Employment Component Policy Brief May 20, 2013 By: Andrew Hahn/Candace McTeer
The purpose of this policy brief is to provide a deeper understanding of the Employment Component of the Mason LIFE Program. This brief will explore the process of assigning students to worksites (both on and off campus), the Work Specialty Area upon completion of the program, the priority system established in Person Centered Meetings, and the role of families in these processes.
The LIFE Program is designed so that all students receive a wide variety of work experiences in conjunction with their academic experiences throughout their four years at George Mason University. The idea is to provide each student with a multitude of experiences so that upon graduation each individual will be in the best position to reach their full potential as members of the work force.
The Employment Coordinator actively pursues various opportunities for both on and off campus employment based on student interests. Beginning in the spring semester of a student’s first year and continuing every subsequent semester of enrollment, he or she will receive an on-campus work placement through the weekly employment class. Some of the placements include the Aquatic and Fitness Center, the Office of the President, Mail Services, the Broadside (student newspaper), among a host of others. A comprehensive list of on-campus work placements may be found in Appendix A. The placements are determined by availability, student interests discussed in Person Centered Planning meetings, and seniority. Each week, the student works at the on-campus job site for approximately ninety minutes with a one-on-one Employment Support Staff, carefully matched by the Employment Coordinator and trained in basic supported employment skills. After work, the student returns to the classroom and completes a work journal with his or her support staff, logging the progress of work skill development. Twice a semester, the student fills out a “Request for Time-Off” form and remains in the classroom during normal work time to update his or her professional portfolio, which includes resumes, skills, interests, work evidence, and supports. Also during the classroom sessions, the students participate in various activities (e.g., career development bingo or role-play of typical scenarios faced in the workplace) to emphasize and reinforce employment skills learned on the job site. If, after a few weeks, a student is seen as fit to work independently by his or her Employment Support Staff, the work site, the Employment Coordinator, and, most importantly, the student, modifications will be made to his or her support, such as providing faded support, solely travel support, or even complete independence.
For example, an Employment Support Staff may travel with the student to a job placement on campus such as the Office of the President, but leave the student to do his/her work independently, while providing periodic check-ins to ensure the work is being done efficiently and accurately.
Aside from the on-campus employment experience, Mason LIFE Employment has continuous relationships with off-campus worksites such as the Jewish Community Center, the Fairfax City Public Library, Northern Virginia Family Services, Linden Resources, and Sunrise Senior Living, among many others. A comprehensive list of off-campus work placements may be found in Appendix B. Students are again placed in these experiences based on seniority, interest, and availability. Additionally, a student may have an interest in a certain field or employment placement, and thus the Employment Coordinator will, in conjunction with the student, pursue opportunities in said field, for example, the airport.
Finally, the Mason LIFE Program proudly offers a Congressional Hill Internship program in which students participate in an all-day internship on Capitol Hill on either Mondays or Fridays. Students and their one-on-one Employment Support Staff travel together to and from Capitol Hill via the Orange Line on the DC Metrorail. The Employment Coordinator works with the House of Representatives Administration Committee in order to place each student in one office in the morning (10:00am to 12:00pm) and a different office in the afternoon (1:00pm to 3:00pm). Students’ participation in this program is granted based upon seniority and their ability to prove their reliability and work ethic in their on-campus placements. In addition, a stipend is provided to students in their third and fourth years (not to exceed 2 semesters) by the HSC Foundation.
Beginning with the Mason LIFE Class of 2014, the certificate of completion will demark a Work Specialty Area based upon the student’s employment experiences, in addition to the already noted concentration. Some specialty areas that are currently being pursued are Public Works, Community Outreach, Office/Clerical, Customer Service, and Child Care. The specialty area that the student would like to explore is discussed in the mandatory Person Centered Planning meetings. During these meetings, held on Tuesdays at either 10:00am or 11:30am, the student, all component coordinators, and the student’s SPED manager are present. Family members are encouraged to participate either in-person or by conference call. These meetings are most essential during the student’s first and fourth years of the program and may be scheduled as needed throughout their time at Mason LIFE. The purpose of the meeting is to construct a plan of action to maximize a student’s growth and development to prepare him or her for future endeavors, keeping the student’s wants and interests at the forefront of that plan. While family input is helpful, ultimately decisions are left in the hands of the student. During these meetings, besides discussing progress and establishing ideas for future growth in all components of the program, a priority system is established. This rank order determines which component of the program, whether a catalogue class (Exploration Component) or work experience (Employment Component), outranks the other in importance to the student in the event of scheduling conflicts.
The Mason LIFE Employment Component is designed to give all students a wide array of work experiences, both on and off campus, throughout their four years at Mason LIFE. While first choice of placement cannot be guaranteed each semester, by the end of the four years the students will not only have earned a Work Specialty Area indicated on their certificate of completion, but will also have experienced an incredibly wide variety of work placements in professional environments.
As illustrated by Appendices A and B containing comprehensive lists of work sites, the opportunities for growth in the workplace through the Employment Component are quite numerous.
On-Campus Placements
- Mason Inn
- Johnson Center Library: Data Entry
- Johnson Center Library: Circulation
- Sodexo Dining Services
- The Broadside
- Mail Services
- Recycling
- Assistive Technology Initiative
- Assistive Technology Lab
- Child Development Center
- Print Services: Copy Center
- Print Services: Front Office
- Mason LIFE Office
- LEAD Office
- Recreation and Athletic Complex (RAC)
- Aquatic and Fitness Center (AFC)
- Office of Disability Services
- AIM-VA (Accessible Instructional Materials)
- Purchasing and Accounts Payable
- Office of the President
- Facilities
- Center for Consciousness and Transformation
- Office of Diversity and Equity
Off-Campus Placements
- Humane Society of Fairfax County
- Alzheimer’s Family Day Center
- Ronald Reagan National Airport: Traveler’s Aid
- Sunrise Senior Living
- The Jewish Community Center of Northern Virginia
- Fairfax City Public Library
- Odyssey Hospice
- Northern Virginia Family Services
- Fairfax Visitor Center and Museum
- Linden Resources
Mason LIFE Program Policy Brief Graduation and Certificates Heidi J. Graff Robin E. Moyher
Students completing their four years with The Mason LIFE Program will graduate with a George Mason Certificate of Completion with a catalog concentration and a work specialty area. Breaking this down in pieces, there are three main areas of importance. First, the Certificate of Completion is only awarded to those students who have been enrolled in the Mason LIFE Program for four years or eight semesters within a five-year period. The coursework is determined by the Person Centered Planning meeting, with the following courses required for at least one semester for completion: Human Sexuality and Personal Relationships Fundamentals, Mason Exploration, Developing Self-Regulation Strategies, Employment, Independent Living, Fitness, Literature, Writing, Mathematics, and Banking. These are all offered the fall of the freshman year. Community Access can be taken anytime during the eight semesters. Those students who have mastered travel training can opt out of this class and the requirement can be waived. The last requirement is the Senior Seminar class that is mandatory the spring of senior year. Students must make sufficient academic progress as marked by their equivalent grade point average to stay as an enrolled member of the university.
The second area of importance is the catalog concentration. Students have the ability to participate in or audit catalog or special topics classes beginning the second semester of their first year. Some students will participate in one course a semester while others will be enrolled in two classes. This is contingent upon the student and his/her goals. With successful finishing of each course, as noted by test scores, work products, performances (when appropriate), and homework, the grade will be entered on the academic record or transcript. The selection of each special topics class is determined at the Person Centered Planning Meetings with the goal to establish an area that the student would like to study while at the university. These special topics classes fall under the Exploration Component, with the idea being that the students are free to explore areas of knowledge. A support staff attends the class with the student and the student is also enrolled in a two hour support class where homework and projects can be accomplished. It is this process that creates the catalog concentrations. There are three, four, and five class concentrations noted on the Certificate of Completion. So, for example, if a student has audited three classes in the discipline of theatre, the student would have the three course Theatre and Performing Arts Concentration noted on their Certificate. If a student participated in four communications classes, the student would have the four course Communications Concentration noted on their Certificate. A five class concentration is denoted as a Comprehensive Concentration. Students have the ability to have more than one concentration.
The last important component of the certificate is the work specialty area. During the first semester, students are enrolled in a classroom based employment class, to refine resumes and work behaviors as well as discuss various positions. After successful completion, students begin to have work experiences. Most students are placed on-campus with a support staff member and then by their third and fourth year, the students have the opportunity to explore off campus placements. It is through these experiences that students begin to cluster skills to form the work specialty area. Some specialty areas that are currently being pursued are Public Works, Community Outreach, Office/Clerical, Customer Service, and Child Care.
Mason LIFE Policy-Seizure Disorders
No Need to Call an Ambulance
- if we know the student has a seizure disorder, and
- if the seizure ends in under five minutes, and
- if consciousness returns without further incident, and
- if there are no signs of injury or physical distress.
However, the support staff must inform the next level of supervisor and the student’s family will be contacted.
An Ambulance Should Be Called
- if the seizure has happened in water.
- if we do not know whether the person has a seizure disorder, as this is the first time.
- if the seizure continues for more than five minutes.
- if a second seizure starts shortly after the first has ended.
- if the person has another condition such as diabetes or heart disease.
- if consciousness does not start to return after the shaking has stopped.
- if the person has any difficulty breathing after the seizure.
The support staff must inform the next level of supervisor IMMEDIATELY and the student’s family will be contacted.
During the Seizure Activity
First aid for epilepsy is basically simple. The goal is to keep the person safe until the seizure stops naturally by itself. These are the key things to remember:
- Keep calm and reassure other people who may be nearby.
- Don't hold the person down or try to stop his movements.
- Time the seizure with your watch.
- Clear the area around the person of anything hard or sharp.
- Loosen ties or anything around the neck that may make breathing difficult.
- Put something flat and soft, like a folded jacket, under the head.
- Turn him or her gently onto one side. This will help keep the airway clear. Do not try to force the mouth open with any hard implement or with fingers. It is not true that a person having a seizure can swallow his tongue. Efforts to hold the tongue down can cause injury.
- Don't attempt artificial respiration except in the unlikely event that a person does not start breathing again after the seizure has stopped.
- Stay with the person until the seizure ends naturally.
- Be friendly and reassuring as consciousness returns.
- Always stay to help the person get home.
Responsible Use of Computing
This policy applies to all persons who use Mason’s Computing Resources, including but not limited to Mason employees, students, visitors, and contractors.
II. Policy Statement
Mason provides and maintains its general computing services to support the education, research, and work of its employees and students. At the same time, Mason desires to protect all users’ rights to an open exchange of ideas and information.
This policy sets forth the responsibilities of the users of Mason’s Computing Resources.
Because it is impossible to anticipate all the ways in which individuals can damage, interrupt, or misuse Mason’s Computing Resources, this policy focuses on a few simple rules.
This policy allows for investigations of complaints involving the misuse of Mason’s Computing Resources, including complaints of sexual harassment, violations of Mason’s Honor Code, and violations of federal, state, and local laws. Violations of this policy may result in revocation of access, suspension of accounts, disciplinary action including dismissal, or prosecution. Evidence of illegal activity will be turned over to the appropriate authorities.
“Mason’s Computing Resources” means all computers, systems, workstations, networks, networking equipment, peripheral devices, servers, and any other university property attached to Mason’s network. Mason’s Computing Resources also include all software, programs, files, documents, and databases stored in Mason computing systems.
“Information Technology Services (ITS)” means the university department that is responsible for IT equipment and services within the Mason campus system.
“User” means any person who uses Mason’s Computing Resources.
Access to Mason’s Computing Resources is a privilege granted on a presumption that every member of the Mason community will responsibly exercise this privilege by preserving the security, confidentiality, availability, and integrity of Mason’s Computing Resources.
A. All Users. It is the responsibility of all Users to read and follow this policy and all applicable laws and procedures. In addition, when using Mason’s Computing Resources, Users must adhere to the following rules:
RULE 1: Use Mason’s Computing Resources only for the purpose of supporting the educational, research, and administrative needs of the University
• Users may not use Mason’s Computing Resources for recreation or entertainment if such use interferes with the educational, research and/or administrative needs of the University.
RULE 2: Do not use Mason’s Computing Resources to violate other policies or laws
• Do not use Mason’s Computing Resources to violate laws or Mason policies, including but not limited to Mason’s Honor Code, Human Resources policies, or Standards of Conduct.
• Do not extend the Mason network without explicit permission from ITS Network Engineering and Technology. The unauthorized use of routers, switches, wireless access points, and other devices is prohibited by University policy.
• Do not use Mason’s Computing Resources to transmit, store, display, download, print, or intentionally receive obscene material. State employees must also be aware of state laws prohibiting the use of state equipment to access, store, print, or download sexually explicit content.
RULE 3: Use only the Mason account(s) you are authorized to use
RULE 4: Do not use any of Mason’s Computing Resources for inappropriate purposes
A non-exhaustive list of example restrictions follows:
• Do not sell access to Mason’s Computing Resources.
• Do not engage in commercial activity not sanctioned by Mason, except for incidental personal use.
• Do not intentionally deny or interfere with any network resources.
• Do not use or access any of Mason’s Computing Resources, or read or modify university-owned files, without proper authorization.
• Do not use Mason’s Computing Resources to in any way misrepresent or impersonate someone else.
• Do not violate copyright laws and licenses.
• Do not violate university policy or federal, state, or local laws.
RULE 5: Honor the privacy of other Users
• Do not access the contents of another User’s files without express authorization from that User.
• Do not intercept or monitor any network communications meant for another person or purpose.
• Do not transmit or distribute personal or private information about individuals without express authorization from the individuals affected.
• Do not create or use programs (e.g., keyloggers) that secretly collect information about Users.
RULE 6: Do not allow another User to access your accounts
Users may be held responsible for actions related to their specific account(s). If a person violates any policies, his or her actions can be traced back to the username, and the account holder may be held responsible.
B. University Employees. Mason faculty and staff, as state employees, are subject to the Freedom of Information Act, §2.2-3700, et seq., of the Code of Virginia, and all applicable state and federal rules and regulations. When using Mason’s Computing Resources, employees must:
• comply with any statute or regulation applicable to university employees including, but not limited to, Commonwealth of Virginia DHRM Policy 1.75 and Code of Virginia § 2.2-2827 prohibiting employees from accessing, downloading, printing or storing sexually explicit materials.
• comply with more specific requirements for the use of Mason’s Computing Resources which are related to job duties and which are communicated through other university policies and standards.
• All employees who must access sexually explicit content to perform their job must obtain University Approval (Procedure to Obtain an Exception for Sexually Explicit Materials) prior to using Mason’s Computing Resources for such work. Faculty and researchers must obtain such approval from the Office of the Provost, and all other employees must obtain such approval from the Office of the Senior Vice President.
• Suspected policy violations should be referred to the appropriate supervisor or department, which may include Internal Audit and Management Services or University Police. In addition, if such violation constitutes fraud, waste, or abuse, the suspected violation can be reported to the State Fraud, Waste, and Abuse Hotline.
V. University Responsibilities
The University acknowledges that personal email, electronic files, and websites maintained on Mason equipment are part of an electronic information environment. While this policy endeavors to maintain User confidentiality, it cannot create, nor should faculty or staff members presume, any expectation of privacy.
The University reserves the right to inspect all User files and communications for all lawful purposes, including but not limited to investigating allegations of illegal activity, violations of Mason policies, or to protect the integrity and security of network systems. The University will investigate all complaints involving personal web sites hosted on university resources and will remove or block material or links to material that violate federal or state law or University policy.
The University considers any violation of this policy to be a serious offense and reserves the right to copy and examine any files or information on Mason’s Computing Resources related to suspected unacceptable use and to protect its resources from systems and events that threaten or degrade operations.
The University may choose to suspend a User’s access to its resources in connection with an investigation. Users are not entitled to any expectation of privacy. User files, network transmissions, computer sessions, data, and/or communications may be shared with appropriate investigating officials.
Regarding employees, the consequences of policy violation will be commensurate with the severity and frequency of the offense and may include termination of employment.
Regarding students, the consequences of policy violations will be commensurate with the severity and frequency of the offense and may include suspension or expulsion.
In addition, consequences of policy violation may include, but are not necessarily limited to, the following:
• Notification—alerting a User to what appears to be an inadvertent violation of this policy in order to educate the User to avoid subsequent violations.
• Warning—alerting a User to the violation, with the understanding that any additional violation will result in a greater penalty.
• Loss of computer and/or network privileges—limitation or removal of computer and/or network privileges, either permanently or for a specified period of time.
• Restitution for damages—requiring reimbursement for the costs of repair or replacement of computer-related material, equipment, hardware, software, data and/or facilities; such reimbursement shall include, but not necessarily be limited to, the cost of additional time spent by university employees due to the violation.
• Penalties—if applicable, the violator may be subject to criminal or civil penalties.
The violation of copyright, licenses, or personal privacy or the publishing of obscene materials or child pornography may result in civil or criminal legal actions as well as university disciplinary actions.
VII. Copyright Infringement
Because the University is the Internet Service Provider (ISP) for the Mason community, it is held to strict copyright compliance standards as defined in 17 U.S.C., the Higher Education Opportunity Act, and other mandates. The process described here, called “Stop It,” will be used to communicate with Mason students or employees alleged to have violated copyright law. This process will be employed when Mason’s Computing Resources have been used to download or upload media illegally using peer-to-peer file sharing software or other methods.
The University does not actively search for instances of copyright infringement or monitor a specific individual’s network activity. However, notices of copyright violations affiliated with an individual’s account are cumulative throughout his/her time at Mason.
Stop It #1 Notice
1. The User is made aware that illegal infringing activity may have taken place via his/her Mason account.
2. The User is required to remove the stated infringing material and any peer-to-peer file sharing software used for this purpose from his/her computer.
Stop It #2 Notice
1. The User is made aware that this is the second instance of illegal infringing activity on his/her Mason account. Receipt of a second notice generally indicates a pattern of downloading rather than a single, incidental event.
2. The User is required to remove the stated infringing material and any peer-to-peer file sharing software used for this purpose from his/her computer.
3. The User must meet with the Head of the Copyright Office, within a prescribed time, to discuss alternative, legal sources of in-copyright content.
4. The User must write, sign and date a letter stating that the infringing materials and peer-to-peer file sharing software have been removed from his/her computer. The Copyright Office retains this letter.
5. If the User does not meet with the Head of the Copyright Office within the prescribed time, that individual will be partitioned from the Mason network until such time the Stop It #2 requirements are fulfilled.
Infringing activity associated with a student’s account may result in immediate partition from the Mason network and may result in a referral to the Office of Student Conduct. Repeat copyright violations associated with an employee’s account may result in civil or criminal legal actions as well as university disciplinary actions.
A. Effective Date:
The policies herein are effective October 20, 1997. This policy shall be reviewed and revised, if necessary, annually.
B. Date of Most Recent Review:
March 19, 2015
IX. Timetable for Review
This policy, and any related procedures, shall be reviewed every three years or more frequently as needed.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: 10/07/02
Revisions approved: 1/08/08
Revisions approved: 3/19/2015
Document link: http://universitypolicy.gmu.edu/policies/responsible-use-of-computing
Physical and Logical Access Security
This policy applies to all academic and operational departments and offices at all George Mason University locations, owned and leased. The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors.
This policy governs the physical and logical access to all university systems and applications to protect the privacy, security, and confidentiality of university systems, especially highly sensitive systems, and the responsibilities of institutional units and individuals for such systems.
II. POLICY STATEMENT
Information and related systems maintained by the University centrally and within departments and offices are vital assets that need to be available to employees who have a legitimate need for them, consistent with the University’s responsibility to preserve and protect such information resources by all appropriate means.
To provide reliable and accurate data to the University community, information resources must be protected from natural and human hazards. Policies and practices must be established to ensure that risks are eliminated or mitigated using best practices validated by security professionals. Employees accessing data must observe requirements for confidentiality and privacy, must comply with protection and control procedures, and must accurately present the data in any use.
The function of this policy is to enhance and help define the policies and procedures of an IT security program to protect university IT systems and data from credible threats, whether internal or external, deliberate or accidental.
It is the policy of the university to use all reasonable IT security control measures to:
a. Protect university information resources against unauthorized access and use
b. Maintain the integrity of university data
c. Ensure university data residing on any IT system is available when needed
d. Comply with the appropriate federal, state and other legislative, regulatory and industry requirements
Protecting information resources includes:
- Physical protection of information processing facilities and equipment
- Assurance that application and data integrity are maintained
- Assurance that information systems perform their critical functions correctly, in a timely manner, and under adequate controls
- Protection against unauthorized access to protected data through logical access controls
- Protection against unauthorized disclosure of information
- Assurance that systems continue to be available for reliable and critical information
- Assurance that the security and forensic needs of the university are met
Additionally, information entered, processed, stored, generated, or disseminated by information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside the university. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Proper account management procedures, security monitoring, and logging practices are required to provide this type of protection of data.
The following principles are the main components of the security policy for physical and logical access that itemizes the standards to which all university information systems and applications must adhere.
- All university systems and their applications will be classified by the university’s Information Security Officer or designee according to their sensitivity with respect to data confidentiality, system availability, and data integrity.
- Once classified, the system’s or the application’s minimum authentication and authorization requirements must be determined by the System Owner and documented according to risk and sensitivity.
- All systems and applications will have documented policies and procedures for:
a. approving and terminating access
b. obtaining and disabling temporary accounts
c. consistent periodic review and assessment of all accounts for continued needs, with documentation as evidence of the review
d. locking accounts after a period of inactivity, with the period of time appropriate to the sensitivity of the system and associated risks
e. logging configurations and review
The organization responsible for an information system is responsible for the prompt deactivation or disabling of accounts when necessary including but not limited to accounts subject to the following circumstances:
a. the accounts for terminated individuals shall be removed/disabled/revoked from any computing system at the end of the individual’s employment or when continued access is no longer required
b. the accounts of transferred individuals may require removal/disabling to ensure changes in access privileges are appropriate to the change in job function or location
c. the accounts for employees who are not working due to any sort of leave, disability or other authorized purpose, or when continued access is no longer required, shall be temporarily disabled for a period consistent with the employee’s personal usage needs and duration of absence
d. the accounts for employees suspended for more than one day for disciplinary reasons shall be disabled
- There will be no anonymous “guest” accounts on any system classified as sensitive. The organization responsible for an information system shall issue a unique account to each individual authorized to access that information resource.
- Accounts on all systems will use non-shared, unique passwords. In the instances when systems classified as sensitive must use a shared account in order to do business, strong mitigating controls must be documented and practiced. In these unique situations, the proposed controls can be reviewed by the Information Security Officer. Those systems residing on a guest network are exempt from this requirement.
- Physical and logical access to any system will be granted based on least privilege. When establishing accounts, standard security principles of “least privilege” to perform a function must always be used, where administratively feasible. Access privileges should be limited to those that the user has a genuine need for to complete job responsibilities and functions. For example, a root or administrative privileged account must not be used when a non-privileged account will do. Privileges must never be granted “in case” a user might need them.
- Access security designs for all systems will be group or role based and privileges assigned to groups or roles will be based on least privilege.
- Access privileges granted to each individual user will adhere to the principles of separation of duties. Technical or administrative users, such as programmers, System Administrators, Data Base Administrators, security administrators of systems and applications must have an additional, separate end-user account to access the system as an end-user to conduct their personal business.
- Passwords or PINs are required on all University issued mobile devices such as PDAs and smart phones.
- No passwords for any system may be stored or transmitted in clear text.
To provide for the security and forensic needs of the university, all servers not administered by central Information Technology Unit (ITU) must follow these logging standards. These standards do not apply to workstations. Exceptions to these standards must be evaluated and approved by the IT Security Office.
1. At the unit or department level, a program for documenting and implementing information security monitoring and logging practices must be put in place.
2. At the unit or department level:
a. A person in a responsible position needs to be assigned the responsibility of developing and implementing information security logging capabilities
b. The person in this role must develop and implement detailed procedures for reviewing and administering the logs
3. Logging must be enabled to include at a minimum:
a. The event
b. The user ID associated with the event
c. The time the event occurred
4. IT system event logs must be routinely monitored in real time:
a. Log review must include the ability to correlate log information with other automated tools
b. The solution must be able to identify suspicious activities
c. The solution must provide for alert notification
5. The process for responding to malicious events and type of action to be taken must be documented.
6. Prohibit Keystroke loggers from being installed or any other unauthorized monitoring from taking place.
Access: The ability to use, modify or manipulate an information resource or to gain entry to a physical area or location.
Access Control: The process of granting or denying specific requests for obtaining and using information and related information processing services or resources and to enter a specific physical facility, such as a building or designated room containing information resources. Accompanying the process are procedures that monitor access. The purpose of access controls is to prevent unauthorized access to IT systems.
Availability: Protection of IT systems and data to ensure timely and reliable access to and use of information to authorized users.
Confidentiality: The protection of sensitive information so that it is not disclosed to unauthorized individuals, entities or processes.
Information Security Officer (ISO): The individual designated by the chief information officer to be responsible for the development, implementation, oversight, and maintenance of the university’s IT security program.
Integrity: The protection of data or IT so that data has not been intentionally or accidentally modified or deleted in an unauthorized and undetected manner.
Least Privilege: The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. The enforcement of least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and defining the user’s role which includes those privileges only.
Logical Access Control: Logical access controls provide a technical means of controlling what information a user can utilize, the programs the user can run, and the modifications the user can make. These controls are computer-based and can prescribe not only who or what process is to have access to a specific information resource but also the type or level of access that is permitted, such as use, change, or view.
Physical Security: The physical safeguards that protect against unauthorized access, can detect attempted or actual unauthorized access and can activate an effective response. These measures are required to control access to information resources and assets.
Depending on the classification of the information resource, the appropriate physical security safeguards such as progressively restricted security zones, locked doors, access control systems, intrusion alarm systems, and other provisions will be implemented.
Separation of Duties: The “separation of duties” is defined as the assignment of responsibilities such that no one individual or function has control over an entire process. The principle of “separation of duties” manages conflict of interest, the appearance of conflict of interest, and potential fraud.
Server: A server is a system (software and suitable computer hardware) that responds to requests across the Mason network or the Internet, if hosted off campus, to provide, or help to provide, a network service. All systems that are intentionally configured to be accessible via the internet are considered to be servers. A system may only be accessible from the university network but provides a server service and therefore is a server.
System Owner: The System Owner is the person responsible for operation and maintenance of a university IT system. With respect to IT security, the System Owner’s responsibilities include establishing security awareness and training capabilities that ensure that all IT System Users receive training appropriate to their role, maintaining compliance with university and state security policies and standards in all IT system activities, and maintaining compliance with requirements specified by Data Owners for the handling of data processed by the system.
Vice presidents, deans, department heads and their staffs are responsible for the security, confidentiality, availability and integrity of data and systems to the extent that they have access and/or access control.
This policy also places responsibility on department heads and directors to encourage appropriate computer use as specified in Responsible Use of Computing Policy, ensure compliance with information technology policies and standards by people and services under their control, and implement and monitor additional procedures as necessary to provide appropriate security of information resources within their area of responsibility.
Departments and administrative offices shall develop, manage and review local operating policies and procedures to create the proper security practices for the logical and physical security of information resources.
The Information Technology Unit (ITU) is responsible for establishing and maintaining the physical security of the central computing facilities, including shared file servers managed by ITU, the university’s communications network, and data for which the ITU is the custodian. ITU will maintain access to centrally-managed computing systems, the campus network, and fileservers managed by ITU.
All users of university information technology resources are required to adhere to detailed requirements included in the Responsible Use of Computing Policy as well as other university policies related to the security of information technology resources.
System owners must have documented procedures for access control and must be able to produce the documented procedures when required for auditing purposes. Evidence of account approval, termination, and disabling must be available when required for auditing purposes.
Failure to honor the requirements set forth in this policy may result in disciplinary or administrative action.
VI. EFFECTIVE DATE AND APPROVAL
This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of Mason’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: February 25, 2010
Revised: January 27, 2014
Document link: http://universitypolicy.gmu.edu/policies/physical-and-logical-access-security
This policy applies to all academic and operational departments and offices at all George Mason University locations, owned and leased. The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors. This policy governs the privacy, security, and confidentiality of university data, especially highly sensitive data, and the responsibilities of institutional units and individuals for such data.
George Mason University maintains data essential to the performance of university business. These data are valuable assets. State and federal laws identify the types of data to which access and storage must be restricted. This policy incorporates federal and state standards, and establishes responsibilities for all elements of university data in terms of confidentiality, integrity, and availability.
The greatest benefit the university can provide to the community is data that is shared and used with care. This benefit is diminished through misuse, misinterpretation, or unnecessary restrictions on access. Although a large portion of university data are shared with the public, some data are restricted by the privacy protections established in laws or policies. To comply with these mandates and to protect the university community as a whole, the university has the right and the obligation to protect, manage, secure, and control data under its purview.
A. University Data
University data are any data required to conduct the operations of the university. University data are divided into two main categories: protected data and public use data. Protected data include two sub categories: highly sensitive and restricted.
i. Protected Data – Highly Sensitive: Data that (1) by their personal nature can lead to identity theft or exposure of personal health information, or (2) a researcher, funding agency or other research partner has identified as highly sensitive or otherwise requiring a high level of security protection. Some examples are: data classified as secret by the Federal government, data that is often involved in identity theft (e.g. SSNs), data described in the Health Insurance Portability and Accountability Act (HIPAA) as needing to be secured, and data that could lead to financial theft (e.g. credit card information). See Appendix A for a list of the types of data classified as Protected Data – Highly Sensitive. This list is updated annually by the Information Security Officer.
ii. Protected Data – Restricted: Data that, by their very nature or regulation, are private or confidential and must not be disclosed except to a previously defined set of authorized users. Some examples are: data defined as confidential by the Family Educational Rights and Privacy Act (FERPA), employee performance evaluations, confidential donor information, some research data, minutes from confidential meetings, accusations of misconduct, or any other information that has been identified by the University, its contractors or funding agencies, or Federal or State regulations, as private or confidential and not to be disclosed.
iii. Public Use Data: Data intended for general public use. An example is the university’s on-line directory.
B. Key Personnel Responsible for the Protection of University Data (See Appendix B)
President: The president of George Mason University, as the head of a Commonwealth of Virginia state agency, has ultimate responsibility for the university’s security program and the protection of restricted and highly sensitive data and critical system assets. The president has delegated these responsibilities to members of the president’s Executive Council.
Chief Information Officer: The Executive Council member designated by the university president to have executive oversight of the university’s IT security program and for the evaluation and classification of data.
Chief Data Stewards:
Senior Vice President The Executive Council member designated by the university president to be responsible for all restricted and highly sensitive data associated with employees, contractors, and affiliates. In this role, the senior vice president determines who has access to such data, how it can be stored, and how it must be protected. The senior vice president may delegate responsibility for certain data sets to others via formal memoranda.
Provost The Executive Council member designated by the university president to be responsible for all restricted and highly sensitive data associated with students and faculty in performance of their teaching and research activities. In this role, the provost determines who has access to such data, how it can be stored, and how it must be protected. The provost may delegate responsibility for certain data sets to others via formal memoranda.
Information Security Officer (ISO): The individual designated by the chief information officer to be responsible for the development, implementation, oversight, and maintenance of the university’s IT security program.
System Owner: The System Owner is the person responsible for operation and maintenance of a university IT system. With respect to IT security, the System Owner’s responsibilities include establishing security awareness and training capabilities that ensure that all IT System Users receive training appropriate to their role, maintaining compliance with university and state security policies and standards in all IT system activities, and maintaining compliance with requirements specified by Data Owners for the handling of data processed by the system.
Data Owners: Deans, vice presidents, associate vice presidents, directors, managers, or others authorized by the Chief Data Stewards to manage a subset of data. The delegation of this authority and responsibility is accomplished by written instructions. This person is responsible for ensuring that University data security policies are followed and for developing internal controls to ensure data security and privacy.
System Administrator: A System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian. Their responsibilities can include administration at the system infrastructure layer and/or system application layer. Any given system may have more than one System Administrator depending on the size and complexity of the system. The System Administrator assists with the day-to-day administration of the university’s IT systems, and implements security controls and other requirements of the IT security program on IT systems for which the System Administrator has been assigned responsibility. System Administrators are responsible for documenting and enabling user access to a domain of university data on those IT systems. System Administrators also maintain records of IT System Users authorized for highly sensitive data related to those IT systems. Responsibilities and related security resources can be found at http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm.
Data Custodians: An individual who has been authorized to be in physical or logical possession of data by the Data Owner. Data Custodians are responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage and for providing and administering general controls, such as back-up and recovery systems. A Data Custodian may also be a System Administrator.
Data Processors: An individual authorized by data owners to enter, modify, or delete data. Data Processors are responsible and accountable for the completeness, accuracy, and timeliness of the data assigned to them.
IT System Users: Any university employee, contractor, affiliate, or duly authorized member of the community who can access restricted and/or highly sensitive university data but does not modify or delete that data. For the purposes of the responsibilities section in this policy, IT System Users include all who have the capacity to access university data. All IT System Users, whether they be Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access, as prescribed in this policy.
Privacy and Security Compliance Team: A select group of deans, directors, coordinators, vice presidents, and other employees, representing their respective departments, who, under the leadership of the chief of staff, are responsible for developing policies and providing direction for overall institutional data management.
Customer: Any employee, student, or individual not associated with the university from whom highly sensitive data is collected.
Encryption is the conversion of data into a form that is unreadable by an unauthorized user or process. Encrypted data must be decrypted (converted back to original form) prior to use. The university’s centrally managed encryption method requires a key for encryption and decryption. Data Custodians must employ encryption as a means of protecting highly sensitive data.
Access to university data is provided to university employees for the conduct of university business. Protected data, as defined by this policy, will be made available to employees who have a genuine need for it. This may include data collected from students, faculty, staff, contractors, members of the community, or those who have no affiliation with the university. Employees accessing such data must observe the requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data used in any type of reporting function. Individual units or departments that have stewardship responsibility for portions of protected university data must establish internal controls to ensure that university policies are enforced. All IT System Users, not just Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access or store, as prescribed in this policy.
i. The university forbids the disclosure of protected data in any medium except as approved in advance by a Data Owner. The use of any protected university data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited. Each IT System User will be responsible for the consequence of any misuse of university data.
ii. The university forbids the storage of highly sensitive data on any data storage device or media other than a centrally managed server approved for the storage of highly sensitive data or a secure networked file storage area. If an individual is required to store highly sensitive data for a business need, that individual must obtain permission from the Chief Data Steward. The written request for authorization must state the unique business need, the type of data that will be stored, the type of data storage device that will be used, and the mitigating controls that will be employed to protect the highly sensitive data. The centrally managed encryption program is required for storing any highly sensitive data on any type of device or media. If the centrally managed encryption program is not compatible with the storage device or method, another mitigating control must be used and approved by the Information Security Officer.
See Appendix C for authorization procedures and forms that require the user to state the business need and agree to accept the responsibility to protect the highly sensitive data. Any university employee, student or non-university individual who stores highly sensitive university data without proper permissions and protection measures is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.
iii. Should a security breach occur, the Computer Security Incident Response Team (CSIRT) will investigate and discuss with the chief information officer as to whether or not the matter is referred to law enforcement authorities through the University Police Department. The assistant vice president for Human Resources will review all matters involving university employees. The dean of students will review all matters involving students. The Office of University Counsel will review matters involving individuals not affiliated with the university.
iv. All individuals accessing university data at George Mason University are required to comply with federal and state laws and university policies and procedures regarding data security of highly sensitive data. Any university employee, student or non-university individual with access to university data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.
C. The Duties of Key Personnel
Authorization for access to and the maintenance and security of all university data, particularly highly sensitive data, is delegated to specific individuals within their respective areas of responsibility.
Chief Data Stewards Responsibilities
- Establish policies and direction for the overall security and privacy of all University data, particularly highly sensitive data, within their respective areas of responsibility.
- Identify and appoint Data Owners for units within their areas of responsibility.
- Appoint appropriate representative individuals to the Privacy and Security Compliance Team.
System Owner Responsibilities
- Require that all users of the system complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually, thereafter.
- Manage system risk and develop any additional IT security procedures required to protect the system in a manner commensurate with risk.
- Maintain compliance with university IT security policies and standards in all IT system activities.
- Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
- Designate a System Administrator for the system. See http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm for a list of System Administrator responsibilities.
Data Owners Responsibilities
- Ensure that access and protection requirements consistent with university policies and the data classification are in place and responsive to business needs.
- Ensure the accuracy and quality of all data within their area.
- Communicate data protection requirements to the System Owner.
- Annually review with appropriate Data Custodians the current set of highly sensitive data access authorizations and, as appropriate, update authority granted each user.
- Ensure that authorized users of highly sensitive data are trained on their responsibilities associated with their approved access to that data.
- Report any possible breach in computer security or illicit use of highly sensitive data to the Support Center who will then notify the IT Security Office for CSIRT action.
- Review appeals of decisions to deny access to university data within their area of responsibility.
Systems Administrators Responsibilities
(See http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm for more details on requirements and responsibilities)
Note: Responsibility for the security of certain systems may belong to the Information Technology Unit if the unit or department has signed a service level agreement with the ITU to manage the server.
- Identify possible security gaps that may leave systems vulnerable to attacks or hackings and take remedial actions to make the systems secure.
- Ensure the usability, reliability, availability, and integrity of information systems and their data, including serving as liaisons between all parties with interests in such systems.
- Follow established formal procedures and tools as determined by their respective Data Owner to enable access for authorized Data Processors and IT System Users. This includes ensuring that all specified approvals have been granted before providing an IT System User access to highly sensitive data.
- Maintain documentation of users who are authorized access to highly sensitive data on IT systems to which they have been assigned. Where abuses of that authorization are discovered, make authorization withdrawal recommendations to the appropriate Data Owner.
Data Custodian Responsibilities
- Protect the data in their possession from unauthorized access, alteration, destruction, or usage.
- Use IT systems in a manner consistent with university policies and procedures.
- A Data Custodian may also be a System Administrator.
Data Processors Responsibilities
- Ensure the accurate input and presentation of data. Each Data Processor will be responsible for any intentional misrepresentation of data.
- Ensure the maintenance of data integrity. Upon recognizing that any data elements are in error, the Data Processor will notify the appropriate Data Owner.
IT System Users Responsibilities
- Read and, based on types of data accessed, comply with the relevant directions for “Computer Security” found at http://itsecurity.gmu.edu/.
- Use restricted and highly sensitive data only as required by the employee’s job responsibilities and authorized by appropriate Data Custodian.
- Respect and protect the confidentiality and privacy of individuals whose records they access.
- Report any possible breach in computer security or illicit use of restricted and/or highly sensitive data to the Data Owner of the IT System User’s unit.
Privacy and Security Compliance Team Responsibilities
- Ensure the university complies with state and federal regulations on security and privacy of university data.
- Educate the university community about trends in security and privacy that have the potential to affect how the university does business.
- Recommend to the president of George Mason University remedial action(s) to identified problems.
- Review policies and procedures developed by each department or unit to ensure that these departments or units have appropriate security measures that will protect university data from compromise or unauthorized access, modification, destruction, or disclosure.
D. Organizational and Individual Responsibilities for Access Control to Highly Sensitive Data
i. No one is permitted to access highly sensitive data unless the Data Owner has given written permission, either through established business processes or specific memorandum. Assuming the user has documented permission to access the data, the user must not store the data unless written approval has been granted to do so through the use of the online form that requires the user to describe the unique business need for storage and the mitigating security controls.
ii. Each department or business unit will have documented procedures, consistent with the university’s security policies, which preserve and protect highly sensitive data and are designed to accomplish these goals:
- Ensure the security and confidentiality of customer information.
- Protect against any anticipated threats to the security or integrity of such information.
- Guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
iii. Each Data Owner will have a documented set of procedures for reviewing requests to access, modify, or update highly sensitive data.
iv. The IT Security Office will be available to assist each department or business unit by reviewing their access and data security procedures. If needed, the Privacy and Security Compliance Team will review to ensure compliance with this policy.
v. Members of the university community may appeal any decision that denies access to university data. Appeals are to be made to the appropriate Data Owner.
E. Public Requests for Protected Data
Requests by the public for protected data made through the Virginia Freedom of Information Act [University Administrative Policy #1117–Virginia Freedom of Information Act Requests] or other applicable law will be reviewed by the Office of University Counsel prior to any release of data.
IT System Users authorized to access highly sensitive data are required to participate in data security training commensurate with the type and use of such data. This training will be recommended annually to the Chief Data Stewards by a team drawn from the Research Office, University Life, Office of Human Resources, and the Information Security Office. Managers are to train, or arrange for training, for all current employees who have or will have access to highly sensitive university data prior to granting access to such data.
VI. EFFECTIVE DATE AND APPROVAL
The policies herein are effective May 4, 2005. This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: August 1, 2005
and March 2, 2009
Revised: January 29, 2013
Document link: http://universitypolicy.gmu.edu/policies/data-stewardship
Sexual Harassment Gender-Based Harassment and Interpersonal Violence Policy
Student Communication Policy
Student Travel Policy
Students are only allowed to travel into DC with a support staff member if the following events are happening: vigils, protests, or social justice activities.
These types of events can be very overwhelming for our students and could lead to problematic situations.
Any request should be discussed with the Coordinator, Assistant Director, or Director.