Policies & Procedures

The Information Security Office (ISO) maintains all Tulane University Information Technology Policies. For complete policy details please see the Information Security website.

Policies

See linked pages below for Tulane University information technology policies.

Acceptable Use

Overview

Tulane University grants individuals and departments access to sensitive, private and/or confidential electronic and hard copy information for the sole purpose of performing their assigned duties and roles. Every individual and department therefore holds a position of trust and must safeguard the confidentiality and integrity of the information they use. Users of all information systems of the University must abide by all relevant Federal, State and Local laws as well as University Policies on data privacy and confidentiality. These relevant laws include but are not limited to the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley Act (GLBA).

Applicable Laws

Tulane University has defined policies and procedures for complying with these applicable laws. Click on the following links to access relevant policies:

Administrative Account and Firewall Access Requests

1. Purpose

The University maintains several databases, applications and systems that contain or have access to private, sensitive and/or confidential information. To ensure that the information maintained within these systems remains secure, users should be granted access to these systems on a need-to-have basis only. That is, users should be granted access to a system only if that access is required for the performance of their job role and the level of access does not exceed what is necessary for the performance of that job role. Please contact the Information Security Officer (security@tulane.edu) if you require further information.

2. Service Level Agreement

Technology Services will endeavor to process account requests within one business day of receipt. However, please note that during busy periods and depending on staff availability, it can take up to three business days to process some account requests. 

3. Account Request Procedures

The following procedures should be followed when requesting access to the following specific systems:

3.1 Affiliate Account Request Form

To request an affiliate Email/LDAP account, download and complete the Affiliate Account Request Form.

3.2 Banner, BDS, BRM, Datastore or TAMS Account Requests

Please visit https://tulane.service-now.com to request Banner, BDS, BRM, Datastore or TAMS accounts. Log in to the Service Catalog with your Tulane University credentials and go to ‘Order Things.’ Click on the ‘Accounts’ link. Order the account you or your employee needs access to by selecting the respective account. Complete all required fields on the online form. The account request must be approved by your department head before it will be created. You must also agree to the confidentiality statements, found either on the form or in an email sent from Service-Now.

Please contact the Technical Support and Network Operations Center (TSNOC) if you have any questions regarding ordering accounts through the Service Catalog. The TSNOC can be reached at:

  • Uptown: (504) 862-8888 or ext. 8888
  • Downtown: (504) 988-8888 or ext. 8-8888
  • Toll Free: (866) 276-1428

4. Firewall Access Requests

To request Firewall access, log in to the Service Catalog at https://tulane.service-now.com/ess with your Tulane University credentials. Go to ‘Order Things’ and click on the ‘Network Services’ link.

Data Storage and Retention

1. Overview

Research Data is often unique and irreplaceable. Typically, it has value extending many years beyond the termination of the project from which it was generated.

  • How likely is it the hardware, software or media will fail or become obsolete?
  • What would be the impact of any failure?
  • What security systems are in place?
  • What disaster recovery procedures are in place?
  • What is the availability of support by professional IT staff?

Researchers must ensure that all research data, regardless of format, is stored securely and backed up or copied regularly.

Storage and backup arrangements need to cover the life of the research project, and also the statutory minimum period of retention. In most cases, data will need to be kept for a minimum of 5 years after publication of the research results, so understanding your storage options and documenting your backup regime is an important part of data management planning.

By following the guidelines listed below you can make sound decisions regarding storage of your research data.

2. Data Storage Types

2.1 Networked drives

These are managed by IT staff centrally or within your School or College. It is highly recommended that you store your research data on regularly backed-up networked drives such as:

  • Fileservers managed by your research group or school.
  • Fileservers managed by Information Services.
  • Storage Area Network (SAN) - either an infrastructure SAN or the Tulane University SAN.

This will ensure that your data will be:

  • Stored in a single place and backed up regularly.
  • Available to you as and when required.
  • Stored securely minimizing the risk of loss, theft or unauthorized use.

2.2 Personal computers and laptops

Storing files on individual desktop or laptop PCs is not recommended.

Local hard drives (e.g. "the C: drive") are convenient for temporary working copies of data, but should not be used to permanently store master copies of research data. From time to time, local hard drives do fail and are often not backed up. Local machines may also be replaced, upgraded, and/or re-allocated to other people, at which time data on those machines may be lost or at risk of being inappropriately accessed.

Local drives in PCs and laptops may be lost or stolen, leading to an inevitable loss of your data with minimal or no chance of recovery.

2.3 External storage devices

The low cost and portability of removable media like CDs, DVDs and flash memory devices (i.e. USB memory sticks) makes them an attractive option for storage. These are rarely a suitable option for long-term retention of your research data, especially master copies:

  • Removable media are often not big enough for all the research data, so multiple disks or drives are needed. This can make accessing your data later on difficult, especially if you do not have good systems in place for identifying and describing the data.
  • Although use of CDs, DVDs and USB sticks is common, their longevity is not guaranteed, especially if they are not stored correctly (ideally in a steady range of about 65-71 degrees Fahrenheit and 35 to 45% relative humidity). The estimated life of a CD or DVD stored at above 83 degrees and 50% humidity is as low as two years, far short of the minimum retention periods that apply to most research data.
  • In addition to being environmentally sensitive, removable media can be easily physically damaged (e.g. through magnetism or shocks). Errors with writing to the media ('burning') are also quite common.
  • Because they are so portable and data can be easily copied from them, removable media pose a risk in terms of data security. Devices are easily stolen, misplaced or lost, and often the data contained does not have access controls.

If you choose to use CDs, DVDs and USB flash drives (for example, for working data or extra backup copies), you should:

  • Ensure the products are encrypted and password protected.
  • Choose high quality products from reputable manufacturers.
  • Follow the instructions provided by the manufacturer for care and handling, including environmental conditions and labeling.
  • Regularly check the media to make sure that they are not failing, and periodically 'refresh' the data (that is, copy to a new disk or new USB flash drive).

2.4 Remote or online back-up services

These provide users with an online system for storing and backing up computer files, e.g. Dropbox or Mozy. Typically, they:

  • Allow users to store and synchronize data files online and between computers.
  • Employ cloud computing storage facilities (e.g. Amazon S3).
  • Provide the first few gigabytes free and users pay for more facilities, including space.

3. Advantages

  • No user intervention required (change tapes, label CDs, perform manual tasks).
  • Remote backup maintains data offsite.
  • Most provide versioning and encryption.
  • Multi-platform.

4. Disadvantages

  • Restoration of data may be slow (dependent upon network bandwidth).
  • Stored data may not be entirely private (thus pre-encryption).
  • Service provider may go out of business.
  • Legal seizure of the actual physical server, making data access unavailable.
  • Protracted intellectual property rights/copyright/data protection licenses.

Mobile Device Security Policy

1. Purpose

This policy governs the security of mobile devices used to access Tulane University email resources for administrators, faculty and staff. Tulane University requires all users to use a password to access University email. Currently there are mobile phone and tablet systems that store user passwords internally. However, these devices themselves are often not locked or otherwise secured. This configuration circumvents the University authentication requirement by automatically accessing email with saved credentials on unlocked mobile devices.

2. Policy

Tulane University requires all users to use a password to access University email. Mobile devices used to access Tulane University email will be automatically configured to:

  • Utilize a 4-digit or longer PIN to lock the device.
  • Erase and reset the device in the case of 10 sequential login failures.

3. Responsibilities

This policy is enforced at the email server level by the Information Security and Policy Office.  

4. Audits

Mobile devices configured to use Tulane email are subject to spot audits.  

5. Definitions

Mobile Device - for the purposes of this policy a mobile device is a phone, smartphone, or tablet with a cellular-capable connection.

Password Policy

1. Purpose

This policy establishes conditions for use of, and requirements for appropriate security for, Tulane University accounts. These requirements are necessary to help ensure personal security and protect the University’s information systems resources.

Your password functions as a "key" that enables you to access the University's many electronic resources. This is the private part of your digital identity. You should protect and guard your password as you would your personal bank card and PIN. The Tulane Account provides access to a wide range of Tulane Internet services such as e-mail, myTulane, Library resources, E-Academy, secured Web sites, VPN, and Tulane-access computing labs. You may need additional University accounts for other services, including access to systems such as TAMS, SIS, and Datastore.

2. Scope

This policy applies to every person using a Tulane Account at any time or location. This includes all students, faculty, staff, alumni, retirees, and other University affiliates (including contractors and vendors with access to Tulane University systems).

3. Policy Statements

3.1 General

  • Passwords for newly activated Tulane Accounts must be changed at first use. This ensures that only the person who has been assigned the account knows the password.
  • Tulane Account passwords will expire once every 180 days.
  • Old passwords cannot be reused for 365 days. You are encouraged to avoid reusing old passwords at all, if possible. See Guidelines on Passwords for tips on creating a strong password that is easy to remember but hard to “crack.”

3.2 Individual Responsibility

  • Create a strong password; see Guidelines on Passwords.
  • Change your password at least once every 180 days, or more frequently as needed. You are responsible for changing your password before it expires, to avoid disruption of access to Tulane services. See Password Expiration below for additional details.
  • Safeguard the password. You should not write down or store the password on paper or on a computer system where others might acquire it. See Password Protection Standards in the Guidelines on Passwords document for additional guidelines.
  • Never share the password, even with a best friend, roommate, or relative.
  • Reserve the Tulane Account User ID and password for Tulane University systems and services only. You should create a different username and password for external services such as stores, banks, music services, Websites, personally owned computers, or other systems.
  • Any use of the Tulane Account is assumed to be performed by the person assigned to that account. You are responsible for all activities associated with your account.

3.3 Password Expiration

  • You are encouraged to change your password before it expires, in order to avoid disruption of access to University services. Passwords can be changed at password.tulane.edu. At the first access, you must provide two security questions.
  • Two weeks before the password expires, an e-mail notification of the expiration date will be sent to you. This e-mail notification will be sent daily until the password is changed or expires. If the password has not been changed by the expiration date, the account will be locked.
  • If you allow your password to expire, you will need the correct answers to the two security questions to unlock the account. If the answers to the security questions are incorrect, you must contact the Help Desk to reinstate your Tulane Account access.
  • Your password should be changed immediately if you believe that it has been compromised (for example, if there is a possibility that another person may have viewed or acquired the password).

3.4 Access to Accounts

Tulane accounts for faculty and staff who disengage from the University should be deactivated with the following exceptions:

  • Email accounts and LDAP access for the Gibson portal for staff should be maintained for one month
  • Email accounts and LDAP access for the Gibson portal for faculty should be maintained for one year

4. Further Information

If you believe that your account or password has been compromised, change the password for the affected account. If your account has been compromised or you require more information, contact the Information Security Office at security@tulane.edu or (504) 988-8500.

User Account Policy

1. Purpose

This policy defines how network accounts, which provide access to Tulane computer resources, are provisioned and maintained for Tulane’s faculty, staff, and students. These services include, but are not limited to, email, wireless, VPN and access to services such as Blackboard or Banner. The usage of these services is provided for educational, academic, and administrative purposes, and must conform to all current Tulane policies and procedures.

2. Account Type

2.1 Employees

Employees are entitled to one account, which will provide access to email and other systems. This account is automatically created when a new faculty or staff member is added to the University’s HR/Payroll system. Every employee will be entitled to one account/email address. Please contact your hiring manager so that the personal information for the new employee can be entered into the PeopleFlow system.

Accounts for faculty who have left Tulane and are no longer employed will retain their user accounts in the system for 12 months after their termination date.

Accounts for staff who have left Tulane and are no longer employed will lose access to their accounts at the end of the work day of their termination date.

2.2 Students

Student accounts are created once a student has been entered into Banner as a matriculated student. Every matriculated student will be entitled to one account and email address. Please contact the Admission Office so that the personal information for the new matriculated student can be entered into Banner.

Student accounts expire one year after leaving the University. If the student has achieved Alumni status (12 credit hours achieved) they are entitled to a Tulane email address for life.

2.3 Visiting Scholars or Professors  

Visiting Scholar accounts are created if they meet the appointment procedure specified at http://tulane.edu/provost/visiting‐scholars.cfm. Account requests must be submitted by the sponsoring department or unit. Account requests should have the approval of the Provost’s Office after all appointment criteria have been met.

Visiting Scholars’ accounts will expire every 12 months; extensions, however, may be requested with the approval of the Provost’s Office.

2.4 Contractors

Contractors who require Tulane system access or a Tulane email address to perform work on behalf of Tulane are entitled to one account/email address. Account requests must be submitted to Technology Services (TS) by the department initiating the contract. Contractor accounts will expire every 12 months; however, an extension can be requested by the department initiating the contract. Contractors’ accounts will be disabled as soon as they are flagged inactive in the system or when their expiration date has passed without a request for extension.

2.5 Affiliated Personnel

It is recognized that work requirements for those who are affiliated with Tulane, though not directly in its employ, may necessitate access to electronic services. Some of these affiliates are defined below:

Affiliates with Faculty Status:

  • non‐paid Adjunct Professors
  • non‐paid Clinical Professors
  • non‐paid Field Professors

Affiliates with Faculty Status must be entered into Banner and assigned to a course. Account requests for them must be made through the Registrar’s Office. Affiliates with Faculty Status who have left Tulane will retain their user accounts in the system for 2 semesters.  

Affiliates with Non‐Faculty Status:

  • non‐pay ROTC staff
  • Community Volunteer on behalf of Tulane
  • Religious staff

Account requests for Affiliates with Non‐Faculty Status must be made through TS and must include a sponsor and an explanation of the need for an account. Accounts for Affiliates without Faculty Status will expire every 12 months. Accounts of this type will be disabled as soon as they are flagged inactive in the system or when their expiration date has passed without a request for extension.

2.6 Departmental and Organizational Accounts

Departments and Organizations can request generic accounts so that they can have a common mailbox or distribution. Account requests must be submitted to TS by the Department Head or approved organization delegate.

3. Email Privacy & Security

While Tulane University does not regularly monitor the content of electronic mail, the University reserves the right to inspect, monitor, copy, store, or disclose the contents of electronic mail messages as it sees fit.

Users may not perform acts that waste Messaging System resources or unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending non‐work‐related mass mailings and chain letters, multiple copies of documents, creating unnecessary network traffic, or otherwise damaging Tulane’s reputation. Tulane reserves the right to disable mailboxes that are creating system‐wide problems and notify the appropriate campus IT organization that supports the mailbox owner.

4. Oversight

Responsibility for developing and updating this policy lies with an Account Entitlement (“Committee”) for Tulane. The Committee is headed by Hunter Ely, Chief Information Security Officer, who can be reached at (504) 988‐8556. The Committee will be responsible for ensuring appropriate steps are taken in particular cases and for periodically reviewing this policy.

Procedures

SPHTM-IT maintains its own SOPs.