The University of Massachusetts Amherst Information Security Policy is the formal policy on information security governance structure, technical standards, and procedures to preserve and protect the institutional information, research data, and information technology resources of UMass Amherst. This page provides guidance on frequently asked questions related to the Information Security Policy and other related UMass Amherst policies.
What are the current technology guidelines for remote and hybrid work?
As departments develop standards and practices relevant to their areas for hybrid work, it is important that they consider the potential risks associated with any arrangements and develop appropriate standards that are in line with compliance regulations, privacy concerns, and data risks.
Although the campus information security policy allows for the use of personal devices in general, this practice should be reviewed by the appropriate dean, vice chancellor, director, or supervisor to determine if allowing personal devices for a particular area/role is appropriate given the relative risk this may present.
Example scenarios where personal devices may not be used for remote or hybrid work:
- The work involves patient data, Social Security Numbers, or Credit Card Numbers in any form.
- Research data with an associated technology control plan.
Can I use my personal device (computer, tablet, smartphone) for university work/business?
Per the Information Security Policy, information security is the responsibility of every user of institutional information, research data, and information technology resources.
This means it is the responsibility of the user to make sure they have the appropriate controls in place, properly maintain their device(s) to protect the institutional information and research data under their control, and appropriately manage the risks.
According to the Information Security Policy, if using a personal device is not prohibited by the Data Steward and/or your College/Department, a personal device can generally be used for university business.*
*Note: For certain data types or functions, additional restrictions may apply. Regulated data and research data are generally not approved for personal devices. If you are unclear about a particular kind of data, please consult with the appropriate Data Steward or the Information Security Office.
When using a personal device for university business:
- The user assumes all responsibility and liability for protecting the institutional information and research data, including maintaining the appropriate controls, and reporting incidents.
- Using a personal device for university business could put your device in scope for university public records requests/lawsuits and could cause you personal legal liability related to records requests and lawsuits.
- The guidance provided for working remotely states: “Never download personally identifiable information, sensitive FERPA information, or health information to your personal device.”
- UMass IT Enterprise Desktop Support does not provide support for personally owned devices and does not allow personal devices to connect to IT managed department file servers.
Examples of Appropriate Controls and Protections include:
- Foundational Security Controls:
  - Anti-malware
  - Encryption
  - Patching
  - Firewall
  - Secure disposal
- Reporting incidents that impact the institutional information and research data.
- Additional controls required based on the categorization of the information or data, the nature of the information technology resource, the applicable regulatory or contractual requirements, or other risk management calculations. The Data Steward should be consulted for more details on requirements.
IT Risk Management/Information Security can assist with risk assessments: it@umass.edu
Refer to the following policies for more details:
- Information Security Policy
- Privacy Policy
- Confidentiality of Institutional Information & Research Data
- Acceptable Use of Information Technology Resources Policy
Can I purchase IT/computing devices, software or services without involving my College/Department IT support?
University procurement policy specifies that the IT department should be involved in the evaluation, planning and purchase of Information Technology hardware, software, and services to
- ensure appropriate risks are addressed and security and privacy standards are followed.
- assess the resources and training requirements that will be required to provide the ongoing support.
- assess compatibility with existing systems.
- evaluate savings in terms of dollars, resources, implementations.
The full details of the policies can be found here:
- UMass Board of Trustees Information Technology Acquisition Policy
- UMass Board of Trustees Procurement Policy
Can I forward my UMass email to my personal email account (Gmail, Yahoo, AOL, etc.), or use my personal email account for university business?
Forwarding your emails outside of the UMass email systems or using your personal email for university business introduces risk to you and the information contained in the email.
- It may cause you to be in violation of federal privacy regulations such as FERPA and HIPAA.
- It may be a violation of the UMass Information Security Policy.
- It could put your personal email mailbox in scope for UMass related legal and public records requests and may subject you to personal legal liability.
- You may not receive all of your messages because a sender may not allow a message to be forwarded.
Information Security Policy and email protections
Forwarding university email to your personal email account may cause you to be in violation of federal privacy laws, such as FERPA and HIPAA, and the UMass Information Security Policy due to insufficient protections available in your personal account. Note that HIPAA data is not permitted to be transmitted or stored in email.
The university has enterprise contracts with our email providers to help protect the security and privacy of information stored in your university email account. Your personal email account does not have the same protections in place.
Examples of information that is not appropriate for personal email accounts include: Student related information (FERPA), personally identifiable information (PII), and research data. For more information on data management, see Information Management and Storing University Data.
Legal and Public Records Requests
Forwarding your UMass email to your personal email account, and/or conducting university business using your personal email may put your personal email mailbox in scope for UMass related legal and public records requests and may subject you to personal legal liability.
Email Forwarding Restrictions
Forwarding your UMass email to your personal email account, and/or conducting university business using your personal email, may result in your personal email mailbox being in scope for UMass-related legal and public records requests and may subject you to personal legal liability.
Can my university computer run an unsupported operating system and/or unsupported software?
Your EDS managed device must be running an operating system and software supported by the vendor so it can receive security fixes and application updates.
Also, the foundational security controls, such as anti-virus software, may not function correctly on older or unsupported operating systems.
Service Administrators and end-users are responsible for maintaining the security of the institutional information, research data and IT assets under their purview. The Foundational Information Security Controls and industry standards specify that systems shall be supported by the vendors, patched against vulnerabilities, and have the appropriate security controls, such as updated anti-virus, to resist threats.
If this is not possible, due to hardware incompatibility, a risk assessment will need to be performed. Contact your IT support contact to coordinate the risk assessment.
What software controls does UMass Amherst Enterprise Desktop Support put on university computers?
IT configures university computers with a baseline configuration and software tools to help mitigate risk to university data and systems, and to help effectively manage a large number of computers. These software tools include the Foundational Security Controls, other tools and configurations used to manage the computers, and business-related software requested by the department and/or computer users. The only software IT installs that monitors system activity is the anti-malware software, which looks for malicious actors on your system.
Can IT Enterprise Desktop Support see what I am doing on a university computer?
It is a violation of policy for an IT Administrator to monitor activities on the computer outside of legitimate, authorized work duties. IT administrators can use tools to address legitimate technical and information security related issues. For remote support, IT Enterprise Desktop Support uses remote access software that requires the computer user to acknowledge and authorize the remote connection. For additional information, see the Confidentiality of Institutional Information and Research Data policy.
I have access to IT equipment (computers, printers, tablets, etc.) through my employment at UMass. Who owns it?
Please refer to the UMass Property Office website section on Who Owns Equipment.
Questions on equipment ownership and inventory should be directed to the UMass Property Office (property@umass.edu).
This extends to equipment purchased with MSP funds.