800 - Technology | Troy University
TECHNOLOGY 800-817
801 - The Worldwide Web Policy
Troy University recognizes that the Web is an important electronic publication medium
that facilitates its mission. It is in the interest of the University that all Web
sites are maintained in a consistent manner so that they provide high quality information
about the University's educational offerings, mission, programs and events to the
community, prospective students, and the general public. The Web sites serve as a
gateway to college services, teaching and learning resources.
This policy sets minimal standards that are meant to ensure that information published
electronically is visually appealing, well-written and follows the same high standards
as other forms of published information.
The World Wide Web is one of the primary ways in which TROY presents itself and communicates
to various audiences. Therefore, it is essential that Web sites of the University
present an image that is unified, of a high quality and favorably represents the University.
The TROY Web Guide is intended to serve in this regard as a valuable resource for
those who contribute in any way to the Web presence of Troy University.
Please direct any questions or comments to members of the Web Team whose names are
located on the last page of this Web Guide.
801.1 Review of Policy
TROY recognizes that electronic publication technology is evolving rapidly and this
policy is expected to evolve along with it. The policy will be reviewed as needed
by the Web Team and the Associate Vice Chancellor for Marketing and Communication.
This policy does not address all servers, such as Spectrum or Prism servers, or faculty
Web pages.
801.2 Site Life Cycle
Information on Web pages should be updated as regularly as necessary, whether that
is daily, weekly, monthly, quarterly, etc. The date the page was last updated should
be indicated somewhere on the page. If a page does not need to be updated more than
once a year, the “this page is updated” date should be changed at least every six months
to let visitors know that the information is relatively accurate. Every office is
encouraged to update or refresh the content and design of their pages twice a year,
preferably every fall and spring or more frequently if needed.
As new templates are developed, they will be available on the Troy University Web site.
801.3 Design Quality
Graphic design is the first and last part of the site observed by online visitors.
Effectively designed Web sites grab viewer attention and offer clear, consistent navigation.
The Web team will provide templates to help design sites that are consistent with
the look and feel of the University's homepage and interior pages. Templates may be
viewed on the Troy University Web site.
801.4 Content Quality
For recommended style standards, refer to the TROY Style and Graphic Standards Manual.
For Web-related words, keep in mind the following: homepage is one word, Web is uppercase
when it stands alone; lowercase when combined with another word (e.g. Web site; World
Wide Web; webmaster), download and upload are spelled as one word and online is one
word, no hyphen.
801.5 Use of University Marks and Branding
TROY logos and word marks may be used on official University Web sites such as University
departments, approved student groups and schools, as long as the logos are used correctly.
For correct logo usage, consult the TROY Style and Graphic Standards Manual (Marketing).
801.6
A clear, easy navigation through every page of the TROY Web site is a necessity. A
site and its pages should not be a maze where visitors must guess their next move
or try the “Back” button to get out. Every page should, at a minimum, include (a)
a link to the TROY homepage and (b) the homepage footer menu bar. Pages should also
include a link to the appropriate department/division/school/etc. from where the page
originates. URL links should be tested routinely to ensure that they are still correct.
The TROY templates include navigation to frequently used sites within TROY and quick
links to the University's interior pages.
801.7 Templates
Troy University requires Web pages to look consistent, including certain common design
elements. To simplify this process, University-approved templates are available for
use on the Troy University Web site.
801.8 World Wide Web Guidelines
801.8.1 General
This policy governs documents (Web pages) appearing on the World Wide Web from Troy
University servers. Both official and unofficial University Web sites, as defined
below, must comply with all copyright laws of the United States, all other applicable
local, state and federal laws and applicable policies, rules and guidelines of Troy
University, including those defined herein. The dominant theme of any Web site, whether
an official or unofficial University Web site, must not appeal to prurient interest
to the average person applying contemporary community standards. This policy will
be periodically revised in response to pertinent legal and/or technological issues
in consultation with the appropriate entities. Any questions, comments or suggestions
concerning this policy should be addressed to the Troy University Web Team.
801.8.2 Official University Web Sites
Official University Web sites are defined as Web sites or Web pages created by Troy
University entities including, but not limited to, its colleges, schools, departments
and administrative offices stating they represent TROY.
All official University Web sites must be approved by the Web coordinator who has
administrative oversight over the area represented by the Web site or by the TROY
Web team. The associate vice chancellor for marketing and communication will be the
final approving authority for all official Web sites.
All official University Web sites must adhere to the minimum standards described below.
These minimum standards are presented in conjunction with associated recommendations
in this Web Guide.
Display clear identification of Troy University on the top-level pages of each Web
site. The preferred means of identification is to display a Troy University word mark.
The official TROY templates are required for University offices.
Display a clearly labeled link on each Web page to the TROY homepage (https://www.troy.edu).
Display clearly labeled ownership information on each Web page in the form of a contact
e-mail address, which may be supplemented by a contact name and/or telephone number.
In unusual cases, a contact name and telephone number may be substituted for a contact
e-mail address.
Display a clearly labeled disclaimer (example: http://www.troy.edu/disclaimer): “Although
the authors of this Web site have made every reasonable effort to be factually accurate,
no responsibility is assumed for editorial or clerical errors or error occasioned
by honest mistake. All information contained on this Web site is subject to change
by the appropriate officials of Troy University without prior notice. Material on
this Web site does not serve as a contract between TROY and any other party.”
The appropriate administrative unit(s) that publishes information on an official University
Web site is fully responsible for factually accurate content and currency of information.
Web sites that contain out-of-date information may be requested by the Web team or
a member of that team to make necessary corrections. Web sites failing to comply following
such requests may be unlinked from the University page until the necessary corrections
have been made.
All official University Web sites must present information using the highest editorial
standards (spelling, punctuation, grammar, style, etc.). Web sites that contain editorial
errors may be requested to make the necessary corrections by any member of the Web
Team. Web sites failing to comply following such requests may be unlinked from the
University page until the necessary corrections have been made.
Any official University Web site desiring to conduct commercial activity, including
receipt of online credit card payments, must take appropriate steps to ensure secured
transactions. These types of transactions must be approved by the Vice Chancellor for
Finance prior to placing this type of information or capability on the University
Web site.
Links to commercial entities must be related to the University's mission and must
not imply endorsement by the University.
All names used to represent the University must be official names recognized by Troy
University, e.g., “Troy University,” “TROY,” “TROY-Dothan campus,” etc. Except when
referring to Troy University athletics, the use of “Trojans” is discouraged.
801.8.3 Unofficial University Web Sites
Unofficial University Web sites are defined as Web sites or Web pages created and
maintained by anyone other than Troy University campuses, Web coordinators or site
masters.
All unofficial University Web sites must carry the following disclaimer: “The views,
opinions and conclusions expressed in this page are those of the author or organization
and not necessarily those of Troy University or its officers and trustees. The content
of this page has not been reviewed or approved by Troy University and the author or
organization is solely responsible for its content.”
Troy University will not undertake to pre-approve or review the content of unofficial
University Web sites. However, any pages discovered in violation of this policy are
subject to immediate removal from Troy University Web servers.
Unofficial University Web sites may not be used for commercial purposes or for personal
financial gain or benefit. Troy University is not responsible for any liability resulting
from any such activities prior to their discovery and appropriate remedy.
801.9 Site Ownership
801.9.1 Web Team
The Web team will be coordinated by the Information Technology (IT) department of
the university. Its responsibilities are assisting with the development of templates,
approving templates and making them available to departments in the realm of the Web.
Members of the Web Team will be responsible for assisting content providers and site
masters and in monitoring the various sites to ensure the accuracy and timeliness
of the published information. In addition, the Web team will seek the advice of document
and design experts when necessary.
801.10 Content Providers
Administrative departments, academic units, individual faculty and staff, and student
and college organizations may contribute content to the various Web sites. Content
providers, in effect, own the content of a given page and are responsible for accuracy.
Content providers should have firsthand knowledge of a particular page's content.
Though they need not have specialized Web publishing knowledge, familiarity with Web-writing
guidelines is very useful because text online is read differently than printed text
and thus needs to be written differently. All pages should include the content provider's
e-mail address on the bottom of the page, along with the date that the page was last
updated so that interested readers can get in touch with the content expert.
Other things content providers should remember in the design of Web sites include
the following:
In the construction of your pages, avoid
sexist and/or racist material
offensive language
defamatory, abusive or harassing material
pornographic material
commercial advertising
Do nothing that might lead users of the TROY Web site into making improper use of
our facilities, for example, providing links to:
archives that may contain pornographic material
sites that distribute illegal software
bulletin boards that contain dubious material
801.11 Site Master
Every site must be owned and maintained by a staff or faculty member—not a student
or external company. Using an external vendor to create, and in some instances to
help maintain a site, is acceptable; however, at least one faculty or staff member
from the responsible office must own and be accountable for the site, including having
a basic knowledge of how to update, remove or change information on the site. Student
interns may help create or update sites; however, a student cannot be the owner of
the site and cannot be the only person in the responsible office who knows how to
update and manipulate the site.
Ownership by staff or faculty is essential in order to maintain continuity of a Web
site. Student workers are a marvelous resource, but when the student leaves, the Web
site still needs to be maintained, updated and even redesigned at some point in time.
Without ownership by staff or faculty, material on the Web can easily become outdated.
Outdated and inaccurate information on a Web site is often worse than no information
at all.
801.12 Registry
The individual Web coordinators for each site will oversee and maintain the registry
of site owners. The information gathered for the registry is used to not only delete
old or non-maintained sites, but also to quickly identify who is responsible for each
existing University site. Each owner of a newly created site must register with the
Web coordinator for his/her particular campus or site. This can be done online on
the Troy University Web site.
801.13 Departmental vs. Central Control
Every office, organization and school is responsible for the look and content presented
on its site, as well as keeping the site updated, fresh and consistent with the overall
look of the Troy University homepage and interior pages. The Web team has overall
oversight not only of the University's homepage and interior pages, but also of all
pages on the TROY Web site.
801.14 Shutting Down a Site
Every office, organization and school is responsible for the look and content of their
site. When there are egregious errors or problems with a site, the Web team will contact
the person responsible for the page and discuss ways to fix the problem. If the problem
persists or if it is an emergency situation that requires immediate attention, the
Web team maintains the right and responsibility to shut down a site either on a temporary
or permanent basis.
801.15 External Vendors
Working with an external Web design vendor is an acceptable solution when developing
a University Web site or page.
Unless there are extenuating circumstances, the following policies should be understood
and shared when working with external vendors.
All code and images belong to Troy University. The created Web site must reside on
an approved Web server.
801.16 Requested Changes in Web Area Structure
Requested changes to the structure of existing Web areas, such as moving existing
areas to new locations, removing existing areas or redirecting areas, will need to
be approved by the Web coordinator at the campus where the changes are requested and
by any other department heads whose departments may be affected by the requested changes.
801.17 Correct HTML
All tags should conform to the guidelines and recommendations given by the World Wide
Web Consortium.
The Consortium also offers a validation service for your pages. So if you wish to
test them, just type your URL into the appropriate box.
801.18 Checking for Errors
Always check your pages carefully, particularly if you have been using a word processor
that translates text into HTML. When the text is translated, these programs often
insert alien characters, such as accents and random letters, or shrink the text to
an unreadable size. Such word processors include Microsoft Excel, SPSS Data Analysis
Software, Microsoft Word and Corel WordPerfect, etc.
802 - Information Technology Usage Policy
Troy University uses information technology to help students, faculty, and staff accomplish
their goals. Information technology also helps Troy University reach its objectives.
This worldwide reliance upon diverse technologies means increased responsibilities
and opportunities for everyone throughout the University. The timely and appropriate
use of these information technologies will help each person succeed.
Troy University's information technology (computing, information technology, radio
and television, telephone, and network resources) is provided to faculty, staff and
students for the purposes of study, research, service, and related academic and administrative
activities. University information technology facilities are valuable resources and
must be used in a responsible manner. These resources are shared among many people.
Each person should use technology resources in a manner that allows others to also
use information technology.
Use of the Troy University information technology is a privilege, not a right. This
includes use of computer labs. All users of Troy University's information technology
resources must agree to use the facilities legally, ethically, and in keeping with
their intended purpose.
802.1 Policy
Troy University IT Resources must be used in accordance with applicable licenses and
contracts, and according to their intended use in support of Troy University's mission.
All users must comply with federal, state, and local laws, as well as Troy University
policies, when using Troy University IT Resources.
The following sections define the acceptable uses of Troy University IT Resources.
Any conflict between these policies and the legitimate business of Troy University
can be resolved through the policy exception request process as defined in the Policy
Exception Policy.
802.2 Acceptable Use
802.2.1 Employees and Student Employees
With the exception of incidental personal use, as defined below, Troy University IT
Resources must be used only to conduct the legitimate business of Troy University
(e.g., scholarly activity, academic instruction, research, learning, business operations).
Personal devices are not allowed on Troy University Administrative networks; personal
devices are allowed on public WiFi networks.
Incidental personal use of Troy University IT Resources by Troy University employees
is permitted if the personal use does not interfere with the execution of job duties,
does not incur cost on behalf of Troy University, and is not unacceptable as defined
in the Unacceptable Use section below.
802.2.2 Students
Troy University students may use the ResNet and Gaming networks for recreational and
personal purposes to the extent that such use is not unacceptable as defined in the
Unacceptable Use section below and does not adversely affect network service performance
for other users engaged in academic, research, or official business activities.
802.3 Unacceptable Use
Troy University employees, including students acting as employees, are prohibited
from the following actions when using Troy University IT Resources:
Unauthorized use of IT Resources for commercial purposes or personal gain
Transmitting commercial or personal advertisements, solicitations, or promotions
All users are prohibited from using Troy University IT resources in a manner which
results in a violation of law or policy or potentially adversely affects network service
performance.
Examples of Unacceptable Use include, but are not limited to, the following:
Activity that violates federal, state, or local law
Activity that violates any Troy University or Board of Trustee policy
Activities that lead to the destruction or damage of equipment, software, or data
belonging to others or Troy University
Circumventing information security controls of Troy University IT Resources
Releasing malware
Intentionally installing malicious software
Impeding or disrupting the legitimate computing activities of others
Unauthorized use of accounts, access codes, passwords, or identification numbers
Unauthorized use of systems and networks
Unauthorized monitoring of communications
This list is not complete or exhaustive. It provides examples of prohibited actions.
Any user in doubt about the acceptable use of Troy University IT Resources should
contact Cyber Security for further clarification and assistance.
802.4 Scope
All Troy University IT resource users are covered by this policy.
802.5 Policy Terms
Troy University IT Resources
Troy University owned computers, networks, devices, storage, applications, or other
IT equipment. “Troy University owned” is defined as equipment purchased with either
Institute funding (including sources such as Foundation funds etc.) or Sponsored Research
funding (unless otherwise specified in the research agreement).
802.6 Enforcement
Violations of this policy may result in loss of Troy University system and network
usage privileges, and/or disciplinary action (up to and including termination or expulsion)
as outlined in applicable Troy University policies.
If a user suspects that they are a victim of a violation of this policy, then the
violation may be reported directly to the Troy University Cyber Security team by sending
an email to security@troy.edu per the Incident Reporting procedures found in the Cyber Security Policy.
803 - System Integrity
It is improper to take actions that will interfere with or alter the integrity of
the University's information technology systems.  Such actions include unauthorized
use of accounts, impersonation of other individuals, unauthorized access to or any
attempt to alter, share or distribute restricted databases, attempts to capture or
crack passwords, attempts to break encryption protocols, compromising privacy, destruction
or alterations of data or programs belonging to other users, experiments to demonstrate
computer facility vulnerabilities, and attempts to steal or destroy software on campus
computing facilities or computer hardware. These types of actions are improper and
can result in a loss of the right to use information technology resources.
Computer accounts and passwords should be protected against unauthorized use. Accounts
and passwords should never be shared with anyone.  Each computer user has the specific
responsibility to protect his/her password. Anyone suspecting his/her password may
be compromised should immediately report this to an administrator of the computer
facility. This helps protect the integrity of Troy's information technology systems.
Changing another person's password without authorization is considered a form of harassment
and is improper behavior.
Users must not browse, access, copy, share, distribute, or change private or administrative
files without authorization. Users must not change public files without authorization.
Users must not attempt to modify the computer systems or software in any unauthorized
manner.
The use of invasive software, such as worms, “crackers,” and viruses is unethical,
improper, and illegal. No computer user should use his/her knowledge of a computer
system to destroy or alter accounts, files, software, or hardware to obtain extra
resources or to deprive others of information technology resources.
Users are responsible for damages caused by infected software they introduce into
the system.
Hardware, software, network equipment, manuals, supplies and other information technology
related equipment, must not be removed from their established site(s) without proper
authorization. Abuse or misuse of any computer hardware, software, or other campus
related technology including networking resources is illegal and/or unethical behavior.
804 - Security Policy
The office of Information Technology is responsible for the coordination and implementation
of all information technology security policies and procedures. Troy University endeavors
to provide first-class electronic resources to its academic and administrative communities.
To maintain stable, reliable electronic infrastructures, Troy University has outlined
the following guidelines concerning the use of all University electronic resources.
Users should not use the University's electronic resources in a manner subject to
criminal or civil liability.
All software must be accompanied by a valid software license.
University electronic resources may not be employed for private gain. Alabama Code
36-25-5 (a) and 36-25-27 (a) specifically prohibit personal gain through the use
of public resources.
All electronic data are considered private and protected. Misuse or manipulation of
electronic data is subject to criminal and civil actions.
Use of electronic resources in a careless, destructive, defamatory or illegal manner
is prohibited.
The University reserves the right to limit or stop any electronic activity not in
accordance with University policy or state and federal statutes.
804.1 Data Classification
804.1.1 Scope
This policy covers all data produced, collected or used by Troy University, its employees,
student workers, consultants or agents during the course of University business.
804.1.2 Purpose
The purpose of this policy is to identify the different types of data, to provide
guidelines and examples for each type of data, and to establish the default classification
for data.
804.1.3 Policy
Data Classification Types
All data covered by the Scope of this policy will be classified as TROY Protected
data, TROY Sensitive data, or TROY Public data.
804.1.3.1 TROY Protected Data
TROY Protected data is any data that contains personally identifiable information
concerning any individual and is regulated by local, state, or Federal privacy regulations,
or by any voluntary industry standards or best practices concerning protection of
personally identifiable information that TROY chooses to follow.
These regulations may include, but are not limited to:
Family Educational Rights and Privacy Act (FERPA)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standards (PCI-DSS)
Examples of some of the types of data that are regulated are listed in the appendix.
804.1.3.2 TROY Sensitive Data
TROY Sensitive data is any data that is not classified as TROY Protected data, but
which is information that TROY would not distribute to the general public. This classification
is made by the department originating the data. Examples of the types of data included
are: budgets, salary and raise information, TROY ID, EMAIL ID and possible properties
for TROY to purchase.
804.1.3.3 TROY Public Data
TROY Public data is any data that TROY is comfortable distributing to the general
public. For department-specific data, this classification comes from the department.
If data is created jointly by more than one department, the involved departments should
jointly classify the data. If they are unable to come to a consensus, then the data
must be classified as TROY Sensitive Data. For University-wide data, this classification
can only come from the Office of the Chancellor, the Office of Registration and Records,
the Division of Academic Affairs, or Institutional Research.  Examples of the types
of data included are: department faculty lists, department addresses, press releases,
and the TROY web sites. Any TROY data that does not contain personally identifiable
information concerning any individual, and that is not TROY Protected data or TROY
Sensitive data, must be classified as TROY Public data.
804.1.3.4 Default Classification of Data
Any data that contains personally identifiable information concerning any individual
or that is covered by local, state, or Federal regulations, or by any voluntary industry
standards concerning protection of personally identifiable information that TROY chooses
to follow, is automatically classified as TROY Protected Data. All other data is classified
as TROY Sensitive Data by default. Online resources will be available to assist individuals
in properly classifying data.
804.1.4 Questions About This Policy
If you have questions about this policy, please contact the Information Security team
at security@troy.edu.
804.1.5 Appendix
TROY Protected Data
Listed below are examples of types of personally identifiable
information that are generally protected by local, state, or Federal privacy regulations.
These examples are not an exhaustive list of all possible types of information that
are protected by local, state, or Federal privacy regulations.
Examples:
Social security numbers
Credit card and debit card numbers
Bank account numbers and routing information
Driver's license numbers and state identification card numbers
Student education records
Business Office: Student account files and Perkins loan information
Departments and Colleges: Academic advising records, admission files, including ACT,
SAT and TOEFL scores, and high school and college transcripts and other scholastic
records
Financial Assistance: Financial assistance application files, student federal work-study
information, scholarships and Stafford loan information
Intercollegiate Athletics: Injury reports, scholarship contacts, performance records,
height and weight information
Registration and Records: Permanent record of academic performance (grades, transcript,
including supporting documents), course schedules
Residence Life: Residential life and housing services files
Student Life: Student activity files, student disciplinary files, multi-cultural programs
and services files, and intramural sports files
Student Services: Career planning files, including placement information and employers'
files, international programs and services files
Undergraduate Admission and other admission offices: Admission files on prospective
students
University Library: Circulation records
Personal health records
Patient information: addresses, dates, telephone/fax numbers, social security numbers,
medical records numbers, patient account numbers, insurance plan numbers, vehicle
information, license numbers, medical equipment numbers, photographs, fingerprints,
e-mail and Internet addresses
Note: Personal health records stored in education records
are subject to FERPA and are excluded from HIPAA.
804.1.6 Additional Information About Referenced Regulations
FERPA
FERPA is a Federal law that protects the privacy of student education records. This
law applies to all schools that receive funds under an applicable program of the U.S.
Department of Education. FERPA provides students with the right to inspect and review
certain education records maintained by the school and to request corrections if the
records are inaccurate or misleading. It requires that schools obtain written permission
before releasing information from a student's education record.  It also allows schools
to publish certain “directory” information about students, unless the student has
requested that the school not do so.
Directory Information upon student request
Student's name and email address
Dates of attendance
Major and minor fields of study, degree desired, classification (freshman, sophomore,
junior, senior) and full-time or part-time status
Participation in officially recognized activities
Degrees and awards received (i.e. Dean's List, Who's Who, etc.)
The penalty for failing to comply with FERPA may result in the loss of all federal
funding, including grants and financial aid.
Additional FERPA information can be found on the U.S. Department of Education page and on the Troy University Web site.
GLBA
GLBA protects consumers' personal financial information held by financial institutions.
It requires that financial institutions provide customers with a privacy notice explaining
what information is collected, how it is used, and how it is protected.
The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution
and of up to $10,000 for the officers and directors of the institution.
Additional GLBA information can be found on the Federal Trade Commission Web site.
HIPAA
HIPAA protects the privacy of Protected Health Information (PHI). It establishes regulations
for the use and disclosure of PHI, including a patient's health status, provision
of health care, medical records or payment history.
Penalties for wrongfully disclosing PHI range from a $50,000 to a $250,000 fine and
a one year to a ten year prison term, depending on the circumstances. These fines
are for the individual, not the institution.
Additional HIPAA information can be found on the HHS.gov Web site.
Payment Card Industry Data Security Standards (PCI-DSS)
PCI DSS is an industry standard which protects credit card customer account data.
It requires specific control objectives be met by any organization that accepts credit
cards for payment.  These control objectives include secure network, server, and desktop
standards, as well as procedures to ensure that credit card data is properly protected
during the transaction.
Failing to comply with PCI DSS can result in significant fines.  Credit card providers
can fine merchants up to $500,000 per compromise when the merchant was not compliant
at the time of the compromise. Merchants may also be banned from accepting certain
types of credit cards. Additional information can be found on the PCI Website.
Additional US State Laws
If you work for TROY inside the United States but outside of Alabama or the United
States, please send an email containing the state in which you work to security@troy.edu.
The Information Security team will respond to you with any data privacy laws that
also apply to you.
804.1.7 History
June 4, 2009: Initial Policy (TROY IT Best practices)
August 2, 2016: Policy Updated for review
September 7, 2016: Policy submitted for adoption
December 12, 2024: Policy Updated for review
804.2
Encryption
804.2.1 Scope
This policy covers all computers, electronic devices, and media capable of storing
electronic data that house TROY Protected data or TROY Sensitive data as defined by
the Data Classification Policy. This policy also covers the circumstances under which
encryption must be used when data is being transferred.
804.2.2 Purpose
The purpose of this policy is to establish the types of devices and media that need
to be encrypted, when encryption must be used, and the minimum standards of the software
used for encryption.
804.2.3 Policy
804.2.3.1 Devices and Media Requiring Encryption
Encryption is required for all laptops, workstations, and portable drives that may
be used to store or access TROY Protected data. Encryption is recommended for all
laptops, workstations, and portable drives that may be used to store or access TROY
Sensitive data. IT will provide, install, configure, and support encryption where
it is needed. Departments who have a laptop, workstation, or portable drive that needs
to be encrypted should contact the IT Information Security team at security@troy.edu.
804.2.3.2 Electronic Data Transfers
Any transfer of unencrypted TROY Protected data or TROY Sensitive data must take place
via an encrypted channel. Encrypted TROY Protected data or TROY Sensitive data may
be transmitted via encrypted or unencrypted channels. All email communications that
involve email addresses outside of TROY use an unencrypted channel, and therefore
require that messages containing Troy Protected data or TROY Sensitive data be encrypted.
Approved methods of encrypting electronic data transfers are listed in the appendix.
If the encryption method includes a password, that password must be transferred through
an alternative method, such as calling the individual and leaving the password on
their voice mail. Email messages containing encrypted data may never include the password
in the same message as the encrypted data. Individuals who are unsure if they are
correctly encrypting electronic data transfers should contact the IT Information Security
team at security@troy.edu.
804.2.3.3 Physical Transfer of Electronic Data
Any time TROY Protected data or TROY Sensitive data is placed on a medium such as
a CD, DVD, or portable drive to facilitate a physical transfer, either entirely within
TROY or between TROY and a 3rd party, that data must be encrypted. Archiving TROY
Protected data or TROY Sensitive data to a physical medium is not recommended, but
is permitted if the data is encrypted. All archiving should be done electronically,
so that it is stored in a controlled data center and backed up by IT.
804.2.3.4 Software
IT will install software that is capable of encrypting the entire hard drive on all
identified TROY computers and electronic devices subject to this Policy. Users who
require encryption software should contact IT to arrange installation of encryption
software.
804.2.4 Questions About This Policy
If you have questions about this policy, please contact the Information Security team
at security@troy.edu.
804.2.5 Policy Adherence
Failure to follow this policy can result in disciplinary action as provided in the
Staff Handbook, Student Handbook, and Faculty Handbook. Disciplinary action for not
following this policy may include termination, as provided in the applicable handbook
or employment guide.
804.2.6 Appendix
Examples of portable drives:
Flash drives
Thumb drives
Memory sticks
USB hard drives
iPods
IT will make the following approved encryption methods available for electronic data
transfers:
Transport Layer Security (TLS 1.1, TLS 1.2)
SSH File Transport Protocol (SFTP)
Connecting via an IT-approved Virtual Private Network (VPN)
Referenced Policies
Examples of Portable Drives and Devices:
With advancements in technology, the following examples of portable drives and devices
should be considered when handling data securely:
USB flash drives
External hard drives (SSD and HDD)
Portable SSDs
Memory cards (e.g., SD cards, microSD cards)
Mobile devices (e.g., smartphones, tablets, and iPods)
Portable multimedia devices with storage capabilities
Network-attached storage (NAS) devices configured for portability
USB-C drives and Thunderbolt-enabled portable storage
Approved Encryption Methods for Electronic Data Transfers:
IT will ensure the availability and enforcement of the following approved encryption
methods for secure electronic data transfers:
Transport Layer Security (TLS 1.2 and above): For securing web-based communications
and data exchanges.
Secure File Transfer Protocol (SFTP): For encrypted file transfers over the network.
Secure Shell Protocol (SSH): For encrypted remote access and file transfers.
Connecting via IT-Approved Virtual Private Network (VPN): To ensure secure and encrypted
communication channels for accessing sensitive data.
Encrypted Email Solutions: IT-approved platforms such as Microsoft 365 with encryption-enabled
communication.
End-to-End Encryption Tools: For messaging and data sharing, as approved by IT.
Secure Cloud File Sharing Platforms: Only IT-authorized cloud services with built-in
encryption (e.g., OneDrive, or similar services).
Referenced Policies:
All data transfers and the use of portable drives/devices must comply with the university's
broader data security, privacy, and acceptable use policies. Staff and faculty are
required to consult IT for guidance when dealing with highly sensitive or regulated
data to ensure compliance with applicable regulations and institutional guidelines.
804.2.7 History:
August 9, 2009: Initial Policy (IT Best practices)
August 2, 2016: Updated
September 7, 2016: Submitted for adoption
December 12, 2024: Updated
March 19, 2026: Policy Reviewed
805 - Copyright Observance
All users of University-owned computers will abide by copyright laws and licensing
agreements. No software should be loaded on any University computer in violation of
licenses or laws. Copyrighted software must be used only in accordance with its license
or purchase agreement. Users do not have the right to reprint, use unauthorized copies
of software, or make or attempt to make unauthorized copies of software.
In addition to federal and state laws prohibiting the theft of software, Troy University
prohibits copyright licensing infractions from or on any component of the University's
information technology systems. Troy University will not be liable for copyright or
licensing infringements by any student, faculty or staff member.
805.1 History:
March 19, 2026: Policy Reviewed
806 - Privacy Rights
Troy University respects every individual's right to privacy in the electronic forum
and prohibits use of University computers, including personally owned computers linked
via University telecommunications equipment to other systems, from violating such
rights. Attempts to read another person's electronic mail, access another's files,
access electronic records containing information concerning another person, or use
of another person's password are examples of violations of privacy rights.
There are important University concerns that place some legitimate restrictions on
the privacy of programs, data files and electronic mail on the University's information
technology systems.  Instructors may monitor class accounts of students in their courses.
Authorized technical personnel may access accounts for the purpose of maintaining
computers or network systems. Authorized technical personnel may also monitor accounts
and network activity to detect violations of this policy.
806.1 History:
March 19, 2026: Policy Reviewed
807 - Courtesy
Computer accounts should be used for their assigned purposes. For example, an account
assigned to a student for a specific course should be used for work related to that
course.
All computer and network users engaged in activities not directly connected to study,
research, or University-related services should willingly yield their computer terminals
to others ready to use University computers and networks for their University-related
work.
Excessive use of paper, making electronic mass mailings, and using University owned
computers and network resources for personal monetary gain are some examples of abuses
of Troy information technology facilities.
Certain types of communications are expressly forbidden on Troy's computer systems
and networks. This includes the random mailing of messages, the sending of obscene,
pornographic, harassing, nuisance, abusive, or threatening material, and the use of
the facilities for commercial or political purposes.
University-owned public access computers will not be used for games unless specifically
authorized by a faculty member for educational purposes.
807.1 History:
March 19, 2026: Policy Reviewed
808 - Sanctions
The University may take disciplinary and/or legal action against any individual who
violates any information technology usage policy. Violations of Troy University's
information technology usage policy are treated like any other violation of the Standards
of Conduct as outlined in the Oracle, Troy's student handbook, and applicable faculty
and staff handbooks. Violators may also be billed for illegal use of the computer
systems. Any changes caused by misuse may lead to the violator being temporarily or
permanently suspended from Troy Technology facilities. Those violating statutory requirements
may be prosecuted.
808.1 History:
March 19, 2026: Policy Reviewed
809 - Liability
Troy University hereby expressly and explicitly disclaims any liability and/or responsibility
for violations of this policy.
809.1 History:
March 19, 2026: Policy Reviewed
810 - Coordination of Technology Implementation
Departments or units wishing to implement a new technology process (including applications
software) or new technology infrastructure (equipment and/or networks) must submit
a proposal to the Chief Technology Officer (CTO) for review and approval. The CTO's
director committee will review the requests. The committee shall be composed of the
Chief Technology Officer and the major unit directors for Information Technology.
This process is designed to ensure continuity and compatibility of technology equipment
and software used by the University. All technology infrastructure and multi-user
software are to be vetted through the Chief Technology Officer (CTO). The Chief Technology
Officer should issue procedures for implementing this policy. Any disputes arising
from decisions issued by the CTO will be mediated by the Senior Vice Chancellor for
Finance and Administration.
810.1 History:
Approved: Cabinet, August 8, 2007
Updated: 13 May 2019
OPR: SVC, Administration
Review: Annually
March 19, 2026: Policy Reviewed
811 - CyberSecurity Policy
811.1
Responsibilities
811.1.1 Chief Information Security Officer
The Chief Information Security Officer is responsible for creating and maintaining
a cyber security program and leading the Troy University Cybersecurity team. The purpose
of the cyber security program is to maintain the confidentiality, integrity, and availability
of Troy University IT Resources and Troy University data. In addition, the Chief Information
Security Officer, or a designee, is responsible for leading the investigation of and
response to cyber security incidents. The response to any incident will be developed
in collaboration with the data steward, Troy University Marketing and Communication,
Legal Affairs, and other campus offices as appropriate.
811.1.2 Users
Troy University IT Resource users (IT Resource users include both students and employees)
are responsible for protecting the security of all data and IT Resources to which
they have access. This includes implementing appropriate security measures on personally
owned devices which access Troy University IT Resources. In addition, users are required
to keep their accounts and passwords secure in compliance with the Troy University
Password Policy.
Troy University employees may grant IT Resource guest access to third parties (e.g.,
visiting scholars), after consultation with Troy University IT. Any Troy University
employee who grants guest access to IT Resources is responsible for the actions of
their guest users.
811.1.3 Research
Troy University recognizes the value of research in the areas of computer and network
security. During the course of their endeavors, researchers may have a need to work
with malicious software and with systems that do not adhere to the security standards
as prescribed by the Chief Information Security Officer. Researchers are responsible
for their actions and must take all necessary precautions to ensure that their research
will not affect other Troy University IT Resources or users. In addition, researchers
are responsible for making all appropriate notifications to those that may be affected
by their research. Troy University IT provides an Academic Computing Network for such
activities; unless otherwise approved, these efforts should take place on the Academic
Computing Network.
811.1.4 Network Management
The Office of Information Technology (OIT) is responsible for planning, implementing,
and managing the Troy University network, including wireless connections.
The following network appliances cannot be implemented at Troy University without
prior written approval by OIT or a Unit's IT lead:
Routers
Switches
Hubs
Wireless access points
Voice over IP (VOIP) infrastructure devices
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
Virtual Private Networking (VPN)
Consumer grade network technologies
Other networking appliances that may not be included in this list
Units or individuals who install any of the technologies listed above are responsible
for capturing network traffic logs and storing them for a minimum of 365 days or an
appropriate amount as negotiated with the OIT network team.
Network traffic logs should include the following information:
Source MAC address
Source and destination IP address
Physical interface (where applicable)
Date and time
User account where available (e.g. VPN logs)
811.1.5 System Administration
Every Troy University owned IT Resource (including virtual resources such as virtual
machines and cloud based services) must have a designated system administrator. The
Troy University expectation is that every Troy University owned IT Resource will be
professionally managed by the unit technical support team unless prevailing regulations
dictate otherwise.
The system administrator is responsible for proper maintenance of the machine, even
if the system administrator is not a member of the unit technical support team. This
responsibility must be acknowledged and documented. In addition, the machine must
be accessible to the unit technical support team for incident management purposes
unless legal restrictions will not allow such access.
Negligent management of a Troy University owned IT Resource resulting in unauthorized
user access or a data breach may result in the loss of system administration privileges.
System administration responsibilities for all Troy University owned IT Resources,
including those that are self-administered, include the following:
Complying with all applicable Troy University IT policies and procedures
Performing an annual cyber security self-assessment for the set of IT Resources administered
Working with the unit technical support team to establish the following:
Installing and running endpoint security/management agents that have been approved by Troy University
Cyber Security (a link to a list of these is provided on the IT website)
Establishing an appropriate backup strategy and performing regular system backups
Regularly updating the operating system and other applications installed on the machine
Using, where possible and practical, central Troy University IT services for system
login and account management (e.g. Active Directory)
811.2
Scope
All Troy University IT resource users and all Troy University IT resources are covered
by this policy.
811.3
Policy Terms
Endpoint
Laptop computers, desktop computers, workstations, group access workstations, mobile
devices, USB drives, personal network attached storage.
Troy University IT Resources
Troy University owned Computers, Networks, Devices, Storage, Applications, or other
IT equipment. “Troy University owned” is defined as equipment purchased with either
Troy University funding (including sources such as Foundation funds etc.) or Sponsored
Research funding (unless otherwise specified in the research agreement).
811.4
Procedures
811.4.1 Incident Reporting
If a Troy University IT Resource user suspects that a security incident has occurred
or will occur, they should report the suspicion immediately to the system administrator
or unit technical lead.  Users may also report the suspected security incident directly
to the Troy University Cybersecurity team by sending an email to security@troy.edu.
System administrators and unit technical leads who have identified any of the following
security events should report the suspected security event to the Troy University
Cybersecurity team:
Any occurrence of a compromised user account
Any breach or exposure of Category 3 sensitive data (see Data Access Policy)
Any occurrence of a server infected with malware
Three or more simultaneous occurrences of endpoints infected with malware
Any other instance of malware or suspected intrusion that seems abnormal
811.5
Enforcement
Violations of this policy may result in loss of Troy University system and network
usage privileges, and/or disciplinary action, up to and including termination or expulsion
as outlined in applicable Troy University policies.
811.6
Related Information
811.7 History:
March 19, 2026: Policy Reviewed
812 - Data Privacy Policy
812.1
Policy Statement
Troy University provides information technology resources to faculty members, staff
and students for the purpose of furthering Troy University's mission and conducting
Troy University business. While personal use of such systems is permitted, as per
the Information Technology Acceptable Usage policy, personal communications and files
transmitted over or stored on Troy University systems are subject to the same regulations
as business communications.
Troy University is committed to respecting the privacy expectations of its employees
and students; however, consistent with this policy, electronic information that is
transmitted over or stored in Troy University systems and networks is subject to being
audited, inspected and disclosed to fulfill administrative or legal obligations which
may include, but are not limited to, the following:
is necessary to comply with legal requirements or process (e.g., Alabama Open Records
Act or subpoena);
may yield information necessary for the investigation of a suspected violation of
law or regulations, or of a suspected infraction of Troy University or Board of Trustee
policy;
is needed to maintain the security of Troy University computing systems and networks;
is needed for system administrators to diagnose and correct problems with system software
or hardware;
may yield information needed to deal with an emergency;
is needed for the ordinary business of Troy University to proceed, (e.g., access to
data associated with an employee who has been terminated/separated or is pending termination/separation,
is deceased, is on extended sick leave, or is otherwise unavailable);
is necessary to comply with a written request from the Senior Vice-Chancellor for
Student Affairs, or designee, on behalf of the parents, guardian, or personal representative
of the estate of a deceased student; or
is for research authorized by Troy University under a data use agreement that precludes
the disclosure of personally identifiable information.
812.2
Scope
This policy governs access to the files and communications transmitted on or stored
in Troy University's IT Resources.
Any individual whose personal files and communications exist on a Troy University
IT Resource by virtue of unauthorized access will have no expectation of privacy.
812.3
Definitions
Information Technology Resources (IT Resources)
Computers, Networks, Devices, Storage, or other IT equipment
812.4
Procedures
812.4.1 Application, System, and Network Login Banner
Where possible, all Troy University applications and systems (excluding endpoints
and mobile devices) must display the following login banner to all users prior to
authentication of user credentials:
812.4.2 Terms of Use
This information technology resource is the property of Troy University and is available
for authorized use only, in accordance with Institute IT policies. Any and all files
on this system are subject to being audited, inspected and disclosed to authorized
system administrators and/or law enforcement personnel to fulfill administrative and/or
legal obligations. By using this system, I acknowledge these terms.
812.4.3 Requests for Access
All requests for access to information that is transmitted over or stored on Troy
University systems and networks should be directed to the CTO or designee. The determination
of whether access to information is necessary to fulfill administrative or legal obligations
is made by the CTO or designee, and may not be made at the departmental or unit level.
Business Continuity
Refer to Security Standards and Procedures for detailed procedures.
Deceased Students
Refer to Security Standards and Procedures for detailed procedures.
Emergency
Refer to Security Standards and Procedures for detailed procedures.
Legal Requirements
Refer to Security Standards and Procedures for detailed procedures.
Research
Refer to Security Standards and Procedures for detailed procedures.
System Integrity
Refer to Security Standards and Procedures for detailed procedures.
Violation of Law or Policy
Refer to Security Standards and Procedures for detailed procedures.
812.5
Enforcement
Violations of the policy may result in loss of system, network, and data access privileges,
administrative sanctions (up to and including termination or expulsion) as outlined
in applicable Troy University disciplinary procedures, as well as personal civil and/or
criminal liability.
812.6 History:
March 19, 2026: Policy Reviewed
813 - GLBA Information Security Program
813.1
Reason For Policy
This Information Security Plan ("Plan") describes safeguards implemented by Troy University
to protect covered data and information in compliance with the FTC's Safeguards Rule
promulgated under the Gramm Leach Bliley Act (GLBA). These safeguards are provided
to:
Ensure the security and confidentiality of covered data and information;
Protect against anticipated threats or hazards to the security or integrity of such
information; and
Protect against unauthorized access to or use of covered data and information that
could result in substantial harm or inconvenience to any customer.
This Information Security Program also identifies mechanisms to:
Identify and assess the risks that may threaten covered data and information maintained
by Troy University;
Develop written policies and procedures to manage and control these risks;
Implement and review the program; and
Adjust the program to reflect changes in technology, the sensitivity of covered data
and information and internal or external threats to information security.
813.2
Policy Statement
GLBA mandates that Troy University appoint an Information Security Program Coordinator,
conduct a risk assessment of likely security and privacy risks, institute a training
program for all employees who have access to covered data and information, oversee
service providers and contracts, and evaluate and adjust the Information Security
Program periodically.
813.2.1 Information Security Program Coordinator(s)
The Chief Technology and Security Officer and Vice-Chancellor of Finance and Business
Affairs have been appointed as the coordinators of this Program at Troy University.
They are responsible for assessing the risks associated with unauthorized transfers
of covered data and information and implementing procedures to minimize those risks
to Troy University. Internal Audit personnel will also conduct reviews of areas that
have access to covered data and information to assess the internal control structure
put in place by the administration and to verify that all departments comply with
the requirements of the security policies and practices delineated in this program.
813.2.2 Identification and Assessment of Risks to Customer Information
Troy University recognizes that it is exposed to both internal and external risks,
including but not limited to:
Unauthorized access of covered data and information by someone other than the owner
of the covered data and information
Compromised system security as a result of system access by an unauthorized person
Interception of data during transmission
Loss of data integrity
Physical loss of data in a disaster
Errors introduced into the system
Corruption of data or systems
Unauthorized access of covered data and information by employees
Unauthorized requests for covered data and information
Unauthorized access through hardcopy files or reports
Unauthorized transfer of covered data and information through third parties
Recognizing that this may not represent a complete list of the risks associated with
the protection of covered data and information, and that new risks are created regularly,
Troy University Cyber Security will actively participate and monitor appropriate cybersecurity
advisory groups for identification of risks.
Current safeguards implemented, monitored and maintained by Troy University Cyber
Security are reasonable, and in light of current risk assessments are sufficient to
provide security and confidentiality to covered data and information maintained by
Troy University. Additionally, these safeguards reasonably protect against currently
anticipated threats or hazards to the integrity of such information.
813.2.3 Employee Management and Training
References and/or background checks (as appropriate, depending on position) of new
employees working in areas that regularly work with covered data and information (e.g.
Cashiers Office, Financial Aid) are checked/performed. During employee orientation,
each new employee in these departments receives proper training on the importance
of confidentiality of student records, student financial information, and all other
covered data and information. Each new employee is also trained in the proper use
of computer information and passwords. Training includes controls and procedures to
prevent employees from providing confidential information to an unauthorized individual,
as well as how to properly dispose of documents that contain covered data and information.
These training efforts should help minimize risk and safeguard covered data and information.
813.2.4 Physical Security
Troy University has addressed the physical security of covered data and information
by limiting access to only those employees who have a legitimate business reason to
handle such information. For example, financial aid applications, income and credit
histories, accounts, balances and transactional information are available only to
Troy University employees with an appropriate business need for such information.
Furthermore, each department responsible for maintaining covered data and information
is instructed to take steps to protect the information from destruction, loss or damage
due to environmental hazards, such as fire and water damage or technical failures.
813.2.5 Information Systems
Access to covered data and information via Troy University's computer information
system is limited to those employees and faculty who have a legitimate business reason
to access such information. Troy University has policies and procedures in place to
complement the physical and technical (IT) safeguards in order to provide security
to Troy University's information systems. These policies and procedures, listed in
Section 3 below, are available upon request from the Chief Security Officer.
Social security numbers are considered protected information under both GLBA and the
Family Educational Rights and Privacy Act (FERPA). As such, Troy University has discontinued
the use of social security numbers as student identifiers in favor of the Troy ID#
as a matter of policy. By necessity, student social security numbers will remain in
the student information system; however, access to social security numbers is granted
only in cases where there is an approved, documented business need.
813.2.6 Management of System Failures
Troy University Cyber Security has developed written plans and procedures to detect
any actual or attempted attacks on Troy University systems and has an Incident Response
Plan which outlines procedures for responding to an actual or attempted unauthorized
access to covered data and information. This document is available upon request from
the Chief Security Officer.
813.2.7 Oversight of Service Providers
GLBA requires Troy University to take reasonable steps to select and retain service
providers who maintain appropriate safeguards for covered data and information. This
Information Security Program will ensure that such steps are taken by contractually
requiring service providers to implement and maintain such safeguards. The Security
Program Coordinator(s) will identify service providers who have or will have access
to covered data, and will work with the Office of Legal Affairs and other offices
as appropriate, to ensure that service provider contracts contain appropriate terms
to protect the security of covered data.
813.2.8 Continuing Evaluation and Adjustment
This Information Security Program will be subject to periodic review and adjustment,
at least annually. Continued administration of the development, implementation and
maintenance of the program will be the responsibility of the designated Information
Security Program Coordinator(s), who will assign specific responsibility for technical
(IT), logical, physical, and administrative safeguards implementation and administration
as appropriate. The Information Security Program Coordinator(s), in consultation with
the Office of Legal Affairs, will review the standards set forth in this program and
recommend updates and revisions as necessary; it may be necessary to adjust the program
to reflect changes in technology, the sensitivity of student/customer data, and/or
internal or external threats to information security.
813.3
Policy Terms
Covered data and information
Covered data and information for the purpose of this program includes student financial
information (defined below) that is protected under the GLBA. In addition to this
coverage, which is required under federal law, Troy University chooses as a matter
of policy to include in this definition any and all sensitive data, including credit
card information and checking/banking account information received in the course of
business by Troy University, whether or not such information is covered by GLBA. Covered
data and information includes both paper and electronic records.
Pretext calling
Pretext calling occurs when an individual attempts to improperly obtain personal information
of Troy University customers so as to be able to commit identity theft. It is accomplished
by contacting Troy University, posing as a customer or someone authorized to have
the customer's information, and through the use of trickery and deceit (sometimes
referred to as Social Engineering), convincing an employee of Troy University to release
customer-identifying information.
Student financial information
Student financial information is that information that Troy University has obtained
from a student or customer in the process of offering a financial product or service,
or such information provided to Troy University by another financial institution.
Offering a financial product or service includes offering student loans to students,
receiving income tax information from a student's parent when offering a financial
aid package, and other miscellaneous financial services. Examples of student financial
information include addresses, phone numbers, bank and credit card account numbers,
income and credit histories and Social Security numbers, in both paper and electronic
format.
813.4
Procedures
813.4.1 Related Policies, Standards and Guidelines
Troy University has adopted comprehensive policies, standards, and guidelines relating
to information security, which are incorporated by reference into this Information
Security Program. They include:
813.4.1.1 Policies
Cyber Security Policy
Unit-Level Network Usage Policies
Data Access Policy (including Sensitive Data & Server Registration)
Credit Card Processing Policy
813.4.1.2 Standards
Data Protection Safeguards
813.4.1.3 Communication
Upon approval, this policy shall be published on the Troy University website. The
following offices and individuals shall be notified via email and/or in writing upon
approval of the program and upon any subsequent revisions or amendments made to the
original document:
Senior Vice-Chancellors
Deans
Vice-Chancellors
Chairs
Department Heads
Unit-level business officers
Internal Auditing
813.5
Related Information
Gramm-Leach-Bliley Act
FTC: Final Rule--Standards for Safeguarding Customer Information (16 CFR Part 314)
FTC: Final Rule--Privacy of Consumer Financial Information (16 CFR Part 313)
FTC Guidance: Financial Institutions and Customer Data--Complying with the Safeguards
Rule
NACUA Cyber Security Resources Page
NACUBO GLB Act Resources Page
813.6 History:
March 19, 2026: Policy Reviewed
814 - Credit Card Processing Policy
814.1
Policy Statement
814.1.1 The approval process for all credit card processing activities
The Senior Vice Chancellor of Financial Affairs or delegate must approve all credit
card processing activities at the Troy University prior to entering into any contracts
or purchasing equipment. This requirement applies regardless of the transaction method
used (e.g. online processing at Troy University, outsourced to a third party, or swipe
terminals).
All technology implementation associated with the credit card processing must be in
accordance with the Credit Card Processing Procedures and approved by the Chief Technology
Officer prior to entering into any contracts or purchasing equipment.
All credit card numbers must be handled in accordance with the Data Access Policy
requirements for category 4 data. Please contact OIT Information Security for assistance
with interpretation and implementation. However, instances of P-card numbers or corporate
cards where 4 or fewer numbers are functionally present may be handled as category
3 data. Any conflicts between the requirements of the Data Access Policy and the Credit
Card Processing Procedures will be resolved in favor of the Credit Card Processing
Procedures.
814.1.2 Units approved for credit card processing activities must maintain the
following standards
Provide appropriate training to all employees handling systems with credit card numbers
including both personnel within the unit handling the credit card transactions and
appropriate personnel in the Office of Information Technology.
Create, maintain and test annually business continuity/disaster recovery plans and
system compromise response plans.
All outsourcing agreements must meet the standards set forth in the Credit Card Processing
Procedures.
All servers storing or processing credit card numbers will be housed with the Office
of Information Technology. All servers and POS Terminals will be administered in accordance
with the requirements of the Credit Card Processing Procedures.
Credit card numbers will be retained for a maximum of 90 days. The only exception
is transactions for future events, which may be retained up to 180 days from the transaction
date. All media used for credit card numbers must be destroyed when retired from this
use. All hardcopy must be shredded by at least a cross-cut shredder prior to disposal.
Access to credit card numbers must be restricted to the minimum number of people possible.
No employee may have access to credit card numbers until he or she has attended the
Credit Card Processing Policy Training and has tendered written acknowledgement of
receipt of a copy of this policy, the Credit Card Processing Procedures and other
appropriate policies (e.g., Data Access Policy, Service Certification Process and
Procedure, and unit level security policy). After completion of these requirements,
the unit head may issue, in writing, authorization for the employee's access. No employee
will have access to credit card numbers without such written authorization.
Each unit responsible for credit card processing must complete audits quarterly on
all systems storing or processing credit card numbers to ensure compliance with this
policy and the associated procedures. The Office of Information Technology will participate
in these audits. Annual audits must be performed by Office of Information Technology
Information Security to confirm the results of the quarterly audits.
All computers handling, processing, or storing credit card numbers must be registered
in accordance with the revised Computer and Network Usage Policy.
814.2
Scope
All academic units, administrative units, organizations, and employees of the Troy
University or that use systems or networks supported by Troy University must abide by
this policy.
This policy specifically addresses all credit card processing by the Troy University.
All POS terminals handling credit card numbers (in full or truncated) and all servers
receiving, storing, or transmitting credit card numbers (in full or truncated) are
subject to this policy. An exemption is provided for P-card numbers provided the credit
card numbers are functionally truncated to four digits or less.
814.3
Policy Terms
Application Server
The computer hosting the application that the general end-user or the point-of-sale
(POS) terminal connects to
Category III Data Sensitive
This information is considered private and should be guarded from disclosure; however,
public disclosure of this information due to a system compromise generally does not
result in financial fraud or violation of State and/or Federal law. Examples include
intellectual property information, private directory listings, and contract negotiations.
Category IV Data Highly Sensitive
Any disclosure of this information, intentional or otherwise, may contribute to financial
fraud and/or violate State and/or Federal law. Examples include Social Security numbers,
credit card numbers, financial institution account numbers, and employee and student
health records.
Cardholder Information Security Program (CISP)
The formal data protection program mandated by Visa
Card Verification Value 2 (CVV2)
An additional verification code used in transaction processing
Credit Card Number
Any part or all of the unique number identifying the account for a financial transaction
Database Servers
The computer storing the sales and/or credit card numbers
eCommerce Application
Any internet-enabled financial transaction application, whether a buying application
or selling application
Employee
Any employee (as defined by the Employee Handbook) faculty, student employee, or contractor
employed by a third party and providing services to the Troy University
Encryption
Scrambling data in a recoverable format
Firewall
A network device or host-based software implementation designed to restrict network
access to a computer
Hashing
Scrambling data in an unrecoverable but verifiable format
Intrusion Detection System (IDS)
A network monitoring device for recognition of attempts to compromise monitored systems
ISO 17799
The International Standards Organization document defining computer security standards.
The credit card vendors may have based their policies on this standard.
POS Terminal
Point-of-Sale (POS) computer terminals either running as standalone systems or connecting
to a server either at the Troy University or remotely off site
Purchase Cards (P-Cards)
Credit cards obtained by Troy University through a customer agreement with a bank
for procurement purposes.
Site Data Protection Program (SDP)
The formal data protection program mandated by MasterCard
Swipe Terminal
POS credit card terminals
Two-factor Authentication
Authentication requiring two different methods confirming identity typically based
on something the user has (e.g. a card, a key, a fingerprint) and something the user
knows (e.g. a password)
Web Development
The design, development, implementation and management of the front-end of the eCommerce
application
814.4
Procedures
814.4.1 Executive Summary
These procedures are required in direct support of the Troy University Credit Card
Processing Policy and were included in the original approval of the policy. This document
sets forth the technical details and procedural requirements for implementing credit
card processing at the Troy University or outsourcing that processing to a third party.
The procedures' scope, revisions, exceptions, and compliance are noted in the Credit
Card Processing Policy.
The procedures are separated into the following general areas of interest:
814.4.2 Computer system security requirements
All computers handling credit card numbers must have the following in place:
A host-based firewall technology preventing connections from all ports except a specific
subset (e.g. 443 for secure web transactions, IP restricted port 22 for system administration).
All firewall rules must be documented and modifications approved in keeping with the
Service Certification Process.
All Microsoft Windows computers must run anti-virus software.
File integrity monitoring to an external system for critical system and application
files for inappropriate/unauthorized modifications. Reviews for potential changes
must occur daily.
System logging or auditing to an external server for all critical operating system
modifications (e.g. all logins, unauthorized file access attempts), with the log
maintained for at least 6 months.
A single function (e.g. application or database) is implemented per server.
Security patches must be tested and, if possible, applied within one week of vendor
release. Within 30 days, all patches must be applied or documentation explaining the
implementation problem must be provided.
A change log must be maintained for all servers.
Passwords must be at least 8 characters long, be complex (inclusion of a number or
special character), expire after 90 days or less, not reuse the last 4 passwords,
and be stored in an encrypted or hashed format.
All accounts must be disabled after 30 days of inactivity and, if not re-enabled and
actively used, removed after an additional 60 days. The only exception is emergency
accounts used for system recovery and not used regularly.
All system patches must be applied to a new computer before connecting to the network.
All default account names and default passwords must be changed before connecting
to the network.
All computer security configurations and services/daemons must be reviewed before
connecting to the network
Perform vulnerability testing on associated computers every 30 days with penetration
testing at least annually.
Only allow computer access by uniquely assigned and auditable IDs.
814.4.3 Connectivity security requirements
All computers handling credit card numbers must have the following provisions in place
for network and modem connectivity:
A network-based firewall preventing inappropriate/unauthorized access from outside
the academic/business unit or specific authorized computers.
An intrusion detection system monitoring for unauthorized access attempts.
24/7 monitoring for network-based firewall and IDS systems for potential penetrations
and 24/7 on-call expertise for potential security incidents.
Two-factor authentication for routers servicing all computers connecting to, handling,
processing, or storing credit card numbers.
Specific authorization for modem connections. All modem connections must be outbound
only.
All data transfers and administrative access must be in an encrypted format (e.g.
SSL, SSH, IPSEC).
814.4.4 Credit card number storage requirements
Credit card numbers must be protected by encryption, hashing, or truncation. No complete
credit card numbers will be stored on computers owned by the Troy University in an
unprotected manner. Standard encryption algorithms must use at least a 128-bit key. Minimum
key lengths will be increased as computing processing power improves. Minimum key
lengths for new encryption technologies must be provided with these guidelines prior
to implementation. Keys must be in a single accessible location with back-ups. Keys
must be changed every 90 days and old keys must be deleted/destroyed after an additional
30 days.
The following additional requirements apply to computers storing credit card numbers
and network connectivity beyond those noted in "Computer System Requirements" and
"Connectivity Security Requirements":
Accounts must lock-out after six or fewer invalid login attempts and require manual
re-enabling.
Sessions must time-out after 15 minutes.
All accesses to credit card numbers must be logged.
All root access activities must be logged to an external server.
The system must not be openly accessible from any public network.
The computer's IP address must not be available outside the local subnet.
A dedicated firewall must be in place specifically for computers storing credit card
numbers to prevent any public access to protected systems. Access is only permitted
by exception by both IP and port.
Credit card numbers must not be stored in multiple locations with the exception of
backups.
CVV2 information must not be stored beyond the transaction authorization point.
Two-factor authentication is recommended.
814.4.5 Physical security requirements
All servers storing credit card numbers must have the following provisions in place:
The servers must be in the Network Operations Center (NOC) for the Office of Information
Technology. Servers must be placed in a separate locked room within the NOC or within locked
racks. Video surveillance must be maintained on the servers. All access to servers
by anyone except employees specifically approved for access to the credit card numbers
must be escorted continuously.
The NOC must log all room access (maintained for at least 90 days), maintain video
surveillance of room ingress and egress, and provide identification for easily distinguishing
employees, visitors, and inappropriate access. Visitors must be issued a NOC ID that
must be returned or issued a temporary ID and continuously escorted.
All backup media must be secured on site, off site, and in transit. All transportation
must be handled by approved Institute employees or bonded couriers.
814.4.6 Outsource requirements
Any unit may select to outsource their credit card transaction processing. This option
transfers the risk to the outsourced service. Approval for credit card transaction
processing must follow the standard approval process.
Contracts must address these elements:
Compliance with all appropriate credit card company security requirements.
Service level agreements.
Defining data retention and destruction requirements.
814.4.7 Review process of credit card transaction processing request
Document the business need for accepting credit card transactions in a new unit or
location.
Meet with Financial Services for justification and approval of business case.
Meet with Information Security to evaluate options and costs for implementation (using
existing facilities, implementing separate facilities, or outsourcing transaction
processing).
Meet with the CTO or designee for the Office of Information Technology for technical
approval of implementation.
Meet with Troy University Legal Affairs to ensure all contracts meet federal, state,
and contractual requirements.
814.4.8 Communication
Upon approval, this policy shall be published on the Troy University Office of Information
Technology website under policies and on the Business Office web site.
The following offices and individuals shall be notified via email and/or in writing
upon approval of the policy and upon any subsequent revisions or amendments made to
the original document:
Senior Vice-Chancellors
Deans
Vice-Chancellors
Chairs
Internal Auditing
814.4.9 Revisions and Exceptions
This policy may be revised only by signature by the Chancellor of Troy University.
The Senior Vice-Chancellor of Finance and the CTO may grant exceptions to this policy
or revise the Credit Card Processing Procedures document by mutual agreement.
814.5
Enforcement
Failure to comply with this policy and the associated required procedures by employees
will be deemed a violation of Institute policy and subject to personnel action up
to and including termination as noted in the Employee Handbook and/or the Faculty
Handbook. Technology that does not comply with this policy and the associated required
procedures is subject to disconnection of network services or confiscation of equipment
pending review and approval of processes, procedures, and/or equipment.
814.6 History:
March 19, 2026: Policy Reviewed
815 - Identity Theft Prevention Program
815.1
Reason for Policy
Troy University developed this Identity Theft Prevention Program ("Program") pursuant
to the Federal Trade Commission's (FTC) Red Flags Rule. The Red Flags Rule implements
Section 114 of the Fair and Accurate Credit Transactions Act of 2003. After consideration
of the size and complexity of Troy University's operations and account systems, and
the nature and scope of Troy University's activities, Troy University determined that
this Program was appropriate.
815.2
Policy Statement
815.2.1 Requirements of the Red Flags Rule
Under the Red Flags Rule, Troy University is required to establish an Identity Theft
Prevention Program. The program must contain reasonable policies and procedures to:
Identify relevant Red Flags for new and existing covered accounts, and incorporate
those Red Flags into the Program;
Detect Red Flags that have been incorporated into the Program;
Respond appropriately to any Red Flags that are detected in order to help prevent
and mitigate Identity Theft; and
Ensure the Program is updated periodically to reflect changes in risks to students
or to the safety and soundness of Troy University from Identity Theft.
815.2.2 Oversight
Responsibility for developing, implementing, and updating this Program lies with an
Identity Theft Committee (Committee) for Troy University. The Committee is headed
by the CTO who is the Program Administrator. Troy University's CTO, the representative
of Legal Affairs and Risk Management, and such other individuals as may be appointed
by the Chancellor of Troy University comprise the remainder of the committee membership.
The Program Administrator is responsible for ensuring appropriate training of Troy
staff on the Program, for reviewing any staff reports regarding the detection of Red
Flags and the steps for preventing and mitigating Identity Theft, determining which
steps of prevention and mitigation should be taken in particular circumstances, and
considering periodic changes to the Program.
815.2.3 Staff Training and Reports
Troy staff responsible for implementing the Program shall be trained either by or
under the direction of the Program Administrator in the detection of Red Flags and
the steps to be taken when a Red Flag is detected. Troy employees are expected to
notify the Program Administrator once they become aware of an incident of Identity
Theft or of Troy University's failure to comply with this Program.
At least annually, or sooner if requested by the Program Administrator, Troy staff
responsible for development, implementation, and administration of the Program shall
report to the Program Administrator on compliance with this Program. The report should
address such issues as effectiveness of the policies and procedures in addressing
the risk of identity theft in connection with the opening and maintenance of Covered
Accounts, service provider arrangements, significant incidents involving identity
theft and management's response, and recommendations for changes to the Program.
815.2.4 Service Provider Arrangements
In the event Troy University engages a service provider to perform an activity in
connection with one or more Covered Accounts, Troy University will take the following
steps to ensure the service provider performs its activity in accordance with reasonable
policies and procedures designed to detect, prevent, and mitigate the risk of Identity
Theft:
Require, by contract, that service providers have such policies and procedures in
place; and
Require, by contract, that service providers review Troy University's Program and
report any Red Flags to the Program Administrator or Troy University employee with
primary oversight of the service provider relationship.
815.2.5 Non-disclosure of Specific Practices
For the effectiveness of the Identity Theft Prevention Program, knowledge about specific
Red Flag identification, detection, mitigation, and prevention practices may need
to be limited to the Committee who developed this Program and to those employees with
a need to know them. Any documents that may have been produced or are produced in
order to develop or implement this program that list or describe such specific practices
and the information those documents contain are considered confidential and should
not be shared with other Troy employees or the public. The Program Administrator shall
inform the Committee and those employees with a need to know the information of those
documents or specific practices which should be maintained in a confidential manner.
815.2.6 Program Updates
The Committee will periodically review and update the Program to reflect changes in
risks to students and the soundness of Troy University from Identity Theft. In doing
so, the Committee will consider Troy University's experiences with Identity Theft
situations, changes in Identity Theft methods, changes in Identity Theft detection
and prevention methods, and changes in Troy University's business arrangements with
other entities. After considering these factors, the Program Administrator will determine
whether changes to the Program, including the listing of Red Flags, are warranted.
If warranted, the Committee will update the Program.
815.3
Scope
All employees, students, affiliates, contractors, consultants, vendors, or other consumers
of Covered Accounts data, and all Troy data (electronic, paper or otherwise) that
could be leveraged to conduct identity theft from Covered Accounts are covered by
this policy.
815.4
Policy Terms
Covered Accounts
All student accounts or loans that are administered by Troy University, including
tuition payment plans, federal and school loans involving multiple payments, and campus
payment cards.
Identifying Information
Any name or number that may be used, alone or in conjunction with any other information,
to identify a specific person, including: name, address, telephone number, social
security number, date of birth, government issued driver's license or identification
number, alien registration number, government passport number, employer or taxpayer
identification number, student identification number, computer's Internet Protocol
address, or routing code.
Identity Theft
A fraud committed or attempted using the identifying information of another person
without authority.
Program Administrator
The individual designated with primary responsibility for oversight of the Identity
Theft Prevention Program.
Red Flag
A pattern, practice, or specific activity that indicates the possible existence of
Identity Theft.
815.5
Responsibilities
815.5.1 Program Administrator
This policy confirms the need for an Information Security organization, which is responsible
for ensuring Troy compliance with this policy, and maintaining this policy as business
processes, technology, and methods of identity protection improve. The Program Administrator
monitors the activities of and works with the Data Stewards on the development and
implementation of campus unit level Identity Theft Prevention Programs.
815.5.2 Identity Theft Committee
The Identity Theft Committee is responsible for confirming incidents of identity theft
and determining the appropriate course of action when incidents occur. Additionally,
the committee is responsible for supporting the Program Administrator in ensuring
the ongoing success of the Identity Theft Prevention Program.
815.5.3 Data Stewards
Data Stewards are responsible for developing and implementing Identity Theft Prevention
within their purview. Data Stewards report to the Program Administrator on their activities
in implementing unit level Identity Theft Programs.
815.6 Enforcement
Individuals covered by the scope of this policy are expected to: a) respect the confidentiality
and privacy of individuals whose records they access; b) observe any restrictions
that apply to sensitive data; and c) abide by applicable laws, policies, procedures,
and guidelines with respect to access, use, or disclosure of information.
Individuals who become aware of potential Identity Theft are expected to report such
an incident per the procedures defined by the Identity Theft Prevention Program Administrator.
The Program Administrator will report violations to the appropriate Faculty and/or
Employment body. Violations of this policy may result in loss of usage privileges,
administrative sanctions (including termination or expulsion) as outlined in applicable
Troy University disciplinary procedures, as well as personal civil and/or criminal
liability.
815.7 History:
March 19, 2026: Policy Reviewed
816 - External Hosting Policy
816.1
Introduction
This Policy describes the requirements for appropriate and approved use of externally
hosted Troy University Systems and/or Data.
816.2
Policy History
The effective date of this Policy is May 14, 2019.
816.3
Policy Text
External hosting of Systems and/or Data can be categorized as the following models:
Software as a Service (SaaS) is a software distribution model in which applications
are hosted by a vendor or service provider and made available to customers over a
network, typically the Internet.
Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage
and network capacity over the Internet. The service delivery model allows the customer
to rent virtualized servers and associated services for running existing applications
or developing and testing new ones.
Infrastructure as a Service (IaaS) is a provision model in which an organization outsources
the equipment used to support operations, including storage, hardware, servers and
networking components. The service provider owns the equipment and is responsible
for housing, running and maintaining it.
For the purpose of this document, the term cloud computing services is used to encompass
SaaS, PaaS, and IaaS.
For external hosted Systems and/or Data, each System Owner shall ensure that the Systems
protections described in Technology Policy Section 800 and on the Troy IT Best Practices
guides are implemented as well as compliance with requirements in the Technology Policy,
Section 800, data classification and encryption.
If Sensitive Data and/or Confidential Data are stored on cloud computing services,
the relevant contracts must be approved by the University's Procurement Services and
such System's protections must be assessed by the Information Security Office prior
to implementation and reassessed on a periodic basis thereafter, as determined by
the level of risk. Currently, vendors are requested to submit HECVAT documentation
prior to contract signing.
In addition to other University policies, the following requirements must be
followed in the use of cloud computing services:
816.3.1 Pre-requisite Requirements
Consult with appropriate data owners, process owners, stakeholders, and subject matter
experts during the evaluation process. Also, consult with the Legal Office or the
Information Security Office for guidance.
Contractual requirements:
Both the University and vendor must declare the type of Data that they might transfer
back and forth because of their relationship. A contract must have clear terms that
define the Data owned by each party. The parties also must clearly define Data that
must be protected.
The contract must specifically state what Data the University owns. It must also classify
the type of Data shared in the contract according to the University's Data Classification
policy requirements. Departments must exercise caution when sharing Sensitive or Confidential
Data (as defined by Troy's Data Classification Policy) within a cloud computing service.
The contract must specify how the vendor can use University Data. Vendors cannot use
University Data in any way that violates the law or University policies.
Ensure a Service Level Agreement (SLA) with the vendor exists that requires:
Clear definition of services;
Agreed upon service levels;
Performance measurement;
Problem management;
Customer duties;
Disaster recovery;
Termination of agreement;
Protection of sensitive information and intellectual property; and
Definition of vendor versus customer responsibilities, especially pertaining to backups,
incident response, and data recovery.
Cloud computing services should not be engaged without developing an exit strategy
for disengaging from the vendor and/or service while integrating the service into
normal internal business practices and/or business continuity and disaster recovery
plans. The University must determine how Data would be recovered from the vendor.
A proper risk assessment must be conducted by the Information Security Office prior
to any third party hosting or cloud computing service arrangement.
816.3.2 Intellectual property and copyright materials
Troy University marks, images, and symbols are owned by the University and may not
be used or reproduced without the permission of the Office of Communications.
Review Copyright Policy and understand the appropriate use of intellectual property
including copyrights, trademarks, and patents.
816.3.3 Privacy and data security
Information that the University has classified as "Sensitive Data", "Confidential
Data", "Internal Data", or "Public Data" may be used only in accordance with the policy
related to the classification of information which may be found in the Data Classification
Policy.
Personally Identifiable Information (PII) may only be used in compliance with information
protected by federal, state or local laws and regulations or industry standards, such
as HIPAA, HITECH, FERPA, the Alabama Information Security Breach and Notification
Act, similar state laws and PCI-DSS.
Student information may only be used in compliance with FERPA guidelines.
Protected Health Information (PHI) may only be used in compliance with HIPAA requirements.
Export Controlled Information may only be used in compliance with U.S. export control
regulations (ITAR, EAR).
816.3.4 Data availability and records retention
Ensure that all academic, administrative, or research related data are retained according
to the records retention requirements.
Back up data regularly to ensure that records are available when needed, as many providers
assume no responsibility for data recovery of content.
816.3.5 Supplemental Requirements
The requirements lists set forth in this Policy are not comprehensive and supplemental
controls may be required by the University to enhance security as necessary.
816.4 History:
March 19, 2026: Policy Reviewed
817 - Data Governance
817.1
Introduction
This Policy describes the management of all Troy University data.
817.2
Policy History
The effective date of this Policy is May 14, 2019. Last update June 29, 2022.
817.3
Policy Text
TROY University is committed to providing a widely-available campus computing environment
consistent with the institution's mission of teaching, research and service. Equal
to this commitment is the responsibility of the organization to ensure the integrity
of TROY University data and to encourage and enforce confidential, legal and ethical
standards of management and use of these data. An important aspect of this responsibility
is TROY University's continuing compliance with all applicable federal and state laws
governing disclosure of information in these databases.
All data captured using TROY University assets are resources of TROY University. This
policy applies to data critical to the administration of TROY University. TROY University
is the Data Owner of data which may reside in different database systems, on different
machines and in printed form. Data in aggregate may be thought of as forming a logical
database. This terminology does not imply that these data now or in the future should
reside in a single physical database. It recognizes that regardless of where the data
reside, there are some general principles of data management that should be applied
in order to maintain the confidentiality, integrity and availability of TROY University's
information resources. In addition, legal and ethical standards of use apply to all
data available to TROY University computer users. These data include, but are not
limited to, information in report form (printed or electronic); data stored on TROY
University systems, local area networks and individual workstations; and transportable
storage media and cloud, externally-hosted solutions.
TROY University considers violation of any of these general policies and standards
to be a serious offense and reserves the right to copy and examine any files or information
resident on TROY University computer systems allegedly related to inappropriate use.
Violators are subject to disciplinary action as prescribed in the appropriate TROY
University staff or faculty handbook. Offenders may also be subject to prosecution
under applicable federal, state and local statutes.
Complete data governance policy and data management framework is available at
817.4 History:
March 19, 2026: Policy Reviewed
818 - Troy University AI Use Policy
818.1 Purpose
To establish baseline expectations for the secure, responsible, and compliant use
of artificial intelligence (AI) technologies across Troy University.
818.2 Scope
Applies to all employees, contractors, volunteers, student workers, and any third-party
vendor or partner working on behalf of Troy University.
818.3 Definitions
AI Tool: Any technology that uses machine learning, large language models (LLMs), or other
AI methods to generate content, perform decision support, or analyze data.
Institutional Data: Any data defined under Troy University's Data Classification Standard as
Protected, Sensitive, or Public.
818.4 Requirements
AI tools may only be used with Protected or Sensitive institutional data if the tool
has been formally approved by the Office of IT.
AI tools may only be accessed using Troy University login credentials if the tool
has been reviewed and approved by IT, regardless of whether the data involved is classified
as Public.
Copying/pasting or uploading institutional data (including but not limited to reports,
emails, student records, personnel files, or research data) into unapproved AI tools
is prohibited.
Any third-party vendors using AI tools while providing services to the University
must adhere to this policy and agree to terms that ensure data protection.
Employees must not connect AI tools to university systems or APIs without IT
and security review.
In cases of uncertainty, assume the tool is not safe and consult IT.
818.5 Compliance
Violations of this policy may result in removal of access to technology resources
and may be subject to disciplinary action under existing Troy University policies.
818.6 Oversight
The Office of IT will coordinate periodic reviews of approved tools, update guidance
based on emerging threats, and ensure alignment with TROY's Acceptable Use, Security,
and Cloud policies.
818.7 History:
March 19, 2026: Policy Reviewed