- Introduction
- University Policies
- University Libraries Policies
- Cross References
INTRODUCTION:
The following policies/guidelines apply to staff use of Libraries workstations (including laptops and notebooks), software, network space, and related technology.
UNIVERSITY POLICIES:
Libraries employees must comply with all University policies relating to privacy, security, the use of software, hardware, and the University Network. Policies are available in the Penn State Policy site. The most important University policies are referenced below:
- Policy FN14, Use of University Tangible Assets, Equipment, Supplies and Services: "All tangible assets (including equipment, software, audio-visual material, theatrical costumes, etc.) owned, leased or operated by the University are to be used in the conduct of University programs and activities at University owned or leased locations. ...University tangible assets and services may not be used for personal gain, by employees for purposes outside the scope of their employment (see also Policy HR35,) or by students beyond their instructional requirements.
- Policy AD95 Information Assurance and IT Security.
- Policy AD96 Acceptable Use of University Information Resources.
UNIVERSITY LIBRARIES POLICIES:
Equipment Provided
The University Libraries may provide each employee with
A single workstation
Standard suite of software
Employees are expected to use Libraries or University provided equipment in order to ensure proper security and license compliance.
Principle of Least Privilege
PSU Policy AD95 references Standard – Access, Authentication , and Authorization which states that individuals must be granted the minimum access sufficient to complete their job responsibilities. Individuals with multiple accounts or that are granted privileged access must use the least privileged account for day-to-day activities; privileged accounts will only be used when the elevated privilege is required by the system or application.
Defend Point software is provided on all library employee workstations as the method to temporarily elevate privileges for software installations, etc.
Provisioning and Revocation of Access to Library Accounts and Resources
Compliance with PSU AD95 and the Standard – Access, Authentication, and Authorization requires that under normal circumstances, authorized access must be revoked as promptly as possible after notification of a status change has been received; preferably within 72 hours when the individual:
Permanently leaves/departs the University or when employment, student, or other status is terminated for whatever reason.
Transfers from one position to another with different responsibilities and levels of access required.
In the event that an individual is separated from the University with cause, authorized access must be revoked in coordination with the Office of Human Resources, Office of Student Affairs, or other responsible party, who will determine the appropriate timing based on the specific circumstances.
Note that revoking authorized access may be accomplished independently of disabling or removing an individual’s user account, depending on the security controls of the systems in use.
PII Scanning
Workstations in areas designated as having the potential to interact directly with Data Categories 3or 4 are included in automatic PII scanning
CROSS REFERENCES:
Other Policies in this manual should also be referenced, especially the following:
Policy AD95 Information Assurance and IT Security
Policy AD96 Acceptable Use of University Information Resources
Standard - Access, Authentication, and Authorization Management
Effective Date: March 2003
Date Approved: March 10, 2003 (Dean's Library Council)
Revision History (and effective dates):
- October 2021 - Revised policy
- May 2019 - Renamed (from - University Libraries Staff Information Technology Use Policies) and refreshed content
- November 2007 – Revised policy
- March 10, 2003 – New policy
Last Review Date: October 2021