Rockhurst University Computer Services Policies
-
Network Usage Policy for Rockhurst University
Purpose
The purpose of this policy is to ensure the secure and efficient use of Rockhurst University’s network resources. It aims to protect the integrity, confidentiality, and availability of information while promoting a safe and lawful environment for students, faculty, and staff.

Scope
This policy applies to all users of the Rockhurst University network, including students, faculty, staff, contractors, and guests. It covers all devices that connect to the university’s network, whether owned by the university or by individuals.

Acceptable Use
Academic and Administrative Use: Network resources should primarily be used for educational, research, and administrative purposes that support the mission of the university.
Personal Use: Limited personal use is permitted as long as it does not interfere with network operations or violate any policies.
Prohibited Activities: Users must not engage in activities that are illegal, harmful, or that violate university policies. This includes, but is not limited to:
• Unauthorized access to systems, networks, or data
• Distribution of malware, viruses, or malicious software
• Copyright infringement
• Harassment, bullying, or stalking
• Distribution of obscene or offensive materials
• Any activity that could damage the university’s reputation

Security
Authentication: All users must use their unique university-provided credentials to access network resources. Sharing of credentials is strictly prohibited.
Password Management: Users must create strong passwords and change them regularly. Passwords should not be reused across multiple sites.
Device Security: All devices connected to the network must have up-to-date antivirus software, operating system updates, and appropriate firewall settings.
Data Protection: Sensitive information must be encrypted during transmission and storage. Users should follow the university’s data classification and handling guidelines.

Monitoring and Privacy
Network Monitoring: The university reserves the right to monitor network traffic to ensure compliance with this policy, protect network integrity, and perform necessary maintenance.
Privacy: While the university respects the privacy of users, it may access user accounts and data under specific circumstances, such as compliance with legal requirements or investigations of policy violations.

Compliance with Laws and Regulations
Local and Federal Laws: Users must comply with all applicable local and federal laws, including but not limited to the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and the General Data Protection Regulation (GDPR) where applicable.
Reporting Violations: Users are encouraged to report any suspected violations of this policy or security incidents to the university’s IT department immediately.

Policy Review and Updates
This policy will be reviewed annually and updated as necessary to ensure compliance with evolving laws, regulations, and best practices.

Contact Information
For questions or more information about this policy, please contact Rockhurst University Computer Services at (816) 501-4357.

Last Review Date 07/15/2024
-
OneDrive Access and Sharing Policy for Rockhurst University
Purpose and Scope
This policy outlines the guidelines and procedures related to accessing and sharing files stored on personal OneDrive accounts within Rockhurst University. The policy is applicable to all faculty, staff, contractors, and other individuals affiliated with the university who utilize the institution's IT resources.

Personal Drive Access
Direct access to an individual’s personal OneDrive account by another university affiliate or any external entity is strictly prohibited. Computer Services will not facilitate requests to grant direct access to personal OneDrive accounts, barring exceptional circumstances that have received clearance from university senior management. University affiliates are solely responsible for managing the contents of their personal OneDrive accounts and are required to ensure compliance with all relevant Rockhurst University data protection and privacy policies.

File Sharing from Personal Drives
Sharing requests for currently employed individuals will not be granted by Computer Services. Instead, these requests must be directed to the owner of the account. If a university affiliate requires specific files or documents from another's OneDrive, they should directly contact the owner of that account. Owners of OneDrive accounts can share specific files as necessary, either via email or using OneDrive's sharing feature. Only the specifically required files should be shared. All file sharing must be in alignment with Rockhurst University's data protection and privacy policies. Unauthorized sharing of sensitive or classified information could result in disciplinary proceedings. Computer Services is available to provide guidance on safe and efficient file-sharing practices upon request.

Responsibilities
Computer Services is tasked with overseeing this policy and ensuring university-wide compliance. All university affiliates must familiarize themselves with and adhere to this policy. Non-compliance may lead to disciplinary action in accordance with Rockhurst University's internal regulations.

Data Storage Retention
Cloud storage will be made available to all active network accounts. Once an account has been disabled, all data storage associated directly with the inactive network account will be deleted after 6 months, after which it will not be recoverable. It is the responsibility of the business unit to ensure important information is only stored on a department share drive or is transferred to a permanent location before the data is no longer recoverable.

Review
This policy will undergo a review on a triennial basis or when significant technological, operational, or regulatory changes demand its revision.

Last Review Date 2024-09-11
-
Phishing Response Policy for Rockhurst University
1. Purpose
To outline the procedures for responding to phishing campaigns targeting Rockhurst University to minimize their impact and ensure a swift recovery.

2. Scope
This policy applies to all faculty, staff, students, and any other stakeholders who use Rockhurst University’s information systems.

3. Policy Statement
Rockhurst University is dedicated to protecting its community from phishing attacks. This policy provides a structured response to phishing incidents to mitigate their effects and protect sensitive information.

4. Definitions
Phishing: A malicious attempt to acquire sensitive information by posing as a trustworthy entity.
Spear Phishing: A targeted attempt aimed at specific individuals or departments.
Incident Command System (ICS): A group of individuals tasked with handling security incidents.

5. Detection and Reporting
Detection Mechanisms: Utilize email filters, SIEM systems, and other monitoring tools to detect potential phishing attempts.
Reporting Procedures:
• Email Reporting: If an email is suspected to be a phishing attempt, forward it to phishing@rockhurst.edu.
• Hotline Reporting: Call the dedicated phishing hotline at [insert hotline number].
• Online Form: Complete the phishing incident report form available on the university’s intranet.

6. Immediate Response
Initial Assessment: The ICS will quickly assess the reported phishing attempt to determine its legitimacy and scope.
Containment Measures:
• Block the sender’s email address.
• Disable any malicious links.
• Isolate compromised systems from the network.
Communication: Inform potentially affected users and provide instructions on how to proceed.

7. Investigation
Evidence Collection: Gather all relevant information, including email headers, URLs, and affected systems.
Analysis: Determine the phishing attack’s origin, the methods used, and the extent of the compromise.
User Impact Assessment: Identify which users might have been affected and what information may have been compromised.

8. Remediation
Password Resets: Promptly reset passwords for affected accounts.
System Restoration: Restore any compromised systems to their last known good state using backups.
Security Patches: Apply necessary security patches to prevent similar incidents.

9. Communication and Support
Internal Communication: Keep the university community informed about ongoing phishing threats and provide updates on the response efforts.
Support Services: Offer support services to affected individuals, including guidance on monitoring for identity theft and assistance with any needed recovery actions.

10. Post-Incident Review
Debriefing Session: Conduct a debriefing session with the ICS to review the incident and response actions.
Root Cause Analysis: Perform a root cause analysis to understand how the phishing attack succeeded.
Policy and Procedure Updates: Update policies, procedures, and training programs based on lessons learned.

11. Training and Awareness
Continuous Education: Regularly update and conduct phishing awareness training for all university members.
Simulated Phishing Exercises: Conduct periodic phishing simulations to test and improve the community’s readiness and response.
Hints & Tips: Issue bi-weekly topics to keep security top of mind for all employees and students.

12. Continuous Improvement
Regular Audits: Perform regular security audits to ensure the effectiveness of phishing detection and response measures.
Feedback Collection: Gather feedback from the community to identify areas for improvement and enhance the response process.

13. Compliance and Enforcement
Adherence to Policy: All university members must adhere to this policy. Failure to do so may result in disciplinary actions as outlined in the university’s code of conduct.
Legal and Regulatory Compliance: Ensure all response actions comply with relevant legal and regulatory requirements.

14. Review and Revision
This policy will be reviewed annually and updated as necessary to address new threats, incorporate technological advancements, and include community feedback.
-
Physical Access Control Policy for Rockhurst University
Purpose
The purpose of this Physical Access Control Policy is to establish guidelines for Rockhurst University to ensure secure and controlled access to its buildings and rooms. This policy aims to maintain a safe environment, protect university resources, and safeguard sensitive information.

Scope
This policy applies to all students, employees, and contractors accessing Rockhurst University buildings and rooms. It encompasses access control systems, physical security measures, and procedures primarily controlled by Campus Security and secondarily by Rockhurst Computer Services.

Approval Process
Students: Student access to buildings and rooms will be primarily controlled by Student Development through automated processes sourced from the student information system at the beginning of each term. Students will be automatically granted access to the appropriate buildings and rooms based on their enrollment information. In special cases where additional access is required, students may submit a written request to Student Development, specifying the building and room access needed. Student Development will review and approve the written requests based on the provided justification. Student Development will collaborate with Rockhurst Computer Services to ensure that the approved access is properly configured in the access control system.
Employees: Employee access to buildings and rooms will be sourced from the human resources system and the student information system. Access permissions will be determined based on the employee's position and job responsibilities. Supervisors are required to provide written approval for their employees' access to specific buildings and rooms beyond standard access. The written approval from supervisors will be submitted to Rockhurst Campus Security for review and configuration in the access control system. Rockhurst Campus Security will ensure that access permissions align with the approved requests.
Contractors: Contractors requiring access to buildings and rooms must obtain written approval from their respective department heads. The department heads will review and approve access requests based on the project or service requirements. The written approval from department heads will be submitted to Rockhurst Campus Security for review and configuration in the access control system. Rockhurst Campus Security will ensure that access permissions align with the approved requests.

Building Access Card Issuance
Students: Student Development will issue building access cards to students at the beginning of each term or during special student campus events. The building access cards will be programmed with the appropriate access permissions based on the student's enrollment and any additional approved access requests.
Employees and Contractors: Rockhurst Computer Services will issue building access cards to employees and contractors. Building access cards will be programmed with the approved access permissions as per the written approvals received from supervisors or department heads.

Access Schedule and Exceptions
Campus Security will control the building access schedule for all campus buildings. Any exceptions to the access schedule, including after-hours access or special circumstances, must be coordinated with Campus Security. Campus Security is the primary point of contact for any access-related issues or exceptions. Rockhurst Computer Services will act as a secondary contact for Campus Security to assist with access control system management and support.

Responsibilities
Campus Security: Campus Security is responsible for maintaining and monitoring the access control systems, including access permissions, building access cards, and access schedules. Campus Security will enforce access control policies and respond to access-related inquiries or incidents.
Rockhurst Computer Services: Rockhurst Computer Services is responsible for managing the technical aspects of the access control systems, including system administration, software updates, and integration with other university systems. Rockhurst Computer Services will collaborate with Campus Security to ensure the seamless operation and security of the access control systems.

Policy Compliance
Failure to comply with this policy may result in restricted access privileges, disciplinary action, or legal consequences, depending on the severity of the violation. Any suspected policy violations should be reported to Campus Security for investigation.

Policy Review
This policy will be reviewed periodically and updated as necessary to reflect changes in technology, best practices, or regulatory requirements. Any proposed changes to this policy must be reviewed and approved by [appropriate authority].

By adhering to this Physical Access Control Policy, Rockhurst University aims to maintain a secure environment and protect its resources and information.

Last Review Date 07/01/2024
-
Physical Document and Electronic Media Disposal Policy for Rockhurst University
Purpose
The purpose of this Physical Document and Electronic Media Disposal Policy is to establish guidelines for Rockhurst University to ensure the secure disposal of physical documents and electronic media. This policy aims to protect sensitive information and maintain compliance with relevant laws and regulations, such as data privacy and security standards.

Scope
This policy applies to all departments, employees, contractors, and third-party vendors associated with Rockhurst University. It encompasses the disposal of physical documents, including paper records and printed materials, as well as electronic media, such as computer hard drives, USB drives, CDs, DVDs, and other storage devices.

Definitions
Physical Documents: Refers to any printed or written information, including but not limited to paper records, documents, and other physical media.
Electronic Media: Refers to any form of digital data storage, including computer hard drives, USB drives, CDs, DVDs, and other electronic storage devices.
Authorized Vendor: A reputable vendor authorized by Rockhurst University to handle the disposal of physical documents or electronic media.

Physical Document Disposal Procedures
All physical documents containing sensitive information must be securely shredded using cross-cut shredders or other approved methods before disposal. Departments and employees are responsible for identifying documents that contain sensitive information and ensuring their proper disposal. Sensitive information includes, but is not limited to, personally identifiable information (PII), financial data, medical records, student records, and any confidential or proprietary information. Designated collection points for physical documents should be established within each department or centralized areas for easy and secure disposal. Rockhurst University shall engage an authorized vendor specializing in secure document destruction services to collect, transport, and shred the disposed physical documents on a regular basis. The authorized vendor must provide a certificate of destruction for all shredded documents, indicating the date, time, and method of destruction.

Electronic Media Disposal Procedures
All electronic media must be securely wiped to remove all data before disposal. The wiping process must use industry-standard methods to ensure complete erasure and render the data irrecoverable. IT personnel or authorized third-party vendors shall perform electronic wiping using approved software or hardware tools. Prior to disposal, departments and employees are responsible for backing up any data they wish to retain from electronic devices. Rockhurst University shall engage an authorized vendor specializing in electronic media disposal to collect, transport, and securely wipe the disposed electronic media devices. The authorized vendor must provide a certificate of data erasure for all electronic media devices, indicating the date, time, and method of disposal.

Employee Awareness and Training
Rockhurst University will conduct regular security training and awareness programs to educate employees about the importance of physical document and electronic media disposal. Employees must be familiar with this policy and adhere to the prescribed procedures for the secure disposal of physical documents and electronic media. New employees should receive appropriate training on this policy during their onboarding process.

Policy Violations
Failure to comply with this policy may result in disciplinary action, which can include but is not limited to verbal or written warnings, suspension, termination, or legal action. Suspected violations of this policy should be reported to the appropriate department or supervisor.

Policy Review
This policy will be reviewed periodically and updated as necessary to reflect changes in technology, best practices, or regulatory requirements. Any proposed changes to this policy must be reviewed and approved by Rockhurst Computer Services.

By following this Physical Document and Electronic Media Disposal Policy, Rockhurst University aims to safeguard sensitive information, maintain compliance, and ensure the secure disposal of physical documents and electronic media.

Last Review Date 07/01/2024
-
Ransomware Response Policy for Rockhurst University
1. Purpose
To establish guidelines and procedures for responding to ransomware attacks to protect Rockhurst University’s information systems, minimize disruption, and ensure a swift recovery.

2. Scope
This policy applies to all faculty, staff, students, and other stakeholders who use Rockhurst University’s information systems.

3. Policy Statement
Rockhurst University is committed to safeguarding its digital assets and ensuring a rapid and effective response to ransomware incidents to protect sensitive data and maintain operational continuity.

4. Definitions
Ransomware: Malicious software designed to block access to a computer system or data until a sum of money is paid.
Incident Command System (ICS): A group of individuals responsible for managing and responding to security incidents.

5. Prevention and Preparedness
Regular Backups: Ensure regular backups of critical data are performed and securely stored offline.
Security Training: Conduct regular training sessions on recognizing and avoiding ransomware attacks.
Software Updates: Keep all systems and software updated with the latest security patches.
Access Controls: Implement strict access controls to limit access to sensitive information and critical systems.
Endpoint Protection: Deploy endpoint protection solutions to detect and block ransomware.

6. Detection and Reporting
Detection Mechanisms: Utilize intrusion detection systems (IDS), antivirus software, and network monitoring tools to identify potential ransomware infections.
Reporting Procedures:
• Immediate Reporting: Any suspected ransomware activity must be reported immediately to the ICS via the dedicated hotline or email (ransomware@rockhurst.edu).
• Incident Reporting Form: Complete the ransomware incident report form available on the university’s intranet.

7. Immediate Response
Initial Assessment: The ICS will assess the situation to confirm the presence of ransomware and determine its scope.
Containment Measures:
• Isolate infected systems from the network to prevent further spread.
• Disable shared drives and network connections of infected systems.
Communication: Notify affected users and relevant departments about the ransomware attack and provide instructions.

8. Investigation
Evidence Collection: Gather all relevant information, including logs, affected files, and screenshots of ransom messages.
Analysis: Determine the ransomware variant, methods of entry, and systems affected.
Impact Assessment: Identify the extent of data encryption and potential data loss.

9. Remediation
System Restoration: Restore infected systems and data from backups where possible.
Decryption: Explore decryption options if available. Contact cybersecurity experts or law enforcement if necessary.
Eradication: Remove the ransomware from all affected systems and apply security patches.

10. Communication and Support
Internal Communication: Keep the university community informed about the ransomware attack status and response efforts.
External Communication: Performed by campus leadership or the Marketing team.
Support Services: Provide support services to affected individuals, including data recovery assistance and counseling.

11. Post-Incident Review
Debriefing Session: Conduct a debriefing session with the ICS to review the incident and response actions.
Root Cause Analysis: Perform a root cause analysis to understand how the ransomware attack succeeded.
Policy and Procedure Updates: Update policies, procedures, and training programs based on lessons learned.

12. Continuous Improvement
Regular Audits: Perform regular security audits to ensure the effectiveness of ransomware prevention and response measures.
Feedback Collection: Gather feedback from the community to identify areas for improvement and enhance the response process.

13. Compliance and Enforcement
Adherence to Policy: All university members must adhere to this policy. Failure to do so may result in disciplinary actions as outlined in the university’s code of conduct.
Legal and Regulatory Compliance: Ensure all response actions comply with relevant legal and regulatory requirements.

14. Review and Revision
This policy will be reviewed annually and updated as necessary to address new threats, incorporate technological advancements, and include community feedback.
-
Records Retention Policy for Rockhurst University
An organization's record retention policy should help to ensure that necessary records and documents are adequately protected and maintained and that records that are no longer needed or are of no value are discarded in the proper manner and at the proper time.

Policy
Appendix A represents Rockhurst University's policy regarding the retention and disposal of physical records and electronic documents.

Administration
The Vice President for Finance & Administration (the "Administrator") is the University officer in charge of the implementation of processes and procedures outlined in the Record Retention Policy, as well as ongoing compliance with and updates to the Policy. The Administrator is authorized to make modifications to the Record Retention Policy from time to time to ensure that it follows local, state, and federal laws and includes the appropriate document and record categories for Rockhurst University.

Suspension of Record Disposal in Event of Litigation or Claims
If Rockhurst University is served with any subpoena or request for documents, or any employee becomes aware of a governmental investigation or audit concerning Rockhurst University or the commencement of any litigation against or concerning Rockhurst University, such employee shall inform the Administrator, and any further disposal of documents shall be suspended until such time as the Administrator, with the advice of counsel, determines otherwise. The Administrator shall take such steps as are necessary to promptly inform all staff of any suspension in the further disposal of documents.

Applicability
This Policy applies to all physical records generated during Rockhurst University's operations, including both original documents and reproductions. It also applies to the electronic documents described in Appendix A.

Appendix A
The following policy outlines the retention period for various Rockhurst University documents and records:

A. Accounting and Finance - Finance Office
• Accounts Payable & Accounts Receivable Subsidiary Ledgers and Supporting Documents: 7 years
• Annual Audit Reports with Financial Statements: Permanent
• Annual Audit Records, including work papers and other documents that relate to the audit: 7 years after completion
• Bank Statements and Canceled Checks: 7 years
• Employee Expense Reports: 7 years
• General Ledgers: Permanent
• Notes Receivable Ledgers and Schedules: 7 years
• Investment Records: 7 years

B. Contracts - Finance Office
• Contracts and Related Correspondence (including any proposal that resulted in the contract and all other supporting documentation): 7 years after expiration or termination

C. Corporate Records - President's Office
• Corporate Records (signed minutes of the Board and all committee meetings, corporate seals, articles of incorporation, bylaws, etc.): Permanent

D. Electronic Documents - Computer Services
• Data Loss Prevention and Data Classification Policy - https://rockhurstedu.freshservice.com/a/solutions/articles/17000146419
• Physical Document and Electronic Media Disposal Policy - https://rockhurstedu.freshservice.com/a/solutions/articles/17000146379
• System Backup Policy - https://rockhurstedu.freshservice.com/a/solutions/articles/17000145745
• eMail Retention Policy - https://rockhurstedu.freshservice.com/a/solutions/articles/17000145760

E. Personnel Records - Human Resources
• Payroll Deductions: Termination + 7 years
• W-2 and W-4 Forms: Termination + 7 years
• Garnishments, Assignments, Attachments: Termination + 7 years
• Payroll Registers: 7 years
• Timecards: 3 years
• Payroll Tax Records: 7 years
• Unclaimed Wage Records: 7 years
• Employee Counseling Center Files: 7 years from last service
• EEO-1/EEO-2 - Employer Information Reports: 2 years after superseded or filing (whichever is longer)
• Employee Earnings Records: Separation + 7 years
• Employee Handbooks: 1 copy kept
• Employee Healthcare Clinic Records: 7 years from last service
• Employee Immunization Records: Separation + 10 years
• Employee Personnel Records (including individual attendance records, application forms, job or status change records, discipline, performance evaluations, termination papers, withholding information, garnishments, test results, training, and qualification records): Separation + 7 years
• Employment Records - Correspondence with employment agencies and advertisement for job openings: 3 years from date of hiring decision
• Employment Records - all non-hired Applicants (including all applications and resumes, whether solicited or unsolicited, results of post-offer, pre-employment physicals, results of background investigations, if any, and related correspondence): 1 year
• Employee Requests for Access/Disability Services or Accommodation and Related Materials: 3 years
• Job Descriptions: 3 years after superseded
• Personnel Count Records: 3 years
• I-9 Forms: Later of 3 years after hiring, or Separation + 1 year

F. Property Records - Finance Office
• Correspondence, Property Deeds, Assessments, Licenses, Rights of Way: Permanent
• Accessibility/ADA facilities plans: 3 years

G. Tax Records - Finance Office
• Tax-Exemption Documents and Related Correspondence: Permanent
• IRS Rulings: Permanent
• Tax Bills, Receipts, Statements: 7 years
• IRS Filings (Form 990, 990-T, 5500 and 990): Permanent
• Tax Workpaper Packages - Originals: 7 years
• Sales/Use Tax Records: 7 years
• Annual Information Returns - Federal and State: Permanent
• IRS or other Government Audit Records: Permanent

H. Contribution Records - Advancement Office
• Records of Contributions < $5,000: 3 years
• Records of Contributions > $5,000: Permanent
• Documents Evidencing Terms, Conditions or Restrictions on Gifts: Permanent

I. Student Records - Office of the Registrar
I. Data Documents:
• Academic action authorizations (probation, etc.): 3 years after graduation or last date of attendance (LDA)
• Academic action authorizations (Final dismissal): Permanent
• Academic records (evaluations, competency assessments, etc.): 5 years after graduation or LDA
• Academic records (Student Transcripts): Permanent
• Acceptance Letters: 5 years after graduation or LDA
• Applications for graduation: 5 years after graduation or LDA
• Applications for admission or reentry: 5 years after graduation or LDA
• Audit authorizations: 1 year after submission
• Drop/Add forms: 3 years after graduation or LDA
• Change of grade forms: 3 years after graduation or LDA
• Class Lists and grade sheets: 3 years after graduation or LDA
• Class schedules: 3 years after graduation or LDA
• Relevant correspondence (dismissal, etc.): 5 years after graduation or LDA
• Credit/no credit approvals, audit, pass/no pass, etc.: 1 year after submission
• Curriculum (Major declarations) change authorizations: 3 years after graduation or LDA
• Degree audit: 3 years after graduation or LDA
• FERPA documents: Permanent
• Grade reports: 1 year after submission
• Grade data (electronic): Permanent
• Graduation Lists: Permanent
• Graduation authorizations: 5 years after graduation or LDA
• Holds: Until released
• Independent Study Contracts: 3 years after graduation or LDA
• KCASE documents: 7 years after graduation or LDA
• Military documents: 5 years after graduation or LDA
• Name change authorizations: 5 years after graduation or LDA
• Registration forms: 3 years after submission
• Test scores (AP, CLEP, Placement, etc.): 5 years after graduation or LDA
• Transcript requests: 1 year after submission
• Transcripts from HS and other colleges: 5 years after graduation or LDA
• Transfer credit evaluations: 5 years after graduation or LDA
• Total Withdrawal from classes: 5 years after graduation or LDA
II. Publications, Statistical Data/Documents, and Institutional Reports:
• Catalogs: Permanent
• Commencement Program: Permanent
• Degree statistics: Permanent (electronic)
• Enrollment statistics: Permanent (electronic)
• Grade statistics: Permanent (electronic)
• Race/ethnicity statistics: Permanent (electronic)
• Schedule of classes (institutional): Permanent (electronic)
III. FERPA Documents:
• Requests for formal hearings: Permanent
• Requests and disclosure of personally identifiable information: Permanent
• Student requests for nondisclosure: Until student terminates
• Student statements on content of records regarding hearing panel decisions: Permanent
• Student’s written consent for records disclosure: Until student terminates
• Waivers for rights of access: Until student terminates
• Written decisions of hearings: Permanent
IV. Student Records - Student Accounts Office
• Federal Perkins Loan Program, including Promissory note and borrower correspondence: 3 years
• Veterans Affairs, including enrollment certification and application for benefits: 3 years
• Accounts Receivable Collections, including return copy of bills, payment records, copies of scholarship checks: 3 years
• Residence Life Housing Contracts: 6 years from completion of payment
V. Student Records - Financial Aid Office
• Student Financial Aid File (award letter, tax forms, other supporting documents): 3 years
• FAFSA: Permanent

J. NCAA/Athletic Records - Financial Aid Office
• NCAA Records - Student: 5 Years
• NCAA Records, General: 10 Years

All records and documents not specifically listed will be kept for a period of 5 years after graduation or LDA, unless otherwise specified by law or by the university's policies and procedures. Upon expiration of the retention period, all documents and records shall be destroyed or permanently deleted.

Last Review Date 2025/01/27
-
Removable Media Protection Policy for Rockhurst University
Policy Statement
Rockhurst University is committed to safeguarding its proprietary information and ensuring the security of its digital assets. This policy outlines the procedures and requirements for all faculty, students, and staff when using removable media devices, including but not limited to USB drives, external hard drives, CDs, DVDs, and other similar devices.

Scope
This policy applies to all members of the Rockhurst University community, including faculty, students, and staff.

Policy Requirements

Security Scans and Antivirus Software: All members of the Rockhurst University community must ensure that any removable media device they intend to use with university systems or for university-related purposes is scanned for malware and viruses before connecting it to any university-owned computer. Antivirus software must be installed and up-to-date on all university-owned and personal computers that may be used with removable media devices.

Protection of Proprietary Information: Proprietary information owned by Rockhurst University, including but not limited to research data, student records, financial information, and intellectual property, should only be stored on removable media devices for legitimate business use. Unauthorized removal of proprietary information from the university's premises or its use for non-Rockhurst University purposes is strictly prohibited.

Adherence to Data Privacy Policies: All faculty, students, and staff must adhere to Rockhurst University's data privacy policies when handling and transferring data using removable media devices. Personal information, student records, and any other sensitive data should only be transferred using encrypted and password-protected removable media devices. Data containing personally identifiable information (PII) or sensitive financial information must follow applicable data protection laws and university policies.

Encryption and Password Protection: All removable media devices used to store or transfer Rockhurst University data must be encrypted and password-protected to ensure data confidentiality.

Reporting Security Incidents: Any loss, theft, or suspicion of unauthorized access to removable media devices containing Rockhurst University data must be reported immediately to the IT department and the appropriate university authorities.

Enforcement
Violation of this policy may result in disciplinary action, up to and including termination or expulsion, as well as legal action in cases of data breach or unauthorized disclosure of proprietary information.

Review and Updates
This policy will be reviewed periodically to ensure it remains effective and aligned with the university's security and data protection objectives. Any updates or changes to this policy will be communicated to the Rockhurst University community.
-
Risk Management Strategy for Rockhurst University
Purpose:
The purpose of this strategy is to provide a comprehensive framework for identifying, assessing, mitigating, and monitoring risks that may impact Rockhurst University's reputation, financial health, and operations. The strategy aims to promote a culture of risk management throughout the University, to enable the University to respond effectively to risks as they arise, and to ensure the University's resilience and sustainability.

Policy Statement:
Rockhurst University is committed to identifying, assessing, mitigating, and monitoring risks that may impact the University's reputation, financial health, and operations. The University will establish and maintain a risk management framework that supports this commitment and promotes a culture of risk management throughout the University.

Scope:
This strategy applies to all departments and units of Rockhurst University, including faculty, staff, students, and third-party contractors.

Risk Management Framework:
Rockhurst University will establish and maintain a risk management framework that includes the following components:

Risk Identification: Rockhurst University will identify potential risks that may impact the University's reputation, financial health, and operations. The University will use a range of methods to identify risks, including but not limited to:
• Risk assessments
• Incident reporting
• Internal audits
• External audits
• Environmental scans
• Regulatory compliance reviews
• Business continuity planning

Risk Assessment: Rockhurst University will assess the likelihood and potential impact of identified risks using a consistent and systematic approach. The University will prioritize risks based on their likelihood and potential impact.

Risk Mitigation: Rockhurst University will develop and implement risk mitigation plans that include specific measures to reduce the likelihood and impact of identified risks. The University will ensure that risk mitigation plans are aligned with the University's strategic goals and objectives and are regularly reviewed and updated as necessary.

Risk Monitoring: Rockhurst University will monitor identified risks and the effectiveness of risk mitigation measures on an ongoing basis. The University will use a range of methods to monitor risks, including but not limited to:
• Regular reporting to senior leadership and the Board of Trustees
• Key performance indicators and metrics
• Incident management and response protocols
• Business continuity testing and exercises
• Compliance monitoring and reporting

Risk Communication: Rockhurst University will ensure that all relevant stakeholders are informed about identified risks and risk mitigation measures. The University will use a range of methods to communicate risks, including but not limited to:
• Internal memos and announcements
• Training and education programs
• Risk management reports
• Incident reports
• Compliance reports
• Business continuity plans and protocols

Policy Review:
This strategy shall be reviewed annually by the Risk Management Office in consultation with the University's senior leadership team to ensure that it remains current and effective in addressing the University's risk management needs.

Conclusion:
By implementing this risk management strategy, Rockhurst University aims to promote a culture of risk management that enables the University to identify potential risks and take appropriate measures to mitigate them. The strategy ensures that the University's operations are resilient, sustainable, and aligned with its strategic goals and objectives.

Last Review Date 2025/04/10
-
Secure Development Practices Policy for Rockhurst University
Purpose
The purpose of this Secure Development Practices Policy is to establish guidelines and best practices for the development of internally developed applications and processes at Rockhurst University. This policy aims to ensure the security, privacy, and integrity of information assets by implementing industry-standard security measures throughout the development lifecycle.

Policy Statement
Rockhurst University is committed to incorporating secure development practices into all internally developed applications and processes. This policy applies to all developers, system administrators, and personnel involved in the development and maintenance of these applications and processes.

Secure Development Lifecycle
Rockhurst University will adopt a secure development lifecycle approach, integrating security into all phases of application and process development. The following practices should be followed:

3.1. Requirements Phase:
• Conduct thorough threat modeling exercises to identify potential security threats and vulnerabilities.
• Define security requirements and incorporate them into the project's functional requirements.

3.2. Design Phase:
• Apply secure coding standards and best practices, such as OWASP Top 10, SANS guidelines, or CWE.
• Implement appropriate security controls and countermeasures based on the identified threats.
• Design secure authentication and authorization mechanisms.
• Ensure secure communication channels and data protection mechanisms.

3.3. Development Phase:
• Follow secure coding practices and guidelines.
• Perform strong input validation and output encoding to prevent common vulnerabilities like SQL injection, XSS, and command injection attacks.
• Regularly update and patch software components and libraries to address known vulnerabilities.
• Use secure APIs and libraries that have undergone security testing and validation.

3.4. Testing Phase:
• Conduct comprehensive security testing, including penetration testing, code reviews, and vulnerability scanning.
• Implement fuzz testing, security unit testing, and security regression testing.
• Address identified vulnerabilities and conduct retesting before deployment.

3.5. Deployment Phase:
• Ensure secure deployment practices, including hardening the underlying infrastructure, secure configuration settings, and secure storage of credentials and sensitive data.
• Implement secure communication protocols such as HTTPS/TLS.
• Regularly update and patch deployed applications and systems.

3.6. Maintenance and Monitoring Phase:
• Continuously monitor and log security-relevant events.
• Regularly review logs and implement security incident response procedures.
• Perform periodic security assessments and audits.
• Keep up-to-date with security best practices, emerging threats, and industry developments.

Security Training and Awareness
Rockhurst University will provide regular security training and awareness programs to developers, system administrators, and other personnel involved in the development process. Training should cover secure coding practices, secure development methodologies, and the importance of following security policies and procedures.

Compliance with Regulations
Rockhurst University will ensure compliance with relevant security and privacy regulations, including but not limited to the General Data Protection Regulation (GDPR), Family Educational Rights and Privacy Act (FERPA), and Payment Card Industry Data Security Standard (PCI DSS). Compliance should be integrated into the development process.

Policy Compliance and Enforcement
Failure to comply with this policy may result in disciplinary action, including but not limited to verbal or written warnings, suspension, termination, or legal action, as deemed appropriate.

Policy Review
This Secure Development Practices Policy will be reviewed and updated periodically to ensure its effectiveness and alignment with industry best practices and regulatory requirements.

By adhering to this Secure Development Practices Policy, Rockhurst University aims to mitigate security risks, protect sensitive data, and ensure the development of secure and reliable applications and processes.

Last Review Date 07/05/2024