Responsible Computing for Contractors

University Information and Policy

The information of any organization is one of its most valuable assets. As a contractor to the University of Delaware (UD), you are obligated to secure these University assets.

While working at UD, you are subject to the same information technology policies as employees. Information Security Policy (No. 1-15) establishes responsibility for protecting University information from unauthorized access, modification, destruction or disclosure. The Policy for Responsible Computing (No. 1-14) requires you to make responsible use of computing and information resources and to guard against abuse. Together these policies form the cornerstone of responsible computing at the UD. This document and the UD information policies mentioned in this document and its appendix provide implementation guidelines for complying with these requirements. You need to become familiar with these policies because they apply both to UD employees and contractors.

Read and understand these policies and take time to see how they apply to your work responsibilities. Ask your UD project manager if you are unsure of what is expected of you.

Protect Personal Information

Disclosing personally identifiable, non-public academic, financial or health information without permission is prohibited by the University's Information Security Policy (No. 1-15), Personal Non-Public Information Policy (No.1-22), and Federal laws including the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Safeguarding personal non-public information, especially Social Security numbers (SSNs), is also critically important because improperly disclosed SSNs, when linked to a name, could create a high risk of identity theft or financial loss.

As a contractor, you may have access to personal, non-public information. The Personal Non-Public Information (PNPI) Policy provides definitions of PNPI and requirements on how to protect such sensitive information. PNPI should be maintained on a central server. If PNPI must be stored locally, it must be encrypted. The systems management section below outlines methods for safeguarding data. You must treat all PNPI equally, regardless of its use on production, development, test, or disaster recovery systems.

Unless required in order to perform your contractual services to UD, SSNs or other high risk personal non-public information must not be collected or stored. All University information must be stored only on University-owned computers. Do not use a company issued or personally-owned computer for storing UD data. Whenever possible, centrally administered systems must be used to retrieve, process or store PNPI. Contractors may not use any removable media such as CDs, DVDs, Flash Drives, or external hard drives without prior written consent from the appropriate UD project manager. In those cases, the PNPI must be encrypted.

You are required to notify your UD project manager immediately if you discover that a computer on which unencrypted PNPI is stored has been compromised. The University may be required to notify all persons whose information may be disclosed. Be wary of, and verify all requests for PNPI from unfamiliar persons. Do not provide access to PNPI to your work associates without prior written consent from your UD project manager. Never send or confirm personal non-public information over the phone or by email, even if the requesting party provides it.

Managing Systems in Your Care

Unless the department for whom you are contracting has designated someone else to manage your University-owned personal computer/workstation, you are considered its system administrator. As a system administrator, you are responsible for safeguarding your computer’s stored information and for keeping it safe from unauthorized users and processes (worms, bots, viruses, etc.). You may also be responsible for a departmental server, computing site or subnet. System administrator responsibilities can range from a single laptop or office PC to a multi-processor server.

Security Management Basics

  • Properly secure your system and its stored data (permanently attached and removable media) from unauthorized modification, destruction or disclosure. An insecure system is vulnerable to being compromised and then used for remote attacks on other machines. By keeping your system free from malware, you also prevent possible accusations against yourself, your employer, and the University.

  • Keep your computer’s operating system up to date by configuring the computer you are using to automatically download and install patches. If, as part of your contracted duties, you are administering a server, you must keep its operating system patched and updated as well. Software vendors, including Microsoft, Adobe, Mozilla, Google, and Apple, routinely release security and other critical patches when vulnerabilities are discovered.

  • Use current anti-virus softwareat all times, especially to scan email attachments. Information Technologies requires McAfee anti-virus software for Windows and Mac OS computers. The University has a site license for McAfee anti-virus software that can be downloaded free of charge.

  • Use a firewall to protect your computer from unwanted, malicious probes by other systems. Windows Vista, Windows 7, and Apple Macintosh computers have a built-in firewall that is easily activated.

  • Electronic communications (e.g., POP or IMAP email, Web files, and login sessions) are not routinely encrypted over the University network or when working remotely. If you are using a wireless connection on the UD campus, use the UDel Secure wireless network. The University's recommended mail service is encrypted automatically. Although the probability of an Internet e-communication being intercepted is small, sensitive communications and documents, those containing PNPI like Social Security numbers, credit card numbers, academic records and especially your passwords, must not be sent over the Internet without being encrypted. Recommended encryption protocols are described in more detail on our best practices encryption Web page. Contact your UD project manager for more information about using encrypted protocols to secure electronic communications.

  • Encrypt files containing personal non-public information. If the computer or removable media is compromised or stolen, the encrypted information will be unusable in the perpetrator’s hands. Contact your UD project manager for more information on encryption software.

  • Only install software approved by your UD project manager on your UD provided computer. Peer to peer applications should not be installed on any system without prior approval. (Read more.)
  • Choose passwords hat are not easily guessed for all computer accounts, including the administrator accounts on your computer. Sound passwords are combinations of letters and numbers or special characters, the longer the better. Commit them to memory and never write them down or tell them to anyone.

  • Email messages are often stored as files on centrally-administered storage. The email messages you send become the possession of the receiver and can easily be re-distributed or seen by others. In this sense, they are not private. They are unlike face-to-face or unrecorded telephone conversations in this regard. When the confidentiality of a message is of the utmost importance, only a person-to-person conversation may be sufficiently secure.

  • Log off your computer when you leave your desk, or set up your computer to require a password after a pre-set amount of inactivity using a screen saver or similar utility. Keep confidential information on your screen safe from “wandering eyes,” just as you would keep confidential printed material hidden from “wandering eyes.”

Other Best Practices

  • Notify your UD project manager when your UD provided computer and other media is scheduled to be retired or 2 weeks prior to your last day at UD to review the contents of your system and the locations where PNPI is stored. This will provide sufficient time for your UD project manager to ensure sensitive, confidential or non-public information is destroyed before disposing of the media on which it is stored.

  • Back up your data regularly and know how to restore it. Several generations of backups are recommended. Backups must be available, so store them where others know where they are and can access them. Contact your UD project manager for assistance.

  • Lock copies of your data on removable media or printed reports in your desk or a fire-resistant cabinet. Portable USB flash drives and other compact storage technologies have enough capacity to back up enormous amounts of institutional data. Highly sensitive or confidential institutional data stored on removable media must be encrypted.

  • Your electronic data files are subject to the same records retention requirements as paper records. Consult with your UD project manager to determine there are any retention requirements you need to be aware of.

  • Routinely delete email messages that do not need to be saved.

  • Shared files and systems: Grant access to others on a need-to-know basis, and remove access and user profiles when others’ access is no longer needed.

For additional assistance with managing your system, contact your UD project manager.

Computing Resources Acceptable Use Guidelines

Contractors are expected to be responsible in their use of computing resources in compliance with University of Delaware policies and all applicable laws and regulations. This principle is the basis for the following general acceptable use guidelines:

  • Respect the integrity of the University network. Improperly configured or inappropriate processes running on your system can have a destabilizing effect on the network. The University reserves the right to constrain and remove applications, services or improperly configured systems which may be negatively impacting network performance.

University policies prohibit certain activities:

  • Using University computing resources for non-University activities, fund-raising, partisan political purposes, or on behalf of organizations not affiliated with the University.

  • Using any University computer, facility, equipment, software, network or other resource, including email, without authorization or for any activity other than that for which access or use was assigned or authorized.

  • Sending chain letters, pyramid scheme messages, spam or engaging in any behavior which wastes resources or is disruptive to the network.

  • Sending sexually explicit, offensive, demeaning, insulting or intimidating e-communications, ethnic or racial slurs or anything that harasses or disparages others. Sending such messages is grounds for disciplinary actions, including termination of your contract.

  • Violating copyright, trademark, or other laws or regulations in sending e-communications, publishing Web pages or posting to newsgroups and discussion lists.

  • Using University of Delaware institutional email lists without appropriate authorization.

  • Intentional, unauthorized access to or interception of information or e-communications. The ability to access information or intercept e-communications does not inherently include authorization to do so.

  • Altering, destroying or forging e-communications or intentionally compromising the integrity of the network.

The University's Policy for Employees' Use of Electronic Communications (No.1-19) establishes the applicability of existing University policies and federal, state and local law to electronic communications, including requirements for good electronic citizenship and expectations for privacy. Generally, the University will not make any efforts to monitor e-communications except when required by law or to investigate any policy infraction. If you haven't already, you need to become familiar with these current policies.

Appendix: Additional information about University Policies

The following University policies define your role in, and responsibilities for protecting University information. As a contractor, you are subject to the terms of these policies as if you were a UD employee.

  • The Information Security Policy (No. 1-15) establishes responsibility for protecting University information from unauthorized access, modification, destruction or disclosure. This includes all University information and media types, from printed reports to email saved on your computer to published Web pages.

    The policy states that all employees are responsible for protecting University information and that each department is required to make protection of this information a part of its overall business plan.
  • The Policy for Responsible Computing (No. 1-14) requires University students, employees, and contractors to make responsible use of computing and information resources and to guard against abuse.
  • The Electronic Record Keeping Policy (No. 1-13) makes it the responsibility of each department to establish standards for electronic file organization, measures for protecting sensitive information stored electronically and procedures for file backup.

    This policy extends to electronic records the requirements of the
    University Archives and Records Management Program (No. 1-10), which governs records retention, vital records protection and filing practices and techniques as they pertain to paper files.
  • The Policy for Electronic Mail Management and Retention (No. 1-18) advises University employees, contractors, and departmental managers of their responsibilities regarding the creation of email messages, the routine deletion of email and the retention of email messages that are official University of Delaware records.
  • The Policy for Employees' Use of Electronic Communications (No. 1-19) establishes the applicability of existing University policies and federal, state and local law to electronic communications (e-communications), including expectations for privacy and requirements for good electronic community citizenship.
  • The Personal Non-Public Information Policy (No. 1-22) expands on the Information Security Policy (No. 1-15) by establishing requirements for protecting PNPI and notifying individuals whose personal, non-public information may have been disclosed by computer security breaches.
  • The Credit Card Policy (No. 3-26) defines the minimum technical criteria that must be met for University departments to receive credit card information over the Web.
  • The Family Educational Rights and Privacy Act (No. 4-20), or FERPA, requires the University protect the confidentiality of student educational records. These include academic, financial, disciplinary, medical and counseling office records.

    To be in compliance, the University must obtain the written consent of a student before disclosing information. A student’s right to see his or her records does not extend to parents or guardians.
  • The University may not release directories, rosters, lists or address labels of students to parties not affiliated with the University. University policy prohibits posting grades and test scores publicly using any personally identifiable information, including the last 4 digits of the social security number.
  • The Policy for Copyrightable Material (No. 6-07) defines the general principles and administrative responsibilities and procedures for establishing and safeguarding intellectual property developed by University employees and contractors.