FAQs
Overview
- Misuse definition expanded to include circumventing security measures and systems not meeting minimum security standards for data classification. Network access will require minimum security.
- While university information systems are not routinely monitored for content, the university retains the right to review files, emails, and data for compliance with policy and its business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy, and consent to university review.
- University email is required for University business. No automated forwarding of University email to a non-University email account.
- A university-provided email will be required.
- This is a change for UNL to align with the practices already in place at UNK, UNMC, UNO and the Office of the President.
- Updated language/terms for “web pages” to “website, apps and digital content”
- Use of university systems is required for university business.
- Security training is mandatory annually.
- All endpoints and systems must implement access controls, participate in vulnerability and patch management, and enroll in Endpoint Management.
- Distributed IT will utilize tools provided by ITS to support their organizations.
- New data protection requirements for removable media (external flash drives/hard drives).
- A new IT policy and standard exception process has been created.
Will ITS be looking at/monitoring what is going on in my computer?
- The university’s information systems are not monitored for general content. The university is dedicated to maintaining the same academic spirit of free and open thought, idea, and expression on its digital networks as it does on its physical campuses and classrooms.
- The university retains the right to review computer processes, files, emails, and data for compliance with federal and state laws, university policies and standards, security and business purposes. Use of university information systems constitutes acknowledgment that users have no expectation of privacy and consent to university review.
How can I be sure IT professionals maintain confidentiality when working on my device or system?
NU ITS employees sign a Non-Disclosure/Confidentiality Agreement annually, ensuring the confidentiality of university and personal data when it is encountered in the course of any work performed by NU ITS. These agreements cover information systems and data used for research. NU ITS employees are trained to recognize confidential information and handle it appropriately, and are required to complete additional training (e.g., HIPAA and FERPA). NU ITS partners closely with the research governance organizations at each campus, which endorse collaboration with ITS to appropriately secure information systems and data required by research. In situations where additional regulatory requirements or compliance are necessary, such as ITAR research, specified NU ITS personnel have been vetted and approved for work in these projects.
What happens to me if I am not in compliance with parts of this policy?
This policy applies to all administrative units of the university. The University of Nebraska System and each university campus are encouraged to provide supplemental policy guidance, consistent with this policy, designed to implement the provisions herein. Failure to comply with university IT policies may result in sanctions related to the individual’s use of IT resources or other appropriate sanctions via university personnel and student policies up to and including expulsion for students and termination of employment for employees.
How do these changes impact students?
- Students need to understand the definitions of misuse in the document.
- Students need to be aware of contacting instructors only at university email accounts.
- Anyone doing research that needs to access high-risk data must do so on a university-provided endpoint that meets the minimum-security controls.
Personal Devices
Can I use a personal device to access university services and data?
Yes, the requirements from Executive Memorandum 16 do not limit what devices you can use to access publicly accessible University systems. It only comes into scope if you are locally storing medium or high risk classified University data on a non-University device. If you need to store medium or high-risk University data, you should store it in your University-provided
The following examples of common university services are not network restricted and will continue to be accessible from any device:
- Firefly Employee Self Service
- MyBlue, MyRed, MyNCTA, & MavLink
- Learning Management System (Canvas)
- eSignature System
- Office 365 (University email, Teams, OneDrive, SharePoint, etc.)
- Multi-factor Authentication (Duo)
- Zoom
If I use my personal device to access university systems, will my personal device be managed by ITS?
No, your personal device will not be managed. Additionally, you can use your personal device to access publicly accessible university information systems that contain medium risk data, including but not limited to: Firefly; MyBlue, MyRed, MyNCTA and MavLink; Learning Management System (Canvas); eSignature System; and Two-Factor Authentication (Duo).
I'm an adjunct/part-time faculty member, can I use a non-University device to access Canvas and teach my course?
Yes, the requirements from Executive Memorandum 16 do not limit what devices you can use to access and use Canvas. It only comes into scope if you are locally storing medium or high risk classified University data on a non-University device. If you need to store medium or high-risk University data, you should store it in your University-provided
As a faculty member, can I download and store my course information from the Canvas learning management system on a personal device?
Yes, you can download and store course materials from the Canvas learning management system on your personal device, excluding non-directory and/or FERPA protected student data. Non-directory (page 181) and/or FERPA protected student data is classified as medium and/or high risk institutional data and is not to be stored on personal devices, per Executive Memorandum 42.
What is considered BYOD?
BYOD (Bring Your Own Device) will include any device, desktops/laptops/tablets/cell phones, purchased by a faculty/staff/student with personal funds. Grant funds are university funds, and items purchased with grant funds will be treated as university-owned endpoints.
What can I do to protect myself while using BYOD?
Minimum security requirements include: Supported and patched OS, Cortex XDR, Disk Encryption, and a Local Firewall.
How does this impact me if I want to access my records or information stored on university information systems with my personal computer (BYOD)?
- If you are accessing university systems to retrieve your records or information, such as your pay stub, W-2, grades, class assignments, etc., you are not required to implement the minimum-security controls on your personal device. It is still highly recommended to have your endpoint up to date and running the university-provided Antivirus.
- If you access other people's data you must comply with ALL appropriate policies and minimum-security controls outlined in EM16.
If I use a personal cell phone to access my University email account, does that mean it automatically is in scope for FOIA requests?
No. While you may access University email from your personal cell phone, data is stored in the Microsoft Office 365 cloud. A personal device is only in scope if it stores medium or high-risk University data.
If data on my personal device is in scope for a subpoena or a FOIA, how is that data collected?
Depending on the extent of the subpoena/FOIA the data would be provided by the individual who owns the device or the device owner could be required to provide the device to a third party for a forensic image to be created.
If I install Cortex on my personal device, can the university monitor the device?
The personal version of Cortex, also known as "Cortex Prevent" by Palo Alto Networks, provides devices with basic malware prevention services and helps maintain a cyber-secure ecosystem at the university. Cortex Prevent does not include the advanced forensics or remediation functionality that is included on university-owned devices. A Cortex administrator can NOT initiate remote terminal sessions or view any files on a Cortex Prevent client. Cortex administrators can see basic metadata for personal devices, such as the device name, OS version, active user name, MAC address, and IP address.
University-Owned Endpoints
What is an "endpoint"?
A University-owned endpoint is a computing device used directly by a user. Examples include but are not limited to: desktops, laptops, and tablets.
Will my university-owned desktop and/or laptop need to be enrolled in endpoint management?
Yes. University desktops and laptops will need to be enrolled in the appropriate management system to receive essential configurations and regular security patches. All university endpoints and systems must implement access controls, including passwords and/or biometric security.
Will I have any control over when my endpoint is updated/patched?
- Yes. Managed endpoints will provide users with an opportunity to defer regular patches/updates for a period of time so that the update process can occur at a convenient time. Once the maximum deferrals have been reached, patches will be automatically installed. Details on the patch process will be made available.
- Some patches/updates deemed immediately necessary due to the risk level could be made with minimal notification by our Information Security team.
- Campus links to the patch process:
- Kearney:
- Lincoln:
- Omaha:
Are servers included in the definition of "endpoints"?
No, servers are included in the definition of “systems”. Applicable systems, such as servers, must also enroll in the appropriate endpoint management system to receive essential security configurations and routinely patch software to address identified vulnerabilities.
Can I store university data on my university-owned endpoint?
Yes, any university-owned endpoint meeting the minimum security controls may store university data. Best practice would be to only store the relevant data needed to complete your job responsibilities. Data should be maintained in the system of record and should not be duplicated or replicated in other information systems.
Why is my computer or piece of research equipment no longer allowed to be connected to the UNL network and the private machine network that is used to run the machine? Why wasn’t this called out in any of the FAQs?
Connecting to more than one network at a time allows a workstation to act as a bridge, potentially enabling unauthorized devices to access sensitive or confidential networks and Information Systems. The need for this type of networking is rare and requires a security exception to enable functionality, where appropriate.
Why wasn’t I told when a certain computer was going to be moved over to a different risk level so that I could monitor it for effects?
Department IT Support is coordinating the migration of Information Systems into the appropriate Risk Classification. Please contact your IT Support Team if you have questions regarding the process or schedule.
Why didn’t IT or ITS know about this possibility with my machine ahead of time and tell me it was a possibility (why didn’t they tell me to put in an exception prior to changing the risk level)?
Department IT Support is coordinating the migration of Information Systems into the appropriate Risk Classification. Please contact your IT Support Team if you have questions regarding the process or schedule.
Why am I no longer allowed to have my non-work accounts in my Outlook client? Why isn’t that called out in the FAQs?
On Microsoft Windows, the ability to leverage a personal Microsoft account can enable users to leverage their personal credentials in place of a managed and authorized university identity to access the endpoint, potentially circumventing University of Nebraska security configurations. To prevent unauthorized access, personal accounts are disabled by default.
Does the University now forbid the use of a work computer to have personal items on it (i.e., files or, in this case, calendars or email)?
No, a university-owned computer can be used to store personal data for incidental use. However, personal data stored on a university-owned computer may not be considered private as university-owned computers are subject to public records requests per state law. Data is only inspected if there is a proper public record request, a law enforcement subpoena, or a legitimate University interest in a search.
What if this non-work account is used to conduct business (i.e., Extension has Gmail accounts through E-Extension to conduct University business, outlook.com accounts are used to access or interact with outside businesses and trades, etc.), is an exception needed for every one of these cases?
An exception will be required if university business is conducted outside of University-owned/managed Information Systems.
When it comes to Linux devices, I don’t see anything mentioned around these devices or rarely do, how will all of this affect my Linux computer?
University-owned Linux devices are expected to meet the same security requirements as Windows and macOS devices. Essential security services are currently available to accommodate commonly used Linux platforms. Over time, Linux-specific guides and endpoint management systems will become available to offer parallel services and support.
Explaining the differences between remote desktop and virtual desktop
Remote Desktop is a feature that enables someone to access the desktop of another computer in a remote location. Typically, this is done from one physical computer to another physical computer while using a VPN. A Virtual Desktop offers similar remote access functionality but can be securely accessed from any computer, web browser, or mobile device without a VPN. For more information, review the .
CTRL+ALT+DEL
Every time I reboot or logoff my machine, I’m now faced with hitting CTRL+ALT+DEL, then I have to answer okay to a lengthy pop-up, then I have to type in my user code and also my password.
What does this actually fix from a security standpoint?
Privacy and Security Notice – Displaying and accepting a standardized Privacy and Security Notice at login is a NIST requirement that accomplishes two goals. 1) It ensures that users acknowledge and consent to abide by the University of Nebraska’s Policy for Responsible Use of University Computers and Information Systems before accessing University Information Systems. 2) It confirms that the Information System is owned and managed by the University of Nebraska and can be trusted to conduct university business and comply with applicable federal, state and local security-related laws and regulations, contractual requirements, and university directives.
Managed Login Window (CTRL+ALT+DEL) – A standardized and managed login experience for every login event on Windows and macOS provides accessibility capability for users with certain types of physical impairments who may otherwise have difficulty accessing an Information System. Additionally, by enforcing the default OS login experience, users are assured that malware has not replaced the login window to intercept passwords, and they are provided a standardized interface that cannot be altered by a user or third-party software. Finally, users of the system are not disclosed to potential threat actors for targeting.
Why don’t Mac users have to do this?
(See the previous answer)
This is more of a disincentive to rebooting my computer, can the frequency in which this happens or the situations in which this happens change (i.e., if I’m on campus vs traveling)?
(See the previous answer)
Why did they change my boot up background and why can’t I get that back?
(See the previous answer)
Why can’t I use facial or other forms of authentication on my computer?
Enterprise management of the Windows Hello features is under review by ITS to ensure that this authentication method can be supported and configured in alignment with University of Nebraska policy and standards.
Why can’t a swipe be used in place of CTRL+ALT+DEL?
(See previous answer, accessibility needs)
Can I use a personal cell phone to access university email?
Yes, unless using the .gov tenant.
What do I do if a student or colleague emails me about university business from a non-NU email address?
Respond to the message using the student or colleague’s university email address. If the sender’s university email address is unknown, it is acceptable to respond to the original email and ask the sender to provide their university email address.
Can I use my university-provided email for personal use?
Limited personal use of university information systems, including email, is acceptable if it is not used for personal financial gain or to represent oneself as a “university agent” to an outside entity. It is strongly recommended to use a personal email address for personal use.
Are business-related emails that get sent to my personal account subject to public record requests?
Yes, university-business-related emails that are sent to or from the personal email account of a university employee are subject to disclosure pursuant to the Nebraska Public Records Act.
Do adjunct instructors have to use a university email account?
Yes, all university employees will be required to use university email accounts for university business.
Will I need to be granted an exception to continue forwarding my emails and using non-Office 365 products?
Email will not be allowed to be automatically forwarded to other services. You are able to use non-Microsoft email clients to access your mail, e.g. Apple Mail. Note: Non-Microsoft services will need to support modern authentication to work with Microsoft 365.
Is business-related content in my personal email account subject to FOIA requests?
Yes, university business related emails that are sent to or from the personal email account of a university employee are subject to disclosure pursuant to the Nebraska Public Records Act.
Miscellaneous
How is collaborative work/research between different universities handled when the work/research is conducted at Nebraska but stored on the other university's infrastructure?
Data for research sponsored/hosted by the University of Nebraska should be stored within approved University of Nebraska information systems. Collaborative research sponsored/hosted by another institution can be stored within said organization's approved information systems.
We have purchased Software as a Service (SaaS), does that have to be moved to university information systems?
No, SaaS by design runs on the provider’s infrastructure, or infrastructure that they hold the contracts for. If this SaaS solution passed the software procurement review process, you should not need to do anything else. However, if it has not been through that review or has failed it, it will need to be evaluated on your next renewal.
We are using Infrastructure as a Service (IaaS) and/or Platform as a Service (PaaS) environments, how are we impacted?
NU-ITS contracts for IaaS and PaaS information systems on behalf of the university to ensure that security, compliance, and performance requirements are met, and our scale can be leveraged to provide the best pricing. Current offerings include Amazon Web Services (AWS), Microsoft Azure, and on-premises private cloud. Any IaaS or PaaS agreements will need to be reviewed and migrated into NU-ITS information systems.
Can we use service accounts with the new policy?
Service accounts are acceptable for use on servers, to run a specific service, but are not to be used as a general user login. Service accounts should also be unique to the service and follow applicable standards and best procedures. Service accounts are NOT shared accounts and should not be used as such.
How do I get multiple people access to a piece of software that is on one computer?
- The licensing details should be reviewed to ensure this is an acceptable use of the software. If it is licensed on a per-user basis, licenses will need to be procured for each user of the software.
- Otherwise, users should log into the shared computer with their individual university credentials.
Will access to non-university managed services, such as Dropbox, be blocked from being accessible on the university network?
In the spirit of running an open network and academic freedom, only services that are deemed as malicious or a threat to the university will be blocked from being accessible on the university network.
If my lab and research program relies on non-Microsoft products, will access to them be blocked? Will I be able to use non-Office 365 products from my work computer?
The use of non-university managed services for university business will need to be reviewed on a case-by-case basis to ensure that university data is properly protected. The Exception Committee will review these cases as they are submitted and will provide recommendations to the department chair, college dean and campus CIO.
Legal
Under what conditions will a faculty member's files, email and data be reviewed?
The three most common examples are: 1) ongoing litigation; 2) public record requests; or 3) suspected misuse.
Confidentiality of faculty and staff information is governed by RP 6.7.
Under what circumstances may employee data be reviewed?
There has never been an “expectation of privacy” in data stored on University devices. All emails and documents are subject to public records – as they always have been. This is per state law and not University policy. Faculty data is only inspected if there is a proper public record request, a law enforcement subpoena, or a legitimate University interest in the search.
Unless there is a suspicion of misuse or malfeasance, faculty/employees are generally provided notice prior to a search.
Under what conditions will the University inspect an employee's personally owned device? What is an "incident" in this context?
For most employees, there is no requirement to use a personal device. For those employees who do choose to conduct University business on a personally owned device, this policy now clarifies that those devices may be subject to inspection, per Section 7d of EM16.
The policy does not apply to data that is only stored in cloud-based platforms such as MyRed or Canvas. It would be applicable to data that is downloaded from those platforms and then stored locally on the device. Access alone is not enough to trigger this portion of the policy.
“Incident” in this context is a security incident where there is a data breach or a threatened data breach or another violation of law or University policy.
Why would the University be required to search my personal device when they can get the same data from University systems? (e.g. email)
If an employee chooses to do University business on a personal device, it is possible that device contains University data that does not exist elsewhere and the University can only access and confirm the storage of information on that device by looking at the actual device. These searches would be because of a public record request, litigation holds, subpoena, or another request where the responsive information may be locally stored on a personal device. The University must comply with state and federal law regardless of where or how information is stored. Most employees can avoid this problem by only conducting University business on University-provided devices.
This policy is not creating any new steps – it is making clear that the University must follow the law and how it would comply with those laws.
ITS-19 4.2.2 states that in response to legal requests such as warrants or open records requests, University users must produce records, data, or "the devices upon which they are stored" upon request of the University. When is this standard applicable?
This is only applicable if users are using personal devices to conduct University business rather than using University-provided devices. It will come into play if University data is being stored locally on those devices for any amount of time. The University is required to comply with state and local laws and it could be the case that a personal device must be searched in compliance with those laws. Only responsive records would be retained or produced after those searches. This policy does not change or broaden the University’s requirements under law, it clarifies those laws and obligations to University employees.