2.4 Information Technology

Information Technology (IT) provides essential services to Iowa Regent’s universities. It is critically important that these services be used to 1) support the mission of the Regents, 2) appropriately secure the systems, facilities, and information that are created, accessed, handled, and stored by them, and 3) provide equal access to IT resources. Universities and Schools shall maintain complementary IT policies and procedures, which are consistent with this policy manual and any other applicable technology use policies of the Regents.

  1. Acceptable Use
    Unless otherwise specified in this policy manual, or other Regents policies, use of Regents information technology resources is restricted to purposes related to the Regents mission. Eligible individuals are provided access to IT resources in order to support their studies, instruction, research, duties as employees, official business with the Regents, and other Regents-sanctioned activities. Universities and Schools will have policies that define additional details of acceptable and prohibited uses, privacy principles, and enforcement that augment the following basic requirements for acceptable use:
    1. Individuals may not share or transfer to others their Regents accounts, including network IDs, passwords, and access codes that allow them to access Regents information technology resources.
       
    2. Incidental personal use of information technology resources must adhere to all applicable Regents policies.
       
    3. Uses may not involve violations of the law, interfere with the fulfillment of an employee's Regents responsibilities, or adversely impact or conflict with activities supporting the mission of the Regents.
       
  2. Security
    Universities must have policies that address:
    1. Authentication to systems, including
      1. Password length, complexity and renewal requirements
         
      2. Requirements for use of multi-factor authentication
         
      3. Account life cycles
         
    2. Security classification of institutional data and the protections to be applied to the different categories of data
       
    3. IT facility access controls and services required to protect critical and sensitive IT equipment areas
       
    4. Minimum IT security requirements for all equipment that utilizes campus networks
       
    5. IT security event reporting and incident handling
       
    6. Appropriate IT security controls to achieve compliance with all applicable local, state, and federal laws, industry standards, and regulations. These may include but are not limited to:
      1. Health Insurance Portability and Accountability Act (HIPAA)
         
      2. Family Educational Rights and Privacy Act (FERPA)
         
      3. Federal Information Security Management Act (FISMA)
         
      4. Human Subjects Research (45 CFR 46; 21 CFR 56)
         
      5. Export Controls (EAR; ITAR)
         
      6. Gramm-Leach-Bliley Act (GLBA)
         
      7. Payment Card Industry Data Security Standard (PCI DSS)
         
  3. Accessibility
    To ensure equal access, as well as compliance with applicable local, state, and federal laws, the Regents universities and schools shall have policies and guidelines that demonstrate and support our commitment to electronic and information technology accessibility, including, but not limited to, the following:
    1. Guidelines for the procurement (e.g., Request for Proposal, contractual language), design and development, management, and use of accessible electronic and information technologies
       
    2. Establishment of technical standards for accessible on-site and online learning and work environments
       
    3. Accessible web sites (e.g., Web Content Accessibility Guidelines)
       
    4. Accessible document and media types
       
    5. Campus awareness programs and support services