Department of Education
Systems and Data Security and Use Agreement
References
This document references the following documents. You are hereby advised to familiarize yourself with these documents as well as this document.
California Penal Code, Section 502
State of California Information Practices Act of 1977 (IPA)
University of California Electronic Mail Policy
UC Business and Finance Bulletins
  G-29, Procedures for Investigating Misuse of University Resources
  IS-3, Electronic Information Security
  RMP-2, Records Disposition Program and Procedures
  RMP-4, Vital Records Protection Policy
  RMP-7, Privacy of and Access to Information Responsibilities
  RMP-8, Legal Requirements of Privacy of and Access to Information
  RMP-9, Guidelines for Access to University Personnel Records by Government Agencies
UCI Administrative Policies & Procedures
  Section 700-06, Policy on Reporting Improper Activities
  Section 714-15, Policy on Accessing University Administrative Information Systems
  Section 714-16, Procedures for Accessing University Administrative Information Systems
  Section 714-17, Using University Administrative Information Systems
  Section 720-10, Information from Public Records (California Public Records Act) – Guidelines
  Section 720-11, Privacy of and Access to Information (Excluding Student Records) – Guidelines
  Section 800-15, Implementation Guidelines for the UC Electronic Mail Policy
Definitions
The following terms may be used in this document. If so, they are in accordance with their definitions in BFB IS-3, Appendix A.
Authorized User
Business Continuity Plan
Computer Virus
Disaster
Disaster Recovery Plan (DRP)
Electronic Information Resource (EIR)
Electronic Information Resource Custodian (EIRC)
Electronic Information Resource Proprietor (EIRP)
Electronic Information Security Coordinator (EISC)
Intrusive Computer Software (ICS)
Security
Server
User
Furthermore, the following terms may also be used in this document and are defined here:
Departmental Security Administrator (DSA): a departmental security administrator has the rights necessary to grant access to a predefined set of users at various levels to specified functions/applications of a university electronic information resource.
DoE: Department of Education,
LoginID: A unique identifier assigned to a user which, in conjunction with a valid password, provides access to specific functions/applications on a university EIR.
Sensitive Information: Sensitive information includes, but is not limited to, a person's name together with social security number, bank account number, and/or California Driver's License number, as defined by SB1396.
UCInetID: A three to eight letter code, based on an individual’s name, that uniquely identifies the individual at UCI. UCInetIDs are used to authenticate individuals as UCI affiliates for access to UCI electronic services. UCInetIDs are also the basis of an individual’s information in the UCI online directory database, PH/QI, which defines who has access to UCI network resources and provides an e-mail address for everyone at UCI.
University Records: University records include, but are not limited to, private, confidential or sensitive information.
Systems and Data Security and Use Agreement
You must read and sign this document before any access will be given to any DoE or other university systems or information.
I, the undersigned employee, as an Authorized User of university EIRs and data, acknowledge that I have read, understand and agree to adhere to the following statements:
All LoginIDs in conjunction with valid passwords are considered equivalent to a signature. The Authorized User of a university LoginID is responsible for all entries made under their LoginID. Similarly, all email using a university LoginID constitutes a legal communication as if it were a hand-written letter signed by the individual who sent it.
The Authorized User will maintain proper security by never providing anyone with access to or use of any university EIRs for any reason. If anyone without access needs access, they are to contact DoE IT support or the DoE DSA for access. This includes never revealing or sharing any LoginID (login or password) with anyone.
The Authorized User of the LoginID will use university EIRs only for legitimate and necessary business reasons for which they have been explicitly authorized. It is never permissible to casually view or browse any university records. Authorized users may access university EIRs and records only on a “need to know” basis. Users are not allowed to view or use university EIRs or records for any personal interest or advantage.
The Authorized User will maintain the privacy and confidentiality of all accessible data, personal, confidential, sensitive or otherwise, and understands that unauthorized disclosure of personal, confidential or sensitive information may constitute invasion of privacy and may result in disciplinary, civil and/or criminal actions.
The Authorized User will not store any Sensitive Information in any computer, unless the law requires it and such storage is approved by the DoE DSA. If Sensitive Information is stored, the Authorized User must secure and protect it according to current and applicable University policies, procedures and standards, including but not limited to encrypting the information.
Proper physical security of data must be maintained. All media must be locked away securely in desk drawers or file cabinets which lock. Users should log off all EIRs when not present with the EIR or at a minimum lock the EIR while away. In general, EIRs should be powered down when the user leaves unless specifically instructed or given permission to do otherwise.
Data will be cleaned from all storage media before any part or whole of any storage media machine is disposed of or salvaged. Re-formatting media to delete information is mandatory but considered insufficient. The media must be physically destroyed prior to disposal.
The Authorized User is expected to report any suspected violations of systems or data security or use to their supervisor or the department DSA. If illegal activity has been determined, all information and equipment will be turned over to campus police and/or legal authorities for prosecution to the full extent of the law.
The Authorized User is informed that, under existing California state law, any person who maliciously accesses, alters, deletes, damages or destroys any EIR, network, computer program or data shall be guilty of a felony.
The Authorized User is informed that references to personal, confidential or sensitive information in the UC Irvine Campus Policies and Procedures and in this document are for informational purposes and may not specify all the computer use standards, University policies and procedures, or state and federal laws by which the Authorized User is governed.
The Authorized User is informed that failure to comply with these policies, rules and regulations may result in disciplinary action, up to and including dismissal, as well as referral to law enforcement authorities.
Any violation of local, state or federal laws may carry the additional consequence of prosecution under the law, where judicial action may result in specific fines, imprisonment, costs of litigation, reimbursement for damages or both, or all the above.
The University will take the strongest actions possible in the case of any breach of these agreements.
As an Authorized User of university EIRs and data, I understand that all EIRs and data I use to perform my job duties are the property of the
By signing this agreement, you are acknowledging that you have read this Systems and Data Security and Use Agreement in its entirety and agree to abide by it.
Signed:__________________________________ Date:__________________________
Print:____________________________________
rjh/ske: 2006/09/21