VIII. Cybersecurity Policies and Standards

Table of Contents

USNH Technology/Cybersecurity Standards

A. Cybersecurity Policy

1. Purpose
2. Authority
3. Scope
4. Audience
5. Policy Statement
6. Enforcement
7. Exceptions
8. Roles and Responsibilities
9. Definitions

B. Acceptable Use Policy

1. Purpose
2. Scope
3. Audience
4. Policy Statement
5. Enforcement
6. Exceptions
7. Roles and Responsibilities
8. Definitions

C. Information Classification

1. Purpose
2. Scope
3. Audience
4. Policy Statement
5. Enforcement
6. Exceptions
7. Roles and Responsibilities
8. Definitions

D. Password Policy

1. Purpose
2. Scope
3. Audience
4. Policy Statement
5. Enforcement
6. Exceptions
7. Roles and Responsibilities
8. Definitions

E. Privacy Policy

A. Cybersecurity Policy

1.   Purpose

This policy informs all University System of New Hampshire (USNH) community members, which includes employees, students, prior students, alumni, parents, contractors, and vendors, of their responsibilities related to maintaining the privacy and security of institutional information and information technology resources.

Protection of information and information technology resources is critical to ensuring the confidentiality, integrity, and availability of that information and to support the ongoing success of USNH and the administrative, academic, and business units of its component institutions.

2.   Authority

Authority to establish and enforce this policy and all related standards has been granted to the Chief Information Officer (CIO) by the USNH Administrative Board.

3.   Scope

This policy and the related standards apply to access and use of institutional information and information technology resources by all authorized USNH community members. It applies to information in digital format as well as information in physical formats (e.g., on paper).

For purposes of this policy the term "information technology resources" shall include, but not be limited to, telecommunication and network equipment, desktop/laptop computers, mobile devices, servers, storage solutions, software packages, and applications which are owned by or operated on behalf of USNH, its component institutions, or any of its administrative, academic, or business units. The term shall also include non-institutional information technology resources used in the performance of official duties by faculty, staff, or administrators, but only to the extent of such use.

Critical Infrastructure Technology Resources, which includes industrial control systems (ICS) and operational technology (OT), are not in-scope for this policy or the related standards, unless explicitly indicated in the scope of a specific standard.

4.   Audience

USNH community members authorized to access or use institutional information and/or information technology resources should be familiar with this policy and their responsibilities for compliance with the requirements it defines.

5.   Policy Statement

5.1   Cybersecurity is everyone's responsibility

5.1.1   All USNH community members have responsibility for protecting the confidentiality, availability, and integrity of USNH and its component institutions’ information and information technology resources.

5.1.2   All USNH and component institution information and information technology resources are assets of USNH. The provisions outlined in this policy:

5.1.2.1   Apply to any USNH or component institution information, regardless of where or how it is accessed, captured, stored, processed, transmitted, or otherwise managed or what format it is in.

5.1.2.2   Apply to any device that accesses, captures, stores, processes, transmits, or otherwise manages institutional information and/or utilizes a USNH-owned or managed information technology resource, regardless of whether that device is itself an institutional information technology resource (owned and managed by USNH or its component institutions) or a non-institutional information technology resource (personally owned).

5.1.3   All USNH administrative, academic, and business units shall implement and enforce appropriate cybersecurity controls to:

  • Protect the privacy and confidentiality of institutional information in all formats
  • Safeguard institutional information against unauthorized use, modification, destruction, and loss
  • Protect information technology resources from unauthorized access, compromise, modification, disruption, and destruction

5.1.4   Situations that are not covered by this policy, or its related standards, or situations for which clarity is required to ensure compliance, shall be raised to the attention of the Chief Information Security Officer (CISO) for guidance and resolution.

5.2   Governance

5.2.1   An organizational structure with clearly assigned responsibilities for oversight and enforcement of cybersecurity across the University System shall be established and maintained and led by the CISO.

5.2.2   The CISO shall develop and maintain a Cybersecurity Program and all its components, including this policy and all related policies, standards, processes, and procedures.

5.2.3   The CIO shall be responsible for approval of the Cybersecurity Program and all related components. The CIO has the authority to delegate approval for aspects of this program to the CISO.

5.2.4   Standards, processes, and procedures outlining the requirements to comply with this, and other information technology or cybersecurity policies, shall be established in alignment with best practices and industry framework(s) identified in the Cybersecurity Program.

5.2.5   Cybersecurity Policies and Standards shall be maintained in an easily accessible location appropriate for authorized community members.

5.2.6   Processes required to monitor adherence to this policy and the related standards shall be established, implemented, monitored for effectiveness, and regularly reviewed, to enable and ensure continuous improvement.

5.2.7   Owners of all USNH information and information technology resources shall be assigned (e.g., information/data stewards, business application owners, technology service owners) and shall act as the authorizing manager for that asset.

5.2.8   The CISO shall provide periodic reporting of meaningful cybersecurity metrics to the CIO and the appropriate authoritative body to ensure visibility into the effectiveness of and compliance with USNH Cybersecurity Policy and Standards.

5.3   Protection of USNH Information

5.3.1   All institutional information shall be classified according to the information classification system outlined in the USNH Information Classification Policy.

5.3.2   Pursuant to the relevant standards, USNH community members shall adhere to established information handling requirements, respect the privacy of others whose information they have access to, and take appropriate precautions to protect that information from unauthorized disclosure or use.

5.3.3   Administrative, logical, and physical controls shall be implemented for all institutional information, regardless of the format of the information (e.g., electronic, stored on removable media, printed). Required controls shall be based on the information’s classification and documented in the relevant standard(s).

5.3.4   Access to and use of all institutional information, regardless of classification or format, shall be authorized by the designated information steward.

5.3.5   All institutional information shall be encrypted per the requirements outlined in the relevant standard(s).

5.3.6   All institutional information that is stored in physical formats shall be secured per the requirements outlined in the relevant standards.

5.3.7   Access to institutional information tied to another specific community member’s account shall only be authorized as outlined in the relevant standard.

5.3.8   Access to institutional information shall only be granted to a vendor or other external party after all requirements defined in the relevant standard(s) have been met.

5.3.9   Appropriate media sanitization methods as defined in the relevant standard(s) shall be used to remove all institutional information from each information technology resource that is capable of storing data, prior to the release of that resource for disposal or re-use, or at the cessation of organizational control over that resource.

5.4   Protection, Continuity, and Resilience

5.4.1   USNH information and information technology resources shall be protected from natural and human hazards in alignment with the Cybersecurity Risk Management Standard and other relevant USNH standard(s).

5.4.2   USNH information, regardless of where it is stored or by whom it is managed, shall be backed up according to requirements established in the relevant standard(s). 

5.4.3   The CIO and the CISO have the authority to act, with appropriate communication to business application owners, technology service owners, and the USNH community, if possible, to ensure that enterprise information technology resources do not pose a threat to the mission or operations of USNH or its component institutions, institutional information, or other information technology resources.

5.4.4   Enterprise Technology & Services (ET&S) shall develop, publish, and maintain an Information Technology Disaster Recovery Plan designed to minimize the effects of a disaster and support restoration of critical enterprise information technology resources and operations following a disaster.

5.5   Risk Management

5.5.1   Risk must drive cybersecurity decision making, investment, and prioritization.

5.5.2   The CISO shall be responsible for establishment, management, and maintenance of a Cybersecurity Risk Management Program which shall be documented in the relevant standard(s).

5.5.3   All administrative, academic, and business units shall be required to participate in this Program, if requested to do so, and are responsible for implementing Risk Action Plans developed as a result of that participation.

5.5.4   All enterprise information technology resources and critical administrative, academic, or business processes shall be assigned a security categorization as outlined in the relevant standard(s). This categorization shall be used in formal and informal risk assessments involving that resource.

5.5.5   Cybersecurity risk assessments shall be performed, documented, actioned, tracked, reviewed, and revised as dictated by the relevant standard(s).

5.5.6   Cybersecurity risks that are not mitigated, transferred, or avoided shall require risk acceptance as outlined in the relevant standard(s).

5.6   Personnel Security

5.6.1   All USNH employees, including student workers that work with certain types of information, shall be subject to a background check according to the process dictated by USNH Human Resources.

5.6.2   USNH community members who manage institutional information and/or information technology resources on behalf of the University System, or its component institutions, shall be required to review and sign the Enterprise Technology & Services Confidentiality and Cybersecurity Agreement.

5.6.3   USNH community members authorized to access or use institutional information or information technology resources may be required to sign data-specific agreements and/or complete additional training requirements prior to being provided with that access.

5.7   Awareness & Training

5.7.1   A Cybersecurity Awareness and Training Program, designed to reduce the risks of error, theft, fraud, misuse, or other compromise of institutional information and information technology resources, shall be established and documented in the relevant standard(s).

5.7.2   USNH community members shall be informed of their responsibilities for the protection of institutional information and information technology resources and provided appropriate training to aid in fulfilling those responsibilities.

5.7.3   USNH community members with specific cybersecurity responsibilities shall be informed of these responsibilities and provided appropriate training to aid in fulfilling those responsibilities, prior to being granted any privileged or elevated access necessary to fulfill those responsibilities.

5.8   Identity and Access Management

5.8.1   Access to institutional information shall be restricted to only those individuals with approved authorizations.

5.8.2   Institutional information shall only be shared, including verbally, in paper form, or via digital means, with those individuals who are authorized to receive it, using the appropriate mechanism for the information’s classification as defined in the relevant policies and standards.

5.8.3   Access to institutional information stored in or managed by information technology resources shall be protected from unauthorized access through the management of identities, authentication credentials, accounts, and authorized access permissions.

5.8.4   Each USNH community member shall be assigned a single, primary USNH identity according to the requirements defined in the relevant standard(s).

5.8.5   Use of USNH username shall be restricted to approved uses as established in the relevant standard(s).

5.8.6   Access to institutional information and information technology resources shall be granted in accordance with the requirements and restrictions defined in the relevant standard(s).

5.8.7   Passwords used to secure access to information technology resources shall follow the requirements established in the USNH Password Policy.

5.8.8   Accounts used to access information technology resources shall be approved, created, enabled, modified, disabled, removed, and used in accordance with the requirements established in the relevant standard(s).

5.8.9   Privileged access to information technology resources shall be granted and managed in accordance with the requirements established in the relevant standard(s).

5.8.10   Remote access to information technology resources shall comply with the established security requirements, usage restrictions, recommended configurations, and implementation guidance provided in the relevant standard(s).

5.9   Regulatory Compliance

5.9.1   Use and operation of information and information technology resources shall comply with federal, state, and local laws, USNH and component institution policies, and contractual obligations.

5.9.2   Access to and use of institutional information protected by regulation or industry requirement, including but not limited to the following, shall follow all requirements defined in the relevant standard(s):

  • FERPA – Family Educational Rights and Privacy Act
  • HIPAA – Health Insurance Portability and Accountability Act
  • GLBA – Gramm-Leach-Bliley Act
  • PCI-DSS – Payment Card Industry – Data Security Standard

5.9.3   The CISO shall institute programs, processes, procedures, and training, as needed, to inform USNH community members and administrators about the security controls needed to comply with applicable laws, regulations, USNH policies, and contractual obligations.

5.9.4   The CISO shall periodically conduct an audit of security controls implemented by administrative, academic, and business units to ensure compliance with applicable laws, regulations, USNH policies, and contractual obligations.

5.10   Physical and Environmental Security

5.10.1   USNH community members authorized to access and/or use information and information technology resources shall take appropriate measures, as outlined in relevant standard(s), to prevent physical access to that information and those resources by unauthorized persons.

5.10.2   Technology Service Owners and Business Application Owners shall institute and enforce procedures, within their level of responsibility and authority, to protect the information and information technology resources under their control in compliance with the relevant standard(s).

5.10.3   Physical access to facilities where specific types of information or information technology resources are housed or stored shall be restricted to authorized personnel. Examples of specific types include, but are not limited to:

  • Information stored in paper format with a classification that requires physical access be restricted
  • Infrastructure components including, but not limited to, networking equipment (e.g., switches and routers)
  • Servers that are capturing, storing, processing, transmitting, or otherwise managing institutional information
  • Endpoints that require specific physical security controls to meet research grant requirements or other contractual obligations

5.11   Network Management

5.11.1   All USNH networks shall be managed in such a manner that the confidentiality, integrity, and availability of institutional information and information technology resources are safeguarded from interference, unauthorized access, or compromise consistent with USNH’s commitment to privacy, and the requirements defined in the relevant standard(s).

5.11.2   Designated Network Administrators shall be responsible for management of all USNH networks and implementation of all required security controls to safeguard those networks, as defined in the relevant standard(s).

5.11.3   Access to the information technology resources used to provide and manage USNH networks shall be appropriately restricted, both physically and logically, to ensure only authorized personnel have access.

5.11.4   USNH networks shall be monitored to detect cybersecurity incidents as required in the relevant standard(s).

5.11.5   USNH wireless networks shall be managed, and the wireless spectrum monitored, to minimize interference between wireless networks and other devices using radio frequencies.

5.12   Information Technology Resource Management

5.12.1   Appropriate safeguards and controls shall be incorporated into the lifecycle of all information technology resources as required by the relevant standard(s).

5.12.2   Required safeguards and controls shall be determined by the classification of the institutional information being accessed, captured, stored, processed, transmitted, or otherwise managed and/or the security categorization of the information technology resource(s).

5.12.3   Configuration changes made to information technology resources, regardless of where they are hosted or who manages them, shall be approved using the procedures defined in the relevant standard(s).

5.12.4   Regular maintenance activities (e.g., applying patches, installing updates, arranging for annual service calls) shall be performed on all information technology resources according to the requirements defined in the relevant standard(s).

5.12.5   All administrative, academic, and business units shall develop and maintain a comprehensive inventory of information technology resources for which they are responsible.

5.12.6   Software used to conduct USNH or component institution business shall comply with all Cybersecurity Policies and Standards, including software and applications that reside on USNH owned or managed information technology resources as well as software and applications that are provided by and/or managed by vendors.

5.12.7   Endpoint devices used to connect to USNH networks shall be configured, managed, used, maintained, and disposed of according to the requirements defined in the relevant standard(s).

5.12.8   All servers connecting to USNH Networks shall be configured, administered, and managed in accordance with the requirements defined in the relevant standard(s).

5.12.9   Administrative, academic, and business units shall not deploy, implement, or build enterprise information technology services that duplicate services provided by Enterprise Technology & Services (ET&S) (e.g., email servers) without the express written permission of the CIO. Unauthorized services may be blocked from accessing the network.

5.12.10   Enterprise telecommunication services and the information technology resources used to provide them shall be appropriately protected from intentional, unintentional, inappropriate, or negligent acts or omissions according to the requirements in the relevant standard(s).

5.13   Vendor Management

5.13.1   Procurement and/or use of vendor information technology resources that capture, store, process, transmit, or otherwise manage institutional information shall require approval by Cybersecurity & Networking and follow the requirements defined in the relevant standard(s). This includes vendor cloud-hosted applications and vendor-supported information technology resources that are hosted on-premise.

5.13.2   Administrative, academic, and business units that procure information technology resources from vendors, and who choose to manage and support those vendor applications internally, rather than engage in a support agreement with Enterprise Technology & Services (ET&S) for management of those resources, shall obtain ET&S approval and be responsible for:

  • Ensuring appropriate cybersecurity controls are implemented
  • Implementing and managing access controls aligned with the Access Management Standard and the Accounts Management Standard
  • Providing support to the USNH community
  • Maintaining that information technology resource (e.g., applying security patches, handling upgrades, monitoring performance)
  • Managing the relationship with the vendor
  • Maintaining appropriate audit trail artifacts and annual attestation(s)

5.14   Incident Management

5.14.1   All members of the USNH community are responsible for reporting cybersecurity incidents, including any suspected, potential, or actual unauthorized disclosure of institutional information, to Cybersecurity & Networking immediately per the process identified in the Cybersecurity Incident Response Plan.

5.14.2   Cybersecurity events and incidents shall be investigated, mitigated, remediated, documented, and tracked according to the Cybersecurity Incident Response Plan.

5.14.3   To ensure appropriate, timely notification of potential and confirmed data breaches, the CISO, in cooperation with the USNH General Counsel’s Office, shall manage all required notifications to relevant regulatory bodies pursuant to the relevant standard(s).

5.15   Policy Maintenance

5.15.1   The CISO is responsible for documenting issues of clarity within this Policy or the related Standards raised by USNH community members and for ensuring those issues are resolved in a timely manner through revision of this Policy and the related standards.

5.15.2   This Policy and the related standards shall be reviewed and maintained regularly, but no less than once per year.

6.   Enforcement

Failure to comply with this Policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).

Non-compliant technology and/or activities may be mitigated as deemed necessary by the CISO and/or CIO.

Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.

7.   Exceptions

Requests for exceptions to this Policy shall be submitted and approved according to the requirements provided in the Cybersecurity Exception Standard.

8.   Roles and Responsibilities

8.1   Administrative, Academic, and Business Unit Leadership

8.1.1   Enforce appropriate cybersecurity controls to:

  • Protect the privacy of institutional information
  • Safeguard electronic and derivative information against unauthorized use and modification
  • Protect information technology resources against unauthorized access, modification, and disruption
  • Prevent the loss of or damage to institutional information and information technology resources

8.1.2   Develop and maintain a comprehensive inventory of information technology resources for which they are responsible.

8.1.3   Provide support, maintenance, and vendor relationship management, either directly, or through negotiated agreements with Enterprise Technology & Services (ET&S), for information technology resources procured from vendors.

8.1.4   Report all cybersecurity events or incidents to Cybersecurity & Networking.

8.2   Application Developer/System/Database/Application Administrator

8.2.1   Ensure appropriate cybersecurity controls are applied during the information technology resource lifecycle.

8.2.2   Protect, to the extent practical, the information technology resources in their care from natural and human hazards.

8.2.3   Report all cybersecurity events or incidents to Cybersecurity & Networking.

8.3   Business Application Owner

8.3.1   Institute and follow procedures to protect the information technology resources under their control from loss, damage, theft, compromise, and unauthorized access.

8.3.2   Ensure appropriate access management controls are implemented to reduce the risk of unauthorized access.

8.3.3   Report all cybersecurity events or incidents to Cybersecurity & Networking.

8.4   Chief Information Officer (CIO)

8.4.1   Approve all cybersecurity Policies and Standards.

8.5   Chief Information Security Officer (CISO)

8.5.1   Develop and maintain the Cybersecurity Program and all its components, including this policy and all related standards, processes, and procedures.

8.5.2   Ensure the policies, standards, processes, and procedures supporting the Cybersecurity Program are established in alignment with the framework(s) designated in the Cybersecurity Program.

8.5.3   Provide access to the standards, processes, and procedures related to this policy in an easily accessible location appropriate for authorized community members.

8.5.4   Monitor adherence to this policy and all related standards, processes, and procedures.

8.5.5   Establish the Cybersecurity Risk Management program.

8.5.6   Provide appropriate cybersecurity awareness training for all USNH community members.

8.5.7   Institute procedures to inform appropriate USNH community members about applicable laws, regulations, USNH and component institution policies, and contractual obligations.

8.5.8   Conduct an audit of security controls used to protect institutional information.

8.5.9   Review and approve exceptions to this policy and related standards.

8.5.10   The CISO shall establish and maintain an Identity and Access Management program.

8.6   Information Steward/Data Steward

8.6.1   Act as the authorizing manager for a designated information asset(s).

8.6.2   Authorize all access to and use of designated information asset(s).

8.7   Network Administrator

8.7.1   Manage all USNH networks in such a manner that institutional information and information technology resources are safeguarded from interference, unauthorized access, and compromise.

8.7.2   Manage the wireless spectrum to minimize interference between wireless networks and other devices that use radio frequencies.

8.7.3   Monitor and enforce compliance with this Policy on all USNH networks.

8.7.4   Report all cybersecurity events or incidents to Cybersecurity & Networking.

8.8   Technology Service Owner

8.8.1   Institute and follow procedures to protect the information technology resources under their control from loss, damage, theft, compromise, and unauthorized access.

8.8.2   Create a safe environment for the housing and use of information technology resources under their control.

8.8.3   Report all cybersecurity events or incidents to Cybersecurity & Networking.

8.9   USNH Community Members

8.9.1   Protect the confidentiality, availability, and integrity of USNH and its component institutions’ information and information technology resources as required by the relevant standard(s).

8.9.2   Follow processes and procedures provided by Enterprise Technology & Services (ET&S) and the USNH administrative, academic, and business units to ensure compliance with all required cybersecurity controls.

8.9.3   Complete all assigned cybersecurity training within the required timeframe.

8.9.4   Request clarification when needed to ensure understanding of responsibilities and requirements for complying with USNH policies and standards.

8.9.5   Sign confidentiality and data handling agreements as required prior to accessing institutional information and/or information technology resources that require them.

8.9.6   Adhere to established information handling requirements, respect the privacy of others whose information they have access to, and take appropriate precautions to protect that information from unauthorized disclosure or use.

8.9.7   Report any suspected, potential, or actual unauthorized disclosure of institutional information per the process identified in the Cybersecurity Incident Response Plan.

8.9.8   Report all cybersecurity incidents to Cybersecurity & Networking.

8.10   The USNH President’s Council

8.10.1   Oversight of the Cybersecurity Program to ensure USNH has made proper and appropriate preparations to respond to and recover from a Cyber Event.

8.11   The Identity and Access Management (IAM) Team

8.11.1   The IAM team has developed a Standard Operating Procedure (SOP) (V1.1, dated 20 March 2023) which contains or addresses network monitoring, log management, and incident management. The SOP is reviewed and updated quarterly.

9.   Definitions

See the ET&S Policy & Standard Glossary for full definitions of each term.

  • Access
  • Access Control
  • Account
  • Administrative/Operational Control
  • Administrator
  • Asset
  • Authentication
  • Authorization 
  • Availability
  • Breach
  • Business Application Owner
  • Business Continuity Plan
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Cloud Service
  • Confidentiality
  • Credentials
  • Critical Business Process
  • Cybersecurity
  • Disaster Recovery Plan
  • Elevated Access
  • Endpoint
  • Exception
  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Identity
  • Incident
  • Information
  • Information Security
  • Cybersecurity Event
  • Information Steward
  • Information Technology Resource
  • Institutional Information
  • Integrity
  • Internet of Things (IoT)
  • Log
  • Logical Control
  • Mitigate
  • Password
  • Patch
  • Payment Card Industry – Data Security Standard (PCI-DSS)
  • Physical Security
  • Policy
  • Privileged Access
  • Procedure
  • Remote Access
  • Removable Media
  • Risk
  • Risk Acceptance
  • Risk Assessment
  • Security Categorization
  • Security Control
  • Server
  • Standard
  • Technology Service Owner
  • Username
  • USNH Community Member
  • Vendor

CONTACT INFORMATION

For USNH community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to Cybersecurity Governance, Risk, & Compliance (GRC) via this Support Form.

All other requests can be submitted here: Submit an IT Question.

B. Acceptable Use Policy

1.   Purpose

The information technology resources provided by the University System of New Hampshire (USNH) and its component institutions support the educational, instructional, research, and administrative activities of the University System and those institutions. Use of these resources is a privilege that is extended to USNH community members. Inappropriate or improper use of these shared resources can impede or negatively impact availability for the rest of the community. As such, all community members are required to behave in a responsible, ethical, and legal manner during that use.

This policy defines acceptable use of information technology resources at USNH and its component institutions and outlines the responsibilities and obligations of community members who are granted access to or use of these resources. Specifically, this policy supports the following objectives:

  • Safeguarding the confidentiality, availability, integrity, and privacy of institutional information and enterprise information technology resources
  • Providing a reliable information technology environment for all USNH community members
  • Guaranteeing use of enterprise information technology resources is consistent with the principles and values that govern use of other USNH and component institution resources (e.g., facilities)
  • Confirming that enterprise information technology resources are used for their intended purposes

2.   Scope

This policy applies to anyone who utilizes USNH information technology resources, and all uses of those resources, irrespective of where the resources are being used. This includes students, faculty, staff, contractors, vendors, prior students/alumni, parents, volunteers, and external customers utilizing services provided by USNH.

For purposes of this policy only, any individual who is authorized to access or use a USNH or component institution information technology resource is considered a member of the USNH community.

This policy covers the use of all information and information technology resources owned, managed, licensed, or entrusted to USNH or one of its component institutions, regardless of who is providing those resources, how they are being provided, or how they are being accessed. Referred to throughout this policy as institutional information and USNH information technology resources, this includes, but is not limited to:

  • Information technology resources administered by Enterprise Technology & Services (ET&S) or contracted vendors
  • Information technology resources administered or managed by individual administrative, academic, or business units
  • Institutionally owned endpoint devices
  • Institutional telecommunication services including voicemail
  • Personally owned endpoint devices that connect to any USNH network
  • Devices, regardless of device ownership, that connect to any USNH information technology resource, including students’ use of devices

Business Application Owners or Technology Service Owners have the authority to establish more restrictive requirements governing use of those resources in their care. When there are additional use restrictions for a specific information technology resource, individuals who need access to that resource shall be informed of those restrictions, and agree to abide by them, prior to access being granted.

3.   Audience

This Policy applies to all USNH community members granted access to any USNH information technology resource.

4.   Policy Statement

4.1   Information Technology Resources are Shared

4.1.1   USNH provides information technology resources to authorized members of the USNH community and others in support of each USNH component institution’s mission and the mission of the University System.

4.1.2   To ensure access to and reliability of this shared resource, USNH and its component institutions shall safeguard the confidentiality, integrity, availability, and privacy of these information technology resources and the institutional information captured, stored, processed, transmitted, or otherwise managed by them.

4.1.3   USNH and component institution policies that govern freedom of expression, discriminatory harassment, and related matters in the context of standard written expression also govern electronic expression. This Policy addresses circumstances that are particular to information technology resources and is intended to augment, but not to supersede, other relevant USNH and component institution policies.

4.2   Community Member Rights and Responsibilities

4.2.1   Members of the USNH community shall be provided with the use of information technology resources. While accessing and using these resources, community members shall have a reasonable expectation of:

  • reliable use of these shared resources
  • protection from abuse and intrusion by others sharing these resources

4.2.2   Community members shall be responsible for exercising good judgment in the use of those resources including respecting the rights and privacy of others, respecting the security and integrity of the information technology resources they are given access to, and observing all relevant laws, regulations, contractual obligations, and USNH policies and standards.

4.2.3   Any suspicious activity related to enterprise or institutional accounts or information technology resources shall be reported immediately according to the Cybersecurity Incident Reporting process.

4.3   Acceptable Use

4.3.1   Acceptable Use of information technology resources is always ethical, reflects academic integrity, and shows restraint in the consumption of shared resources.

4.3.2   It demonstrates respect for intellectual property, ownership of data, information technology resource security, and freedom from intimidation and harassment.

4.3.3   The following are explicitly defined as acceptable:

4.3.3.1   Use that supports the administrative, academic, research, outreach, service, and operational mission of USNH and each of its component institutions.

4.3.3.2   Use of information technology resources that the community member has been authorized to access and use, so long as that use adheres to the intended use of those resources.

4.3.3.3   Use that protects the intellectual property of others and the rights of copyright holders of music, videos, images, texts, and other media.

4.4   Prohibited Use

4.4.1   Use of USNH information technology resources that is illegal, disruptive, or that has the potential to negatively impact other community members or shared information technology resources is prohibited.

4.4.2   Use that violates a USNH or component institution policy or a contractual obligation, or that subverts the mission of USNH or its component institutions, is prohibited.

4.4.3   Additionally, the following uses of USNH information technology resources are explicitly prohibited:

4.4.3.1   Unauthorized Use

4.4.3.1.1   Use or attempted use of any information technology resources without permission.

4.4.3.1.2   Use of another community member’s credentials, even if the community member gives their permission.

4.4.3.1.3   Sharing any password associated with enterprise or component institution credentials in violation of the USNH Password Policy.

4.4.3.1.4   Allowing or enabling use of USNH information technology resources by any individual or organization that is not affiliated with USNH or one of its component institutions.

4.4.3.2   Illegal Use

4.4.3.2.1   Use of USNH information technology resources in violation of civil or criminal law at the federal, state, or local levels or in violation of any regulation.

4.4.3.2.2   Use of USNH information technology resources to libel, slander, harass, defame, intimidate, or threaten anyone.

4.4.3.2.3   Use that violates copyright laws through inappropriate reproduction or dissemination of copyrighted material.

4.4.3.3   Inappropriate Use

4.4.3.3.1   Use that is inconsistent with the University System's non-profit status.

4.4.3.3.2   Use of USNH information technology resources for profit and/or commercial use, including non-USNH or component institution business purposes.

4.4.3.3.3   Use for the purpose of lobbying that connotes USNH or component institution involvement in or endorsement of any political candidate or ballot initiative.

4.4.3.3.4   Attempting to alter or reconfigure any USNH information technology resource without proper authorization.

4.4.3.3.5   Use that results in the display of obscene, lewd, or sexually harassing images or text in a public area or location that can be in view of others.

4.4.3.4   Damaging Use

4.4.3.4.1   Use that damages the integrity of information technology resources, whether they belong to USNH or not.

4.4.3.4.2   Use of information technology resources to gain unauthorized access to networks or other information technology resources, whether they belong to USNH or not.

4.4.3.4.3   Use that seeks to circumvent, defeat, or attempt to defeat information technology resource security controls.

4.4.3.5   Disguised Use

4.4.3.5.1   Use that attempts to alter or obscure the identity of the community member or the identity of an endpoint or other connected device while communicating with any USNH network.

4.4.3.5.2   Masquerading as or impersonating others or otherwise using a false identity without authorization, while accessing and/or utilizing USNH information technology resources.

4.4.3.6   Disruptive Use

4.4.3.6.1   Use that impedes, interferes with, impairs, or otherwise causes harm to the activities of other community members (e.g., consumption of excessive bandwidth, distribution of malicious programs, spamming internal distribution lists).

4.4.3.6.2   Removal of any USNH-owned or administered information technology resource from its normal location without authorization.

4.5   Privacy

4.5.1   Student educational records stored on or accessible via USNH information technology resources shall only be shared and used in accordance with the Family Educational Rights and Privacy Act of 1974 (FERPA). Handling requirements for information protected by FERPA are provided in the Protected Information Handling Standard.

4.5.2   While all USNH community members shall have a reasonable expectation of a certain degree of privacy related to their use of information technology resources provided by USNH and its component institutions, there are specific circumstances under which access to information or information technology resource use for a specific community member shall be authorized for USNH officials, ET&S personnel, law enforcement, other community members, or other external parties.

4.5.3   Some of those circumstances allow for this access without the knowledge and/or consent of the impacted community member.

4.5.4   The rules governing when and how that access is granted and to whom it can be granted for allowable circumstances shall be documented in the Access to Password Protected Information Standard.

4.5.5   ET&S reserves and retains the right to access, affect, and inspect information technology resources, and the information stored within those resources, without the consent of community members, to the extent necessary to manage and administer those resources (e.g., backup and caching of information and communications, the logging of activity, monitoring of general usage patterns, and other activities necessary or convenient for the provision of service).

4.6   Use of Personally Owned Devices

4.6.1   USNH and its component institutions shall allow community members to connect personally owned devices to USNH networks and to use personally owned endpoint devices to access approved institutional information and USNH information technology resources on-campus or remotely.

4.6.2   While this is an acceptable use of USNH information technology resources, community members who choose to use personally owned devices to connect to and/or access any USNH information technology resource shall agree to the following:

4.6.2.1   Connecting to a USNH network with a personally owned endpoint or other device implies consent for USNH and its component institutions to perform security scans on that device while connected to the network.

4.6.2.2   Any personally owned device connecting to a USNH network must be registered with the appropriate component institution.

4.6.2.3   Unregistered devices may be blocked from accessing USNH networks or other information technology resources.

4.6.2.4   All personal endpoint devices connecting to USNH information technology resources must meet the requirements defined in the Endpoint Management Standard.

4.6.2.5   Personally owned endpoint devices used by USNH employees to conduct USNH or component institution business that are involved in a cybersecurity incident may be searched as part of the internal ET&S investigation or any investigation by law enforcement.

4.6.3   Although use of personally owned endpoint devices or other devices to connect to or use USNH information technology resources is considered acceptable use, these devices shall not be used to host websites, applications, or services, across any USNH network, for a non-USNH or component institution organization, without specific authorization from the Chief Information Security Officer (CISO).

4.7   Personal Use of USNH Information Technology Resources

4.7.1   Incidental personal use of USNH information technology resources is allowed (e.g., internet access, accessing personal e-mail) as long as it is consistent with this Policy, and any applicable administrative, academic, or business unit policies, procedures, and guidelines, and it does not:

4.7.1.1   Interfere with the performance of an employee’s job or other responsibilities.

4.7.1.2   Consume a disruptive amount of information technology resources.

4.7.1.3   Violate any other USNH or component institution policies.

4.7.2   While this is considered an acceptable use, supervisors may impose further limits on use of USNH information technology resources for non-work purposes, in accordance with normal supervisory procedures.

4.8   Network Infrastructure

4.8.1   Unless specifically authorized by the Chief Information Security Officer (CISO), community members shall not connect networking equipment (e.g., routers, hubs, sniffers) to any USNH network, nor operate network services (e.g., routing, name service, multicast services) on any endpoint or other device attached to a USNH network.

4.8.2   Community members shall not attempt to modify or tamper with any USNH wired and/or wireless network services nor to extend these information technology resources beyond the limits provided.

4.8.3   Unauthorized information technology resources connecting or attempting to connect to a USNH network may be denied access, have access terminated, and/or be banned from future access.

4.8.4   Detailed requirements for obtaining authorization to connect to a USNH network shall be provided in the relevant USNH Standards.

4.9   Loss of Access to Shared Information Technology Resources

4.9.1   ET&S may temporarily deactivate or restrict an individual's access to one or more shared information technology resources, even in the absence of a suspected Acceptable Use Policy (AUP) violation, when necessary to preserve the confidentiality, integrity, and/or availability of those and other information technology resources.

4.10   Acceptable Use Violations

4.10.1   If a community member observes or is otherwise aware of an alleged violation of this Policy, they should report the matter to the CISO.

4.10.2   The CISO, based on the details of the alleged violation, may investigate and, if appropriate, refer the matter to the appropriate USNH institution’s disciplinary authorities as outlined in the Enforcement section below.

4.11   Policy Maintenance

4.11.1   This Policy and the related standards shall be reviewed and maintained regularly, but no less than once per year.

5.   Enforcement

Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).

Non-compliant technology and/or activities may be mitigated as deemed necessary by the CISO and/or CIO.

Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.

6.   Exceptions

Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the Cybersecurity Exception Standard.

7.   Roles and Responsibilities

7.1   Business Application Owners/Technology Service Owners

7.1.1   Adhere to the rules governing access to specific community member institutional information and/or information technology resources defined in the Access to Password Protected Information Standard.

7.1.2   When warranted:

7.1.2.1   Establish more restrictive requirements governing use of information technology resources in their care.

7.1.2.2   Provide USNH community members with any additional requirements governing use of that specific information technology resource prior to granting access to that resource.

7.1.2.3   Ensure USNH community members agree to abide by information technology specific requirements before access is granted.

7.2   Chief Information Security Officer (CISO)

7.2.1   Determine if alleged violations of this policy require investigation or further action.

7.2.2   Refer violations of this policy, where appropriate, to the relevant USNH institutional disciplinary authority.

7.2.3   Document issues of clarity within this policy or the related standards raised by USNH community members.

7.2.4   Ensure issues with this policy raised by USNH community members are resolved in a timely manner through revision of this policy and the related standards, if needed.

7.2.5   Ensure this policy and related standards are reviewed and maintained regularly, but no less than once per year.

7.3   USNH Community Members

7.3.1   Observe all relevant laws, regulations, contractual obligations, and USNH policies and standards in relation to their access and use of USNH and component institution information technology resources.

7.3.2   Exercise good judgment in the use of USNH information technology resources.

7.3.3   Respect the rights and privacy of other community members.

7.3.4   Respect the security and integrity of USNH information technology resources.

7.3.5   Protect all enterprise and component institution credentials (username and password) issued to them.

7.3.6   Report any suspicious activity related to enterprise or institutional accounts or information technology resources immediately according to the Cybersecurity Incident Reporting process.

7.3.7   Avoid engaging in any prohibited use of information technology resources including the connection of networking equipment to any USNH network and modification or tampering with any USNH network service.

7.3.8   Understand the ramifications of using a personally owned endpoint or other device to access USNH information technology resources.

7.3.9   Report alleged violations of this policy to the CISO.

7.4   Enterprise Technology & Services (ET&S)

7.4.1   Provide information technology resources in support of USNH and component institution missions and objectives.

7.4.2   Safeguard the confidentiality, integrity, availability, and privacy of institutional information and USNH information technology resources.

7.4.3   Cooperate, upon the advice of the USNH General Counsel’s Office (GCO), with any local, state, or federal investigation involving or pertaining to use of institutional information or USNH information technology resources.

7.4.4   Adhere to the rules governing access to specific community member institutional information and/or information technology resources defined in the Access to Password Protected Information Standard.

8.   Definitions

See the ET&S Cybersecurity Policy & Standard Glossary for full definitions of each term.

  • Acceptable Use
  • Anti-virus
  • Authorization
  • Availability
  • Business Application Owner
  • Chief Information Security Officer
  • Confidentiality
  • Copyright
  • Credentials
  • Cybersecurity Incident
  • Encryption
  • Endpoint Device
  • Exception
  • Information Technology Resource
  • Information
  • Institutional Information
  • Integrity
  • Intellectual Property
  • Password
  • Personally Owned Device
  • Policy
  • Privacy
  • Prohibited Use
  • Standard
  • Technology Service Owner
  • Username
  • USNH Community Member
  • Vulnerability

CONTACT INFORMATION

For USNH community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to Cybersecurity Governance, Risk, and Compliance (GRC) via this Support Form.

All other requests can be submitted here: Submit an IT Question.

C. Information Classification Policy

1.   Purpose

This policy informs all University System of New Hampshire (USNH) community members of their responsibilities related to maintaining the privacy and security of institutional information. To effectively safeguard institutional information, the USNH community must have a shared understanding of what needs to be protected and what kind of protection is required for different types of institutional information.

To facilitate that shared understanding, this Policy establishes a model for the classification of institutional information that defines each classification and provides examples of the kind of information associated with each classification. This model shall be used by all USNH institutions to classify information. The classifications defined here form the foundation for any other policies or standards pertaining to the protection of information.

This policy and the related Information Handling Standards define the minimum requirements for each information classification tier.

2.   Scope

This policy applies to all institutional information, regardless of storage format (e.g., data/digital, paper).

3.   Audience

All USNH community members should understand this policy and how it applies to the institutional information they access and use.

4.   Policy Statement

All USNH and component institution information shall be protected appropriately based on the classification of that information. Institutional information shall only be shared between, and released to, authorized parties when there is a need to know, and as necessary, to execute job-related duties in alignment with established information handling standards.

4.1   Classification Structure

To facilitate the development and communication of clear standards, processes, and procedures for implementing the appropriate security controls for each type of institutional information, the Information Classification Model is separated into distinct tiers. Each tier in the model encompasses specific types of institutional information which require that level of protection.

4.2   Tier 4 - Restricted Information

4.2.1   Information is restricted if protection is:

  • legally defined
  • required by federal and/or state law (excluding FERPA)
  • required by contract or industry standard

4.2.2   Additionally, information can be designated as Restricted by the data steward of that information.

4.2.3   If compromised or exposed, Restricted information could result in significant institutional cost, harm to institutional reputation, and/or unacceptable disruption of the institution’s ability to meet its mission.

4.2.4   Examples of Restricted Information

4.2.4.1   SSNs and other personally identifiable information as defined by state of NH reporting requirements

4.2.4.2   Electronic Protected Health Information (ePHI) or non-electronic Protected Health Information (PHI) as defined by HIPAA

4.2.4.3   Research information that contractually requires specific security or privacy controls

4.2.4.4   Information protected by PCI-DSS

4.2.4.5   Information protected by FMLA and GLBA

4.2.4.6   Information protected through "Affirmative Action" and/or "disability regulation"

4.2.4.7   Information technology infrastructure, design, security, and authentication stores

4.3   Tier 3 - Protected Information

4.3.1   Information is protected if privacy controls are required by regulation or law but required protections do not rise to the level of those mandated for Restricted Information.

4.3.2   If compromised or exposed, protected information may result in serious institutional cost, harm to institutional reputation, and/or unacceptable disruption of the institution’s ability to meet its mission.

4.3.3   Examples of Protected Information

4.3.3.1   Information protected by FERPA

4.3.3.2   Library information

4.3.3.3   Research information that requires protection by contract

4.4   Tier 2 - Sensitive Information

4.4.1   Information is sensitive if controlled access is required by institutional policy, by the data steward, by contract, for ethical reasons, and/or if it is at high risk of damage or inappropriate access.

4.4.2   It includes information which, if compromised, could result in high institutional cost, harm to clients, harm to institutional reputation or unacceptable disruption of the institution’s ability to meet its mission.

4.4.3   It includes other information explicitly identified as requiring controlled access, but that does not require the level of protection dictated in the higher tiers. Any institutional information that has not been designated as falling under another tier shall be considered sensitive.

4.4.4   Examples of Sensitive Information

4.4.4.1   Directory information as defined by the institution or by regulation

4.4.4.2   Intellectual property

4.4.4.3   Fundraising data

4.5   Tier 1 - Public Information

4.5.1   Information is public if it is explicitly identified as public by the data steward responsible for that information. It includes information that may be provided to anyone without any further oversight.

4.5.2   Examples of Public Information

4.5.2.1   Contact information of employees that is approved for publication in the public directory

4.5.2.2   Campus map that has been explicitly approved for public display

4.5.2.3   Academic calendar that has been explicitly approved for public display

4.6   Information Handling Requirements

4.6.1   With the input, oversight, and approval of the institutional data stewards, Cybersecurity & Networking shall be responsible for the development, publication, and maintenance of Standards defining the required security controls for each of the defined tiers.

4.6.2   Administrative, academic, and business units shall be responsible for the development and maintenance of clear and consistent information handling procedures, aligned with those Standards, in support of operations and business processes that involve the collection, access, use, processing, storage, or transmission of institutional information.

4.7   Clarification on Classification

4.7.1   While designated Data Stewards at each institution are responsible for determining the appropriate classification for the information under their stewardship, Cybersecurity & Networking is the central point of contact for questions about or clarification on the appropriate classification of a specific type of information or data element and for the required security controls for each classification.

5.   Enforcement

Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).

Non-compliant technology and/or activities may be mitigated as deemed necessary by the Chief Information Officer and/or Chief Information Security Officer.

Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.

6.   Exceptions

Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the USNH Cybersecurity Exception Standard.

7.   Roles and Responsibilities

7.1   Administrative, Academic, and Business Units

7.1.1   Develop and maintain clear and consistent information handling procedures, aligned with the published Information Handling Standards, in support of operations and business processes that involve the collection, access, use, processing, storage, or transmission of institutional information.

7.2   Cybersecurity & Networking

7.2.1   Develop standards defining required security controls for each Classification Tier defined in this Policy.

7.2.2   Provide guidance to USNH community members on the Information Classification Model.

7.3   Data/Information Stewards

7.3.1   Determine the appropriate classification for each type of information under their purview.

7.4   USNH Community Members

7.4.1   Understand the classification of all institutional information with which they interact.

8.   Definitions

See the ET&S Policy & Standard Glossary for full definitions of each term.

  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Data/Information Steward
  • Exception
  • FERPA
  • GLBA
  • HIPAA
  • Information
  • Institutional Information
  • PCI-DSS
  • Policy
  • Procedure
  • Protected Information
  • Public Information
  • Restricted Information
  • Security Control
  • Sensitive Information
  • Standard
  • USNH Community Member

CONTACT INFORMATION

For USNH community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to Cybersecurity Governance, Risk, and Compliance (GRC) via this Support Form.

All other requests can be submitted here: Submit an IT Question.

D. Password Policy

1.   Purpose

The purpose of this policy is to establish the requirements for the proper construction, usage, handling, and maintenance of all passwords at all University System of New Hampshire (USNH) institutions. These requirements ensure consistent application of security controls necessary to safeguard the information and information technology resources of USNH and its component institutions. USNH aligns itself with best practices from organizations such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).

2.   Scope

This policy applies to all passwords used to authenticate to USNH information technology resources or any information technology resource that stores non-public USNH data.

It does not apply to the following types of passwords, the requirements for which are defined elsewhere:

  • Service Account Passwords - defined as passwords used by an information technology resource to contact or interface with another information technology resource
  • UNH Parent Portal Account Passwords

3.   Audience

All USNH community members with access to institutional information or information technology resources should be familiar with this Policy and their responsibilities for complying with the requirements it defines.

4.   Policy Statement

4.1   Password Change Frequency

4.1.1   All passwords associated with USNH accounts shall be changed annually with the following exceptions:

  • System Administrator Accounts (every six months)
  • All non-primary identity accounts accessed by employees with privileged access shall have passwords changed upon departure of the employee.

4.1.2   USNH community members shall be notified of the need to change their password, prior to the password’s expiration date.

4.1.3   USNH community members with expired passwords shall be restricted from accessing USNH information technology resources.

4.2   Password Construction

4.2.1   Passwords shall:

  • Be between 14 and 64 characters in length
  • Be sufficiently different from previous passwords
  • Contain a minimum of 5 unique characters

4.2.2   Passwords shall not:

  • include the user’s first, last, or preferred name, the user’s USNH username (e.g., abc1234), or the user’s USNH ID (e.g., 991122334)
  • be re-used
  • contain number or character sequences of 4 or more (e.g., abcd, 6789, sTuV)
  • contain characters repeated 4 or more times sequentially (e.g., bbbb, 8888, TttT, &&&&)

4.2.3   Known compromised or commonly used weak passwords are disallowed.
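
The construction rules in 4.2.1 and 4.2.2, written as a check that a password-change form could run. This is an added example, not USNH code; it assumes case-insensitive matching (as the policy's own examples sTuV and TttT suggest), ascending sequences only, and distinct characters counted as typed. The re-use, similarity, and compromised-password rules need stored history or a breach list and are not covered.

```python
from dataclasses import dataclass

MIN_LEN, MAX_LEN, MIN_UNIQUE, RUN = 14, 64, 5, 4  # limits from 4.2.1 / 4.2.2


@dataclass
class User:
    """Identity values a password must not contain (4.2.2, first bullet)."""
    first: str
    last: str
    preferred: str
    username: str
    usnh_id: str


# Constructed sample user; the username and ID are the policy's own placeholders.
SAMPLE_USER = User("Jordan", "Rivera", "Jordy", "abc1234", "991122334")


def has_sequence(pw: str) -> bool:
    """True if pw holds RUN ascending letters or digits in a row (abcd, 6789, sTuV)."""
    s = pw.lower()
    streak = 1
    for prev, cur in zip(s, s[1:]):
        in_order = (prev.isascii() and cur.isascii() and prev.isalnum()
                    and cur.isalnum() and ord(cur) - ord(prev) == 1)
        streak = streak + 1 if in_order else 1
        if streak >= RUN:
            return True
    return False


def has_repeat(pw: str) -> bool:
    """True if one character occurs RUN times in a row, ignoring case (bbbb, TttT)."""
    s = pw.lower()
    streak = 1
    for prev, cur in zip(s, s[1:]):
        streak = streak + 1 if cur == prev else 1
        if streak >= RUN:
            return True
    return False


def violations(pw: str, user: User) -> list:
    """Return the construction rules pw breaks; an empty list means it passes."""
    found = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        found.append("length")
    if len(set(pw)) < MIN_UNIQUE:
        found.append("unique")
    low = pw.lower()
    tokens = (user.first, user.last, user.preferred, user.username, user.usnh_id)
    if any(t and t.lower() in low for t in tokens):
        found.append("identity")
    if has_sequence(pw):
        found.append("sequence")
    if has_repeat(pw):
        found.append("repeat")
    return found
```

Very short names (two or three letters) will match inside many unrelated passwords, so a deployment would need to decide how to treat them.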

4.3   Password Usage

4.3.1   Passwords used for USNH purposes shall not be used for purposes outside of USNH including, but not limited to personal banking, Amazon, Netflix, etc.

4.3.2   Passwords used for accessing USNH information technology resources that require local application accounts for authentication shall not be the same as the community member’s USNH password.

  • Local application accounts are accounts for official university applications that do not use USNH credentials 
  • Examples: Salesforce, USNH Benefits

4.4   Password Handling

4.4.1   Passwords shall:

  • Be treated as sensitive, confidential information
  • Not be shared with anyone, including administrative assistants or supervisors
  • Not be written down or stored on-line in clear text
  • Not be shared in email, chat, or other electronic communication
  • Not be spoken aloud

4.4.2   Administrators of information technology resources who need to provide passwords to other administrators may use communication mechanisms for providing those passwords that are approved by Cybersecurity & Networking.

4.4.3   USNH community members shall not use the "Remember Password" feature of web browsers to store USNH passwords.

4.4.4   Forgotten passwords shall be reset using USNH approved automated mechanisms.

4.4.5   USNH community members with forgotten passwords who are unable to reset their password using automated mechanisms shall provide verification of identity via the approved USNH process.

4.4.6   Default passwords on all information system components, peripherals, and Internet of Things (IoT) devices shall be changed to passwords that meet the minimum requirements outlined in this Policy prior to installation or deployment.

4.4.7   Members of USNH Enterprise Technology & Services (ET&S) shall never ask users to provide their password for any USNH account.

4.5   Compromised Passwords

4.5.1   USNH community members who believe their password has been compromised shall notify their local Help Desk immediately.

4.5.2   If USNH has reason to believe a community member’s password has been compromised, the community member’s access may be revoked, without notification, until the community member’s identity can be verified, and their password can be reset.

4.5.3   USNH community members with potentially compromised passwords shall provide verification of their identity and set a new password to regain access to USNH information technology resources.

5.   Enforcement

Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).

Non-compliant technology and/or activities may be mitigated as deemed necessary by the USNH CISO and/or CIO.

Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.

Contractors or vendors that fail to comply with this policy may be in violation of their contract with USNH and risk penalties up to contract termination.

6.   Exceptions

Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the USNH Cybersecurity Exception Standard.

7.   Roles and Responsibilities

  • Application Administrators
    • Ensure local application accounts, including those used to administer applications and those enabling community member access, follow all requirements defined in this policy.
  • Chief Information Security Officer (CISO)
    • Enforce this policy and related standards
    • Review this policy annually
  • Enterprise Technology & Services (ET&S)
    • Send expiring password notifications to USNH community members
    • Disable accounts with expired passwords per the USNH Password Management Standard
  • USNH Community Members
    • Comply with all restrictions and requirements outlined in this Policy when selecting passwords for use at USNH
    • Maintain the confidentiality of USNH passwords
    • Use unique passwords on every account (e.g., do not use your USNH password for other accounts)
    • Report all cybersecurity events or incidents to Cybersecurity & Networking. For example, a USNH password that suddenly stops working without being changed by its owner would be considered a cybersecurity event.

8.   Definitions

  • Access
  • Account
  • Administrator
  • Authentication
  • Compromised Account
  • Confidentiality
  • Cybersecurity/Information Security
  • Cybersecurity Incident
  • Exception 
  • Identity
  • Information
  • Information Technology Resource 
  • Institutional Information
  • Internet of Things (IoT)
  • Non-Primary Identity
  • Password
  • Policy
  • Privileged Access
  • Security Control
  • Standard
  • Username 
  • USNH Community Member
  • USNH ID

CONTACT INFORMATION

For USNH community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to USNH Cybersecurity Governance, Risk, & Compliance (GRC) via this Support Form.

All other requests can be submitted here: Submit an IT Question.
 

E. Privacy Policy

Our Commitment to Privacy

Your privacy is important to us. To better protect your privacy, we provide this policy explaining our websites' information practices and the choices you can make about the way your information is collected and used. To make this policy easy to find, we make it available on our homepage and at every point where personally identifiable information may be requested. This policy applies to all information collected or submitted on University System of New Hampshire (USNH) websites or mobile applications. By using USNH websites, you are consenting to our collection and use of information in accordance with this Privacy Policy.

International Visitors

USNH is located in the United States (State of New Hampshire). By providing information to USNH, you are transferring your personal data to the United States. If you are providing personal information and are not a resident of the United States, your country’s laws governing data collection and use may differ from those in the United States. 

The Information We Collect

Personal Information

USNH collects personal information about you through our websites and mobile applications only when you voluntarily submit your information to us.

"Personal information" is any information that can be used to identify you or that may be linked to you. This information is commonly limited to the information found in a public directory, such as first name, last name, postal address, email address, and phone number. 

Certain USNH websites allow individuals to create and maintain individualized accounts. Where these sites are concerned, users have the responsibility of maintaining the confidentiality of their accounts and passwords, and for restricting access to their computers. Users agree to accept responsibility and repercussions for all activities that originate from their accounts.

Log Files

USNH and our third-party vendors may automatically collect certain information regarding your use of our websites, devices and applications. Information collected includes:

  • Your session and the pages you visit; 
  • Network device addresses such as IP address;
  • Cybersecurity Metadata such as vulnerability data, patch levels and malware data;
  • Date and time of access;
  • Operating system of the device through which you access USNH websites;
  • Browser type and version, the monitor screen size and color depth and other plugin and program information as sent by your browser.

The generic information we collect is based on IP address, which is the location of a computer or network. We may use or disclose your IP address and data connection-specific information to help us diagnose problems with our servers and network, and to administer our websites by identifying (1) which parts of our sites are most heavily used, and (2) where our audience comes from, from both within and outside the USNH data networks. In addition, generic information collected during your visit can be associated with you, if 1) you choose to provide your personal information during your visit, 2) for marketing and development purposes, 3) it is necessary to do so to investigate a cybersecurity incident, and/or 4) we are required to do so by law or court order.

Mobile Applications

When you install mobile applications with the publisher name “University of New Hampshire,” “Keene State College,” “Plymouth State University” or “Granite State College”, the application may ask for permission to use or access:

  • GPS services
  • Push notifications
  • Camera

The general information described above may be aggregated with the general information of all site visitors to identify and improve how our websites or applications are used. In turn, we may share this aggregate information about our site with partners or the general public. Aggregate data does not contain any information that could be used to contact or identify you.

Web Analytics

Some USNH websites and mobile applications (“apps”) use Google Analytics, a service provided by Google, Inc. Google Analytics places a cookie on your computer or a code embedded in the mobile application to analyze how you use the site or app. The information generated by the cookie is transmitted to and stored by Google on its servers. Google uses this information to compile reports on website and mobile activity, and then the university site and application owners use that information to improve their sites and apps. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google does not associate your IP address with any other data held by Google.

Cookies

Cookies are small files that are stored on your computer (unless you block them). We use cookies to understand and save your preferences for future visits and compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. You may disable cookies by selecting the appropriate settings in your browser or you can opt out of the collection and use of this information; however, this may prevent you from experiencing the full functionality of our websites.

Other Sources

USNH may receive information about you from other sources, including third parties, that help us update, expand, and analyze our records, identify new customers, or prevent or detect fraud. USNH may also receive information about you from social media platforms, including but not limited to, when you access our social media content or interact with us on these platforms. The information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform; therefore, we encourage you to review them.

How We Use Collected Information

USNH may use the information we collect:

  • To respond to your inquiries;
  • To provide services or materials you request;
  • To operate and understand how services are utilized;
  • To maintain our contact list(s);
  • For marketing and development purposes;
  • To provide business services for which the information is intended;
  • To assess the effectiveness of our events, campaigns, and publications;
  • For information processing that is reasonably appropriate or necessary within our legal obligations.

On some pages, you can request information, make requests, and register to receive materials or make recommendations about other people. We use the personal information you provide when placing a request to complete that request to the best of our ability. We use return email addresses to answer the email we receive. Such addresses may be used to communicate further with you for internal marketing and development purposes.  You can choose to opt out of receiving marketing communications from us by “unsubscribing” using the instructions in any marketing email you receive from us. 

We process your Personal Information for the purposes described above to facilitate transactions requested by you and to meet our contractual obligations (for example, registering you for events); on the basis of our legitimate interests (for example, website analytics); or on the basis of your consent, where applicable.

How We Share Collected Information

We do not share this information with outside parties except for the following limited purposes:

  • When we have your consent to share the information;
  • To the extent necessary to complete your request;
  • To verify (or match) information about you from other sources;
  • With USNH school officials and administration;
  • In response to subpoenas, court orders, or legal processes;
  • As we deem necessary to protect the legitimate interests, rights, safety or property of the University System of New Hampshire and its component institutions.

Finally, we never use or share the personally identifiable information provided to us online in ways unrelated to the ones described above. If we are required to disclose information by law or court order, we will make reasonable efforts to notify any affected parties in advance.

Internet-Based Advertisements

We use tools such as Google Adwords to remarket to individuals who visit our program and promotional pages. Third-party vendors, such as Google, show our ads on sites across the internet, and in some cases, use cookies to serve ads based on someone's past visits to our website. You can opt out of Google's use of cookies by visiting Google's Ads Settings. You can also opt out of all third-party vendor use of cookies by visiting the Network Advertising Initiative opt-out page.

Our Commitment to Data Security

To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

Our Commitment to Children's Privacy

We are committed to protecting the privacy of the very young. While our websites are generally not directed at or intended to attract visitors under age 13, our institutions do run certain programs for children for which online registration or participation is available. For those activities, the following additional Children's Privacy Policy supplements this USNH Privacy Policy.

Children's Privacy

We recognize the need to provide additional privacy protections when information is collected from or about children under the age of 13. The following guidelines apply to activities (including but not limited to on-campus camps or lessons for children and online activities designed for children), in addition to our general Privacy Policy. These rules follow the Children's Online Privacy Protection Act (COPPA).

Information We May Collect

We may collect the following information about a child who will participate in a USNH-administered youth activity:

  • Name
  • E-mail address
  • Street address
  • Date of birth (to ensure enrollment in age-appropriate activities)

Depending upon the activities in which your child chooses to participate, your child may be asked or choose to provide additional information. We do not require a person to disclose more information than is reasonably necessary to participate in an activity.

How We Use the Information

We use the information about your child to register your child for a USNH event and to ensure appropriate content and safety for participants. USNH and its institutions will not disclose a child's information to any third party without parental authorization, except as may otherwise be required by law.

Parent/Guardian Consent

We will not collect or store online information from or about a child under age 13 until we have received a parent's or guardian's verified consent.

Parents or Guardians may review their child's personal information in our online databases; correct factual inaccuracies in the information collected about their child; refuse to permit us to collect further personal information from their child; and ask that information be deleted from our online records. Appropriate contact information for parents will be provided on every webpage promoting or permitting activities by children under age 13.

COPPA Notice Template

A Children's Online Privacy Protection Act ("COPPA") notice template is provided for use by the institutions of USNH.

Questions Regarding this Privacy Policy

If you have questions about the data we collect, how that data is used, or this privacy policy in general, please contact the appropriate USNH Institution:

External Links

Some USNH websites may contain links to external websites not owned by, or officially affiliated with, USNH in any way. USNH is not responsible for the privacy practices or the content of such websites.

Changes to this Policy

We reserve the right to change, modify, add or remove portions of our privacy statements at any time. Any such amendments will be noted on this page, so please visit periodically to view current statements.