Campus Policy Number: 400-35
DEPARTMENT: COMPUTING & COMMUNICATIONS
SUBJECT: Computer Systems Access, Use, and Security
DATE: February 14, 2003
Information Systems (Access, Use, & Security)
Policy Owner: Computing & Communications
Effective Date: 2/14/2003
UCR POLICY FOR ACCESS TO UNIVERSITY INFORMATION SYSTEMS
Computing & Communications is responsible for providing access to key corporate/enterprise systems to assist campus departmental and campus administrative goals. Key corporate/enterprise systems include payroll/personnel, general ledger, purchasing, accounts payable, student information and UCR email system.
- GUIDELINES FOR ACCESS
Access to the University's information systems and data is limited to those individuals who have a demonstrated need for access based on their job duties. Request for access to administrative information systems for individuals must be made by their department head or delegate. Access may be granted for UCR employees that hold career and limited status positions. Access may also be granted for non-UCR employees such as consultants, auditors, or temporary agency employees.
- DATA PRIVACY
Some of the data contained in the University's information systems may be defined as personal or confidential under the University's policies and the State of California Information Practices Act of 1977 (IPA). References to personal and confidential information in the Riverside Campus Policies and Procedures Manual are for the individual’s information but may not specify all the computer use standards, University policies and procedures, and State and Federal laws by which an employee is governed.
It is the responsibility of individual users to access and use data in accordance with the University's policies and the State of California Information Practices Act of 1977. For more specific information, refer to the references shown in I. ADDITIONAL REFERENCES.
- USER RESPONSIBILITIES
Individual users certify understanding of and agree to adhere to Computing's guidelines by signing the LOGON ID REQUEST/COMPUTER SECURITY AND USE AGREEMENT or APPLICATION FOR UCR NETID. Specifically, an individual given access to UCR systems acknowledges an understanding of and agrees to adhere to the following:
- Security is to be maintained by not providing anyone else access to or use of University information systems maintained by Computing & Communications.
- The Logon ID, UCR NET ID, and Username are considered equivalent to a signature and the individual is responsible for all entries made under that Logon ID.
- Proper password security to all systems, including electronic mail, is to be maintained by not revealing passwords to anyone.
- Proper physical security is to be maintained by not leaving a workstation/terminal unattended while logged into a University system.
- Suspected security violations are to be reported to the department head, the Associate Vice Chancellor of Computing and Communications or designate, and to the Dept. of Audit & Advisory Services.
- Under existing California state law, any person who maliciously accesses, alters, deletes, damages, or destroys any computer system, network, computer program, or data shall be guilty of a felony.
- Computing resources and University data shall be used only for legitimate University business for which an individual is explicitly authorized.
- The privacy and confidentiality of all accessible data shall be maintained at all times.. It is understood that unauthorized disclosure of personal/confidential information is an invasion of privacy and may result in disciplinary, civil, and/or criminal actions against an individual.
- References to personal and confidential information in the Campus Policy and Procedures Manual and the LOGON ID REQUEST/COMPUTER SECURITY AND USE AGREEMENT are for the individuals information but may not specify all computer use standards, University policies and procedures, and state and Federal laws by which users are governed.
Failure to comply with the “User Responsibilities” may result in disciplinary action, up to and including dismissal. Any violation of local, state, or Federal laws may carry the additional consequence of prosecution under the law - where judicial action may result in one or more of the following:
- specific fines
- litigation costs
- payment of damages
The University will take the strongest actions possible in the case of any breach of these agreements.
- DEPARTMENTAL RESPONSIBILITIES
- Access to the University's information systems is granted to individuals with a demonstrable need for access. The department head or delegate certifies that requested access is required for the individuals necessary and proper performance of assigned job duties. The department head initially requests individual access to the University's information systems maintained by Computing & Communications by submitting the required signed authorization forms. (Signature Authorization Delegation Form http://www.cnc.ucr.edu/index.php?content=policies )
- CANCELLATION REQUEST http://cnc.ucr.edu/downloadable_files/cancelaccessvms.pdf form is used by a department to cancel a logon ID and/or access to specific systems. When an employee terminates University employment, transfers to another department, or changes departmental responsibilities, or an individual is no longer affiliated with the University and no longer requires access to the University's information systems maintained by Computing, it is the responsibility of the department to notify Computing and Communications. Computing and Communications will cancel the logon ID, UCR Net ID and/or access to systems.
- Cancellation of the logon ID cancels access to all systems.
- Signature of the department head or delegate is required.
- Prior to the release of the terminating employee's last check, a cancellation request should be sent to Computing & Communications.
- AUTOMATIC CANCELLATIONS
- A logon ID with no activity for three consecutive months will be canceled by Computing unless the logon ID is placed On inactive status - see 2. below.
- If an employee will be on leave of absence or furlough for three months or longer, arrangements must be made to have the logon ID placed on inactive status until the employee returns. The employee, the department head, or the authorized delegate should send a written memo to the Computing and Communications stating the employee name, logon ID, leave begin date and leave return date. Failure to follow this procedure will result in the logon ID being canceled.
- AUDIT & ADVISORY SERVICES
To accomplish audit objectives, the Department of Audit and Advisory Services is authorized to have full inquiry access to all University information systems. This open access will facilitate the periodic review of controls over system security, access, and use.
- DEPARTMENT INFORMATION SYSTEMS
Access, use, and security controls over information systems distributed throughout campus departments are the responsibility of the campus department management. Questions concerning access, use, and security controls for a particular department's information system can be directed to Computing & Communications, or the Department of Audit and Advisory Services.
- ADDITIONAL REFERENCES
Business and Finance Bulletins (available for reference in the Labor Relations Office):
RMP-7: Privacy of and Access to Information Responsibilities
RMP-8: Legal Requirements of Privacy of and Access to Information
RMP-9: Guidelines for Access to University Personnel Records by Government Agencies
Campus Policies and Procedures Manual: Policies
800-70: Privacy and Access to Information
- FORMS http://cnc.ucr.edu/index.php?content=policies
- Signature Authorization/Delegation
- IBM Logon ID Request
- Application for UCR Net ID
- Request for Access to Systems - Non-IBM
- Request for Access to Systems - IBM
- Cancellation Request - UCR Net ID
- Cancellation Request - IBM