CHAPTER 1200 Information Technology Services

1221.1 Enterprise Accounts

Policy:

This policy covers eligibility for core accounts to access enterprise information resources and services such as the Cal Poly Portal, email, calendar, Common Management System (CMS), learning management system (LMS) and directory services. Enterprise accounts are provided to account owners according to the primary role or relationship with the University. Accounts are targeted for deletion when the owner no longer meets eligibility requirements, there is no longer an active role or relationship.

Objectives:

Access to enterprise information resources and services is tied to the role or relationship an individual has with the university. Account types are:

• Applicants and Students: Applicant and student accounts are created for those officially associated with the university via Admissions. Students lose access to their email upon graduation or after not attending classes for three (3) quarters and lose access to the My Cal Poly portal eight (8) quarters after graduation.
• Faculty and Staff: Faculty and staff accounts are created for those officially associated with the university via Academic Personnel or Human Resources. Faculty lose access to their accounts when they have not taught a class in four (4) terms. Staff lose access to their accounts when their status becomes inactive in Cal Poly Human Resources systems. (Exception: See Emeritus status.)
• Emeritus: Faculty and staff emeritus retain their email and calendar accounts as an emeritus benefit. Access to other enterprise systems is not included in this benefit.
• Auxiliary: Auxiliary accounts are created for individual and organizational entities associated with recognized University auxiliaries, on a cost-recovery basis.
• Affiliate: Affiliate accounts are used for individuals who are not officially associated with the university who require access to University resources in support of instructional, administrative or institutional needs of the University. Affiliate accounts are sponsored and paid for by a recognized University organization. Affiliate accounts expire annually unless renewed by the sponsoring organization.
• Organizational (Club, Department, Unit or Service): Organizational accounts include university club, department, unit, committee or service accounts.

Cases where eligibility is disputed or unclear will be escalated to Information Technology Services for review and resolution, in consultation with the appropriate offices of record.

ITS works with the offices of record, sponsors, and service providers to adjust privileges when the individual's role or relationship changes. ITS will expedite the account expiration process, up to and including the immediate revocation of all privileges, with written authorization from the appropriate information authority, e.g., Academic Personnel for faculty, Human Resources for staff, vice president for Student Affairs for students.

1221.2 Authentication Services

Policy:

The purpose of the authentication services policy is to protect campus resources from unauthorized use. Cal Poly requires all users to authenticate their individual identity and eligibility to use those resources. Information Technology Services assigns unique identification and authentication credentials (Cal Poly username and password) to each user for this purpose. The person to whom the credentials are assigned is the only authorized user of the Cal Poly username and password.

Objectives:

ITS designs, implements and operates Cal Poly’s centralized authentication services, including the assignment of Cal Poly username and password to users of enterprise resources. The Cal Poly user name and password provide login access to enterprise electronic services. Having a user name and password is not, however, sufficient to authorize individuals to use those services. Each service defines the criteria for service provisioning and authorizes the individual according to those criteria.

ITS assigns, activates, de-activates, revokes or otherwise modifies a user’s credentials based on the user’s verified identity and current university affiliations in official University record systems. Owners and administrators of University applications and services shall utilize the University’s standard authentication service and credentials to validate the identity of all users of the application or service unless otherwise exempted.

1221.3 Cal Poly Username

Policy:

Each account is assigned a unique Cal Poly username and a temporary password. Cal Poly usernames are created and assigned following a standard naming convention to ensure their uniqueness and suitability as identifiers. Account owners may not specify or personally choose their Cal Poly usernames. Individuals may not possess more than one concurrently active Cal Poly username. Cal Poly usernames assigned to individuals are not re-used.

Objectives:

ITS will replace the automatically assigned username with a different username only if the replacement complies with the University’s standard naming standard and one of the following conditions exists:

• The account owner legally changes their name, registers the change in the official University database, and requests a replacement username;
• The existing Cal Poly username represents a credible danger to the health or safety of the account owner; or
• The Cal Poly username produced by the algorithm results in a combination of characters considered offensive or inappropriate by either the account owner or the University.

Exceptions in the assignment or reassignment of usernames must be approved by Information Technology Services.

1221.4 Cal Poly Password

Policy:

To avoid unauthorized access to IT resources, holders of Cal Poly usernames must follow established rules for creating and using, and reporting the suspected compromise of, passwords corresponding to a Cal Poly username.

The Cal Poly password must be changed immediately upon issuance, when an account is compromised or suspected to be compromised, and at least annually thereafter. Account owners must affirm their knowledge and understanding of their responsibilities relative to information security and the appropriate use of information resources each time they change the password. The Cal Poly passwords for individual accounts must never be shared with anyone else or re-used for any non-University service. Shared passwords for organizational accounts, development environments or test environments must be safeguarded against unauthorized access.

1222.1 Broadcast Electronic Message Policy

Policy

This policy is provided to reduce the incidence of complaints from potential misuse of broadcast messaging and large mailings. Broadcast messaging and large mailings are unsolicited email sent in large quantities to communicate urgent, time-critical or other essential university information to large segments, or all, of the entire campus community. Broadcast messaging and large mailings, when sent according to this policy, are an efficient, cost-effective and environmentally friendly use of technology to disseminate information.

The President and all vice presidents are authorized to send broadcast messages meeting the criteria of urgency or critical University information. Each vice president is individually responsible for the appropriate content and frequency of broadcast email and is responsible for directing and monitoring its use by assigned staff within their offices and divisions.

Other users wishing to send broadcast messages to large segments, or all, of the campus community must request authorization from a vice president or the president, and use a broadcast mail tool provided by Information Technology Services.

Objectives:

Broadcast messages are sent to campus distribution lists based on campus role (for example, faculty, student, employee, emeritus). Broadcast messages are appropriate for:

• Messages to carry out the business of the University
• Messages about changes in University policy or time sensitive issues
• Messages to a select group of people (e.g. faculty, staff, students, members of a specific school or department, etc.) with content related to their specific role within the University
• Urgent messages about emergencies and university infrastructure conditions or activities that potentially affect most of the recipients

Broadcast messages must use an approved campus distribution list and meet the following criteria:

• Other means of communication are not timely, and timely announcement via other methods could not be accommodated
• An appropriate target audience can be determined
• Could be of significant benefit to all of the targeted audience
• Prevents significant inconvenience that the lack of the information would cause to the targeted audience
• Must comply with applicable university policies on use of State resources
• Must be sent from a department or organization account using the tool provided by Information Technology Services to facilitate approval and ensure technology accessibility
• Must be approved by the president, a division vice president, or designee.

Units within the university, such as a college or department, may initiate broadcast messages containing official university business to their own constituent groups without seeking the approval of a vice president, but should still observe these criteria. Email messages not meeting the criteria of urgency or critical University information, should seek other methods of communication.

Large mailings are those sent to more than 1,000 email addresses. Users are prohibited from sending large mailings except as defined in the large mailing procedures referenced at the end of this policy.

Large group mailings are permitted only if sent to electronic distribution lists for the purpose for which they were created. For example, class distribution lists are for use by classes in class discussions and dissemination of information within the context of the specified class. Student club distribution lists are for disseminating official club information. All other distribution lists are for use by specific units or members to disseminate or share information. Use of such distribution lists for the purpose of large mailing by unauthorized personnel violates this policy.

1222.2 Email as an Official Means of Communication

Cal Poly must be able to communicate quickly and efficiently with employees, students and affiliates in order to conduct official university business. Campus email is an official means of campus communication, and may be used as the sole method of communication for some campus matters. Official university communications are sent to a university-assigned email address (username@calpoly.edu). All employees, students and affiliates are responsible to receive and read official email communication in a timely manner and take necessary action when appropriate. This also applies when university emails are redirected to a non-university email account.

Objectives:

Email is an appropriate, cost-effective, convenient and timely means to transmit official campus communications. An official communication occurs when an individual or campus entity sends email or other message pertinent to conducting University business, including notification of University-related actions.

Official email communications will be sent to a University-assigned email address (username@calpoly.edu) and may be the sole method for notification. Other methods may be used when authorized by the individual (e.g., text messaging) or approved by the University (e.g., portal notifications) for this purpose. Additional or other methods of communication will be used if required by law or other contractual obligations (e.g., notification of disciplinary and legal actions).

Email sent as official campus communication is expected to comply with applicable laws and campus policies, including those referenced in this policy, and are subject to the same public records, privacy and records retention requirements and policies as other official campus communications.