Rockhurst University Computer Services Policies
-
Security Information and Event Management Log Review Policy for Rockhurst University
Policy Statement
Rockhurst University is committed to maintaining the security and privacy of its information assets, ensuring compliance with the Gramm-Leach-Bliley Act (GLBA), and mitigating the risk of cyber incidents or breaches. This policy outlines the best-practice steps for reviewing Security Information and Event Management (SIEM) logs to detect and proactively respond to potential threats and vulnerabilities.

Purpose
The purpose of this policy is to establish guidelines for the regular review of SIEM logs to identify security incidents, assess risks, and take proactive measures to reduce the likelihood and impact of cyber incidents or breaches. The policy aims to ensure compliance with GLBA requirements and safeguard sensitive information.

Scope
This policy applies to all employees, contractors, and authorized individuals who have access to Rockhurst University's information assets and SIEM logs.

Responsibilities
Chief Information Officer (CIO): The CIO or designated representative shall be responsible for overseeing the implementation of, and compliance with, this policy. They will ensure that appropriate resources and tools are available to facilitate the SIEM log review process.
Information Security Officer (ISO): The ISO or designated representative shall be responsible for coordinating the SIEM log review activities. They will ensure that the review is conducted promptly and in accordance with this policy.
IT Administrators: IT administrators shall perform regular SIEM log reviews in accordance with the guidelines outlined in this policy. They will investigate and escalate any identified security incidents or suspicious activities to the ISO or designated representative.

SIEM Log Review Process
Log Collection and Aggregation: Rockhurst University has implemented a SIEM solution capable of collecting and aggregating logs from various systems, network devices, applications, and security tools across the organization. The SIEM system will be appropriately configured to ensure comprehensive log collection.
Log Retention: SIEM logs shall be retained for a minimum period as required by applicable regulations or industry standards. The retention period shall be documented and reviewed periodically to meet legal and operational requirements.
Regular Review:
Frequency: SIEM logs shall be reviewed by designated IT administrators at a frequency based on the criticality of the system.
• High-Risk Systems or Critical Infrastructure: Daily log review is recommended to detect and respond to potential threats promptly.
• Medium-Risk Systems: Weekly log review is typically sufficient to identify and respond to security incidents in a timely manner.
• Low-Risk Systems: Monthly log review may be appropriate, considering the lower likelihood and impact of security incidents.
Review Guidelines: IT administrators shall follow the guidelines provided by the ISO to review the SIEM logs effectively. The guidelines should include the identification of common indicators of compromise (IOCs), patterns, anomalies, and potential security incidents.
Incident Detection and Response: Any identified security incidents or anomalies shall be promptly investigated. IT administrators shall escalate potential incidents to the ISO or designated representative for further analysis and appropriate response.

The log review process should consist of the following key components:
• Log Analysis: Review the collected logs from various systems, applications, network devices, and security tools for potential security incidents or suspicious activities. This includes analyzing log entries, timestamps, event types, and relevant details.
• Event Correlation: Identify patterns, anomalies, or correlations between different log entries to uncover potential indicators of compromise (IOCs) or signs of unauthorized access, malicious activities, or system vulnerabilities.
• Threshold Monitoring: Set thresholds or baseline metrics for specific log entries to trigger alerts or notifications when unusual or abnormal events occur, indicating a potential security incident.
• User and Account Activity: Monitor and analyze user and account activities, including login attempts, access privileges, user behavior, and authentication logs, to identify any unauthorized access, privilege abuse, or suspicious behavior.
• Network Traffic Analysis: Review network logs and traffic patterns to detect any unusual or malicious network activity, such as unauthorized connections, data exfiltration attempts, or unusual communication protocols.
• System and Application Logs: Analyze system logs, including operating systems, databases, web servers, and critical applications, to identify potential security vulnerabilities, errors, or system misconfigurations that could be exploited.
• Security Event Correlation: Correlate security events with threat intelligence feeds, known vulnerabilities, or external indicators of compromise (IOCs) to identify potential threats or attacks that match known patterns or signatures.
• Incident Escalation and Response: Promptly escalate identified security incidents or suspicious activities to the appropriate incident response team or designated personnel for further investigation and response. Follow the incident response plan to mitigate the impact of the incident and initiate appropriate actions.
• Documentation: Maintain detailed and accurate records of log reviews, including findings, actions taken, and any remediation measures implemented. This documentation is crucial for auditing, compliance, and future reference.
• Continuous Improvement: Regularly evaluate and refine the log review process based on the analysis of historical logs, incident response feedback, emerging threats, and industry best practices. Implement necessary adjustments to enhance the effectiveness and efficiency of the log review process.

Incident Response and Mitigation
Incident Response Plan: Rockhurst University shall maintain an incident response plan that outlines the steps to be taken in the event of a security incident. The plan shall include the roles and responsibilities of relevant stakeholders, communication procedures, and the escalation process.
Proactive Measures: Upon identifying potential security incidents or vulnerabilities, the ISO or designated representative shall coordinate with IT administrators to initiate proactive measures to reduce the risk and impact of the incident. This may include system patching, network segmentation, user awareness training, or other appropriate actions.

GLBA Compliance and Auditing
GLBA Compliance: The SIEM log review process shall be conducted in accordance with GLBA requirements, including the protection of non-public personal information (NPI) and ensuring appropriate access controls, monitoring, and incident response procedures.
Audit and Monitoring: Rockhurst University shall conduct periodic internal and external audits to assess the effectiveness of the SIEM log review process, adherence to this policy, and compliance with GLBA regulations. Audit findings and recommendations shall be documented and addressed in a timely manner.

Training and Awareness
Rockhurst University shall provide regular training and awareness programs to employees and authorized individuals regarding the importance of SIEM log review, incident detection, and their roles in maintaining information security.

Non-Compliance
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract, as well as legal consequences in accordance with applicable laws and regulations.

Policy Review
This policy shall be reviewed annually, or as deemed necessary by the CIO or designated representative, to ensure its relevance, effectiveness, and compliance with changing regulatory requirements.

Last Review Date 06/24/2024
-
Software Development Life Cycle (SDLC) Policy for Rockhurst University
Objective
The objective of this Software Development Life Cycle (SDLC) policy is to establish a standardized and comprehensive process for the development, implementation, and maintenance of both vendor-purchased and internally developed applications at Rockhurst University. This policy encompasses the stages of the SDLC: preliminary analysis, risk identification and mitigation, systems analysis, general design, detail design, development, quality assurance and acceptance testing, implementation, and post-implementation maintenance and review. Additionally, the policy emphasizes the importance of vendor patch currency to ensure the latest security measures and application efficiencies are maintained.

Preliminary Analysis or Feasibility Study
Before considering the purchase or development of any application, a thorough preliminary analysis or feasibility study will be conducted to assess the viability, requirements, and potential risks associated with the application. The analysis will include an evaluation of the existing systems, the identification of specific needs, an assessment of potential alternatives (including both vendor solutions and internal development), and consideration of resource availability and technology feasibility.

Risk Identification and Mitigation
A comprehensive risk identification process will be conducted for both vendor-purchased and internally developed applications. Risks will be categorized and assessed for their potential impact on the project's timeline, cost, security, and quality. Appropriate risk mitigation strategies will be developed and implemented to minimize the impact of identified risks throughout the SDLC.

Systems Analysis
The systems analysis phase will involve a detailed requirements gathering and analysis process to determine the functional and non-functional requirements of the application. Clear documentation of the requirements, including use cases, system diagrams, and user stories, will be prepared to facilitate understanding and communication.

General Design
The general design phase will focus on creating a high-level architectural design of the application, considering both vendor solutions and internally developed applications. The design will encompass components, modules, interfaces, and data flow diagrams, providing a blueprint for the development team.

Detail Design
The detail design phase will involve a comprehensive design of each component and module identified in the general design phase. Detailed technical specifications, database schema, class diagrams, and other design artifacts will be created to guide the development process.

Development
The development phase will involve coding, unit testing, and integration of the application components, whether vendor-purchased or internally developed. Development will adhere to coding standards, version control practices, and best programming practices to ensure code quality and maintainability.

Quality Assurance and Acceptance Testing
A dedicated quality assurance team will conduct rigorous testing to ensure the application meets the specified requirements and quality standards. Different types of testing, including functional, performance, security, and usability testing, will be performed. Acceptance testing will involve collaboration with end users and stakeholders to validate the application's functionality and usability.

Implementation
The implementation phase will involve the deployment of the application into the production environment, whether it is a vendor solution or an internally developed application. A well-defined deployment plan, including rollback procedures and contingency plans, will be prepared and executed.

Post-Implementation Maintenance and Review
After implementation, a post-implementation review will be conducted to assess the effectiveness and efficiency of the application. Ongoing maintenance and support activities will be carried out to address bugs, implement enhancements, and ensure the stability and performance of the application.

Application Currency
Rockhurst University recognizes the critical importance of maintaining up-to-date software versions and security patches for both vendor-purchased and internally developed applications. An established process will be in place to regularly monitor and evaluate vendor updates, security bulletins, and patches. Patches will be promptly tested, applied, and deployed to ensure the latest security measures and application efficiencies are maintained.
For vendor-purchased applications, Rockhurst University will establish a communication channel with vendors to receive timely notifications about patch releases and security updates. For internally developed applications, a designated team or individual will be responsible for monitoring and applying patches in a timely manner. Patches will be tested in a controlled environment before deployment to production systems to mitigate any potential negative impacts. Documentation will be maintained to track the patching process, including patch application dates, testing results, and any associated issues or resolutions.

Policy Compliance and Enforcement
All vendor-purchased and internally developed applications at Rockhurst University must adhere to this SDLC policy, including the requirements for preliminary analysis, risk identification, systems analysis, design, development, testing, implementation, maintenance, and vendor patch currency. Compliance with the policy will be monitored through regular audits and reviews. Non-compliance with the policy may result in appropriate disciplinary actions as defined by the university's policies and procedures.

Policy Review and Updates
This SDLC policy will be reviewed periodically to ensure its relevance and effectiveness. Updates to the policy will be made as necessary based on changes in industry best practices, technology advancements, or specific requirements of Rockhurst University. By following this SDLC policy, Rockhurst University aims to ensure the consistent and secure development, implementation, and maintenance of both vendor-purchased and internally developed applications, while also maintaining the latest security measures and application efficiencies through effective vendor patch management.

Last Review Date 07/08/2024
-
Supported Software and Hardware for Rockhurst University
Students & Adjunct Faculty

Software

Email and Calendar Readers
• Office 365
• Office Online (webpage, linked to Office 365)
• Outlook on the Web (OWA)

Cloud Storage
• OneDrive

Desktop/Laptop Operating Systems
• Android 13 is expected to be supported until March 2026.
• iOS 17 will likely be retired with the release of iOS 19, anticipated in late 2025.
• macOS 13 is expected to be supported until October 2025.
• Windows 10 is expected to reach the end of Microsoft support on October 14, 2025.

Browsers
• Chrome: latest version
• Microsoft Edge: latest version
• Safari: latest version
• Firefox: latest version

Word Processors, Spreadsheets, and Presentations
• Office 365

Video Conferencing/Collaboration
• Microsoft Teams
• Zoom Web Conferencing

Media and Design Tools
• Adobe Creative Cloud

Utilities
• Anti-Virus / Anti-Spyware (mandatory requirement for Windows): Any commercially available anti-virus product is required for all Windows-based devices attaching to the campus network. The Rockhurst Help Desk will help students install a free product if they do not have one loaded on their device.
• PDF Utilities: Adobe Acrobat

Hardware

Minimum Laptop Requirements
• Type: PC or Mac
• Processor: Intel Core or AMD Ryzen
• Display: 13" or larger
• Memory: 8 GB or higher (16 GB preferred)
• Hard Drive: 256 GB SSD or higher
• Wireless: Wi-Fi 5 or better

Miscellaneous Hardware (we only support hardware that is fully updated and still officially receiving current security patches from its manufacturer)
• Amazon Echo
• Amazon FireStick
• Google Home
• Google TV
• Nintendo Switch
• PlayStation
• Roku
• Smart TVs
• Xbox

Note: Wireless printers are strongly discouraged from use on campus, as they may interfere with wireless connections in the dorms. It is recommended that students plug their printer directly into their laptop or desktop.

Staff and Faculty

Software

Email and Calendar Readers
• Office 365
• Outlook on the Web (OWA)

Network Storage
• Network share drive
• OneDrive cloud storage
• SharePoint

Desktop/Laptop Operating Systems
• Android 13 is expected to be supported until March 2026.
• iOS 17 will likely be retired with the release of iOS 19, anticipated in late 2025.
• macOS 13 is expected to be supported until October 2025.
• Windows 10 is expected to reach the end of Microsoft support on October 14, 2025.

Browsers
• Chrome: latest version
• Microsoft Edge: latest version
• Safari: latest version
• Firefox: latest version

Office Word Processors, Spreadsheets, and Presentations
• Office 365: latest version

Video Conferencing/Collaboration
• Microsoft Teams
• Zoom Web Conferencing

Remote Access
• Cisco AnyConnect Secure Mobility Client

Media and Design Tools
• Adobe Creative Cloud: latest version

Utilities
• Anti-Virus / Anti-Spyware: Cisco AMP for Endpoint Connections; Sophos Endpoint Agent
• PDF Utilities: Adobe Acrobat

Hardware

Faculty Laptops
• HP ProBook x360 440 G1: 8 GB RAM, i5-8250U CPU, 256 GB SSD, touch screen, 360-degree hinge.
• Dell Latitude 3420: 16 GB RAM, 12th Gen Intel Core i5 1.3 GHz, non-touch screen, 238 GB SSD.

Staff Laptops
• HP EliteBook 840 G3 (not in circulation): 8 GB RAM, i5-6300 CPU, 256 GB SSD; touch screen and non-touch screen models are in use by staff.
• HP ProBook 440 G7: 8 GB RAM, 10th Gen i5, 128 GB M.2 SATA TLC SSD, non-touch screen.
• Dell Latitude 3420: 16 GB RAM, 12th Gen Intel Core i5 1.3 GHz, non-touch screen, 238 GB SSD.

Miscellaneous (these items are to be approved for purchase by Computer Services per the Information Technology Procurement Policy)
• Docking Station
• Label Makers
• Laptop Charger
• Laptops
• Mice and Keyboards
• Monitors
• Printers
• Projectors
• Scanners
• Televisions

Last Updated 01/24/2025
-
Student Network Account Retention Policy for Rockhurst University
Purpose
This policy defines the length of time a student has access to their Rockhurst University email and network accounts. It serves to maintain the security, affordability, and efficiency of the Rockhurst University network. It is the sole responsibility of the student to back up any files or emails prior to account removal.

Scope
This policy applies to all Rockhurst student accounts.

Applicability
The policy applies to email and network accounts for:
• Active Students
• Graduated Students
• Inactive Students
• Returning Students

Student Network Accounts

Active Students
Student network and email accounts will remain active as long as the student maintains credit enrollment at Rockhurst University. Passwords will be reset every six months while the account is active to ensure security. All student accounts will be required to have multi-factor authentication (MFA) for added security. Students are encouraged to regularly back up important data to prevent loss in case of unexpected issues. Security awareness training will be provided annually to ensure students are informed about best practices in cybersecurity.

Graduated Students
Network accounts for graduating students will be deactivated 6 months after graduation, provided that the student is not enrolled in any Rockhurst University courses. The graduated student will receive a notification to their Rockhurst email account 30 days in advance of deactivation to allow ample time to back up important data. Once the network file shares have been deleted, the files cannot be recovered.

Inactive Students
Network accounts for non-enrolled graduate and undergraduate students will be deactivated 6 months after the end of the last term the student was enrolled in, or after the last day the student attended classes at Rockhurst University. The student will receive a notification to their Rockhurst email account 30 days in advance of deactivation to allow ample time to back up important data. Once the network file shares have been deleted, the files cannot be recovered.

Returning Students
Returning students who have not been enrolled in any courses at Rockhurst University for more than 6 months may be reissued their former network and email accounts if the account has not been reassigned to another student. If the account is no longer available, the returning student will be assigned a new network account and university email account.

Related Policies
• eMail Use Policy for Rockhurst University
• eMail Retention Policy for Rockhurst University
• eMail and Security Awareness Training Policy for Rockhurst University
• Network Account Password Policy for Rockhurst University
-
System Backup Policy for Rockhurst University
Backup Objectives
• To ensure data availability and business continuity in case of data loss or disaster.
• To back up all critical data, including databases, applications, and user data.
• To minimize the time required to restore data in case of failure or disaster.

Backup Targets
• Primary Nimble storage array with high-performance SSDs and data protection features.
• Secondary Nimble storage array for replication and disaster recovery purposes.
• Cloud-based storage as a tertiary backup target.

Backup Software
• Veeam Backup & Replication, integrated with Nimble for seamless backup and recovery operations.

Backup Frequency
• Daily incremental backups for all critical data, including databases and applications.
• Weekly full backups for all user data and less critical systems.

Retention Policies
• Keep daily backups for 14 days.
• Keep weekly backups for one month.
• Keep monthly backups for three months.
• Keep quarterly backups for six months.
• Keep yearly backups for seven years.

Disaster Recovery
• Implement replication between the primary and secondary Nimble arrays using Nimble Replication.
• Periodically test the disaster recovery plan to ensure that it can be relied upon in case of disaster.

Testing and Validation
• Periodically test and validate backups to ensure that they are reliable and can be restored successfully.
• Conduct regular disaster recovery tests to ensure the availability of the backup data.

Monitoring and Management
• Monitor the backup process regularly to ensure that backups are completed successfully and within the defined backup window.
• Configure alerts for backup failures or other issues that require attention.
• Regularly review and update the backup policy to ensure that it remains effective and aligned with business and compliance requirements.

Overall, a backup policy utilizing Nimble should be comprehensive and designed to meet the specific needs of the organization. It should be regularly reviewed and updated to ensure that it remains effective and aligned with business and compliance requirements.

Last Review Date 2025/03/12
-
Technical Loaner Device Policy for Rockhurst University
Purpose
Rockhurst University recognizes the importance of providing students with access to technology resources for their academic needs. This policy outlines the guidelines and procedures for loaning university laptops or other technical devices to students for a period of up to one week.

Eligibility
This technical device loaner program is available to currently enrolled Rockhurst University students in good academic standing. Students must have a valid university ID and sign the Technical Device Loaner Agreement, noting the ID of the device, before checking out a device.

Loaner Duration Period
Rockhurst-owned technical devices may be borrowed for a maximum period of one week. Extensions of the loan period will only be granted in exceptional circumstances and must be approved by Computer Services in advance.

Software and Configuration
Borrowed laptops or other technical devices may come pre-configured with standard university software necessary for academic purposes. Students are prohibited from installing or removing any software or making configuration changes to the laptop or other technical device. All laptops are equipped with internet connectivity. Students are responsible for using the device in accordance with the university's acceptable use policy.

Care and Responsibility
Students are expected to use the loaned laptops or other technical devices responsibly and handle them with care. Loaner devices must be kept in a safe and secure location when not in use and should not be left unattended in public areas. Students are responsible for any damage or loss of the loaner device during the loan period. Loaner devices must be returned in the same condition as when borrowed, with all accessories and peripherals. Any damage to the loaner device will be assessed for repair costs, and the student will be responsible for funding full or partial repair expenses.

Returning Loaner Devices
Loaner devices must be returned to the designated return location by the agreed-upon due date and time. Late returns may result in penalties, including the suspension of future loaner device borrowing privileges. Upon return, Computer Services staff will inspect the loaner device to ensure it is in good working condition. After inspection, students will receive a receipt confirming that they have successfully returned the loaner device, for their records.

Penalties for Violations
Violations of this policy, including unauthorized software installation, damage, or failure to return the loaner device on time, may result in the suspension of loaner device borrowing privileges and additional disciplinary action as determined by the university's code of conduct. Students will be responsible for all associated costs, including repair or replacement, in the event of damage, loss, or theft.

Dispute Resolution
In the event of a dispute or disagreement regarding the loaner device terms, students may seek resolution through the university's established grievance procedure.

Policy Acknowledgment
By borrowing a laptop from Rockhurst University, students acknowledge their understanding of, and agreement to abide by, the terms and conditions outlined in this policy.

Review and Updates
This policy is subject to periodic review and updates by Rockhurst Computer Services to ensure its effectiveness and relevance.

Contact Information
For any questions or concerns related to this policy or loaner devices, please contact Rockhurst Computer Services.

Loaner Agreement Acknowledgements
Student Signature: _______________________________________________
Device ID: ______________________
Issue Date: ______________________
Due Date: ______________________
Actual Return Date: ______________________
-
Telephones & Communication Devices for Rockhurst University
This policy applies to the acquisition and operation of all Rockhurst University owned cellular phones.

I. Purpose
To state policy regarding acceptable (and non-acceptable) use of university resources to purchase, or pay for, phone and data expenses.

II. Policy
Rockhurst University will only pay for cell phones, service or data plans, or pagers on a limited basis. In order to have a university-paid device or service/data plan, there must be a requirement for the use of such a device as part of the employee's essential job function, limited to the following circumstances:
• On-call employees: 24/7 monitoring or availability is required, or the employee must be available immediately upon contact.
• Public safety: The employee is considered key personnel for emergency or safety purposes.
• Medical professionals: Emergency response is required.
• Work location: Employees who perform a majority of their duties in the field, where communication by other means is not available or is inefficient.
• Regulatory requirements: Required by law or regulation to maintain communications.

Rockhurst University will not pay for devices or plans when having such a device and/or plan is primarily for the convenience of the employee and does not meet the criteria above. The device/plan must be used primarily for conducting Rockhurst University business; as such, most Rockhurst University employees will not be eligible for a university-provided device or service. There must be a strong and continuing business need before a Rockhurst University provided device or service can be approved.

When Rockhurst University activities necessitate the use of a cellular/wireless phone or other telecommunications equipment (tablets, hotspots, etc.), referred to collectively as a "cellular device", the employee may be assigned a Rockhurst University cellular device. Sharing of devices among employees within a unit is appropriate when the business need necessitates the use of the device by multiple employees at differing times.

When it is determined that it is in the best interest of Rockhurst University (as outlined above), and funds are available, a cellular device and service may be provided by Rockhurst Computer Services for use by an employee. University-approved procurement methods must be utilized in the purchase of devices and service or data plans. The lowest-cost plan available to accommodate the particular business need shall be utilized.

Under certain circumstances where there is a more cost-effective method to allow an employee to utilize cellular services without supplying a device, Rockhurst University may pay an allowance to an employee through the University's payroll system. The amount of the allowance must be less than the amount paid for similar Rockhurst University provided plans for the same type of service required for the business need. For example, an employee who could be provided a device under the criteria above due to work location may not need a device for all work locations, and may choose to provide their own personal device and seek reimbursement for cellular services in lieu of a University-paid device/plan. This limits the cost to the University when the primary purpose of the device is not a business need but is a requirement for the employee to perform their essential job duties. However, this method should only be used on a limited basis, when it would not be practicable or cost-effective for the University to separately purchase the device/service.

Regardless of the method of payment, no cellular device or service plan may be paid for unless it meets the criteria outlined above. A cellular phone or device will not be provided to attract a prospective employee, to promote the morale or goodwill of an employee, or as a means of providing additional compensation. All cellular devices provided by the University are the property of the University and must follow University policies for payment, tracking, and recording of university property. Devices provided by the University will be directly paid for by the University.

Personal Use
Personal long-distance telephone calls (non-cellular), or calls that cause overages on university-paid plans (cellular), are not allowed on University-paid phones and devices. "Personal" includes telephone calls made while consulting for which an employee receives compensation other than from the University.

Departmental Responsibilities for Cellular Phones
Services must be obtained from telecommunications companies under contract with the University unless the necessary service is unavailable from one of those carriers. The service plan must be based on anticipated business usage, and the plan should provide call detail. Departmental managers and other departments designated by the campus shall monitor usage to ensure that the appropriate service or data plan is in place, based on business needs and the most economical use. The need for a Rockhurst University cellular device and service must be reviewed at least once a year to verify and document that a University cellular device and service is still justified. When an employee changes departments or leaves the University, any and all equipment (including chargers, extra batteries, hands-free devices, etc.) must be returned to the Rockhurst Computer Services department, and service should be canceled, transferred to another employee, or transferred to the new department.

Periodic Review
Periodically, or when responsibilities change, administrative superiors should review the business needs of employees. Administrative superiors should discontinue unneeded service or obtain appropriate approval to make necessary changes to the service level.

III. Exclusions
There are no exclusions. The CIO has the sole authority to make exceptions, in writing, to this policy.

Last Review Date 2025/03/13
-
User Network Account Security Policy for Rockhurst University
This policy applies to the purchase of all computer-related hardware, software, or services that are to be accessed on a University-owned device, whether or not that device connects to Rockhurst University's computer network.
I. Purpose
The purpose of a user network account policy is to establish guidelines and rules for managing user accounts on a computer network. The policy outlines the responsibilities and expectations of network users in order to maintain the security and integrity of the network.
II. Policy
• Passwords: Users should be required to create strong passwords that include a mix of upper- and lower-case letters, numbers, and symbols. Passwords should be changed regularly and must not be shared with others.
• Access control: Users should be granted access only to the resources and systems required for their job or academic role. Access should be granted on the principle of least privilege: users receive only the minimum level of access necessary to perform their duties.
• Data protection: Users should be required to protect sensitive data by encrypting it in transit and at rest, and by not sharing it with unauthorized individuals or third-party services.
• Authentication: All user accounts should be authenticated using secure methods such as multi-factor authentication (MFA) or biometrics. This helps prevent unauthorized access to University systems and data.
• Monitoring and reporting: The University should monitor user accounts for suspicious activity, and users should be required to report any suspected security breach. This helps identify security threats and prevent further damage.
• Training and awareness: The University should provide training and awareness programs to help users understand their responsibilities for maintaining the security of their accounts, including guidelines for safe browsing, avoiding phishing scams, and protecting sensitive data.
• Incident response: The University should have an incident response plan in place so that it can respond quickly to security incidents and minimize the impact of any security breach.
• Regular security reviews: The University should conduct regular security reviews to identify vulnerabilities and confirm that security controls are effective.
III. Exclusions
There are no exclusions. The CIO has the sole authority to make exceptions, in writing, to this policy.
IV. Procedures
A. Standard Approved Software, Hardware and Services
1. The CIO will establish and maintain a website of computer technology acceptable standards, models, and vendors. The website will contain appropriate instructions, forms, and information for the purpose of acquiring technology resources.
2. When technology is approved as a campus standard, it is pre-approved for procurement without additional consideration by Information Technology or Physical Plant Purchasing.
B. Non-Standard Software, Hardware and Services
1. If a package is not listed as a current standard, it is non-standard. Requests for non-standard software must be made through the Help Desk ticketing process and must be approved by the Dean or department head before coming to Information Technology for final approval.
2. Non-standard software may not be supported by Information Technology. Before purchasing non-standard software, the purchaser must identify the source of support for it. Purchase of non-standard technology components is allowed, but such purchases should be minimized as much as reasonably possible and must be justified by special circumstances that require them. The purchaser of a non-standard technology component must also document the source of support for the component before the purchase will be approved.
C. Workstation and Laptop Replacement Guidelines
1. Refer to Rockhurst's Faculty and Staff Technology Equipment Policy.
D. Information Systems Software
1. Information Systems software is software that fulfills a specific business purpose, depends on integration with other sources of information, and is typically used by more than one person.
2. All Information Systems must be evaluated and approved by the CIO before purchase. Examples of Information Systems are student information systems (Banner), customer relationship management (Slate), and learning management systems (Canvas). When an application software package is considered for purchase, it must be evaluated in terms of its fit with the campus environment (hardware requirements, database management system, operating system requirements, web environment requirements), legal and FERPA considerations, and the support requirements associated with the package.
Last Review Date 2025/03/13
-
Vulnerability Management Policy for Rockhurst University
Policy Statement
Rockhurst University is committed to maintaining a robust Vulnerability Management Plan that incorporates industry best practices for vulnerability scanning, patching, and maintaining system currency. The plan includes continuous scanning by Rockhurst's managed security services provider (MSSP), homeland security scans, Coalition insurance scans, and internal and external penetration tests. It also emphasizes maintaining system currency with key vendors, using Microsoft automated patching for workstations and servers, and automating Meraki cloud updates for network switches and Wi-Fi access points.
Scope
This policy applies to all systems, applications, workstations, servers, network switches, and Wi-Fi access points owned, managed, or operated by Rockhurst University.
Vulnerability Scanning
Continuous Scanning: Rockhurst University will engage a managed security services provider (MSSP) to perform continuous vulnerability scanning of its systems and applications. The MSSP will use industry-leading vulnerability scanning tools and techniques to identify potential vulnerabilities.
Homeland Security Scans: Rockhurst University will participate in vulnerability scanning programs offered by homeland security agencies or organizations. These scans help identify vulnerabilities related to known threats, exploits, and security weaknesses.
Coalition Insurance Scans: Rockhurst University will collaborate with its insurance provider and undergo vulnerability scanning assessments as required by the insurance policy. These scans help identify potential vulnerabilities and confirm compliance with insurance guidelines.
Penetration Testing
Internal Penetration Tests: Rockhurst University will conduct internal penetration tests of its systems and applications. These tests simulate attacks launched from within the University's network, to identify vulnerabilities and weaknesses that could be exploited by an insider or by an external attacker who has already gained a foothold on the network.
External Penetration Tests: Rockhurst University will periodically engage third-party security firms to perform external penetration tests. These tests simulate real-world attacks from outside the University's network to identify vulnerabilities and potential points of unauthorized entry.
Patch Management
Vendor Relationships: Rockhurst University will maintain relationships with key vendors to ensure timely access to patches, security updates, and vulnerability information. Regular communication with vendors helps keep the University's systems up to date and secure.
Automated Patching:
Workstations and Servers: Rockhurst University will use automated patch management, such as Microsoft automated patching, to deploy security patches to workstations and servers in a timely manner. Automated patching will be configured to apply patches promptly while respecting system availability and maintenance windows.
Network Switches and Wi-Fi Access Points: Rockhurst University's Meraki cloud-managed network switches and Wi-Fi access points will be configured to receive automated updates from the Meraki cloud platform. These updates include security patches and feature enhancements.
Patch Testing and Validation: Before deployment, patches and updates will be tested in a controlled environment to confirm compatibility with Rockhurst University's systems, applications, and configurations. This testing identifies potential issues or conflicts before patches reach the production environment.
Patch Deployment and Tracking: Rockhurst University will establish a defined process for deploying patches and updates across its systems, applications, workstations, servers, network switches, and Wi-Fi access points. The process will include change management procedures to minimize disruption and ensure accountability. Patch deployment will be tracked and documented to maintain an accurate inventory of applied patches, giving visibility into patch status and supporting compliance audits and vulnerability remediation.
System Currency
Rockhurst University recognizes the importance of maintaining system currency to reduce the risk of vulnerabilities. The following practices will be implemented:
a. Regularly review and assess the currency of systems and applications, ensuring they are supported by their vendors and receiving the necessary security updates.
b. Develop a system retirement plan to phase out outdated systems and applications that are no longer supported by vendors or cannot be adequately patched.
Policy Review
This Vulnerability Management Plan (Scanning/Patching) Policy will be reviewed periodically to ensure its effectiveness, alignment with industry best practices, and compliance with changing regulations. Updates to the policy may be made as necessary.
Policy Non-Compliance
Failure to comply with this policy may result in disciplinary action, including but not limited to verbal or written warnings, suspension, termination, or legal action, as deemed appropriate.
By following this Vulnerability Management Plan, Rockhurst University aims to proactively identify and remediate vulnerabilities, minimize the risk of security incidents, and ensure the ongoing security and integrity of its systems, applications, and data.
Last Review Date 07/05/2024
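To make the patch tracking and system currency practices in the Vulnerability Management Policy above concrete, the following is an added Python example; it is not Rockhurst University tooling, MSSP output, or scanner output. It joins three constructed data sets (scan findings, the applied-patch inventory the policy says must be tracked, and vendor end-of-support dates) and reports open findings past a remediation window, the share of findings remediated, and hosts whose platform is out of vendor support, which are candidates for the retirement plan rather than for a patch. The hostnames, finding names, patch labels, dates, and the severity-based windows in SLA_DAYS are all assumptions; the policy does not define them.

```python
"""Patch-status and system-currency report over a small vulnerability inventory.

Added example, not Rockhurst University tooling. Every record below is
constructed for illustration, and the remediation windows are assumptions
because the policy itself does not set them.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation windows in days, keyed by scanner severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str        # scanner's name for the weakness (constructed)
    severity: str
    first_seen: date  # date the scanner first reported it
    fixed_by: str     # patch or change that closes it (constructed label)


@dataclass(frozen=True)
class AppliedPatch:
    host: str
    patch: str
    applied_on: date


@dataclass(frozen=True)
class Support:
    host: str
    product: str
    end_of_support: date  # last day the vendor ships security updates


TODAY = date(2025, 7, 1)

# Constructed scan findings.
FINDINGS = [
    Finding("ws-101", "missing-os-cumulative-update", "critical", date(2025, 6, 1), "os-cu-2025-06"),
    Finding("srv-db-01", "unsupported-tls-version", "high", date(2025, 5, 20), "tls-hardening-2025-05"),
    Finding("ws-102", "missing-os-cumulative-update", "critical", date(2025, 6, 25), "os-cu-2025-06"),
    Finding("srv-web-01", "outdated-web-server", "medium", date(2025, 2, 1), "webserver-upgrade"),
    Finding("srv-legacy-01", "end-of-life-operating-system", "high", date(2025, 1, 15), "os-upgrade"),
]

# Constructed applied-patch inventory (what the tracking process recorded).
PATCHES = [
    AppliedPatch("ws-101", "os-cu-2025-06", date(2025, 6, 5)),
    AppliedPatch("srv-web-01", "webserver-upgrade", date(2025, 6, 20)),
    AppliedPatch("ws-102", "os-cu-2025-05", date(2025, 5, 10)),  # older update; does not close the June finding
]

# Constructed vendor support dates for the system currency review.
SUPPORT = [
    Support("srv-legacy-01", "legacy-app-server-os", date(2024, 12, 31)),
    Support("srv-db-01", "db-engine", date(2027, 1, 1)),
    Support("ws-102", "workstation-os", date(2025, 7, 1)),  # last supported day is today: still supported
]


def open_findings(findings, patches):
    """A finding is closed only when the inventory records the remediating patch on that host."""
    applied = {(p.host, p.patch) for p in patches}
    return [f for f in findings if (f.host, f.fixed_by) not in applied]


def sla_breaches(findings, patches, today):
    """Open findings older than their severity's window, most overdue first."""
    rows = []
    for f in open_findings(findings, patches):
        overdue = (today - f.first_seen).days - SLA_DAYS[f.severity]
        if overdue > 0:
            rows.append((f.host, f.check, f.severity, overdue))
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def unsupported_hosts(support, today):
    """Hosts whose platform no longer receives vendor updates (today is past the last supported day)."""
    return sorted(s.host for s in support if today > s.end_of_support)


def retirement_candidates(findings, patches, support, today):
    """Open findings on unsupported hosts: these need the retirement plan, since no vendor patch will ship."""
    dead = set(unsupported_hosts(support, today))
    return sorted((f.host, f.check) for f in open_findings(findings, patches) if f.host in dead)


def remediation_rate(findings, patches):
    """Share of reported findings that have a recorded remediating patch."""
    if not findings:
        return 1.0
    return 1 - len(open_findings(findings, patches)) / len(findings)


if __name__ == "__main__":
    for host, check, sev, overdue in sla_breaches(FINDINGS, PATCHES, TODAY):
        print(f"SLA breach: {host} {check} ({sev}) {overdue} days overdue")
    print("out of vendor support:", unsupported_hosts(SUPPORT, TODAY))
    print("retire rather than patch:", retirement_candidates(FINDINGS, PATCHES, SUPPORT, TODAY))
    print(f"remediation rate: {remediation_rate(FINDINGS, PATCHES):.0%}")
```

The join on (host, fixed_by) is the point of keeping a patch inventory: a scanner can report a host clean for other reasons (firewalled, offline during the scan), so closing a finding only against a recorded deployment is what makes the report defensible in a compliance audit. Treating a host as out of support only after its last supported day, and routing its open findings to the retirement plan instead of the patch queue, mirrors the policy's System Currency item b.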