- Data eDiscovery
- Data Retention
- Data Storage
- User Accounts
- User Device Security
- Software and Cloud Services
All browsing history for devices will be retained for a minimum of 90 days.
Student web history will only be provided by request of the Honor Council, Deans, Division Directors, or Head of School.
Faculty/Staff web history will only be provided by request of a direct supervisor, or the Head of School.
All email and similar communications (MS Teams) will be retained for a minimum three years even if deleted by the owner. See how data is retained in the Data Retention section.
OIT will only provide copies of electronic communications to the following parties:
- A direct supervisor for a faculty staff member.
- A division director or dean of students for a member of the student body in the same division.
- The head of school for anyone that has an account in the system.
- Court orders and subpoenas must go through the Head of School.
All email communications will be stored for three years. After an email has been retained for three years, it will be allowed to be permanently deleted from the system. If an email has not been deleted by the user beyond the three year retention, then it will remain until it is deleted by the user.
All printers will purchased, maintained, and serviced by OIT. Printers will placed on the network in locations that will provide the most accessibility to many users. Printers that are shared will secure print jobs by using a release station which allows users to retrieve prints when they are physically at the printer.
All documents printed to the printers will be tracked by logging information about the print job. Some of which includes when the print was printed, by which person, how many pages, to which printer, and from which computer the print was sent. An image of the printed document will also be stored in a central location for up to 30 days.
Home grade, personal, ink jet printers are not allowed on campus. Some reasons for this are:
- There are very high cost when printing per page.
- The cannot be networked and shared on an enterprise network.
- Break frequently
- Low Quality compared to Laser
Copiers are leased by the Business Office. The Business Office will maintain a service contract on the copier for repairs. Repairs on copiers should be reported to the copier repair company as indicated by the label on the copier. OIT will be responsible for setting up and troubleshooting printing directly to the copier. OIT will also maintain tracking on the copier as defined in the Auditing section.
OIT will only create accounts upon request from these sources:
- Human Resources – New hires will be reported to OIT once all HR requirements have been met. Accounts will be created at the request of HR and distributed to the new employee in a sealed envelope.
- Admissions – Students that are Accepted/Enrolled will have new accounts created. Accounts will be given to the student at the beginning of the year by Advisor. Any student entering mid-year will be contacted by OIT or Advisor to distribute account information.
OIT must have 24-48 hours after initial notice before accounts will be created.
OIT will not create accounts that will be shared between multiple users. For example: an email account with a shared username and password.
When an employee is terminated or a student leaves DA the account will be deactivated. OIT reserves the right to revoke access to a user account at anytime. The following situations also may apply to a user account:
- Students in the senior class that graduate from DA will have access to their account till Dec 31st of the year they graduate.
- Students that leave DA by not re-enrolling will be deactivated on June 30th.
- Students that leave mid-year will be deactivated at the time of departure.
- Faculty and Staff that leave DA at the end of a school year will be deactivated on June 30th.
All passwords must meet the following criteria:
- Minimum of 10 characters
- Cannot be a password you have ever used before
- Must contain a combination of 3 out of the 4 following types of characters:
- UPPER Case
- lower CaseBase
- 10 digits (0-9)
- Special Characters (<>!@#$%)
- Cannot contain your username or parts of your full name that exceed three consecutive characters
- Cannot contain similar string positions to your previous password
Most user accounts must change password a minimum of twice a year and must meet the criteria defined in Password Requirements. User accounts that have access to sensitive information must be changed at least every 90 days. Users will start to be notified daily 15 days ahead of the password expiration. When a password expires, the account will be locked out.
Users must familiarize themselves with the proper ways they will be notified of a password expiration. This is so users can recognize possible scams from outside sources. This information can be obtained through the support portal and regular user training.
All Faculty and Staff are required to implement multi-factor authentication for their user accounts. OIT will enable and enforce MFA on Faculty Staff accounts. This requires Faculty and Staff to use a mobile device to provide MFA with their account.
All services provided by OIT will use a common password authentication database. This provides the end-user with one account username and password to login to all systems. This is often referred to as Single-Sign On (SSO). This provides OIT with more secure manor for protecting data, eases account management, and makes it easier for users to login.
Sometimes exceptions must be made for services that do not offer an SSO option. OIT will evaluate the best way to implement login credentials for each service.
User Device Security
All user devices must be protected from malicious software and content using software installed on the device. This includes:
- Application Control by whitelisting or blacklisting applications allowed to execute on the device.
- Protection from malicious code by preventing spy-ware, ad-ware, and viruses through heuristics and real time scanning.
- Web content by blocking sites that are known to spread malicious code, compromise privacy, or classified as being a risk by industry security organizations.
All devices will be kept up to date with the latest versions of software including, but not limited to, security updates to the operating system.
Macbooks: Operating system minor updates will be tested internally for a minimum of one week before being released to all devices. In most scenarios, users will have the option to delay the update installation for one week. After one week, the minor updates will be applied automatically. Major operating system releases (like Catalina) will be tested internally for an extended period of time until it has been approved for release to all devices.
iOS: iOS Devices will be updated to the latest minor version automatically upon release from Apple. Major upgrades to iOS will be updated automatically after thorough testing.
Users that have a mobile device (iPad/Laptop) are responsible for maintaining their own device backups. OIT will not be responsible for lost data on a device that has not been properly backed up. OIT will provide the end-user with the tools or hardware required to keep the device backed up.
- iOS devices will backed up using iCloud by the user.
- Laptops will be backed up to encrypted external hard drives provided to the user when the device is issued.
Devices that are owned by users that have access to sensitive information must have full disk encryption. All external drives used for backups must also be encrypted. All devices owned by all Faculty and Staff must have full disk encryption. This includes desktops, laptops, iOS devices, and external drives.
Software and Cloud Services
All software whether it is cloud based, network installed, or installed on a device must be approved by OIT before it is considered for use by the school. This includes a full range from something as minor as an iOS application to something more school wide like a cloud based systems. Many factors must be considered before a software is approved. Some of which includes:
- How does the software fit in with other systems.
- Does it offer a single sign-on experience to limit the amount of user accounts required by the end-user.
- Does the software implement the proper security policies.
- How the software will be managed and paid for.
- How does the software fit into the long term plan for the school.