F. Operation and Maintenance of Property
1. University System Authority
1.1 Board of Trustees policy (BOT VI.F.2) delegates to the Chancellor the authority to establish University System policy on the operations and maintenance of property and delegate, in turn, to the component institutions the authority to establish correspondent institutional policies.
2. Delegation of Authority
2.1 The Chancellor delegates to the chief executive officers of each component institution the responsibility and authority to establish and administer an operations and maintenance program for all property owned, occupied, or managed by their respective institutions.
2.2 The component institutions' operations and maintenance programs shall include procedures establishing prudent property management practices and ensuring compliance with applicable Board of Trustees and University System policies and state and federal laws. Those programs shall designate specific institutional officials to be responsible for ensuring institutional compliance with program requirements.
3. Policy on Environmental Health and Safety
3.1.1 It is the policy of the University System of New Hampshire (USNH) to maintain a reasonably safe environment for its students, faculty and other academic appointees, staff, and visitors.
3.1.2 Operations at each component institution shall be conducted in compliance with applicable regulations, and when appropriate, with accepted health and safety standards.
3.1.3 A Council on Environmental Health and Safety is responsible for overall coordination and assessment of System-wide environmental health and safety efforts. The Council is chaired by the UNH Director of Environmental Health and Safety and includes representation from each component institution to be designated by the institution's chief executive officer. The Council shall meet quarterly to share current information, and shall provide to the Presidents and then to the Chancellor an annual report describing the state of the University System's environmental health and safety.
3.2.1 Presidents are responsible for the implementation of the Environmental Health and Safety policy at their respective component institutions.
3.2.2 Vice Presidents, Deans, Directors, Department Chairs, principal investigators, supervisors, and all other employees are responsible for compliance with this policy as it relates to operations under their control.
3.3 Campus Program Elements and Objectives
3.3.1 Presidents and Vice Presidents shall enact programs for environmental health and safety and such programs will be in compliance with applicable health and safety standards promulgated by federal, state and local agencies. In the absence of appropriate statutes and governmental regulations, the published standards of nationally recognized professional health and safety organizations would serve as guides. Appropriate working relationships with official regulatory agencies pertinent to environmental health and safety are recommended and encouraged.
3.3.2 Each component institution shall establish a written mission statement to outline operating policies, procedures and guidelines, as well as training for compliance with applicable environmental health and safety objectives listed below.
3.3.3 The written statement and programs for health and safety and environmental compliance shall include, but not be limited to the following program elements and objectives.
3.3.3.1 Injury and Illness Prevention
3.3.3.1.1 Objectives: The objectives are (1) to provide the means by which workplace hazards are identified, and, as dictated, corrected in a timely manner; employees are to be informed of the specific hazards associated with their jobs and are to be trained in the appropriate safe work practices; employees can communicate, without fear of reprisal, their concerns about work area safety, and (2) to integrate existing and future compliance programs and environmental health and safety technical disciplines in a manner to ensure statutory and regulatory compliance in an efficient and logical approach. These programs and disciplines are discussed below.
3.3.3.1.2 Compliance Programs/Technical Disciplines
3.3.3.1.2.1 Industrial Hygiene: The practice of recognition, evaluation and control of potentially harmful substances and physical agents in the work area. The scope of this program shall include, but not be limited to, toxic materials, air quality in controlled environments, elements of physical exposure such as lighting, noise and temperature, and asbestos abatement.
3.3.3.1.2.2 General Safety: Identification and correction of factors which contribute to the incidence of accidental injury shall be maintained. The scope of these efforts shall include environmental conditions, engineering and design, maintenance of facilities and equipment, and the human factor.
3.3.3.1.2.3 Radiation Safety: Applicable regulations and appropriate standards shall be observed in the use of radioactive materials and radiation-producing machines. Appropriate guidelines shall be followed relating to the proper use, storage, and disposal of radioactive materials.
3.3.3.1.2.4 Fire Protection: Program activities shall be sustained which serve to protect life and property from fire. Facilities shall be maintained and operated in compliance with applicable regulations and accepted standards of fire safety and protection.
3.3.3.1.2.5 Occupational Health and Medicine: Appropriate resources and technology shall be applied to the recognition and response to occupational diseases and injury. Preventive health measures and surveillance techniques shall be utilized in a manner consistent with regulatory guidelines, accepted industry standards, and campus policy. The purpose of this program is the maintenance of reasonable standards for the health and safety of campus personnel and students.
3.3.3.1.2.6 Disaster Preparedness: Preparedness programs shall facilitate appropriate technical response to disasters and plan for the coordination of diverse response organizations and activities. Appropriate emergency response plans shall be maintained for each campus and steps taken to ensure adequate familiarity with the plan on the part of campus personnel.
3.3.3.1.2.7 Biological Safety: Applicable regulations and accepted standards governing the use, storage, and disposal of hazardous biological substances shall be observed. Conscientious surveillance shall be maintained and resources and technology applied to the handling of bio-hazardous substances consistent with regulatory controls and/or recognized health and safety standards.
3.3.3.1.2.8 Diving Safety: Diving operations under the auspices of the University of New Hampshire shall be conducted in compliance with appropriate regulations, safety standards, and campus policy.
3.3.3.2 Hazardous Materials and Environmental Management
3.3.3.2.1 Objectives: The objectives are: (1) to comply with statutory and regulatory requirements for hazardous materials inventory and emissions reporting; and (2) to collect, classify, and pack for shipment all hazardous waste for proper disposition.
3.3.3.2.2 Compliance Programs
3.3.3.2.1 Hazardous Waste Management: Procedures and facilities shall be maintained to allow for the preparation and ultimate disposal of hazardous waste produced by the campus. All applicable laws and regulations shall be used to establish standards for compliance.
3.3.3.2.2 Hazardous Materials Inventory and Reporting: This program develops and maintains campus hazardous materials inventories for the purpose of complying with regulations related to hazardous communication, community right-to-know, air emissions, building/fire codes, and emergency preparedness.
4. Policy on Use of Technological Resources
4.1 Purpose. This policy delegates to the institutions within USNH the authority to adopt policies governing access to and use of institutional technological resources, subject to certain general rules for which System-wide conformity is essential.
4.2 Definitions. For purposes of this policy the following terms shall have the indicated meanings:
4.2.1 "Technological resources" shall include, but not be limited to, telephones, voice mail applications, desktop computers, computer networks and electronic mail applications.
4.2.2 "Institutional technological resources" means those technological resources owned or operated by the University System or one of its component institutions.
4.2.3 "Non-institutional technological resources" means those technological resources that are neither owned nor operated by the University System or one of its component institutions.
4.3 Scope. This policy applies to access and use of technological resources by faculty, staff, administrators, students, and any other person whether inside or outside the academic community. This policy also applies to the access and use of non-institutional technological resources used in the performance of official duties by faculty, staff, or administrators, but only to the extent of such use.
4.4 Delegation of Authority. The institutions within the University System shall adopt policies governing access to and use of institutional technological resources. Institutional policies shall be consistent with applicable BOT and USY policies, and shall:
4.4.1 Establish standards of conduct which users are expected to meet, including the extent to which technological resources may be used for non-institutional purposes;
4.4.2 Notify users of privacy and security issues related to their use of the institution's technological resources;
4.4.3 Provide (an) effective mechanism(s) to inform users of the relevant institutional policies and train them in the proper use of technological resources;
4.4.4 Establish a policy on the retention, archiving, and deletion of information resident on technological resources owned or operated by the institution;
4.4.5 Establish a process whereby appropriate institutional officials may access, copy, and/or delete information resident in any technological resource owned or operated by the institution, such process to permit said actions only when justified by legitimate institutional interests;
4.4.6 Establish appropriate security mechanisms to protect the information resident in any technological resource against unauthorized access;
4.4.7 Establish a mechanism for receiving reports of violations of the institutional policies on the access to and use of technological resources and for appropriately responding to such reports.
4.5 General rules. The following general rules apply to the use of and access to technological resources anywhere within the University System and its component institutions:
4.5.1 The University System and its component institutions shall retain ownership over the records resident on the technological resources covered by this policy. In the case of faculty, staff, or administrators using non-institutional technological resources for institutional purposes, this policy applies only to records created for those institutional purposes. The institution's ownership of the record shall have no effect on the ownership of the copyright or other intellectual property rights related to information contained in the record, which rights may or may not reside with the institution.
4.5.2 The University System and its component institutions shall retain the right to access, copy, and delete, in accordance with policies established under subsection 4.4.5, above, information resident in technological resources covered by this policy. In the case of faculty, staff, or administrators using non-institutional technological resources for institutional purposes, this policy applies only to records created for those institutional purposes.
5. Information Technology Security Policy
5.1 The institutions and individuals of the University System of New Hampshire (USNH), including ITPAC and ITCC, shall provide appropriate security to protect the privacy of information, safeguard electronic and derivative information against unauthorized use and modification, protect systems against unauthorized access, protect systems and related operations against disruptions, and prevent the loss of or damage to IT resources.
5.2 Information Technology Security Organization
USNH will establish and maintain an organizational structure with clearly assigned responsibilities for oversight and enforcement of USNH IT resources security, and a process for maintaining accountability for activities and system configurations that are inconsistent with the policy.
5.3 Physical and Environmental Security
USNH and each USNH institution, manager, provider and user of USNH IT resources is responsible for protecting, to the best of its ability, USNH IT resources. USNH and all USNH institutions, providers and users of USNH IT resources will institute and follow procedures, within their level of responsibility and authority, to protect those IT resources from loss, damage, compromise and unauthorized access, by creating a safe environment for the housing and use of those assets.
5.4 Computer, Network and Telecommunications Management
5.4.1 Network Management. USNH and providers and managers of USNH IT resources must manage the secure operation of the network environment and must do so in a manner that is consistent with a commitment to privacy and applicable USNH privacy policies.
5.4.2 Successful Operation of USNH Network Resources. USNH institutions will create appropriate policies and procedures to ensure and safeguard its IT resources from interference, threats, or other undesirable effects. In addition to IT resources, these policies and procedures shall include consideration for non-IT resources as well as consideration for devices not owned by the USNH either attached or unattached to the network.
5.4.3 Prevention of Loss, Modification or Misuse of Information Exchanged Between Organizations. All USNH institutions, providers and users of USNH IT resources will institute measures to safeguard the flow of data and information into and out of the networks.
5.4.4 Protection of Wireless Air Space. USNH institutions will manage the wireless spectrum to minimize interference between wireless networks and other devices using radio frequencies.
5.5 System Development & Maintenance
5.5.1 Security in Operational Systems and Prevention of Loss, Modification or Misuse of User Data in Application Systems
The appropriate level of protection must be incorporated into operational systems throughout the development process, especially in cases where the data is sensitive or requires protection because of the risk and magnitude of loss or harm that could result from improper operation, manipulation or disclosure.
5.5.2 Protection of Confidentiality, Authenticity and Integrity of Information
USNH will protect the confidentiality, authenticity and integrity of information.
5.5.3 Conducting IT Projects and Support Activities in a Secure Manner
Changes and updates to systems and data must be traceable to accountable individuals and source documents under a defined management process.
5.5.4 Maintaining Security of Application System Software and Data
All USNH institutions and providers of USNH IT resources will provide and implement reasonable and adequate security measures to protect the information stored in IT resources.
5.6 Disaster Recovery and Business Continuity Management Planning
5.6.1 Disaster Recovery and Response Management Plan. USNH and each USNH institution will develop, keep current, and publish adequate disaster recovery plans to minimize the effects of a disaster and support restoration of USNH critical operations following a disastrous event.
5.6.2 Business Continuity Plan. A "Business Continuity Plan" shall be developed and implemented at all USNH institutions to facilitate the re-establishment and continuance of critical business functions after a disaster occurs.
5.7 System Access Control
5.7.1 Control Access to Information. Computer systems and resources used for the transaction of USNH business shall be protected from theft, malicious destruction, unauthorized alteration or exposure, or other potential compromise resulting from inappropriate or negligent acts or omissions.
5.7.1.1 Computer systems shall require utilization of employee-specific passwords for access. Passwords for access to USNH systems shall comply with industry standards as established by the institutional Chief Information Officers within the technological capabilities of each system.
5.7.1.2 Password change schedules will be established and communicated to password holders at timely intervals.
5.7.1.3 Employee-specific passwords shall be treated as sensitive, confidential information and shall not be shared. Employee-specific passwords also shall not be stored on-line or written down unless adequately secured from unauthorized viewing.
5.7.1.4 Authorized users of computer systems will take reasonable and appropriate measures to prevent access to systems by unauthorized persons.
5.7.1.5 All data on computers or electronic storage devices (including but not limited to desktop, laptop, server, or handheld devices) shall be wiped clean of files and data prior to transfer or surplus.
5.7.1.6 Social Security Number (SSN) is a particularly sensitive data item for all constituents. Whenever the SSN is utilized and/or displayed, the following shall apply to mitigate its exposure to unauthorized access.
5.7.1.6.1 A SSN shall not be sent via e-mail unless encrypted or masked for all but the last four (or fewer) digits of the number.
5.7.1.6.2 Shared electronic and paper reports shall have all but the last four (or fewer) digits of the SSN masked. In the limited cases where SSN is required for regulatory compliance related to employment, payroll processing, provision of benefits, and tax reporting, access to the information shall be limited to those with need to know.
5.7.1.6.3 Paper and electronic documents containing a SSN shall be disposed of in a secure fashion.
5.7.1.6.4 Personal information which links a SSN with a person shall not be publicly displayed.
5.7.1.7 Access to systems and sensitive data from outside the USNH managed environment (for example, from employee homes or during travel) will meet the same level of secure access as is provided in the USNH-managed environment.
5.7.1.8 The Chief Information Officer at each USNH institution will establish standards and interpret this policy to assure that it is implemented in a manner consistent with the technologies at each institution.
5.7.2 Control Access to Systems. Access to systems will be limited to staff who have a need to access them as determined by job responsibilities.
5.8 User Awareness & Training
5.8.1 Reducing Risks of User Error, Theft, Fraud or Misuse of Facilities. USNH institutions and providers of USNH IT resources will institute measures to reduce risks of user error, theft, fraud or misuse of IT resources, by providing appropriate user information and training.
5.8.2 Educating Users about Information Technology Security Threats and Concerns. USNH and its member institutions will communicate to all constituents their responsibility for protecting the technology environment, and provide the information necessary to help them protect IT resources against threats.
5.9.1 Compliance with federal, state and local laws, USNH and institutional policies, and contractual obligations. The use and operation of USNH IT resources will comply with federal, state and local laws, USNH and institutional policies, and contractual obligations.
5.9.2 Providing information concerning laws, policies and contractual obligations. All USNH institutions, providers and managers of USNH IT resources will institute procedures to inform users and administrators of IT resources about applicable laws, policies and contractual obligations.
5.9.3 Procedures for adjudicating security violations. Violations of this security policy constitute unacceptable use of IT resources and may violate other USNH policies and/or state and federal law. Suspected or known violations should be reported to the IT Security Officer at USNH or member institutions.
5.9.4 Performing a Security Audit Process. All USNH institutions, providers and managers of USNH IT resources will periodically conduct an audit of security of IT resources.
5.10 Asset Classification & Control
5.10.1 Maintaining Appropriate Information Technology Inventory Controls. All USNH institutions, providers, managers and users of USNH IT resources will develop and maintain a comprehensive inventory of critical information assets.
5.10.2 Inventories of assets help ensure that effective asset protection takes place, and may also be required for other business purposes, such as health and safety, insurance, or financial (asset management) reasons. The process of compiling an inventory of assets is an important aspect of risk management. An organization needs to be able to identify its assets and the relative value and importance of these assets. Based on the information an organization can then provide levels of protection commensurate with the value and importance of the assets. An inventory should be drawn up and maintained of the important assets associated with each information system. Each asset should be clearly identified and its ownership and security classification agreed [upon] and documented together with its current location.
5.10.3 Safeguarding Information Sensitivity. All USNH institutions, providers, managers and users of USNH IT resources will establish methods to identify, classify, and where necessary, restrict access to institutional data so as to recognize sensitivity, protect confidentiality or safeguard privacy as required by law, institutional policy or ethical considerations.
6. USNH Data Classification Policy
6.1 Purpose. To have appropriate protection for information, it is important to first understand what it is that needs to be protected. The purpose of the Data Classification Model is to define data categories, provide examples of each category, and provide a model that can be used by USNH institutions for classifying and protecting information. As such, this model is a foundation for policies pertaining to the protection of information.
6.2 Scope. This model applies to every student, faculty, and staff member at USNH, as well as any members of the general community working with or for USNH.
6.3 Delegation of Authority. The institutions within the University System shall use this policy as a model when adopting policies regarding the minimum level of protection required for each category of data. USNH Institutions may combine one or more of the USNH data categories to meet their local needs. Institutional policies shall be consistent with applicable BOT and USY policies.
6.4 Restricted Data.
6.4.1 Definition: Data is Restricted if protection is legally defined and/or it is required by federal and/or state law.
6.4.1.1 SSNs and other personally identifiable information as defined by state of NH reporting requirements
6.4.1.2 Information protected by FERPA, HIPAA, FMLA and GLB
6.4.1.3 Research information that requires protection by law
6.4.1.4 Information protected through "Affirmative Action" and/or "disability regulation"
6.5 Sensitive Data.
6.5.1 Definition: Data is Sensitive if controlled access is required by institutional policy, by the data proprietor/steward, by contract, for ethical reasons, and/or if it is at high risk of damage or inappropriate access. It includes data which if compromised, would result in high institutional cost, harm to clients, harm to institutional reputation or unacceptable disruption of the institution to be able to meet its mission. It includes other data explicitly identified as requiring controlled access, but it does not include restricted data as defined above.
6.6 Public Data.
6.6.1 Definition: Data is Public if it is not restricted or sensitive and it is explicitly identified as public. It includes data that may be provided to anyone without any further oversight.