Policies and Procedures
Appropriate Use & Security
University of North Dakota (UND) employees required to use personal mobile device(s) for university business purposes may receive a taxable technology allowance. In limited situations, the use of university-owned mobile devices may be authorized. UND utilizes state-identified mobile carriers for all university-owned mobile devices, and University departments may not separately enter into contracts for mobile devices and services.
All desktop and laptop computers owned by the University must have the most recent version of the University's standard endpoint security software installed and up-to-date. Exemptions to the policy must have the university Chief Information Officer’s approval.
University of North Dakota (UND) imaging systems must be compliant with State Board of Higher Education (SBHE), North Dakota University System (NDUS), and UND policies and procedures, as well as best practices for planning, implementing, and management of electronically stored information.
Users and/or local support providers of IT resources must report all IT incidents promptly and to the appropriate party or office. If necessary, local support providers are responsible for containing, eradicating, and restoring the compromised system.
North Dakota University System
The IT resources of the NDUS support the academic, research, instructional, outreach, and administrative activities of the University System and the use of these resources is a privilege extended to members of the NDUS community. This policy outlines the responsible and appropriate use of these IT resources.
The IT resources of the NDUS support the academic, research, instructional, outreach, and administrative activities of the University System. It is the responsibility of all entities under the State Board of Higher Education to provide these services in an efficient, cost-effective manner with a high level of quality of service.
The State Board of Higher Education Policy 120X.X requires the chancellor to adopt procedures for deploying and managing centralized IT services. It also requires the chancellor to adopt procedures for requesting waivers to these mandated services.
Any electronic data asset of the NDUS or Institution shall be classified as Public, Private or Confidential according to the standards.
This policy outlines the general rules and expectations governing the NDUS' rights to access data and its responsibilities to protect the data and privacy of its constituents.
To ensure the secure operation of endpoint (desktop and laptop) systems and applications.
Access to network resources should be authenticated and users should be accounted for with appropriate timestamps and IP addresses. Network access logs of users should be retained for no less than 30 days. Firewalls and/or access control lists should be used, when appropriate, to protect network resources and minimize propagation of viruses and worms.
Installations with computer and networking resources will implement reasonable security measures to protect the resources against natural disasters, environmental threats, accidents and deliberate attempts to damage the systems.
Systems administrators shall configure their servers based on the assumption that the network they are connected to is insecure. All unused services shall be disabled. Any access to a server other than a "public" server (i.e. public web server) shall be authenticated and access permissions based on minimal need. File access permissions shall be set to restrict access to confidential or sensitive data to authorized personnel only.
State & Federal
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
Any person that owns or licenses computerized data that includes personal information, shall disclose any breach of the security system following discovery or notification of the breach in the security of the data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition, any person that experiences a breach of the security system as provided in this section shall disclose to the attorney general by mail or electronic mail any breach of the security system which exceeds two hundred fifty individuals. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in section 51-30-04, or any measures necessary to determine the scope of the breach and to restore the integrity of the data system.
Website & Internet
All University of North Dakota courses will be required to have a corresponding Blackboard course site. The Blackboard site shall contain, at a minimum, the instructor contact information, the course syllabus, and the course grade book (if applicable to that course). Implementation of the requirement will proceed on a schedule agreed upon by the Provost and Chief Information Officer. Beginning in Fall 2011, access to all online content shall be through Blackboard. Faculty who continue to use other learning management systems or tools will establish access to the other system through Blackboard.
This policy applies to activities involving the download, upload, or distribution of copyright protected digital material in any fashion but not limited to electronic data, music, voice, video and software by University computer system users on University computer systems. This policy applies to all members of the UND community, and to any individual using the UND network.
Electronic mail or "email" is considered an official method for communication at UND because it delivers information in a convenient, timely, cost effective, and environmentally aware manner.
A University assigned student email account shall be the University's official means of communication with all students on the UND campus. The official email account will be provided in the und.edu or und.nodak.edu domain. Students can expect to receive official information regarding deadlines, policy/procedure changes, changes in degree requirements, special events, course schedule changes, regulatory changes, emergency notices, as well as other useful information from the Registrar, Office of Financial Aid, the Provost's Office, Dean of Students, the Graduate School and information from academic departments. Students are responsible for all information sent to them via the University assigned email account. If a student chooses to forward their University email account, he or she is responsible for all information, including attachments, sent to any other email account.
E-mail messages fall into two basic categories, record and non-record (transitory). E-mail messages are considered records when they are created or received in the transaction of official business. They must be retained as evidence of official policies, actions, decisions, or transactions. An example of an e-mail message that is considered to be a record would be the agenda of a meeting sent to the attendees of that meeting. The individual sending that message is considered to be the Office of Record, and must keep that record in accordance with stated retention periods outlined in the Records Retention Schedule. The recipients’ copies are not records, except where the sender is external to UND.
Non-record (or transitory) e-mail messages that have limited business value do not need to be retained and should be regularly deleted. An example of a non-record/transitory message is an e-mail that is received from an external listserv distribution list.
The University of North Dakota (UND/University) is responsible for its web content, therefore websites must adhere to University brand and Brand Standards. Academic, support, and affiliate websites must be constructed using the approved content management system (CMS) unless given an exemption by the vice president for university relations. All entities hosted on UND servers must adhere to all requirements in this policy.
North Dakota University System
Title II of the Digital Millennium Copyright Act (“DMCA”) of 1998 limits the liability of online service providers, such as the North Dakota University System (“NDUS”) and the Higher Education Computer Network (“HECN”) for certain copyright infringement liability if various procedures are followed. This policy is intended to take advantage of the liability protections in the DMCA. The NDUS and its member institutions respect the rights of holders of copyrights, their agents and representatives and will implement appropriate policies and procedures to support these rights without infringing on the legal use, by individuals, of those materials. Legal use can include, but is not limited to, ownership, license or permission, and fair use under the Federal Copyright Act. Employees and students need to be aware of the rights of copyright owners.
The Designated Agent to accept reports alleging copyright infringement by employees and students of the North Dakota University System institutions and offices, in accordance with the Digital Millennium Copyright Act, is:
North Dakota University System
4349 James Ray Drive Stop 7131
Grand Forks, ND 58202
State & Federal
Pursuant to CALEA, industry is generally responsible for setting CALEA standards and solutions. Unless a party files a special petition pursuant to CALEA section 107(b), the Commission does not get formally involved with the compliance standards development process. CALEA also does not provide for Commission review of manufacturer-developed solutions. Entities subject to CALEA are responsible for reviewing the Commission's regulations and analyzing how this regulation applies per their specific network architecture.
A telecommunications carrier may comply with CALEA in different ways. First, the carrier may develop its own compliance solution for its unique network. Second, the carrier may purchase a compliance solution from vendors, including the manufacturers of the equipment it is using to provide service. Third, the carrier may purchase a compliance solution from a trusted third party (TPP). See CALEA Second Report and Order at para. 26. To contact TPPs, carriers may conduct an Internet search using such key words as "CALEA compliance" and "CALEA compliance help," or any combination that will yield a display of TPPs.
The Digital Millennium Copyright Act (DMCA) was signed into law by President Clinton on October 28, 1998. The legislation implements two 1996 World Intellectual Property Organization (WIPO) treaties: the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. The DMCA also addresses a number of other significant copyright-related issues.
University of North Dakota computer purchases must use the University’s designated supplier(s) and conform to a set of University-specified models, and must adhere to the general procurement and technology policies and guidelines of the University. Computers must be requisitioned through the University’s procurement systems or the University Bookstore. Requests for exceptions in the purchase of computers shall be submitted to the Purchasing Office in accordance with approved procedures administered by the University Chief Information Officer.
All UND computers must be purchased on the UND Dell Premium page with exceptions noted below. These computers will have on-campus warranty service and replacement parts and swap-outs for preferred bundles.
The surplusing, transferring, trade-in, and disposal of computers can create information security risks for the University. These risks include, but are not limited to, the unauthorized release of confidential information, the violation of software license agreements, and the unauthorized disclosure of intellectual property that might be stored on the hard drives. This policy will outline the necessary requirements for individuals and departments to follow in order to limit these risks.
Software purchases of $5,000 or more require a Purchase Requisition (PR). All purchases of $5,000 or more will be reviewed by the Office of the CIO. Departments may purchase up to $5,000 on the University Purchasing Card or voucher without a PR if it meets the following criteria:
- Off-the-shelf or click-through application software with standard end user license agreements.
- Online resources (e.g. training, tutorials, reference collections) with standard end user license agreements.
- Support, upgrades and renewals of existing software.