Policies and Practices

Policies

Computer Code of Ethics/Acceptable Use of Campus Network and Computing Systems

Purpose

Computer abuse affects everyone who uses computing facilities and results in significant expense to the College. The same moral and ethical behaviors that apply in the non-computing environment apply in the computing environment. Babson College treats access and use violations seriously. Access to the College computing facilities and information resources is a privilege granted to the College’s students, faculty, administrators, and staff. Access to the College’s computing facilities and information resources may be restricted or terminated at the College’s sole discretion based on the following factors: failure to comply with relevant laws and contractual obligations (including the terms of any license agreements); the risk of damage or loss to the College; the impact of a violation upon the community or third parties; and costs incurred by the College in responding to abuses of the system.

Policy Content and Guidelines

It is the responsibility of each member of the community to use the services provided by the College’s campus network and computing systems appropriately and in compliance with all College, town, county, state, and federal laws and regulations. Furthermore, users are expected to use computer, electronic mail, and network services in an effective, ethical, responsible and efficient manner consistent with the instructional, research, public service and administrative goals of the College. This policy covers all persons accessing a computer, telecommunications or network resource at Babson College, including the campus data network, electronic mail, file sharing, printing, world-wide web services, telephone services and cable television. College computing systems are College resources which may be provided to employees for business purposes. Computers and the information contained on them are the property of the College and may be accessed by College officials at any time.

College policy and relevant laws apply to use of the College’s network and computing services. Actions that are unacceptable in the College community are also unacceptable on the network, computing systems and other electronic services, including:

  • Harassment in any form.
  • Failure to respect the rights and property of others.
  • Forgery or other misrepresentation of one’s identity.
  • Distribution, re-distribution, attempted downloading, or downloading of copyrighted materials without the permission of the copyright owner.

In addition, these policies specific to Babson’s network and electronic services apply:

  • As a member of the Babson community, you may be issued a new Babson account or new email address at any time depending upon your role in the College (such as, but not limited to, where a student becomes an employee or an employee becomes a student).
  • College systems, networks and electronic services may only be used for legal purposes and to access only those systems, software, and data for which the user is authorized.
  • College systems, networks and electronic services are provided only for uses consistent with the academic mission of the institution. They may not be used for private commercial or partisan political purposes, for personal gain, for unsolicited advertising, nor in any way that jeopardizes the College’s tax-exempt status. College facilities may not be used to provide Babson College network, internet access, cable television or telephone service to anyone outside of the Babson College community for any purpose. The College’s conflict of interest and consulting/outside employment policies also apply.
  • College facilities may not be used in ways that violate the privacy rights of individuals, the College’s confidentiality policy or related laws.
  • Information resources licensed by the College for the use of its students, faculty or staff may not be retransmitted outside of the College community. Examples include Encyclopedia Britannica (On-Line), site-licensed software, and commercial cable television service.
  • Network, cable TV and telephone services and wiring may not be modified or extended beyond the area of their intended use. This applies to all wiring, hardware and in-room jacks.
  • Computer users may not assign an IP number to their machines. IP numbers are assigned dynamically. Manually assigning an IP number to one’s machine may disrupt the network access of another user. Users with special needs may request a non-DHCP IP address from the IT Service Center.
  • All members of the Babson community who use the College’s computing resources must act responsibly. This includes, but is not limited to, respecting the rights of other computer users, abiding by all pertinent licensing and contractual agreements, and taking reasonable steps to protect the security of one’s computer and electronic identity (e.g. changing passwords frequently, logging off each time you leave your computer, locking your computer, etc.).
  • All electronic and telephonic communication systems and all communications and stored information sent, received, created on or contained in the Babson systems are the property of the College and as such, are to be used for job-related purposes. While members of the Babson community may make incidental personal use of Babson technology resources, it must be done in accordance with all College policies and relevant laws and at a level that is determined to be reasonable with respect to the use of College resources.
  • You should not consider any material on these systems to be private. Even erased or deleted material may remain available. While the College respects the privacy of its users, the College reserves the right to look at, listen to or use anything on its systems and equipment, in its sole discretion, with or without notice, at any time and to by-pass any pass code. Circumstances for such action may include, but are not limited to, protecting the College from liability; complying with requirements of the law, regulations, or College policies; protecting the integrity, security, and proper functioning of the College’s computing systems; investigating violations of the law, regulations, or College policy; and enforcing College policy and adjudicating offenses.
  • The campus network is a shared resource. Therefore, network uses or applications which inhibit or interfere with the use of the network by others are not permitted. (For example, applications which use an unusually high portion of network bandwidth for extended periods of time, thus inhibiting the use of the network by others, are not permitted.)
  • Users are required to know and obey the specific policies established for the systems and networks they access. They have a responsibility to stay informed of changes and adapt as needed. For any questions related to the computing policies at Babson please contact the IT Service Center.
  • Administrators of the network, computer systems and other electronic services have the responsibility to protect the rights of users, to set policies consistent with those rights, and to publicize those policies to their users. They have authority to control or refuse access to the network or other services to anyone who violates these policies or threatens the rights of other users.
  • Anybody who is active on any online communities (e.g. facebook.com, myspace.com, etc.) must be aware that any information, including personal weblogs and pictures, posted on these websites is public information. While the College does not typically review these online communities in an ongoing manner, if the College is made aware of any online posting which it deems to be problematic or indicative of policy violations, it reserves the right, but not the obligation, to respond.
  • Violations of the Computer Code of Ethics/Acceptable Use Policy will be treated as violations of College policy and may result in disciplinary action. Prosecution under state and federal laws may also apply.

Approval Dates

Updated on: November 20, 2007

This policy applies to Babson College students, faculty and staff.

Purpose

The purpose of this policy is to establish the types of devices and media that need to be encrypted and when encryption must be used. These guidelines have been established in order to protect the confidentiality of Babson College personal information on all Babson-owned portable computers, electronic devices and media capable of storing electronic data.

General/Definitions

Encryption is required for all Babson-owned portable computing devices that may be used to store personal information in accordance with applicable State and Federal law. ITSD will provide, install, configure and support data encryption where it is needed. Babson managed personal information shall not be stored on personally-owned portable computing devices.

Data Security Committee: A committee comprised of the Data Security Officers, the Vice President and General Counsel, the Director of Student Financial Services, the Associate Vice President for Human Resources and the Controller whose role is to identify and assess internal and external risks to the security, confidentiality, and integrity of sensitive paper and electronic records which contain personal information.

Data Security Liaison: The office, department and division designate who is responsible for restricting access to records and files containing personal information to those who need such information to perform their job duties; monitoring unauthorized use of or access to personal information within that office, department or division; and reporting any such unauthorized use or access to the Data Security Committee.

Encryption: A process by which data is transformed into a format that renders it unreadable without access to the encryption key and knowledge of the process used.

Encryption Key: A password, file or piece of hardware that is required to encrypt and decrypt information, essentially locking and unlocking the data.

File Based Encryption: A method for encrypting data at the file system level. Data is encrypted on an individual file basis. The whole drive is not encrypted.

Portable Computing Device: Any readily portable device or storage medium capable of storing College-managed electronic data. Examples include (but may not be limited to): laptop computer, netbook, smart phone, personal data assistant (PDA), USB hard drive, flash drive. For purposes of this policy, the portable computing devices considered in scope are limited to laptops, netbooks, USB hard drives and flash drives and Blackberries, to the extent technically feasible.

Personal information: An individual’s first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver’s license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident’s financial account. (Massachusetts General Law Chapter 93H)

Sensitive Information: Data whose disclosure would not result in any business, financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The security and protection of this data is dictated by a desire to maintain staff and student privacy.

Organizational Scope

This policy affects faculty, staff and students who are authorized to store personal information on Babson-owned portable computing devices. This policy applies to all Babson-owned portable computing devices storing Babson-managed personal information.

Policy Content and Guidelines

ITSD will provide file based encryption technology to protect laptops and other portable computing devices identified by the Data Security Committee and/or the Data Security Liaison as containing Babson-managed personal information.

Any Babson-owned portable computing device containing personal information must employ file based encryption as defined in this policy to protect this data. Conversely, any Babson-owned portable computing device not employing file based encryption must not store personal information.

Only file based encryption solutions approved by ITSD and configured according to standards set by ITSD may be utilized to satisfy the requirements of this policy. The encryption solution will centrally manage the file based encryption client software for all systems, including encryption format, key management and logging. ITSD will centrally maintain copies of encryption keys and encryption audit logs. The College retains the right to decrypt data using the centrally maintained key as required.

It is the responsibility of the Data Security Liaison in each organization to ensure that systems requiring encryption are identified, and that encryption is properly deployed on these systems.

Users must report any known, unencrypted personal information on portable computing devices to the IT Service Center at extension 4357 and request assistance in removing the data or acquiring encryption software.

It is a violation of this policy for anyone to attempt to disable, remove, or otherwise tamper with the encryption software. Failure to comply with this policy regarding the encryption of Personal Information may result in disciplinary action up to and including termination of employment.

Approval Agency

Executive Vice President/Executive Dean
Vice President for Administration and CIO
Vice President and General Counsel

Approval Dates

This policy was originally approved on:
This version was approved on:
This version takes effect from:
This policy will be reviewed by:

Policy Sponsor

Director, IT Support Services

Contact

IT Support Services

Purpose

The purpose of this policy is to define standards for proper data sanitation and/or disposal of electronic storage media that has (or may have) contained personal information at Babson College.

General/Definitions

Electronic Storage Media: Any electronic device that can be used to store data. This includes but is not limited to internal and external hard drives, CDs, DVDs, Floppy Disks, USB drives, ZIP disks, magnetic tapes and SD cards.

Personal information: An individual’s first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver’s license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident’s financial account. (Massachusetts General Law Chapter 93H)

Sensitive Information: Data whose disclosure would not result in any business, financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The security and protection of this data is dictated by a desire to maintain staff and student privacy.

Sanitizing Storage Media: The National Institute of Standards and Technology (NIST) has defined four methods of data sanitization in NIST Special Publication SP 800-88 Rev. 1, Guidelines for Media Sanitization. These four methods are as follows:

  1. Disposal is defined as the act of discarding media with no other sanitization considerations. Examples of Disposal include discarding paper in a recycling container, deleting electronic documents using standard file deletion methods and discarding electronic storage media in a standard trash receptacle.
  2. Clearing is defined as a level of sanitization that renders media unreadable through normal means. Clearing is typically accomplished through an overwriting process that replaces actual data with 0’s or random characters. Clearing prevents data from being recovered using standard disk and file recovery utilities.
  3. Purging is defined as a more advanced level of sanitization that renders media unreadable even through an advanced laboratory process. In traditional thinking, Purging consists of using specialized utilities that repeatedly overwrite data; however, with advancements in electronic storage media, the definitions of Clearing and Purging are converging. For example, Purging a hard drive manufactured after 2001 only requires a single overwrite. For the purpose of this Policy, Clearing and Purging will be considered the same. Degaussing is also an acceptable method of Purging electronic storage media.
  4. Destroying is defined as rendering media unusable. Destruction techniques include but are not limited to disintegration, incineration, pulverizing, shredding and melting. This is a common sanitization method for single-write storage media such as a CD or DVD for which other sanitization methods would be ineffective. This is also a common practice when permanently discarding hard drives.

Organizational Scope

This policy applies to all personnel who have responsibility for the handling and proper disposal of electronic storage media at Babson College.

Policy Content and Guidelines

All electronic storage media should be sanitized (Cleared/Purged) prior to sale, donation, being moved to unsecured storage (for spare parts), or transfer of ownership. A transfer of ownership may include transitioning media to another individual or department at the College or replacing media as part of a lease agreement.

All electronic storage media must be destroyed when it has reached the end of its useful life and/or when other sanitizing methods are not effective (e.g. single-write media or media that is permanently write protected), provided that the destruction does not conflict with College data retention policies or any regulatory requirements (e.g. electronic discovery).

Approval Agency

Vice President for Administration and CIO
Vice President and General Counsel

Approval Dates

This policy was originally approved on:
This version was approved on:
This version takes effect from:
This policy will be reviewed by:

Policy Sponsor

Director, Architecture & Development

Security and Passwords

Purpose and Scope

Information is a critical asset of Babson College (“the College”) and the protection of information assets is the primary goal of this Information Security Policy. All information created by or used in support of the College’s business is considered College information. Minimizing the risks associated with accidental, malicious or unauthorized disclosure, misuse, modification, destruction, loss and/or damage of this information is a goal the College is committed to achieving.

By identifying and monitoring security risks and mitigating those risks through the implementation of information security controls, the information security posture of the College is heightened and trust is established between the College and its various constituents and regulators.

Policy and Controls

This policy is established to protect the assets and interests of the College, to increase overall information security awareness, and to ensure a coordinated approach for implementing, managing and maintaining a control environment based on industry best practices. This policy sets the direction for protecting the information assets created and maintained by Babson’s faculty, staff, students, alumni, affiliates, and third party service providers. The objective of this policy is to align, over time and given available resources, College practices and policies with the industry standard information security framework published by ISO (International Organization for Standardization)/IEC (International Electrotechnical Commission) 27002, the recognized standard for the Babson College security program. This set of standards addresses various security requirements including risk assessment and treatment, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, incident management, business continuity and compliance.

Information security controls will be developed, updated, and published to ensure College information is adequately protected. These controls will be reviewed and updated as needed to ensure continued compliance with industry best practices and regulatory requirements. The information security controls apply to all departments, information processing platforms and systems owned, leased or managed by Babson College or by third parties acting on behalf of the College.

Information Security Governance

Additional details supporting this Information Security Policy are included in the Written Information Security Plan (WISP). The WISP sets forth College procedures for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Personal Information (as defined in the WISP).

The WISP is managed by the Information Security Officer & Enterprise Architect with oversight and direction from the College’s IT Steering Committee. The Chief Information Officer has overall responsibility for maintaining the information security program at the College and the Information Security Officer & Enterprise Architect has College-wide authority to conduct activities to secure the infrastructure and information assets as necessary to align with this policy and the WISP.

Approved by IT Steering Committee

May 10, 2018

Purpose

ITSD is establishing and refining security measures for Babson College’s technology structure. To aid in this procedure, a single user sign on process has been developed for email, Portal, and network access. These systems have synchronized user names and passwords. In order to keep these systems protected and align our processes with industry best practices, a new security policy will be implemented by 14 September 2009. Under this policy, students and faculty will be required to change their passwords at the beginning of each Fall and Spring semester. Administrative staff will be obliged to change their passwords every ninety (90) days.

Organizational Scope

This is a College-wide policy and applies to all students, faculty and administrative staff including employees at the Executive Conference Center, personnel in the Executive Education office, Sodexo employees, Barnes and Noble staff and any other person with a Babson user account. Alumni, Trustees and Advisors will be excluded from this policy at this time.

Policy Content and Guidelines

In terms of password administration, the following list provides requirements for establishing and maintaining passwords:

  • Passwords shall be 8–12 characters in length.
  • Passwords should be a combination of characters that does not have a meaning or relate to any personal information. Users may select characters from the following categories:
    • Alphabetical letters: a–z, or A–Z
    • Digits: 0–9
    • Special characters: ! @ $ % ^ * ( ) _ ~ + - = [ ] { } < >
  • Passwords shall be memorized. Passwords are not to be written down or stored by other means.
  • Passwords shall not be shared with any other person for any reason.
  • Passwords may not be reused. New passwords must differ by at least 1 character from the previous password.
  • Notification reminders will be displayed through Portal to users seven (7) days before their passwords expire.
  • Users should provide a secondary email address for the purpose of receiving a personal link to the password change window for the occasions where the user has forgotten her/his password. (Refer to the Secondary Email Address Policy for more specifics.)
  • Users who do not provide a secondary email address will be required to retrieve their new passwords in person at the IT Service Center, Horn 220. A Babson OneCard will be required as means of proper identification.
  • A list of users who have not reset their passwords within 30 days after the expiration will be sent to Human Resources on a regular basis for corrective action during this pilot phase.
  • Some systems (for example, ePerformance, HR Info, Power Campus, etc.) have their own password protection/reset policies. The application administrator for each of these systems will be responsible to ensure clients comply with those password reset policies as written.

If users have questions regarding the process for changing a password, they may call the ITSC at extension 4357.

Approval Agency

Executive Vice President/Executive Dean
Vice President for Administration and CIO

Approval Dates

This policy was originally approved on: 15 July 2009
This version was approved on: 1 September 2009
This version takes effect from: 14 September 2009
This policy will be reviewed by: 15 July 2010

Policy Sponsor

IT Support Services

Contact

IT Support Services

Purpose

ITSD is establishing and refining security measures for Babson College’s technology structure. To aid in this procedure, a single user sign on process has been developed for email, Portal, and network access. These systems have synchronized user names and passwords. In order to keep these systems protected and align our processes with industry best practices, a new secondary email address policy will be implemented by 14 September 2009. Under this policy, any new password required as a result of a user request (forgotten password, unable to utilize the automated password change process) will be communicated by means of a user’s secondary email address. Utilizing the secondary email account, ITSD will send the user a hyperlink that will transfer her/him to the password change process. Any user who does not have a secondary email address will be required to have her/his password reset in person at the IT Service Center, Horn 220. A user must provide a valid Babson OneCard as identification for the password change process in the IT Service Center.

Organizational Scope

This is a College-wide policy and applies to all students, faculty and administrative staff including employees at the Executive Conference Center, personnel in the Executive Education office, Sodexo employees, Barnes and Noble staff and any other person with a Babson user account. Alumni, Trustees and Advisors will be excluded from this policy at this time.

Definitions

Secondary Email Address: Any secure email account that is independent of the Babson College email system. The secondary email address must be established by users who currently have a Babson College account. This address is used as a means to provide a Babson account password change hyperlink in order to allow the user to easily change her/his password. A secondary email address may be established at no charge through sites such as Gmail.com or Yahoo.com, among others. Many users have already purchased secondary email accounts through vendors such as Comcast and Verizon.

Policy Content and Guidelines

The secondary email address will be used to provide a hyperlink for any Babson account user who has voluntarily requested a password change from the IT Service Center. The hyperlink will transfer the user to the Babson account password change page. For example, if a user cannot remember her/his password, the hyperlink will convey the user to the password change page without the need of her/his forgotten password. Requirements of the secondary email address are as follows:

  • The email address must be secure and provided by an entity other than Babson College.
  • A user’s Babson account password must not be used for the secondary email address password. A unique password must be employed for each individual email account.
  • The secondary email address will be entered within a user’s profile under ‘My Info’ in the Babson Portal.
  • Any user who does not provide a secondary email address as detailed above, must have her/his password reset in person at the IT Service Center, Horn 220.
  • At the IT Service Center counter, the password change process will not be available to any user who cannot display a valid Babson OneCard as identification.

Approval Agency

Executive Vice President/Executive Dean
Vice President for Administration and CIO

Approval Dates

This policy was originally approved on: 25 August 2009
This version was approved on: 27 August 2009
This version takes effect from: 14 September 2009
This policy will be reviewed by: 15 July 2010

Policy Sponsor

IT Support Services

Contact

IT Support Services

Purpose

The purpose of this policy is to define standards for connecting to the Babson College network from any remote host. These standards are designed to minimize the potential exposure to the College from damages which may result from unauthorized use of College resources. Damages include the loss of sensitive or personal data, intellectual property, damage to public image, and damage to critical internal systems.

General/Definitions

Affiliates: Personnel who are not faculty, staff or students at the College who require access to the Babson College network to perform work for the College.

Anti-virus: Software that protects computers from malicious programs when configured appropriately.

Firewall: An application intended to restrict access to a computer. The firewall application should be set to restrict access unless required by specific applications.

Personal Information: An individual’s first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver’s license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident’s financial account. (Massachusetts General Law Chapter 93H)

Remote Access: Any access to the Babson College network through a non-college controlled network, device, or medium. Remote access includes access from an employee’s home.

Sensitive Information: Data whose disclosure would not result in any business, financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The security and protection of this data is dictated by a desire to maintain staff and student privacy.

Spyware: Applications generally installed without the knowledge or consent of the user. These applications then monitor activity on the computer with the purpose of obtaining Sensitive Information or Personal Information that can then be sent to another location or used locally for malicious or undesirable purposes.

Organizational Scope

This policy applies to all College employees, students, contractors and Affiliates including vendors and agents with a College-owned or personally-owned computer or workstation used to connect to the Babson College network. This policy applies to remote access connections used to do work on behalf of Babson College including reading or sending email, viewing intranet web resources, and working with Babson College internal applications and data.

Policy Content and Guidelines

In general, Babson College Information Technology Services Division (ITSD) provides means for remotely accessing services ranging from publicly available web sites to email to enterprise applications containing Personal Information. Most remote access will be available via the user’s web browser and will require only that generally accepted, standard precautions be followed. However, users requiring remote access to applications and data that contain Personal Information must submit a justification signed by the appropriate President’s Cabinet member to the Security Committee for approval. Only those users with that approval will be granted remote access.

General Remote Access Guidelines for Personal Computers

  1. It is the responsibility of Babson College employees, students, or Affiliates with remote access privileges to the College network to ensure that their remote access connection is given the same consideration as the user's on-site connection. This includes the following:
    1. Implement credible and reputable anti-virus software (the College provides anti-virus software for download). The software must be operating at all times, in real-time scan mode; the virus definition list should be updated at least once a day; and the user must schedule a weekly, full-system scan. Please refer to the documentation for the software being used or contact the Service Center at support@babson.edu if you require assistance.
    2. Implement anti-spyware to protect private information. The software must be operating at all times and the definition list must be maintained and up-to-date. Please refer to the documentation for the software being used or contact the Service Center at support@babson.edu if you require assistance.
    3. Enable the built-in firewall that is included in major operating systems (i.e., Windows and Macs).
    4. Check for vendor security updates and apply them. Periodically, security weaknesses in operating systems and/or applications are discovered and the vendor will then provide security updates to remediate these issues. Enable the automated feature in major operating systems (i.e., Windows and Macs) that checks for and applies security updates. If you have questions regarding the suitability of specific updates, please contact support@babson.edu.
    5. Establish strong password syntax (i.e., at least 8 alpha & numeric characters) and protect the password. A password is used to provide authentication to an application and/or system. Never share your password with anyone, even family members.
    6. Limit your computer usage to yourself and restrict others from using it, especially for internet access, because they may unintentionally download malicious software (e.g., key logging program).
  2. It is the responsibility of Babson College employees, students and affiliates to review the College’s computing policies, including the following:
    1. Babson College Personal Information Security Plan
    2. Password Reset Policy
    3. Acceptable Use Policy
  3. Affiliates who require remote access privileges will be granted access on a case by case basis. Affiliate access may be requested by contacting the IT Service Center.
  4. No devices or software may be installed that allow remote access to the Babson College network such as modems, PC remote control software (e.g. gotomypc.com), wireless access points, or VPN servers. All remote access will be provided centrally by ITSD.

Remote Access to Personal Information

In addition to the general guidelines, remote access to applications and/or data containing Sensitive Information or Personal Information will only be granted to users utilizing a Babson laptop or PC. Furthermore, each case will be treated individually by the Security Committee, ITSD, and the Department Head and the appropriate remote access solution will be provided based on the situation, need, and particular circumstances. Remote access rights for these cases will be granted on a time-limited and renewable basis.

Termination of Remote Access Rights

A user’s remote access rights will be terminated:

  • Upon expiry for time-limited rights
  • Upon separation from the College, in all cases
  • Upon termination of an Affiliate’s contractual relationship
  • In the event of violation of this or other College policies regarding information technology

Failure to comply with this policy regarding remote access connection to the Babson College network may result in disciplinary action including termination of employment.

Approval Agency

Vice President for Administration and CIO
Vice President and General Counsel

Approval Dates

This policy was originally approved on:
This version was approved on:
This version takes effect from:
This policy will be reviewed by:

Policy Sponsor

Director, Architecture & Development

Mobile Devices

Purpose

This policy establishes guidelines for procurement, possession and appropriate use of College-owned Mobile Communications Devices (MCD). It also establishes guidelines for approval of an employee’s use of an MCD. This policy is designed to reduce unnecessary MCD costs to the College and to help ensure the confidentiality of College information.

General

MCDs are provided to improve customer service and to enhance business efficiencies. MCDs are not a personal benefit and shall not be a primary mode of communication, unless they are the most cost-effective means to conduct College business. Possessing an MCD is a privilege and all employees are expected to use them responsibly. Misuse of the College MCD may result in its revocation and possible disciplinary action against the employee.

Definitions

Data Security Committee: A committee comprised of the College’s Personal Information Security Officers, the Vice President and General Counsel, the Director of Student Financial Services, the Associate Vice President for Human Resources and the Controller whose role is to identify and assess internal and external risks to the security, confidentiality, and integrity of sensitive paper and electronic records which contain Personal Information.

Department Head: The director/manager of the department in which the employee works, or that individual’s designee. When this is ambiguous, the appropriate College Vice President is to be consulted for clarification.

Encryption: Encryption is the conversion of electronic data into a code which cannot be read by anyone except authorized parties.

Essential personal calls: These are defined as personal calls of minimal duration and frequency that are essential to allowing the employee to continue working and cannot be made at another time or from a different telephone. Examples of essential personal calls are calls to arrange for unscheduled or immediate care of a dependent or a family emergency, or to alert others of an unexpected delay due to a change in work or travel schedule.

Mobile Communications Device: An MCD is a mobile phone, or smartphone, with PC-like functionality having features like email and internet browsing. Examples include: iOS, Android, and Windows Mobile. For purposes of this policy, the MCDs considered in scope are limited to iOS, Android, and Windows phones.

Personal Information: As defined under Massachusetts General Law Chapter 93H, an individual’s first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver’s license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident’s financial account. For the purposes of this Policy, Personal Information is deemed to include education records as defined under FERPA.

Sensitive Information: Data whose disclosure would not result in any business, financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The security and protection of this data is dictated by a desire to maintain employee and student privacy.

Organizational Scope

This policy affects faculty and staff who are authorized to use an MCD and associated wireless services for College business and who receive a College-provided MCD. This policy also governs MCDs acquired via grants and contracts awarded in Babson College’s name. It is effective as of January 1, 2015.

Policy Content and Guidelines

In general, Babson College will own MCDs or carry MCD contracts for permanent assignment to individual employees in limited cases as specified below.

The College may provide MCDs to the following employees:

  • President and members of the President’s Cabinet
  • Associate/Assistant Deans, Associate Vice President for Facilities Management and Planning, and Associate Vice President for Human Resources
  • Crisis Management Team members
  • Director of Public Safety or other critical safety personnel who are on call 24/7 as determined by the Department Head.
  • Director of Campus Life, Facilities Services, ITSD and critical employees who are on call 24/7 within these units as determined by the Department Head.

Mobile Communications Device Provision Justification

Justification for an MCD is determined by considering (but not limited to) the following criteria:

  • Safety requirements dictate that having mobile/remote communication capabilities is an integral part of performing job duties.
  • More than 50% of work is conducted away from the employee’s work station and the employee is required to be contacted on a regular basis.
  • Employee is on-call outside of normal work hours.
  • Senior officer or other critical decision maker.
  • Employee monitors and administers mission critical information systems during non-business hours.
  • The job requires the employee to be immediately accessible to receive and/or make frequent business calls outside of working hours.
  • Other special circumstances approved at the President’s Cabinet level.

Department Head Responsibilities

The Department Head is responsible for submitting the Mobile Communications Device Request/Justification Form to the IT Service Center (ITSC). All MCDs will be distributed through the ITSC. No MCD will be dispensed without having the required MCD Request/Justification Form on file.

The ITSC will provide advice on the most appropriate MCD equipment; will determine appropriate plans; and will maintain overall responsibility for the distribution and billing for all MCDs. The Department/Division Head (or designee) is responsible for reviewing the monthly billing charges for MCDs provided within the Telecommunications monthly billing report and ensuring that overages, as a result of personal use, are paid by the employee. A detailed breakdown of billing charges is available from the ITSC upon request. If an employee is terminated, resigns, transfers or for any reason is no longer eligible for an MCD, the Department/Division Head (or designee) will return the MCD to the ITSC. When applicable, the ITSC may transfer the MCD to another employee within the Department/Division or to a new employee hired within ninety (90) days.

The ITSC also will determine whether the MCD should contain Encryption technology or other safeguards that allow for destruction of Personal Information or Sensitive Information if an MCD is lost or stolen.

Employee Responsibilities

Employees must comply with state and municipal laws regarding the use of mobile devices while driving and prevent MCD use that jeopardizes employee safety. The College does not condone any use of a wireless MCD while driving.

MCD voice transmissions are not secure. Employees must use discretion in relaying sensitive and/or personal Babson College business related information over an MCD. Because MCDs may store Personal Information, the Department/Division Head (or designee) must also provide departmental authorization for such activity. No Personal Information shall be stored on an MCD without the prior written approval of the Data Security Committee. Employees who are granted authorization to store Personal Information on an MCD must bring the MCD (if already distributed) to the ITSC for a security screening.

Use of MCDs for Personal Calls

Babson College provides MCDs to employees primarily for the purpose of conducting College business. However, with the recent updates to IRS regulations, the use of College owned and issued equipment to make or receive occasional, personal calls is allowed under reasonable circumstances and in the event of an emergency. Employees must realize that although personal calls made within the domestic calling region and under the usage limits provided by the employee’s plan do not result in additional charges, they do count toward the overall time limits established under the service agreement for all College employees. It is expected that the plan chosen will provide adequate coverage for all normal business needs and for any overage. Long distance or other charges realized by the employee for personal calls shall be the responsibility of the employee. Employees may arrange for recurring payroll deductions to cover personal calls.

Assumption of Liability

From and after the effective date of this policy, employees who are eligible for a College owned and issued MCD will not be allowed to transfer their personal phone number to the College plan while employed at Babson.

MCD Data Plans

Data plans for MCDs are provided for the purpose of conducting College business. Although personal use of data plans may not result in additional charges, it may count toward the overall limits established under a service agreement. It is expected that the plan chosen will provide adequate data coverage for all normal business needs and any overage or other added charges realized by the employee for personal use shall be the responsibility of the employee.

International Calls and Travel

Employees needing international voice and data services should contact the ITSC at x4357 or support@babson.edu at least two weeks in advance of any such requirement. Where possible, international voice and data services will be activated only for the duration of the travel period and will be deactivated at the end of the travel period. Wi-Fi networks should be used whenever possible and cellular voice/data plans reserved for special needs while traveling and when Wi-Fi is not available. International MCD voice and data coverage is not guaranteed, and it is the responsibility of the employee to determine if there is voice and data coverage in the countries that will be visited. All calls made and received, regardless of duration, and all text/media messages sent and received are charged at an additional roaming rate when traveling internationally, and the cost is the responsibility of the employee’s Department/Division. Data usage may be charged additional fees when roaming internationally, the cost of which is the responsibility of the employee’s Department/Division.

Note: The employee is responsible for notifying the ITSC when travel is complete so that any additional/unnecessary international services may be suspended.

Other Costs

Employees are responsible for the costs associated with applications (apps) and media not originally included with a device. Departments may have need for additional applications beyond what is provided with basic service plans, but these costs will be billed separately.

The ITSC will not provide ongoing troubleshooting services for those employees who elect to purchase devices which have not been recommended. The College will not assume liability for any operating issues that result from loading College applications onto personal MCDs with the employee’s authorization.

Lost or Stolen

Employees utilizing MCDs are required to notify Public Safety at 781-239-5555 immediately upon the loss or theft of their device. Public Safety will take appropriate action to ensure the confidentiality of College data, to the extent technically feasible. If theft is suspected, employees must promptly file a police report and cooperate with law enforcement to ensure that Personal Information and Sensitive Information is preserved.

Mobile Devices and Data Security

MCDs pose special risks to data security because they are highly portable and easily lost or stolen. In order to mitigate those risks, the College requires the following features/restrictions for College-owned MCDs:

Power-on password: A password will be required to turn on the device from an off state and from a timeout state. The password must be at least four characters in length and will be preconfigured at the ITSC when the device is delivered to the user. It is forbidden to use the same password that is used for any Babson account.

Security timeout: The device will go into a locked state after 1 minute of inactivity or when the device is locked manually. The power-on password will be required to return the device to its active state.

Failed login attempts: The device will allow 10 failed attempts to log into the device. Immediately following the 10th failed login attempt, all data will be wiped clean from the device.

Failure to comply with this policy regarding the use of MCDs may result in disciplinary action to include termination of MCD privileges and collection of any fees associated with the violation of this policy.

Approval Dates

This policy was originally approved on: 1 July 2013
This version was approved on: 1 January 2015
This version takes effect from: 1 January 2015
This policy will be reviewed by: 1 July 2015

Contact

IT Support Services

Policy Number

ITSC-MC001

Computer Hardware

Purpose

In an effort to minimize the total cost of ownership for desktop and laptop computers across the campus, Babson standardizes on a limited number of supported computer models. Currently the IT Service Center supports one desktop model and two laptop models with Microsoft Windows. An optional desktop and laptop model are also available for approved research purposes. The IT Service Center will fully support the hardware and Babson supplied software on these standard models. The IT Service Center will also provide limited hardware and software support for Apple desktops and laptops. Apple hardware must be sent to Apple for repairs.

All desktop and laptop computer hardware must be purchased through the IT Service Center. The College’s goal is to utilize only EPEAT Gold rated equipment. When required, limited purchases of EPEAT Silver and/or Bronze may be allowed on a case by case basis.

Organizational Scope

This is a College-wide policy and applies to all faculty and administrative staff including the Executive Conference Center and the Executive Education office. The IT Service Center will be responsible for tracking desktop/laptop computer assets owned by the College through the use of asset management software. It is the responsibility of managers/supervisors/Human Resources to notify the ITSC of any change in location or employee associated with the computer hardware.

Definitions

For purposes of this policy, unless otherwise stated, the following definitions shall apply:

Babson Standard Computer:  Any model desktop or laptop computer with a Microsoft Windows operating system selected by the IT Service Center as suitable for office, classroom, research or other use.  Any desktop or laptop computer that does not carry the exact type and model number as the Babson standard computer is considered non-standard. This may also include Apple hardware approved on a case by case basis (see Apple Computer below).

Desktop computer:  A personal computer (PC) in a form intended for regular use at a single location, as opposed to a mobile laptop. Desktop computers come in a variety of styles ranging from large vertical tower cases to small form factor models that can be tucked behind an LCD monitor. Babson desktops are supplied with a monitor, keyboard and a mouse. A second monitor is allowed for purchase by the Division or Department.

Laptop computer:  A laptop is a small mobile computer, typically weighing 3 pounds. Babson laptops purchased for individual computer use may be supplied with a port replicator, additional power supply, external monitor, external keyboard and mouse at an additional cost to the department/division. Tablet devices are not considered standard laptop computers and may not be a substitute for one.

Apple computer: A personal Macintosh computer, either a desktop or a laptop model, manufactured by Apple. Some examples include the iMac and the MacBook Pro. For the purposes of this policy, there is one standard Apple desktop model and one standard Apple laptop model. The cost differential for these computers (as compared to standard Windows hardware) is covered by the end user’s department/division. Apple hardware must be approved for purchase by the IT Service Center.

Individual computer:  The computer used by a single person (desktop or laptop) in an office, at home or while traveling. The hardware is not a shared resource and becomes the responsibility of one individual.

Instructor Workstation: A desktop computer installed in a media-equipped classroom which is centrally managed and funded. Classrooms are those rooms which are used for teaching and which are managed and maintained by Media and Production Services.

Lab Workstation: Desktop workstations with a full software load, located in either teaching or open-access areas. These computers typically have area specific software applications loaded and they are managed and funded centrally.

Port Replicator:  A device containing common PC ports such as HDMI, Display Port or USB ports, which allows the user to attach a portable computer to standard, non-portable devices such as a printer and monitor(s).

Public Workstation or Kiosk: This is a desktop or laptop computer placed in a public location and designated for access by anyone on the Babson campus.

Replacement Cycle: The frequency with which desktop and laptop computers are replaced at Babson. Laptop computers are replaced every three (3) years, desktop computers are replaced every four (4) years. Apple computers may be replaced within the same cycle as Babson standard Windows computers.

Shared computer:  This is a computer used by more than one individual in a department or office. Users may be either full-time or part-time, student staff, faculty sharing an office or a laptop shared by members of a department. Shared laptop computers do not include the port replicator or external accessories.

Policy Content and Guidelines

All standard computer hardware is selected to provide a high level of computing power at a cost-effective price with an EPEAT Gold rating. This standard computer hardware is purchased, maintained and replaced through a centrally funded ITSD budget cost center. Central funding covers the replacement of the following types of computers: Individual Computer, Shared Computer, Instructor Workstation, Lab Workstation, Public Workstation and Kiosk. Any additional computers required by a department must be approved by the IT Service Center and purchased using departmental funds. Apple computers are a special case and their purchase must be approved by the IT Service Center. All associated cost differentials (as compared to standard Windows hardware) for Apple hardware are billed to the appropriate department/division.

Note that many repairs are not covered under warranty. Any costs for parts replaced as the result of damage not covered under warranty, up to and including full replacement, are billed to the respective department/division. If a desktop or a laptop is not returned as requested at end of lease, the department/division will be responsible for the lease buyout cost of the hardware.

Individual/Shared Computer for Existing Position

Each existing position at Babson that requires the use of a computer should have an appropriate computer allocated. When an existing position is open and then filled, the new employee is expected to use the previously assigned computer. If for some reason, other than unrepairable hardware, the computer previously assigned cannot be given to the new employee, the department will be responsible for the full cost of a new computer. When the hardware reaches the appropriate age, the computer will be replaced as part of the next centrally funded replacement cycle. Request for an Apple computer at the time of refresh must be approved by the IT Service Center. The cost differential between the Apple hardware and the Windows hardware will be funded through the department. Departmental funding for the cost differential will be required for each cycle. All Apple laptops will follow a three-year replacement cycle while a desktop will follow a four-year replacement cycle.

New Position

When a new position is created which requires the use of a computer, the full cost of the new computer will be borne one-time by the department. Any request for an Apple computer for a new position must be approved by the IT Service Center, and the cost will be fully funded by the department. When the hardware reaches the appropriate age, all Windows computers will be replaced at no charge to the department as part of each centrally funded replacement cycle. All Apple hardware will follow a three-year replacement cycle and the department must cover the cost difference between an Apple computer and a comparable Windows computer.

Non-Standard Computers

Non-standard computers, while allowed on the network, will only receive limited, best-effort support from the IT Service Center. Non-standard computers will not be replaced as part of the centrally funded replacement cycle.

Off-Cycle Purchases

The IT Service Center will attempt to keep all standard computers in synch with specified replacement cycles. However, needs may arise between cycles. In those cases, the IT Service Center will use its discretion as to when the computer should be cycled next. Regardless of the timing of the off-cycle purchase, the IT Service Center may recommend an upgrade to the computer (additional memory, hard drive, etc.) in lieu of replacement. Off-cycle purchases will, in general, not be funded centrally. Departments must seek their own funding.

In certain cases, departments may purchase Babson standard computers with their own funds for a very specific and required need. The IT Service Center will support these computers in the same way as centrally funded computers for as long as the computer model is considered a Babson standard. Once the warranty has expired, the department will need to replace the computer with a current standard model in order to maintain campus support. Replacements of these computers will not be centrally funded but will be the responsibility of the purchasing department.

Approval Agency:

Vice President and CIO

Approval Dates:

This policy was originally approved on:   1 July 2005

This version was approved on:  1 August 2022

This version takes effect from:  1 August 2022

This policy will be reviewed by:  1 August 2023

Contact

IT Enterprise Services

Purpose

Per Babson’s “Policy on International Travel and the Use of Electronic Devices Abroad,” Babson students, faculty and staff are prohibited from taking Babson-issued devices to “Elevated-Risk Destinations.”

When traveling to “Elevated-Risk Destinations,” if you would like to take a laptop, you are required to check out a loaner laptop issued by the IT Service Center.

Process

The process to request a loaner laptop includes:

  • Email support@babson.edu two weeks prior to your travel date and request a loaner. Please include the following:
    1. Date of travel (both departure and return)
    2. Location of travel

Loaner machines will:

  • Have basic Office 365/OneDrive and Webex pre-installed, but no other software applications.
  • Have CrowdStrike/Carbon Black installed, allowing for heuristic monitoring of application behavior on the machine.
  • Have ESET EndPoint anti-virus installed, for the general health protection of the machine.
  • Have Computrace enabled on the device, allowing for remote wiping of data by IT Service Center staff should the device be lost or stolen while traveling.

Loaner machines will NOT:

  • Have Microsoft BitLocker drive encryption software enabled.
  • Be bound to the Babson domain, or have an account tied to your current Babson username/password credentials. Instead, a generic local administrator account will be set on the machine. You will be instructed on how to set up a local account password and/or set a fingerprint login for the device prior to your departure from the IT Service Center.

Faculty/Staff best practices

  • Store data in cloud locations that require secure authentication to access, rather than on the loaner laptop's local hard drive.
  • Remain vigilant and aware of your surroundings to prevent over-the-shoulder password capture, and never leave the loaner laptop unattended. Travelers are often targeted.
  • Change your Babson password using a different computer upon your return to the United States via http://hub.babson.edu to prevent compromise of your account.
  • Contact the IT Service Center immediately in cases of loss or theft.
  • When you return from travel, do not connect your device to the Babson network. Return it immediately to ITSC, where it will be wiped.

Practices

The purpose of this practice is to define and communicate Google storage limits for Faculty, Staff, Students, and Alumni.

This change is due to Google eliminating free unlimited storage for Google Workspace for Education. Significant cost increases combined with the availability of new, alternative storage tools have led the College to limit Google Drive storage in Babson-provided Google Workspace accounts to a maximum of 15 GB per account as of March 31, 2023.

This practice applies to all Babson Google accounts, encompassing faculty, staff, students, alumni, and affiliates, and is in effect as of January 1, 2023.

Babson’s Information Technology division has a formal process for implementing new software or hardware at the College. The process requires an Administrative or Academic Department to submit a software request form, providing details on the business need, cost, support model, integrations, etc. for any new software/hardware, or major modifications to existing software.

Student Projects

Information Technology encourages and supports student entrepreneurship in the technology field.  Students who wish to implement software they have created as part of a course project need to partner with an Administrative or Academic Department, and the faculty or staff member in that department must submit the request and explain how they will support the product once the student graduates. 
