University-Wide Policies & Procedures
As one of eight Indiana University campuses, IU Southeast follows central IU policies regarding the use of technology. These policies cover appropriate use of IU technology resources, servers, fair usage, mass e-mail, non-academic use, and more. A complete directory of policies can be found on the University Information Policy Office website.
For your convenience, here are some of the most commonly-referenced items:
Protecting Red-Hot Data: Safe Handling of Critical Information
IU’s Information Policy Office maintains a publication entitled “Protecting Red-Hot Data: A Guide to Safe Handling of Critical Information.” It is important to protect critical information and the provisions associated with the handling of such data.
The above-referenced publication defines critical information as data that requires special care and handling, especially when inappropriate handling of the information could result in:
- Criminal or civil penalties
- Identity theft or personal financial loss
- Invasion of privacy, and/or
- Unauthorized access to this type of information by an individual or many individuals
Critical information is considered “red-hot” data requiring the very highest level of protection. The following types of data are classified as “red-hot:”
- Social security numbers
- Credit card numbers
- Debit card numbers
- Bank account or other financial account numbers
- Driver’s license numbers
- State ID card numbers
- Student loan information
- Protected health information or individually identifiable health information relating to past, present, or future conditions, provisions of health care, and payment for the provisions of health care
- Foundation donor data
- Passwords, pass phrases, PIN numbers, security codes, and access codes
The University has very strict policies and procedures regarding the collection, storage, and transmission of “red-hot” data. The collection of such data requires approval, notification, and consent. After these conditions have been met, “red-hot” data in electronic format can only be stored on a secure file server. It cannot be stored on a desktop workstation, laptop, PDA, USB drive, flash drive, or any mobile/media device unless (a) the information is properly encrypted on the device and (b) you have received proper prior written approval confirming a critical business need to do so. You must use an approved encryption method when electronically transmitting “red-hot” data.
Paper records containing “red-hot” data must be kept in locked file cabinets/storage rooms or otherwise access controlled.
If you or your office handles critical information, please take time to review “Actions you can take to secure sensitive data”.
You may also contact the IT Support Center at (812) 941-2447 or firstname.lastname@example.org if you have any questions or need guidance regarding the collection, storage, or transmission of critical information.
IU Mobile Device Security Standard
Follow IU’s mobile device security standard, otherwise known as IT Policy 12.1. In summary, the policy states that all IU employees (faculty, staff, affiliates and student-workers) who use a mobile device, regardless of who owns the device, to access, store or manipulate institutional data, including accessing their IU email, must meet the following requirements on the mobile device:
- Require a minimum 4-character passcode using at least two unique characters;
- Require your device to auto lock after a maximum of 15 minutes of inactivity;
- Require your device to lockout or wipe after 10 incorrect access attempts.
Mobile devices should never be used to access, store, or manipulate critical information.
Employees must notify email@example.com if the device is lost, stolen or otherwise compromised. Additionally, the device must be wiped (i.e., factory reset) to ensure all data has been erased before transferring ownership (sales, trade-in, etc.).
You can view IT policy 12.1 in its entirety here.
You can get more information on IU’s classification levels of institutional data here.
If you have any questions, or would like assistance with device configuration, please contact the IT Support Center at (812) 941-2447 or firstname.lastname@example.org.
What To Do in the Event of Suspected Data Compromise, Loss, or Exposure
As you are already aware the university prohibits storing sensitive or confidential data on your electronic devices, as such laptop/notebook computers, personal digital assistants, smart phones, tablets, and other computing and communications devices. This includes information such as SSN’s, Driver’s License numbers, and Credit/Debit card information. You can find a more complete list here.
However, if you ever find yourself in a situation where one of your electronic devices has been lost, stolen, infected with a virus, or otherwise compromised—meaning accessed or inadvertently shared with unauthorized individuals—please take the following actions:
- DON’T PANIC
- If the suspected data compromise, loss, or exposure was on a computer, then stop working/using the computer
- DO NOT power it off. This action might delete evidence that may be critical to the incident.
- IMMEDIATELY CALL, no matter what time of day or night or weekday or weekend or holiday, until you get to a human. Try in this order:
- Administrative Offices of UITS at 941-2287 (M-F)
- Contact Support Center at 941-2447 (24x7)
- Southeast Operator and ask to speak with someone in UITS at 812-941-2000 (24x7)
- Provide the following:
- A description of the data that was suspected compromised, lost, or exposed
- The type of physical device that the data was accessed from (jump drive, computer etc.)
- Details such as what, where, when and how the suspected compromised, loss, or exposure of data occurred.
- We also recommend that you update your supervisor on the circumstances.
- Please do not discuss the incident with anyone until authorized to do so by the appropriate IU officials, which in most cases is the University Information Policy Office.
See Protecting Data for additional direction on the safe handling of Critical Information.
Curious if you have accidently stored critical data on your computer? Scan your computer now with Identity Finder.
Identity Finder is a tool to help prevent identity theft. It can search for, protect, and dispose of personal information stored on your computer, file shares, or external media. This information includes credit card numbers, bank account numbers, Social Security numbers, birthdates, passwords, driver's license numbers, addresses, passports, employee identification numbers, maiden names, or other data you determine.
NOTE: We will perform regular scans of our servers.
Please feel free to contact the IT Support Center at (812) 941-2447 or email@example.com with any questions you may have.
IU Southeast Local Policies & Procedures
While we follow central policies regarding the use of technology, there are some local policies developed by the IU Southeast administration. These were created to address local concerns and procedures.
Here are IU Southeast-specific policies:
IU Southeast Mass Email Procedures
Adopted April 1, 2019
Regardless of the purpose, if you are considering mass mailing, be sensitive to the fact that IU community members may not wish to receive unsolicited email that has nothing to do with their duties or mission at IU. The volume of spam is such that there simply is not time to deal with unnecessary email from IU senders as well.
Aside from alienating constituents from overuse of email accounts, all university emails sent to a group of recipients are subject to the FTC Can-Spam Act, which regulates numerous aspects of the messages and ability of recipients to opt out of further messaging. The Act imposes penalties up to $41,484 per email violation, potential imprisonment and potential suspension of the ability to send emails by the university.
You should use targeted methods to reach those who have a particular need to receive your communications (for example, targeted mailing lists, Salesforce, requests for information from your website), rather than using mass methods that may reach people who have nothing to do with your office or have no interest in your service.
At IU Southeast, mass email questions should be sent to the Director of Marketing & Communications or the Vice Chancellor of Advancement.
Mass Email: Any unsolicited email, or group of emails, sent to a significant fraction of any of the communities – faculty, students, or staff – of the IUS campus.
Mass emails sent to the officially administered mass email lists must directly relate to and facilitate the teaching and learning, research, or service missions of the University and must be relevant to the mailing list members. All mass emails that are sent to officially administered mass email lists must be approved by the appropriate University officers, as described below.
Outlook Email: Email composed and sent from the Microsoft Outlook client. Can be plain text or HTML. Anyone can create this and send if they have access to the “all” list or a targeted list of names.
Salesforce Email: Sent from the Salesforce CRM, email can be HTML text or formatted with graphics. Requires more lead time and only designated and trained individuals have access.
Officially Administered Mass Email Lists: Email distribution lists derived from the official IU database of faculty, students, and staff, often referred to as “all” lists, which are made available to the offices of the Chancellor, the Vice Chancellors, and selected departments such as Facility Operations and Human Resources.
Personal and Commercial Emails: Mass emails that are personal, political, or commercial in nature will not be distributed to the lists mentioned above unless they are in support of University business and have been approved following the procedures outline below.
Content and Format of Mass Emails
Mass emails sent to the lists described above should be concise and to the point and should make minimal use of embedded graphics and attachments. These emails must:
- Clearly identify the sending entity of the email (e.g., in the From: field)
- Clearly specify an email address to which replies can be sent (e.g., in the Reply To: field)—preferably an organizational, rather than a personal, email address
- Contain a meaningful description of the email (e.g., in the Subject: field)
- Mask the email addresses of the individual recipients of the mailing (e.g., in the BCC: field).
Outlook or Salesforce?
Reasons to use Outlook:
- On-campus recipients only
- Time-sensitive (Outlook is faster)
- Minimal images
(but not just an image without verbiage)
Reasons to use Salesforce:
- Unsolicited, external emails or approved combinations of internal and external recipients
- Message tracking analytics
- No attachments
- Newsletters and graphical content
Approvals Based On Audience
Requests for distribution of mass emails must be directed to the following officers, or their designees, depending on the largest intended audience of the electronic communication.
- Students—the Vice Chancellor of Student Affairs
- Faculty—the Executive Vice Chancellor for Academic Affairs
- Staff—the Vice Chancellor of Administrative Affairs
- All Campus (Faculty & Staff)—any of the Vice Chancellors
- Alumni—the Alumni Director
- Donors—Vice Chancellor of Advancement
These approvers must be contacted for both Outlook and Salesforce mass emails.
In addition, Human Resources, Facility Operations, University Police, and UITS all have access to “all” lists of faculty and staff for certain types of notifications.
Those individuals or groups desiring access to these lists must receive approval from the appropriate office.
- Lists provided through other sources cannot be used.
- Lists for faculty, staff and students are automatically kept up-to-date within IU systems.
- Current alumni lists must be requested from the Alumni Director. Allow up to ten business days for such lists to be compiled.
Contacts for Salesforce Emails
Requests for Salesforce emails should be submitted via web form here.
Other IU Policies Pertaining to Email
Inventory Procedures Governing Computer Equipment Assets
IU Southeast has strict procedures for tracking computer assets, which include desktop computers, laptops and tablets..
- All computer equipment moves must be performed by the UITS staff so that the records associated with this equipment inventory remain accurate. Requests for moves may be submitted via phone (941-2447), email (firstname.lastname@example.org) or web form (IT Support Request).
- Accounting Services at IU Southeast will no longer approve orders to purchase computer equipment without the approval and signoff of the UITS team. UITS will ensure that all future computer equipment orders are in compliance with the requirements spelled out in university policy. UITS can order the equipment on your behalf, inventory the equipment, and set it up. For more information on the policies, please see policies 12, 12.1 and 28 at the University Policy Office webpage.
What to do with Lost, Unusable or Unwanted USB Flash Drives
To protect our campus community from the risk of personal and institutional data theft, IU policy requires that we all follow these steps regarding USB flash drives:
- Any drive found around campus should be turned in to the University Police office, where it will be kept for 30 days to give the owner a chance to reclaim. After 30 days, the drive will be taken to IT and destroyed.
- Dead, broken or unwanted USB flash drives should be taken to the UITS Help Desk in US 212, where they will be destroyed. Do not simply throw them into the trash.
Instead of USB flash drives, IU recommends using Box cloud storage. Box provides unlimited no-cost storage space to every IU student, faculty or staff member, that is accessible from any web-enabled device. It is secure and, best of all, you can’t accidentally leave it behind!
To learn more about Box, see this Knowledge Base article, About Box at IU.
If you have questions about a USB flash drive please contact the Support Center at (812) 941-2447 or email@example.com.
Employee Cell Phone Policy
An Indiana University policy approved by the Board of Trustees (fiscal policy I–480), effective July 1st 2005, requires employees who have a university-provided cell phone, in many cases, to acquire personal cell phone service and arrange for university reimbursement. The new procedure will allow employees to select their cell phone carrier of choice.
IU Southeast will reimburse employees for one cell phone and an average amount of monthly service fees. Telephone Services will determine the average monthly service charge each year. Employees who carry a cell phone for university business will receive additional pay in this amount each month.
The following are excluded from this policy:
- Departmental Phones: A departmental phone is a shared phone that does not leave the campus and is turned in by each employee at the end of his/her shift. Departmental phones are not impacted by this policy.
- Two-Way Radio Phones: This includes communication devices where phone service is not enabled and only two-way radio function, or push-to-talk capabilities, are enabled.
The process to acquire reimbursement for cell phone service is as follow:
- Employee must complete a request for cell phone reimbursement form and route it to their department head. The Director of Accounting services will be copied on the request.
- Human Resources contacts employee to have condition contract signed. Route sheet and contract are filed in Human Resources.
- Employee obtains personal contract with vendor of choice and brings Department Head a copy of the receipt for hardware and service agreement.
- Department Head notifies Human Resources of total hardware amount and service agreement. Notification must include exact amount.
- Reimbursement is set up via E-Doc in the payroll system by Human Resources.
Before reimbursement is set up, employee must agree with all below conditions of reimbursement and sign condition contract.
Terms and Conditions
- For 2005 – 2006, the base reimbursement rate for cell phone service will be $39.99 per month, and base reimbursement rate for a Blackberry device will be $64.99 per month. Reimbursement will be grossed up to counter income tax effects. These amounts are reviewed annually.
- Base rates are for a standard cell phone and Blackberry services. Any additional features will be at the expense of employee unless the employee’s department head determines that a business need exists.
- In case of termination of employment for any reason, department will pay deactivation fee for cell phone contract if employee cancels plan within 30 days of termination of employment.
- Employee is required to acquire insurance for any assets related to plan. A base insurance rate of $5.99 will be reimbursed.
- If employee goes over allotted minutes of plan, reimbursement will be available if itemized bill is submitted and audited by department head.
- Upgrades of any assets related to phone will not be reimbursable to employee unless department head determines that a business need exists.
- Any damage to plan assets is not reimbursable unless department head determines extraordinary situation exists.
Email as an Official Means of Communication
Effective July 1, 2004, electronic mail (email) became an official means of communication with IU Southeast students. This campus policy is in accordance with the Indiana University Policy on Use of Email as Official Correspondence with Students adopted on December 10, 2003. Students benefit by receiving timely, accurate, and up-to-date communication about matters including, but not limited to:
- financial aid and scholarships
- billing notification
- university policy statements
- university services and events
- course information
- degree completion and/or graduation
- administrative actions
- academic calendar
To set up your email account, visit the Account Management website and follow the instructions on the screen. If you encounter any problems please visit the IT Help Desk in University Center 212, stop by the staffed Student Technology Centers in Crestview 112 or Knobview 207, or call the Support Center at 941-2447.
A student’s failure to receive or read official university communications sent to the student’s official email address does not absolve the student from knowing and complying with the content of the official communication.
The university provides a simple mechanism for students to forward email from the official university email address to another email address of the student’s choice at the Account Management website. Students who choose to have their IU Southeast email forwarded to another email address do so at their own risk. The University is not responsible for any difficulties that may occur in the proper or timely transmission of, or access to, email forwarded to an unofficial email address, and any such problems will not absolve a student of their responsibility to know and comply with the content of official email communications sent to the student’s official IU email address.
Students should check their university email accounts frequently.
Student Technology Fee Guidelines
The Student Technology Fee (STF) is used to directly support information technology services available to students. General purpose services are typically available to all students or support an important campus priority for undergraduates. These typically include the computers, networks, software, and staff support for undergraduates, regardless of their major, and provide the foundation upon which schools can build discipline-specific or unique, distinctive offerings.