Service Requirements

Effective date: 06/1/2022

Last update: 06/28/2022

Purpose

This Service Requirement describes the University's requirements for access controls of Information Technology (IT) systems and services. Access controls are designed to minimize the potential exposure to the University resulting from unauthorized use of computing resources and to preserve and protect the confidentiality, integrity and availability of University networks, systems and applications.

Never share your credentials, password or other sensitive information and do not respond to emails that request access to your MultiPass ID, password, secret questions, or other personal information. Duquesne University's Computing and Technology Services (CTS) team will NEVER ask for your MultiPass password or other personally identifiable information.

Scope

This Service Requirement applies to all students, employees, affiliates or other members of the community who connect to servers, applications or network devices that transmit Duquesne University Restricted Data per the CTS Data Governance Service Requirement. All servers, applications or network devices that contain, transmit, or process Duquesne University Restricted Data are considered "High Security Systems".


Service Requirement

SEGREGATION OF DUTIES

Access to High Security Systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the CTS Service Owner or Banner Module Owner, with a valid business justification. Account creation, deletion, and modification as well as access to protected data and network resources are implemented as defined in the CTS Account Administration Guide.

On an annual basis, CTS will audit all user and administrative access to High Security Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit, and remediated accordingly.

USER ACCOUNT ACCESS

USER ACCESS

All users of High Security Systems will abide by the following set of rules:

  • Users with access to the configuration and permissions of systems and services should utilize a separate unique account (when possible), different from their normal University account. This account will conform to the following standards:
    • The password will conform, at a minimum, to the published CTS Credential and Passwords Service Requirement.
    • Inactive accounts should be disabled after 90 days of inactivity.
    • Access should be enabled only during the time period needed and disabled when not in use.
    • Access will be monitored when account is in use.
  • Users will not login using generic, shared or service accounts.
  • Third Parties with remote access to University premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each user.

ADMINISTRATIVE ACCESS

  • Administrators will abide by the CTS Privileged Access Service Requirements.
  • Users will abide by the above user access guidelines.
  • Administrators will immediately upon notice revoke all of a user's access to systems or services when a change in employment status, job function or responsibilities dictate the user no longer requires such access.
  • All service accounts should be used by no more than one service, application or system.
  • Administrators should not extend a user group's permissions in such a way that it provides inappropriate access to any user in that group.
  • All servers, applications and network devices are recommended to utilize a login banner that displays the following content:

Duquesne's computer networks and systems are solely for authorized uses supporting the University's Mission of education, research, and service. Uses that contradict the University's mission are strictly prohibited and may result in monitoring of use, denial of access, and/or disciplinary measures adding up to and including dismissal or termination. By connecting to Duquesne's computer networks and systems, you agree to use these resources strictly for their intended purpose.

REMOTE ACCESS

All users and administrators accessing High Security Systems must abide by the CTS Information Security Requirements for Remote Access.

THIRD PARTY ACCESS

  • Any third-party, non-Duquesne affiliate that requires remote access to High Security Systems for support, maintenance or administrative reasons must designate a person to be the Point of Contact (POC) for their organization. In the event the POC changes, the third party must designate a new POC.
  • All third-party access to High Security Systems must be approved by the privileged access process.
  • Third parties may access only the systems that they support or maintain.
  • All third-party accounts on High Security Systems will be disabled and inactive unless needed for support or maintenance. Requests for enabling access must be requested in writing. Requests for access outside of this policy must be approved by the CIO or CISO. CTS will be responsible for enabling/disabling accounts and monitoring vendor access to said systems. All third parties with access to any High Security Systems must adhere to all regulations and governance standards associated with that data (e.g., PCI security requirements for cardholder data, FERPA requirements for student records, HIPAA requirements for Protected Health Information). Third party accounts must be immediately disabled after support or maintenance is complete.
  • Data should not be copied from high security systems to a user's remote machine.
  • Users will abide by the above user access guidelines.

PHYSICAL ACCESS

All CTS data centers will abide by the following physical security requirements:

  • Video surveillance will be installed to monitor access into and out of CTS data centers.
  • Access to CTS data centers will be accomplished through the use of electronic badge systems and/or biometric systems.
    • Only the Facilities Department, Public Safety, CTS Storage Systems, and Networks Services will have physical key access.
  • Physical access to CTS data centers is limited to CTS personnel, designated approved departmental employees or contractors whose job function or responsibilities require such physical access.
  • Visitors accessing CTS data centers will be accompanied by authorized CTS personnel, and all access will be logged via the CTS Data Center Visitor Access Log.
    • This log will be stored at each CTS Data Center.
    • Each visitor, and accompanying authorized CTS personnel, must sign in and out of the data center.
    • The log will be kept for a minimum of 3 months.
  • Modification, additions or deletions of physical access to CTS Data Centers will be accomplished by utilizing a ticket to the CTS Accounts Workspace in FootPrints.
  • All terminated onsite personnel and expired visitor identification (such as ID badges) will have their access revoked immediately.
  • Physical access requires the approval of the CTS Storage Services Team.
  • The CTS Infrastructure Services Director will audit physical access to CTS data centers on an annual basis.

Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.

Definitions

CTS Service Owner:

Banner Module Data Owner: The individual responsible for the administrative oversight of a given DU-IT Banner System or specific modules within the DU-IT Banner System (Finance, Advancement, Human Resources, Financial Aid, Student Admissions and Recruiting, Student Registration and Student Accounts) and ultimately responsible for the data within said module/system.


Effective date: 06/21/2021

Last update: 05/20/2022

Purpose

Asset management is the process of receiving, tagging, documenting, and eventually disposing of equipment. It is critically important to maintain up to date inventory and asset controls to ensure computer equipment locations and dispositions are well known. Lost or stolen equipment often contains sensitive data. Proper asset management procedures and protocols provide documentation that aid in recovery, replacement, criminal, and insurance activities.

This policy provides procedures and protocols supporting effective organizational asset management specifically focused on electronic devices.

Scope

This Service Requirement applies to all students, employees, affiliates or other members of the community making use of Duquesne University electronic devices.


Service Requirement

ASSET TYPES

The following minimal asset classes are subject to tracking and asset tagging:

  1. Desktop workstations
  2. Laptop mobile computers
  3. Mobile Hotspots
  4. Tablet Devices
  5. Printers, copiers, fax machines, and multifunction print devices
  6. Handheld devices
  7. Scanners
  8. Servers
  9. Network appliances (e.g. firewalls, routers, switches, uninterruptible power supply (UPS), endpoint network hardware, and storage)
  10. Voice over Internet Protocol (VOIP) Telephony Systems and Components
  11. Internet Protocol (IP) Enabled Video and Security Devices
  12. Memory/Storage Devices

ASSET VALUE

Assets that cost less than $500 shall not be tracked, including computer components such as smaller peripheral devices, video cards, keyboards, or mice. However, assets that store data, regardless of cost, shall be tracked either as part of a computing device or as part of network attached storage. These assets include:

  1. Network Attached Storage (NAS), Storage Area Network (SAN) or other computer data storage
  2. Temporary storage drives 
  3. Tape or optical media with data stored on them including system backup data.

ASSET TRACKING REQUIREMENTS

The following procedures and protocols apply to asset management activities:

  1. All assets must have an internal Duquesne University asset number assigned and mapped to the device's serial number.
  2. An asset tracking database shall be created to track assets. It shall minimally include purchase and device information including:
    1. Date of purchase
    2. Make, model and descriptor
    3. Serial Number
    4. Location
    5. Type of Asset
    6. Owner
    7. Department
    8. Purchase order number
    9. Disposition
  3. Prior to deployment, Computing and Technology Services (CTS) shall assign an ID to the asset and enter its information in the asset tracking database. All assets maintained in the asset tracking database inventory shall have an assigned owner.

ASSET DISPOSAL AND REPURPOSING

Procedures governing asset management shall be established for secure disposal or repurposing of equipment and resources prior to assignment, transfer, transport, or surplus.

When disposing of any asset, sensitive data must be removed prior to disposal. Computing and Technology Services (CTS) shall determine what type of data destruction protocol should be used for erasure. Minimally, data shall be removed using low-level formatting and degaussing techniques. For media storing confidential information or personally identifiable information (PII) that is not being repurposed, disks should be physically destroyed prior to disposal.

AUDIT CONTROLS AND MANAGEMENT

Documented procedures and evidence of practice for this operational policy should be available on demand at Duquesne University. Satisfactory examples of evidence and compliance include:

  1. Current and historical asset management system checks for various classes of asset records. 
  2. Spot checks of record input and accuracy against tracking database.
  3. Evidence of internal process and procedure supporting this policy for compliance with general workstation computing policies.

Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.


Effective July 1, 2012

The purpose of this policy is to outline the process by which University personnel acquire computing equipment. The goal of the policy is to ensure each employee has a suitable computer to perform their assigned responsibilities while also providing prudent stewardship of University resources. It is necessary to establish a reliable and supportable operating environment for computing equipment while also reducing risk to the comprehensive campus computing infrastructure.

Scope

This policy applies to all University employees and the purchase of all laptop and desktop computers and tablet devices, regardless of dollar value or the source of University funds.  A “computer” in the context of this policy is defined to be a complete working computer system and does not include e-book readers, printers, peripherals, external memory, external disk drives or monitors.

Policy

  1. All computer purchases must be made through the University's Computer Store and must adhere to the University's procurement and technology policies and standards, e.g., information security, responsible use, etc. as described in TAP 26 (Appendix A). Computer purchases made outside of the Computer Store or not adhering to these policies and standards will not be processed, supported by CTS, paid or reimbursed.
  2. All computer purchases must conform to a set of University-specified standard models, including a preference for EPEAT Certification as established and quoted by the CTS computer store. (University-specified standard models are identified in Appendix B. These standards will change periodically and current standards can be determined by contacting the CTS Computer Store.) The CTS Computer Store will assess employees' computing needs in consultation with the employee/department and will provide basic standard computing resources or will address the exceptions identified below or other specialized needs that have been approved through the Computer Purchase Exception Form (Appendix C):
    1. Faculty, as defined in the Duquesne University Faculty Handbook and including postdoctoral positions and graduate assistants, whose teaching and research responsibilities require specialized computer systems.
    2. Staff and administrators whose specific technical, environmental or functional job responsibilities require an alternative to the preferred supplier(s), standard models or secondary computers.
  3. Deans and Directors will establish a formal 5-year computer system replacement/upgrade program. CTS will assist Departments in identifying purchasing methods and terms which best meet the needs of the Departments and the University.
  4. It is expected that all faculty, staff and administrators will have only one University-owned computer for teaching and business functions, unless authorized by the Computer Purchase Exception Form.
  5. When receiving a new system or upon leaving the University, unless otherwise authorized through the Computer Purchase Exception Form process, the employee or Department is required to return the replaced system (Return Procedures, Appendix D), which will be cleaned and formatted by CTS and resold or recycled by the Computer Store or otherwise repurposed as appropriate. Repurposing with an outside entity requires approval of the Divisional Vice President.
  6. All computers purchased or reimbursed with University funds remain the property of the University until disposed of or repurposed through the University's Computer Store. Failure to return University-owned equipment, software or data upon leaving the University or at the request of the University may result in legal action or obligate the employee to reimburse the University for the value of the equipment.
  7. All software placed on University-owned systems must be legally licensed, virus-free software. CTS will make every effort but is not responsible for ensuring that non-supported software will work properly on University-owned systems. If non-supported software causes a conflict with software or network resources used to conduct University business, e.g., Banner, then CTS is authorized to remove it from the computer.
  8. Failure to adhere to licensing agreements or other inappropriate or wrongful use of University-owned computing equipment, software or data can result in disciplinary action.
  9. If a computer is lost or stolen, it is the responsibility of the employee to immediately notify Duquesne University's Public Safety department or their local police department, University Risk Management and CTS.

To view forms and related policies listed as appendix items, employees should go to the Purchasing Policies section of DORI.


Contacts

CTS Help Desk

CTS Computer Store

Effective date: 07/01/2021

Last updated: 05/20/2022

Purpose

This Service Requirement describes the University's requirements for acceptable credential management, password selection and maintenance. Duquesne University is committed to a secure information technology environment in support of our mission. The need for a strong password is greater than ever and credentials issued by Duquesne University are often the first line of attack, and the last line of defense in the protection of personal and institutional assets. Information Technology systems and services at Duquesne University require the use of credentials and passwords including but not limited to email, academic and administrative applications, computer labs, DORI, and endpoint computers.

Never share your credentials, password or other sensitive information and do not respond to emails that request access to your MultiPass ID, password, secret questions, or other personal information. Duquesne University's Computing and Technology Services (CTS) team will NEVER ask for your MultiPass password or other personally identifiable information.


Service Requirements

All Individuals Password Service Requirements

Applies to all students, employees, affiliates or members of the community to whom credentials have been issued and have responsibilities in the care of those credentials. The following rules are required to be followed to reduce the risk of compromise to your credentials and password.


  1. Passwords are sensitive and classified as Restricted Data therefore all protections of Restricted Data should be applied to their use.
  2. Passwords should never be written down, stored on-line without encryption, or stored in plain text files.
  3. Passwords may not be disclosed or shared with another person, including CTS or any other Duquesne employee. If for some reason your password is disclosed to another employee, it should be reset as quickly as possible.
  4. If a user suspects a password has been disclosed or compromised, the user must change their password immediately and report the incident to CTS at help@duq.edu, 412-396-4357, or 1-888-355-8226.
  5. Passwords must be changed at least every 120 days.
  6. Passwords should not be inserted into email messages or other forms of electronic communication without the consent of CTS.
  7. Passwords that could be used to access Restricted Data and sensitive information must be encrypted in transit.
  8. Automated password guessing may be performed on a periodic or random basis by CTS or its delegates. If a password is guessed during one of these scans, the user will be required to change it.
  9. MultiPass accounts are locked out after a number of sequential failed password attempts.
  10. MultiPass accounts are required to enroll in the University's Multifactor Authentication solution. Accounts will be auto-enrolled into Multifactor Authentication if not established during account claim.


Administrators Password Service Requirements

Applies to any employee (faculty or staff) who issues credentials and is responsible for the management of the credentials including provisioning and support of accounts and passwords. These employees have certain responsibilities in the administration of those credentials. The following rules are required to be followed to reduce the risk of compromise of any person's personal information and/or security credentials.


  1. All production system-level and shared service account passwords must be part of the CTS Services administered password management system using the centralized password management system.
  2. All system-level and shared service account passwords (e.g. root, enable, domain admin, application admin accounts, etc.) must be changed on at least a semi-annual basis. All passwords must also be updated when any member of staff, who had access to the password or password management system, leaves the university or changes roles where they no longer will have privileged access to the password management system.
  3. Privileged accounts must have a unique password from all other accounts and in particular MultiPass passwords.
  4. All production systems should have a lockout of no more than 4 failed attempts.
  5. Disable default passwords and if a disable is not possible, change the default password immediately upon installation and configuration of the system or application.
  6. Passwords should not be stored or transmitted using weak encryption or hashing algorithms. Encryption algorithms such as 3DES or AES and hashing algorithms such as SHA-1 or SHA-256 should be used. DES and MD-4 should not be used.
  7. The same password should not be used for multiple systems, applications or services. Unique passwords should be used to avoid a chain effect allowing an attacker into multiple systems as the result of a compromise.
  8. Never ask for a user's password. If needed, delegation of permission is an alternative, as is impersonation that ties back to the administrator's account. If for some reason an administrator requires the user's password for troubleshooting and/or remediation, the administrator should ensure the user resets their password before closing out the support request.



Password Strength Service Requirements

Length

  1. Minimum length: 10 characters
  2. Maximum length: 24 characters

Password Complexity

  1. Characters limited to: a-z, A-Z, 0-9 and [ ] { } ~ ! @ # $ % & * ( ) - + = : . ? |
  2. Passwords must contain at least one lowercase letter, one uppercase letter, one number and one special character.
  3. A changed password must differ from previous passwords in more than 3 characters.
  4. Passwords should not contain any of the following information:
    1. MultiPassID
    2. Your Name (first, middle or last)
    3. Your Birth Year (YYYY)
    4. Any 4 digit sequential part of your Social Security Number
    5. Your phone number
    6. Your address
    7. A known date such as anniversary, etc.
    8. Phrases including Duquesne, DUQ, or DORI
    9. Phrases that include the word "password"

Helpful Tips for Passwords

Consider using a passphrase instead of a password. A passphrase is made up of a sequence of words with numeric and/or symbolic characters inserted throughout. Passphrases are typically longer and, in most cases, easier to remember. For example, the passphrase "Mypasswordis$tr0ng!" is 19 characters long and is also relatively easy to remember.


Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.


Effective date: 7/1/2021

Last updated: 05/20/2022

Purpose

The purpose of the Data Governance Service Requirement is to ensure that data is created, maintained, secured, monitored, audited and used in a manner that contributes value to Duquesne University. As it relates to this service requirement, Duquesne University's data and information is referenced within this service requirement as "institutional data". This service requirement defines the appropriate controls for protecting the confidentiality, integrity and availability of institutional data.


Service Requirements

Duquesne University's institutional data, in all forms, is one of the University's most valuable assets and must be maintained and protected as such. It is critical to ensure that institutional data is accurate and trusted to support our University mission.

These service requirements are based on the following principles:

  1. Duquesne University's institutional data is information that is prepared, managed, used, or retained by an organization or individual related to the activities or operations of the University. University Data is maintained and secured based on the business needs of the University, regulatory compliance obligations, and the requirements set forth within this document.
  2. Any technology environment that stores, processes or transmits Duquesne University's institutional data shall be secured in a manner that is reasonable and appropriate as defined in this policy based on the level of risk assigned to the data classification.
  3. Institutional data protections and controls are the responsibility of the entire Duquesne University community. Individuals who are authorized to access institutional data shall adhere to these service requirements.
  4. Institutional data use must follow and adhere to University policies and any applicable federal, state, or local laws.

Misuse of any aspect of institutional data may result in the loss of access, University disciplinary actions and/or legal prosecution under international, federal, state and local laws, where applicable. Duquesne University reserves the right, without notice, to limit or restrict any individual's use, and to inspect, copy, remove or otherwise alter any data, file, or system resource which may undermine the authorized use of any of the technology environment or which is used in violation of these service requirements, University rules or policies. The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines, which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.

Institutional Data Classification Summary

Each classification below lists its risk level, a description, and examples.

Level 1: Restricted Data (Risk: High)

Institutional data that could seriously or adversely impact Duquesne University and/or could have consequences on our responsibility for safety and education if accessed by unauthorized individuals. Institutional data is considered as high risk related to compliance, reputation, and/or confidentiality/privacy concerns. This data should have the highest level of security controls applied.

Examples:

  • PII (Social Security Numbers-SSN, Driver's License Numbers)
  • Bank/Financial Account Information
  • Credit Card Information (PCI)
  • Student protected data (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Protected Data (HIPAA)
  • General Data Protection Regulation (GDPR)
  • Controlled Unclassified Information (CUI)
  • Human Resource Data
  • University Financial Data
  • Credential and Authentication Data

Level 2: Internal Data (Risk: Medium)

Institutional data that should be protected from general access and/or restricted to protected groups or individuals. A reasonable level of security controls should be applied.

Examples:

  • Non-Banner Information stored in and/or accessed via DORI
  • Institutional data not publicly available and not classified as restricted.
  • Intellectual Property Data

Level 3: Public Data (Risk: None)

All public institutional data. While little or no controls are required to protect this data, some levels of controls should be applied to prevent the unauthorized modification or destruction of the data.

Examples:

  • Generally accessible institutional data such as information accessible at www.duq.edu that does not require authentication to access.


Institutional Data Classification Service Requirements

Level 1: Restricted Data

Restricted data, in electronic format, shall only be accessed for essential business purposes. All controls must be appropriately designed to allow for authorized use only. Access to Restricted Data should follow the Principle of Least Privilege. In most cases, this data has been deemed essential for business operations and/or the law requires the protection of this data, including compliance-related areas that may include but are not limited to the Family Educational Rights & Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), the EU General Data Protection Regulation (GDPR), Controlled Unclassified Information (CUI), Payment Card Industry (PCI), ACT 101 or Title IX.

  • Storage: Restricted data in electronic format must be stored in an approved university data center and/or an approved institutional data repository. Restricted data can be stored on approved University file storage locations that provide appropriate data security controls including encryption, authentication, and authorization. Restricted data should not be stored in electronic format on University-owned owned computers/devices such as desktops, laptops, tablets and phones. Restricted data cannot be stored in electronic format on personally owned computers/devices including desktops, laptops, tablets and phones.
  • Transmission: Restricted data in electronic format must be encrypted while in transit over a public network and the Duquesne University network (wired/wireless/VPN). Any transmission to a third party outside of the Duquesne University wired network must be encrypted. Remote Access to Restricted Data requires the use of the University VPN and Multifactor authentication.
  • Authentication: Restricted data in electronic format must be protected and accessed by University secure authentication methods approved by CTS.
  • Third party use: Restricted data in electronic format can be stored by University-approved third parties. In order to be an approved third party, the following conditions must be met:
    • A mutual non-disclosure agreement, agreed to by the third party and Duquesne University, must be executed.
    • The third party agrees to provide an appropriate SOC (Service Organization Control) report and that report is reviewed and approved by Computing and Technology Services (CTS). A Higher Education Community Vendor Assessment Tool (HECVAT)
    • A University contract reviewed and approved by Computing and Technology Services (CTS) and Legal Affairs, and executed by the Vice President for Finance and Business.

Level 2: Internal Data

Internal Data in electronic format shall only be accessed for business purposes. Controls shall be appropriately designed to allow for authorized use only. Protection of this data is the responsibility of the University department that utilizes the data in the course of business. This data should not be related to any compliance-related areas including but not limited to HIPAA, FERPA, PCI, GLBA, ACT 101, GDPR or Title IX.

  • Storage: Internal Data in electronic format can be stored on systems and applications residing in an approved University data center and/or an approved institutional data repository. Internal Data can be stored in electronic format on University-owned computers including desktops, laptops, and mobile devices. Internal Data can be stored on University file storage locations that provide appropriate data security controls including authentication and authorization. While Internal Data isn't required to be encrypted, encryption is advised when possible.
  • Transmission: Internal Data in electronic format must be encrypted while in transit over a public network. Internal Data is not required to be transmitted in an encrypted form while on the Duquesne University network (wired/wireless/VPN), but it is recommended to do so when possible. Any transmission of Internal Data off of the Duquesne University network to a third party is required to be encrypted.
  • Authentication: Internal Data should be protected with secure authentication methods approved by CTS.
  • Third party use: Internal Data transmitted to third parties or via the Duquesne University wireless network must be encrypted when it is considered confidential or when privacy is required.

Level 3: Public Data

Public Data in electronic format can reside in the public domain, such as a public website, and can be accessible to all students, faculty, and staff. Protection of this data is at the discretion of the responsible University department. However, industry-standard protections should be applied to protect any institutional data.


Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.


Appendix A–Predefined Types of Restricted Information

Computing and Technology Services has defined several types of "Restricted Data" based on state and federal regulatory requirements. This data could potentially trigger compliance or breach obligations if not protected and encrypted. They're defined as follows:

1. Authentication Verifier
An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. In some instances, an Authentication Verifier may be shared amongst a small group of individuals when approved by CTS. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:

  • Passwords
  • Shared secrets
  • Cryptographic private keys

2. Electronically Transmitted Protected Health Information ("ePHI")
ePHI is defined as "individually identifiable health information" transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium by a Covered Component. ePHI is considered individually identifiable if it contains one or more of the following identifiers:

  • Name
  • Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
  • All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate number
  • Device identifiers and serial numbers
  • Universal Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code that could identify an individual 

ePHI does not include education records or treatment records covered by the Family Educational Rights and Privacy Act (FERPA) or employment records held by the University in its role as an employer.

3. Federal Tax Information ("FTI")
FTI is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Service. See Internal Revenue Service Publication 1075, Exhibit 2, for more information.

4. Payment Card Information
Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

  • Cardholder name
  • Service code
  • Expiration date
  • CVC2, CVV2 or CID value
  • PIN or PIN block
  • Contents of a credit card's magnetic stripe


5. Personally Identifiable Education Records
Personally Identifiable Education Records are defined as any Education Records that contain one or more of the following personal identifiers:

  • Name of the student
  • Name of the student's parent(s) or other family member(s)
  • Social security number
  • Student number (D-Number)
  • A list of personal characteristics that would make the student's identity easily traceable
  • Any other information or identifier that would make the student's identity easily traceable

See Duquesne University's FERPA Policy for more information.

6. Personally Identifiable Information

For the purpose of meeting security breach notification requirements, PII is defined as a person's first name or first initial and last name in combination with one or more of the following data elements:

A. Government Identification number

  • Social security number - SSN (including last 4 digits of SSN)
  • State-issued driver's license number
  • State-issued identification card number
  • Tribal identification number
  • Passport number
  • Alien registration number
  • Voter identification number

B. Financial Records

  • Credit Card number
  • Debit Card number
  • Checking account number
  • Savings account number
  • Personal Tax information
  • Unique electronic identifiers
  • Routing codes
  • Passwords, personal identification numbers (PIN), or other access codes for financial or credit accounts
  • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account

C. Personal Identifiers (Can be used in combination with other attributes to create PII or threat to PII)

  • Date of birth
  • Mother's Maiden Name
  • UserID and Password
  • Parent's legal surname prior to marriage if this information would permit access to a person's financial account or resources
  • Digital or electronic signatures

D. Controlled Unclassified Information

  • Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
  • CUI Categories and details are published in the National Archives website located at https://www.archives.gov/cui/registry/category-list.

Last updated: 02/11/2021

Purpose

Duquesne University has and will continue to implement/upgrade wireless services across most areas of the University campus to promote the ease of mobile computing. This service allows all of the University community to gain entry to the campus-wide network from wireless-enabled devices where coverage is available. Any disruption, either accidental or intentional, of the wireless network's airspace may interfere with others' ability to access important University resources.

To offer this service, users of Duquesne University's wireless networks must understand that Computing and Technology Services (CTS) needs to minimize potential interference within its airspace to ensure all users receive reliable performance. Wireless networking is a broadcast form of communication over radio frequencies and, as such, presents a variety of additional issues and security risks that are not present with a wired connection.

Wireless Ethernet utilizes the Federal Communications Commission (FCC) ISM unlicensed frequency spectrum. This frequency spectrum occupies the 2.4 GHz and 5 GHz radio frequency bands. This type of wireless network is the most common and utilizes the IEEE 802.11b/g, 802.11a, 802.11n and 802.11ac DSSS (Direct Sequence Spread Spectrum) wireless LAN specifications. There are other electronic devices (consumer, scientific and professional) that operate in the same 2.4 GHz and 5 GHz frequency bands and may cause interference or prevent the University wireless network from operating properly. These devices include but are not limited to other IEEE wireless LAN devices (including wireless-enabled printers, wireless routers, hotspot-enabled devices, ad hoc configured devices, etc.), Bluetooth products, cordless phones and microwave ovens. Students, staff and faculty are encouraged to work with CTS to ensure the highest level of service.


Service Requirements

CTS reserves the right to manage the shared use of the 2.4 and 5 GHz radio spectrum in the same manner as the wired network. For that reason, CTS will regulate the University's airspace to prevent unauthorized access, interference, and/or loss of signal. In addition, CTS reserves the right to enhance and adopt new technologies as it deems necessary.

Furthermore, when connected to any University provided wireless networks users must be in conformance with all policies regarding computing, including all provisions in the University's network service requirements as set forth by CTS. Any student, staff, faculty and guest using wireless devices to connect to any wireless networks provided by the University must understand these regulations, and comply with the guidelines set within those policies.

In addition to the existing network policies, certain unique restrictions apply to wireless devices and are listed below:

  • Only authorized access points provided and installed by CTS are permitted. Personal wireless routers or client machines configured as ad hoc (computer to computer) are NOT permitted. The University reserves the right to remove or disconnect any device that may cause interference or is improperly configured, in accordance with University policy.
  • All clients must be configured in such a way as to comply with all security features of the wireless network. It is the responsibility of the user to configure their operating system in such a manner as not to conflict with other services offered over the campus network. CTS will reserve the right to deny connectivity to clients that do not meet the minimum requirements (hardware & software) for authentication.
  • Cordless phones that use the frequency band of 2.4 GHz or 5 GHz are NOT permitted in areas that have wireless coverage. CTS will work with departments to eliminate interference as incidents arise.
  • Only users affiliated with Duquesne University are authorized to use the wireless network on campus. Any unauthorized use or abuse of this policy will result in loss of connectivity to all involved parties.

Effective Date: 07/01/2021

Last updated: 08/23/2022

Purpose

This Service Requirement defines the appropriate use of email for transmitting electronic messages using Duquesne University email systems. There is a reliance on electronic communications and email provides a fast, convenient, and cost-effective platform to deliver communications. It is imperative that Duquesne University provide an official form of e-mail as a means to communicate with our community members. These service requirements apply to all faculty, staff, consultants, students, retirees, and other authorized users that transmit and/or receive electronic messages using a Duquesne University email system.

These service requirements apply to any system or service that sends or receives electronic communications on behalf of Duquesne University. This includes but is not limited to: Office365 Email Service, Mailing Lists, Third-Party Contracted Services, and Mass Mailing Systems. As it relates to these service requirements, the term "technology environment" means any and all forms of information technology including computer-related equipment, software, accounts, tools, and intellectual property.


Service Requirements

The Email Service Requirements specify the fundamental requirements for the appropriate use of email at Duquesne University. The fundamental email requirements cover:

  1. Email as an Official Means of Communication
  2. Email and Restricted Data
  3. Email Accounts and Directory Information
  4. Abuse of Email
  5. Departmental/Group Accounts
  6. Email Management and Administration

Service Requirements Specifications

1. University Email as an Official Means of Communication

A Duquesne University email account is the official method of communication for Duquesne University business. A communication will be considered delivered one day following the date the communication is processed and delivered by your Duquesne University email account. Failure to check your email account does not excuse or exempt you from any actions required of you by the University.

Duquesne University expects all full and part-time students registered in a degree program, and its faculty, administrators, and staff to activate and actively maintain a Duquesne University email account in order to receive University communications.

Students may opt to have their Duquesne University email messages automatically forwarded to another email account (e.g. @gmail or @outlook), but forwarding of email does not absolve a student of the responsibilities associated with communication sent to official Duquesne University email addresses (MultiPassID@duq.edu). Students who opt to have their Duquesne University email messages automatically forwarded to another email account do so at their own risk. The University cannot guarantee the proper handling of email by outside services, third parties, or departmental email servers. Communications from students to University faculty and staff regarding academic matters should be generated from the student's Duquesne University email account (domain duq.edu).

Employees are prohibited from automatically forwarding their University email to a personal email account and must use University email to conduct all University business. See TAP 26. Automatic email forwarding exceptions may be granted only in rare circumstances by the Vice President and Chief Information Officer, in consultation with the appropriate University administrators, based on business need and compliance risk. The University shall, in its sole discretion, determine whether an individual is primarily an employee or a student. Ad hoc forwarding of University email to a personal email account, where such University email is not confidential or related to an employee's job duties, may be acceptable. For example, forwarding a University email sent to all employees that describes the University's benefits open enrollment period to a personal email account would be acceptable.

Definition of "Technology Environment" for Duquesne University Email Service Requirement:

The Technology Environment is property of Duquesne University and as such, Duquesne University retains exclusive rights to the environment including permission to monitor and log activity. All messages, data files and programs stored in or transmitted via the Technology Environment ("Electronic Communications") are Duquesne University records. The University reserves the right to access and disclose all messages, data files and programs sent over or stored in its technology environment for any purpose. Duquesne University reserves the right to periodically examine any aspect of the Technology Environment and any other rights necessary to protect the technology environment.

2. Email and Restricted Data

Duquesne University email services are provided by Microsoft Office 365, which offers a level of privacy for Duquesne University higher than the public offering. However, email is not a secure mechanism for sharing data. Therefore, Restricted Data as defined in the CTS Data Governance Service Requirement is strictly prohibited from being sent in email. As stated in the CTS Data Governance Service Requirement this includes information that is regulated such as Personally Identifiable Information (PII), Family Educational Rights & Privacy Act (FERPA), Health Insurance Portability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), the EU General Data Protection Regulation (GDPR) or other regulated data as defined. If restricted data is sent via email, the body of the message or attachment must be fully encrypted.

3. Email Accounts and Directory Information

Duquesne University individual and group email accounts are assigned by Computing and Technology Services (CTS) in order to send electronic communications. Accounts are assigned based on either your MultiPass ID or your group's official University Name.

An individual's email address is published in the Duquesne University directory (for students based on FERPA designation).

4. Abuse of Email

Use of email is a privilege, not a right. This privilege can be revoked and individuals can be subject to disciplinary or legal actions for inappropriate or unacceptable behavior, including but not limited to:

  1. Sending unsolicited or unauthorized mass email (spam)
  2. Use of offensive language
  3. Distribution of obscene materials
  4. Threats
  5. Infringement on others' privacy
  6. Interference with others' work
  7. Copyright infringement
  8. Illegal activity
  9. Violates, or encourages the violation of, the legal rights of others or federal and state laws
  10. Alters, disables or interferes with the use and operation of email services
  11. Misrepresents the identity of the sender of the email
  12. Creates a risk to safety or health, compromises national security, or interferes with an investigation by law enforcement
  13. Tests or reverse-engineers the email services in order to find limitations, vulnerabilities, or to evade filtering capabilities
  14. Spreads or distributes software that covertly gathers or transmits data about an individual

5. Departmental/Group Accounts

Departmental/Group accounts can be requested but will require a designation of a sponsor, who will administer the addition, deletion, or modification of individuals who are permitted to access the email mailbox. Group names have to represent an official organization, center, or initiative approved by the University Cabinet and/or Board of Directors.

6. Email Management and Administration

Duquesne University's Computing and Technology Services (CTS) manages and administers the Microsoft Office 365 email solution.

a. Email Quotas and Restrictions

As determined by Microsoft, email on the hosted Microsoft Office 365 system has a maximum attachment size of 150 MB and a maximum mailbox size of 100 GB (including folders and deleted mail).

Certain attachments are not allowed to be sent or received via email at Duquesne University. Prohibited attachments include macro-enabled Office documents, script files, and executables.

b. Use of .pst folders.

The University strongly discourages the use of .pst folders for the archiving and storing of email messages. .pst folders are rarely backed up, which can lead to data loss. Also, .pst files are prone to corruption and only work in Outlook email clients. There may also be compliance issues if .pst files are lost, stolen, or mishandled. If a .pst file is required and used, CTS recommends that a password be placed on the file for security and privacy.

c. Legal Holds

Users who receive a legal hold from Legal Affairs are responsible for keeping copies of all relevant documents as further described in the hold notice, including email. CTS also places legal holds within Microsoft Office 365 upon notification from Legal Affairs.

d. Email De-Activation and Retention

The de-activation process for email accounts differs depending on the user's role at the University. That role, along with the de-activation timeline, determines how long email is retained for individuals.

a. Employees: Administrators/Staff/Faculty
  1. Email is disabled immediately upon separation/last day worked. If such separation is for cause, email privileges may be immediately revoked without notice.
  2. Email is retained for 1 year after last day worked and then deleted. An Out-of-Office reply can be placed on an employee's mailbox directing senders to another party at the University.
  3. The University does not provide forwarding to any email address other than the email address to which the message was originally intended by the sender. This includes the forwarding of email from a former employee to a current employee after separation. If email is required from the separated employee's mailbox, the department can request that CTS perform a targeted search for specific email(s). For privacy, access will not be provided to a former employee's mailbox.
  4. When deemed critical to ongoing business needs, access to the former employee's email will be granted to departmental supervisors or other members of the University as deemed appropriate. Formal written approval is required from Legal Affairs.
  5. The use of an automated response/bounce message for former employees can be applied for 1 year from last day worked if approved by both the former employee's Supervisor and Human Resources. The message must contain information for senders to direct questions for University business to a contact at Duquesne University and may contain new personal/business contact information for the former employee if appropriate and approved.
  6. As set forth more fully above, employee Duquesne University email messages may not be automatically forwarded to another email account (e.g. @gmail or @outlook) except in rare, pre-approved circumstances.
b. Student
  1. For graduated students, email is disabled 13 months after graduation. Email is purged 60 days following the end of the 13th month.
  2. For students who leave before graduation, email is retained for 13 months from the last term they were registered. Email is purged 60 days following the end of the 13th month.
  3. If a student graduates and then becomes an employee of the university and then separates from the university within the 13-month retention period, the email account is treated as an employee account and is handled as such (see section a. above).
c. Retiree
  1. As outlined in TAP 18, individuals who are defined as a "retiree" of the University are entitled to a Duquesne University email address.
  2. Duquesne University retiree email accounts are offered for retirees. Retirees are required to follow all University policies, service requirements, and processes to retain the email account.
  3. Email access will be disabled if the retiree has not accessed the account within the past 12 months.
  4. Retired faculty who have active research/scholarly projects that benefit Duquesne University can request and be granted a one-year extension to keep their University email and MultiPass access during retirement, subject to (at the University's discretion and request) having privileged, confidential and FERPA-related University materials removed from their accounts by the University to prevent security issues.
  5. Former University Presidents will be provided an email account to continue their ongoing support of the mission of the University.
  6. Review and approval for extensions shall be conducted by the retired faculty member's Department Chair and Dean. Requests should include:

    • A brief description of the research/scholarship being conducted
    • How (if at all) full-time Duquesne students or faculty are being involved in the research/scholarship.
    • How (if at all) university resources will be utilized
    • How the work advances the academic interests of Duquesne University.

    Duquesne University should be listed as the affiliated university for any publications based on this work.

    Retired faculty members must make a request for such an extension annually in writing and send it to his/her Dean for approval by June 1 of each year. This access can be reviewed and re-approved annually with the consent of the Department Chair and Dean. Deans shall consult with Department Chairs in making final decisions.

    For each approved request, an email confirming approval shall be sent by the department to hrservices@duq.edu. Retired faculty members, once approved for an extension, will receive an email from CTS outlining what they need to do to keep their MultiPass active.

    Questions regarding this policy can be sent to help@duq.edu.

e. Privacy and Right of University Access

While the University will make every attempt to keep email messages secure, privacy is not guaranteed and users should have no general expectation of privacy of email sent through University Email Accounts (including email forwarded from University Email Systems).

Certain circumstances may require University administrators to access individuals' email accounts. These circumstances can include, but are not limited to: maintaining the system, investigating security or abuse incidents, business continuity, leaves, investigations, litigation, or separation from the University. Access to individual email accounts will be provided if approved by Legal Affairs based on the University's business needs.

7. Enforcement

The unauthorized or improper use of Duquesne University's Technology Environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.


Effective date: 03/28/2018

Last updated: 10/05/2022

The following security requirements, which define secure remote access and the required tools and practices, are intended to ensure that remote access to the Duquesne University network and restricted data (defined in the CTS Data Governance Service Requirement) is performed in a secure fashion.
  • Comply with Duquesne University policies and procedures as well as federal, state and local laws.
  • If accessing restricted data, a university owned and managed device must be used. Personal devices are not permitted to access or use restricted data.
  • Remote access is restricted to approved technology provided by Computing and Technology Services (CTS). This includes the university virtual private network (VPN) or SSH Secure Gateway. These systems require MultiPass accounts and Multifactor Authentication.
  • Access to university web sites and web services must be protected with the latest supported and secured TLS encryption.
  • Secure Shared Storage must be used when working with Restricted Data; details are listed on the CTS Storage Services website. Duquesne University Data may not be stored on your local workstation or on any portable media (e.g., USB key, CD, DVD, external hard drive, etc.).
  • Maintain good information security practices:
    • Never put Restricted information in email.
    • Never transfer Restricted University data via email, USB, CD, or other portable media unless encrypted
    • Keep your computer updated with the latest security patches; set automatic updates for Windows, Apple and other critical application patches
    • Install and leverage endpoint protection provided by CTS, such as Sophos Intercept X Endpoint Detection and Response (EDR)
    • Follow the CTS password and credential service requirements.
    • Don't click on suspicious links in emails or download unapproved software
  • Protect University computers and laptops:
    • Don't leave your laptop unattended
    • Lock down screens or log off before leaving your computer
    • Ensure that your PC/laptop is physically secured
    • Be particularly careful with laptops when traveling
    • Encrypt mobile devices where possible and supported by CTS
  • Be familiar with and comply with policies pertaining to all data you will work with, such as:
    • TAP 26 Acceptable Use of Computing Resources
    • TAP 28 Family Educational Rights and Privacy Act (FERPA)
    • TAP 39 Records Retention Policy
    • CTS Service Requirements

By connecting and utilizing the Duquesne University Remote Access solutions such as the University Virtual Private Network (VPN) or SSH Gateway you agree to comply with the above requirements.

Enforcement:

The unauthorized or improper use of Duquesne University's Technology Environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at https://www.duq.edu/work-at-du/human-resources-home/the-administrative-policies-(taps)/26-acceptable-use-of-computing-resources.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.


Effective date: 07/01/2021

Last updated: 05/20/2022

Purpose

The Information Security Service Requirement defines and describes the responsibilities and required practices for all members of the community with respect to information security and the protection of University data and information. This service requirement applies to all faculty, staff, students, third-party agents and other University affiliates who utilize Duquesne University information, data, and computing environments.

Duquesne University relies on a wide range of computing environments to meet its educational, community engagement, financial and operational requirements. It is therefore imperative that computer data, hardware, networks, and software be adequately protected and safeguarded against alteration, damage, theft, or unauthorized access & use.


Organizational and Functional Responsibilities

University Community Members

It is the responsibility of University Community Members to:

  1. Protect University information and resources, including passwords;
  2. Report suspected information/computer security incidents to one or more of the following: the information owner, IT Service Desk, the Director for Information Security and Chief Information Security Officer or General Counsel.
  3. Follow all university policies and CTS service requirements. Individuals can find a list of the IT-related policies and service requirements at http://duq.edu/about/campus/computing-and-technology/policies.

Vice President for Information Technology and Chief Information Officer (VP for IT & CIO)

The VP for IT & CIO has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of the Information Security Program.

The VP for IT & CIO will ensure that the organizational structure is in place for:

  1. Coordinating and implementing information security policies, standards and procedures;
  2. Assigning information security responsibilities;
  3. Implementing an information security awareness program;
  4. Responding to IT security incidents;
  5. Leading major initiatives to enhance IT security;
  6. Monitoring significant changes in the exposure of information assets to major threats, legal or regulatory requirements.

Assistant Vice President and Chief Information Security Officer (AVP & CISO)

The AVP/CISO, under the direction of the VP for IT & CIO, is responsible for developing and managing a comprehensive cyber-security program that provides:

  1. University-wide information security policies, standards and procedures;
  2. An information security awareness program; monitoring significant changes in the exposure of information assets to major threats;
  3. Response plan for IT security incidents;
  4. Investigations of all alleged information security violations;
  5. Development and implementation of major initiatives to enhance information security at Duquesne University.

Information Security Team

The Information Security staff have responsibility for the daily operations and support of Information Security systems and services. Their responsibilities are to:

  1. Develop, maintain and enforce information security processes, policies and requirements.
  2. Monitor and alert on security threats and risks to the University.
  3. Provide training awareness programs to the University community.
  4. Implement and support security solutions and technology.
  5. Operate and enforce the University incident response plan.

Information Technology (IT) Support Staff

IT support staff have responsibility for managing the information, data and computing environments at Duquesne University. It is their responsibility to support the Information Security Program and provide the resources needed to enhance and maintain a level of information security consistent with industry best practices to protect the University. These individuals and organizations have the following responsibilities to ensure a secure information environment at Duquesne University:

  1. Oversee and validate that the proper security controls are implemented for the systems for which the University has assigned them ownership responsibility, based on the University's classification designations.
  2. Validate that appropriate information security requirements for user access to automated information are defined for the files, databases, and physical devices assigned within their various areas of responsibility at the University.
  3. Confirm that critical data are backed up and that the associated recovery plans are developed jointly with the data owners.

Information Security Service Requirements

  1. All stored and transmitted electronic information regardless of form or format is an asset and must be protected from its creation, through its useful life, and to its authorized disposal. It must be maintained in a secure, accurate and reliable manner and be readily available for authorized use. Information must be classified and protected per the CTS Data Governance Service Requirements (http://duq.edu/about/campus/computing-and-technology/policies).
  2. Information is one of the University's most valuable assets and the University relies upon that information to support our mission. The quality and availability of that information is central to the University's ability to carry out its mission. Therefore, the security of the University's information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of University information has an obligation to preserve and protect University information assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals.
  3. Confidentiality / Integrity / Availability: All University information must be protected from unauthorized access to help ensure the information's confidentiality and maintain its integrity. Information owners will secure information within their jurisdiction based on the information's value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.
  4. Individual Accountability: Individual accountability is the cornerstone of any information security program. Without it, there can be no information security. Individual accountability is required when accessing all University resources and includes:
    1. Access to University computer systems and networks must be provided through the use of individually assigned unique computer identifiers, known as user-IDs;
    2. Individuals who use University computers must only access information assets that they are authorized to access;
    3. Authentication tokens associated with each user-ID, such as a password, must be used to authenticate the person accessing the data, system or network. Passwords, tokens or similar technology must be treated as confidential information, and must not be disclosed. Transmission of such authentication information must be made only over secure mechanisms;
    4. Each individual is responsible to reasonably protect against unauthorized activities performed under his or her user-ID;
    5. User-IDs and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared except where approved for group or shared small-group accounts.

Incident Management Process and Procedures

  1. Information Security incidents will be logged and used by the University for regulatory purposes and to determine appropriate remediation and controls to limit the potential of future incidents.
  2. Incident Response Plan. The Director for Information Security & CISO is responsible for developing and publishing an Incident Response Plan (IRP) for the University. That plan is available from CTS via a request to help@duq.edu by University members.
  3. Incident Response Team. The Incident Response Plan (IRP) will establish an Incident Response Team (IRT). This team is responsible for handling reported information security incidents for the University.
  4. Reporting of Information Security Incidents. Campus community members are to report any suspected or confirmed Information Security incident to the information owner, IT Service Desk (help@duq.edu or 412-396-4357), the Director for Information Security & CISO or General Counsel. This includes but is not limited to viruses, spyware, malicious attack and activity, denial of service, breaches of confidentiality or the disclosure of restricted University data.

Gramm-Leach-Bliley Act (GLBA) Security Requirements:

  1. Overview: As mandated by the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act ("GLBA"), this document describes the elements pursuant to which Duquesne University intends to (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
  2. Designation of Representatives: The AVP/CISO is designated as the Officer who shall be responsible for coordinating and overseeing GLBA compliance for Duquesne University. The AVP/CISO may designate other representatives to oversee and coordinate particular elements of GLBA compliance for the University.
  3. Scope of GLBA: GLBA compliance applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the Institution or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from the Institution, (ii) about a student or other third party resulting from any transaction with the Institution involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
  4. Risk Identification and Assessment. Duquesne University intends to identify and assess external and internal risks to the availability, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. Duquesne University will establish procedures for identifying and assessing such risks in each relevant area of operations, including:
    1. Employee training and management. The AVP/CISO will coordinate with representatives in the Enrollment Management Group and Academic Affairs to evaluate the effectiveness of the Institution's procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of Duquesne's current policies and procedures in this area, including University TAPs.
    2. Information Systems and Information Processing and Disposal. The AVP/CISO will coordinate with representatives of the Institution's Enrollment Management Group and Academic Affairs to assess the risks to nonpublic financial information associated with the Institution's information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. This evaluation will include assessing Duquesne's current policies and procedures. The AVP/CISO will also coordinate with technology staff to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
    3. Detecting, Preventing and Responding to Attacks. The AVP/CISO will coordinate with technology staff to evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. In this regard, the AVP/CISO may elect to delegate to a representative the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by Duquesne University.
  5. Designing and Implementing Safeguards. The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The AVP/CISO will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
  6. Overseeing Service Providers. The AVP/CISO shall coordinate with those responsible for the third-party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. In addition, the AVP/CISO will work with Legal Affairs, Shared Services, and Procurement and Payment Services to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of Legal Affairs. These standards shall apply to all existing and future contracts entered into with such third-party service providers.


Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.


Effective date: 07/01/2018

Last updated: 05/20/2022

Purpose

This Service Requirement defines the appropriate use of mobile devices as a means of accessing Restricted or Internal University Data. This service requirement's purpose is to provide the ways in which the University permits the use of mobile devices to access University data.

These service requirements apply to any mobile device that accesses Duquesne University Data. It also applies to any campus affiliates including faculty, staff, students, retirees, or guests accessing University Data.

University Data that is considered Restricted or Internal is defined in the CTS Data Governance Service Requirements detailed at http://duq.edu/about/campus/computing-and-technology/policies/service-requirements/cts-data-governance.

Service Requirements

These Mobile Device Service Requirements specify the fundamental details for the appropriate use of mobile devices at Duquesne University.

University Owned Mobile Devices

Certain University employees are required to use mobile devices for Duquesne University business functions. University supervisors must identify those employees that require a mobile device as part of their job responsibilities. Computing and Technology Services (CTS) is responsible for the procurement and institutional management of all University-owned mobile devices. CTS will work directly with IT support staff, departments and individuals on the purchase of a mobile device and any subscription to data/voice plans. Departments are responsible for providing the appropriate funding for the purchase of the devices and subscriptions to voice/data plans.

All University-owned mobile devices are required to be managed by Computing and Technology Services (CTS), which requires the installation of managed service software. This software allows the University to maintain proper security controls, software updates, approved applications, and configurations of mobile devices owned by the University.

Employees are allowed incidental personal use of University-owned mobile devices as long as no applicable fees, state or federal laws and/or university policies are being violated by such use. University-owned mobile devices including the data stored on a device, and the data/voice plans and records are the sole property of the University. When an employee leaves the University, all University-owned mobile devices must be returned to the University.

Personally Owned Mobile Devices

The University recognizes that in today's world of mobile devices, many individuals leverage the use of their personal mobile devices to connect to University information technology resources. Computing and Technology Services (CTS) permits the use of personal devices to access certain resources on campus but may require security controls to be configured on personal devices based on the sensitivity of that data that individuals are accessing. All use of personally owned devices to access University Data must comply with state and federal laws, as well as with Duquesne University's own policies and service requirements governing the appropriate use of technology.

All Mobile Devices accessing University Internal or Restricted Data

If a campus affiliate, either for work-related or academic requirements or through their own personal choice, elects to access University Data via a mobile device, they must accept the security policies defined by the University. These security policies will be required to be added to the mobile device upon connecting to University Data.

The mobile security requirements to access University Data are:

  • Require at least a 5 digit pin/passcode to unlock the device;
  • Access to remotely wipe the Duquesne University data in the event the device is lost or stolen;
  • Potentially limit the amount of email that can be stored on the device based on manufacturer/software availability.

Data Loss Prevention (DLP) continues to be a concern at Duquesne and at other institutions across the world as they try to gain control over the proliferation of sensitive data and how to put policies and controls around it. Data breaches continue to affect institutions, resulting in tarnished reputations and costly identity protection services. It is important that members of our community be aware of the restricted data, including personally identifiable information (PII), that might be stored on devices, and remove any traces of PII immediately.

Report a Lost or Stolen Mobile Device Processes

  • If a University-owned or personal mobile device containing University Data classified as Restricted or Internal is lost or stolen, please contact the IT Service Desk at 412-396-4357 to report the device is missing. CTS may then issue a remote wipe command to erase the University data from the mobile device.

Other best practices for mobile device management

While not requirements, these best practices for mobile device management give campus affiliates guidance on how to protect and secure mobile devices.

  • Use anti-malware applications.
  • Leverage encryption if possible. 
  • Verify encryption mechanisms and ensure that data is being transmitted securely. 
  • Disable options and applications that you don't use. 
  • Regularly back up your data. 
  • Dispose of your device safely by removing all sensitive data.
  • Avoid jailbreaking.
  • Verify applications before downloading.

Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.


Last updated: 02/11/2021

Service Requirements

Use of the Duquesne University network is a privilege, not a right. Failure to comply with these guidelines may result in loss of network privileges, judicial action, possible suspension or termination.

  1. The Duquesne network is intended to support the academic, educational and research efforts of the Duquesne University students, faculty and staff. Only members of the University are entitled to use it. By connecting to the Duquesne network, you agree to use these resources strictly for their intended purpose. Uses that contradict the University's Mission are strictly prohibited.
  2. The Duquesne University campus network may not be used to obtain illegal copies of software or other copyrighted materials. Utilizing network technologies to steal or share copyrighted music, movies and software is a federal offense and may result in the permanent loss of network privileges and possibly other legal actions.
  3. Under no circumstances may a device connected to the University's network use an IP address other than that which is assigned to it by CTS.
  4. Any student, faculty or staff assigned to a given network or IP address is responsible for all activity originating from it. If someone else is using your device, do not permit him or her to violate these rules as you will be held responsible for their actions.
  5. You may not intentionally tamper, alter, install or destroy any network wiring or hardware on campus property.
  6. No device or piece of equipment may be installed or connected to the campus network without the prior consent of CTS. Any non-authorized wireless device that is physically connected to the campus network could still cause interference within the University's airspace and is bound by the same regulations as devices directly connected to it. For more information, please refer to the DuqNet wireless network service requirements.
  7. No server of any sort may be run on the campus network other than those sanctioned by CTS.
  8. In the event that a device begins sending traffic that is disruptive to the operation of the campus network, CTS reserves the right to protect the campus network by disabling that device's connection or signal. This includes any running services that CTS deems as inappropriate or disruptive to the integrity of the network. Before the connection may be re-enabled, the offending machine's owner will be responsible for correcting the problem and demonstrating to CTS technical staff that the problem has been resolved. Once corrected, the restoration of connectivity is at the discretion of the University. Repeated violations of this policy may result in permanent loss of network access privileges or more serious repercussions.
  9. You may not possess or use any hardware or software designed to probe the network or interfere with the security of the network or devices connected to it.
  10. You may not use the network to violate any federal, state, or local laws nor may you use the network to violate any policy, procedure or regulation of Duquesne University.

Students accept these policies as they are spelled out in the "Student Code of Conduct" Article IV, Section E, Paragraph 23. For more information, see the Code of Student Rights, Responsibilities and Conduct in Duquesne's student handbook.

Effective date: 06/1/2022

Last update: 06/28/2022

Purpose

This Service Requirement describes the University's requirements for privileged access to Information Technology (IT) systems and services. Individuals who have operational knowledge of and elevated access to Duquesne University IT systems and services are often extended trust and responsibility in their duties. "Privileged Access" provides employees and vendors enhanced access to IT systems and services. This Service Requirement outlines the security measures and risk mitigation steps required to gain access to sensitive and privileged systems and services.

Scope

This Service Requirement applies to all students, employees, affiliates or other members of the community who connect to servers, applications or network devices at Duquesne University.

Service Requirement

The requirements to obtain secure access to restricted and privileged University systems and data include:

  1. Privileged access users must use Duquesne University MultiPass credentials where possible and must comply with the CTS Credentials and Password Service Requirement.
  2. The Principle of Least Privilege must be followed. Privileged access users must have permissions set to the lowest level of access needed to accomplish their job function. Standard university processes must be used to request and approve all privileged access accounts. Annual review of all privileged access is required.
  3. Privileged access users should only have access on a Need-to-Know basis. The users should only have access to, and knowledge of, the data needed to do their job function.
  4. It is the responsibility of each business unit to utilize a Separation of Duties and Rotation of Duties plan. Separation of Duties is achieved by separating roles and responsibilities for a high-risk business process across multiple people. Rotation of Duties is achieved by rotating tasks periodically, so it becomes more difficult for users to collude to engage in fraudulent behavior. These steps reduce risk to systems and university data, especially in situations where credentials become compromised.
  5. Appropriate logs must be maintained in a centralized system where integrity and access can be controlled and monitored. Any additional logs must be made available to the Information Security Office for review when requested. Logs shall be reviewed on a regular basis for malicious activity as required by university standards or regulatory compliance.
  6. Privileged access users' desktop or laptop computers should be university owned and managed by centralized university-controlled endpoint technologies. When utilizing privileged access to university systems, users should, when technically feasible, connect via the university's physical network or use the University's VPN.
  7. Privileged access users should leverage the University's BeyondTrust (Bomgar) and/or Thycotic Secret Server solutions, which limit the exposure and risks to internal systems and services where technical controls and limitations are necessary.
  8. Individuals with privileged access must respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with all relevant laws, policies and regulations. In all cases, access to other individuals' electronic information shall be limited to the least perusal of contents and the least action necessary to resolve a situation.
  9. Privileged access users shall take necessary precautions to protect the confidentiality and integrity of information encountered in the performance of their duties. If, during the performance of their duties, users observe strange activity or evidence indicating misuse, they must immediately notify their supervisor and/or the Information Security Office.
  10. An individual must login to the privileged access client with their MultiPass credentials to initiate the connection to the sensitive infrastructure or asset.
  11. Individuals logging into the privileged access systems must also provide a second-factor of authentication via Duo (also known as "multifactor" or "two-factor" authentication).
  12. A secure, encrypted session will be established from the user's workstation to the privileged access system or server.

Implementing such safeguards helps the University reduce the risk of damage related to data loss, data breach, denial of service and other negatively impacting events caused by malicious actors on and off campus.

Obtaining Privileged Access

Individuals requiring privileged access to sensitive systems and data must file a request with the CTS IT Service Desk (help@duq.edu) to initiate a "Privileged Access" account request. The requestor will need to list what server(s) they wish to connect to as well as services/ports.

The request will be reviewed and approved by the Information Security Office. The Manager of Secure Integrated Infrastructure will continue the process by provisioning access and providing onboarding support.

An example of Banner test database access would look like this:

Server                    Service (port)
Example-Database-Server   oracle (1521)

Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.

Definitions

Rotation of Duties/Job Rotation: This is a practice that compels employees to rotate into different jobs, or at least to rotate some of their duties periodically, such as during vacations or personal days off. This helps to deter fraud and to prevent other misdeeds such as sabotage and information misuse.

Separation of Duties: refers to the principle that no user should be given enough privileges to misuse the system on their own. For example, the person authorizing a paycheck should not also be the one who can prepare them. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles which cannot be executed by the same user) or dynamically (by enforcing the control at access time).
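The paycheck example above, and the Separation of Duties plan required of each business unit in item 4 of the Service Requirement, can be enforced either statically (conflicting roles rejected when assigned) or dynamically (the check made at access time against the record's history). This is an added illustration, not Duquesne's or CTS's own code; the role names, users, paycheck record and audit-log format are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


class SoDViolation(Exception):
    """Raised when a role assignment or an action would defeat Separation of Duties."""


class RoleDirectory:
    """Static enforcement: conflicting roles are rejected when they are assigned,
    so no single account can ever hold both halves of a high-risk process."""

    def __init__(self, conflicting_roles: Set[FrozenSet[str]]) -> None:
        self.conflicting_roles = conflicting_roles
        self._roles: Dict[str, Set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        held = self._roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in self.conflicting_roles:
                raise SoDViolation(f"{user} holds {existing}, which conflicts with {role}")
        held.add(role)

    def has_role(self, user: str, role: str) -> bool:
        return role in self._roles.get(user, set())


@dataclass
class Paycheck:
    paycheck_id: str
    amount_usd: float
    prepared_by: Optional[str] = None
    authorized_by: Optional[str] = None


class PayrollWorkflow:
    """Dynamic enforcement: the check runs at access time against the record's
    history, so whoever prepared a given paycheck cannot also authorize it,
    even in a unit where one person legitimately holds both roles."""

    def __init__(self, directory: RoleDirectory) -> None:
        self.directory = directory
        self.audit_log: List[str] = []  # denied attempts are recorded as well

    def _require_role(self, user: str, role: str, action: str, pc: Paycheck) -> None:
        if not self.directory.has_role(user, role):
            self.audit_log.append(f"DENY {action} {pc.paycheck_id} by {user}: lacks role {role}")
            raise PermissionError(f"{user} lacks role {role}")

    def prepare(self, user: str, pc: Paycheck) -> None:
        self._require_role(user, "payroll_preparer", "prepare", pc)
        pc.prepared_by = user
        self.audit_log.append(f"ALLOW prepare {pc.paycheck_id} by {user}")

    def authorize(self, user: str, pc: Paycheck) -> None:
        self._require_role(user, "payroll_authorizer", "authorize", pc)
        if pc.prepared_by is None:
            raise ValueError(f"{pc.paycheck_id} has not been prepared")
        if pc.prepared_by == user:  # the dynamic SoD check itself
            self.audit_log.append(
                f"DENY authorize {pc.paycheck_id} by {user}: prepared the same paycheck")
            raise SoDViolation(f"{user} prepared {pc.paycheck_id} and may not authorize it")
        pc.authorized_by = user
        self.audit_log.append(f"ALLOW authorize {pc.paycheck_id} by {user}")


# Constructed conflict set for the static policy (not a real role catalogue).
STATIC_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"payroll_preparer", "payroll_authorizer"}),
}


def static_policy_demo() -> str:
    """Strict unit: the second, conflicting role is refused at assignment time."""
    directory = RoleDirectory(STATIC_CONFLICTS)
    directory.assign_role("alice", "payroll_preparer")
    try:
        directory.assign_role("alice", "payroll_authorizer")
    except SoDViolation as exc:
        return str(exc)
    return "no violation raised"


def dynamic_policy_demo():
    """Small unit: one person holds both roles, so the conflict is caught at
    access time instead. Returns the paycheck and the audit log."""
    directory = RoleDirectory(set())  # no static conflicts defined here
    workflow = PayrollWorkflow(directory)
    for role in ("payroll_preparer", "payroll_authorizer"):
        directory.assign_role("carol", role)
    directory.assign_role("dave", "payroll_authorizer")

    pc = Paycheck("PC-1001", 2500.00)  # constructed sample record
    workflow.prepare("carol", pc)
    try:
        workflow.authorize("carol", pc)  # refused: same person on both steps
    except SoDViolation:
        pass
    workflow.authorize("dave", pc)  # a second person completes the process
    return pc, workflow.audit_log


if __name__ == "__main__":
    print(static_policy_demo())
    print(dynamic_policy_demo())
```

The denied attempts land in the same audit log as the allowed ones, which is what makes the regular log review required in item 5 useful for spotting collusion attempts.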


Effective date: 01/13/2017

Last updated: 05/20/2022

Purpose

Remote connectivity to campus is a critical tool for our community and its members. Computing and Technology Services (CTS) provides a Virtual Private Network (VPN) as a method of securing communications between your computer and the University network from home, business travel locations, conferences, or other non-work locations using public internet. The need to keep remote access secure for authorized users is a critical component of the campus VPN. These Service Requirements apply to all users of technology and associated processes at Duquesne.


Service Requirements related to VPN Access

  1. VPN connections are only permitted from institutionally managed machines that are maintained for patches, updates, and endpoint protection.
  2. Installation of the VPN will be performed by a member of CTS.
  3. Devices that require VPN connectivity must connect to the campus network at least once every 90 days.
  4. VPN is available to all University Employees. Access control to systems and services is defined by individual roles and responsibilities.

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, university disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.

Service Requirement PDF

Effective date: 07/01/2021

Last updated: 05/20/2022

Purpose

This Policy describes requirements for Duquesne University's Vulnerability Management Program ("VMP") to identify, assess, and remediate vulnerabilities, weaknesses, or exposures in Information Assets and Information Systems or other processes that may lead to a security or business Risk. This Policy is applied to all of Duquesne University's networks and the devices connected to those networks. The intended audience of this document is all employees and students of Duquesne University as well as relevant external parties. All parties are required to adhere to this Policy and attend to defined responsibilities.

Reference Documents

  • Acceptable Use of Computing Resources (TAP 26)
  • Family Educational Right and Privacy Act (TAP 28)
  • CTS Data Governance Service Requirements
  • CTS Information Security Service Requirements
  • CTS Mobile Device Service Requirements
  • CTS Information Security Requirements for Remote Access
  • CTS Asset Management Service Requirement
  • CTS Change Management Process
  • University Third Party Risk Management Service Requirement 
  • CTS Incident Response Plan

Strategy

In order to meet the requirements of Duquesne University's Vulnerability Management Program the Information Security Team ("the Team") will define, document, and maintain the following:

  • Critical assets and infrastructure to be included in the scope of vulnerability analysis and resolution activities
  • Technical resource needs
    • Approved tools and methods to aid in vulnerability monitoring, identification, analysis, and remediation efforts
  • Staffing requirements
  • Stakeholders - parties that have a vested interest in the management and success of the VMP and who shall receive vulnerability information from the Team and provide feedback and recommendations to the Team. Stakeholders include but are not limited to:
    • Systems Team
    • Networking Team
    • Application and Database Team
    • Endpoint Team
    • University Management
    • Departmental System Owners
    • Help Desk
    • Legal Affairs
    • Relevant Third-Parties
  • Roles and Responsibilities
  • Vulnerability information and sharing requirements
  • Regulatory and contractual obligations
  • Standardized processes for VMP activities and communications
  • A schedule for VMP activities
  • Operational and awareness training requirements
  • Auditing requirements and frequency

Definitions

Charter: The Duquesne University Vulnerability Management Program Charter.
Critical Asset: Any asset that stores or processes restricted data and/or is imperative to the core functionality of the University.
Exploit: An action taken, intentional or otherwise, that takes advantage of a vulnerability and causes unintended behavior in an asset or service.
Risk: The likelihood and consequences of a vulnerability being exploited through intentional or unintentional actions.
The Standard: The Duquesne University Vulnerability Management Program Standard.
Vulnerability: Any weakness in an asset or service that may be exploited, intentionally or otherwise, to cause unintended behavior in an asset or grant access to unauthorized resources.

Vulnerability Management Program Policy

Duquesne University's Vulnerability Management Program shall be implemented to ensure that vulnerabilities and security weaknesses in the University's information assets are identified, assessed, and remedied in a timely manner.

Scope

Vulnerability Management Program activities shall cover all University critical assets, data, and relevant third-party assets as defined in the Standard and the CTS Data Governance Service Requirements.

In order to ensure that Vulnerability Management Program activities are adequately accounting for all critical assets and data, the Information Security Team shall have access to an asset inventory and network diagrams in accordance with the Standard.

Roles and Responsibilities

The security of critical assets and data is the responsibility of the entire Duquesne University community. All employees, students, and relevant third parties shall be informed of the Vulnerability Management Program requirements and their specific roles and responsibilities to that end.

Information Security Team: Responsible and accountable for the administration and enforcement of VMP requirements as defined in this Policy and the Standard. Central point of contact for all relevant parties.
Systems Team: Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews.
Networking Team: Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews.
Application and Database Team: Participate in and support VMP activities for software applications and datacenter assets, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews.
Endpoint Team: Maintain endpoint security requirements, participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews.
Help Desk: Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews.
Infrastructure Team: Manage VMP team access to the asset inventory. Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews.
Change Management Team: Advise the VMP team during initial program rollout. Participate in program audits, reviews, and updates. Evaluate changes in asset configurations identified as remediations. Inform the VMP team of relevant changes to assets within the scope of the Program.
Risk Management Team: Advise and inform the VMP team on relevant organizational risks and risk acceptance criteria. Participate in escalation processes as necessary.
Incident Response Team: Participate in and own communications and timelines for VMP escalation processes as necessary. Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Communicate relevant vulnerability information after a breach. Participate in program auditing and reviews.
Legal Affairs: Required to collaborate with the VMP team to ensure compliance with regulatory and contractual requirements. Responsible and accountable for compliance fulfillment.
University Management: Sponsor the VMP by providing necessary resources and governance.
Operational Units: Responsible and accountable for third-party-owned assets within scope of the VMP. Units are required to cooperate with the VMP team and perform assigned tasks in accordance with the Standard and report security concerns to the VMP team.
Asset Owners and Operators: Responsible and accountable for assigned University assets. Owners and Operators are required to cooperate with the VMP team and perform assigned tasks in accordance with the Standard and report security concerns to the VMP team.
Other Duquesne University Community Members: Required to adhere to this Policy and report security concerns to the VMP Team. Encouraged to attend VMP awareness training.
Third-Party Service Providers: Required to adhere to this Policy and report security concerns to the VMP team. Service providers engaged to perform VMP activities are expected to provide an actionable report on any findings and offer guidance for the improvement of the VMP.
Third-Party Auditors: Required to audit compliance to the Vulnerability Management Program Policy and Standard in accordance with the requirements defined in the Standard, report on any findings, and offer guidance for the improvement of the VMP. Engaged periodically to evaluate program efficacy.

Training Requirements

Personnel responsible for Vulnerability Management Program services shall maintain the requisite competencies to adequately utilize approved tooling and methods as defined in the Standard.

The Information Security Team shall develop and deliver appropriate vulnerability management awareness training and resources and ensure relevant parties understand their obligations and contributions to the goals of the Vulnerability Management Program.

Vulnerability Assessment and Remediation Requirements

The Information Security Team will perform testing and scanning activities using approved tools and methods and in accordance with the Standard. Testing and scanning activities shall be performed periodically and on demand as required by the Standard and Charter. Consideration for impacts to University operations shall be given when scheduling assessments. Identified vulnerabilities will be remedied by appropriate personnel according to their Roles and Responsibilities and timelines associated with the assigned criticality ratings, as defined within the Standard.

Necessary changes to asset configurations shall be coordinated and tracked in accordance with Computing and Technology Services Asset Management Service Requirement and Change Management Process.

If periodic assessment requirements or remediation timelines are not satisfied for any reason, the Vulnerability Management Team shall invoke the necessary escalation processes defined in the Standard.

Vulnerability Information Sources and Sharing Requirements

Information about technical Vulnerabilities of Information Systems shall be obtained in a timely fashion; Duquesne University's exposure to such Vulnerabilities shall be evaluated and appropriate measures must be taken to address the associated risk. The Vulnerability Management Program shall include regular reviews of vulnerability information sources identified in the Standard.

Vulnerability Tracking and Validation Requirements

Vulnerabilities and remediations shall be tracked in accordance with the Standard. Vulnerabilities that are assigned a Critical or High rating shall be tracked to completion without exception.

Program Auditing and Review

Vulnerability Management Program documentation, requirements, processes, tools, methods, and scope shall be periodically reviewed in accordance with the Standard. Proposed changes shall be implemented in collaboration with the University's Change Management Team and in accordance with applicable Change Management Policies.

Effectiveness of the Vulnerability Management Program shall be evaluated against industry standard Key Performance Indicators (KPIs) as defined in the Vulnerability Program Standard.

University compliance to and efficacy of the Vulnerability Management Program requirements shall be evaluated periodically by independent third-party service providers in accordance with the Program Standard.

Violations

The University considers any violation of the vulnerability management program policies to be a serious offense.

Duquesne University will take any and all actions necessary to copy and examine files, systems, or information resident on University systems that are potentially related to unacceptable use, and to protect the network and computing environment from systems, users, and events that threaten or degrade computing services.

If violations cause harm to computing resources including network and systems or impact user integrity, CTS will attempt to contact the offending party via email, telephone, or in person to explain the problem and discuss remediation. Significant violations may require CTS to disconnect the system from the network or suspend the violator's use of computing resources and/or access to information stored or managed by the University.

Violations of this policy will be subject to regular disciplinary processes and procedures of the University that apply to students, faculty, and employees and may result in the loss of their computing privileges and other measures, up to and including expulsion from the University or loss of employment. Illegal acts involving University computing resources may also be subject to prosecution or other sanctions by local, state or federal authorities.

Decisions about whether a particular use of computing resources, or a particular access or use of Restricted Data, conforms to this Policy shall be made by the Provost's Office if the use involves faculty; by the Office of Student Conduct if the use involves students; and by the Office of Human Resources if the use involves staff. All decisions shall be made in consultation with the Chief Information Officer and Legal Affairs to ensure consistency.

Service Requirement PDF

Security Policy and Compliance

As per the University Copyright Policy, Duquesne takes copyright violations seriously. Besides raising awareness of copyright law, it takes appropriate action in support of enforcement as required by policy and law. United States copyright law "protects the original works of authorship fixed in any tangible medium of expression, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device."

The University's Copyright policy states "unauthorized use and distribution of copyrighted works can deprive creators and publishers of a fair return on their work and inhibit the creation of new works. Respect for the intellectual and creative work and property of others has always been essential to the mission of colleges and universities. As members of the academic community, we value the free exchange of ideas. But just as the University does not tolerate plagiarism, it cannot condone the unauthorized use and distribution of intellectual and creative work. Such protected works may include, but are not limited to, written texts (whether in physical or electronic form), recorded music or audio files, musical scores, photographic images, and video images." Furthermore, TAP No. 26: Acceptable Use of Computing Resources prohibits the distribution of copyright-protected material including DMCA protected material via the University network or computer systems, unless the copyright owner grants permission.

The Higher Education Opportunity Act

The Higher Education Opportunity Act of 2008 (Public Law 110-315) Section 488 requires institutions of higher education to annually inform students that "unauthorized distribution of copyrighted material, including unauthorized peer-to-peer file sharing, may subject the students to civil and criminal liabilities." Duquesne University does this through the student handbook which is communicated to students each semester. The law goes on to require institutions "to provide a summary of penalties for violation of Federal copyright laws, including disciplinary actions that are taken against students who engage in unauthorized distribution of copyrighted materials using the institution's information system." Copyright protected materials can include, but are not necessarily limited to: music, movies or other video, literary works, software, digital images or libraries.

DMCA Takedown Notice

A DMCA Takedown Notice is a legal notification from a copyright holder or their representatives instructing the recipient to remove or make unavailable the copyright-protected work cited. Duquesne University typically receives DMCA Takedown Notices through email. Notifications must contain the following elements to be valid:

  1. A physical or electronic signature of an authorized representative of the copyright holder of the allegedly infringed content
  2. Identification of the specific copyrighted work claimed to have been infringed
  3. Identification of the material that is claimed to be infringing with sufficient detail to allow the service provider to locate the material that is to be removed or made inaccessible.

Penalties and Legal Actions

A user in violation of copyright law may face the following penalties:

  • Suspension from the university network as described under The University Processing of a DMCA Notice
  • Prosecution in criminal court or a civil lawsuit seeking damages. Civil liability for copyright infringement can be as high as $150,000 per instance of infringement in addition to legal fees. Criminal penalties for a first offense may be as high as three years in prison and a fine of $250,000
  • Disciplinary action taken by Human Resources, General Counsel's Office, or the Office of Student Conduct depending on the specific affiliation of the alleged infringer.

Other Legal Actions

Along with DMCA Takedown Notices, copyright holders and their representative agencies have also issued the following types of legal documents:

  • Early Settlement Offer
  • Preservation Request
  • Subpoena

Any of these documents can be sent individually or in groups, along with or instead of a DMCA Takedown Notice.

Avoid Triggering a DMCA Takedown Notice

To avoid violating copyright laws, users should consider the following:

  • Do not publish copyright-protected materials on university web sites without obtaining permission from the copyright holder or their representative.
  • Disable P2P software on all devices before connecting to the campus network.
  • Adhere to Duquesne University's Copyright Policy.
  • Consider using EDUCAUSE-recommended resources for legal downloading.

Enforcement

The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at duq.edu/taps. Other IT-related policies can be found at duq.edu/cts/policies. Additionally, the University Information Security Incident Response Plan (IRP) provides a response for any DMCA complaint or violation. Complaints or violations can be reported via email to help@duq.edu or by calling 412.396.4357.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.

The EU General Data Protection Regulation enacted on May 25, 2018, protects and empowers all EU citizens' data privacy and reshapes the way organizations across the region approach data privacy.

The GDPR applies to entities located outside of the EU who control or process personal data of anyone who is in the EU, regardless of EU citizenship. This includes organizations that offer goods or services to, or monitor the behavior of, people inside the EU. GDPR applies even if the processing takes place outside of the EU. This includes members of the Duquesne University community who may be residing (permanently or temporarily) in the EU, and EU citizens who attend or work for Duquesne University. This regulation also includes EU citizens who participate in campus activities including alumni organizations, mailing lists, forums, or other functions.

General Requirements of GDPR

The GDPR is focused on the personal data of EU data subjects. This includes information that directly or indirectly could identify an individual through the use of what is deemed personal data. Personal data is any information about an identified or identifiable EU data subject and includes names, addresses, phone numbers, date of birth, and also online identifiers (including IP addresses), cookie identifiers, location data (e.g. GPS coordinates) and device information. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life, and sexual orientation are also deemed personal data under GDPR.

The GDPR gives EU data subjects significant rights over how their personal data is collected, processed, and transferred. They have the right to, among other things:

  • Access any data that an organization has collected about them and receive that access within 30 days of notice;
  • Know why an organization is processing their personal data and the categories of personal data that an organization processes;
  • Correct any errors in personal data collected or processed by an organization;
  • Learn with whom or what third-party organization their information has been shared;
  • Know how long an organization will store their personal data; and
  • Under certain circumstances and conditions, invoke the "right to be forgotten," at which the organization will de-identify the individual's personal data within 30 days of notice. 

From an organizational perspective, GDPR requires data protection safeguards be implemented and imposes a number of obligations. An organization must:

  • Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
  • Minimize the collection and processing of personal data whenever possible;
  • Protect any personal data that it collects and uses;
  • Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts and continuously monitor both the risks and the mitigation plan for change;
  • Conduct a data protection impact assessment for special categories of high-risk data collection and processing; and
  • Have a breach notification policy and notify authorities within 72 hours of declaration of the breach.

GDPR at Duquesne University

Duquesne University has established a GDPR committee that provides guidance about the regulation. Since there are members of the Duquesne University community who are EU data subjects residing (permanently or temporarily) in the EU, the University will comply with the GDPR regulation.

Data Subjects may inquire about their rights or procedures at any time via help@duq.edu. Duquesne University business units should be able to demonstrate how they meet the requirements listed above and may consult with the GDPR Committee for any questions, concerns or resource needs including conducting a data protection impact assessment by emailing help@duq.edu.

The University Technologies policies including TAP 26, CTS Data Governance Service Requirements, Information Security Service Requirements, and other policies and service requirements listed at https://duq.edu/cts/policies define appropriate and reasonable privacy and security measures. Additionally the University Information Security Incident Response Plan (IRP) addresses the 72-hour breach notification requirements. Incidents can be reported via email to help@duq.edu or by calling 412.396.4357 (HELP) 24/7.

Federation Participant Information


1.1 The InCommon Participant Operational Practices information below is for:
InCommon Participant organization name: Duquesne University
The information below is accurate as of this date: April 28, 2017


1.2 Identity Management and/or Privacy information
Additional information about the Participant's identity management practices and/or privacy policy regarding personal information can be found on-line at the following location(s).
URL(s): http://www.duq.edu/cts/policies http://www.duq.edu/cts/accounts


1.3 Contact information
The following person or office can answer questions about the Participant's identity management system or resource access management policy or practice.
Name: Tom Dugas
Title or role: Director, Information Security/New Initiatives
Email address: dugast@duq.edu
Phone: 412.396.6574; FAX: 412.396.5144



Identity Provider Information


The most critical responsibility that an Identity Provider Participant has to the Federation is to provide trustworthy and accurate identity assertions.[3] It is important for a Service Provider to know how your electronic identity credentials are issued and how reliable the information associated with a given credential (or person) is.


Community


2.1 If you are an Identity Provider, how do you define the set of people who are eligible to receive an electronic identity? If exceptions to this definition are allowed, who must approve such an exception?
Students, faculty, staff, retirees, affiliates and special patrons are subject to the Duquesne University policies and receive a userID. Authorized personnel in sponsoring departments are required to submit requests for affiliates and special patrons to Human Resources for access approval.


2.2 "Member of Community" is an assertion that might be offered to enable access to resources made available to individuals who participate in the primary mission of the university or organization. For example, this assertion might apply to anyone whose affiliation is "current student, faculty, or staff."
What subset of persons registered in your identity management system would you identify as a "Member of Community" in Shibboleth identity assertions to other InCommon Participants?
Anyone identified as current faculty, staff, student, retiree, affiliate, or special patron


Electronic Identity Credentials


2.3 Please describe in general terms the administrative process used to establish an electronic identity that results in a record for that person being created in your electronic identity database. Please identify the office(s) of record for this purpose. For example, "Registrar's Office for students; HR for faculty and staff."
The Enrollment Management Group for students and the Office of Human Resources for faculty and staff.


The process for the establishment of electronic identity occurs for students at the time a deposit is recorded in our ERP and the student offer is accepted.
For employees, it occurs when their complete employment information is entered into our ERP system, Banner.


2.4 What technologies are used for your electronic identity credentials (e.g., Kerberos, userID/password, PKI, ...) that are relevant to Federation activities? If more than one type of electronic credential is issued, how is it determined who receives which type? If multiple credentials are linked, how is this managed (e.g., anyone with a Kerberos credential also can acquire a PKI credential) and recorded?
LDAP is used as the principal store for usernames/passwords. Secondarily, usernames are synced with Active Directory and ADFS.


2.5 If your electronic identity credentials require the use of a secret password or PIN, and there are circumstances in which that secret would be transmitted across a network without being protected by encryption (i.e., "clear text passwords" are used when accessing campus services), please identify who in your organization can discuss with any other Participant concerns that this might raise for them:
Passwords are not transmitted unencrypted.


2.6 If you support a "single sign-on" (SSO) or similar campus-wide system to allow a single user authentication action to serve multiple applications, and you will make use of this to authenticate people for InCommon Service Providers, please describe the key security aspects of your SSO system including whether session timeouts are enforced by the system, whether user-initiated session termination is supported, and how use with "public access sites" is protected.
We provide SSO by virtue of the Shibboleth/IDP sign-on process. The standard IDP timeout mechanisms are enforced. User-initiated timeouts only exist by closing out the browser. We also have various application session timeouts and Active Directory timeouts for endpoints based on the role and areas of responsibilities.


2.7 Are your primary electronic identifiers for people, such as "net ID," eduPersonPrincipalName, or eduPersonTargetedID considered to be unique for all time to the individual to whom they are assigned? If not, what is your policy for re-assignment and is there a hiatus between such reuse?
All electronic identifiers are unique to the individual and are never reassigned.


Electronic Identity Database


2.8 How is information in your electronic identity database acquired and updated? Are specific offices designated by your administration to perform this function? Are individuals allowed to update their own information on-line?
The information is acquired and updated by the offices listed in 2.3 through manual and automated scripts populating the University's enterprise systems. Individuals cannot update their information online directly.


2.9 What information in this database is considered "public information" and would be provided to any interested party?
Information categorized as "directory information" is considered to be public information.


Uses of Your Electronic Identity Credential System


2.10 Please identify typical classes of applications for which your electronic identity credentials are used within your own organization.
Business Management Systems, Academic Management Systems, Library Systems, Network and IT systems, and Emergency/Security Systems.


Attribute Assertions


Attributes are the information data elements in an attribute assertion you might make to another Federation participant concerning the identity of a person in your identity management system.


2.11 Would you consider your attribute assertions to be reliable enough to:
[YES] control access to on-line information databases licensed to your organization?
[YES] be used to purchase goods or services for your organization?
[YES] enable access to personal information such as student loan status?


Privacy Policy


Federation Participants must respect the legal and organizational privacy constraints on attribute information provided by other Participants and use it only for its intended purposes.


2.12 What restrictions do you place on the use of attribute information that you might provide to other Federation participants?
Attribute information that we provide may only be used for the agreed upon business purpose. It may not be shared with other parties in detail or in aggregate without our expressed written consent.


2.13 What policies govern the use of attribute information that you might release to other Federation participants? For example, is some information subject to FERPA or HIPAA restrictions?
Some information is restricted by FERPA, HIPAA and other laws; those laws, together with University policies, govern the release of any attribute information that Duquesne University might release to Federation Participants.


3. Service Provider Information


Service Providers are trusted to ask for only the information necessary to make an appropriate access control decision, and to not misuse information provided to them by Identity Providers. Service Providers must describe the basis on which access to resources is managed and their practices with respect to attribute information they receive from other Participants.


3.1 What attribute information about an individual do you require in order to manage access to resources you make available to other Participants? Describe separately for each resource ProviderID that you have registered.
Duquesne University is not currently a service provider.


3.2 What use do you make of attribute information that you receive in addition to basic access control decisions? For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?
N/A


3.3 What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)? For example, is this information encrypted?
N/A


3.4 Describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information.
N/A


3.5 If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?
N/A


4. Other Information


4.1 Technical Standards, Versions and Interoperability
Identify the version of Internet2 Shibboleth code release that you are using or, if not using the standard Shibboleth code, what version(s) of the SAML and SOAP and any other relevant standards you have implemented for this purpose.
Shibboleth IdP version 3.2.1


4.2 Other Considerations
Are there any other considerations or information that you wish to make known to other Federation participants with whom you might interoperate? For example, are there concerns about the use of clear text passwords or responsibilities in case of a security breach involving identity information you may have provided?
In the case of a local identity breach, the Computing and Technology Services Information Security Team will work with Legal Affairs to notify those impacted. Outside organizations that need to report a breach to Duquesne University should contact help@duq.edu, and our team will handle the local coordination.


Computing and Technology Services (CTS)

CTS Main Office

IT Service Desk

On-call staff can be notified of widespread or high-impact issues 24x7 by pressing 9 in the IT Service Desk phone menu.