Rockhurst University Computer Services Policies
-
Information Technology Change Management Policy for Rockhurst University
Introduction: Effective change management policies for information technology (IT) are critical for ensuring that changes are made in a controlled and consistent manner, minimizing the risk of errors, system failures, and security breaches. This policy outlines the steps that must be taken to manage changes to IT systems manually.

Purpose: The purpose of this policy is to establish a standard process for managing changes to IT systems manually. This policy ensures that any changes to IT systems are documented, tested, and approved before being implemented, to reduce the risk of errors, outages, and data breaches.

Scope: This policy applies to all personnel who are responsible for managing changes to IT systems manually.

Policy:

Request for Change: Any proposed change to IT systems should be documented and submitted on a request for change (RFC) form. The RFC should include the following information:
- The reason for the change
- The impact of the change
- The expected outcome of the change
- The testing and rollback plan

Types of Changes:
- Standard Change: Changes that usually occur at regular intervals, are pre-planned and pre-approved, have low risk and low impact, and do not require CAB approval (e.g., an OS upgrade).
- Minor Change: Changes that do not have a major impact, are less risky, and undergo every stage in the change lifecycle, including CAB approval (e.g., website changes).
- Major Change: Changes that can have a medium to high impact on ongoing business operations and may have financial implications; these require CAB approval as well as management approval (e.g., migration from one data center to another).
- Emergency Change: Changes that need an immediate fix and Emergency CAB approval, with the full review completed afterwards, in order to avoid potential risks (e.g., a security patch).

Change Advisory Board (CAB): A change advisory board (CAB) consisting of technical experts and business stakeholders will review all RFCs. The CAB will assess the impact of the change on the system and on business processes, and the potential risk of implementing the change. The CAB will approve or reject the RFC based on that assessment.

Change Management Plan: The change management plan should include the following:
- The scope of the change
- The timelines for the change
- The testing plan
- The back-out plan in case the change is unsuccessful
- The communication plan

Testing: Before any change is implemented, a testing plan should be executed. Testing should include:
- Unit testing to ensure the change works as expected
- Integration testing to ensure the change does not impact other IT systems
- User acceptance testing (UAT) to ensure the change meets business requirements

Implementation: Once the change has been tested and approved, it can be implemented. Implementation should be carried out as follows:
- Communicate the change to all stakeholders
- Implement the change outside of business hours to minimize impact on operations
- Monitor the change for any issues or errors

Review: After the change has been implemented, a post-implementation review (PIR) should be conducted. The PIR should include the following:
- Assessment of whether the change met the desired outcome
- Assessment of whether the change negatively impacted business processes or IT systems
- Lessons learned for future changes

Documentation: All changes should be documented and tracked. This documentation should include:
- The RFC form
- The change management plan
- The testing plan and results
- The PIR

Conclusion: This policy provides a standard process for managing changes to IT systems manually. The policy ensures that all changes are tested, approved, and documented to minimize the risk of errors, outages, and data breaches. All personnel responsible for managing changes to IT systems should follow this policy.

Last Review Date 12/20/2024
-
Information Technology Equipment Asset Management Policy for Rockhurst University
Introduction
This IT Equipment Asset Management Policy outlines the procedures and guidelines for the identification, tracking, and maintenance of IT equipment at Rockhurst University. The primary objective is to ensure efficient management, security, and accountability of IT assets, including their association with individuals when applicable, software/firmware updates, and tracking through FreshService.

Policy Scope
This policy applies to all IT equipment, including but not limited to computers, laptops, mobile devices, servers, network hardware, and peripherals owned or leased by Rockhurst University. It encompasses the entire asset lifecycle, from acquisition to disposal.

Asset Identification and Tagging
- Barcoding: All IT equipment will be assigned a unique barcode tag for easy identification and tracking purposes.
- Asset Categories: IT assets will be categorized based on type, department, and location for efficient management.

Asset Tracking and Management
- FreshService: FreshService will serve as the central repository for IT equipment tracking and management. Asset information will be recorded and updated in FreshService, including asset type, location, user association (when applicable), and maintenance history.
- User Association: IT assets will be associated with specific users or departments whenever feasible, providing clear ownership and accountability. When an employee leaves the University, any university-purchased laptops, cell phones, etc. are to be returned to Computer Services for reimaging and reassignment after being retained for 30 days.

Software and Firmware Updates
- Automated Updates: Software and firmware updates will be automated wherever possible to ensure security patches and enhancements are promptly applied.
- Vulnerability Management: Vulnerability assessments will be conducted regularly to identify and address potential security risks, including outdated software and firmware.

Acquisition and Deployment
- Procurement: All IT equipment will be procured through authorized channels and in compliance with university procurement policies. All technology equipment purchases must have prior approval by Computer Services.
- Inventory Updates: Upon acquisition, IT equipment will be promptly recorded in FreshService, including details such as purchase date, warranty information, and initial software configurations.

Maintenance and Repairs
- Scheduled Maintenance: Routine maintenance schedules will be established to ensure the proper functioning and longevity of IT assets.
- Asset Repairs: Assets requiring repairs will be promptly reported and addressed through the IT helpdesk. Maintenance and repair records will be maintained in FreshService.

Decommissioning and Disposal
- End-of-Life Process: IT assets reaching the end of their lifecycle will be decommissioned following approved procedures.
- Secure Data Erasure: Prior to disposal or transfer, all data on IT equipment will be securely wiped to prevent data breaches.
- E-waste Disposal: Disposal of IT equipment will comply with environmental regulations and follow ethical e-waste disposal practices.

Policy Compliance
Non-compliance with this policy may result in disciplinary actions, including but not limited to restricted access to IT assets or university systems.

Policy Review and Updates
This policy will be reviewed annually and updated as necessary to ensure its effectiveness and alignment with industry best practices.

Policy Communication and Training
All university staff and relevant stakeholders will receive training and be informed of this policy to ensure its proper implementation.

Responsibility and Accountability
The IT department is responsible for the overall management and implementation of this policy, including ensuring FreshService's proper utilization for asset tracking.

Reporting and Escalation
Procedures for reporting issues, discrepancies, or concerns related to IT equipment asset management will be established and communicated to university staff.

This IT Equipment Asset Management Policy ensures that Rockhurst University's IT assets are effectively tracked, maintained, and associated with individuals when applicable. It also promotes security through software/firmware updates and environmentally responsible disposal practices.

Last Review Date 2025/03/10
-
Information Technology Incident Response Plan for Rockhurst University
Purpose
The purpose of this Incident Response Plan is to provide guidelines for Rockhurst University Computer Services to effectively respond to and manage computer security incidents. This plan outlines the key steps and responsibilities involved in incident response, including root cause analysis, forensic analysis, and lessons learned.

Scope
This plan applies to all computer security incidents that occur within Rockhurst University Computer Services. It encompasses incidents related to unauthorized access, data breaches, malware infections, network intrusions, and any other security-related events that may impact the confidentiality, integrity, or availability of university systems and data.

Incident Response Process
- Detection and Reporting: Computer Services staff, end users, or security monitoring systems should promptly report any suspected or observed security incident to the designated incident response team. Incidents can be reported via email, phone, or an incident reporting system established by Computer Services.
- Incident Triage and Assessment: The incident response team will triage and assess reported incidents to determine their severity and potential impact. The initial assessment will involve gathering the necessary information about the incident, such as the affected systems, the nature of the incident, and any initial indicators of compromise (IOCs).
- Incident Containment and Mitigation: Upon assessing the incident, the incident response team will take immediate steps to contain and mitigate the incident's impact. This may involve isolating affected systems from the network, disabling compromised accounts, or implementing temporary security measures to prevent further unauthorized access or data loss.
- Root Cause Analysis: Once the incident is contained and mitigated, the incident response team will conduct a root cause analysis to determine the underlying cause(s) of the incident. The analysis will involve examining the systems, logs, and other relevant evidence to identify vulnerabilities, configuration errors, or human factors that contributed to the incident. The findings from the root cause analysis will be documented for further remediation and prevention.
- Forensic Analysis: In more severe or complex incidents, a forensic analysis may be conducted to gather evidence, preserve data integrity, and support potential legal proceedings. Forensic analysis may involve the collection and examination of system logs, network traffic, disk images, or other digital artifacts to reconstruct the incident timeline, identify the attacker(s), and gather additional evidence.
- Incident Resolution and Recovery: Based on the root cause and forensic analysis, appropriate measures will be taken to resolve the incident and restore affected systems to a secure and operational state. Recovery activities may include system patching, malware removal, data restoration from backups, and the implementation of additional security controls.
- Lessons Learned: After the incident is resolved, the incident response team will conduct a lessons learned session to evaluate the effectiveness of the response and identify areas for improvement. The session will involve reviewing the incident handling process, response actions, and communication procedures. Recommendations for process enhancements, training needs, or technical improvements will be documented and incorporated into future incident response planning.

Responsibilities
Incident Response Team: The incident response team, consisting of designated members from Rockhurst University Computer Services, will be responsible for coordinating and executing incident response activities according to this plan. Team members will have specific roles and responsibilities defined within the incident response plan.

Policy Compliance
Failure to comply with this plan may result in delayed incident response, increased impact, or recurring incidents. All Computer Services staff and relevant stakeholders are required to familiarize themselves with this plan and adhere to the prescribed incident response procedures.

Plan Review
This incident response plan will be reviewed periodically and updated as necessary to reflect changes in technology, best practices, or regulatory requirements. Any proposed changes to this plan must be reviewed and approved by [appropriate authority].

By following this Incident Response Plan, Rockhurst University Computer Services aims to effectively respond to security incidents, minimize damage, and enhance the overall security posture of the university's computer systems and data.

Last Review Date 07/01/2024
-
Information Technology Procurement Policy for Rockhurst University
This policy applies to the purchase of all computer-related hardware, software, or services that are to be accessed on a university-owned device, whether or not that device connects to Rockhurst University's computer network.

I. Purpose
The purpose of this policy is to ensure that the procurement of information technology hardware, software, and computing services follows established Rockhurst University policies and guidelines; that due diligence is performed to ensure compatibility with existing systems and policies; that confidential data is secure in flight and at rest; that data recovery plans are in place; that appropriate plans are associated with technology acquisition; and that the approval of the Associate Vice President of Information Technology (CIO) is obtained prior to issuance of a purchase order or a direct purchase.

This policy applies to all technology resources and related services owned, used, leased, or operated by the University, regardless of the source of funding, location, or intended purpose. These resources include but are not limited to:
- Computers and servers of any form factor
- Software and information systems, whether installed on the device or accessed via a cloud service
- Technology services, consulting, and software maintenance contracts
- Peripheral equipment (e.g., printers, scanners, etc.)
- Network devices; televisions, audio-visual equipment, surveillance cameras, AV room controls, and projection equipment
- Door locking, alarm, and environmental monitoring equipment attached to the Rockhurst network

II. Policy
The CIO will establish and follow University policy and guidelines for technology procurement. The technology procurement process will follow established procurement and property management processes approved by the Chief Financial Officer. The approval of the CIO shall be obtained before any large technology purchase of standard software, hardware, and services as defined in section IV.A of this policy. The approval of the CIO shall be obtained before any new technology is acquired for the university as defined in section IV.B of this policy. A legal review is required prior to the execution of any new or modified contract. The CIO will identify and publish approved technology and provide procedures for technology acquisition. Purchases of technology for campus use must be coordinated through Physical Plant Purchasing and Information Technology Services.

III. Exclusions
There are no exclusions. The CIO has the sole authority to make exceptions, in writing, to this policy.

IV. Procedures

A. Standard Approved Software, Hardware and Services
Computer Services will establish and maintain a website of acceptable computer technology standards, models, and vendors. The website will contain appropriate instructions, forms, and information for the purpose of acquiring technology resources. When technology is approved as a campus standard, it is pre-approved for procurement without additional consideration by Information Technology or Physical Plant Purchasing.

B. Non-Standard Software, Hardware and Services
If the requested technology is not listed as a current standard, it is non-standard. Deviation requests for non-standard hardware and software must be made using the Help Desk ticketing process and must be approved by the Dean or department head before coming to Computer Services for final approval. To request a technology deviation, follow this process:
- Review the Information Technology Procurement Policy for Rockhurst University to ensure a clear understanding of the guidelines and procedures.
- Prepare a comprehensive business case if you wish to request a variation from the standard laptop configuration. This case should outline the specific reasons for deviating from the standard device typically issued by Rockhurst Computer Services.
- Contact Computer Services via our ticketing system to discuss your procurement needs, seek clarification, and initiate the approval process.
- Should your procurement request be approved, you will receive further instructions on how to proceed with obtaining the non-standard technology.

Non-standard software may not be supported by Information Technology. Before purchasing non-standard software, the purchaser must identify the source of support for the software being purchased. Purchase of non-standard technology components is allowed; however, such purchases should be minimized as much as reasonably possible. The purchase of non-standard technology components must be justified by the existence of special circumstances that require it. Also, the purchaser of a non-standard technology component must document the source of support for the component before the purchase will be approved.

C. Workstation and Laptop Replacement Guidelines
Refer to Rockhurst's Faculty and Staff Technology Equipment Policy.

D. Information Systems Software
Information Systems software is software that fulfills a specific business purpose, depends on integration with other sources of information, and is typically used by more than one person. All Information Systems must be evaluated and approved by Computer Services before purchase. Examples of Information Systems are: student information systems (Banner), Customer Resource Management (Slate), and learning management systems (Canvas). When an application software package is considered for purchase, it must be evaluated in terms of its fit with the campus environment (operating hardware requirements, database management system, operating system requirements, Web environment requirements), legal/FERPA considerations, and the support requirements associated with the package.

Last Review Date 2025/03/13
-
Information Technology Risk Management Policy for Rockhurst University
Introduction: Rockhurst University recognizes the importance of conducting risk assessments to identify and evaluate risks to the security, confidentiality, and integrity of nonpublic personal information (NPI) and student FERPA educational records. This Risk Assessment and Management Process outlines the steps involved in conducting effective risk assessments to ensure the protection of sensitive data.

Scope: This process applies to all individuals and entities associated with Rockhurst University who handle or have access to systems and data containing NPI and student educational records, including faculty, staff, students, contractors, and any external parties with access to university systems or sensitive data.

Risk Assessment Objectives: The primary objectives of Rockhurst University's Risk Assessment and Management Process are as follows:
- Identify and assess risks to the security, confidentiality, and integrity of NPI and student FERPA educational records.
- Evaluate the potential impact and likelihood of identified risks.
- Prioritize risks based on their level of significance and potential impact.
- Develop appropriate risk mitigation strategies and controls.
- Monitor and review risks periodically to ensure the ongoing effectiveness of mitigation measures.

Risk Assessment Process: The risk assessment process consists of the following steps:

1. Establish the Risk Assessment Team: Designate a cross-functional team responsible for conducting risk assessments. The team may include representatives from information security, IT, data custodians, legal, compliance, and other relevant departments. Ensure that team members possess the necessary expertise and knowledge of the university's systems, data, and regulatory requirements.

2. Identify Assets and Data: Identify and document the assets and systems that store, process, or transmit NPI and student FERPA educational records. Classify the sensitivity and criticality of the identified assets and data.

3. Identify Threats and Vulnerabilities: Identify and assess potential threats and vulnerabilities that could impact the security, confidentiality, and integrity of NPI and student educational records. Consider both internal and external threats, including malicious activities, natural disasters, human errors, and technological failures. Evaluate existing controls and safeguards to determine their effectiveness in mitigating identified threats and vulnerabilities.

4. Assess Risk Impact and Likelihood: Evaluate the potential impact and likelihood of each identified risk. Consider the potential harm, financial impact, reputational damage, legal and regulatory consequences, and the likelihood of occurrence. Assign a risk rating or score to each identified risk based on its impact and likelihood.

5. Prioritize Risks: Prioritize risks based on their risk rating or score. Focus on risks with the highest impact and likelihood, as they pose the most significant threat to the security, confidentiality, and integrity of NPI and student educational records.

6. Develop Risk Mitigation Strategies: Develop risk mitigation strategies and controls to address the identified risks. Determine the most appropriate and feasible controls, taking into account cost-effectiveness, regulatory requirements, and organizational capabilities. Document the recommended controls and their implementation timelines.

7. Implement and Monitor Controls: Implement the recommended controls in accordance with the defined timelines. Establish monitoring mechanisms to regularly assess the effectiveness of implemented controls. Monitor changes in the risk landscape and adjust controls as necessary.

8. Review and Update: Conduct periodic reviews of the risk assessment process to ensure its effectiveness and relevance. Update the risk assessment documentation to reflect changes in the university's systems, data, or regulatory requirements.

Documentation and Reporting: Maintain comprehensive documentation of the risk assessment process, including identified risks, risk ratings, mitigation strategies, and control implementation. Generate reports summarizing the results of risk assessments, including prioritized risks and recommended mitigation actions, for review by management, stakeholders, and auditors.

Training and Awareness: Provide training and awareness programs to educate employees and relevant individuals about the risk assessment process, their roles and responsibilities, and the importance of protecting NPI and student educational records.

Policy Review and Updates: Periodically review and update the Risk Assessment and Management Process to align with evolving threats, technologies, and regulatory requirements.

By following this Risk Assessment and Management Process, Rockhurst University aims to proactively identify and mitigate risks to the security, confidentiality, and integrity of NPI and student educational records, ensuring the protection of sensitive data and compliance with applicable regulations.

Last Review Date 2025/04/10
-
Information Technology Service Requests Policy for Rockhurst University
Introduction
Purpose: This policy establishes the guidelines for submitting Information Technology (IT) service requests at Rockhurst University to ensure a standardized and efficient process for managing IT work.
Scope: This policy applies to all members of Rockhurst University who require IT services or support from the Computer Services team.

Types of Service Requests
The following services may be requested as part of this process.
- Account and Access Issues: Requests related to creating new user accounts, resetting passwords, and granting or revoking access to various university systems and resources.
- Network and Internet Connectivity: Requests for troubleshooting network connectivity issues, configuring wireless access, and resolving internet connectivity problems in campus buildings and dormitories.
- Email and Collaboration Tools: Support for email account setup, email client configuration, and assistance with collaboration tools like Microsoft Office 365, Google Workspace, or university-specific platforms.
- Software and Application Support: Assistance with installing, configuring, and troubleshooting software applications used by students and faculty for academic purposes. This may include specialized software for specific disciplines and is limited to the software supported by Computer Services.
- Hardware and Device Support: Help with hardware-related issues, such as malfunctioning computers, printers, scanners, projectors, and other peripherals. IT staff may provide troubleshooting, repairs, or recommendations for hardware upgrades.
- Learning Management Systems (LMS): Support for the university's learning management system, Canvas, in conjunction with the eLearning Department. This includes assistance with course setup, user enrollment, and troubleshooting LMS-related issues.
- Classroom and Meeting Technology: Support for audiovisual equipment, multimedia projectors, interactive whiteboards, and other technology used in classrooms, lecture halls, labs, and other gathering spaces on campus.
- Security and Data Protection: Requests related to cybersecurity, such as reporting phishing attempts, addressing malware infections, and ensuring data protection measures are in place. IT staff may also provide guidance on best practices for secure computing.
- Portal Support: Assistance with university websites, student portals, and online learning platforms. This may involve troubleshooting issues, updating content, and providing guidance on website navigation.

Service Request Process
- Help Desk Ticketing System: All IT service requests must be submitted through the designated Help Desk ticketing system.
- Required Information: Service request submissions must include the information necessary for proper handling and prioritization.
- Ticket Tracking: Each service request will be assigned a unique ticket number for tracking purposes throughout its lifecycle.

Request Details
- Business Details: Describe the business purpose or reason for the requested IT service, including any relevant background information.
- Vendor and Product Information: If applicable, provide details about vendors or specific products related to the service request.
- Funding Source: Indicate the funding source for the requested IT service, such as a specific department, project, or budget allocation.
- Due Date (if known): If a specific due date is known or required, it should be clearly communicated in the service request.

Software Purchases
- Minimal Requirements: All software purchases must meet the minimal software and hardware requirements specified by the Computer Services team.
- Approval Process: Software purchases will go through an approval process to ensure compatibility, licensing compliance, and alignment with university policies and standards.

Requirements Meeting and Target Date
- Requirements Meeting: Computer Services will schedule a requirements meeting with the requestor to fully understand the need and gather additional information.
- Target Date: Based on resource availability and shipping pipeline constraints, Computer Services will provide an approximate target date for the completion of the requested IT service.

Change Management
- Change Documentation: All significant changes resulting from IT service requests must be documented, including the details of the change, impact analysis, and implementation plan.
- Change Approval: Changes that may have a significant impact on systems or infrastructure must go through the appropriate change management approval process.

Compliance and Review
- Compliance with Policies: Ensure that all IT service requests adhere to relevant policies, procedures, and compliance requirements.
- Periodic Review: Conduct regular reviews of the IT service request process to identify areas for improvement, streamline workflows, and enhance customer satisfaction.

Training and Awareness
- User Training: Computer Services may assist with finding training programs to educate users on the proper submission and management of IT service requests.
- Awareness Campaigns: Conduct awareness campaigns to promote the use of the Help Desk ticketing system and provide guidance on submitting comprehensive service requests.

Compliance and Enforcement
- Non-Compliance: Failure to comply with this policy may result in delays or prioritization changes for service requests, or may require resubmission of incomplete requests.
- Policy Review: This policy will be periodically reviewed and updated to reflect changes in technology, industry best practices, and the needs of Rockhurst University.

Note: This policy provides a general framework for IT service requests specific to Rockhurst University's requirements. It is advisable to consult with the IT department and relevant stakeholders to customize the policy based on the university's specific needs and align it with industry best practices.

Last Review Date 07/01/2024
-
Information Technology Vendor Management Policy for Rockhurst University
Introduction

Purpose: This policy outlines the best practices for managing IT vendors at Rockhurst University to ensure the security and safety of student (FERPA), employee, and financial information.

Scope: This policy applies to all IT vendors engaged by Rockhurst University.

Vendor Selection

Evaluation Process: A comprehensive evaluation process will be followed to select vendors based on their capabilities, experience, and security measures.
Security Assessment: Vendors must undergo a thorough security assessment to ensure they have appropriate controls in place to protect sensitive information.
Contractual Requirements: Contracts with vendors should include clauses that outline their responsibilities for protecting data confidentiality, integrity, and availability, including compliance with the Family Educational Rights and Privacy Act (FERPA).

Security and Privacy Requirements

Data Protection: Vendors must implement appropriate technical and organizational measures to safeguard student (FERPA), employee, and financial data against unauthorized access, disclosure, alteration, and destruction.
Compliance with Laws and Regulations: Vendors must comply with relevant data protection laws (including FERPA), regulations, and industry standards.
Incident Response: Vendors must have an incident response plan in place to respond effectively to security incidents and minimize their impact.

Documentation and Testing

Required Documentation:
Security Policies: Vendors should provide their security policies, including information on access controls, data classification, incident response, and disaster recovery.
Risk Assessment: Vendors should conduct regular risk assessments to identify potential vulnerabilities and implement appropriate controls.
Security Awareness Training: Vendors should provide evidence of security awareness training for their employees.
Third-Party Audits: Vendors should provide documentation from independent third-party audits to validate their security practices.

Testing:
Vulnerability Assessments: Vendors must conduct regular vulnerability assessments to identify and address security weaknesses.
Penetration Testing: Vendors should perform periodic penetration tests to identify vulnerabilities that could be exploited by malicious actors.
Compliance Audits: Vendors must undergo regular audits to ensure compliance with security and privacy requirements.

Ongoing Vendor Management

Vendor Classification:
Critical Vendors: Vendors providing services critical to Rockhurst University's core operations, such as student information systems or financial systems, will receive heightened scrutiny and monitoring.
Non-Critical Vendors: Vendors providing services that are less critical, such as office supplies or non-sensitive software, will still undergo assessment and monitoring, but to a lesser extent.

Review and Monitoring:
Critical Vendor Review: Critical vendors will undergo periodic reviews, at least annually, focusing on their security controls, incident response, and compliance with contractual obligations.
Non-Critical Vendor Monitoring: Non-critical vendors will be monitored periodically to ensure ongoing compliance with security and privacy requirements.

Incident Reporting: Vendors must promptly report any security incidents or breaches that could impact the confidentiality, integrity, or availability of Rockhurst University's data.
Contractual Review: Vendor contracts, especially those with critical vendors, should be periodically reviewed and updated to reflect changes in security requirements, technology, and the legal and regulatory landscape.

Termination and Transition

Exit Strategy: Vendor contracts should include provisions for an orderly termination process, including the return or destruction of all sensitive data.
Data Backup: Vendors should provide a comprehensive data backup plan to ensure the availability and recoverability of Rockhurst University's data upon termination.

Vendor Rating

Criticality Assessment: Vendors providing critical services will be rated based on their importance to Rockhurst University's core operations and the potential impact of their service disruptions.
Performance Evaluation: Critical vendors will undergo regular performance evaluations, assessing their service quality, responsiveness, and compliance with contractual obligations.

Training and Awareness

Training Programs: Rockhurst University may provide training programs to educate employees about the importance of vendor management, security risks, and their responsibilities in maintaining data confidentiality.
Awareness Campaigns: Regular awareness campaigns will be conducted to keep employees informed about the potential risks associated with vendor engagements.

Compliance and Enforcement

Non-Compliance: Non-compliance with this policy may result in termination of vendor contracts and legal action if necessary.
Policy Review: This policy will be periodically reviewed and updated to reflect changes in technology, regulations, and best practices.

Note: This policy provides a general framework for IT vendor management specific to Rockhurst University's requirements. It is advisable to consult with legal, security, and compliance professionals when implementing and customizing vendor management practices.

Last Review Date 07/01/2024
-
Network Account Onboarding and Termination Policy for Rockhurst University (Employee/Emeritus/Contractor)
Introduction: Effective change management policies for information technology (IT) are critical for ensuring that changes are made in a controlled and consistent manner, minimizing the risk of errors, system failures, and security breaches. This policy will outline the steps that need to be taken to manage changes to IT systems manually.

Purpose: The purpose of this policy is to establish a standard process for managing changes to IT systems manually. This policy ensures that any changes to IT systems are documented, tested, and approved before being implemented to reduce the risk of errors, outages, and data breaches.

Scope: This policy applies to all personnel who are responsible for managing changes to IT systems manually.

Policy:

Access Requests: All new employees who require access to university networks must submit an access request form to the IT department. The form should include the employee's name, job title, department, and reason for access.

Faculty - Network accounts may be established no earlier than 45 days before classes start, by HR updating the current hire date in Banner PEAEMPL. Future hires can be set up at any time in Banner, but their network accounts will not be turned on earlier than 45 days before they actually start. An exception process for full-time faculty to obtain network access earlier than 45 days prior to their actual start date is provided on a case-by-case basis by the CIO: the Dean's office will update the SIAINST Faculty Status Validation field to "TM" for "Temporary Network Access", and access will be granted promptly, within one business day after the SIAINST record has been updated.

Staff - Network accounts will be suspended on the termination date, with the option of managerial review for a limited period not to exceed 30 days, or at any time by management authorization via the HR current hire date in Banner PEAEMPL. If accounts are inactive after 90 days, the account will be suspended and will be turned back on after contacting Computer Services.

Emeritus - Employees designated with Emeritus status will be granted a university email account and access to base Microsoft Office products. Former employees can only be granted this role by the President of the university.

Access Approval: Access requests must be approved by the employee's supervisor and the IT department. The IT department will verify the employee's identity and confirm that the employee has a legitimate business need for network access.

Access Levels: The IT department will grant network access based on the employee's job responsibilities. Access levels should be reviewed periodically and adjusted as necessary.

Usernames and Passwords: The IT department will assign usernames and passwords to new employees for network access. Passwords must be strong and changed periodically. Employees should not share their usernames and passwords with anyone.

Training: All new employees must receive training on network security policies and procedures before they are granted access. Annual recurring training will be mandated to retain a network account.

Termination: When an employee leaves the University, their network access must be terminated immediately. The IT department must be notified of the employee's departure as soon as possible. Network access must also be terminated for employees who are transferred to another department or who no longer require access. All network termination requests must be submitted via a ticket to the Rockhurst Help Desk.

Faculty - Network accounts will be suspended 60 days after termination, or by management authorization via HR updating the termination date in PEAEMPL. If accounts are inactive after 60 days, the account will be suspended and will be turned back on after contacting Computer Services. Accounts that have been suspended for 1 year will be removed along with all personal files associated with the account. An exception process for former faculty to retain network access after their departure is provided on a case-by-case basis by the CIO: the Provost's office will provide a written request to retain a former faculty account with a defined future date on which the access may be terminated. This date will also be recorded in Banner by the Dean's office entering a future termination date in PEAEMPL.

Staff - Network accounts will be suspended on the termination date, with the option of managerial review for a limited period not to exceed 30 days, or at any time by management authorization via the HR current hire date in Banner PEAEMPL. If accounts are inactive after 60 days, the account will be suspended and will be turned back on after contacting Computer Services. Accounts that have been suspended for 1 year will be removed along with all personal files associated with the account.

Data Removal: The IT department must remove all University data from the employee's devices when their network access is terminated. This includes laptops, mobile devices, and any other equipment provided by the University. Cloud storage will be made available to all active network accounts. Once an account has been disabled, all data storage associated directly with the inactive network account will be deleted after 6 months, after which it will not be recoverable. It is the responsibility of the business unit to ensure important information is stored only on a department share drive or is transferred to a permanent location before the data is no longer recoverable.

Monitoring: The IT department will monitor network activity to ensure compliance with network security policies and to detect any unauthorized access attempts.

Consequences of Violations: Violations of network security policies may result in disciplinary action, up to and including termination of employment.

Conclusion: By implementing a Network Access Onboarding and Termination Policy, Rockhurst University can ensure the security of its networks and protect sensitive data from unauthorized access. It is important to review and update this policy periodically to ensure that it remains effective in meeting the University's needs.

Last Review Date 2024/09/30
-
Network Account Password Policy for Rockhurst University
Overview

Passwords are a critical aspect of electronic security, forming the front line of protection for user accounts. A poorly chosen password can result in the compromise of Rockhurst University's entire network. As such, all Rockhurst University students and employees (including contractors and vendors with access to Rockhurst University systems) are responsible for selecting and securing their passwords.

Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

Scope

This policy governs all faculty, students, staff, vendors, contractors, and any other person allowed access to Rockhurst University information assets. All University personnel and external parties involved with using, requesting, approving, or accessing Rockhurst University information assets should be aware of this policy.

Each user must set a unique password for access to Rockhurst University's electronic systems. A user should never divulge their password to another person, whether verbally or in a text message, and should never reuse their password on non-Rockhurst accounts. Passwords and any other sensitive information should never be included in an e-mail message, as most e-mail messages travel the internet in clear text.

General Password Requirements

All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least annually, or immediately if a password has been compromised.

Each password must exhibit complexity by:
Not containing all or part of the user's account name
Not containing commonly used passwords or dictionary words in the organizational block list
Containing characters from three of the following four categories:
    Uppercase characters (A through Z)
    Lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Special characters, limited to *, !, @, #, $, %, & (no spaces or other punctuation or special characters)
Not being one of the user's last 5 passwords
Being a minimum of 12 characters long

Users will be locked out if there are more than 5 unsuccessful logon attempts within an hour. All temporary passwords must be changed at first logon. If an account or password is suspected to have been compromised, report the incident to IT Services and immediately change all associated passwords. Your Rockhurst password can be changed by going to https://my.rockhurst.edu and clicking the appropriate forgot-password link under the login information.

Automated password guessing may be performed on a periodic or random basis by IT Services Management or its delegates. If a password is guessed during one of these scans, the user will be required to change it.

Technology-specific Password Requirements

All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a biennial (every other year) basis. All production system-level passwords must be part of the IT Services administered global password management database. Applications with sensitive data will have automatic log-offs after a predetermined period of inactivity; username and password will be required for re-authentication. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a password distinct from all other accounts held by that user.

Username and password combinations must not be inserted into email messages or other forms of electronic communication unless the message is encrypted.

Where SNMP (Simple Network Management Protocol) is used to monitor servers, network, and storage devices, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used for interactive logins. A keyed hash, or SNMP user accounts and encryption, must be used where available (e.g., SNMP v2 or SNMP v3).

Application developers must ensure their programs contain the following security precautions. All applications:
should support authentication of individual users, not groups;
should not store passwords in clear text or in any easily reversible form;
should provide for some sort of role management, so that one user can take over the functions of another user without having to know the other's password;
should support Active Directory or SAMLv2 and, wherever possible, multifactor authentication.

University faculty, staff, students, vendors, and contractors are expected to implement this policy and follow the guidelines provided by the Rockhurst University Acceptable Use Policy, in conjunction with any additional policies, procedures, and guidelines provided on the Information Technology Services website. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Exceptions

Exceptions to this policy may be granted to individuals or departments that manage and maintain their own IT resources. Please contact the Computer Services Help Desk, helpdesk@rockhurst.edu, to request an exception.

Last Review Date 2025/03/18
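As an added illustration (not part of the policy and not code from any Rockhurst system), the Python below encodes the general password requirements and the lockout rule above as a checker that returns every rule a candidate password breaks, plus a sliding-window lockout tracker. The block list, the sample account names, the SHA-256 history hashing and the "three or more characters" reading of "part of the account name" are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import timedelta

MIN_LENGTH = 12
HISTORY_DEPTH = 5                    # must not be one of the user's last 5 passwords
ALLOWED_SPECIALS = set("*!@#$%&")    # the only special characters the policy allows
LOCKOUT_ATTEMPTS = 5                 # more than 5 failed logons within an hour locks the account
LOCKOUT_WINDOW = timedelta(hours=1)

# Constructed sample of the organizational block list (a real list is far larger).
BLOCK_LIST = {"password", "rockhurst", "welcome", "letmein", "qwerty"}


def history_entry(password):
    """Hash a password for the reuse history so old passwords are never stored in clear text.
    SHA-256 keeps the example self-contained; a real system keeps the slow, salted hash it
    already uses for authentication."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, account_name, history):
    """Return the policy rules a candidate violates (empty list == compliant).
    `history` holds history_entry() values of earlier passwords, oldest first."""
    problems = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # "All or part of the user's account name": the whole name plus any fragment of
    # three or more characters (an assumption about what "part" means).
    fragments = [f for f in re.split(r"[^a-z0-9]+", account_name.lower()) if len(f) >= 3]
    if account_name.lower() in lower or any(f in lower for f in fragments):
        problems.append("contains_account_name")
    if any(word in lower for word in BLOCK_LIST):
        problems.append("blocklisted")
    categories = [
        any(c.isupper() for c in password),            # A-Z
        any(c.islower() for c in password),            # a-z
        any(c.isdigit() for c in password),            # 0-9
        any(c in ALLOWED_SPECIALS for c in password),  # listed specials only
    ]
    if sum(categories) < 3:
        problems.append("insufficient_complexity")
    # Only ASCII letters, digits and the listed specials: no spaces or other punctuation.
    if any(not (c.isascii() and c.isalnum()) and c not in ALLOWED_SPECIALS for c in password):
        problems.append("disallowed_characters")
    if history_entry(password) in history[-HISTORY_DEPTH:]:
        problems.append("reused")
    return problems


class LockoutTracker:
    """Sliding-window lockout: locked once more than LOCKOUT_ATTEMPTS failed logons
    fall inside the last LOCKOUT_WINDOW."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of failed logons

    def _recent(self, account, now):
        window = self._failures[account]
        while window and now - window[0] > LOCKOUT_WINDOW:
            window.popleft()                 # drop failures older than the window
        return window

    def record_failure(self, account, when):
        self._recent(account, when).append(when)

    def is_locked(self, account, now):
        return len(self._recent(account, now)) > LOCKOUT_ATTEMPTS
```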