Information Usage, Security, and Privacy Overview

PRIVACY NOTICE
LSU Eunice only collects information from students that is necessary to conduct business.  All access and transactions performed via campus online services are logged for tracking, auditing, and performance evaulation.  Personally identifable information would only be shared in cases required by law.  Access to such information is restricted and governed by university records policies.

ACCESSIBILITY OF COMPUTING AND ONLINE RESOURCES
LSU Eunice Works to make online and campus based resources and facilities accessible according to federal guidelines.  Student requiring additional accommodations may contact the Office of Accommodated Services at 337-550-1206.

SECURITY OF COMPUTING RESOURCES
This statement outlines the role and authority of the Office of Information Technology (OIT) in supporting and upholding the security and integrity of the Louisiana State University Eunice (“LSUE” or the “University”) information technology (IT) environment.
IT has become critical in support of most if not all of LSUE operations, which has resulted in a very complex, distributed, and diverse technology environment. Data is continuously being stored, accessed, and manipulated electronically, which increases the risk of unauthorized access, disclosure, or modification of data.

Institutions of higher education are subject to various regulatory requirements designed to protect the privacy of education records, financial information, medical records, and other personal information maintained by the University relative to its students and employees. Further, the University seeks to maintain as confidential certain research data, intellectual property, and other proprietary information owned, licensed, or otherwise maintained or used by the University.  Systems that are not properly secured are subject to misuse and/or unauthorized access.  Everyone associated with providing and using information technology services should be diligent in their protection of data, use of computing resources, administration and maintenance of systems, response to security threats, and compliance with PS-65 and other policies and directives. Information related to intrusions, attempted intrusions, unauthorized access, misuse, or other abnormal or questionable incidents should be quickly reported to the Office of Information Technology, so the event can be recognized, mitigated, and hopefully avoided elsewhere.

Louisiana State University Eunice functional units operating or utilizing computing resources are responsible for managing and maintaining the security of the data, computing resources and protected information. This requirement is especially important for those computing resources that support or host critical business functions or protected information.

The Director of Information Technology  has the authority: (i) to develop and implement policies necessary to minimize the possibility of unauthorized access to protected information and the University's information technology infrastructure; (ii) to consult and educate user(s) and functional unit(s) relative to their individual and collective responsibilities to protect data and secure computing resources; and (iii) to take reasonable actions to mitigate incidents or concerns relating to security of data or computing resources. This includes establishing guidelines, procedures, standards, and security resources, conducting security audits, and providing consulting services to functional unit(s) for all LSUE computer systems or other computing resources.

User(s) within functional unit(s) are required to report any suspected or known security breaches or flaws relating to the security of University computing resources to the Director of Information Technology. The Director of IT will assess reported breaches and flaws and provide advice as to an appropriate response. A failure to report suspected or known security breaches or flaws is cause for disciplinary action, including termination of employment. Users should immediately discontinue any use of computing resources or practice that could reasonably lead to a security breach.

The Director of IT has the authority to assume control over the response to any suspected or known security breach or flaw involving LSUE’s information technology infrastructure, data, and computing resources regardless of the functional unit involved. Appropriate remedies may be taken to secure the computing resources and mitigate any unauthorized use, disclosure, or access to data, including the removal of devices to more secure facilities and denying access to computing resources and/or data. This authority will be exercised if the Director of IT determines that the functional unit does not have the means and/or ability to access and/or react appropriately in a timely manner to a specific security incident. The IT Security & Policy Officer may draw upon the experience, expertise, and resources of other University functional units when necessary and as appropriate.

Intrusion attempts, security breaches, and other security related incidents or flaws perpetrated against or involving computing resources either attached to an LSUE operated network or in a functional unit shall be reported IMMEDIATELY to the Office of Information Technology. This is CRITICAL for systems supporting vital functions and/or hosting institutional or protected information. User(s) within functional unit(s) must:

     * Report any security breaches in order to obtain advice and assistance,
     * Report any systematic unsuccessful attempts (i.e. log in attempts, probes, or scans), and
     * When feasible, send detailed reports as soon as the situation is detected.

Upon receiving a report, IT staff will respond according to ITS standard operating procedures.
In order to protect University data and systems, as well as to protect threatened systems external to the University, the Director of IT may place limits or restrictions on technology services provided on or from any computing resources.

     * Limitations may be implemented through the use of policies, standards, and/or technical methods, and could include (but may not be limited to) usage eligibility rules, password requirements, or restricting or blocking certain protocols or use of certain applications known to cause security problems.

     * Restrictions may be deployed permanently based on continuing threat or risk after appropriate consultation with affected constituents, or they may be deployed temporarily, without prior coordination, in response to an immediate and serious threat.

Restrictions deployed temporarily will be removed when the risk is mitigated to an acceptable level, or where the affect on University functions caused by the restriction approaches or exceeds risk associated with the threat.  In order to protect University data and systems, as well as to protect threatened systems external to the University, the Director of IT may unilaterally direct that a specific computing resource be isolated from University, campus, or external networks, given:

     * Information reasonably points to the system as having been compromised.

     * There is ongoing activity associated with the system that is causing or will cause damage to other University computing resources or data, or to systems of other internal or external users, or where there is significant risk of such damage occurring.

     * All reasonable attempts have been made to contact the responsible technicians or functional unit management, or contact has been made, but the technician or functional unit managers are unable to or choose not to resolve the problem in a reasonable time.
Isolation is removed when the risk is mitigated to an acceptable level, or where loss of access or function caused by the isolation approaches or exceeds risk associated with the threat, as determined between the responsible functional unit and the Director of IT.
All security breaches, incidents, or concerns should be reported immediately to IT@lsue.edu and to the Office of Information Technology at 337-550-1307.


ACCEPTABLE USE GUIDELINES
The Office of Information Technology provides services as well as user support, training and consulting related to computing, networking, telecommunications, and video conferencing to the LSUE community.  While OIT provides substantial support, maintenance, and consulting in the area traditionally known as “Academic Computing,” the Office of Academic Affairs is responsible for the ultimate allocation, prioritization, and scheduling of instructional technology resources. 

The use of LSUE computing resources is a privilege to which all faculty, staff, and administrators are entitled.  As with other privileges, the use of these services carries a level of responsibility.  The guidelines given below are designed to ensure the security and integrity of the university's computing resources and the associated data as well as to protect the freedom, rights, and privacy of the individual users.

1.     Administrative computing resources are defined as any computing/network services administered, provided, or supported through the Office of Information Technology.   Specific definitions of computing terms as used in this document may be found in Louisiana R.S. 14:73.1. 

2.     Users may use only the computer User Account(s) provided to them and will take the responsibility to protect their account from unauthorized access by other individuals.  This regulation is primarily intended for the protection of  the account and of the associated data.  If a user becomes aware of attempts to violate or bypass these security mechanisms, they are obligated to report such attempts to Information Technology personnel.  (See LA R.S. 14:73.4 and R.S. 14:73.5)

3.     Users will respect the privacy of information stored using LSUE's computing facilities.  Users may not acquire or modify, in any way, information that they are not explicitly authorized to access.  Information which has been acquired or modified remains the possession of the original owner and may not be further distributed or modified without the explicit permission of the original owner.  This is intended to protect confidential records as well as an employee's intellectual property rights.  (See LA R.S. 14:73.2 , R.S. 14:73.5 and the Federal Educational Rights and Privacy Act - FERPA)

4.     Inappropriate use of the Internet and other networks to which LSUE is directly or indirectly connected will be deemed abuse of computer privileges.  Examples of inappropriate use of the networks are participation in network activities that place a strain on limited computer resources, the sending of obscene and/or harassing messages to other individuals on the network, and the unauthorized access or attempted access of another network computer system from LSUE computer resources.  (See LSUE Policy Statement No. 58 for issues relating to "Academic Freedom.")

5.     Users must abide by any patent or copyright restrictions which may relate to the use of computing facilities, products or documentation.  Users may not copy, disclose, modify, or transfer any such materials that they did not create, without the express consent of the original author or copyright holder.  Users may not use LSUE computing facilities or equipment to violate the terms of any software license agreement, or any applicable local, state or federal laws.  (See U.S. Copyright Act as Amended, & sect; 117.  Limitations on exclusive rights:  Computer programs.) 

6.     LSUE's computing equipment or software may not be used for any form of private financial gain. (State of Louisiana's Code of Governmental Ethics,  R.S. 42:1101 through 42:1169)

7.     Access to LSUE's computing facilities by unauthorized persons or for unauthorized purposes is forbidden.

8.     Sensitive data may not be used in a context not explicitly authorized.  (See the Federal Educational Rights and Privacy Act - FERPA.)

9.     Users of administrative computing resources at LSUE must also abide by The LSUE Policy Statement Manual, Louisiana House Bills 1801 and 430, LA R.S. 14:73 Subpart D, Title 18 of U.S. Code 1030, Title 18 of the U.S. Code 2701 as well as other state and federal laws governing the use of computing and networks. Violations of the policies described above for the legal and ethical use of computing resources will be subject to the normal disciplinary procedures of the university and, in addition, the loss of computing privileges may result.  Illegal acts involving LSUE computing resources may also be subject to prosecution by state and federal authorities. 


FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)
The Family Educational Rights and Privacy Act of 1974, also known as the Buckley Amendment, is a federal law that protects the privacy of student “education records.” “Education records” are defined, with a few exceptions, as records containing information directly related to a student that are maintained by a school or its agent (including electronic records). FERPA prohibits schools from disclosing education records, or personally identifiable information in those records, other than certain basic directory information, without the student’s prior written consent, or the parent’s consent if the student is under the age of 18. The student may even request that directory information be withheld. Some exceptions do apply, such as cooperation in criminal investigations.

Disclosure is defined as permitting access to, or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic. Exposing student education records to unauthorized access due to inadequate security measures may arguably constitute a disclosure in violation of FERPA. Other FERPA obligations may be affected by security and system integrity breaches. FERPA provides students the right to access and petition to correct their records, and a security breach might result in the loss or alteration of student records. Similarly, FERPA requires schools to track disclosures of education records to third parties and maintain a database of students who opt-out of directory information disclosures. Security breaches may impair a school’s ability to perform these functions.

Under the terms of FERPA, Louisiana State University Eunice (LSUE) publishes in its catalog each year a description of the items defined as Directory Information that may be released to those requesting it unless the student specifically requests otherwise by submitting written notification in person to the Office of the University Registrar.

All other information may not be released without written consent of the student. Grades, Student ID Numbers, Ethnic Backgrounds and Student Schedules may not be released to anyone without the student’s written consent other than the student and NEVER over the phone. Please note that students may restrict Directory Information at any time. Once flagged, no information may be released on that student without further written permission.