CHAPTER 1200 Information Technology Services

1220 Applications, Data and Integration

Policies in this section govern access to and use of information technology applications, data and integration.

1221 Access to Enterprise Information Resources and Services

1221.1 Enterprise Accounts

Policy:

This policy covers eligibility for core accounts to access enterprise information resources and services such as the Cal Poly Portal, email, calendar, Common Management System (CMS), learning management system (LMS) and directory services. Enterprise accounts are provided to account owners according to the primary role or relationship with the University. Accounts are targeted for deletion when the owner no longer meets eligibility requirements, there is no longer an active role or relationship.

Objectives:

Access to enterprise information resources and services is tied to the role or relationship an individual has with the university. Account types are:

  • Applicants and Students: Applicant and student accounts are created for those officially associated with the university via Admissions. Students lose access to their email upon graduation or after not attending classes for three (3) quarters and lose access to the My Cal Poly portal eight (8) quarters after graduation.
  • Faculty and Staff: Faculty and staff accounts are created for those officially associated with the university via Academic Personnel or Human Resources. Faculty lose access to their accounts when they have not taught a class in four (4) terms. Staff lose access to their accounts when their status becomes inactive in Cal Poly Human Resources systems. (Exception: See Emeritus status.)
  • Emeritus: Faculty and staff emeritus retain their email and calendar accounts as an emeritus benefit. Access to other enterprise systems is not included in this benefit.
  • Auxiliary: Auxiliary accounts are created for individual and organizational entities associated with recognized University auxiliaries, on a cost-recovery basis.
  • Affiliate: Affiliate accounts are used for individuals who are not officially associated with the university who require access to University resources in support of instructional, administrative or institutional needs of the University. Affiliate accounts are sponsored and paid for by a recognized University organization. Affiliate accounts expire annually unless renewed by the sponsoring organization.
  • Organizational (Club, Department, Unit or Service): Organizational accounts include university club, department, unit, committee or service accounts.

Cases where eligibility is disputed or unclear will be escalated to Information Technology Services for review and resolution, in consultation with the appropriate offices of record.

ITS works with the offices of record, sponsors, and service providers to adjust privileges when the individual's role or relationship changes. ITS will expedite the account expiration process, up to and including the immediate revocation of all privileges, with written authorization from the appropriate information authority, e.g., Academic Personnel for faculty, Human Resources for staff, vice president for Student Affairs for students.

Back to top

1221.2 Authentication Services

Policy:

The purpose of the authentication services policy is to protect campus resources from unauthorized use. Cal Poly requires all users to authenticate their individual identity and eligibility to use those resources. Information Technology Services assigns unique identification and authentication credentials (Cal Poly username and password) to each user for this purpose. The person to whom the credentials are assigned is the only authorized user of the Cal Poly username and password.

Objectives:

ITS designs, implements and operates Cal Poly’s centralized authentication services, including the assignment of Cal Poly username and password to users of enterprise resources. The Cal Poly user name and password provide login access to enterprise electronic services. Having a user name and password is not, however, sufficient to authorize individuals to use those services. Each service defines the criteria for service provisioning and authorizes the individual according to those criteria.

ITS assigns, activates, de-activates, revokes or otherwise modifies a user’s credentials based on the user’s verified identity and current university affiliations in official University record systems. Owners and administrators of University applications and services shall utilize the University’s standard authentication service and credentials to validate the identity of all users of the application or service unless otherwise exempted.

Back to top

1221.3 Cal Poly Username

Policy:

Each account is assigned a unique Cal Poly username and a temporary password. Cal Poly usernames are created and assigned following a standard naming convention to ensure their uniqueness and suitability as identifiers. Account owners may not specify or personally choose their Cal Poly usernames. Individuals may not possess more than one concurrently active Cal Poly username. Cal Poly usernames assigned to individuals are not re-used.

Objectives:

ITS will replace the automatically assigned username with a different username only if the replacement complies with the University’s standard naming standard and one of the following conditions exists:

  • The account owner legally changes their name, registers the change in the official University database, and requests a replacement username;
  • The existing Cal Poly username represents a credible danger to the health or safety of the account owner; or
  • The Cal Poly username produced by the algorithm results in a combination of characters considered offensive or inappropriate by either the account owner or the University.

Exceptions in the assignment or reassignment of usernames must be approved by Information Technology Services.

Back to top

1221.4 Cal Poly Password

Policy:

To avoid unauthorized access to IT resources, holders of Cal Poly usernames must follow established rules for creating and using, and reporting the suspected compromise of, passwords corresponding to a Cal Poly username.

The Cal Poly password must be changed immediately upon issuance, when an account is compromised or suspected to be compromised, and at least annually thereafter. Account owners must affirm their knowledge and understanding of their responsibilities relative to information security and the appropriate use of information resources each time they change the password. The Cal Poly passwords for individual accounts must never be shared with anyone else or re-used for any non-University service. Shared passwords for organizational accounts, development environments or test environments must be safeguarded against unauthorized access.

Back to top

References for CAP 1221

  1. Date approved by the President: April 23, 2020
  2. Effective Date: April 23, 2020
  3. Responsible Department/Office(s): Vice President for Information Technology Services
  4. Revision History: Not applicable/New
  5. Related University Policies, Procedures, Manuals and/or Documents:
    1. Cal Poly IT Security Standard for Passwords
    2. Account types
    3. ICSUAM 7100
  6. Laws, Regulations and/or Codes of practice referred to herein or related to this policy:
    1.  

1222 Electronic Mail

Policy

The purpose of this policy is to ensure electronic mail (email) remains available and reliable to support Cal Poly’s mission. This policy applies to all users (individuals, departments and organizations) of the campus-wide Cal Poly email system.

Email is a critical service for teaching, learning and scholarly research; academic experiences; and business and administrative processes. All users must comply with applicable laws and university policies affecting the use of email, including but not limited to responsible use, computer accounts, passwords, information security, copyright law and software licensing. Violation of Cal Poly email policies may result in disciplinary action dependent upon the nature of the violation.

SPECIFIC PROHIBITIONS:

  • Intentional and unauthorized access to another individual’s or organization’s email
  • Sending confidential or sensitive content unless using appropriate encryptions methods
  • Sending "spam", chain letters, or any other type of unauthorized widespread distribution of unsolicited email
  • Using email for partisan political or lobbying activities
  • Sending messages violating the CSU Standards for Student Conduct Title 5.2 §41301. Using electronic communications, including email, with the intent to annoy, harass or physically threaten other individuals is prohibited.
  • Using a false or alias email address in order to impersonate another or send fraudulent communications
  • Using email to transmit materials in a manner violating copyright laws.
  • Using State resources, including e-mail, for anyone's personal or political gain. This includes promoting off-campus sales and services.
  • Sending unsolicited and unauthorized messages to large numbers of users. Official mailings to large numbers of users must conform to the broadcast electronic message policy
  • Sending a large volume of unsolicited mail in an attempt to disrupt a user, a business operation or their site
  • Operating an unauthorized e-mail reflector. Authorized reflectors include calpoly.edu and alumni.calpoly.edu.

1222.1 Broadcast Electronic Message Policy

Policy

This policy is provided to reduce the incidence of complaints from potential misuse of broadcast messaging and large mailings. Broadcast messaging and large mailings are unsolicited email sent in large quantities to communicate urgent, time-critical or other essential university information to large segments, or all, of the entire campus community. Broadcast messaging and large mailings, when sent according to this policy, are an efficient, cost-effective and environmentally friendly use of technology to disseminate information.

The President and all vice presidents are authorized to send broadcast messages meeting the criteria of urgency or critical University information. Each vice president is individually responsible for the appropriate content and frequency of broadcast email and is responsible for directing and monitoring its use by assigned staff within their offices and divisions.

Other users wishing to send broadcast messages to large segments, or all, of the campus community must request authorization from a vice president or the president, and use a broadcast mail tool provided by Information Technology Services.

Objectives:

Broadcast messages are sent to campus distribution lists based on campus role (for example, faculty, student, employee, emeritus). Broadcast messages are appropriate for:

  • Messages to carry out the business of the University
  • Messages about changes in University policy or time sensitive issues
  • Messages to a select group of people (e.g. faculty, staff, students, members of a specific school or department, etc.) with content related to their specific role within the University
  • Urgent messages about emergencies and university infrastructure conditions or activities that potentially affect most of the recipients

Broadcast messages must use an approved campus distribution list and meet the following criteria:

  • Other means of communication are not timely, and timely announcement via other methods could not be accommodated
  • An appropriate target audience can be determined
  • Could be of significant benefit to all of the targeted audience
  • Prevents significant inconvenience that the lack of the information would cause to the targeted audience
  • Must comply with applicable university policies on use of State resources
  • Must be sent from a department or organization account using the tool provided by Information Technology Services to facilitate approval and ensure technology accessibility
  • Must be approved by the president, a division vice president, or designee.

Units within the university, such as a college or department, may initiate broadcast messages containing official university business to their own constituent groups without seeking the approval of a vice president, but should still observe these criteria. Email messages not meeting the criteria of urgency or critical University information, should seek other methods of communication.

Large mailings are those sent to more than 1,000 email addresses. Users are prohibited from sending large mailings except as defined in the large mailing procedures referenced at the end of this policy.

Large group mailings are permitted only if sent to electronic distribution lists for the purpose for which they were created. For example, class distribution lists are for use by classes in class discussions and dissemination of information within the context of the specified class. Student club distribution lists are for disseminating official club information. All other distribution lists are for use by specific units or members to disseminate or share information. Use of such distribution lists for the purpose of large mailing by unauthorized personnel violates this policy.

Back to top

1222.2 Email as an Official Means of Communication

Cal Poly must be able to communicate quickly and efficiently with employees, students and affiliates in order to conduct official university business. Campus email is an official means of campus communication, and may be used as the sole method of communication for some campus matters. Official university communications are sent to a university-assigned email address (username@calpoly.edu). All employees, students and affiliates are responsible to receive and read official email communication in a timely manner and take necessary action when appropriate. This also applies when university emails are redirected to a non-university email account.

Objectives:

Email is an appropriate, cost-effective, convenient and timely means to transmit official campus communications. An official communication occurs when an individual or campus entity sends email or other message pertinent to conducting University business, including notification of University-related actions.

Official email communications will be sent to a University-assigned email address (username@calpoly.edu) and may be the sole method for notification. Other methods may be used when authorized by the individual (e.g., text messaging) or approved by the University (e.g., portal notifications) for this purpose. Additional or other methods of communication will be used if required by law or other contractual obligations (e.g., notification of disciplinary and legal actions).

Email sent as official campus communication is expected to comply with applicable laws and campus policies, including those referenced in this policy, and are subject to the same public records, privacy and records retention requirements and policies as other official campus communications.

Back to top

References for CAP 1222

  1. Date approved by the President: April 23, 2020
  2. Effective Date: April 23, 2020
  3. Responsible Department/Office(s): Vice President for Information Technology Services
  4. Revision History: Not applicable/New
  5. Related University Policies, Procedures, Manuals and/or Documents:
    1. Email as an Official Means of Communication
    2. Broadcast messages
    3. Large mailings
    4. Information Classification and Handling Standard
  6. Laws, Regulations and/or Codes of practice referred to herein or related to this policy:
    1.  

1223 Official Identification Card (PolyCard)

POLICY:

This policy clarifies how Cal Poly official identification cards (PolyCards) are issued by Information Technology Services (ITS). The PolyCard provides proof of status with Cal Poly and provides access to many resources provided by the University (e.g., library, athletic events, campus dining).

PolyCards are issued to currently active students, faculty, staff and emeriti who are provisioned in Cal Poly’s identity management system. ITS issues one PolyCard to each eligible individual based on the individual’s primary affiliation with the University. The name appearing on the PolyCard is the cardholder’s official (primary) name on record with the University.

OBJECTIVES:

PolyCards are the property of Cal Poly, not the individual cardholder, and the University governs all uses of the PolyCard. The PolyCard itself is non-transferable. Unauthorized use, sharing, alteration or duplication for fraudulent purposes will result in immediate confiscation of the card and may result in disciplinary or legal action. PolyCards become invalid upon termination of affiliation with the University and must be surrendered as part of the employee separation process.

Use of the PolyCard for campus services must be reviewed and approved by ITS and other appropriate campus authorities using established procedures. Approved uses of the PolyCard must conform to all applicable laws and policies including Cal Poly’s Information Security Program, Responsible Use Policy, Confidentiality-Security Agreements, and Family Educational Rights and Privacy Act (FERPA).

Use of PolyCard photographs is subject to applicable policies and laws.

  • In accordance with the Family Education Rights and Privacy Act (FERPA), a student’s ID card photograph is part of his or her educational record. As directory information, it can be released to campus officials for education related and University purposes. The University will not release a student photograph outside the institution, unless permitted or required by law.
  • State and auxiliary employee and other non-student photographs are protected by the California Civil Code Information Practices Act and will not be released unless permitted or required by law.
  • Requests to release photos must be in writing and approved by Information Technology Services. Except in an emergency where health and safety are an issue, a photographic release form signed by the affected individual must be on file prior to the release of the photo.

Data collected and stored electronically in conjunction with the uses of the PolyCard is subject to the same restrictions and guidelines noted above. While the PolyCard office does not track individual card use, it may provide general demographic data to campus service providers on the use of their services. 

Back to top

References for CAP 1222

  1. Date approved by the President: April 23, 2020
  2. Effective Date: April 23, 2020
  3. Responsible Department/Office(s): Vice President for Information Technology Services
  4. Revision History: Not applicable/New
  5. Related University Policies, Procedures, Manuals and/or Documents:
    1. Cal Poly PolyCard Services
  6. Laws, Regulations and/or Codes of practice referred to herein or related to this policy:
    1. US Department of Education statement on FERPA and student photos
    2. California Civil Code Information Practices Act regarding non-student photos