Rockhurst University Computer Services Policies
-
Data Center Visitor Log Policy for Rockhurst University
Policy Statement:
Rockhurst University (the "University") is committed to maintaining the security and integrity of its data center. This policy establishes the requirement for maintaining a visitor log for anyone entering the data center. The purpose of this policy is to enhance security measures, monitor access, and ensure accountability within the data center facility.

Scope:
This policy applies to all individuals, including employees, contractors, vendors, and visitors, who require access to the University's data center.

Policy Guidelines:

Access Control:
Access to the data center is restricted to authorized personnel only. All visitors must obtain prior approval and be escorted by an authorized staff member. Visitors must adhere to the data center's rules and regulations during their visit.

Visitor Log:
A visitor log shall be maintained for all individuals entering the data center. The log should capture the following information:
Visitor's full name
Visitor's affiliation or organization
Date and time of entry and exit
Purpose of visit
Authorized staff member escorting the visitor
The log should be legible, accurate, and stored securely. Entries must be made in real time, immediately upon entry to or exit from the data center.

Visitor Check-In Process:
Prior to entering the data center, visitors must check in at the designated security checkpoint. Visitors must present a valid identification document (e.g., driver's license, passport, or university ID) to the security personnel. The security personnel will verify the visitor's identity and cross-check it against the approved access list. Once verified, the visitor will be provided with a visitor badge or pass, to be visibly worn at all times while inside the data center.

Escort Requirement:
Visitors must be escorted at all times by an authorized staff member. The authorized staff member is responsible for monitoring the visitor's activities, ensuring compliance with data center policies, and answering any questions the visitor may have.

Data Center Rules and Regulations:
Visitors must adhere to the data center's rules and regulations, which may include, but are not limited to:
i. Prohibition of food, beverages, or smoking inside the data center.
ii. Requirement to maintain a quiet and professional environment.
iii. Restriction on accessing or tampering with equipment, cables, or other data center infrastructure.
iv. Compliance with any additional security measures, such as biometric access controls or video surveillance.

Record Retention:
Visitor logs must be retained for a minimum period of two years, as specified by applicable legal, regulatory, or audit requirements. After the retention period, the logs should be securely destroyed to protect the privacy and security of visitor information.

Policy Compliance:
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or legal action, depending on the severity and frequency of the violation. The University reserves the right to revoke visitor access privileges to the data center at any time and for any reason.

Policy Maintenance:
Rockhurst Computer Services is responsible for the maintenance, review, and interpretation of this policy. Any suggested changes or concerns related to this policy should be directed to Rockhurst Computer Services.

Last Review Date 06/28/2024
-
Data Encryption Policy for Rockhurst University
Policy Statement:
Rockhurst University is committed to protecting the confidentiality, integrity, and availability of sensitive data. This Data Encryption Policy establishes guidelines for encrypting sensitive data in motion (during transmission) and at rest (when stored), following industry best practices.

Scope:
This policy applies to all Rockhurst University personnel, including employees, contractors, and third-party service providers who handle sensitive data in the course of their work.

Data Classification:
Sensitive data shall be classified based on its confidentiality and regulatory requirements. Examples of sensitive data include personally identifiable information (PII), financial data, healthcare information, research data, and any other data that, if compromised, could harm individuals or the university.

Encryption for Data in Motion:
Secure Communication Protocols: All sensitive data transmitted over networks, both internal and external, shall use secure communication protocols, such as HTTPS/TLS, to encrypt data during transmission. Applications, web services, and APIs that transmit sensitive data must use secure protocols and cryptographic algorithms approved by recognized standards organizations.
Secure Email Communication: Sensitive data sent via email must be encrypted using secure email encryption mechanisms or secure file transfer protocols. Sensitive attachments should be encrypted separately before sending them via email.

Encryption for Data at Rest:
Database Encryption: Sensitive data stored in databases shall be encrypted at the field level or database level, based on the data's classification and regulatory requirements. Encryption keys used for database encryption must be securely stored and managed, following best practices for key management.
File and Disk Encryption: Sensitive data stored on laptops, desktops, servers, and other devices shall be encrypted using full disk encryption (FDE) or file-level encryption, based on the data's classification and regulatory requirements. Encryption keys used for file and disk encryption must be securely stored and managed, following best practices for key management.
Cloud Storage Encryption: Sensitive data stored in cloud environments must be encrypted at rest using encryption mechanisms provided by the cloud service provider or through client-side encryption. The encryption keys used for cloud storage encryption must be securely managed and protected.

Encryption Key Management:
Key Generation and Storage: Encryption keys used for data encryption must be generated using strong cryptographic algorithms and securely stored. Keys shall be protected against unauthorized access, loss, or theft through appropriate access controls and encryption mechanisms.
Key Rotation and Retirement: Encryption keys shall be periodically rotated to minimize the risk associated with compromised or weakened keys. When encryption keys are retired, the data encrypted with those keys shall be securely re-encrypted or permanently deleted.

Compliance with Regulations:
Rockhurst University shall ensure that data encryption practices align with relevant security and privacy regulations, such as GDPR, FERPA, HIPAA, and PCI DSS. Encryption measures implemented must meet or exceed the encryption requirements outlined in these regulations.

Incident Response and Reporting:
In the event of a security incident or suspected data breach involving encrypted data, the university's incident response plan shall be followed. All incidents must be reported promptly to the appropriate authorities as required by applicable regulations.

Training and Awareness:
Rockhurst University shall provide regular training and awareness programs to educate personnel about data encryption best practices, the importance of encryption, and the proper handling of encrypted data.

Policy Review:
This Data Encryption Policy shall be reviewed periodically to ensure its effectiveness, alignment with industry best practices, and compliance with changing regulations. Updates to the policy may be made as necessary.

Policy Non-Compliance:
Failure to comply with this policy may result in disciplinary action, including but not limited to verbal or written warnings, suspension, termination, or legal action, as deemed appropriate.

By adhering to this Data Encryption Policy, Rockhurst University aims to safeguard sensitive data from unauthorized access, maintain compliance with regulations, and protect the confidentiality and integrity of information assets.

Last Review Date 07/05/2024
-
Data Loss Prevention and Data Classification Policy for Rockhurst University
Policy Overview and Objectives
Rockhurst University recognizes the importance of protecting its data assets and preventing the unauthorized disclosure or loss of sensitive information. The purpose of this Data Loss Prevention (DLP) and Data Classification Policy is to establish guidelines for the classification and protection of data based on its sensitivity. This policy applies to all electronic data collected, generated, accessed, modified, transmitted, stored, or used by the University, irrespective of the medium or format.

Data Classification Levels

a. Confidential Information (High Sensitivity):
Definition: Data should be classified as Confidential if its unauthorized disclosure, alteration, or destruction could result in legal or financial liability to the University. Sources of liability include legal or regulatory requirements, University policies, agreements to which the University is a party, or information that is inherently sensitive. Data in this category is not distributed outside the University unless the transmission is expressly authorized and done through approved channels. Please contact the Associate Vice President of Information Technology if you have a question about establishing an approved channel for an authorized transmission. Data in this category should only be accessible to employees with a need to know, and the data should only be transmitted through electronic means if the Confidential Data is encrypted. Examples of the type of information that is Confidential are provided in Appendix A.
Handling Requirements:
Access: Limited to authorized individuals with a legitimate need-to-know.
Storage and Transmission: Must be encrypted using approved encryption methods.
Retention and Disposal: Must follow specific retention and disposal guidelines to ensure secure destruction.

b. Private Information (Medium Sensitivity):
Definition: Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that Data could harm the University’s image or reputation, or could undermine the confidentiality of University business, but would not necessarily violate existing laws, University policies, or University contracts. Data in this category is not routinely distributed outside the University and is accessed or distributed within the University only on a need-to-know basis. Examples of the type of information that is considered Private are provided in Appendix A.
Handling Requirements:
Access: Limited to authorized individuals based on job roles and responsibilities.
Storage and Transmission: Should be protected using appropriate security measures, such as access controls and encryption, as necessary.
Retention and Disposal: Must adhere to defined retention periods and secure disposal practices.

c. Public Information (Low Sensitivity):
Definition: Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that Data would result in no harm to the University. Public Data has no legal or other restrictions on access or usage and may be open to the University community and the general public. Examples of the type of information that is considered Public are provided in Appendix A.
Handling Requirements:
Access: Accessible to the general public and authorized personnel as needed.
Storage and Transmission: No specific security requirements, but reasonable measures should be taken to ensure integrity and availability.
Retention and Disposal: Follow standard retention and disposal practices.

Responsibilities
a. Data Owners: Data owners are responsible for identifying and classifying the data under their control. They must ensure appropriate protection measures are implemented based on the data classification level.
b. Users: Users must adhere to the handling requirements and access restrictions specified for each data classification level. They are responsible for reporting any potential data loss or security incidents promptly.
c. IT Department: The IT department is responsible for implementing technical controls to enforce the protection requirements for each data classification level. They must ensure that appropriate security measures, such as encryption, access controls, and monitoring, are in place.

Data Handling and Protection Measures
a. Access Controls: Access to data should be granted on a need-to-know basis, following the principle of least privilege. Strong authentication mechanisms, such as unique user IDs and passwords, should be implemented to protect sensitive data.
b. Encryption: Confidential and Private Information must be encrypted during transmission and storage using approved encryption methods.
c. Data Storage: Data storage systems should provide appropriate security controls, such as access controls, encryption, and regular backups.
d. Data Transmission: Sensitive data should be transmitted over secure channels, such as encrypted connections and virtual private networks (VPNs).
e. Retention and Disposal: Data should be retained only as long as necessary to fulfill legal, regulatory, and business requirements. Secure disposal methods, such as shredding physical documents and secure erasure of electronic data, must be employed.

Compliance and Consequences
a. Compliance: All faculty, staff, students, and contractors must comply with this policy. Failure to comply may result in disciplinary action, including termination, as well as legal consequences.
b. Consequences: Any suspected violations of this policy should be reported to the appropriate authorities for investigation. Violations will be subject to disciplinary actions in accordance with the applicable policies and procedures.

Policy Review
This policy will be reviewed periodically and updated as necessary to reflect changes in technology, regulations, or organizational needs. Any proposed changes to this policy must be reviewed and approved by [appropriate authority].

By implementing this Data Loss Prevention and Data Classification Policy, Rockhurst University aims to safeguard its sensitive information and ensure compliance with relevant regulations while promoting a secure data environment.
-
eMail and Security Awareness Training Policy for Rockhurst University
Policy Statement:
Rockhurst University is committed to ensuring the security of its information systems and protecting sensitive data from unauthorized access, theft, and misuse. To achieve this, all employees are required to complete training on phishing and other email security threats. Bi-weekly simulated phishing tests will be conducted to assess employees' awareness and response to potential threats. Failure to pass the simulated test will result in mandatory additional training.

Policy Scope:
This policy applies to all Rockhurst University employees, including faculty, staff, and administrators, who have access to the university's network and email systems.

Policy Guidelines:

Training Program:
Rockhurst University will provide comprehensive training on phishing and other email security threats to all employees. The training program will cover topics such as identifying phishing emails, recognizing common email security threats, best practices for email security, and reporting suspicious emails. The training will be available through an online learning platform or conducted through in-person workshops, as determined by the university's IT department. All employees must successfully complete the training within [specific timeframe, e.g., 30 days] of their employment start date.

Simulated Phishing Tests:
a. Bi-weekly simulated phishing tests will be conducted throughout the year to assess employees' ability to recognize and respond to phishing attempts.
b. Simulated phishing emails will be sent to employees' work email accounts, designed to resemble real phishing emails.
c. Employees must exercise caution and refrain from clicking on any suspicious links or opening attachments in simulated phishing emails.
d. If an employee fails a simulated phishing test by clicking on a link or opening an attachment, they will be required to undergo additional mandatory training.

Consequences of Failure:
If an employee fails a simulated phishing test, they will be notified of their failure and be required to complete additional mandatory training on email security within a specified timeframe. Failure to complete the additional training within the designated timeframe may result in temporary suspension or revocation of network account privileges. Employees will regain full access to their network accounts upon successful completion of the additional training.

Reporting Suspicious Emails:
Employees are encouraged to report any suspicious emails or potential phishing attempts to the university's IT Help Desk. Reporting procedures and contact information for the IT department will be provided during the training. Prompt reporting of suspicious emails will enable the IT department to take appropriate action to mitigate potential risks.

Training Recordkeeping:
The university's IT department will maintain records of employee training completion, including successful completion of the initial training and any additional mandatory training. Training records will be used to monitor compliance with the policy and track employee progress. Training records will also be used to identify areas for improvement in the training program and address individual employee training needs.

Policy Review:
This policy will be reviewed annually to ensure its effectiveness and relevance. Any necessary updates or modifications will be made in accordance with evolving security threats and best practices.

By adhering to this Security Training Policy, Rockhurst University aims to enhance its overall security posture and protect its employees and sensitive information from email-based threats.

Last Review Date 06/28/2024
-
eMail Encryption Policy for Rockhurst University
Policy Statement:
Rockhurst University acknowledges the importance of safeguarding sensitive information in external email communication. To uphold industry best practices and compliance standards, all faculty and staff members are required to seek approval from their Vice President before sending encrypted emails to external domains involving industry-sensitive information.

Procedure:
Complete Encryption Approval Request Form: Prior to sending encrypted emails, faculty and staff must seek approval from their VP. Approval requests can be made by completing the attached Encryption Approval Request Form and submitting it to the Rockhurst University Help Desk (helpdesk@rockhurst.edu). The electronic email encryption request form can be found here. Once approval has been granted, follow the steps to send an encrypted email message.
Develop Encrypted eMail Content: Draft the email containing sensitive information intended for external communication in Outlook.
Encryption: Place the word “Encrypt:” anywhere in the Outlook message subject line of the confidential email message.
Submission: Submit the email message to the recipient.

Non-Compliance:
Failure to adhere to this policy for the transmission of secure information may result in disciplinary action and potential breaches of confidentiality.

Enforcement:
This policy is effective immediately upon issuance and applies to all faculty and staff members of Rockhurst University.

Review and Revision:
This policy will be reviewed periodically to ensure its effectiveness and relevance. Any necessary revisions will be made in consultation with relevant stakeholders.

Contact Information:
For inquiries or clarification regarding this policy, please contact the Chief Information Officer (CIO) or the IT department.

Related Policies:
eMail Use Policy for Rockhurst University
Data Loss Prevention and Data Classification Policy for Rockhurst University
-
eMail Retention Policy for Rockhurst University
Policy Statement:
The purpose of this email retention policy is to establish guidelines for the retention and management of Outlook mail within Rockhurst University. This policy ensures that emails and associated documents are retained for a period of two years, aligning with our data retention requirements and compliance obligations.

Scope:
This policy applies to all employees, students, contractors, and any other personnel who have access to and use Outlook mail within Rockhurst University.

Policy Guidelines:

Retention Period:
All Outlook mail, including emails, attachments, and associated metadata, will be retained for a minimum of two years from the date of creation or receipt. After the two-year period, emails and their attachments will be eligible for deletion unless specific legal, regulatory, or business requirements dictate otherwise.

Email Categorization and Classification:
Users should exercise good judgment when categorizing and classifying emails. Utilize appropriate folders, tags, or labels to organize emails based on their nature, relevance, or departmental requirements. Ensure that emails are properly classified to facilitate efficient retrieval and compliance with retention policies.

Email Deletion:
At the end of the two-year retention period, emails will be subject to deletion unless they fall under specific legal, regulatory, or business requirements that mandate their preservation for a longer period. Users are responsible for periodically reviewing their mailbox and deleting any irrelevant or unnecessary emails that do not need to be retained as per the two-year retention policy.

Legal Holds and Litigation:
In the event of a legal hold or pending litigation, the two-year retention period may be suspended, and emails relevant to the matter must be preserved until further notice. Users must promptly communicate any legal hold notices to the designated personnel responsible for email retention.

Backup and Recovery:
Regular backups of Outlook mail will be performed to ensure data integrity and facilitate recovery in case of accidental deletion, system failure, or disaster. Backups should be retained for a period aligned with the two-year retention policy to ensure recoverability if needed.

Employee Responsibilities:
Users are responsible for managing their mailbox and adhering to this email retention policy. Users should familiarize themselves with and follow the procedures outlined in this policy. Failure to comply with the policy may result in disciplinary action.

Communication and Awareness:
This policy will be communicated to all employees, faculty, staff, and relevant stakeholders. Training and awareness programs will be conducted to educate users about their responsibilities regarding email retention and management.

Review and Audit:
This email retention policy will be reviewed periodically to ensure its effectiveness and compliance with evolving legal, regulatory, and institutional requirements. Regular audits will be conducted to monitor adherence to the policy and identify areas for improvement.

Approval:
This policy has been reviewed and approved by the appropriate authority at Rockhurst University. Any questions or concerns regarding this policy should be directed to the designated contact or department responsible for email retention.

Last Review Date 2024/05/19
-
eMail Use Policy for Rockhurst University
Policy Statement:
Email is a vital tool for communication within Rockhurst University's community, comprising both employees and students. This comprehensive Email Use Policy is designed to ensure the responsible, secure, and efficient use of the University's email system. We have incorporated the most current corporate and security best practices, aligned with the legal and ethical standards for large universities.

1. Purpose and Scope - This policy aims to:
Promote effective communication within the University community.
Safeguard University data and protect the confidentiality, integrity, and availability of information.
Ensure that email usage aligns with ethical standards and legal requirements.
Foster a secure email environment that mitigates risks associated with data breaches and cyber threats.
This policy applies to all employees, students, and affiliates of Rockhurst University who use University-provided email accounts and systems.

2. Responsible Parties - The University's IT Department is responsible for enforcing and administering this policy. The department should stay informed about current email security threats and best practices, continuously enhancing the University's email security measures.

3. Acceptable Use - Acceptable uses of the University email system include:
Official University communications.
Academic and research-related purposes.
Administrative and business functions in support of the University's mission.

4. Prohibited Uses - Prohibited uses of the University email system include:
Sending offensive or discriminatory content, including but not limited to material with derogatory remarks about gender, race, age, sexual orientation, or religious beliefs.
Distributing illegal or unauthorized material.
Engaging in spam, phishing, or any malicious activities.
Violating intellectual property rights.
Any activity that violates applicable laws and regulations.

5. Security and Privacy - Users must protect their email accounts through strong, confidential passwords. The University may access and monitor email accounts to ensure security, compliance, and operational integrity. Email data is subject to legal and regulatory requirements. Confidential and sensitive information should be securely shared and stored.

6. Data Protection and Confidentiality - Users are obligated to protect University information, adhering to data protection regulations. Sensitive or confidential information should not be shared without appropriate security measures.

7. Legal Compliance - Users must comply with all applicable laws and regulations, including anti-discrimination laws, intellectual property rights, and industry-specific requirements.

8. Personal Use - While limited personal use of university email accounts is allowed, such use should not hinder work or academic responsibilities, compromise security, or violate this policy.

9. Commercial and Business-Related Uses - Using University email addresses or systems for commercial or business purposes unrelated to the University's mission is not permitted.

10. Email Forwarding - Email received at university addresses may not be automatically forwarded to non-University addresses, to protect against data loss and security risks.

11. Chain or Joke Letters - Creating or forwarding chain letters or joke emails from university email addresses or systems is prohibited, as they can be disruptive and unprofessional.

12. Monitoring and Recording - The University may monitor and record email messages for security, compliance, and operational reasons. While not all email activity is continually monitored, the University reserves the right to do so.

13. Reporting Violations - Employees and students are encouraged to report policy violations promptly to Computer Services and Human Resources. Violations may result in disciplinary actions in accordance with university policies.

14. Email Retention and Archiving - The University has email retention and archiving policies to comply with legal requirements and industry regulations. Please refer to Rockhurst University’s eMail Retention Policy.

15. Updates and Revisions - This policy may be updated to reflect changes in technology, laws, or regulations. Users will be informed of updates as they occur.

Conclusion
Rockhurst University's Email Use Policy is built on the foundation of current corporate and security best practices to ensure the responsible and secure use of email communication. All members of the University community share the responsibility of upholding this policy, which aims to protect the University's reputation, data, and security. Failure to adhere to this policy may result in disciplinary actions in accordance with university policies.

Last Review Date 2024/10/14
-
Employee/Contractor Network Account Onboarding and Termination Policy for Rockhurst University
Introduction: Effective change management policies for information technology (IT) are critical for ensuring that changes are made in a controlled and consistent manner, minimizing the risk of errors, system failures, and security breaches. This policy will outline the steps that need to be taken to manage changes to IT systems manually.

Purpose: The purpose of this policy is to establish a standard process for managing changes to IT systems manually. This policy ensures that any changes to IT systems are documented, tested, and approved before being implemented to reduce the risk of errors, outages, and data breaches.

Scope: This policy applies to all personnel who are responsible for managing changes to IT systems manually.

Policy:

Access Requests: All new employees who require access to University networks must submit an access request form to the IT department. The form should include the employee's name, job title, department, and reason for access.

Faculty - Network accounts may be established no earlier than 45 days before classes start, by HR updating the current hire date in Banner PEAEMPL. Future hires can be set up at any time in Banner, but the network accounts will not be turned on earlier than 45 days before they actually start. An exception process for full-time faculty to obtain network access earlier than 45 days prior to their actual start date has been provided on a case-by-case basis by the CIO. The Dean's office will update the SIAINST Faculty Status Validation field to "TM" for "Temporary Network Access". Access will be granted promptly, within one business day after the SIAINST record has been updated.

Staff - Network accounts will be suspended on the termination date, with the option of managerial review for a limited period not to exceed 30 days, or at any time by management authorization via HR updating the current hire date in Banner PEAEMPL. If accounts are inactive after 90 days, the account will be suspended and will be turned on after contacting Computer Services.

Emeritus - Employees designated with an Emeritus status will be granted a University email account and access to base Microsoft Office products. Former employees can only be granted this role by the President of the University.

Access Approval: Access requests must be approved by the employee's supervisor and the IT department. The IT department will verify the employee's identity and confirm that the employee has a legitimate business need for network access.

Access Levels: The IT department will grant network access based on the employee's job responsibilities. Access levels should be reviewed periodically and adjusted as necessary.

Usernames and Passwords: The IT department will assign usernames and passwords to new employees for network access. Passwords must be strong and changed periodically. Employees should not share their usernames and passwords with anyone.

Training: All new employees must receive training on network security policies and procedures before they are granted access. Annual recurring training will be mandated to retain a network account.

Termination: When an employee leaves the University, their network access must be terminated immediately, and any University-purchased laptops, cell phones, etc. are to be returned to Computer Services for reimaging and reassignment after being retained for 30 days. The IT department must be notified of the employee's departure as soon as possible. Network access must also be terminated for employees who are transferred to another department or who no longer require access. All network termination requests must be submitted via a ticket to the Rockhurst Help Desk.

Faculty - Network accounts will be suspended 50 days after termination in Banner, or at any time by management authorization via HR updating the termination date in PEAEMPL. If accounts are inactive after 90 days, the account will be suspended and will be turned on after contacting Computer Services. An exception process for former faculty to retain network access after their departure has been provided on a case-by-case basis by the CIO. The Provost's office will provide a written request to retain a former faculty account with a defined future date on which the access may be terminated. This date will also be recorded in Banner by the Dean's office entering a future termination date in PEAEMPL.

Staff - Network accounts will be suspended on the termination date, with the option of managerial review for a limited period not to exceed 30 days, or at any time by management authorization via HR updating the current hire date in Banner PEAEMPL. If accounts are inactive after 90 days, the account will be suspended and will be turned on after contacting Computer Services.

Data Removal: The IT department must remove all University data from the employee's devices when their network access is terminated. This includes laptops, mobile devices, and any other equipment provided by the University. Cloud storage will be made available to all active network accounts. Once an account has been disabled, all data storage associated directly with the inactive network account will be deleted after 6 months, after which it will not be recoverable. It is the responsibility of the business unit to ensure important information is only stored on a department share drive or is transferred to a permanent location before the data is no longer recoverable.

Monitoring: The IT department will monitor network activity to ensure compliance with network security policies and to detect any unauthorized access attempts.

Consequences of Violations: Violations of network security policies may result in disciplinary action, up to and including termination of employment.

Conclusion: By implementing a Network Access Onboarding and Termination Policy, Rockhurst University can ensure the security of its networks and protect sensitive data from unauthorized access. It is important to review and update this policy periodically to ensure that it remains effective in meeting the University's needs.

Last Review Date 2024/09/11
-
Faculty and Staff Technology Equipment Policy for Rockhurst University
This policy applies to University-supplied laptops, docking stations, cell phones, tablets, and all other computing and telecommunications equipment provided to individual faculty and staff.

Acceptable Use
Laptops and other technology equipment are provided to faculty and staff University employees in support of their position responsibilities. This equipment is intended to be used solely by the employee and cannot be shared with family, friends, or other employees. All employees must also familiarize themselves with the Computer Usage Policy, the Data Loss Prevention and Data Classification Policy, and the Cloud Data Policy, as well as other policies included in the faculty and staff handbooks.

Responsibilities

Employee Responsibilities
This equipment is the property of the University. It is the employee's responsibility to maintain the equipment in their care as best they can and to protect the equipment from theft and damage. The employee may not physically alter or make any irreversible changes to the equipment. Upon separation from employment, the employee will return all equipment to the Computer Services Help Desk on or before their final day. The employee is to promptly report any problems that arise to the Computer Services Help Desk. All repairs are to be handled by Rockhurst Computer Services. The employee is not to take the equipment anywhere else for any kind of service or repair unless explicitly instructed to do so. Employees are not to attempt to repair or alter any part of the equipment. The employee is expected to be able to produce the equipment upon request by Computer Services, to provide any information regarding the equipment, and to otherwise assist in attempts by Computer Services to confirm an accurate inventory. The employee is expected to bring the equipment in their care to Computer Services for system upgrades when notified to do so. Automatic updates that are pushed by Computer Services must be installed within 24 hours of notification of the update.

Employee Termination
When an employee leaves the University, their network access must be terminated immediately, and any University-purchased laptops, cell phones, etc. are to be returned to Computer Services for reimaging and reassignment after being retained for 30 days.

Computer Services Responsibilities
Computer Services will provide the equipment, software, and any and all support of the system, including assistance in use and operation of the equipment and assistance with use of the software. Computer Services will provide full support of all uses of the equipment in all on-campus environments. Limited support will be provided for off-campus environments, as Computer Services cannot be held responsible for external factors such as problems with the employee's home Internet Service Provider. Computer Services is only responsible for the use or functionality of software installed by Computer Services.

Data and Repair
Computer Services will always strive to preserve all files and data on the equipment when performing a repair, but it is ultimately the employee's responsibility to ensure the safety of their data. In some rare situations, data recovery can prove to be impossible. Computer Services strongly recommends that the employee keep a backup of all important files on the network or approved cloud-based repositories. It is also the employee's responsibility to use reasonable means to protect sensitive University information and confidential records. Reasonable means include not leaving the laptop logged in when unattended. Refer to the Electronic Data Policy for more information. Rockhurst employees will not store business-related or personal data on any Rockhurst-issued computers. This data is not backed up and could become a security risk if the computer is lost or stolen. Please refer to Rockhurst's Data Retention Policy, Cloud Data Storage Policy, and Computer Usage Policy.

Replacement Refresh Cycle
All laptops in possession of the University are put on a refresh cycle. After a laptop has been in use for four years it will be replaced. Peripheral equipment will be evaluated on the same cycle and be replaced as necessary. Cell phones are generally refreshed on a 2-year cycle. Please also see the Rockhurst University Policy on Wireless Devices.

Theft or Irreparable Damage
Should the equipment become lost or stolen, it is the employee's responsibility to immediately report the theft to Campus Security and Computer Services. When reporting to Computer Services, employees should provide a listing of sensitive data that may be stored on the lost or stolen equipment so steps may be taken to protect that information from external attempts to misuse the data. Employees are responsible for protecting University property and for returning equipment to Computer Services in reasonable condition. If University-issued equipment is lost, stolen, or damaged, Computer Services consults with the applicable President's Council member to determine if the equipment will be replaced. The applicable President's Council member's department will be responsible for the full replacement cost.

Requests
Requests for new equipment can only be made by department heads and academic dean offices and must occur during the appropriate time in the budgeting process. Equipment replacement due to theft or irreparable damage can occur at any time, but must be reviewed by the appropriate department head, Dean, or Associate Dean, and the AVP for Information Technology.

Locations, Hours & Contacts
Technical support, service requests, and requests for assistance can be made in multiple ways:
Calling the Computer Services Help Desk at (816) 501-4357
Placing a service request in our online request system
Visiting the Help Desk on the 4th floor of Conway Hall during regular business hours

Last Review Date 02/13/2025
-
Information Security Program for Rockhurst University
Introduction: Rockhurst University recognizes the importance of safeguarding nonpublic personal information (NPI) in compliance with the Gramm-Leach-Bliley Act (GLBA), Federal Trade Commission (FTC) Safeguard requirements, and the Family Educational Rights and Privacy Act (FERPA). This Information Security Program outlines the framework for establishing and maintaining an effective information security posture within the University while adhering to GLBA, FTC, and FERPA guidelines. The program encompasses policies, procedures, guidelines, and controls designed to mitigate information security risks and ensure the protection of NPI and student educational records.

Scope: This program applies to all individuals and entities associated with Rockhurst University who handle or have access to nonpublic personal information or student educational records, including faculty, staff, students, contractors, and any external parties with access to University systems, networks, or sensitive data.

Objectives: The primary objectives of Rockhurst University's GLBA, FTC Safeguard, and FERPA compliant Information Security Program are as follows:
Protect the confidentiality, integrity, and availability of nonpublic personal information and student educational records.
Ensure compliance with GLBA, FTC Safeguard, and FERPA requirements.
Minimize the risk of unauthorized access, disclosure, alteration, or destruction of NPI and student educational records.
Promote awareness and education regarding information security best practices related to NPI and student data.
Establish incident response procedures to address and mitigate security incidents involving NPI and student educational records promptly.

Information Security Governance: Rockhurst University's information security governance framework incorporates GLBA, FTC Safeguard, and FERPA requirements and includes the following elements:
Information Security Steering Committee: A committee comprising key stakeholders responsible for overseeing and guiding the University's GLBA, FTC Safeguard, and FERPA compliance initiatives.
Information Security Officer (ISO): A designated individual responsible for implementing and managing the GLBA, FTC Safeguard, and FERPA compliant information security program. This role is assigned to the Associate Vice President & CIO of Information Technology.
Risk Management: Regular assessment and management of information security risks associated with NPI and student educational records through risk identification, analysis, evaluation, and treatment processes.
Compliance Monitoring: Ongoing monitoring of compliance with GLBA, FTC Safeguard, and FERPA requirements and associated policies, procedures, and controls.

Information Security Policies and Procedures: Rockhurst University has established comprehensive policies and procedures to guide information security practices in compliance with GLBA, FTC Safeguard, and FERPA requirements. These policies cover areas such as:
Privacy Policy: A policy outlining the University's commitment to protecting the privacy of individuals' NPI, student educational records, and their rights regarding the collection, use, and disclosure of such information.
Risk Assessment and Management: Procedures for conducting risk assessments to identify and evaluate the risks to the security, confidentiality, and integrity of NPI and student educational records.
Access Control: Procedures for granting, modifying, and revoking access privileges to systems and data containing NPI and student educational records based on job roles and responsibilities.
Data Encryption: Requirements for encryption of NPI and student educational records in transit and at rest to protect against unauthorized disclosure.
Incident Response: Procedures for detecting, reporting, assessing, and responding to security incidents involving NPI and student educational records promptly.
Vendor Management: Procedures for evaluating and managing the security of third-party vendors and service providers who handle NPI or have access to student educational records.
Employee Training and Awareness: Initiatives to educate employees about GLBA, FTC Safeguard, and FERPA requirements, information security risks, and their responsibilities for protecting NPI and student data.

Information Security Controls: Rockhurst University employs a range of technical and administrative controls to protect NPI and student educational records in compliance with GLBA, FTC Safeguard, and FERPA requirements. These controls include but are not limited to:
Access Controls: Implementing strong authentication mechanisms, least privilege principles, and regular access reviews to restrict access to NPI and student educational records.
Data Classification and Handling: Clearly defining the classification of NPI and student data and implementing appropriate security measures based on the sensitivity of the information.
Network Security: Utilizing firewalls, intrusion detection and prevention systems, and secure network configurations to protect against unauthorized access and network-based attacks.
System Monitoring and Logging: Implementing robust monitoring and logging mechanisms to detect and respond to unauthorized access or suspicious activities involving NPI and student educational records.
Physical Security: Implementing measures to safeguard physical access to facilities, data centers, and systems containing NPI and student data.
Incident Response: Defining procedures for responding to security incidents involving NPI and student educational records, including containment, investigation, recovery, and reporting.
Vendor Due Diligence: Conducting thorough assessments of third-party vendors' security controls to ensure they meet GLBA, FTC Safeguard, and FERPA requirements.

Compliance and Audit: Rockhurst University is committed to ongoing compliance with GLBA, FTC Safeguard, and FERPA requirements. Regular audits and assessments are conducted to evaluate the effectiveness of the information security program and ensure compliance with these regulations.

Security Incident Reporting: All members of the Rockhurst University community are encouraged to promptly report any suspected or confirmed security incidents or breaches involving NPI or student educational records to the ISO or the designated incident response team.

Program Review and Improvement: This Information Security Program is subject to periodic review and updates to address evolving threats, technologies, GLBA, FTC Safeguard, and FERPA requirements, and other regulatory changes. Feedback and suggestions from the University community are essential for the continuous improvement of the program.

By implementing this GLBA, FTC Safeguard, and FERPA compliant Information Security Program, Rockhurst University aims to protect the confidentiality, integrity, and availability of nonpublic personal information and student educational records, and to fulfill its obligations under these regulations.

Last Review Date 2025/03/10