 

  • Ensures that records are retained as long as they are actually needed for administrative, fiscal, legal, or research purposes;

  • Ensures that records are promptly disposed of after they are no longer needed;

  • Frees storage space and equipment for important records and for new records as they are created;

  • Eliminates time and effort required to service and sort through superfluous records to find needed information;

  • Eliminates the potential fire hazard from storage of large quantities of valueless records; and

  • Facilitates the identification and preservation of archival records.

Suggestions for systematically approaching the disposition process include the following:

 

  • Disposition should be carried out regularly, at least once a year. It should not be deferred until records become a pressing storage problem.

  • Since State law does not prescribe the physical means of destruction of most records, records may be destroyed in any way prescribed by the University Records Management Officer. Disposition through consignment to a paper recycling plant is often the best choice as it helps conserve natural resources and may also yield revenue for the campus or the University. For records containing confidential information (e.g., Social Security numbers, credit card numbers, personnel evaluations, salary levels), disposition should be carried out in a way that ensures that the confidentiality of individuals named in the records is protected.

 

  • A record should be kept of the identity, inclusive dates, and approximate quantity of records that are disposed. Sample disposition forms designed by the State Archives are available from the University Records Management Officer.

The official who carries out disposition at your campus will describe what has been done to dispose of records during the year in an annual report to the University Records Management Officer.

 

  1. REMINDERS

 

  • No records may be disposed of unless they are listed on the RR&D Schedule, or their disposition is covered by the State Schedule or other state laws.

  • Records are listed in sections with a functional heading. You should use the Subject Index at the end of the RR&D Schedule to match the records in your office with the description on the RR&D Schedule to determine the appropriate retention period. You should check with your Records Management Officer if you are uncertain regarding coverage of a function.

  • Records being used in legal actions or otherwise subject to a litigation hold must be retained for one year after the legal action (and any appeals period) ends, or until their scheduled retention period has expired, whichever is longer. Consult the Office of University Counsel & Vice Chancellor for Legal Affairs before disposing of any such records.

  • Any record listed on the RR&D Schedule for which a Freedom of Information (FOIL) request has been received should not be destroyed until that request has been answered and until any potential appeal is made and resolved, even if the scheduled retention period of the record has expired.

  • Records being kept beyond the established retention periods for audit and other purposes at the request of state or federal agencies must be retained until the campus or the University receives the audit report, or the need is satisfied.

  • Retention periods on the RR&D Schedule apply to one “official” copy designated by the campus or the University, unless otherwise stated.

  • The minimum retention period begins with the creation of the record, unless otherwise specified.

  • The retention periods listed on the RR&D Schedule pertain to the information contained in records, regardless of physical form or characteristic (paper, microfilm, computer disk or tape, or other medium).

  • Duplicate copies of records prepared for administrative convenience, including copies maintained in different media (paper, electronic, etc.) may be disposed of at any time, except where retention is specified elsewhere on the RR&D Schedule. When original records are migrated to different media, unless pre-approved in the RR&D Schedule, approval of the State Archives is needed to destroy the original records prior to the expiration of the assigned retention period even when the new media versions will be retained for that period. There is no requirement for campuses or the University to create records where no records exist, even if the records in question are listed on the RR&D Schedule.

  • The RR&D Schedule cannot identify all record items with historical significance for individual campuses or the University. Campus and University officials will need to appraise records with non-permanent retention periods for potential research or historical value before destroying them.

  • Certain records may need to be retained for one year longer than the RR&D Schedule dictates if those records are subject to the requirements stated in 8 NYCRR §29.2 for health professionals other than physicians, if these professionals are employed by or associated with a campus or the University.

  • The RR&D Schedule does not address confidentiality of records. Confidentiality of records is often dependent upon what information they contain. Campus and University officials should address such questions to the Office of University Counsel & Vice Chancellor for Legal Affairs.

 

 

 

 

 

 

Mailbox Management Policy

Mail Management Policy

Purchase College provides a standard 1 gigabyte storage allocation for faculty and staff mailboxes. That 1GB of space is enough to store thousands of messages – unless those messages contain unnecessary bloated attachments.

We can and do provide additional mailbox space - in smaller increments - but there are a lot of visible and hidden costs for runaway mailbox space needs, and we depend on faculty and staff to have some discipline in managing their storage space.

No matter how much space we provide, anyone who doesn’t practice basic organizational discipline and basic mailbox discipline will very quickly outrun their allocation. Anyone who says they have to spend “a tremendous amount of time” managing their files or their mailbox is doing something wrong.

Everyone practices some level of basic organizational discipline – related files go into project folders – or whatever suits their needs. Given that practice, managing mailbox space use should take no more than 5 or 10 minutes per week – at most – and is a simple process.

CTS can arrange a quick training session for managing mailbox and file space. There are a number of simple techniques that will help to contain runaway needs.

In addition, everyone should recognize that mailboxes make the absolute WORST filing cabinet ever invented. Large mailboxes invariably contain multiple copies of the same bloated attachments in multiple and fragmented conversation threads – making it impossible to locate the latest version – or to locate anything for that matter. Think of your mailbox like the one attached to the front of your house – stuff gets dropped off there, and you take it inside and file it away. Nobody uses that mailbox to store things – for obvious reasons. The same obvious reasons apply to email: phishers download the entire contents of your mailbox as soon as they get your credentials – we have seen that happen all too often here – and it happens to tech-savvy individuals too.

Aside from best practices, there are a lot of hidden costs, which nobody cares about – that is - until they do care. Storage space is expensive. Backup software licensing fees are expensive too – and we pay for every gigabyte we back up. SUNY Legal counsel advises limiting everyone’s total storage footprint and mailbox size – so they don’t have to search through a tremendous amount of material when a legal hold is placed – and that happens far more often than anyone would like as well.

Our faculty/staff email storage footprint today is 2.5 times the size it was 4 years ago. If we have to restore that 20 terabytes of data from backup, it will take 4 or 5 DAYS to do that restore, and during that restoration period, nobody will have email, and everybody will be screaming. It is reasonable to assume that a majority of that storage footprint – and a majority of those 4 or 5 days of recovery time – is ‘wasted’ on unnecessary material and multiple copies of bloated attachments that have accumulated in everyone’s mailbox.

Only the mailbox/storage owner can determine what is important enough to keep. We ask that you keep the important materials that land in your mailbox inside the house, and not in the mailbox outside your front door. Doing that will help you be more organized, find things faster, and find inner peace and tranquility.

 

Email space management tips:

  1. Avoid sending or forwarding bloated attachments to committees or large groups of campus persons. Instead, use SharePoint links to documents rather than attachments, or use the Broadcast Email system (which provides server links rather than bloaty attachments).

  2. Use the “Size” column in Outlook to float the bloat to the top, and then cut it out.

  3. Save the attachments you do receive in your mailbox as they arrive – I put a tag into the subject line to record their original presence and their file storage location: “<\path\Filename.type>”.

  4. If you do SEND OUT an attachment via email, that means you already have that document stored somewhere, so cut it out of your sent items, and put in a “<\path\Filename.type>” placeholder note to record its presence in your sent message.

Mobile Device Ownership Stipend

Under certain limited circumstances, faculty members may request that the college subsidize their purchase of a mobile electronic device via payment of a Mobile Ownership Stipend. These circumstances may include, but not be limited to, sensitive research needs, creative production, and the need to manipulate or otherwise alter the device firmware or hardware.

Faculty members applying for a Mobile Ownership Stipend shall submit a brief written justification to their supervisor. The request must specify the type of device the faculty member intends to purchase and the amount of stipend requested. The request shall be reviewed and evaluated by the board-of-study coordinator, chair or director, and provost’s office, based on faculty needs and preferences, proposed utilization for teaching/research, and academic program needs.

If the request is approved, a one-time stipend, in an amount to be determined by the board-of-study coordinator, chair or director, and provost, shall be provided to support individual ownership, maintenance, and software needs for the mobile device over an expected life span of four years. Departure from college service prior to the fourth anniversary of the stipend may result in a request to return the device to the college. The Mobile Ownership Stipend would be eligible for renewal every fourth year to align with the college’s existing faculty computer replacement policy.

Individuals receiving a stipend may not receive a computer under the normal faculty computer replacement cycle that provides college-owned and college-supported devices. In almost all cases, it is likely to be an either/or choice (faculty computer or mobile stipend). Both programs intend to ensure faculty have access to a computer in their offices for communication, advising, and research. At the end of the four-year cycle, faculty may choose to opt into the normal college-owned faculty computer replacement cycle again.

Maintenance and Support

With the Mobile Ownership Stipend, you are responsible for any support, maintenance, or repairs over the life of the device. It is strongly recommended that you obtain warranty coverage for the life of the device, and that you cover the device under your homeowner’s or renter’s insurance.

If you apply for a Mobile Ownership Stipend, no college administrative account will be created on the machine. Without necessary administrative credentials, college support for personally owned computers is limited.

The machine will not be automatically joined to the college network by default. You may still access the college Wi-Fi network by logging in with your college credentials.

As a courtesy, CTS will provide basic on-site support for your device, as is done for student-owned machines. This good-faith effort is typically defined as up to an hour under normal circumstances. All parts and software required for service activities must be provided by the customer.

If you do bring the device to CTS for support, you will be asked to provide a temporary administrative-level account for the technician’s use. If any software re-installation is recommended, you will need to provide your software license keys and media.

Please note that CTS reserves the right to decline to provide service for personal devices for any reason.

Software and Printing

College-provided concurrent-use software licenses will not be available for your use. (College-licensed software includes, but is not limited to, Microsoft Office, Apple iWork software suite, Adobe Creative Suite, Autodesk Creative Suites, AutoCAD architectural suite, SPSS statistics, font libraries, and other software with concurrent-use licenses.)

Note that Microsoft and other vendors offer “work-at-home” licenses to college employees at substantial discounts. More information can be found on the Downloads and Software page. Microsoft Office and Windows—for $9.75 each—and other products can be obtained from the aforementioned page.

Since personally owned devices are not joined to the domain, network print services are not available.

Accessing college-provided software/print services from your personally-owned computers:

CTS provides a VPN to access your campus desktop computer. If you do not have a desktop computer in your office, there is also a Terminal Server you can use to connect to a standard Windows virtual desktop. (Note that Apple does not allow virtualization of its operating systems or hardware.) Campus-licensed concurrent-use software and print services may be available through the VPN or the Terminal Server.

Submitting a Request

Requests for a Mobile Ownership Stipend can be brief. Please include:

  • The reason the stipend is being requested. Research privacy, creative production, and the need to modify or alter the device are valid reasons.
  • Description of proposed utilization for teaching/research
  • The amount being requested
  • Acknowledgement of implications regarding college software, printing, and support

Submit the request to the coordinator of your board of study. If approved, the coordinator will forward approval to the chair or director for review. If the chair or director approves, the request will be forwarded to the dean and the provost’s office for review and final determination as to the funding amount.

Surrendering a Device

Surrender of device in connection with litigation discovery demands, Freedom of Information Law (FOIL) request, and/or to protect the college’s interests

At the direction of the college’s legal counsel and a college vice president, any mobile device obtained through this program shall promptly be surrendered to the college for purposes of complying with discovery in litigation, Freedom of Information Law requests, and/or as may be needed to protect the legal interests of the college. Upon surrender, the college shall undertake a search of the contents of the device. Such search shall be narrowly tailored to the specific matter or matters at issue. To the extent practicable, the device shall promptly be returned to the owner. If, in the sole opinion of college legal counsel, the device must be maintained in college custody, the college shall copy the contents of the device’s hard drive and/or memory and provide the owner with a temporary replacement device.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Mobile Ownership Stipend Request

Purchase College / State University of New York

• I am requesting a Mobile Ownership Stipend in the amount of $______________

• I am requesting a Mobile Ownership Stipend because:

• I intend to use the stipend to support my teaching/research in the following ways: 

EMPLOYEE:

I have read and agree to the terms of the Mobile Ownership Stipend Policy.

_____________________/______ (Employee signature / date) 

 

SUPERVISOR:

I approve the issuance of a Mobile Ownership Stipend to the employee:
_____________________/______ (Supervisor / date)

CHAIR/DIRECTOR:

I approve the issuance of a Mobile Ownership Stipend to the employee:
_____________________/______ (Chair/Director signature / date)

DEAN:

I approve the issuance of a Mobile Ownership Stipend to the employee:
_____________________/______ (Dean signature / date)

COLLEGE OFFICER:

I approve the issuance of a Mobile Ownership Stipend in the amount of $_____

____________________/_______ (Officer signature / date) 

Mobile Device Policy

Purpose

This policy offers some best practices regarding the use and safekeeping of laptops, tablets, and mobile computing devices, and governs the use of and liability for College-owned mobile devices.

What’s covered by this document?

All College-owned mobile computing devices are governed by this policy, including systems made available as primary workstations, assigned within a departmental office, or purchased through grant dollars for specific projects.

All college-owned computers, systems, and mobile devices are covered by the Purchase College Privacy Policy which provides protection for individual privacy appropriate for an academic environment. 

Scope

This document is applicable to all College staff, faculty, or administrators who are using mobile computing devices issued or loaned to them by a College department.

College-owned mobile devices may be used for any work-related tasks, including:

  • as your primary workstation.

  • on a College trip, conference, or workshop.

  • for research, creative production, or any work-related purpose.

General Use

  • You will receive administrative credentials for your device.

  • Feel free to change user settings to your liking.

  • Please be sure to safeguard the device - log off or “lock” the device when it is not in use.

Physical Protection and Reasonable Care  

  • Password protect all mobile devices

  • Secure your mobile device and keep it with you.

Reporting Loss

  • Report a theft immediately to:

    • The appropriate local law enforcement authority

    • Purchase College University Police

    • CTS (Helpdesk 914.251.6465) as soon as the theft has been noticed. Provide CTS with a copy of the police report.

General information on Faculty Computers and Mobile Devices

Acquisition

  • Administrative units provide their staff with computers, laptops, and mobile devices as necessary.

  • Academic Affairs provides faculty computers, laptops and mobile devices for all faculty as necessary.

  • See also the “Mobile Device Ownership Stipend” Policy.

Inventory, Reporting, and Replacement

  • Each year, CTS produces a report for Academic Affairs showing all full-time faculty computers as recorded in the College’s Workstation Database.

  • The CTS report shows all faculty computers (desktops and laptops), with “replace” recommendations in cases where an individual’s only workstation is outdated or out of warranty, or where all of that individual’s computers are outdated or out of warranty. Replace recommendations are for a like device (desktops replaced with desktops).

  • The report to the Provost is accompanied by an overall cost estimate based on a current quotation for the mix of desktops/laptops covered by the “replace” recommendations.

  • Academic Affairs may solicit input from Chairs/Directors regarding pending personnel changes and/or the appropriateness of each “replace” recommendation.

  • Chairs/Directors may solicit feedback from individual BOS or faculty within their unit.

  • Academic Affairs returns a final “replace” recommendation containing the names and types of devices (Mac or PC, desktop or laptop) to CTS for ordering.

Preparation for use:

  • Upon arrival, CTS prepares the machines by joining them to the college network and loading college software onto them.

  • CTS notifies each faculty member when their device is ready for delivery or pickup.

  • Upon delivery/pickup of a new device, the device being replaced must be returned to CTS. Data can be transferred to the new device during the handoff.

  • Administrative access is provided for all mobile device holders. Administrative access allows you to access the mobile device when it is not connected to the college network (offsite), to change settings, install software and apply updates, and other functions.

  • College credentials (CTS) will exist on all College-owned devices to enable CTS staff to provide support and maintenance services as needed.

  • Upon resignation or departure from College service, all College-owned equipment must be returned to CTS for inventory purposes, reassignment and/or disposal. All data is wiped from computing devices prior to disposal.

Physical Protection and Reasonable Care

  • Every mobile computing device must be password-protected

  • Each user of a College-owned mobile device is responsible for the security of that device, regardless of whether it is used in the office, at one’s place of residence, or in any other location such as a hotel, conference room, car or airport. Users are expected to provide reasonable care and effort to protect the mobile device.

  • The equipment may not be transported as checked luggage on public transportation (airplanes, trains, and buses). The user will keep the equipment in their possession at all times while traveling.

  • Carrying cases and mobile devices should be labeled accordingly so in the event of a loss the equipment might be returned. All mobile devices must have a College asset tag.

  • Special care should be taken with the security of the mobile device. Equipment must not be left unattended in public areas. Do not leave your office unattended and unlocked, even for a brief time, if your mobile device is not secured in the office.

  • Do not store mobile devices in a locked car or car trunk, as severe temperatures may damage it and the car may be broken into if the mobile device can be seen.

Liability

Along with the privilege of using a College owned mobile device comes the responsibility to safeguard the device and any data it contains.

  • Individuals are personally responsible for the security and safety of the mobile device.

  • Departments should not loan college-owned mobile devices to students, student organizations, or other outside parties. CTS maintains a distinct pool of equipment for this type of use, and requests should be referred to CTS.

  • In case of theft or loss, the employee must file a report with the University Police.

  • A theft must be reported immediately to:

    • The appropriate local law enforcement authority

    • Purchase College University Police

    • CTS (Helpdesk 914.251.6465) as soon as the theft has been noticed. Provide CTS with a copy of the police report.

  • If a mobile device is damaged, lost or stolen and it is determined that reasonable care and protection guidelines were not followed, the person to whom the mobile device was issued may be subject to disciplinary action. The determination of responsibility will be made by a College Officer, in consultation with the unit supervisor, UPD, CTS and the Property Control Officer.

  • Failure to follow this policy and these procedures may result in loss of computer privileges.

  • Failure to return the mobile device may result in disciplinary or legal action.

Data Security

Data Security policies apply to all computing devices used for College business. Since mobile computing devices are more susceptible to loss or theft, it is important that you do not store any Personal Private Sensitive Information (PPSI) on mobile devices, and that you maintain current backups of any important files that you do have on the mobile device.

Why avoid storing personal, private, and sensitive information? Mobile devices are particularly susceptible to loss or theft. If Personal Private Sensitive Information (PPSI) is stored on a device that is lost or stolen, the individuals whose information was compromised may face long lasting ramifications from the improper use of their personal and financial information. In addition, New York State law may require that the college publicly disclose the loss of such PPSI and notify all individuals whose information was potentially compromised.  As a result, we highly recommend that you do not store any sensitive data on mobile computing devices.

What is Personal, Private, and Sensitive Information (PPSI)?

Per NYS Cyber-Security Policy P02, PPSI is considered a combination of any three of the following personally identifiable information items: Name, Address, SSN, account number, credit card number, maiden name, and date of birth.

To Secure Data on Your Device:

  • Ensure that virus protection updates, operating system updates and virus scans are performed regularly (these are default CTS settings.)

  • When using your mobile device in a public place, use encrypted network connections (via HTTPS on Wi-Fi or VPN) to ensure your communications remain secure.

  • Avoid using “remember me” for websites that require an account log on. This avoids storing your ID/password for that site in cookies and browser cache files.

  • Do not download, store, or record data that includes any personally identifiable information such as: student/faculty/staff/alumni/vendor Name, Address, SSN, account number, credit card number, etc. If the mobile computing device is lost or stolen, this data could be used for identity theft. The user is responsible for the security of all College data stored on, or carried with, the mobile device.

  • Do not alter any system software or hardware configuration unless instructed to do so by someone from Campus Technology Services.

  • Additional application software should not be loaded onto the mobile device unless approved by Campus Technology Services.

  • Safeguard the device and data by ensuring the mobile device is “locked” or the user is logged off when not in use.

Inventory Tracking and Disposal

  • Upon termination of college employment, the mobile device, peripherals, and carrying case need to be returned either to the issuing department or to the CTS Helpdesk on or before the last day of work.

  • Do not give the mobile device to anyone else for use. Doing so will be considered misuse of the equipment.

  • The department responsible for the mobile device must maintain records of who has which mobile device for what period of time. The department responsible for the mobile device should retain a copy of each Mobile Device Authorization Form they issue.  If the mobile device does not have a barcode, then the unique identifying number (e.g. a serial number or service tag number) should be used to identify the equipment.

  • When a mobile device reaches the end of its useful life, it must be returned to the CTS Help Desk for disposal. They will ensure that the device is wiped clean before the unit leaves campus.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Failure to comply with this policy may result in disciplinary and/or legal action.

Thank you for reading this document.

 

 

Acknowledgement of Mobile Computing Device Usage Policy

Purchase College / State University of New York

____________________ authorize _______________________ to receive a mobile computing device.

         (Supervisor’s name)                                                (Employee’s name)

 

—————————————————————————————————————————–

Mobile computing device information: 

Laptop ___          Tablet ___           Other ______________

Manufacturer       ____________________                Model___________________________

Serial #  ___________________________     Original cost: _____________              Date of purchase: __________

—————————————————————————————————————————–

SUPERVISOR

I approve the issuance of a Mobile Computing Device to the employee:                _____________________/______

                 (Supervisor signature / date)

COLLEGE OFFICER

I approve the issuance of a Mobile Computing Device to the employee:                     _________________/_______

                            (College Officer’s signature / date)

—————————————————————————————————————————–

EMPLOYEE:

I have read and agree to follow the Mobile Computing Device Usage Policy:    _____________________/______

                 (Employee signature / date)

—————————————————————————————————————————–

Submit form to Campus Technology Services. A copy should also be retained by the issuing department.

This information has been recorded in the computer inventory database: _____________________________

       (CTS Reviewer / date)

 

NYS Office of Information Technology Mobile Device Security Standard

   
NYS-S14-009
State Capitol P.O. Box 2062
Albany, NY 12220-0062
www.its.ny.gov

1.0 Purpose and Benefits of the Standard
Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices that are only used within a State Entity’s (SE) facilities and on the SE’s networks.

This standard outlines the additional protections required for the use of mobile devices by SEs.

2.0 Enterprise IT Policy/Standard Statement
Section 2 of Executive Order No. 117 provides the State Chief Information Officer, who also serves as director of the Office of Information Technology Services (ITS), the authority to oversee, direct and coordinate the establishment of information technology policies, protocols and standards for State government, including hardware, software, security and business reengineering. Details regarding this authority can be found in NYS ITS Policy NYS-P08-002, Authority to Establish State Enterprise Information Technology (IT) Policy, Standards and Guidelines.

Except for terms defined in this standard, all terms shall have the meanings found in the IT New York Glossary.


3.0 Scope
This standard covers all mobile devices managed by the State or which are used by the State workforce to store SE information.

Mobile devices are computing devices in a small form factor that have at least one network connection interface, non-removable and/or removable storage, and are portable (i.e., nonstationary). These devices come in forms such as: smartphones, PDAs, smart watches, tablets, laptops, and wearable devices.

4.0 Information Statement
4.1. Mobile devices must follow all requirements of the NYS Information Security Policy.
4.2. As per the state Encryption Standard, all mobile devices that access or contain any SE information must be encrypted.
4.3. For State issued mobile devices or personal mobile devices with direct access to NYS-managed networks (see NYS Bring Your Own Device Standard), only those applications which are approved by the SE may be installed and/or run on the mobile devices. Applications must be restricted through the use of whitelisting (preferable) or blacklisting. Applications must be digitally signed to ensure that only applications from trusted entities are installed on the device and that code has not been modified.
4.4. State information must be removed or rendered inaccessible from mobile devices after no more than 10 incorrect authentication attempts.
4.5. Mobile devices must automatically lock after being idle for a period not to exceed 10 minutes.
4.6. Mobile devices which directly connect to NYS-managed private networks, virtually connect to NYS-managed private networks in a manner consistent with a directly connected device, or which contain or could contain SE information, including e-mail data, must be managed by a Mobile Device Management (MDM) or other centralized management solution.
4.7. Use of synchronization services, such as backups, for mobile devices (e.g., local device synchronization, remote synchronization services, and websites) must be controlled by the SE through an MDM or other centralized management solution.
4.8. Mobile devices may not access NYS private networks unless their operating environment integrity is verified (including whether the device has been rooted/jailbroken).
4.9. SEs must manage all mobile devices by:
a. Implementing device policies and configurations as appropriate to the use of the device.
b. Developing and implementing processes which check for upgrades and patches to the software components, and for appropriately acquiring, testing, and deploying the updates to State issued devices.
c. Reconfiguring access control features as needed based on factors such as policy changes, technology changes, audit findings, and new security needs.
d. Detecting and documenting anomalies which may indicate malicious activity or deviations from policy and procedures. Anomalies should be reported to other systems’ administrators as appropriate.
e. Providing training and awareness activities for mobile device users on threats and recommended security practices which can be incorporated into the SE’s security and awareness training.

5.0 Compliance
This standard shall take effect upon publication. The Policy Unit shall review the standard at least once every year to ensure relevancy. The Office may also assess agency compliance with this standard. To accomplish this assessment, ITS may issue, from time to time, requests for information to covered agencies, which will be used to develop any reporting requirements as may be requested by the NYS Chief Information Officer, the Executive Chamber or Legislative entities.

If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, SEs shall request an exception through the Enterprise Information Security Office exception process.

6.0 Definitions of Key Terms

Mobile Device
A computing device in a small, portable form factor that has at least one network connection interface, non-removable and/or removable storage, including but not limited to smartphones, Personal Digital Assistants (PDAs), tablets, laptops, smart watches, and wearable devices.

7.0 ITS Contact Information
Submit all inquiries and requests for future enhancements to the standard owner at:

Standard Owner
Attention: Enterprise Information Security Office
New York State Office of Information Technology Services
1220 Washington Avenue – Bldg. 7A, 4th Floor
Albany, NY 12242
Telephone: (518) 242-5200
Facsimile: (518) 322-4976

Questions may also be directed to your ITS Customer Relations Manager at:
Customer.Relations@its.ny.gov
See here for The State of New York Enterprise IT Policies.

8.0 Review Schedule and Revision History

04/18/2014: Original Standard Release (Thomas Smith, Chief Information Security Officer)

05/15/2015: Minor clarifications, added link to the BYOD standard and removed optional language pertaining to MDM (Deborah A. Snyder, Deputy Chief Information Security Officer)

04/18/2016: Scheduled Standard Review

9.0 Related Documents

NIST Special Publication 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise
NIST Special Publication 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices
Federal CIO Council and Department of Homeland Security Mobile Security Reference Architecture

NYS Security Breach Disclosure Policy

To all faculty, staff, and administrators:

New York State Security Compromise Disclosure Law: On December 7, 2005, the “NYS Information Security Breach and Notification Act” went into effect. It was signed August 9 by the governor. This new law requires that “entities conducting business in NY who own or license computerized data which includes private information” disclose any breach of private data to NY residents (and nonresidents) whose personal information was stored on any system that may have been compromised. The law defines personal information as “any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.”

What does this mean to me? Identity theft has become a major problem over the last few years. More than 51 million Americans have had their personal information compromised since February 2005 (including more than three million NYS residents—see the CSCIC list at the end). Criminals—and organized crime in particular—have found it to be a very lucrative business. With a few key pieces of personal information—a name, SSN, birth date and address—they can use your identity to open new credit card and financial accounts, take out a mortgage on your house, and generally plunder your financial accounts for huge amounts of money before you even realize it is happening. Repairing the damage to your credit rating takes years, and is difficult if not impossible. On a personal level, we all understand and support this legislation because we all would want to know if our personal information has fallen into the wrong hands.

What does this mean for Purchase College? Purchase College computer systems store data on tens of thousands of current and former students and employees. We have all seen press reports of other schools that have been hacked or lost a laptop containing personal information. New York has now followed California’s lead in implementing a notification law. Prior to this, compromises were often kept quiet.  Under the new law, if there is “reason to believe” that a system has been or may have been compromised, we are required to notify all individuals whose information was stored on the compromised system, and to notify the Consumer Protection Board or the press if more than 5,000 records are involved. Obviously, this would have a disastrous effect on the college’s public image and our recruiting and enrollment efforts, not to mention the potential damage to the individuals whose information may have been compromised.

What is the college doing to protect our systems and data? Campus Technology Services (CTS), the central technology and support organization serving the campus, provides centralized administrative systems that serve faculty, staff, and students.  CTS also supports and maintains all college-owned faculty and staff workstations. The most common way that systems are compromised is through known exploits on machines that are not properly patched.

What should you do? Review practices regarding use of computer systems within your unit—particularly those systems that are not stored, managed, and maintained by CTS. If you have a local MS Access database on a machine in your office, or any locally stored database of students, clients, constituents, or employees, you should contact CTS to discuss options for securing that data.

Data should never be stored on local workstations—not only is that data not part of any backup and recovery process, but local workstations can be (and are) stolen. The college provides file servers accessible through the network that provide secure storage for all of your data files.

Any stolen or lost computers (desktops or laptops) should be reported to the University Police immediately. You should keep a record of all of your unit’s computer hardware (make, model, serial number and MAC address) in the event that it is stolen or lost.

The proliferation of external USB/Firewire disk drives and USB memory keys is another threat. These portable devices can also store large amounts of data that is easily lost or stolen. Again, data should only be stored on centralized college servers.

If your unit is not already using a centralized file share on a CTS server, chances are your employees are using local or removable storage that is not secure. Please call CTS at x6465 to set up a file share for your office.

It is critical that you notify CTS when an employee leaves your unit so that their access to college systems can be terminated. Former employees can retain email privileges where necessary, but should not have access to other college systems after they leave.

Take stock of physical security within your unit. Are the offices and cabinets where sensitive paper records are stored secure and accessible to authorized personnel only? Are there alarm systems covering these areas?

Most importantly, you need to raise awareness among everyone within your unit about the seriousness of cybersecurity threats.  Understanding the issues and the ramifications of a compromise—personally and institutionally—is the only thing that will make someone think twice about downloading that data file onto their laptop or USB key. Have your people check the contents of their computers and storage devices and eliminate anything that doesn’t need to be there. Remind everyone not to email confidential data files or SSNs.

If a compromise is suspected: If you suspect that a computer system in your unit has been compromised, or if any laptop or college-owned desktop computer is lost or stolen, please notify CTS and the University Police immediately. We will work with you to determine whether or not a compromise has occurred, and what actions need to be taken.

If a compromise occurs: The law requires us to notify three NYS offices:

  • NYS Attorney General
  • NYS Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
  • Consumer Protection Board (CPB)

More Information:

The summary and text of the Assembly bill signed August 9 by the governor:

The Privacy Rights Clearinghouse website.

Online Course Authentication Policy

At Purchase College, students in online courses must use a secure log-in to the campus learning management system, using their Purchase College username and password. This is required for students to register for courses and to participate in them online.

Student privacy rights are strictly protected. Only those enrolled in the course have access to the course. The outside community does not have access to the coursework, nor do students who are not enrolled in the specific course.

All students are informed of the academic integrity policy in course syllabi and at www.purchase.edu/online. Upon registering, all students formally agree to the college’s Student Code of Conduct, which includes the academic integrity policy.

Campus Technology Services (CTS) also has a computer ethics and usage policy, which outlines clear expectations, including maintaining security of accounts, not sharing account access, and the strong password use enforced by the campus system.

Faculty members are encouraged to use video tools (i.e., Skype, Adobe Connect), in addition to phone conversations with students as needed. Instructors are encouraged to use activities in the online course for students to, once again, actively agree to the college’s policies on academic integrity and on computer ethics and usage.

As additional means of addressing student authentication become available, Purchase College will research possible adoption of such resources.

Pandemic Business Continuity

Online services for Faculty and Students in case of school closure

As you are probably aware, the Swine flu pandemic continued to produce cases in the US throughout its off-season, and flu season returns this fall. While it has had a fairly mild effect in the vast majority of cases to date, it does spread like wildfire. Schools across the country are bracing for flu season this fall, including Purchase.

In a worst case scenario, if the campus were to close due to pandemic pandemonium or other emergency during the semester for a period of several weeks or more, there are a variety of tools that could help the faculty and students continue their studies and complete the semester. These tools include both low-tech (email!) and hi-tech options, and the college’s Teaching Learning and Technology Center (TLTC) is offering a series of faculty workshops over the next few weeks that may help you get started.

Some course activities translate more easily than others into an online environment. It is easy to see how writing assignments, discussions, and even tests can be conducted through the internet without too much effort – but a  painting or dance class is another matter entirely. Whatever your discipline, we encourage all faculty to begin considering their options and strategizing on how to cope with a disruptive campus closing during the semester.

The services below are available to faculty and students, and are listed in low-tech to high-tech order:

Purchase College Email
Each faculty and staff member is assigned an email account. You can use your account from any computer with an Internet connection and a standard Web Browser (Internet Explorer, Firefox, Netscape, etc.) by going to http://www.purchase.edu and following the email link in the page footer. Your account is used for official communications to and from the College and students, and it provides access to self-service web applications (grades, class lists, etc.). Your account also provides access to online Library resources and reserved readings, and to the Moodle and Blackboard course management systems.

Class Lists:
CTS automatically creates an email distribution list for each class, with the faculty member as the list manager. The new Banner system changes the term format and the course numbering format, and eliminates section numbers. The format for summer 2014 classes and beyond is YYYY-TERM-Subject-Code-CRN@purchase.edu, for example 2014-40-WRl1105-40115@purchase.edu. Faculty do not have to create their own lists.

(Banner Term codes are 20=Summer, 40=Fall, 55=Winter, 60=Spring)

Each faculty advisor has a distribution list containing their advisees: adv.faculty.FirstName.LastName@purchase.edu.
If you are the head of a Board of Study there is a list of your majors (i.e. hum.faculty.womens-studies@purchase.edu).

There is a faculty listserv, Faculty.Discuss@purchase.edu, open to all faculty members. This list is moderated by the Faculty at Large President, and is for discussion of faculty matters.

All Purchase College email distribution lists can be used from any email account, on or off campus using the format List.Name@purchase.edu.
 
Purchase College Voice Mail and Unified Messaging
Purchase College provides Voice Mail for each campus phone, and has an option for Unified Messaging service which forwards all of your campus voice-mail to your College email account as sound files. To sign up for Unified Messaging, contact CTS at x6465 or submit a request through the CTS Work Order System. This is an excellent way to get your voice mail messages when you are away from your office.

Remote Access VPN, File Servers and Remote Desktop
Purchase also has a Virtual Private Network (VPN) service available for faculty and staff. The VPN connects your home computer or remote laptop to the campus network – and optionally to your office computer by remote desktop session. This means you have access to all the programs and data that you are accustomed to on your office computer – from home. The VPN also provides access to your Home Directory and other file shares on our servers.  The VPN is very cool and very convenient, and it could make a very big difference if you cannot come into your office – but you must set it up in advance. If you want to use the VPN, call CTS at 251-6465 or submit a request through the CTS Work Order System.

Moodle
The college has the Moodle online Learning Management System (LMS). An LMS is basically a web site for each class. Moodle includes a wide variety of tools and plug-ins that provide rich functionality for students and faculty administrative services such as quizzes and gradebooks. Contact the Teaching, Learning and Technology Center at TLTC@purchase.edu to find out about Moodle workshops and other training opportunities.

Online Testing
Online quizzes can be created at any time, and posted during a certain window of opportunity. You can alert students to an upcoming quiz via email. Students can use their Purchase credentials to log in and take the quiz.

Moodle contains “online Quiz” functions. Moodle allows faculty to create quizzes that contain text and multiple choice style tests, and allows you to embed/link to various media. For instance, you can embed an audio file or a picture and ask students to provide a context or analysis of it.

The College’s ClassApps Web survey tool (available on the Portal Page) can also be used to administer tests online. The ClassApps Web Survey provides a rich array of question types, branching functions, and other features that allow you to create elaborate tests. There is even a built-in response scoring function for non-text (multiple choice) answers. Surveys can be authenticated with Purchase College student credentials, and you can release the URL via email and close it at the end of the testing window (which can be as long or as short as you want).

Web 2.0 Tools
CTS also runs a WordPress Blog Server (http://blogs.purchase.edu) for the campus community, as well as a Wiki Server (https://collaborate.purchase.edu). These Blogs and Wikis can be used for classes or as collaboration tools.

Adobe Connect Videoconferencing
The college has three Adobe Connect videoconferencing “rooms.” These can be used to connect a group of dispersed individuals with laptop webcams in a unified group with a shared whiteboard and document workspace. This works reasonably well for small groups – you can see and hear each person in a thumbnail video, and share documents.

Skype
Skype is an internet based telephone application that also includes video if you have a webcam on your computer. While Skype is best for one-to-one video connections, it also supports small groups for conference activities, and provides tools for white-boarding and sharing documents.

Software for your home computer
The College has a Microsoft Campus Agreement that provides work-at-home rights for MS Office (Word, Excel, Outlook Email, PowerPoint, and Access Database) for all faculty and staff home computers. The software is free, but must be ordered on media or as a download, costing about $10 per copy. The order form is linked from the Portal page (see next section). The College also provides Anti-Virus work-at-home licenses for all faculty and staff home computers. That software can be downloaded directly from the Downloads page.

Administrative Computing Services for Faculty
The Web Portal contains the Master Calendar of Events, Announcements from College Officers, Deans and Directors, and links to the Employee Services site.

The Employee Services site is where Faculty and staff self-service web applications such as class lists, grades, enrollment reports, committee web sites, and other resources can be found.

Support Services
The Campus Technology Services (CTS) provides telephone and on-site support services for network access and standard applications. The CTS Service Center in SS0025 is open to 7:45pm Monday through Thursday, and to 4:45pm Friday. You can also contact us at (914) 251-6465.

CTS uses Remote Assistance to troubleshoot and resolve most problems. The Technical Support staff strives to provide responsive on-the-spot or same-day service for faculty and staff.

College-owned computers are provided for all full-time faculty, and are running Windows 7, 10 or Mac OSX.

Other Faculty Technology Resources

The Teaching, Learning and Technology Center (TLTC) provides extensive support for faculty and staff using the Web based Moodle course management systems. The TLTC is located in the Purchase College Library. For more information, contact the TLTC at 251-6425.

Please keep in mind that if the campus closes, CTS and TLTC staff may not be on campus either, the helpdesk may not be fully staffed to answer calls, etc.  We encourage everyone to plan ahead to avoid delays. 

Policy: Change Management

Definition: The phrase “Change Management” incorporates any addition, modification, or removal of systems, software, or hardware that may have an impact on institutional operations. In our highly interconnected environment, the impact of a change may have unintended or unanticipated consequences, and must be carefully planned and communicated in advance to avoid disrupting normal operations. 

Scope:

This policy addresses how change management is handled for systems, applications and devices in the Purchase College Domain. 

The change management process involves:

  • Logging change requests.
  • Assessing the impact, cost, benefits, and risk of requested changes.
  • Providing approval or rejection.
  • Overseeing the change implementation.
  • Monitoring and reporting the status of changes.
  • Closing change requests and conducting post-implementation reviews.

Tools:

Purchase College uses NNT Change Tracker to apply and archive changes as they are applied to servers and network devices. For text-based configuration changes, NNT tracks which lines of configuration were impacted by a given patch or update.  For computer workstations, CTS makes use of SCCM, Munki, and group policy to deploy software, updates, and patches. 

Classification and Categorization of Changes

There are three different categories of changes:

  1. Normal Change – Any service change that is not a standard change or an emergency change.
  2. Emergency Change – A change that must be implemented as soon as possible; for example, to resolve a major incident or implement a security patch.
  3. Standard Change – A preauthorized change that is low risk, relatively common, and follows a procedure or work instruction.

In addition to the change categories, changes can be classified as major, significant, or minor, depending on the level of cost and risk involved, and on the scope and relationship to other changes. The detailed procedures for each group should address this classification.

Emergency Changes

A change that must be made before a Change Advisory Board (CAB) can be convened to review and approve it due to a repair or error in an IT service that is causing a negative impact. Incident resolution may sometimes require emergency changes. Examples include a critical service-down that requires a quick hardware swap-out, or a late-night system emergency when the change manager or others may not be available.

An emergency change must follow these steps:

  • If time allows, the change initiator must make a good-faith effort to contact their manager or the appropriate change manager to give them the opportunity to approve the change prior to making it.

  • Once the change is deployed and the incident is resolved, the change initiator must document the change in Help.HSC as an emergency change.

  • The change manager and the CAB will review all emergency changes at their next scheduled meeting. 

Change Planning:

When any change is being considered—a new device, new system, OS upgrade, software version upgrade, security patch—or the elimination of a resource or service is being considered, it is critical that careful consideration be given to the potential impact of the change, and to the process for implementing the change. It is also critical that the implications be carefully communicated to any stakeholders that may be affected by the change.

The change initiator is responsible for ensuring that the analysis and communication are conducted during the planning phase. The change initiator is often a business unit (e.g., Office of Admissions) without IT expertise, and they may have to rely on technical staff—or on other staff from other units—to determine the full impact and implications of the change they wish to initiate. Since a change may affect more than one area—or even the entire institution—a Change Advisory Board (CAB) will also be used to ensure the implications are widely understood. The composition of the CAB may vary depending on the change being proposed.

The composition of the CAB will be determined by the change initiator and the director of CTS. The change initiator is responsible for convening the CAB in a timely fashion and obtaining their approval for the change.

Change Request:

The change initiator must complete a Change Request Form providing information on the change they are proposing. The Change Request Form will be reviewed by the director of CTS and the Change Advisory Board. The Change Advisory Board may add additional information before approving or rejecting the change request.

  • Business reason for change (process improvement, regulatory requirement, etc.)
  • All costs associated with making this change (new version of software cost, re-training, etc.)
  • Other units that may be affected by the change 

Risk and Impact Analysis

The change initiator must complete a risk and impact analysis form for the change they are proposing. See the Appendix for the Risk and Impact Analysis template.

Change Communication

The change initiator is responsible for communicating the change to the proper audiences. Once the initiator is notified of the change approval, they should initiate necessary communications about the change prior to the change being made. See guidelines for when change notifications should be sent and to whom they should be sent.

Approved changes that have a broad impact, such as the entire college community, may require additional communications, such as notification by broadcast email, signage, or other methods. For changes with broad impact, the change initiator should work with his or her management to ensure the necessary notifications are being completed.

Standard and Routine IT Maintenance Changes, IT Roles

Servers

All college servers are assigned a primary system administrator. A secondary (and tertiary) system administrator is also assigned for each server in the event the primary system administrator is not available for any reason. Collectively, these individuals are referred to as the system administrator (SA).

The SA is responsible for reviewing and applying operating system (OS) patches and updates as soon as is practical, and for maintaining their systems at the most current state possible. The SA is responsible for advising management when a server cannot be updated due to hardware or software incompatibility. Patches and point releases are considered normal and routine changes—and do not require CAB approval. Operating system upgrades do require CAB approval.

Documentation for all patches and upgrades should be carefully reviewed before applying any change to any system. For patches, no approval beyond the SA is required. For OS upgrades, written approval should be obtained in advance from the assistant director for networks and systems – as well as from any application administrator (see below) responsible for applications on the server.

For servers where a TEST environment is available (i.e., Banner, SQL-Server, Web Server), the patches and upgrades will be applied to the TEST instance of the server first to help determine any undocumented adverse impact of the change.

Applications

For many applications residing on college servers, an application administrator (AA) is assigned to configure and manage the operation of a specific application (e.g., Moodle, Genetec). The application administrator is often an individual with functional expertise for that application. The application administrator may also be the same person as the system administrator (SA). The application administrator has elevated privileges allowing them to change configuration settings and to manage the application through whatever back-end console the application may provide. The AA is expected to work closely with the SA for the server where his or her application is hosted.

The AA is responsible for reviewing and applying application patches and updates as soon as is practical, and for maintaining the application at the most current state possible. The AA is responsible for advising his or her system administrator (and management) when an application cannot be updated due to hardware or operating system incompatibility.

Devices

All college network devices (firewalls, routers, switches, load balancers, storage arrays and sub-systems, appliances, etc.) are assigned a primary system administrator. A secondary (and tertiary) system administrator is also assigned for each device in the event the primary system administrator is not available for any reason. Collectively, these individuals are referred to as the system administrator (SA).

The SA is responsible for reviewing and applying vendor patches and updates as soon as practical, and for maintaining his or her devices at the most current state possible. The SA is responsible for advising management when a server cannot be updated due to hardware, software, or firmware incompatibility.

For instances where devices are deployed in a resilient fashion, patches and upgrades will be applied to one of the devices first—and then evaluated to determine whether there is any undocumented adverse impact of the change before it is applied to the other device.

Workstations

For all college workstations (desktop computers, laptops), CTS serves in the desktop system administrator (DSA) role. All college workstations must be joined to the domain and must be accessible for application of software patches and system updates. The CTS DSAs use SCCM, Munki, and group policy to distribute patches and updates to Apple and Windows workstations.

Patches and point releases of common software are considered normal and routine changes—and do not require CAB approval. Operating system upgrades do require CAB approval. 

Change Management Roles and Responsibilities

Roles associated with the change management process are defined in the context of the management function and are not intended to correspond with organizational job titles.

Role and Responsibilities

Change Initiator
Business or IT representative who initiates a request for change. This person is responsible for filling out the Request for Change (RFC) form, ensuring that all required information is included, submitting it according to this procedure, and notifying the change manager.

Change Process Owner
Senior manager who provides management control and guidance for the process in the IT department. Accountable for process design, operation, and improvement. Approves process rollout and changes to the process. Coordinates with change process owners in other departments to ensure common practices where appropriate.

Change Manager
This person has overall operational responsibility for the change management process in the IT department. Accountable for vetting the change request to ensure accuracy and completeness and sufficient information for the CAB to approve or reject the proposal. May make the determination regarding categorization and classification of the request.

Change Advisory Board
The CAB is a cross-functional team responsible for assessing change requests in terms of business need, cost/benefit, viability, and potential impacts to existing systems or processes. The CAB instructs the change manager to approve, defer, return, reject, or cancel changes. Also, the CAB makes recommendations related to change implementation. After changes are complete, the CAB reviews them for success/failure and lessons learned.

Emergency CAB (ECAB)
This team (or individual) is a subset of the CAB that is responsible for dealing with Emergency changes. The ECAB must be able to respond on very short notice and authorize or reject Emergency changes.

Technical Review Board
An ad-hoc group of subject matter experts and technical experts who are convened by a CAB to do an in-depth review of a change.

Service Owner
Represents one or more services in IT leadership and CAB meetings. Understands customer service requirements. Authorizes changes to the service.

Component Manager
Represents one or more service components in the CAB. Understands the technical structure of the component and subcomponents, and how they support the service.

Stakeholder
Any individual with an interest in types of changes or in a particular change. 

Appendix – Risk and Impact Analysis Template

Risk Assessment
Risk Score: Low/Medium/High

  1. How often has this change been successfully made?

     1 Routinely    2 Occasionally    3 Never

  2. What is the degree of difficulty to implement this change? (Consider the complexity of the change, number of devices involved, number of steps in the process, time pressure and number of people involved to accomplish it.)

     1 Low    2 Medium    3 High

  3. Has this change been successfully tested, or will it be, prior to implementation?

     1 Yes    2 No

  4. Which test environment have you, or will you, use for this change?

     1 Separate/duplicate    2 Shared    3 Partial    4 Production/none

  5. Have the recovery procedures ever been successfully tested?

     1 Yes/NA    2 No

  6. What type of support is available if external technical assistance is needed?

     1 On site    2 Remote    3 On call    4 Not available

  7. What is the degree of difficulty and effort for the Vendor/Partner, if needed, to return the system/component to an operational state?

     1 NA    2 Low    3 Medium    4 High

  8. What is the probability of this system/component failing?

     1 Never/low    2 Medium    3 High

  9. What is the probability of this change negatively affecting any of the applications, databases, servers or infrastructure components supporting the application?

     1 Low/NA    2 Medium    3 High

Impact Assessment
Impact Score: Low/Medium/High

  1. What amount of downtime will the user experience, outside of the regularly scheduled maintenance window?

     1 None    2 Less than an hour    3 Greater than 1 hour    4 Greater than 4 hours

  2. What is your recovery capability if this change fails?

     1 Easy backout or alternate/fail-over is available and will provide almost immediate service
     2 An alternate is available, but needs to be brought online
     3 No alternate system/component or spare is available

  3. Could Patient Safety/Care potentially experience a negative impact due to this change?

     1 Yes    2 No

  4. Could providers or mission-critical programs (e.g., academic classes, offices) potentially experience a negative impact due to this change?

     1 Yes    2 No

  5. Is end user training required, prior to implementation?

     1 Yes    2 No

  6. If the change were to fail, what is the worst case scenario? (In or outside of the regularly scheduled maintenance window)

     1 None    2 Slowdown    3 Partial or full outage

  7. If a partial or full outage is possible, has the business successfully tested their manual/contingency procedures, should the change fail?

     1 NA/Yes    2 I don’t know    3 No

  8. How many IT services/business applications are impacted by this change?

     1 None    2 One or two    3 Three or more    4 All

  9. Approximately how many users/workstations will be negatively impacted during the change implementation?

     Number of users/workstations

Print Management Policy

The internet and electronic systems have exponentially increased the amount of materials available in today’s learning, teaching, and working environment. Most people still prefer to read text on paper because it is more comfortable. Paper copies are often needed for study, distribution at meetings, and other purposes. Despite broader electronic access to documents, there remains a need for print services for students, faculty and staff.

 

The college provides and manages print services in a variety of ways.

 

Print Services for Students:

CTS employs a Print Management System (Paper Cut) that students can access from all of the computer labs around campus. Funded from the Student Technology Fee, CTS provides and supports the printers, paper and toner for the computer labs and library printers. A+D uses a separate version of this same system for managing printing in their specialized labs.

 

Prior to 2007 there were no limits on student printing. In 2007-2008 we monitored student print usage to begin assessing utilization and to identify a reasonable print allocation level. Beginning in the 2008-2009 academic year, students were provided with a small print allocation each semester. The student community slowly became used to the idea that printing isn’t ‘free.’

 

Each semester each registered FT student receives an additional print allocation. Student Print Allocations are pro-rated. The print allocation has been set at a maximum of 2000 points per semester since spring 2014.

 

When a student prints a document, a dialog box appears showing their allocation balance and the fee for the print job they are requesting. The Print Management System charges from 3 print points per page (duplex B/W prints) to 35 points per page (one-sided color print). The 2000 print point/semester allocation is enough for each student to print up to 800 pages per semester. Any remaining balance is carried forward, with subsequent semesters’ allocations added to it. The idea is that a student’s print balance should accumulate over their four years here to support an increased print need as they research and produce their senior project. Print allocations are suspended between semesters, and eliminated upon graduation. Unused print allocations are not refundable.

 

Print statistics from 2013 showed that the average student allocation balance is 9952 points, with 2,200 students having a balance over 1000 points, and only 108 students below 1000 points.

 

For fiscal year 2012-2013 the Student Technology Fee account spent $148,000 on paper (12k), toner (115k) and replacement printers (21k).

 

The annual expenditure for print services is equal to the total cost of one super-awesome computer lab that the college is forgoing each and every year, so we continue trying to minimize this expense.

 

Print Services for Faculty and Staff:

Faculty and staff printing is the responsibility of their home unit. Many academic units have shared laser printers in divisional offices, and many faculty have desktop printers as well. Staff print services are the responsibility of their home unit. Many units have shared network printers, and many provide individual desktop inkjet printers for their faculty and staff.

 

As a courtesy, when Print Management was introduced in 2009, CTS provided all faculty and staff with a one-time Print allocation of 5000 points to allow them to print outside of their offices when they are in the library or a computer lab.  This is a one-time allocation and will not be replenished once it is exhausted. Faculty and staff who have subsequently joined the college receive a one-time courtesy allocation of 2000 points.

 

The one-time courtesy print allocation of 2000 points is intended to allow faculty to print in the library and labs in an emergency; it is not intended for routine use. Class handouts and other materials should be printed in divisional offices, not in the computer labs.

Privacy Policy

As an educational institution, and in the spirit of academic freedom, Purchase College recognizes that it is essential that faculty, students, staff, and other college employees have some degree of confidence that their privacy will be respected and protected when using college computing resources for collaboration, research, scholarship, and administrative purposes. Purchase College considers information privacy a very serious matter, and therefore the college has established local policies and procedures to safeguard and protect each individual’s privacy. 

This document describes the Purchase College and New York State (NYS) policies and practices regarding information privacy for students, faculty, staff, or any other persons using college-owned devices and systems.

Purchase College, as a part of the State University of New York (SUNY)—a state agency—is governed by NYS policies on information security. New York State Information Security Policy P03-002 covers the privacy of materials on state-owned computers in the following statements:

Monitoring:

Consistent with applicable law, employee contracts and state entity policies, the state entity reserves the right to monitor, inspect, and/or search at any time all state entity information systems. Since computers and networks are provided for business purposes, staff members shall have no expectation of privacy in the information stored in or sent through these information systems. State entity management additionally retains the right to remove from its information systems any unauthorized material.

This policy is applicable to state entities, staff and all others, including outsourced third parties, which have access to or manage state entity information. Where conflicts exist between this policy and a state entity’s policy, the more restrictive policy will take precedence. 

Covered by this Policy:

This policy covers the individual email accounts that are assigned to students, faculty, staff and other employees; the personal “home directories” that are created for individual students, faculty and staff members; contents of college-owned desktop computers, laptop computers and mobile computing devices assigned to individual employees; and materials stored in college-owned servers (file servers, web servers, collaboration servers, etc.)

The Purchase College Privacy Policy:

For college email, personal home directories, and information stored on desktop or laptop computers, tablets, mobile devices, and servers, the contents of each individual’s email account, personal home directory, server directory, desktop or laptop drives or mobile storage devices are considered to be for college business purposes. However, the materials contained therein will only be accessed by the college under specific circumstances—and with explicit written approval from a minimum of two of the following:

  • President

  • Vice Presidents

  • SUNY Legal Counsel

Supervisors seeking access to departed employee materials must obtain approval as noted above.  

Process:

Approval: Specific written approval will include: written justification for accessing the materials, the name of the individual whose materials will be accessed, the location of the materials to be accessed, who they are to be accessed by, and a time period for access sufficient to achieve the stated goal (locating messages, files, or other materials).

This written approval must be provided to the Director of CTS/ISO. In emergency circumstances (electronic intrusion, malware, etc.) verbal approval may be granted, but specific written authorization must be provided as soon as is practical. Without written approval as described, no college employee may access any other individual’s electronic materials for any reason—and any such access will be considered a violation of the college’s computer ethics policy.

Procedure: Upon receipt of written approval from two or more college officers to access an individual’s materials, CTS information security staff will notify the director of Human Resources (HR) to arrange supervised access to the materials, and secure an electronic copy of the materials in question for the supervised review.  Human Resources will then arrange a time and location for the supervised review. During the supervised review, a senior Human Resources staff member will be present to supervise the review, and CTS information security staff may be present to provide any needed assistance in accessing the materials. In cases where large volumes of material are subject to review, HR, CTS, and the reviewer may convene more than once during the stated review period. The duration of the period for which access is to be granted must be reasonable and will not be open ended.

Justification:

Written approval to access electronic materials will only be granted in cases where:

  • There is an open and active Human Resources investigation

  • There is an open and active law enforcement investigation

  • There is reasonable cause to believe that the computing resource is being used in violation of the college’s computer ethics policy, a contractual obligation, or state or federal law.

  • The individual is not available to grant access due to illness or extended absence and there is a demonstrable business need to access materials believed to be in their possession

Exclusions:

  • This policy specifically does not cover information stored in collaborative or departmental file share folders that are normally used as repositories for shared materials—even if that departmental file share contains a subfolder that may be in an individual’s name. Collaborative file sharing folders are specifically set up to be used to store shared documents, and unit supervisors routinely have access to all materials stored in departmental file-share folders. Supervisors and employees should take note that departmental file-share folders are the preferred storage method for official college-related business. Employees should be strongly discouraged from storing official college-related business (memos, reports, policies, spreadsheets, or official correspondence) in any place other than a departmental file-share folder. Likewise, employees should be strongly discouraged from storing materials they consider personal or private in any shared file folders.

  • Similarly, this policy does not cover course-related file shares, drop boxes, or other shared resources that are specifically set up for classes or instructors. Materials placed into academic shared resources are not considered private, and the instructor will routinely have access to these materials.

Contact
For questions regarding this Email and Computer Privacy Policy, please contact:

Kathleen Farrell
Director of Human Resources
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
Kathleen.Farrell@purchase.edu

Ricardo Espinales
Assistant Director of Human Resources
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
Ricardo.Espinales@purchase.edu

Bill Junor
Director of CTS/Information Security Officer
Purchase College
735 Anderson Hill Road
Purchase, NY 10577
bill.junor@purchase.edu

Purchase Cyber Security

USE A STRONG PASSWORD OR A PASSPHRASE AND NEVER SHARE IT WITH ANYONE

• Use a strong password for all of your accounts: a mix of upper and lowercase letters, numbers and special characters, at least 8 characters long. Review the College’s Password Policy and complexity requirements.

• Never reuse passwords for different accounts.
• On your home computer, turn OFF the guest account - or limit access privileges for that account.

• NEVER write a password down, and NEVER share it with anyone. Purchase College will never ask you to verify your credentials or your password. Your password is your identity, and should never be shared with anyone for any reason.

 

NEVER LEAVE MY COMPUTER UNATTENDED IN PUBLIC LOCATIONS

• While security cable locks may serve as a theft deterrent, many have been shown to be ineffective against a determined thief.

• Never leave your computer unattended.

• If you need to leave your computer unattended in your car, place it in the trunk or in some location where it is not visible to a passerby.

• Use anti-theft software on laptops and mobile devices to help protect your data in the event of a theft.

 

KEEP MY COMPUTER’S SOFTWARE UP-TO-DATE

• Configure your computer to download and install system and application updates automatically. Due to the number of patches, it is quite cumbersome to manage patches manually.

• Patch software on your personal computer and check whether you are running the latest version of your browser and browser plug-ins like Java and Adobe Reader.

 

SAFEGUARD MY COMPUTER WITH ANTIVIRUS SOFTWARE AND A PERSONAL FIREWALL

• Configure your computer’s antivirus software to update automatically every day. New viruses are being discovered on a regular basis, which puts your computer and information at risk if the antivirus on your computer is not updated regularly.

• Most operating systems, including Windows and Macintosh OS X, have firewall software built in. Check to ensure that this software is enabled. This will help stop attempts to break into your computer.

 

SAFEGUARD PURCHASE COLLEGE DATA, SUNY DATA, AND MY OWN PERSONAL DATA

• Do not store sensitive data on CDs, DVDs, USB thumb drives, and other types of removable media that can be easily misplaced or stolen. If storing sensitive data on such media is necessary, make sure that the data is encrypted.

• Be familiar with the College and SUNY policies regarding Use of IT Resources, acceptable and unacceptable uses and email guidelines. See Computer Ethics and Usage Policy.

• Perform regular backups of your data.

 

THINK BEFORE I CLICK

• Never open unexpected email attachments. If in doubt, verify authenticity by phone or email before opening the message or the attachment.

• Don’t get lured in by phishing emails. Learn how to recognize telltale signs of phishing emails.

• When in doubt, ask someone at CTS whether the message is a phishing attempt, or a legitimate message.

• Take the Phishing test, and see how you fare.

 

USE CAUTION WHEN DEALING WITH EMAIL AND OTHER FORMS OF ELECTRONIC COMMUNICATION

• Avoid transmitting sensitive data via email and other insecure means of communication. If it is necessary to send sensitive data via insecure means, ensure that the data is encrypted.

• Never provide your password or other sensitive information in an email or in a response to an email.  A request to do so is likely to be a phishing attempt.

 

TREAT MY MOBILE DEVICE LIKE ANY OTHER COMPUTER

• Smart phones, tablets, and other mobile devices are just small computers - and they suffer the same security issues as traditional computers. Your pledge to maintain cyber security applies to mobile devices and tablets too.

• Configure a password or passcode on your device.

• Install antivirus software and a firewall, if available.

• Ensure that you’re running the latest version of your device’s operating system.

• Ensure that you’re running the latest version of any applications installed on your mobile device.

• Disable or uninstall applications that you don’t use.

• Disable wireless and Bluetooth if not in use.

• Enable encryption mechanisms, if available.

• Regularly back up any data on your mobile device.

• Follow secure mobile device disposal practices.

 

REPORT SUSPECTED SECURITY CONCERNS IMMEDIATELY

• If you suspect your computer has been compromised, contact the CTS Help Desk at 914-251-6465 or email us at helpdesk@purchase.edu.

• If you suspect any other type of breach in the security of Purchase College Computing resources, contact the University Police at 914-251-6911.

 

HELP PROMOTE CYBERSECURITY AWARENESS

• Share the Cybersecurity Pledge with your friends and colleagues.

• Raise awareness of good security practices among your friends and colleagues, and keep an eye out for poor security practices (e.g. a password written on a sticky note and in plain sight, a computer left unattended in a public location, etc.).

• Do your best to assist your friends and colleagues with cybersecurity, and know where to direct them if you’re unable to assist.

• Protect yourself from identity theft and learn what to do if your information is compromised.

 

The computer settings mentioned in this document are the standard configuration for Purchase College-provided desktops and laptops, and many of these settings are not subject to change by anyone outside of CTS.

 

Check your home computer to ensure that it also contains similar anti-malware software and configuration settings, and use STRONG passwords or passphrases for ALL of your online accounts.

 

CYBERSECURITY QUESTIONS?

We encourage you to contact CTS if you have any cybersecurity questions. You can reach us by phone at 914-251-6465, by email at helpdesk@purchase.edu, or through a Work Order.

 

Campus Technology Services

Purchase College, SUNY

Tel 914.251.6465

helpdesk@purchase.edu

Work Orders

Record Retention Policies

In 2010, SUNY issued new regulations regarding records retention. This policy revision is the first since 1977, and is intended, in part, to address the storage and retention of electronic records.

NYS and SUNY require all campuses to adhere to these record retention policies, and plan to conduct random audits to ensure each campus is compliant. These policies cover all records stored in any format (paper and electronic).

In addition, the College is now required to submit annual verification confirming the appropriate retention and destruction of records by all departments.

Please review these policies on records retention via the links below.

**2010 SUNY Records Retention Policy**

**New York State Record Retention Policy**

Joseph Kyambadde serves as the College’s Records Management Officer. If you have questions specific to your area, feel free to contact Joe at Joseph.Kyambadde@purchase.edu,

 

Remote Assistance - Remote Desktop Information and Policy

Remote Assistance: Remote assistance allows a CTS technician to connect to a user’s computer remotely for the purpose of providing technical support and resolving issues. The CTS technician gains remote access after the user gives authorization via a connect invitation sent through a messenger screen. Remote assistance is provided while the user is present at their computer, and both user and CTS technician can control the mouse and view what’s being done. Once remote assistance has been provided, the CTS technician ends the session and disconnects from the user’s computer.

Remote Desktop: Remote desktop is performed after hours when the user is not present at their computer. The user or department head must give advance authorization which would be noted in the work order along with the service call date and time. The computer should be logged off but not shut down during the time of the scheduled service call for remote desktop to work. The CTS technician can then connect to the computer to perform the scheduled service. Once the service call is completed, the CTS technician ends the session and disconnects from the user’s computer.


Remote Assistance/Remote Desktop Policy
1. CTS technicians are not permitted to perform remote assistance/remote desktop without authorization from the user or department head.
2. User authorization for remote assistance/remote desktop is given via connect invitation message (for remote assistance) or verbal authorization as noted in the work order (for remote desktop).
3. CTS provides remote assistance/remote desktop services only to Purchase College owned computers that are on campus and connected to the Purchase College network.
4. The CTS technician will disconnect from the user’s computer once technical support has been provided and the remote session has been completed.

ResNet Wi-Fi Services Policy


If you live in any campus housing facility, your residence complex already has Wi-Fi service. Installing personally owned Wi-Fi routers is prohibited since they may interfere with college provided Wi-Fi services.

All of your devices must be registered for campus Wi-Fi service. “Devices” include smart phones, tablets, laptops, game consoles, etc.

Unregistered devices that attempt to connect will be denied service.

To register devices go to https://connect.purchase.edu. 

We will do our best to help everyone with Wi-Fi service, but there can be no guarantee regarding speeds over wireless due to the nature of Wi-Fi service. 

Please remember that all residential rooms contain wired internet ports which provide 100 Mbps service, which is faster than Wi-Fi and is not shared or subject to interference.

 

 

Security Awareness Training

How safe do you think you are online? While we all think we’re being careful, too many members of our campus community fall victim to phishing or malware infection - over 100 in the last year. It can happen to any of us – and it does with depressing regularity.

The security and privacy of our online information is under greater threat than ever before. It is our individual and collective responsibility to safeguard our faculty, staff, and students’ personal, private and sensitive information that is contained in Purchase College computer systems.     

To comply with SUNY and New York State mandates that every employee undergo annual Security Awareness training, we are using the SANS “Securing the Human” online training program. 

This self-paced training is a collection of videos designed to improve awareness of the threats to information security, and to increase the likelihood that all of us will recognize those threats whenever and wherever we encounter them - online, on the phone, in person, or in the comfort of our homes.

The program includes a series of short 2 to 5 minute videos covering topics from why you are a target to how to spot phishing to how to properly secure your home computer and home network. Each video is followed by three multiple choice questions you answer to “Complete” that topic. Upon completion of all the topics, the system will issue you a Completion Certificate.

All employees were automatically enrolled in this system earlier this year. Please follow the link and access these training materials using your regular Purchase College credentials.

https://sso.securingthehuman.org/suny

Please make sure to visit the site regularly and make your way through all of the materials. Consider putting a recurring appointment in your calendar and spend 15 minutes on this each week. These training materials will be refreshed at the end of the calendar year, and a new cycle will begin.

The system tracks your progress through the materials. Our goal is 100% completion by all faculty and staff. If you pace yourself, it will be easy. But if you leave it all until the very end, it will be harder for you. In December we will be reporting to each of the Sector Officers on the progress of the folks in their areas. 

www.purchase.edu/CTS
914.251.6465

 

Purchase College, State University of New York
735 Anderson Hill Road, Purchase, NY 10577

Social Media Policy and Procedure

Purpose:

Purchase College, SUNY, encourages the appropriate use of social media as a method for communicating ideas and information, and as part of our educational mission.

This policy governs employees of Purchase College, specifically the behavior of individuals as they utilize a variety of social media technologies and is not limited to any specific media format.

Social Media Defined:

For the purpose of this policy, social media is defined as Web-based and mobile technologies that enable the exchange of user-generated content and conversation.

Policy:

  1. College-Related Social Media: Official Purchase College social media channels may allow members of the public to comment or react to posted content and information. Individuals, including employees of Purchase College acting in their personal capacity, may post or comment anonymously or identifiably. In general, Purchase College invites discussion of important ideas and issues through social media. However, Purchase College reserves the right to remove posts or comments that are obscene, defamatory, offensive, abusive, contain threats of violence, are spam or advertising, or are unrelated to the content or information. Purchase College also reserves the right to remove posts or comments that violate applicable laws including, but not limited to, copyright and trademark, or those that violate the use policies promulgated by the applicable social media provider.

  2. If authorized and in keeping with Purchase College policy, college departments may use social media to promote the educational mission of the college. Uses may include recruitment of new students, communications with accepted and registered students, fundraising and alumni relations.

  3. Departments may use the College’s name, address, telephone numbers and logo for social networking purposes.

  4. Departments must identify an individual faculty/staff member who will be responsible for the maintenance of social media sites.

  5. In any communications on social media, all faculty/staff must identify themselves by name and title with the College.

  6. In any use of social media, College departments, including all faculty/staff of such departments, shall not violate any laws and/or college policies including, but not limited to those regarding:

    1. Inappropriate language;

    2. Inappropriate pictures of any sort or kind;

    3. Posting or promoting illegal activity or proof of illegal activity;

    4. Harassing or discriminating against any person;

    5. Posting defaming comments or remarks against any person;

    6. Copyright and trademark.

    7. Posting any personal opinions of any sort or kind regarding the College without a disclaimer that such opinions are not the official position of the College and/or

    8. Posting unprofessional or rude comments, responses or postings of any sort or kind about the College or its employees.

Personal Social Media (using campus resources):

  1. Any use of or access to personal social media done during business hours on College computing and networking resources shall be consistent with the College’s Information Technology Resources Acceptable Use Policy, including personal incidental use.

  2. In any personal use of social media, the use of any College logos, trademarks, letterhead, pictures, address and/or telephone numbers is strictly prohibited.

  3. Do not use the College’s name to promote or endorse any product, cause or political party or candidate.

  4. The Official College website or College-sanctioned social media sites, College-wide or departmental, shall not include links to personal sites.

  5. College-issued email addresses should not be used for personal social media use.

  6. There is no right or expectation of privacy in the personal use of the College’s computing and networking resources.

  7. By using the College’s computing and networking resources, the faculty/staff member is consenting to monitoring of the use by the College without further notice to the faculty/staff member.

  8. In any personal use of social media, the user shall not violate any laws and/or college policies, including but not limited to those regarding:

    1. Inappropriate language;

    2. Inappropriate pictures of any sort or kind;

    3. Posting or promoting illegal activity or proof of illegal activity;

    4. Harassing or discriminating against any person;

    5. Posting defaming comments or remarks against any person;

    6. Copyright and trademark.

    7. Posting any personal opinions of any sort or kind regarding the College without a disclaimer that such opinions are not the official position of the College and/or

    8. Posting unprofessional or rude comments, responses or postings of any sort or kind about the College or its employees.

Personal Use of Social Media (using personal resources):

  1. While faculty/staff may identify themselves as an employee of the College, they should be clear that they are not representing the view of the College.

  2. The use of any College logos, trademarks, letterhead, pictures, address and/or telephone numbers is strictly prohibited.

  3. Do not use the College’s name to promote or endorse any product, cause or political party or candidate.

  4. The Official College website or College-sanctioned social media sites, College-wide or departmental, shall not include links to personal sites.

  5. College-issued email addresses should not be used for personal social media.

  6. If it is generally accessible, employers can look at social media sites.

  7. Individuals can be held liable for what they write online. Individuals have been held liable for commentary deemed to be proprietary, copyrighted, defamatory, libelous or obscene (as defined by the courts).

  8. Employees can be disciplined for content or images that are defamatory, pornographic, harassing, libelous, or otherwise in violation of the law and that impact work.

Guidance:

  1. Be responsible

  2. Be authentic, factual, respectful

  3. Be careful

  4. Avoid engaging in on-line disputes

  5. Add value

  6. Be explicit that your views are your own

  7. Keep work out of it

  8. Be cautious when engaging students through social media

Remember, the Internet is permanent; don’t write anything that you wouldn’t want to see attached to your name forever!

Sanctions:

Violations of this policy may result in disciplinary action in accordance with appropriate Agreements between the State of New York and the various bargaining units.

Procedures for Establishing and Using Purchase College Social Media Channels:

To post on behalf of a College office or department:

  1. Notify the Publications and Electronic Media Office - Departments or offices that have a social media page or would like to start one must contact the Publications and Electronic Media Office so the office can keep track of College-represented pages and link new pages to official social media pages.

  2. Have a backup administrator – Purchase College’s Web Communications Manager (in the Publications and Electronic Media Office) must have administrative rights to your social media content, in case of emergency or employee turnover.

  3. Have a plan - Develop a strategy for keeping information on social media sites up to date and interesting.

  4. Protect the institutional voice - Posts on social media sites should protect the College’s institutional voice by remaining professional in tone and in good taste.

Telephone Policy

The Telecommunications Office maintains the telephone services for the campus community, including desktop and residential telephones. There are no charges for on-campus telephone calls. For faculty and staff, the College funds telephone services centrally and there are no charge backs to individuals or departments for work related telephone calls.

Faculty and staff who make off-campus calls from their desktop telephones and receive a monthly statement must read and certify the “Acknowledgement of College Telephone Policy” on their monthly invoice.

Purchase College provides employees with the use of desk telephones for official College related business. Access to telephone services – and the type of service to be provided (Local, Tri-State, Regional) - is provided at the discretion of their unit supervisor. Outbound calls for desk telephones can be limited to on-campus calling only, local (NYC Metro area) calling only, and in appropriate cases, nationwide and international calling.

Business / Personal Calls Defined
Business calls are telephone calls that are necessary to accomplish your job or professional activities. A call home to communicate a change in the status of your State work schedule (e.g. that you must work late because of unscheduled overtime or offices are closing due to a blizzard) is also considered a business call. Any other call that is not related to your professional activities on behalf of Purchase College, local or long distance is considered to be a personal call.

New York State Executive Order #1, issued January 18th 2007: State telephones may not be used for non-governmental long-distance calls, other than toll-free calls, collect calls and calls billed to a personal account. State telephones may be used for incidental and necessary personal calls, limited in number and duration, which do not interfere with an employee’s public duties.

Faculty and staff who make off-campus calls from their desktop telephones must read and acknowledge the College Telephone Policy listed below. All College employees must review and certify their monthly statement.

This policy describes the assignment, use and management of desk and cell telephones by employees of Purchase College, State University of New York.

All College employees must read and certify the “Acknowledgement of Desktop and Cellular Telephone Policy” on their monthly statement. 

State Audit Procedures

Due diligence is required of all supervisors and employees to ensure that employees respect and adhere to these telephone policies and procedures. State auditors have identified telephone usage as an area of potential high risk / exposure. When State auditors perform reviews of Telecommunications equipment and telephone usage, they look for areas of abuse or misuse.

Included are calls made

1) After hours late night,

2) For long periods of time,

3) To high risk area codes, (Area Codes 900, 809, 284, etc.)

4) On weekends,

5) During holidays, and

6) To frequently called numbers for excessive periods of time.

Desktop Telephone Policy

All supervisors are responsible for monitoring telephone usage within their units. Supervisors shall determine what type of telephone access is required for each employee. Desktop telephone equipment will be provided by Campus Technology Services. Monthly statements for desktop phones are paid by the College, and an invoice will be sent to faculty/staff for review. The unit’s supervisor will have the ability to review usage and compliance within their unit where appropriate.

Unit supervisors are responsible for reviewing all statements and for ensuring that all invoices are certified for the desktop phone assigned to each employee. Supervisors are responsible for making sure that personnel within their unit are aware of and in compliance with this policy, and that actual telephone usage within their units falls within appropriate parameters. Each employee is responsible for reviewing his or her desktop telephone usage, and for reimbursing the College for personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3). The unit supervisor will monitor and correct excessive telephone usage - both in terms of financial expense and the amount of time spent on the phone.

I. Desktop Phone Reimbursements

All employees assigned a desktop telephone must review/certify their monthly invoice regardless of whether reimbursement is due or not [See Attachment C].

Pay Invoices by credit card online.

  1. Default is total amount due. Partial invoice payments are allowed, with any remaining balance carried forward to the next invoice.
  2. To pay an invoice, the TBS system asks for: Name on Card, Card #, Expiration Date (MM/YYYY), amount, zip code.
  3. To avoid processing credit card transactions for tiny amounts of money, if your balance due for a monthly invoice is less than $5.00, that balance due will be rolled forward to the next time a new invoice is generated.
  4. Payments are processed through a secure PCI-DSS Compliant 3rd party payment gateway – no credit card information is ever stored on any College servers.
  5. Once payment authorization is received, the invoice is marked paid.
  6. An email confirmation of payment is sent to faculty/staff.

Telephone Billing System (TBS)

The Telephone Billing System (TBS) is a self-service web application for faculty, staff, and rental clients who are receiving telephone service. The system allows you to review telephone usage, file the required monthly certification of work/personal calls, and pay personal telephone usage charges online.

For supervisors the system provides the ability to review usage and compliance within their unit.

The TBS system collects call detail data from our telephone system – the number called, date, time, call duration etc. and generates monthly telephone invoices for college employees and rental clients based on the telephone extensions assigned to them.

As each new monthly invoice is posted, an individual email notification will be sent to each faculty, staff, and rental client receiving telephone service from the College.

Faculty, staff, and rental clients can use the TBS to:

  • View paid and unpaid invoices
  • Review detailed call history by monthly invoice (Extension, day/time, # called, city, state, charge)
  • Complete the required monthly certification of personal/work-related calls (employees.)
  • For office phone extensions, a check box to identify personal/work is provided for each call.
  • For work-related calls, amount is subtracted from amount due.
  • Rental clients (including staff/faculty phones in residential apartments) do not have the option to declare work/personal calls, and are expected to pay the invoice in full.

Calling Cards

As an alternative to reimbursing the College for personal calls, we encourage employees to consider using their personal calling cards when they make personal calls. Whether you use a calling card or not, all employees are still required to certify their monthly statement [see Attachment C].

Desk Telephone Controls

To comply with State Regulations, the following controls have been implemented to guard against misuse of State telephones for non-State and personal calls.

  1. Each month, CTS sends a statement of local and long distance telephone calls, by extension, to faculty/staff at their Purchase email address. Supervisors are expected to review the statements of their staff, ensuring invoices are reviewed and certified for personal/business related telephone calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3).
  2. In addition, CTS monitors telephone activity reports for detection of abuse. If, in the monitoring process, conditions arise that cause concern, the Director of Campus Technology Services will bring the issue to the Unit Supervisor, suggesting that the Supervisor review the activity with the employee involved and ensure the College is reimbursed for personal phone calls as appropriate per Executive Order 1 (See P. 3).
  3. All telephone activity using desktop or College-owned cellular phones is subject to audit procedures at any time.
  4. All College employees must review their statement [Attachment C] each month to certify that the calls made were for official College business and that the charges are just and proper. The monthly statement must identify any personal phone calls that were made. To avoid processing credit card transactions for small amounts of money, if the balance due for a monthly invoice is less than $5.00, the balance due will be rolled forward to the next invoice. All charges include the actual cost of all personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3).

II. CTS handling of Telephone Reimbursements

Campus Technology Services will process telephone reimbursements as follows:

  1. Since individual College units are not charged for telephone usage, reimbursements for personal calls made using Desktop Telephones will be deposited into the CTS Telecommunications IFR account to offset the cost of providing telephone service to the campus.
  2. If it is a reimbursement for personal calls made on a College-owned Cellular Telephone which is paid by the unit through its procurement card, CTS and Purchasing will issue a quarterly “Refund of Appropriation” to credit the state or IFR account that the cell phone is charged against.

III. Cellular Telephone Policy

Purchase College recognizes that it is important for key service personnel and administrators to be available 24x7x365 so that they are accessible in the event of emergency, off-hours, or while they are working in the field.

Purchase College provides two options for employees who fall into that category:

  • Option 1: A College-owned cell phone charged to the Unit Supervisor’s Procurement Card
  • Option 2: A Quarterly reimbursement allowance to defray the ongoing cost of official College business calls made from a personally owned cell phone.

Quarterly-Cell-Reimbursement-Request

If a supervisor determines that an employee has a need for a cellular phone, the College encourages the use of Option 2, a reimbursement allowance. The College makes this recommendation due to the time involved in tracking personal calls, ensuring that monthly paperwork and reimbursements are submitted in a timely manner, and due to the overhead and audit requirements associated with College-owned phones.

Appropriate Use of Cell Phones

Cell phones should NOT be used as a replacement for a desktop telephone. Calls made using a cell phone are significantly more expensive than calls made using desktop land lines. Use a desktop phone whenever possible, and only use the cell phone when no desk telephone is available.

When you are trying to contact someone, call the desk telephone number first before resorting to the cell number.

Assigned cellular telephones should be used for official business-related activities. Personal use of an assigned unit shall be occasional, incidental, or for emergencies.

Each employee assigned a cellular telephone shall be primarily responsible for the security and maintenance of the unit, and must immediately report theft, loss or vandalism.

The responsibility for assigned cellular telephones cannot be transferred to another employee. When an employee to whom a cellular telephone has been assigned terminates employment, the unit must be returned to their supervisor in appropriate working condition, prior to the employee’s last day at work.

Cellular Telephone Use While Driving

It is illegal to operate a motor vehicle in New York State while using a cell phone without a hands-free device. New York State strongly encourages its employees not to use hand-held cellular telephones while driving a motor vehicle, and to use care while using any cellular telephone while driving.

Cell Phone Controls

Any employee assigned a College-owned cellular telephone or who receives a reimbursement allowance for his or her personal cell phone and who fails to comply with the State University’s desk/cellular telephone policy may have her or his privileges suspended or revoked and may be subject to disciplinary action.

  1. If it is determined that call volume does not warrant the expense of the cell phone, the unit supervisor may terminate the reimbursement authorization or ask the employee to return the College-owned phone at any time.
  2. If cellular telephone usage is extremely high and not due to excessive personal calls, their supervisor may contact the service provider and upgrade the service plan.
  3. Each College Officer/Supervisor must annually re-authorize all employees who are receiving a reimbursement allowance for a personally-owned cell phone. This reauthorization must accompany the supervisor’s estimated encumbrance for cell phone reimbursement allowances at the start of each fiscal year. (See P. 8)

College-Owned Cell Phone Inventory

The Director of CTS will maintain a current inventory of all College-owned cell phones. This inventory will include manufacturer, model, calling plan, telephone number, and the name of the employee to whom it is assigned.

Option 1: College-Owned Cellular Phones

The acquisition of cellular telephones and service plans shall be in accordance with the State University of New York Administrative Procedures Manual Item 300 Purchasing and Contract Procedures. The equipment and billing for cell phones will be charged to each unit’s procurement card.

Supervisors may request College-owned cellular telephones for specific employees where there is a demonstrable need for immediate or off-hours access. This is typically for service personnel who are in the field and away from their desk, on call during non-business hours, or for key supervisory personnel.

All requests for cell phones must be made and approved in writing by the sector Officer using the “Cell Phone Authorization Form” [See Attachment A]. The Cell Phone Authorization Form requires a brief justification for assignment of the instrument, specifies what type of service(s) are needed (Voice/text/data), the calling plan to be provided, and the type of cellular instrument to be provided.

An annual roster of campus cell phones will be provided to each College Officer for review. Each College Officer will review his or her roster periodically to ensure compliance with this policy.

To Obtain a College-owned Cellular Phone for an Employee

  1. The employee’s supervisor will submit a “College Cell Phone Authorization Form” [See Attachment A] to the appropriate College Officer, who must sign the form before a cellular phone can be purchased and assigned to the staff member.
  2. The College Officer will notify the requestor and CTS that an authorization for a cell phone or reimbursement allowance has been approved and to whom.
  3. The supervisor will contact CTS and provide their Procurement Card information to purchase the device and service plan. Since there are many different types of instruments available, the supervisor should also indicate how much they want to allow for the initial purchase of the instrument.

Billing for College-owned Cell Phones

Monthly bills for College-owned cellular phones will be automatically charged to each unit’s Procurement Card.

Verizon Wireless and Nextel Communications have set up Web sites for employees and their supervisors to review detailed monthly billing information. CTS will provide an ID/Password to each supervisor and employee for access to the appropriate Web site.

All employees with College-owned cellular phones and supervisors who authorize College-owned cellular phones for their employee(s) are required to review the monthly statements to ensure that the utilization is appropriate.

Employees with College-owned Cellular Phones must submit a Monthly College-Owned Cellular Telephone Usage Statement [Attachment D] to The Telecommunications Office SS0007 certifying that the calls made were for official College business and that the charges are just and proper. The monthly statement must identify any and all personal phone calls that were made using the cell phone, and the submittal must include a reimbursement to the College for personal calls as appropriate per the guidelines contained in Executive Order 1 (See P. 3) at a rate of $0.45 per minute.

Reimbursement checks should be made payable to “Purchase College, State University of New York” and forwarded to the CTS Office in the basement of the Social Science Building SS0025.

Please note that a Monthly College-Owned Cellular Telephone Usage Statement must be submitted whether any reimbursement is due or not.

Option 2: Quarterly Reimbursement Allowance for Personally-Owned Cell Phones

Supervisors may request that specific employees receive a monthly allowance for their personally owned cellular phones where there is a demonstrable need for immediate or off-hours access. This is typically for service personnel who are either on call during non-business hours, in the field and away from their desk, or for key supervisory personnel.

The personally-owned cell phone must be for the exclusive use of the employee, and in his or her possession at all times. Recognizing the prevalence of “Family Plans” that are often held in the name of a significant other, the personal account does not need to be in the employee’s name, as long as there is a cell phone instrument for her or his exclusive use.

Participants in the reimbursement allowance program will receive quarterly reimbursement checks through the Purchasing and Accounts Payable office. Participants must submit a copy of their monthly cell phone bill to the Purchasing Office to obtain their quarterly reimbursement allowance.

This submittal is the Personal Cell Telephone Reimbursement Request Form [Attachment E] along with the cover page of the monthly statements showing the employee’s name, phone number, and statement date. The submittal is intended to demonstrate that the individual still has the phone in active service; it does not need to (and should not) include the detailed call log portion of the monthly statement.

To obtain a Cell Phone Reimbursement Allowance for an employee

  1. Each fiscal year the employee’s supervisor will submit a “Cell Phone Reimbursement Allowance Request Form” [See Attachment B] specifying the services (Voice/Text/Data) for which the employee is to receive a reimbursement. The form must be approved and signed by the appropriate College Officer.
  2. The College Officer will notify the requesting supervisor that an authorization for a cell phone or reimbursement allowance has been approved and to whom.
  3. The supervisor will ask the employee to read and sign the ‘College Cellular Phone Use Policy.’ [Attachment B]
  4. At the start of each Fiscal Year, the unit supervisor will submit to the Purchasing Office:
    1. A Purchase Requisition for “Estimated Encumbrance for Cellular Telephone Services” to cover the cost of all cellular phone reimbursements for their unit.
    2. Attached to the Requisition must be a copy of the fully executed annual Personal Cell Telephone Reimbursement/Allowance Form for each employee who is authorized to receive a reimbursement.
  5. Supervisors are NOT expected to review monthly statements for employees who choose the Monthly Allowance option for a personally owned cellular phone. However, supervisors are expected to periodically assess whether the monthly allowance continues to be appropriate in each case where it is granted.

Obtaining Quarterly Reimbursement Allowance checks

The Purchasing and Accounts Payable Office will issue quarterly reimbursement checks (the maximum reimbursement frequency) for employees authorized to receive a cell phone allowance. Reimbursements will not be entertained for any statement submitted more than 12 months after the service was provided (the minimum reimbursement frequency).

To obtain a quarterly reimbursement, employees must submit a copy of the Personal Cell Telephone Reimbursement Request Form [Attachment E] to the Purchasing and Accounts Payable Office along with the cover page of each monthly cell phone statement showing the date of service, carrier, subscriber name, address, and cell phone number. Regardless of the amount due, the employee will receive the standard reimbursement rate authorized by their supervisor for each monthly cell phone bill that is submitted. The check will be made payable to the authorized employee and mailed to his or her home address.

Monthly Cellular Telephone Usage Statements are NOT required for employees using the Reimbursement Allowance Option. However, supervisors are encouraged to regularly assess whether reimbursement continues to be appropriate throughout the year and supervisors have the right to terminate reimbursement allowances at any time for any reason.

Acknowledgement of College Telephone Policy

Purchase College / State University of New York

Users of College-owned desk and cellular telephones must read, understand, and comply with the Purchase College State University of New York Desk and Cellular Telephone Policy. By using the telephone, you agree to comply with all rules, regulations, and policies of Purchase College and any applicable local, state, federal and international laws, guidelines, and regulations. This responsibility exists regardless of what monitoring mechanisms may be in place. Violation of these policies may lead to suspension, loss of service or privilege, and may lead to even more serious sanctions.

Do not consider desk or cellular telephone bills private or secure because the bill contains your name and billing address. Purchase College, State University of New York has the right to monitor telephone bills and usage to determine if misuse or abuse exists.

Users must review their desk and cellular telephone bills and remit reimbursements for any personal calls at the end of each quarter.

Payments [check or money order] made payable to Purchase College for desk/cellular telephone reimbursement should relate to the monthly period for which the reimbursement applies and should be accompanied by the Purchase College, State University of New York Desk/Cellular Telephone Monthly Reimbursement Report.

Desk or Cellular telephones may not be used to defame, harass, intimidate or threaten any other person(s).

Do not allow others to use your phone, as you will be ultimately responsible for payment of charges.

Agreement With Desk And Cell Telephone Policy

I HAVE READ AND UNDERSTAND THE PURCHASE COLLEGE DESK AND CELL TELEPHONE USE POLICY.

BY SIGNING THIS FORM, I AGREE TO ABIDE BY THE RULES, REGULATIONS, AND POLICIES SET FORTH THEREIN, AND TO ALL APPLICABLE INTERNATIONAL, FEDERAL, STATE, AND LOCAL LAWS. VIOLATION OF THESE POLICIES MAY LEAD TO SUSPENSION OR LOSS OF SERVICE OR OF PRIVILEGE, AND EVEN MORE SERIOUS SANCTIONS.

Printed Name : ______________________ Title:________________________

Department: _________________ Signature:___________________________

Date: _______________________

Submit this form to the CTS Office, Social Science Building

College-Owned Cellular Telephone Authorization Form

Purchase College / State University of New York

College-owned cellular phones should NOT be used as a replacement for a desktop telephone. Calls made using a cellular phone are significantly more expensive than calls made using desktop land lines. College-owned cellular phones are only to be assigned to employees where either:

  a) The employee must be accessible and normally works in the field and is not near a fixed land line
  b) The employee is engaged in providing a critical or emergency service for the College community and must be accessible at all times

I, __________________________ (Supervisor’s name) authorize _________________________ (Employee’s name) to receive a state-owned cellular telephone for their use in conducting official business for Purchase College. I have communicated the College’s policy governing the use of cellular telephones to him/her, and he/she has agreed to comply with the policy.

The employee has agreed to reimburse the College at the end of each month for any personal calls made using this cellular phone at the rate of $0.45 per minute whether those calls are within plan minutes or not.

The employee has acknowledged that failure to comply with these policies could result in the phone being revoked and other disciplinary measures.

Type of service to be provided (check all that apply): Voice ___ Text ___ Data ___

Type of calling plan: 200 minutes ___ 400 minutes ___

Type of Cellular instrument: Standard Phone ___ Blackberry___ Maximum cost:_________

Telephone number (or “NEW”): ____________

EMPLOYEE: I agree to abide by the Purchase College Desk / Cell Telephone Policy: _________________________________ (Employee signature date)

SUPERVISOR APPROVAL I approve the issuance of a Cell Telephone to the above employee: _________________________________ (Supervisor signature date)

COLLEGE OFFICER APPROVAL I approve the issuance of a Cell Telephone to the above employee: _________________________________ (College Officer’s signature date)

Submit this form to the Purchasing and Accounts Payable Office.

Personal Cellular Telephone Reimbursement/Allowance Form

Purchase College / State University of New York

Cellular phones should NOT be used as a replacement for a desktop telephone. Calls made using a cellular phone are significantly more expensive than calls made using desktop land lines. This Reimbursement/Allowance program should only be assigned to employees where either:

  c) The employee must be accessible and normally works in the field and is not near a fixed land line
  d) The employee is engaged in providing a critical or emergency service for the College community and must be accessible at all times

I, __________________________ (Supervisor’s name) authorize _________________________ (Employee’s name) to receive a quarterly reimbursement allowance for their personally-owned cellular phone for the period, __________________________ (Date range) that is to be used to conduct official business for Purchase College. I have communicated the College’s policy governing the use of Cell telephones to them, and they have agreed to comply with the policy.

The employee agrees to submit the cover pages of their monthly cellular telephone statements to the Purchasing and Accounts Payable Office to obtain his/her allowance reimbursement check on a quarterly basis.

The employee has acknowledged that failure to comply with Purchase College Telephone Policies could result in disciplinary measures.

—————————————————————————————————————————-

Type of service (check all that apply) :

___ Voice ($25/month) ___ Text ($10/month) ___ Data ($35/month)

Telephone number (or “NEW”): ____________

EMPLOYEE: I agree to abide by the Purchase College Desk / Cell Telephone Policy: _________________________________ (Employee signature date)

SUPERVISOR APPROVAL I approve the assignment of a reimbursement allowance to the above employee: ___________________________ (Supervisor signature date)

COLLEGE OFFICER APPROVAL I approve the assignment of a reimbursement allowance to the above employee: ____________________________ (College Officer’s signature date)

Submit this form to the Purchasing and Accounts Payable Office. 

Quarterly Desktop Telephone Usage Statement

Purchase College State University of New York

I. Instructions on Completing This Form: Please send this form at the end of each quarter to the CTS Office (Social Sciences Building SS0025) along with your credit card authorization, check or money order made payable to Purchase College for any personal calls.

NOTE: All employees must submit a quarterly report whether or not a reimbursement is due to Purchase College. If no reimbursement is due for personal calls made during the period (see P 3, Executive Order #1 for guidelines), insert a zero in item II.B. Thank you for your prompt attention to this matter.

I certify that:

  1. I have reviewed a copy of the desktop telephone bill for the period below to determine if any reimbursement is due for personal calls.
  2. The amounts represented on this report reflect reimbursement for personal calls.
  3. All calls not reimbursed are just and proper calls relating to official State University business.

Name: __________________________________

Department: ___________________________

Signature: _________________________

Date: ______________

 

II. DESKTOP TELEPHONE REIMBURSEMENT

| | (A) Phone Number | (B) Personal Calls Amount Due | (C) Period of Charges (e.g. Jan 2008) |
|---|---|---|---|
| 1. Desk Phone | | | |
| 2. Desk Phone | | | |
| 3. Desk Phone | | | |
| 4. Desk Phone | | | |

TOTAL REIMBURSEMENT ENCLOSED: _______________________

III. Payment Type: (Please Check One) CHECK / CASH / MONEY ORDER

CREDIT CARD AUTHORIZATION: (Please Check One) AMERICAN EXPRESS / DISCOVER / MASTERCARD / VISA

Credit Card Account Number: __________________________________________________

Expiration Date: __________/__________ (Month / Year)

Payment Amount: $_________________________

Name as it appears on the card: First ___________Initial _____Last___________________

Authorized Signature: _____________________________________

Date: _______________

Monthly College-Owned Cellular Telephone Usage Statement

Purchase College / State University of New York

I. Instructions on Completing This Form: Please send this form at the end of each month to the CTS Office (Social Sciences Building SS0025) along with your credit card authorization, check or money order made payable to Purchase College for any personal calls.

NOTE: You are to submit a report whether or not a reimbursement is due to Purchase College. If no personal calls were made during the period, insert a zero in item II.B. Thank you for your prompt attention to this matter.

I certify that:

  1. I have reviewed a copy of the cellular telephone bill for the period below to determine if any reimbursement is due for personal calls.
  2. The amounts represented on this report reflect reimbursement for personal calls.
  3. All calls not reimbursed are just and proper calls relating to official State University business.

Name: __________________________________

Department: ___________________________

Signature: _________________________

Date: ______________

Account No: ______________

II. CELLULAR TELEPHONE REIMBURSEMENT

| | (A) Phone Number | (B) Personal Calls Amount Due | (C) Period of Charges (e.g. Jan 2008) |
|---|---|---|---|
| 1. Cellular Phone | | | |
| 2. Cellular Phone | | | |
| 3. Cellular Phone | | | |
| 4. Cellular Phone | | | |

TOTAL REIMBURSEMENT ENCLOSED: _______________________

III. Payment Type: (Please Check One) CHECK / CASH / MONEY ORDER

CREDIT CARD AUTHORIZATION: (Please Check One) AMERICAN EXPRESS / DISCOVER / MASTERCARD / VISA

Credit Card Account Number: __________________________________________________

Expiration Date: __________/__________ (Month / Year)

Payment Amount: $_________________________

Name as it appears on the card: First ___________Initial _____Last___________________

Authorized Signature: _____________________________________

Date: _______________

Quarterly Personal Cell Telephone Reimbursement Request Form

Purchase College / State University of New York

Cell phones should NOT be used as a replacement for a desktop telephone. Calls made using a cell phone are significantly more expensive than calls made using desktop land lines. This reimbursement allowance program should only be assigned to employees where either:

  e) The employee must be accessible and normally works in the field and is not near a fixed land line
  f) The employee is engaged in providing a critical or emergency service for the College community and must be accessible at all times

My signature below certifies that this Reimbursement Allowance is for conducting official business on behalf of Purchase College, and that I have read and agree to comply with the College’s policy governing the use of cellular telephones.

I, __________________________ (Employee’s name) request reimbursement for use of my personally owned cellular phone # ______________________________ (Cell Phone Number)

For the period ______________________________ (Date Range)

on _____________. (Today’s Date)

I have attached the cover page for each monthly cellular telephone statement showing the date of service, carrier, subscriber name and address, and cell phone number.

I understand that I will be reimbursed at the standard allowance rate for each approved service type that was in effect at the time that the service was provided.

Submit this form to the Purchasing and Accounts Payable Office.

Purchasing and Accounts Payable Review

I have reviewed the authorization documentation on file and the attached submittal and approve the issuance of a Reimbursement Allowance Check to the above employee:

___________________________ (PAP Reviewer’s signature date)

Telephone Usage Refund Policy

All telephone bills are reviewed for accuracy before they are sent to departments, residents and renters. If you find an error on your bill, please contact CTS at (914) 251-6465 as soon as possible! You must report the call(s) in question BEFORE payment is submitted. Once an error is reported, CTS will check the call against our long distance carrier bills in order to validate the claim.

For international and domestic calls of 1 minute or less, a credit can be applied immediately. Calls over 1 minute must be checked against the bill of the carrier to assess whether or not the call was completed. If it is confirmed that the call was completed, the charge will remain on the bill.

If your PIN has been lost or stolen, or unauthorized calls are being made from your office phone, you must report this to CTS. You are responsible for all calls made before you reported your PIN or unauthorized calls to CTS. In such cases, if you wish to dispute the charges, you MUST file a report with University Police. Otherwise, you will still be responsible for additional calls made with your PIN or from your office phone. CTS will cooperate with University Police and provide any information they need for their investigation.

Please note that refunds will appear as a credit to the account. A refund check will be issued only if service has been terminated or you are no longer employed by the College.

Vendor Nondisclosure Agreement

This is a Nondisclosure Agreement made as of _______________________ (“Effective Date”) between State University of New York College at Purchase, an educational corporation organized and existing under the New York State Education Law, hereinafter referred to as “Purchase College, SUNY, a New York State Public higher education institution with its principal place of business at 735 Anderson Hill Road, Purchase NY 10577, and _______________ (“Company”), a ______________ corporation with its principal place of business at _______________________________________________________<address> for the purpose of protecting and preserving the confidential and/or proprietary nature of information to be disclosed or made available by Purchase College to the Company under this Agreement.  For purposes of this Agreement Purchase College and Company are sometimes collectively referred to as the “Parties” and individually referred to as a “Party”.  As used herein, “Recipient” shall mean the Party who has been given “Confidential Information” (as hereinafter defined) by and of the other Party.  Discloser shall mean the Party who gives Confidential Information to the other Party.

 

  1. The Parties agree to use the Confidential Information received hereunder solely for the purpose of performing the service or services for which the Company and Purchase College have made an agreement (“Purpose”), and only to the extent necessary for the stated Purpose. The Recipient agrees that it will not provide Confidential Information to any third parties or business partners without prior written agreement from Purchase College.

  2. “Confidential Information” means any business and/or personally identifiable information  relating to Purchase College’s students, employees or other parties contained in files or storage systems to which the Company will be provided access by Purchase College.

  3. “Confidential Information” shall include, without limitation, printed or electronically recorded matter, personally identifiable information, customer and employee information, business information, and other information of a non-public nature. Confidential Information also includes information generated as a result of the activities of the parties hereunder, and information whether disclosed in writing or orally, that is marked “confidential” or should be deemed by its nature to be confidential. 

  4. All Confidential Information shall remain the property of Purchase College. No rights or license therein is granted except a limited right to use the Confidential Information solely for the Purpose.

  5. The Company agrees that for Confidential Information it shall use the same degree of care and means it utilizes to protect its own information of a similar nature, but in any event not less than reasonable care and means, to prevent unauthorized use or disclosure of such Confidential Information to third parties. The Confidential Information may be disclosed only to employees or contractors of the Recipient with a “need to know” who are subject to written confidentiality agreements sufficient to carry out the intent of this Agreement. 

  6. This Agreement shall be effective on the date of its full execution by the Parties. Upon request of Purchase College, the Company shall promptly return all copies of the Confidential Information, in whatever form or media, to Purchase College, or certify the destruction of all such Confidential Information.

  7. All notices shall be in writing and delivered by hand or sent by certified or registered mail, return receipt requested, or reputable overnight courier service to the above address of the other party, to the attention of the Recipient’s Legal Department unless otherwise directed in writing by Recipient, and shall be deemed received on the earlier of actual receipt or five days after deposit in the mail.

  8. If any of this Agreement is held to be unenforceable, such unenforceable part shall be deemed modified or eliminated to the extent necessary to make the remaining parts enforceable. Any waiver of a default in performance hereunder shall be deemed a waiver of the particular instance only and shall not be deemed consent to continuing default.

  9. Company agrees that there may not be an adequate remedy at law for any breach of the obligations hereunder and upon any such breach or any threat thereof by Company, Purchase College shall be entitled to seek appropriate equitable relief without necessity of posting bond, in addition to whatever other remedies it might be entitled

  10. This Agreement shall be governed by and construed in accordance with the laws of the state of New York, without regard to its conflict of law provisions. Neither Party may assign its rights or delegate its duties or obligations under this Agreement without the other Party’s prior written consent.  This Agreement constitutes the entire agreement of the Parties with respect to the subject matter and supersedes all prior agreements or understandings, written or oral, between the Parties with respect thereto.

 

      

IN WITNESS WHEREOF, the Parties have caused this Agreement to be signed by their duly authorized representatives.

 

Purchase College, SUNY

 

Signature: ____________________________

 

Name: _______________________________ _______________________________________

 

Title:  _________________________________

 

Date:___________________________________

Company_______________

 

Signature: ____________________________

 

Name: _______________________________ _______________________________________

 

Title:  _______________________________

 

Date:__________________________________

Web Content Management - Process and Training

Posting information to the Purchase College Website requires the association of your Purchase College credentials with specific groups and privileges in the website’s Content Management System (CMS).

If you are assigned as a content manager for a section of the website, or to post news and events: 

  • Full-time professional staff are recommended by their department head and approved by the sector vice president.

  • Student employees are “sponsored” by a full-time professional staff member, recommended by their department head, and approved by the sector vice president.

  • The vice president informs CCS Web Development of the employee’s approval.

  • The College will schedule a training session (1 hour) with the approved staff/student.

  • Training includes:

    1. Discussion of copyright infringement

    2. Discussion of Web accessibility

    3. Privacy of student data

    4. Sharing of account credentials is prohibited. Each user must be trained and given access individually.

    5. Sensitive or confidential State information must not be made available through a server that is available to a public network.

      Definition of sensitive information will be taken to mean information related to systems, structures, individuals and services essential to the security, government, or economy of the State, including:

      1. telecommunications (including voice and data transmission and the Internet);

      2. electrical power, gas and oil storage and transportation;

      3. banking and finance;

      4. water supply;

      5. emergency services (including medical, fire, and police services).

      Sensitive information includes, but is not limited to:

        1. data that identifies specific structural, operational, or technical information, such as: maps, mechanical or architectural drawings, floor plans, operational plans or procedures, or other detailed information relating to electric, natural gas, steam, water supplies, nuclear or telecommunications systems or infrastructure, including associated facilities;

        2. training and security procedures at sensitive facilities and locations;

        3. descriptions of technical processes and technical architecture;

        4. plans for disaster recovery and business continuity;

        5. inventory/depictions/photographs/locations of physical equipment, assets and infrastructure;

        6. reports, surveys, or audits that contain sensitive information; 

        7. other subjects and areas of relevant concern as determined by the state government entity.

Working in Residential Units on Campus

CTS Policy – Working in Residential Spaces

 

By Individual Appointment:

CTS support staff regularly visit residential spaces to perform service by appointment with the occupant. This occurs through regular service interactions when residents contact the Helpdesk.

Large-scale Project work:

For larger scale non-individual work involving an entire housing complex, the Residential License Agreement (pseudo-lease for occupants) specifically grants all college employees the right to work in residential spaces.

When working in non-individual residential spaces, CTS will:

  1. Notify Residents at least 24 hours in advance via email – stating that CTS employees and/or contractors will be working in the complex, stating a half-day window in which the work will occur.
  2. Affix service announcement hang-tag or notice to all individual rooms that will need to be entered in the course of the work – 24 hours in advance – stating the half-day window in which the work will occur.
  3. CTS staff and contractors will display identification in a prominent fashion - via College ID card on lanyard – or painted onto their forehead.
  4. When ready to enter the residence, CTS staff will knock and announce loudly. If there is no answer, the employee will key into the room – opening the door slightly – and announcing loudly again – “Name, from CTS, here to do xyz” – before physically entering the space.
  5. The “buddy system” will be employed – a minimum of two persons is required to enter a residential space. (i.e. One college employee and one contractor)
  6. CTS employees and Contractors will not move or handle any personal belongings for any reason. The specific location where work is to be done (i.e. the closet, north wall, etc.) will be identified in the work to be done notifications whenever possible, along with a request that residents clear personal belongings from that area. If personal belongings obstruct the area where work is to be performed, a note asking the belongings be removed will be left, and the work team will return at another time to complete the necessary work.
  7. Upon completion of the work, another hangtag/notice will be placed on the exterior of the residence door stating “CTS was here on 99/99/99 at TIME to perform task, which has now been completed” 


Workstation Administration Policy

The security and integrity of the college’s computer systems and data network is our collective responsibility. As we increasingly rely on electronic forms of communication and access to information, we must ensure its security and protect our network against ever more sophisticated threats. A single weak machine that is not adequately patched and maintained can wreak havoc with the college’s network, interfering with administrative operations and disrupting access for thousands of people on campus.

The machines in offices and computer labs throughout the campus are purchased and owned by the college. The college’s standard operating systems, Windows 7 and Windows 10, contain security features that require you to log on before you can use the machine. All software running on college-owned machines must be legally purchased and approved by CTS before installation. All college employees receive “User” accounts that allow them to run all software on the machines, but do not give them administrative rights to modify system settings or install other software. Secure administrative access to workstations is retained by CTS. The college is using Windows 7/Windows 10 and domain-wide Group Policy settings to centrally manage these machines and ensure that security patches are applied and that anti-virus profiles are up to date. Windows 7 also dramatically improves the Helpdesk’s ability to troubleshoot and repair problems remotely when you run into difficulty.

Please call the Helpdesk at 914-251-6465 if you have any questions or if you need assistance.
