Introduction: Rockhurst University recognizes the importance of implementing robust access controls to protect systems and data containing nonpublic personal information (NPI) and student educational records in compliance with applicable regulations, including the Gramm-Leach-Bliley Act (GLBA), Federal Trade Commission (FTC) Safeguard requirements, and the Family Educational Rights and Privacy Act (FERPA). This Access Control Policy outlines the principles and procedures for granting, modifying, and revoking access privileges based on job roles and responsibilities. Scope: This policy applies to all individuals and entities associated with Rockhurst University who require access to systems and data containing NPI and student educational records, including faculty, staff, students, contractors, and any external parties granted access to university systems or sensitive data. Policy Statement: Rockhurst University is committed to maintaining the confidentiality, integrity, and availability of NPI and student educational records by implementing access controls based on the principle of least privilege. Access privileges will be granted, modified, and revoked in accordance with individuals' job roles, responsibilities, and the need-to-know principle. Access Control Principles: The following principles guide the implementation of access controls: Least Privilege: Access privileges will be granted at the minimum level necessary to perform job functions effectively. Users will have access only to the resources required for their assigned duties. Role-Based Access Control (RBAC): Access privileges will be based on defined job roles and responsibilities. Roles will be clearly defined, and access rights associated with each role will be documented. Need-to-Know: Access to NPI and student educational records will be restricted to individuals who require access to fulfill their professional responsibilities. Separation of Duties: Where feasible, tasks and access privileges will be segregated among different individuals to prevent unauthorized activities and reduce the risk of errors or fraud. Account Provisioning and De-provisioning: Access privileges will be provisioned when individuals join the university or assume new roles and de-provisioned promptly upon termination of employment or change in job responsibilities. Access Control Procedures: The following procedures outline the process for granting, modifying, and revoking access privileges: Role Assignment: Job roles and responsibilities will be clearly defined, and access rights associated with each role will be documented. Access privileges will be granted based on an individual's assigned role and the need-to-know principle. Access Request and Approval: Individuals requiring access to systems and data containing NPI and student educational records will submit access requests to their supervisors or appropriate data custodians. Access requests will be reviewed and approved by authorized personnel based on the principle of least privilege and adherence to defined roles and responsibilities. Access Provisioning: Upon approval, access privileges will be provisioned by the designated administrators or IT personnel responsible for system and data management. Access privileges will be granted based on the defined roles and responsibilities of the individual. Access Modification: Access privileges may be modified based on changes in job roles, responsibilities, or the need-to-know principle. Access modification requests should follow the same request and approval process as access provisioning. Access Revocation: Access privileges will be promptly revoked upon termination of employment, change in job responsibilities, or as deemed necessary by authorized personnel. The revocation process will ensure the removal of access to systems and data containing NPI and student educational records. Access Review: Regular access reviews will be conducted to ensure that access privileges remain appropriate and necessary. Access reviews will be performed by authorized personnel to identify and address any excessive or outdated access privileges. Monitoring and Enforcement: Rockhurst University will implement monitoring mechanisms to detect unauthorized access attempts and violations of access control policies. Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or legal consequences. Training and Awareness: Rockhurst University will provide training and awareness programs to educate employees and relevant individuals about access control policies, procedures, and their responsibilities regarding NPI and student educational records. Policy Review and Updates: This Access Control Policy will be reviewed periodically to ensure its effectiveness and compliance with changing regulatory requirements. Updates will be made as necessary to address emerging risks and technological advancements.  By adhering to this Access Control Policy, Rockhurst University aims to safeguard NPI, student educational records, and maintain compliance with GLBA, FTC Safeguard, and FERPA regulations. Last Review Date 2024.06.12

Purpose: The purpose of this policy is to ensure that all students and employees of Rockhurst University are aware of and understand the policies governing the use of computer services provided by the University. The policy aims to promote responsible and ethical use of these services, protect the privacy and security of university data, and comply with relevant laws and regulations. Policy Statement: All students and employees of Rockhurst University must acknowledge that they have reviewed, understand, and accept all Computer Services policies as provided on the University Intranet page https://help.rockhurst.edu/support/solutions/17000022372. Failure to comply with any of these policies may result in disciplinary action, up to and including termination of employment or suspension or expulsion from the University. Scope: This policy applies to all students and employees of Rockhurst University who use or have access to computer services provided by the University, including but not limited to email, internet, software, hardware, and electronic data storage. Procedure: The Computer Services department shall maintain an up-to-date list of all policies governing the use of computer services provided by the University. All new students and employees shall receive a copy of the Computer Services policies as part of their orientation process. All existing students and employees shall be required to review and acknowledge their understanding and acceptance of the Computer Services policies on an annual basis through the University's online portal. The acknowledgement shall be recorded and maintained by the Computer Services department. Any violations of the Computer Services policies shall be reported to the appropriate authorities for investigation and disciplinary action. Policy Review: This policy shall be reviewed annually by the Computer Services department to ensure that it remains current and effective in addressing the University's computer services policies. Conclusion: By implementing this policy, Rockhurst University aims to promote responsible and ethical use of computer services provided by the University. The policy ensures that all students and employees are aware of and understand their obligations when using these services, and that they comply with relevant laws and regulations. Last Review Date 2024/04/10

Purpose: The purpose of this policy is to establish a framework for conducting an annual risk assessment at Rockhurst University to identify potential risks that could negatively impact the University's reputation, financial health, and operations. The policy aims to ensure that appropriate measures are taken to mitigate identified risks and to promote a culture of risk management throughout the University. Policy Statement: Rockhurst University shall conduct an annual risk assessment to identify potential risks that could negatively impact the University's reputation, financial health, and operations. The risk assessment shall be conducted by the Risk Management Office, in collaboration with other relevant departments and stakeholders, and shall cover all areas of the University's operations. Scope: This policy applies to all departments and units of Rockhurst University, including faculty, staff, students, and third-party contractors. Procedure: The Risk Management Office shall develop a risk assessment plan that outlines the scope, methodology, and timeline for conducting the assessment. The risk assessment plan shall be approved by the University's senior leadership team. The Risk Management Office shall identify and assess potential risks to the University, including but not limited to: Financial risks, such as budget shortfalls, investment losses, or fraud. Operational risks, such as disruptions to key services, information security breaches, or natural disasters. Reputational risks, such as negative publicity, damage to brand image, or non-compliance with legal and ethical standards. The Risk Management Office shall prioritize identified risks based on their likelihood and potential impact. The Risk Management Office shall develop a risk mitigation plan that outlines specific measures to be taken to reduce the likelihood and impact of identified risks. The Risk Management Office shall present the risk assessment findings and risk mitigation plan to the University's senior leadership team for review and approval. The Risk Management Office shall monitor and update the risk mitigation plan on an ongoing basis to ensure that identified risks are adequately addressed and that new risks are identified and assessed in a timely manner. The Risk Management Office shall provide regular reports to the University's senior leadership team and the Board of Trustees on the status of the risk assessment and risk mitigation efforts.    Policy Review: This policy shall be reviewed annually by the Risk Management Office in consultation with the University's senior leadership team to ensure that it remains current and effective in addressing the University's risk management needs. Conclusion: By implementing this policy, Rockhurst University aims to promote a culture of risk management that enables the University to identify potential risks and take appropriate measures to mitigate them. The policy ensures that the University's operations are resilient, sustainable, and aligned with its strategic goals and objectives. Last Review Date 2024/04/10

Introduction Purpose: This policy establishes guidelines for maintaining an application inventory at Rockhurst University to track essential vendor information, application details, data sources, security information, and contract-related information. Scope: This policy applies to all applications and vendors used by Rockhurst University. Application Inventory Management Centralized Inventory: Rockhurst University will maintain a centralized application inventory to track all applications used within the organization. Essential Vendor Information: The inventory will capture essential vendor information, including vendor name, contact details, and escalation points. Application Information Application Details: The inventory will include details about each application, such as the application name, version, purpose, and description. Hosting Information: Indicate whether each application is hosted at Rockhurst University or by the vendor. Criticality Assessment: Assign a criticality rating to each application based on its importance to Rockhurst University's operations and the potential impact of its unavailability. Upstream and Downstream Data Sources: Identify the upstream and downstream data sources and integration points for each application to ensure data flows are documented. Confidential Data Student Data (FERPA): Identify if the application stores or processes confidential student data protected by the Family Educational Rights and Privacy Act (FERPA). Employee Data (HIPAA and Others): Identify if the application stores or processes confidential employee data protected by regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or other applicable laws. Other Confidential Data: Identify any other types of confidential data, such as financial data or personally identifiable information (PII), that are stored or processed by the application. Security Information Access Controls: Document the access control mechanisms implemented by the application to ensure authorized access to university data. Encryption and Data Protection: Identify the encryption methods and data protection measures in place to safeguard sensitive information. Secure Data Transmission: Describe the protocols and encryption standards used for secure data transmission between the application and external systems. Security Incident Response: Document the application's incident response plan and procedures for addressing security incidents or breaches.   Contract-related Information Contract Term Dates: Record the start and end dates of the contract for each application. Renewal Dates: Capture the renewal dates of the contracts to ensure timely review and renegotiation, if necessary. Annual Maintenance Escalations: Document any annual maintenance escalations, such as cost increases or service level adjustments, to track changes in vendor terms. Recommended Fields for Vendor Inventory The following information should be captured for each vendor in the inventory: a. Vendor Name b. Vendor Contact Information (including primary point of contact) c. Vendor Escalation Points d. Vendor Certifications and Compliance (e.g., ISO, SOC, PCI DSS) e. Vendor Security Practices and Controls f. Vendor Financial Stability and Performance g. Vendor References and Client Testimonials h. Contractual Terms and Conditions i. Service Level Agreements (SLAs) j. Contractual Obligations for Data Confidentiality and Protection k. Vendor Insurance Coverage (e.g., cyber liability insurance) l. Vendor Incident Response and Business Continuity Plans m. Vendor Performance Metrics and Reporting n. Vendor Exit Strategy and Data Ownership Rights Compliance and Review Compliance with Policies and Regulations: Ensure that each application and vendor comply with relevant policies and regulations, such as data protection laws and industry standards. Regular Review: Conduct periodic reviews of the application inventory and vendor information to ensure accuracy, update vendor details, and capture any changes or additions. Training and Awareness Training Programs: Provide training programs to relevant staff members responsible for maintaining the application inventory and vendor management process. Awareness Campaigns: Conduct awareness campaigns to inform employees about the importance of maintaining an application inventory and adhering to vendor management practices. Compliance and Enforcement Non-Compliance: Non-compliance with this policy may result in corrective actions, including termination of contracts or legal actions if necessary. Policy Review: This policy will be periodically reviewed and updated to reflect changes in technology, regulations, and best practices. Note: This policy provides a general framework for maintaining an application inventory specific to Rockhurst University's requirements. It is advisable to consult with legal, security, and compliance professionals to customize the policy to the organization's specific needs and align it with relevant regulations and standards. Last Review Date 07/01/2024

Introduction Rockhurst University recognizes the value of utilizing personal devices to enhance educational and professional activities. This Bring Your Own Device (BYOD) policy outlines the guidelines and best practices for creating a secure and productive technology environment, while supporting the latest versions of Windows and Mac OS. Scope This policy is applicable to all students, faculty, staff, and affiliated individuals who wish to use personal devices, including laptops and mobile devices, on the university network and for university-related purposes. Eligibility All individuals must adhere to this policy when connecting personal devices to the university network. Technical support and assistance will be provided exclusively for devices running the following specified operating systems: Windows: Windows 10 version 1809 or newer, with automatic updates enabled until 10/14/2025. Windows 11 required on and atter 10/14/2025. Mac: macOS High Sierra, macOS Mojave, macOS Catalina, or newer. Devices operating on unsupported systems are welcome to connect to the university network but may not receive comprehensive technical support. Security Practices Up-to-date Operating System: Users must maintain an up-to-date operating system, ensuring regular installation of security patches and updates. Antivirus Software: Adequate antivirus software is mandatory to safeguard devices and the university network. For Windows: Windows Defender, which is included by default, is recommended for antivirus protection. For Mac: Users are advised to install Avast antivirus software. Network Access Wi-Fi Access: Devices can access the university's Wi-Fi network after successful registration via the designated device registration portal. Network Security: Before connecting to the university network, devices must have an updated firewall and active antivirus software. Data and Privacy Data Protection: Users are responsible for safeguarding both personal and university data on their devices. Whenever possible, university-related data should be stored on secure university servers. Data Backup: Regular data backups are strongly recommended to mitigate potential data loss. Data Sharing: Unauthorized sharing of sensitive university data is strictly prohibited. Software Usage Authorized Software: Users are allowed to install only authorized software and must adhere to all relevant licensing agreements. Software Updates: Regular software updates, including third-party applications, are crucial to maintaining security and functionality. Support and Assistance Limited Support: Technical support for personal devices will be provided to the best of the university's ability, with potential limitations on certain troubleshooting measures. University Resources: Users are encouraged to prioritize university-provided resources for critical tasks, ensuring optimal performance and security. Compliance and Enforcement 9.1. Non-Compliance: Violations of this policy may result in temporary or permanent suspension of network access. 9.2. Incident Reporting: Users must promptly report any security incidents, including device loss or theft, to the university's IT department. Review and Updates This BYOD policy will undergo annual review and will be revised as necessary to align with advancements in technology and security practices. Acknowledgment All users must acknowledge their comprehension of and agreement to adhere to this BYOD policy before connecting their devices to the university network. Through the implementation of this BYOD policy, Rockhurst University aims to foster a secure and efficient technology environment, supporting the latest Windows and Mac OS versions, and encouraging responsible device usage among its students, faculty, and staff. Last Review Date 12/13/2024

This policy applies to the acquisition and operation of all Rockhurst University owned cellular phones. Purpose The purpose of this Cell Phone Use Policy is to establish guidelines for the use and management of university-provided cell phones, service, or data plans at Rockhurst University. This policy outlines the circumstances under which the university will pay for such devices and services, ensuring that resources are allocated efficiently and in alignment with the essential job functions of employees. Scope This policy applies to all employees of Rockhurst University who are provided with university-paid cell phones, service or data plans, or pagers. Device and Service Eligibility Rockhurst University will only provide cell phones, service or data plans, or pagers on a limited basis. University-paid devices and services are granted under the following circumstances: On-call Employees: Employees who are required to be on-call, and whose essential job function necessitates immediate availability, may be eligible for a university-paid device or service plan. Public Safety: Employees who are considered key personnel for emergency or safety purposes may be eligible for a university-paid device or service plan. Medical Professionals: Employees in roles that require immediate response to medical emergencies may be eligible for a university-paid device or service plan. Work Location: Employees who perform a majority of their duties in the field where communication by other means is not available or is inefficient may be eligible for a university-paid device or service plan. Regulatory Requirements: Employees who are required by law or regulation to maintain constant communication for compliance or reporting purposes may be eligible for a university-paid device or service plan. The issuance of a cell phone will be requested by Vice President level authority or above via Computer Service Request ticket. Device and Service Responsibilities Employees who are provided with university-paid devices or service plans must use them responsibly and in accordance with the university's acceptable use policy. Devices and service plans are intended for university-related activities and communications. Personal use should be limited to reasonable and occasional use, and excessive personal use is discouraged. Lost or damaged devices must be reported to the university's IT department immediately. Employees are responsible for any non-warrantied replacement or repair costs. Employees leaving the university must return their devices and accessories to the university's IT department. A standard phone will be issued by the university. Any enhanced phones or features beyond the standard issue will be paid for by the employee. Should an employee leave the university and wish to keep the phone, payment for the remaining prorated value of the phone will be assessed by Computer Services. Device Security Employees with university-paid devices must implement security measures, such as password protection and encryption, to safeguard university data and communications. In the event of a lost or stolen device, employees should report it immediately to the IT department to initiate necessary security protocols. Monitoring and Compliance Rockhurst University reserves the right to monitor and review the use of university-provided devices and services to ensure compliance with this policy. Violation of this policy may result in disciplinary action, including the revocation of university-paid devices and service privileges. Policy Review This policy will be reviewed periodically and updated as necessary to reflect changes in technology, regulations, and university needs. Approval and Acknowledgment By accepting a university-paid device or service plan, employees acknowledge their understanding and agreement to comply with this Cell Phone Use Policy. Last Review Date 12/13/2024

Purpose: The purpose of this policy is to protect Rockhurst University's investment in classroom and other technology and to promote its responsible and appropriate use. This ensures technology remains functional, secure, and beneficial for enhancing educational and other event experiences. Policy: Ownership and Intended Use: All classroom and other technology equipment provided by Rockhurst University, including but not limited to computers, projectors, audio-visual systems, printers/copiers, and other technological devices, are the property of Rockhurst University. These resources are intended solely for educational and university-related purposes. Prohibited Actions: Tampering: Disabling, tampering with, or disconnecting any classroom or technology equipment is strictly prohibited. This includes unplugging, removing, or disabling any cables, cords, or devices. Damage or Disruption: Any intentional damage or disruption to equipment is a violation of this policy and may result in disciplinary action, including fines, suspension of technology privileges, or academic consequences. User Responsibilities: Proper Use: Users are expected to handle all equipment with care and use it exclusively for educational or university-approved purposes. Restoration: After use, users must return equipment to its original state. This includes shutting down devices, logging out of accounts, and ensuring items are returned to their proper locations. Software and Applications: Installing or downloading software, apps, updates, plugins, or extensions on university equipment is strictly prohibited without prior authorization from the IT department. Relocation of Equipment: Users are not permitted to move or relocate technology equipment without explicit approval from the Computer Services department. Event Responsibilities: Users are responsible for operating the equipment provided in the event space. Computer Services personnel will assist with initial setup and provide training on the equipment but are not responsible for managing events without prior planning and coordination. While Computer Services may support larger events, they are not expected to provide assistance for smaller classroom or conference room events. Event Recording- Rockhurst University provides multiple platforms for recording classes, meetings, and events, depending on the technology available in the room: Mediasite: Designed to capture audio, video, and presentation content, Mediasite automatically uploads recordings to a secure platform where they can be edited, managed, and accessed on demand. Events requiring Mediasite should be coordinated with Rockhurst’s eLearning department. Microsoft Teams: Records audio, video, and screen sharing during sessions, automatically saving the recording to Microsoft OneDrive or SharePoint for seamless access and sharing. Meeting organizers are responsible for initiating recordings and sharing them as needed. Zoom: Captures audio, video, and shared content during sessions, with flexible options to save recordings either locally or to the cloud for easy storage and sharing. Meeting organizers are responsible for initiating and distributing event recordings. Event and Meeting Management: User Responsibility: Anyone using Rockhurst University's technology is expected to take full responsibility for managing their presentation, audio, video, and event timing. Users must ensure all materials and media are prepared and functioning correctly before the event begins. Computer Services will meet with users upon request to provide training on using the technology in a meeting space. Computer Services Role: Computer Services personnel are not responsible for running meetings or managing event logistics. The event organizer is responsible for all aspects of event execution as outlined under "User Responsibility." For large events requiring Computer Services' involvement, the organizer must schedule a planning session and submit a detailed plan for approval. This plan should: Include a clear event schedule, with media requirements and timing. Outline specific responsibilities and tasks, including when they occur during the event. Adhere to best practices for event management and technology use. Facilities Coordination: Any issues related to non-technical aspects of meeting spaces, such as electrical power, seating, tables, or other furniture, must be coordinated with Facilities Management. Computer Services is not responsible for these requests. Reporting Issues: Users must report any issues, damage, or malfunctions immediately to Rockhurst University's Computer Services Help Desk. This includes hardware failures, software problems, or other issues affecting functionality or security. Consequences for Policy Violations: Violations of this policy may result in disciplinary action, including fines, suspension of technology privileges, or academic consequences. Repeat offenses may lead to further actions, including the loss of access to classroom technology and potential suspension or expulsion from the university. Conclusion: By adhering to this policy, all users contribute to maintaining functional and reliable classroom and other technology at Rockhurst University. Responsible use helps foster a positive learning environment and ensures long-term academic success. By using Rockhurst University's technology equipment, users acknowledge and agree to abide by this policy. Failure to comply may result in the loss of access to technology and further disciplinary action as outlined above. Last Review Date 12/10/2024

Summary Service Level Agreements (SLAs) for the Rockhurst University Computer Services reflect the needs and expectations of the university community, including students, faculty, and staff.  Computer Services personnel will make every effort to meet or beat these established guidelines. General Guidelines All tickets will be assigned by the Help Desk team within 8 business hours of receipt to the correct support team if the ticket cannot be immediately addressed by the Help Desk.  Each ticket will be acknowledged as received to the originating customer along with any additional information that may be needed to further clarify the nature of the problem. (A screenshot is extremely helpful) The Help Desk is expected to address all initial ticket requests related to PC imaging/issuance, general O365 issues, printer setup, account setup, VPN, password reset and general portal issues.   FreshService automation for the service catalog is to be owned and maintained by the Help Desk. After initial triage, remaining tickets are to be assigned as follows: Applications Development Argos Banner Data transfer between systems Distribution List automation   Ellucian portal Network Account Onboarding  Password reset Information Services: Audio Visual Badge Requests Broadcast Alerts Desktop Intranet Pages KnowBe4 Laptop Setups/Software Mac Devices Network Accounts (Students, Faculty, Staff) O365 Outlook PaperCut   Software Licensing SSO/MFA VPN Network & Telecommunications team Building access (Physical hardware) Campus Network Cell Phones File Shares OS Updates PC Image  Phone issues    Security cameras Server Infrastructure Software Updates Wi-Fi   Trouble Tickets   Response Time - The time taken to acknowledge a help desk ticket once reported. Critical Issues (e.g., system-wide outages, security breaches): Response Time: Within 15 minutes High Priority Issues (e.g., major application failures, significant impact on multiple users): Response Time: Within 1 business hour Medium Priority Issues (e.g., individual application issues, non-critical system errors): Response Time: Within 4 business hours Low Priority Issues (e.g., general inquiries, minor issues): Response Time: Within 1 business day Resolution Time - The time taken to resolve the reported issue. Critical Issues: Resolution Time: Within 4 hours or best effort High Priority Issues: Resolution Time: Within 1 business day Medium Priority Issues: Resolution Time: Within 3 business days Low Priority Issues: Resolution Time: Within 5 business days   Escalation Procedures - Clear guidelines on how and when issues should be escalated to higher levels of support. Critical Issues: Immediate escalation to CS management & CIO High Priority Issues: Escalation to next level after 1 hour without progress to CS management & CIO Medium Priority Issues: Escalation to next level after 4 hours without progress to CS management Low Priority Issues: Escalation to next level after 1 business day without progress to CS management    Network Account Issues Customers are encouraged to use the automated password reset tools available to the campus to expedite their network account lockout and password issues. Response Time - The time taken to acknowledge a help desk ticket related to network account issues.     Account Lockouts: Response Time: Within 15 minutes during business hours Password Resets: Response Time: Within 30 minutes during business hours New Account Setup: (Help Desk Ticket Required) Response Time: Within 1 business day Account Deactivation: (Help Desk Ticket Required) Response Time: Within 1 business day Other Account Issues: (Help Desk Ticket Required) Response Time: Within 4 hours Resolution Time - The time taken to resolve network account issues. Account Lockouts: Resolution Time: Within 30 minutes during business hours Password Resets: Resolution Time: Within 1 hour during business hours New Account Setup: (Help Desk Ticket Required) Resolution Time: Within 1 business day Account Deactivation: (Help Desk Ticket Required) Resolution Time: Within 1 business day Other Account Issues: (Help Desk Ticket Required) Resolution Time: Within 4 hours Escalation Procedures - Guidelines on how and when account issues should be escalated. Account Lockouts and Password Resets: Escalation after 30 minutes without resolution during business hours New Account Setup and Account Deactivation: Escalation after 4 hours without progress during business hours Other Account Issues: Escalation after 4 hours without progress during business hours   Customer Responsibilities for All Help Desk Tickets Providing Accurate Information: Clearly describe the problem or request. Include specific details such as error messages, screenshots, and steps taken prior to encountering the issue. Provide any relevant account information, such as username or ID number. Timely Submission: Submit the ticket as soon as the issue is noticed to prevent escalation or further complications. Categorizing the Issue: Select the appropriate category and priority level for the issue if options are provided, to ensure it is routed correctly. Availability for Follow-Up: Be available for any follow-up questions or clarifications from the Help Desk staff. Respond promptly to any requests for additional information or actions required on their part. Computer Services will reach out to you once the ticket is submitted.  If at any time during the life of the ticket there is no response from the customer after 3 attempts, the ticket will be closed, and the issue will be assumed to be resolved. Updating the Ticket: Update the ticket if there are any changes to the situation or if the problem is resolved before the Help Desk addresses it. Close the ticket or confirm resolution once the issue is resolved to satisfaction. Providing Feedback: Provide feedback on the service received, which can help improve future support processes.

Rockhurst University is committed to providing reliable, secured, and equitable access to and use of its computing, networking, telephone, and information resources. These resources are intended for the use of Rockhurst University students, faculty, staff, and administrators in support of the university’s missions of education and community service. University-owned or operated computing resources are provided for use by faculty, students, staff, and authorized associates of Rockhurst University. All faculty, students, staff, and associates are responsible for the use of Rockhurst computing resources in an effective, efficient, ethical, and lawful manner. Official Policy The following sections encompass the Rockhurst University Computer Use Policy: Security Confidentiality and Privacy Responsibilities of Users Acceptable Use Discipline and Sanctions Existing University Rules and Regulations Electronic Data Policy and Cloud Data Policy (Employees only) This Rockhurst University Computer Usage policy constitutes the university-wide policy for the institution’s computer data networks and the resources they make available, and any and all stand-alone computers that are owned and administered by Rockhurst University (“computing resource”). This policy is applicable to all students, faculty, staff and recognized organizations of Rockhurst University and all others who use or access the university computing resource. This policy reflects the ethical principles of the university community as embodied in the Statement of Mission and Values of Rockhurst and defines the privileges and responsibilities of use of the university computing environment. Computer use has become an integral part of many university activities. While much computing is now done on individual computers, most information and communications systems either reside on central computers or use networks. Distributed resources, such as computer labs, provide additional computing tools. Procedures for gaining access to and making optimum use of these resources, including the steps to be taken in lodging complaints, are available to users through the Computer Services Help Desk, located on the 4th floor of Conway Hall, Room 401, x4357 (HELP). Members of the university community who access or traverse non-university networks whether or not through the university computing resource must follow the policies of those non-university networks provided they are not in conflict with legal use, university mission and values, and this policy. The guidelines of the network traversed can usually be obtained from the network information center of the network traversed. Security Rockhurst University advises all users that any and all information entered into, stored, transmitted, or received via the university computing resource is not fully secure and, regarding non-university networks, the levels of obtainable security vary depending on the non-university network traversed. All users of electronic mail systems are advised that electronic mail in its present form cannot be secured and is extremely vulnerable to unauthorized access and modification. Information on methods available for protecting information on the university computing resource from loss, tampering, unauthorized search, or other access is available from the Computer Services Help Desk, located on the 4th floor of Conway Hall, Room 401, x4357. Information on methods available for protection on a non-university network is often available from the information center of the network traversed. Confidentiality and Privacy General Users are advised that the university does not guarantee the confidentiality or privacy of any information entered into, stored, transmitted, or received via the university computing resource. There is no expectation of privacy in any information or data entered into, stored, transmitted, or received via the computing resource. The university may access, search, view, retrieve, modify, or print information or data entered into, stored, transmitted, or received on the computing resource in connection with, among other things, the following: Maintenance or improvement of computing resources. Monitoring of the computing resource for viruses and other destructive computer programs. Any work-related purpose. Investigation of violation of university policy. Investigation by authorized law enforcement or other federal, state, or local agencies. Where otherwise required by law. In general, requests for disclosure of information entered into, stored, transmitted, or received on the computing resource will be honored only under one of the following conditions: When approved by the appropriate university officials or the head of the department involved. When authorized by the owners of the information. When required or not prohibited by federal, state, or local law. Where appropriate and possible, the university will provide notice of disclosure to the affected computer user(s). The Family Educational and Privacy Rights Act The Family Educational and Privacy Rights Act, 20 U.S.C. Section 1232g and implementing regulations (“FERPA”) restricts the disclosure of student education records. Users should familiarize themselves with the FERPA policy and guidelines, which describe restrictions on disclosure of student education records. If you have any questions about the FERPA policy or guidelines and, in particular, any question on whether information in a student education record is subject to restrictions on disclosure, contact the Registrar at 816-501-4057. You can access the entire FERPA Policy here. Responsibilities of Users The user should assign an obscure account password and change it frequently. The user should understand that the levels of protection applicable to the university computing resource or non-university networks traversed automatically applies to files and, if and when necessary, supplement it for sensitive information. No one should share their password with another. A university computer account may be used only by the person to whom it is assigned. The user should be cognizant of computer viruses, phishing attacks, malware, and other destructive computer programs, and take all available steps to avoid being a victim or unwitting distributor of these viruses and programs. The user, and not the university, is responsible for any invasion of the user’s or another’s privacy and for any loss of data. Rockhurst employees will not store business related or personal data on any Rockhurst issued computers. This data is not backed up and could become a security risk if the computer is lost or stolen. Please refer to Rockhurst’s Data Retention Policy and Cloud Data Storage Policy. Acceptable Use Guidelines for Acceptable Use The computer resource is a tool integral to the functioning of the university. All who use the computing resource must understand that it is primarily for advancement of the university’s mission and values expressed through its teaching, research, public service, business, and outreach functions. Use of the computing resource is permitted only in conformity with these values as expressed in university policy, including this Computer Usage Policy and other university policies, and in conformity with federal, state, and local law. Computer resources are the property of the university. Use of the computing resource is a privilege and not a right and the university may withdraw that privilege under its policies. It is prohibited to register a non-Rockhurst University ".edu" domain for any computer which is connected to the university computing resource without the prior approval of the Associate Vice President for Facilities and Technology. Any approval, if given, must clearly identify that the non-Rockhurst.edu address is using Rockhurst University resources for delivery. Any personal e-mail account or creation of a personal World Wide Web page or a personal collection of electronic material that is accessible to others must include a disclaimer that reads as follows: “The material located at this site is not endorsed, sponsored or provided by or on behalf of Rockhurst University.” Because of the state of the art of computing technology, the computing resource is subject to invasion and injury by unauthorized persons, whether caused or facilitated intentionally, negligently, or unintentionally. To protect against prohibited invasion and injury, all who use the computing resource must use it in conformity with its security protections. A university computer account may be accessed or used only by the person(s) to whom it is assigned. The computing resource is a limited resource shared by the Rockhurst community. The resource is finite and all who use the resource must recognize that they are one of many users and overuse can bring with it negative consequences. Those who use the computing resource must also respect the needs of other authorized users. No list of acceptable uses or prohibited activities can be complete. Below are examples of prohibited activity. Circumventing or attempting to circumvent any system security. Gaining or attempting to gain unauthorized access to any university computer account. Purposely attacking or negatively impacting the performance of a university computing resource or network. Sending or collecting chain letters or unsolicited bulk mail messages to the university community or other population (e.g., “spamming” or “MLM”). Sending e-mail under another’s e-mail address (e.g., “spoofing”) for any purpose. Invading the privacy or confidentiality of any other user including, without limitation, accessing or attempting to access another’s account without permission from the account holder or the Associate Vice President for Information Technology. Harassing another person, group, or organization on any basis. Disrupting or monitoring electronic communications of another without authorization from the Associate Vice President for Information Technology. Tapping, that is sniffing, or taping telephone or network or wireless transmissions is strictly prohibited. Preventing another authorized user from that user’s authorized access or use of the computing resource or otherwise interfering with another’s authorized use. Use of another’s password except with permission of the Associate Vice President for Facilities and Technology. Stating or implying university sponsorship or endorsement. Engaging in any use which results in any direct cost to the university. Other activities, although not specifically described in this policy, may result in violation of university policy. If you have a question regarding whether any use or anticipated use is a violation of university policy, contact the Computer Services Help Desk, located on the 4th floor of Conway Hall, Room 401, x4357. In addition to this statement of acceptable use, below are specific categories of use that provide additional guidance. Institutional Use The university computing resource is to be used primarily to advance the university’s missions of education, research, and public service or for university-related business. Faculty, staff, students, and others with permission may use the computing resource only for purposes related to their studies, their responsibilities for providing instruction, the discharge of their duties as employees, their official business with the university, or other university-sanctioned activity. Commercial Use The use of the university computing resource for commercial purposes is only as permitted under university policy, including university intellectual property policy and this Computer Usage policy, by special arrangement with the appropriate university official, or as defined in existing conflict of interest policies. Commercial use which is otherwise permissible must be communicated in writing to the Associate Vice President for Information Technology. Any commercial use that is accessible to others must include a disclaimer that reads as follows: "The information contained in this communication is not endorsed, sponsored or provided by or on behalf of Rockhurst University." Legal Use The computing resource may only be used for legal purposes. Examples of unacceptable and illegal use include, but are not limited to, the following: Discrimination or harassment as defined in the university anti-discrimination/harassment policy. Violation of any university licensing agreement or any copyright or trademark law, including unauthorized copying of copyright-protected material. Libel, slander, or defamation of another including other users. Destroying or damaging equipment, software or data belonging to the university or any other user. Accessing pornography for purposes other than education or research. Some of the prohibited uses described in the Guidelines for Acceptable Use. Ethical Use The computing resource should be used in accordance with the ethical standards of the university community. Examples of unethical use, some of which may also have legal consequences, include, but are not limited to, the following: Use of the computing resource in ways that unnecessarily impede the computing activities of others, such as randomly initiating interactive electronic communications or e-mail exchanges, overuse of interactive network utilities, and similar activities. Use of the computing resource for private business purposes unrelated to the mission of the university or university life, absent authorization as stated in this policy. Academic dishonesty, such as plagiarism or cheating. Violation of network usage policies and regulations. Cooperative Use Users of the computing resource can facilitate computing at the university in many ways. Collegiality demands the practice of cooperative computing. It includes: Regularly deleting unneeded files from one’s accounts on shared computing resources. Refraining from any use that overloads or otherwise negatively impacts the performance of the university computing resources. Refraining from use of sounds and visuals which might be disruptive to others. Refraining from irresponsible use of any computing resource. Refraining from unauthorized use of a departmental or individual computing resource. Political Use Use of the university computing resource for political purposes is prohibited. Discipline and Sanctions Any violation of this policy by a student, faculty member, staff member, and/or recognized organization of the university should be reported to the Associate Vice President of Information Technology. A violation of this policy by a staff or faculty member may lead to disciplinary action, up to and including termination of employment. A violation of this policy by a student may lead to disciplinary action, up to and including dismissal from the university. A violation of this policy by a recognized organization may lead to disciplinary action, up to and including deactivation. A violation of this policy by a guest of the university and/or others with permission to use the university’s computing resources should also be reported to the Associate Vice President of Information Technology. A violation of this policy by a third-party may lead to disciplinary action, including withdrawal of computer use privileges and/or a ban from campus. Violations of this policy are serious infractions and addressed in a manner applied to such serious violations, which may include reporting such incidents to federal, state, and/or local law enforcement authorities. Disclaimer As part of the services available through the university, an individual could access information that may contain objectionable material. Rockhurst University takes no responsibility for the content of those entities over which it has no control. Existing University Rules & Regulations This policy is in addition to existing university rules and regulations and does not alter or modify any existing university rule or regulation. All users of the university computing resource must comply with other university policies and use of the university computing resource in violation of these other policies may be cause for sanctions under those policies in addition to this policy. Questions and Comments Please direct any question or comments regarding this policy to the Computer Services Help Desk located on the 4th floor of Conway Hall, Room 401, x4357 (HELP). Terminology The following terms have very specific meanings in the context of this document: Administrator - The person having executive authority over one or more computing resources. Central computing resource - Computers and peripherals purchased, maintained, and operated by Computer Services and made available to the university community. Departmental computing resource - Computers and peripherals purchased by Computer Services, a university department, or an administrative unit, primarily for the use of the personnel within that entity. Individual computing resource - Computers and peripherals purchased by Computer Services, university departments or administrative units, primarily for the use of an individual member of that entity, and which can be made available to other individuals or groups. Networked computing resource - Computers and peripherals connected to any university data network. Shared computing resource - Computers and associated peripherals that are commonly used, simultaneously, by more than one person. System administrator -The person or group who has system privileges and is responsible for the operation and security of one or more networked computing resources. Unit - The individual, group, or organization responsible for performing a function within the university community. User -Any individual who has access to a university computing resource. University community - The aggregate of individuals employed by and/or enrolled as students at Rockhurst University, as evidenced by a valid school ID. Electronic Data Policy and Cloud Data Policy (Employees only) The university has an Electronic Data Policy and Cloud Data Policy that all Rockhurst employees must follow. To obtain a copy of these policies, please contact the Rockhurst University Human Resources Department or the Computer Services Helpdesk. Last Review Date 02/13/2025

Introduction: Rockhurst University fully respects the rights that exist for any material protected under United States and international copyright laws. Rockhurst University recognizes the use of copyrighted materials is an essential component of academic and other co-curricular campus activities.  This policy outlines the University's procedures regarding the legal use of copyrighted works. Public Areas vs. Private Areas of Rockhurst University The University distinguishes between public areas and private areas. Public areas are physical areas on the campus accessible to anyone without permission, including students, faculty, staff, and visitors such as auditoriums, large open areas or other campus facilities intended for large audiences. Private areas are those where access is restricted to specific individuals or groups, such as residence halls, physical classrooms, offices, or online meeting spaces such as Zoom or MS Teams Public Performance Rights Public performance rights refer to the legal right to perform, display, or show a copyrighted work publicly, such as a movie theater, television, or a public place. In most cases, public performance rights are required to show an entire copyrighted work in a public place, such as a public university event or university sponsored group, even if the audience is limited to a specific group of people. Obtaining public performance rights ensures that the owner of the copyright is compensated for the use of their work and avoids potential legal issues related to copyright infringement. Public performance rights are requiredif the showing of an entire copyrighted work is: open to the public, such as a screening at a public event, OR in a public space where access is not restricted, such as a showing of a film for a class in a venue open for anyone to attend, OR formally sponsored by a Rockhurst University club or organization.   Public performance rights are not requiredif the showing of an entire copyrighted work is: privately viewed in a home with only family and friends in attendance, OR in the public domain. For questions about public performance rights, please reach out to the Computer Services Help Desk. Student Housing: Student housing is residential and typically falls within the private area category of Rockhurst University. If an informal group of students, some of whom live in the dormitory, view a copyrighted work in entirety in that location, public performance rights would not be required as this is akin to private viewing. If the viewing is formally sponsored by the University, club, or student organization, then performance rights would be required, regardless of location. Student housing screening areas are intended for residential student usage. Signage will be posted noting students are using university property when accessing individual subscription accounts and will state the following information: “This screen and streaming device are university property. If you use this property to access individual streaming accounts (i.e. Netflix, Hulu, etc.) then you must sign in and sign out each time of usage.  Do not save your personal account information to this university device. This will protect your accounts as well as avoid issues for Rockhurst.   Thank you for protecting yourself, fellow students, and RU”. Fair Use Doctrine for the Instructional Use of Copyrighted Materials Fair Use is a doctrine in US copyright law allowing limited use of copyrighted materials without permission. To qualify for fair use, the following four criteria must all be met when using an entire work: The use must be a "regular part of systematic instructional activities" The use must be in a nonprofit educational institution The use must be in a classroom or "similar place devoted to instruction" The copy used must be lawfully made or legally obtained. Instructors can use the Rockhurst University Fair Use Checklist to determine if intended use is considered fair use. Copyrighted Work Usage within Online Instruction   Course modality is another factor determining which guidelines and laws apply to legal use of copyrighted work.   Online instruction is more restricted on usage of entire copyrighted works due to the DMCA Act and TEACH Act. Licenses for instructional software also trump copyright laws and may be more strict in their requirements.   Instructors using university Zoom accounts are required to follow the Zoom Terms of Use, which prohibit transmitting entire streamed works, recordings, or performances through Zoom without acquiring broadcasting licensure for the work prior to playing through Zoom.    As a condition to using Microsoft services, instructors using university MS Teams accounts, or any other Microsoft product (i.e. Stream), are prohibited by Microsoft’s Terms of Use “to use the services for any unlawful action”, including making material protected by intellectual property laws, such as copyright or trademark laws, available. An instructor may play reasonable and limited portions of a work through Zoom or MS Teams. To determine what is a reasonable portion, instructors can use the Fair Use Checklist to determine if intended use is considered fair.    Copyrighted Work Usage within In-Person Instruction For educational purposes only, if a faculty member has a DVD or subscription/account to the streaming service (a “legally obtained copy”), the entirety of the performance can be shown during face-to-face, in-person instruction only.   Faculty may not share their individual streaming subscription account information to students. Students may use their own individual accounts to view entire works outside of class.    Faculty may reach out to the Greenlease Library Director, Laura Horne-Popp, who can assist in determining if the University is positioned to handle the request for content usage. Detailed information regarding Guidelines for Copyright, Fair Use and additional laws can be found at:   http://libguides.rockhurst.edu/copyrightguidelines. Last Review Date 2024/05/04