E-4. Policies
Responsibilities as a Computer User at IU
By receiving and using an Indiana University Network ID, users accept certain responsibilities and standards for computer use, which apply to all IU computing resources. To review the IU Acceptable Use Agreements for students and employees, visit the Acceptable Use Agreement webpage.
Peer-to-peer (P2P) File Sharing and Copyright Safety
Peer-to-peer (P2P) file-sharing allows users to share files online through an informal network of computers running the same software. File-sharing can give users access to a wealth of information, but it also has a number of risks which can lead to serious network security issues. In addition, unauthorized distribution of copyrighted material using IU’s IT resources can result in costly legal penalties. Learn more by reading the Peer-to-peer File Sharing & Copyright Safety webpage.
University-Wide and Campus IT Policies
University-wide IT policies apply to all users of Indiana University information technology resources regardless of affiliation, and irrespective of whether those resources are accessed from on- or off-campus locations. IU Southeast-specific policies also exist. Visit the Tech Services IT policies webpage to learn more.
Policies IT-12 and IT-12.1 for Employees
IT-12 and IT-12.1 policies are regarding data security and procuring technology devices using IU funds, including desktops, laptops, iPads, tablets, etc.
Procedure for procuring technology devices using University funds:
All IT-related orders must route through UITS using the guidelines below. If an IT-related order is placed by the department, instead of routing through UITS, the requisition will be disapproved.
The following items must be requested through the IT Service Request Form:
- Computing devices: Desktops, laptops, and tablets/mobile devices
- Storage devices: Thumb Drives, external hard drives, SD Cards etc.
- Presentation displays: Projectors and televisions
- Network equipment: Routers, switches, wireless, and virtual servers
To request software purchases for the Southeast campus, departments should submit an SSSP Form: Software & Services Selection Process Form. Please contact IT prior to completing the SSSP Form for assistance. Requestors will be notified via email when the form has been received, and a UITS representative from our campus will be copied on the email. Once the request receives approval from Purchasing, the department will be notified via email and may enter the requisition in BUY.IU. The order should be flagged as software in the “Compliance” section of the requisition document.
Requests that do not require the completion of the SSSP form:
- Renewal of existing IT software and services contracts that do not have a use case change from the prior contract term. Use case is defined as how the software or services are presently being used. In these cases, the department should include the previously submitted SSSP form on the requisition for Purchasing review.
- Software and/or services indicated on the SSSP Conditional Allow list
IT-12/IT-12.1 policy requirements for data security on desktop computers, laptops, tablets, and cell phones:
-
-
- IT-12 requires that machines run software that is up-to-date, and that patches and updates be installed to address security risks.
- Anti-virus must be installed on all machines.
- Sensitive data must be encrypted while in transit.
- Limit access to resources to only those eligible and required. All users must be identified and authenticated before access is allowed.
- Day-to-day work should be performed by users with a standard account. Secondary accounts are required for any work that would require administrative privileges on a machine.
- For SE-UITS systems to apply software updates to machines, machines should be left on during nights and weekends (signed out but not powered off). This allows software updates and anti-virus scans to take place at a time that will not interfere with most user activity.
- IT-12.1 applies to all mobile devices, including personally owned devices.
- When dealing with critical information from a mobile device, written approval from the senior executive of the unit is required.
- When dealing with critical information the information must be encrypted on the device and in transit.
- More information about handling critical data can be found here: https://datamanagement.iu.edu/docs/critical-data-guide.pdf
- Users should scan for critical data on their workstations/laptops every 30 days using a tool such as Identity Finder.
-
Table for mobile device compliance:
| Mobile Device | Passcode/Passphrase | Intrusion Prevention | Encryption | Remote Wiping |
|---|---|---|---|---|
| Handheld mobile device (i.e., Smart Phone, Tablet, etc.) | Required – minimum 4-character passcode using at least 2 unique characters, and auto lock after a maximum of 15 minutes of inactivity. | Required - Lockout or wipe after 10 incorrect attempts, OR Increasing delay after incorrect attempts. | Recommended in all cases if supported by the device. Required for all intended use involving critical information. [2] |
UIPO Incident Response or the Support Center will assist with remote wiping based on the circumstances of reported loss or theft. |
| Laptop/Notebook Computer | Required – Passphrase meeting IU requirements [3] must be used when device boots, and auto lock after a maximum of 15 minutes of unattended inactivity. | Required – lockout after 25 incorrect attempts within 2 hrs. | Required - full disk. | Not applicable |
Read the full policies:
IT-12: https://policies.iu.edu/policies/it-12-security-it-resources/current.html
IT-12.1: https://informationsecurity.iu.edu/policies/standards/it121.html
If you have any questions or concerns, please contact the UITS Support Center at (812) 941-2447 or helpdesk@ius.edu.