Helen A. Kellar Institute for Human disAbility - George Mason University


Employment Policy Brief

Employment Component Policy Brief
May 20, 2013
By: Andrew Hahn/Candace McTeer

The purpose of this policy brief is to provide a deeper understanding of the Employment Component of the Mason LIFE Program. This brief will explore the process of assigning students to worksites (both on and off campus), the Work Specialty Area upon completion of the program, the priority system established in Person Centered Meetings, and the role of families in these processes.

The LIFE Program is designed so that all students receive a wide variety of work experiences in conjunction with their academic experiences throughout their four years at George Mason University. The idea is to provide each student with a multitude of experiences so that upon graduation each individual will be in the best position to reach their full potential as members of the work force.

The Employment Coordinator actively pursues various opportunities for both on and off campus employment based on student interests. Beginning in the spring semester of a student’s first year and continuing every subsequent semester of enrollment, he or she will receive an on-campus work placement through the weekly employment class. Some of the placements include the Aquatic and Fitness Center, the Office of the President, Mail Services, and the Broadside (student newspaper), among a host of others. A comprehensive list of on-campus work placements may be found in Appendix A. The placements are determined by availability, student interests discussed in Person Centered Planning meetings, and seniority. Each week, the student works at the on-campus job site for approximately ninety minutes with a one-on-one Employment Support Staff, carefully matched by the Employment Coordinator and trained in basic supported employment skills. After work, the student returns to the classroom and completes a work journal with his or her support staff, logging the progress of work skill development. Twice a semester, the student fills out a “Request for Time-Off” form and remains in the classroom during normal work time to update his or her professional portfolio, which includes resumes, skills, interests, work evidence, and supports. Also during the classroom sessions, the students participate in various activities (e.g., career development bingo or role-play of typical scenarios faced in the workplace) to emphasize and reinforce employment skills learned on the job site. If, after a few weeks, a student is deemed ready to work independently by his or her Employment Support Staff, the work site, the Employment Coordinator, and, most importantly, the student, modifications will be made to his or her support, such as providing faded support, solely travel support, or even complete independence. For example, an Employment Support Staff may travel with the student to a job placement on campus such as the Office of the President, but leave the student to do his/her work independently, while providing periodic check-ins to ensure the work is being done efficiently and accurately.

Aside from the on-campus employment experience, Mason LIFE Employment has continuous relationships with off-campus worksites such as the Jewish Community Center, the Fairfax City Public Library, Northern Virginia Family Services, Linden Resources, and Sunrise Senior Living, among many others. A comprehensive list of off-campus work placements may be found in Appendix B. Students are again placed in these experiences based on seniority, interest, and availability. Additionally, a student may have an interest in a certain field or employment placement, and thus the Employment Coordinator will, in conjunction with the student, pursue opportunities in said field, for example, the airport.

Finally, the Mason LIFE Program proudly offers a Congressional Hill Internship program in which students participate in an all-day internship on Capitol Hill on either Mondays or Fridays. Students and their one-on-one Employment Support Staff travel together to and from Capitol Hill via the Orange Line on the DC Metrorail. The Employment Coordinator works with the House of Representatives Administration Committee in order to place each student in one office in the morning (10:00am to 12:00pm) and a different office in the afternoon (1:00pm to 3:00pm). Students’ participation in this program is granted based upon seniority and their ability to prove their reliability and work ethic in their on-campus placements. In addition, a stipend is provided to students in their third and fourth years (not to exceed 2 semesters) by the HSC Foundation.

Beginning with the Mason LIFE Class of 2014, the certificate of completion will demark a Work Specialty Area based upon their employment experiences, in addition to the already noted concentration. Some specialty areas that are currently being pursued are Public Works, Community Outreach, Office/Clerical, Customer Service, and Child Care. The specialty area that the student would like to explore is discussed in the mandatory Person Centered Planning meetings. During these meetings, held on Tuesdays at either 10:00am or 11:30am, the student, all component coordinators, and the student’s SPED manager are present. Family members are encouraged to participate either in-person or by conference call. These meetings are most essential during the student’s first and fourth year of the program and may be scheduled as needed throughout their time at Mason LIFE. The purpose of the meeting is to construct a plan of action to maximize a student’s growth and development to prepare him or her for future endeavors, keeping the student’s wants and interests at the forefront of that plan. While family input is helpful, ultimately decisions are left in the hands of the student. During these meetings, besides discussing progress and establishing ideas for future growth in all components of the program, a priority system is established. This rank order determines which component of the program, whether a catalogue class (Exploration Component) or work experience (Employment Component), outranks the other in importance to the student in the event of scheduling conflicts.

The Mason LIFE Employment Component is designed to give all students a wide array of work experiences, both on and off campus, throughout their four years at Mason LIFE. While first choice of placement cannot be guaranteed each semester, by the end of the four years the students will not only have earned a Work Specialty Area indicated on their certificate of completion, but will also have experienced an incredibly wide variety of work placements in professional environments.

As illustrated by Appendices A and B containing comprehensive lists of work sites, the opportunities for growth in the workplace through the Employment Component are quite numerous.

Appendix A:

On-Campus Placements
Mason Inn
Johnson Center Library: Data Entry
Johnson Center Library: Circulation
Sodexo Dining Services
The Broadside
Mail Services
Recycling
Assistive Technology Initiative
Assistive Technology Lab
Child Development Center
Print Services: Copy Center
Print Services: Front Office
Mason LIFE Office
LEAD Office
Recreation and Athletic Complex (RAC)
Aquatic and Fitness Center (AFC)
Office of Disability Services
AIM-VA (Accessible Instructional Materials)
Purchasing and Accounts Payable
Office of the President
Facilities Center for Consciousness and Transformation
Office of Diversity and Equity

Appendix B:

Off-Campus Placements
Humane Society of Fairfax County
Alzheimer’s Family Day Center
Ronald Reagan National Airport: Traveler’s Aid
Sunrise Senior Living
The Jewish Community Center of Northern Virginia
Fairfax City Public Library
Odyssey Hospice
Northern Virginia Family Services
Fairfax Visitor Center and Museum
Linden Resources

Graduation and Certificates

Mason LIFE Program Policy Brief
April 2013
By Heidi Graff, Ph.D.

Graduation and Certificates

Students completing their four years with The Mason LIFE Program will graduate with a George Mason Certificate of Completion with a catalog concentration and a work specialty area. Breaking this down into pieces, there are three main areas of importance. First, the Certificate of Completion is only awarded to those students who have been enrolled in the Mason LIFE Program for four years or eight semesters within a five-year period. The coursework is determined by the Person Centered Planning meeting, with the following courses required for at least one semester for completion: Human Sexuality and Personal Relationships Fundamentals, Mason Exploration, Developing Self-Regulation Strategies, Employment, Independent Living, Community Access, Fitness, and Preparation and Planning for Study. Highly recommended but not required are at least one semester of Literature, Writing, Mathematics, Public Speaking Basics, and Banking.

The second area of importance is the catalog concentration. Students have the ability to participate in or audit catalog or special topics classes beginning the second semester of their first year. Some students will participate in one course a semester while others will be enrolled in two classes. This is contingent upon the student and his/her goals. With successful finishing of each course, as noted by test scores, work products, performances (when appropriate), and homework, the grade will be entered on the academic record or transcript. The selection of each special topics class is determined at the Person Centered Planning Meetings with the goal to establish an area that the student would like to study while at the university. These special topics classes fall under the Exploration Component, with the idea being that the students are free to explore areas of knowledge. A support staff attends the class with the student and the student is also enrolled in a two hour support class where homework and projects can be accomplished. It is this process that creates the catalog concentrations. There are three, four, and five class concentrations noted on the Certificate of Completion. For example, if a student has audited three classes in the discipline of theatre, the student would have the three course Theatre and Performing Arts Concentration noted on their Certificate. If a student participated in four communications classes, the student would have the four course Communications Concentration noted on their Certificate.

The last important component of the certificate is the work specialty area. During the first semester, students are enrolled in a classroom-based employment class (E114) to refine resumes and work behaviors as well as discuss various positions. After successful completion, students begin to have work experiences. Most students are placed on-campus with a support staff member and then by their third and fourth year, the students have the opportunity to explore off campus placements. It is through these experiences that students begin to cluster skills to form the work specialty area. More information can be read about employment with the Mason LIFE Program in the Employment Component Policy Brief (Hahn and McTeer, 2013).

Mason LIFE Policy on Seizure Disorder

Mason LIFE Policy-Seizure Disorders

No Need to Call an Ambulance

  • if we know the student has seizure disorder, and
  • if the seizure ends in under five minutes, and
  • if consciousness returns without further incident, and
  • if there are no signs of injury or physical distress.

However, the support staff must inform the next level of supervisor and the student’s family will be contacted.

An Ambulance Should Be Called

  • if the seizure has happened in water.
  • if we do not know if the person has seizure disorder, as this is the first time.
  • if the seizure continues for more than five minutes.
  • if a second seizure starts shortly after the first has ended.
  • if consciousness does not start to return after the shaking has stopped.

The support staff must inform the next level of supervisor IMMEDIATELY and the student’s family will be contacted.

During the Seizure Activity

First aid for epilepsy is basically simple. The goal is to keep the person safe until the seizure stops naturally by itself. These are the key things to remember:

  • Keep calm and reassure other people who may be nearby.
  • Don't hold the person down or try to stop his movements.
  • Time the seizure with your watch.
  • Clear the area around the person of anything hard or sharp.
  • Loosen ties or anything around the neck that may make breathing difficult.
  • Put something flat and soft, like a folded jacket, under the head.
  • Turn him or her gently onto one side. This will help keep the airway clear. Do not try to force the mouth open with any hard implement or with fingers. It is not true that a person having a seizure can swallow his tongue. Efforts to hold the tongue down can cause injury.
  • Don't attempt artificial respiration except in the unlikely event that a person does not start breathing again after the seizure has stopped.
  • Stay with the person until the seizure ends naturally.
  • Be friendly and reassuring as consciousness returns.
  • Always stay to help the person get home.

Scope and Release Policy

George Mason Important Compliance Policies 2013

For 1st Year Students and their Families only

A Domicile form which has been e-mailed to you must be completed prior to start of classes (August 26). Please note that those families who are in-state and DO NOT complete the form will be subject to out-of-state tuition. The form can be returned to Lynne Paraggio.

All incoming students must follow the guidelines for George Mason University student immunizations. Please review the site, http://shs.gmu.edu/immunizations/. October 1st is the deadline. Please e-mail your questions to immunize@gmu.edu.

As your students begin the Mason LIFE Program, we would like you to fill out the Supports Intensity Scale. This Scale has been e-mailed and needs to be filled out and returned to Dr. Graff (in person or via mail) by Orientation. This Scale is very simple, based on your first impression/instinct, so there’s no need to labor over it. The answers are based on what your student can do NOW, in August of 2013, and what sorts of supports he/she needs NOW (living at home, before the Program starts). All first-year students complete this form, and the LIFE staff will complete a second one during the students’ fourth year, to examine growth over time.

Scope of Services for Mason LIFE Students

Participants in the Mason LIFE Program are non-credit, certificate status and are not enrolled, degree-seeking students of George Mason University. The Mason LIFE Program is designed to address the unique needs of all the individuals attending; however, other parts of the University may not be specifically able or trained to meet those needs. Counseling and Psychological Services is not available for Mason LIFE students. Instead, the Mason LIFE program will provide in-house mental health services for situational issues. For acute mental health emergencies, students, the university, and the program will seek the assistance of 911, or an outside referral will be required.

Student Health Services is available for immunizations records and for immediate first aid care only. Mason LIFE students need to make other medical arrangements for continuous care issues. Sick health care will be provided by the Fairfax INOVA 24 Access on route 123, just off the GMU main campus. The cost of the care will be the responsibility of each student/family. Areas of concern for Mason LIFE students will be examined through Person Centered Meeting and, when deemed necessary, will be referred to the appropriate off campus service for assistance. All emergencies will be handled by calling 911 and if an individual needs an ambulance, that person/family will bear the transportation cost. Beyond each Mason LIFE student’s program of study, integration into the campus community via engagement of special topics classes, clubs, and organizations is encouraged.

Mason LIFE Program Policies

Student and Family Support – All students and families will follow and support the components of the Mason LIFE Program. Any concerns may be brought up in a person centered meeting by the student in order to advocate for individual academic needs and goals.

Student Pick-up – All non-residential students must arrange for a consistent pick-up time. The Mason LIFE Program will follow the notification process in order to ensure student safety and security.

Research – As part of the College of Education and Human Development, educational research projects are often conducted within the Mason LIFE Program. These opportunities offer another level of understanding in supporting specific areas of student development. Research is conducted at the undergraduate, Master’s, and PhD levels. Consent will be sought for PhD research when the scope of work is beyond the parameters of Mason LIFE Program curriculum framework.

All Mason LIFE students will be expected to abide by the student code of conduct as outlined, http://studentconduct.gmu.edu/university-policies/code-of-student-conduct/. Mason LIFE students will follow the policies of the judicial system and the recommendations of the Dean of Students. Any resulting disciplinary action will follow in accordance with GMU policies to include the permanent or temporary expulsion of a student.

I agree to follow all policies of George Mason University. In addition, I authorize all Departments of George Mason University including, but not limited to, Housing and Residential life, University Police Department, Dean of Students Office, Office of Judicial Affairs, and Student Health Services to exchange any and all information about me or my medical needs with the Mason LIFE Program. I understand this information is confidential and the purpose is to help refer me to appropriate services. This authorization is valid during the entire period of my participation in the Mason LIFE Program. In addition by my signature, I affirm I also understand the Mason LIFE Program student’s scope of service.

Office number, (703) 993-3905,
Office Manager, Lynne Paraggio, lparaggi@gmu.edu
Website: http://masonlife.gmu.edu/;
Policies: http://masonlife.gmu.edu/policies
Director, Heidi Graff, hgraff@gmu.edu

Coordinators:
Academic Coordinator, Suri Raut, sraut@gmu.edu;
Exploration Coordinator, Kudy Giwa-Lawal, kgiwa@gmu.edu;
Residential Housing Coordinator, Permon Mitchell, pmitche7@gmu.edu;
Employment Coordinator, Andrew Hahn, ahahn@gmu.edu


Special Topics Catalog Class Policy Brief
February 4, 2013
By Heidi J. Graff

This policy brief is to provide a more comprehensive understanding of 1) the Exploration Program; 2) the priority process within Person Centered Meetings; 3) catalog classes; and 4) family involvement.

First, as a federally approved Comprehensive Transition Postsecondary program, the Mason LIFE Program is mandated to promote inclusive opportunities by having Mason LIFE Students participate in catalog classes. As such, the Exploration Component of the program was created. This component solely works to create opportunities for that participation by the development of Special Topics classes. The process is that the professor of record is contacted by the Exploration Coordinator to inquire about a Mason LIFE student participating in their class. Once approved, the syllabus is modified as are the assignments. A Support Staff is matched as a Mentor to help those students who may need assistance during class by taking notes or to give extra time to review the notes and course content after the class. The class is now called a Special Topics-Course Name (e.g., Special Topics-Beginning Modern Dance) as indicated on the student’s academic record. The class is not taken for credit but with the purpose of exposing the Mason LIFE student to a variety of topics and individuals.

Second, all Mason LIFE students must participate in a Person Centered Planning (PCP) Meeting. Family members may be present in-person or by conference call. All the Coordinators as well as the SPED Manager are present. The PCP meetings are held every Tuesday either at 10 or 11:30am. First year students must have the meeting during the first year and fourth year students must have the meeting prior to graduation. Second and third year students have meetings as needed but not more than one per year. During the meeting a plan is created for maximum growth with the student’s needs and wants being the focal point. The student is attending the university, so while family input is helpful, the student ultimately is the one responsible for the implementation and completion of the plan. Therefore, the student’s thoughts and options carry significant weight. During the PCP meeting, a consensus is reached regarding the student’s priority of each program component. For example, if work experiences are more important than taking a second Special Topics class, this is noted on the PCP planning sheet. As expected, there are occasions when there will be two choices of activities and a decision will be made based upon the priority order agreed upon at the meeting.

Third, catalog class approval notification is completed one week prior to the beginning of each semester. While the program would like more time, this is the timeframe of the university. Some last minute arrangements occur due to overall class size, room capacity, and the professor’s teaching style. The Director of the Mason LIFE Program is also each student’s Academic Advisor. It is the job of the Advisor to make final decisions with the student within the framework of the decisions discussed in the PCP meeting. Once a student is placed in a Special Topics class, there can be no changes. All class work can be individualized and the student is required to complete the class. The drop/add period is very small (concludes after the first week of classes) and the Registrar strongly frowns upon switching sections. Any changes past the drop/add period will have a financial penalty.

Fourth, since the scheduling period is so tight, the family must be active in the PCP meeting. That is the time to voice opinions. Once a student is scheduled, the family must encourage and reassure the student. Again, dropping the class is not an option. The Mason LIFE tuition covers taking most of the class (with the exception of individual music lessons and/or fees) and the support staff time. However, materials for the class, such as books, are an additional expense. Presumably, participating in catalog classes is one of the reasons the Mason LIFE student is at the university. Therefore, to have the student be successful, all parties involved, working with the student, must join together for continued growth.


Special Topics Courses Textbook Policy

Students are required to buy textbooks for their Special Topics courses. When we modify the Special Topics course syllabus, we identify the coursework and assignments each student will complete based on their level of abilities. We factor in reading levels when we adapt the reading materials. Buying the book allows the student to complete the necessary coursework and assignments as well as to prepare for participation during in-class activities or discussions.

When students purchase the textbook (new or used), we transfer the book into electronic copies that have several features for ease of adaptation to facilitate students' learning. The features include: 1. Audio, which students can use to listen to the assigned chapter readings; 2. Text formatting, which lets us add visual aids and change the text formatting; and 3. Organized sections, which are printed as needed instead of carrying the whole book around each day. We adapt the chapter readings by simplifying the vocabulary and outlining the main/important points. Students receive the outlines for assigned chapter readings before each class and one of our support staff will discuss or review lecture notes/outlines with the students as well. We also use graphic organizers and applicable learning/comprehension strategies with each student to ensure they understand the concepts discussed in the readings and in class.

Please note that our assistive technology team will tear the textbook apart to scan the pages. When finished, they will put the book back together with a spiral bind. If you rent the book, the book store will not accept it after it's been torn apart.

Another option would be to purchase the electronic copy directly from the publisher. Although it might be less expensive, there are limitations. Please check the disclaimer and copyright information to ensure your purchase gives you rights to use the electronic version as described.

Remember, our goal is to have the student explore the course content and be engaged with the class. Preparation is key and purchasing the book is part of that process.


Mason LIFE Sick Policy
January 2014

What happens if I wake up and I do not feel well?

  • The student must call Mrs. Paraggio at 703-993-3905 to let her know.
  • The parent(s)/guardian(s) will be called and informed of the student’s sickness.
  • The student will be allowed to rest until 11am.
  • The student and the parent(s)/guardian(s) must decide whether the student is well enough to go to class, go to a physician, or go home.
  • By noon, if the student is not well enough to go to class, the student will be escorted to Urgent Care. At this time, as noted by the scope and service in your application and at orientation, Student Health Services is used for Immunizations and first aid treatment only.
  • The Mason LIFE staff will follow the recommendations of the Urgent Care Staff to determine if the student needs to go back to on/off campus housing, home or to the Emergency Room.
  • If the student is allowed to return to on/off campus housing, the student will be alone between the hours of 8:30 a.m. – 3:00 a.m. It then becomes the family’s responsibility to either let them remain alone or to come pick them up and take them home.

There is no RA on duty between the hours of 8:30 a.m. – 3:00 p.m.
George Mason University is not equipped with a Sick Bay.
In case of extreme emergency, 911 will be called.

Policy 1301, Responsible Use of Computing

Responsible Use of Computing

I. Scope

This policy applies to all persons who use Mason’s Computing Resources, including but not limited to Mason employees, students, visitors, and contractors.

II. Policy Statement

Mason provides and maintains its general computing services to support the education, research, and work of its employees and students. At the same time, Mason desires to protect all users’ rights to an open exchange of ideas and information.

This policy sets forth the responsibilities of the users of Mason’s Computing Resources.

Because it is impossible to anticipate all the ways in which individuals can damage, interrupt, or misuse Mason’s Computing Resources, this policy focuses on a few simple rules.

This policy allows for investigations of complaints involving the misuse of Mason’s Computing Resources, including complaints of sexual harassment, violations of Mason’s Honor Code, and violations of federal, state, and local laws. Violations of this policy may result in revocation of access, suspension of accounts, disciplinary action including dismissal, or prosecution. Evidence of illegal activity will be turned over to the appropriate authorities.

III. Definitions

“Mason’s Computing Resources” means all computers, systems, workstations, networks, networking equipment, peripheral devices, servers, and any other university property attached to Mason’s network. Mason’s Computing Resources also include all software, programs, files, documents, and databases stored in Mason computing systems.

“Information Technology Services (ITS)” means the university department that is responsible for IT equipment and services within the Mason campus system.

“User” means any person who uses Mason’s Computing Resources.

IV. Compliance

Access to Mason’s Computing Resources is a privilege granted on a presumption that every member of the Mason community will responsibly exercise this privilege by preserving the security, confidentiality, availability, and integrity of Mason’s Computing Resources.

A. All Users. It is the responsibility of all Users to read and follow this policy and all applicable laws and procedures. In addition, when using Mason’s Computing Resources, Users must adhere to the following rules:

RULE 1: Use Mason’s Computing Resources only for the purpose of supporting the educational, research, and administrative needs of the University

• Users may not use Mason’s Computing Resources for recreation or entertainment if such use interferes with the educational, research and/or administrative needs of the University.

RULE 2: Do not use Mason’s Computing Resources to violate other policies or laws

• Do not use Mason’s Computing Resources to violate laws or Mason policies, including but not limited to Mason’s Honor Code, Human Resources policies, or Standards of Conduct.
• Do not extend the Mason network without explicit permission from ITS Network Engineering and Technology. The unauthorized use of routers, switches, wireless access points, and other devices is prohibited by University policy.
• Do not use Mason’s Computing Resources to transmit, store, display, download, print, or intentionally receive obscene material. State employees must also be aware of state laws prohibiting the use of state equipment to access, store, print, or download sexually explicit content.

RULE 3: Use only the Mason account(s) you are authorized to use

RULE 4: Do not use any of Mason’s Computing Resources for inappropriate purposes

A non-exhaustive list of example restrictions follows:
• Do not sell access to Mason’s Computing Resources.
• Do not engage in commercial activity not sanctioned by Mason, except for incidental personal use.
• Do not intentionally deny or interfere with any network resources.
• Do not use or access any of Mason’s Computing Resources, or read or modify university-owned files, without proper authorization.
• Do not use Mason’s Computing Resources to in any way misrepresent or impersonate someone else.
• Do not violate copyright laws and licenses.
• Do not violate university policy or federal, state, or local laws.

RULE 5: Honor the privacy of other Users

• Do not access the contents of another User’s files without express authorization from that User.
• Do not intercept or monitor any network communications meant for another person or purpose.
• Do not transmit or distribute personal or private information about individuals without express authorization from the individuals affected.
• Do not create or use programs (e.g., keyloggers) that secretly collect information about Users.

RULE 6: Do not allow another User to access your accounts

Users may be held responsible for actions related to their specific account(s). If a person violates any policies, his or her actions can be traced back to the username, and the account holder may be held responsible.

B. University Employees. Mason faculty and staff, as state employees, are subject to the Freedom of Information Act, §2.2-3700, et seq., of the Code of Virginia, and all applicable state and federal rules and regulations. When using Mason’s Computing Resources, employees must:

• comply with any statute or regulation applicable to university employees including, but not limited to, Commonwealth of Virginia DHRM Policy 1.75 and Code of Virginia § 2.2-2827 prohibiting employees from accessing, downloading, printing or storing sexually explicit materials.
• comply with more specific requirements for the use of Mason’s Computing Resources which are related to job duties and which are communicated through other university policies and standards.

• All employees who must access sexually explicit content to perform their job must obtain University Approval (Procedure to Obtain an Exception for Sexually Explicit Materials) prior to using Mason’s Computing Resources for such work. Faculty and researchers must obtain such approval from the Office of the Provost, and all other employees must obtain such approval from the Office of the Senior Vice President.

• Suspected policy violations should be referred to the appropriate supervisor or department, which may include Internal Audit and Management Services or University Police. In addition, if such violation constitutes fraud, waste, or abuse, the suspected violation can be reported to the State Fraud, Waste, and Abuse Hotline.

V. University Responsibilities

The University acknowledges that personal email, electronic files, and websites maintained on Mason equipment are part of an electronic information environment. While this policy endeavors to maintain User confidentiality, it cannot create, nor should faculty or staff members presume, any expectation of privacy.

The University reserves the right to inspect all User files and communications for all lawful purposes, including but not limited to investigating allegations of illegal activity, violations of Mason policies, or to protect the integrity and security of network systems. The University will investigate all complaints involving personal web sites hosted on university resources and will remove or block material or links to material that violate federal or state law or University policy.

The University considers any violation of this policy to be a serious offense and reserves the right to copy and examine any files or information on Mason’s Computing Resources related to suspected unacceptable use and to protect its resources from systems and events that threaten or degrade operations.

The University may choose to suspend a User’s access to its resources in connection with an investigation. Users are not entitled to any expectation of privacy. User files, network transmissions, computer sessions, data, and/or communications may be shared with appropriate investigating officials.

VI. Sanctions

Regarding employees, the consequences of policy violation will be commensurate with the severity and frequency of the offense and may include termination of employment.

Regarding students, the consequences of policy violations will be commensurate with the severity and frequency of the offense and may include suspension or expulsion.

In addition, consequences of policy violation may include, but are not necessarily limited to, the following:

• Notification—alerting a User to what appears to be an inadvertent violation of this policy in order to educate the User to avoid subsequent violations.
• Warning—alerting a User to the violation, with the understanding that any additional violation will result in a greater penalty.
• Loss of computer and/or network privileges—limitation or removal of computer and/or network privileges, either permanently or for a specified period of time.
• Restitution for damages—requiring reimbursement for the costs of repair or replacement of computer-related material, equipment, hardware, software, data and/or facilities; such reimbursement shall include, but not necessarily be limited to, the cost of additional time spent by university employees due to the violation.
• Penalties—if applicable, the violator may be subject to criminal or civil penalties.

The violation of copyright, licenses, or personal privacy or the publishing of obscene materials or child pornography may result in civil or criminal legal actions as well as university disciplinary actions.

VII. Copyright Infringement

Because the University is the Internet Service Provider (ISP) for the Mason community, it is held to strict copyright compliance standards as defined in 17 U.S.C., the Higher Education Opportunity Act, and other mandates. The process described here, called “Stop It,” will be used to communicate with Mason students or employees alleged to have violated copyright law. This process will be employed when Mason’s Computing Resources have been used to download or upload media illegally using peer-to-peer file sharing software or other methods.

The University does not actively search for instances of copyright infringement or monitor a specific individual’s network activity. However, notices of copyright violations affiliated with an individual’s account are cumulative throughout his/her time at Mason.

Stop It #1 Notice

1. The User is made aware that illegal infringing activity may have taken place via his/her Mason account.
2. The User is required to remove the stated infringing material and any peer-to-peer file sharing software used for this purpose from his/her computer.

Stop It #2 Notice

1. The User is made aware that this is the second instance of illegal infringing activity on his/her Mason account. Receipt of a second notice generally indicates a pattern of downloading rather than a single, incidental event.
2. The User is required to remove the stated infringing material and any peer-to-peer file sharing software used for this purpose from his/her computer.
3. The User must meet with the Head of the Copyright Office, within a prescribed time, to discuss alternative, legal sources of in-copyright content.
4. The User must write, sign and date a letter stating that the infringing materials and peer-to-peer file sharing software have been removed from his/her computer. The Copyright Office retains this letter.
5. If the User does not meet with the Head of the Copyright Office within the prescribed time, that individual will be partitioned from the Mason network until such time as the Stop It #2 requirements are fulfilled.

Infringing activity associated with a student’s account may result in immediate partition from the Mason network and may result in a referral to the Office of Student Conduct. Repeat copyright violations associated with an employee’s account may result in civil or criminal legal actions as well as university disciplinary actions.

VIII. Dates

A. Effective Date:

The policies herein are effective October 20, 1997. This policy shall be reviewed and revised, if necessary, annually.

B. Date of Most Recent Review:

March 19, 2015

IX. Timetable for Review

This policy, and any related procedures, shall be reviewed every three years or more frequently as needed.

Approved:

__/S_____________________
Maurice W. Scherrens
Senior Vice President

__/S______________________
Peter N. Stearns
Provost

Date approved: 10/07/02

Revisions approved: 1/08/08

Revised: 1/29/2013

Revisions approved: 3/19/2015

Document link: http://universitypolicy.gmu.edu/policies/responsible-use-of-computing
Policy 1312, Physical and Logical Access Security

Physical and Logical Access Security

I. SCOPE

This policy applies to all academic and operational departments and offices at all George Mason University locations, owned and leased. The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors.

This policy governs the physical and logical access to all university systems and applications to protect the privacy, security, and confidentiality of university systems, especially highly sensitive systems, and the responsibilities of institutional units and individuals for such systems.

II. POLICY STATEMENT

Information and related systems maintained by the University centrally and within departments and offices are vital assets that need to be available to employees who have a legitimate need for them, consistent with the University’s responsibility to preserve and protect such information resources by all appropriate means.

To provide reliable and accurate data to the University community, information resources must be protected from natural and human hazards. Policies and practices must be established to ensure that risks are eliminated or mitigated using best practices validated by security professionals. Employees accessing data must observe requirements for confidentiality and privacy, must comply with protection and control procedures, and must accurately present the data in any use.

The function of this policy is to enhance and help define the policies and procedures of an IT security program to protect university IT systems and data from credible threats, whether internal or external, deliberate or accidental.

It is the policy of the university to use all reasonable IT security control measures to:

a. Protect university information resources against unauthorized access and use
b. Maintain the integrity of university data
c. Ensure university data residing on any IT system is available when needed
d. Comply with the appropriate federal, state and other legislative, regulatory and industry requirements

Protecting information resources includes:

  • Physical protection of information processing facilities and equipment
  • Assurance that application and data integrity are maintained
  • Assurance that information systems perform their critical functions correctly, in a timely manner, and under adequate controls
  • Protection against unauthorized access to protected data through logical access controls
  • Protection against unauthorized disclosure of information
  • Assurance that systems continue to be available for reliable and critical information
  • Assurance that the security and forensic needs of the university are met

Additionally, information entered, processed, stored, generated, or disseminated by information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside the university. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Proper account management procedures, security monitoring, and logging practices are required to provide this type of protection of data.

The following principles are the main components of the security policy for physical and logical access that itemizes the standards to which all university information systems and applications must adhere.

  1. All university systems and their applications will be classified by the university’s Information Security Officer or designee according to their sensitivity with respect to data confidentiality, system availability, and data integrity.
  2. Once classified, the system’s or the application’s minimum authentication and authorization requirements must be determined by the System Owner and documented according to risk and sensitivity.
  3. All systems and applications will have documented policies and procedures for:

a. approving and terminating access

b. obtaining and disabling temporary accounts

c. consistent periodic review and assessment of all accounts for continued needs with documentation as evidence of the review

d. locking accounts after a period of inactivity, with the period of time appropriate to the sensitivity of the system and associated risks

e. logging configurations and review

The organization responsible for an information system is responsible for the prompt deactivation or disabling of accounts when necessary including but not limited to accounts subject to the following circumstances:

a. the accounts for terminated individuals shall be removed/disabled/revoked from any computing system at the end of the individual’s employment or when continued access is no longer required

b. the accounts of transferred individuals may require removal/disabling to ensure changes in access privileges are appropriate to the change in job function or location

c. the accounts for employees who are not working due to any sort of leave, disability or other authorized purpose, or when continued access is no longer required, shall be temporarily disabled for a period consistent with the employee’s personal usage needs and duration of absence

d. the accounts for employees suspended for more than one day for disciplinary reasons shall be disabled

  4. There will be no anonymous “guest” accounts on any system classified as sensitive. The organization responsible for an information system shall issue a unique account to each individual authorized to access that information resource.
  5. Accounts on all systems will use non-shared, unique passwords. In the instances when systems classified as sensitive must use a shared account in order to do business, strong mitigating controls must be documented and practiced. In these unique situations, the proposed controls can be reviewed by the Information Security Officer. Those systems residing on a guest network are exempt from this requirement.
  6. Physical and logical access to any system will be granted based on least privilege. When establishing accounts, standard security principles of “least privilege” to perform a function must always be used, where administratively feasible. Access privileges should be limited to those that the user has a genuine need for to complete job responsibilities and functions. For example, a root or administrative privileged account must not be used when a non-privileged account will do. Privileges must never be granted “in case” a user might need them.
  7. Access security designs for all systems will be group or role based and privileges assigned to groups or roles will be based on least privilege.
  8. Access privileges granted to each individual user will adhere to the principles of separation of duties. Technical or administrative users, such as programmers, System Administrators, Data Base Administrators, security administrators of systems and applications must have an additional, separate end-user account to access the system as an end-user to conduct their personal business.
  9. Passwords or PINs are required on all University issued mobile devices such as PDAs and smart phones.
  10. No passwords for any system may be stored or transmitted in clear text.

To provide for the security and forensic needs of the university, all servers not administered by the central Information Technology Unit (ITU) must follow these logging standards. These standards do not apply to workstations. Exceptions to these standards must be evaluated and approved by the IT Security Office.

1. At the unit or department level, a program for documenting and implementing information security monitoring and logging practices must be put in place.

2. At the unit or department level

a. A person in a responsible position needs to be assigned the responsibility of developing and implementing information security logging capabilities

b. The person in this role must develop and implement detailed procedures for reviewing and administering the logs

3. Logging must be enabled to include at a minimum:

a. The event

b. The user ID associated with the event

c. The time the event occurred

4. IT system event logs must be routinely monitored in real time:

a. Log review must include the ability to correlate log information with other automated tools

b. The solution must be able to identify suspicious activities

c. The solution must provide for alert notification

5. The process for responding to malicious events and type of action to be taken must be documented.

6. Prohibit keystroke loggers from being installed or any other unauthorized monitoring from taking place.

III. DEFINITIONS

Access: The ability to use, modify or manipulate an information resource or to gain entry to a physical area or location.

Access Control: The process of granting or denying specific requests for obtaining and using information and related information processing services or resources and to enter a specific physical facility, such as a building or designated room containing information resources. Accompanying the process are procedures that monitor access. The purpose of access controls is to prevent unauthorized access to IT systems.

Availability: Protection of IT systems and data to ensure timely and reliable access to and use of information to authorized users.

Confidentiality: The protection of sensitive information so that it is not disclosed to unauthorized individuals, entities or processes.

Information Security Officer (ISO): The individual designated by the chief information officer to be responsible for the development, implementation, oversight, and maintenance of the university’s IT security program.

Integrity: The protection of data or IT so that data has not been intentionally or accidentally modified or deleted in an unauthorized and undetected manner.

Least Privilege: The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. The enforcement of least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and defining the user’s role which includes those privileges only.

Logical Access Control: Logical access controls provide a technical means of controlling what information a user can utilize, the programs the user can run, and the modifications the user can make. These controls are computer-based and can prescribe not only who or what process is to have access to a specific information resource but also the type or level of access that is permitted, such as use, change, or view.

Physical Security: The physical safeguards that protect against unauthorized access, can detect attempted or actual unauthorized access and can activate an effective response. These measures are required to control access to information resources and assets.

Depending on the classification of the information resource, the appropriate physical security safeguards such as progressively restricted security zones, locked doors, access control systems, intrusion alarm systems, and other provisions will be implemented.

Separation of Duties: The “separation of duties” is defined as the assignment of responsibilities such that no one individual or function has control over an entire process. The principle of “separation of duties” manages conflict of interest, the appearance of conflict of interest, and potential fraud.

Server: A server is a system (software and suitable computer hardware) that responds to requests across the Mason network or the Internet, if hosted off campus, to provide, or help to provide, a network service. All systems that are intentionally configured to be accessible via the internet are considered to be servers. A system may only be accessible from the university network but provides a server service and therefore is a server.

System Owner: The System Owner is the person responsible for operation and maintenance of a university IT system. With respect to IT security, the System Owner’s responsibilities include establishing security awareness and training capabilities that ensure that all IT System Users receive training appropriate to their role, maintaining compliance with university and state security policies and standards in all IT system activities, and maintaining compliance with requirements specified by Data Owners for the handling of data processed by the system.

IV. RESPONSIBILITIES

Vice presidents, deans, department heads and their staffs are responsible for the security, confidentiality, availability and integrity of data and systems to the extent that they have access and/or access control.

This policy also places responsibility on department heads and directors to encourage appropriate computer use as specified in Responsible Use of Computing Policy, ensure compliance with information technology policies and standards by people and services under their control, and implement and monitor additional procedures as necessary to provide appropriate security of information resources within their area of responsibility.

Departments and administrative offices shall develop, manage and review local operating policies and procedures to create the proper security practices for the logical and physical security of information resources.

The Information Technology Unit (ITU) is responsible for establishing and maintaining the physical security of the central computing facilities, including shared file servers managed by ITU, the university’s communications network, and data for which the ITU is the custodian. ITU will maintain access to centrally-managed computing systems, the campus network, and fileservers managed by ITU.

All users of university information technology resources are required to adhere to detailed requirements included in the Responsible Use of Computing Policy as well as other university policies related to the security of information technology resources.

V. COMPLIANCE

System owners must have documented procedures for access control and must be able to produce the documented procedures when required for auditing purposes. Evidence of account approval, termination, and disabling must be available when required for auditing purposes.

Failure to honor the requirements set forth in this policy may result in disciplinary or administrative action.

VI. EFFECTIVE DATE AND APPROVAL

This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of Mason’s fiscal year, unless otherwise noted.

Approved:

__/S_____________________
Maurice W. Scherrens
Senior Vice President

__/S______________________
Peter N. Stearns
Provost

Date approved: February 25, 2010

Revised: January 27, 2014

Document link: http://universitypolicy.gmu.edu/policies/physical-and-logical-access-security
Policy 1114, Data Stewardship

Data Stewardship

I. SCOPE

This policy applies to all academic and operational departments and offices at all George Mason University locations, owned and leased. The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors. This policy governs the privacy, security, and confidentiality of university data, especially highly sensitive data, and the responsibilities of institutional units and individuals for such data.

II. POLICY STATEMENT

George Mason University maintains data essential to the performance of university business. These data are valuable assets. State and federal laws identify the types of data to which access and storage must be restricted. This policy incorporates federal and state standards, and establishes responsibilities for all elements of university data in terms of confidentiality, integrity, and availability.

The greatest benefit the university can provide to the community is data that is shared and used with care. This benefit is diminished through misuse, misinterpretation, or unnecessary restrictions on access. Although a large portion of university data are shared with the public, some data are restricted by the privacy protections established in laws or policies. To comply with these mandates and to protect the university community as a whole, the university has the right and the obligation to protect, manage, secure, and control data under its purview.

III. DEFINITIONS

A. University Data

University data are any data required to conduct the operations of the university. University data are divided into two main categories: protected data and public use data. Protected data include two sub categories: highly sensitive and restricted.

i. Protected Data – Highly Sensitive: Data that (1) by their personal nature can lead to identity theft or exposure of personal health information, or (2) a researcher, funding agency or other research partner has identified as highly sensitive or otherwise requiring a high level of security protection. Some examples are: data classified as secret by the Federal government, data that is often involved in identity theft (e.g. SSNs), data described in the Health Insurance Portability and Accountability Act (HIPAA) as needing to be secured, and data that could lead to financial theft (e.g. credit card information). See Appendix A for a list of the types of data classified as Protected Data – Highly Sensitive. This list is updated annually by the Information Security Officer.

ii. Protected Data – Restricted: Data that, by their very nature or regulation, are private or confidential and must not be disclosed except to a previously defined set of authorized users. Some examples are: data defined as confidential by the Family Educational Rights and Privacy Act (FERPA), employee performance evaluations, confidential donor information, some research data, minutes from confidential meetings, accusations of misconduct, or any other information that has been identified by the University, its contractors or funding agencies, or Federal or State regulations, as private or confidential and not to be disclosed.

iii. Public Use Data: Data intended for general public use. An example is the university’s on-line directory.

B. Key Personnel Responsible for the Protection of University Data (See Appendix B)

President: The president of George Mason University, as the head of a Commonwealth of Virginia state agency, has ultimate responsibility for the university’s security program and the protection of restricted and highly sensitive data and critical system assets. The president has delegated these responsibilities to members of the president’s Executive Council.

Chief Information Officer: The Executive Council member designated by the university president to have executive oversight of the university’s IT security program and for the evaluation and classification of data.

Chief Data Stewards:

Senior Vice President: The Executive Council member designated by the university president to be responsible for all restricted and highly sensitive data associated with employees, contractors, and affiliates. In this role, the senior vice president determines who has access to such data, how it can be stored, and how it must be protected. The senior vice president may delegate responsibility for certain data sets to others via formal memoranda.

Provost: The Executive Council member designated by the university president to be responsible for all restricted and highly sensitive data associated with students and faculty in performance of their teaching and research activities. In this role, the provost determines who has access to such data, how it can be stored, and how it must be protected. The provost may delegate responsibility for certain data sets to others via formal memoranda.

Information Security Officer (ISO): The individual designated by the chief information officer to be responsible for the development, implementation, oversight, and maintenance of the university’s IT security program.

System Owner: The System Owner is the person responsible for operation and maintenance of a university IT system. With respect to IT security, the System Owner’s responsibilities include establishing security awareness and training capabilities that ensure that all IT System Users receive training appropriate to their role, maintaining compliance with university and state security policies and standards in all IT system activities, and maintaining compliance with requirements specified by Data Owners for the handling of data processed by the system.

Data Owners: Deans, vice presidents, associate vice presidents, directors, managers, or others authorized by the Chief Data Stewards to manage a subset of data. The delegation of this authority and responsibility is accomplished by written instructions. This person is responsible for ensuring that University data security policies are followed and for developing internal controls to ensure data security and privacy.

System Administrator: A System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian. Their responsibilities can include administration at the system infrastructure layer and/or system application layer. Any given system may have more than one System Administrator depending on the size and complexity of the system. The System Administrator assists with the day-to-day administration of the university’s IT systems, and implements security controls and other requirements of the IT security program on IT systems for which the System Administrator has been assigned responsibility. System Administrators are responsible for documenting and enabling user access to a domain of university data on those IT systems. System Administrators also maintain records of IT System Users authorized for highly sensitive data related to those IT systems. Responsibilities and related security resources can be found at http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm.

Data Custodians: An individual who has been authorized to be in physical or logical possession of data by the Data Owner. Data Custodians are responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage and for providing and administering general controls, such as back-up and recovery systems. A Data Custodian may also be a System Administrator.

Data Processors: An individual authorized by data owners to enter, modify, or delete data. Data Processors are responsible and accountable for the completeness, accuracy, and timeliness of the data assigned to them.

IT System Users: Any university employee, contractor, affiliate, or duly authorized member of the community who can access restricted and/or highly sensitive university data but does not modify or delete that data. For the purposes of the responsibilities section in this policy, IT System Users include all who have the capacity to access university data. All IT System Users, whether they be Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access, as prescribed in this policy.

Privacy and Security Compliance Team: A select group of deans, directors, coordinators, vice presidents, and other employees, representing their respective departments, who, under the leadership of the chief of staff, are responsible for developing policies and providing direction for overall institutional data management.

Customer: Any employee, student, or individual not associated with the university from whom highly sensitive data is collected.

C. Encryption

Encryption is the conversion of data into a form that is unreadable by an unauthorized user or process. Encrypted data must be decrypted (converted back to original form) prior to use. The university’s centrally managed encryption method requires a key for encryption and decryption. Data Custodians must employ encryption as a means of protecting highly sensitive data.

IV. RESPONSIBILITIES

A. General

Access to university data is provided to university employees for the conduct of university business. Protected data, as defined by this policy, will be made available to employees who have a genuine need for it. This may include data collected from students, faculty, staff, contractors, members of the community, or those who have no affiliation with the university. Employees accessing such data must observe the requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data used in any type of reporting function. Individual units or departments that have stewardship responsibility for portions of protected university data must establish internal controls to ensure that university policies are enforced. All IT System Users, not just Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access or store, as prescribed in this policy.

B. Compliance

i. The university forbids the disclosure of protected data in any medium except as approved in advance by a Data Owner. The use of any protected university data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited. Each IT System User will be responsible for the consequence of any misuse of university data.

ii. The university forbids the storage of highly sensitive data on any data storage device or media other than a centrally managed server approved for the storage of highly sensitive data or a secure networked file storage area. If an individual is required to store highly sensitive data for a business need, that individual must obtain permission from the Chief Data Steward. The written request for authorization must state the unique business need, the type of data that will be stored, the type of data storage device that will be used, and the mitigating controls that will be employed to protect the highly sensitive data. The centrally managed encryption program is required for storing any highly sensitive data on any type of device or media. If the centrally managed encryption program is not compatible with the storage device or method, another mitigating control must be used and approved by the Information Security Officer.

See Appendix C for authorization procedures and forms that require the user to state the business need and agree to accept the responsibility to protect the highly sensitive data. Any university employee, student or non-university individual who stores highly sensitive university data without proper permissions and protection measures is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

iii. Should a security breach occur, the Computer Security Incident Response Team (CSIRT) will investigate and discuss with the chief information officer as to whether or not the matter is referred to law enforcement authorities through the University Police Department. The assistant vice president for Human Resources will review all matters involving university employees. The dean of students will review all matters involving students. The Office of University Counsel will review matters involving individuals not affiliated with the university.

iv. All individuals accessing university data at George Mason University are required to comply with federal and state laws and university policies and procedures regarding data security of highly sensitive data. Any university employee, student or non-university individual with access to university data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

C. The Duties of Key Personnel

Authorization for access to and the maintenance and security of all university data, particularly highly sensitive data, is delegated to specific individuals within their respective areas of responsibility.

Chief Data Stewards Responsibilities

  1. Establish policies and direction for the overall security and privacy of all University data, particularly highly sensitive data, within their respective areas of responsibility.
  2. Identify and appoint Data Owners for units within their areas of responsibility.
  3. Appoint appropriate representative individuals to the Privacy and Security Compliance Team.

System Owner Responsibilities

  1. Require that all users of the system complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually, thereafter.
  2. Manage system risk and develop any additional IT security procedures required to protect the system in a manner commensurate with risk.
  3. Maintain compliance with university IT security policies and standards in all IT system activities.
  4. Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
  5. Designate a System Administrator for the system. See http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm for a list of System Administrator responsibilities.

Data Owners Responsibilities

  1. Ensure that access and protection requirements consistent with university policies and the data classification are in place and responsive to business needs.
  2. Ensure the accuracy and quality of all data within their area.
  3. Communicate data protection requirements to the System Owner.
  4. Annually review with appropriate Data Custodians the current set of highly sensitive data access authorizations and, as appropriate, update authority granted each user.
  5. Ensure that authorized users of highly sensitive data are trained on their responsibilities associated with their approved access to that data.
  6. Report any possible breach in computer security or illicit use of highly sensitive data to the Support Center who will then notify the IT Security Office for CSIRT action.
  7. Review appeals of decisions to deny access to university data within their area of responsibility.

Systems Administrators Responsibilities
(See http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm for more details on requirements and responsibilities)
Note: Responsibility for the security of certain systems may belong to the Information Technology Unit if the unit or department has signed a service level agreement with the ITU to manage the server.

  1. Identify possible security gaps that may leave systems vulnerable to attacks or hackings and take remedial actions to make the systems secure.
  2. Ensure the usability, reliability, availability, and integrity of information systems and their data, including serving as liaisons between all parties with interests in such systems.
  3. Follow established formal procedures and tools as determined by their respective Data Owner to enable access for authorized Data Processors and IT System Users. This includes ensuring that all specified approvals have been granted before providing an IT System User access to highly sensitive data.
  4. Maintain documentation of users who are authorized access to highly sensitive data on IT systems to which they have been assigned. Where abuses of that authorization are discovered, make authorization withdrawal recommendations to the appropriate Data Owner.

Data Custodian Responsibilities

  1. Protect the data in their possession from unauthorized access, alteration, destruction, or usage.
  2. Use IT systems in a manner consistent with university policies and procedures.
  3. A Data Custodian may also be a System Administrator.

Data Processors Responsibilities

  1. Ensure the accurate input and presentation of data. Each Data Processor will be responsible for any intentional misrepresentation of data.
  2. Ensure the maintenance of data integrity. Upon recognizing that any data elements are in error, the Data Processor will notify the appropriate Data Owner.

IT System Users Responsibilities

  1. Read and, based on types of data accessed, comply with the relevant directions for “Computer Security” found at http://itsecurity.gmu.edu/.
  2. Use restricted and highly sensitive data only as required by the employee’s job responsibilities and authorized by the appropriate Data Custodian.
  3. Respect and protect the confidentiality and privacy of individuals whose records they access.
  4. Report any possible breach in computer security or illicit use of restricted and/or highly sensitive data to the Data Owner of the IT System User’s unit.

Privacy and Security Compliance Team Responsibilities

  1. Ensure the university complies with state and federal regulations on security and privacy of university data.
  2. Educate the university community about trends in security and privacy that have the potential to affect how the university does business.
  3. Recommend to the president of George Mason University remedial action(s) to identified problems.
  4. Review policies and procedures developed by each department or unit to ensure that these departments or units have appropriate security measures that will protect university data from compromise or unauthorized access, modification, destruction, or disclosure.

D. Organizational and Individual Responsibilities for Access Control to Highly Sensitive Data

i. No one is permitted to access highly sensitive data unless the Data Owner has given written permission, either through established business processes or specific memorandum. Assuming the user has documented permission to access the data, the user must not store the data unless written approval has been granted to do so through the use of the online form that requires the user to describe the unique business need for storage and the mitigating security controls.

ii. Each department or business unit will have documented procedures, consistent with the university’s security policies, which preserve and protect highly sensitive data and are designed to accomplish these goals:

  1. Ensure the security and confidentiality of customer information.
  2. Protect against any anticipated threats to the security or integrity of such information.
  3. Guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

iii. Each Data Owner will have a documented set of procedures for reviewing requests to access, modify, or update highly sensitive data.

iv. The IT Security Office will be available to assist each department or business unit by reviewing their access and data security procedures. If needed, the Privacy and Security Compliance Team will review to ensure compliance with this policy.

v. Members of the university community may appeal any decision that denies access to university data. Appeals are to be made to the appropriate Data Owner.

E. Public Requests for Protected Data

Requests by the public for protected data made through the Virginia Freedom of Information Act [University Administrative Policy #1117–Virginia Freedom of Information Act Requests] or other applicable law will be reviewed by the Office of University Counsel prior to any release of data.

V. TRAINING

IT System Users authorized to access highly sensitive data are required to participate in data security training commensurate with the type and use of such data. This training will be recommended annually to the Chief Data Stewards by a team drawn from the Research Office, University Life, Office of Human Resources, and the Information Security Office. Managers are to train, or arrange for training, for all current employees who have or will have access to highly sensitive university data prior to granting access to such data.

VI. EFFECTIVE DATE AND APPROVAL

The policies herein are effective May 4, 2005. This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.

Approved:

_/S______________________
Maurice W. Scherrens
Senior Vice President

_/S_______________________
Peter N. Stearns
Provost

Date approved: August 1, 2005 and March 2, 2009

Revised: January 29, 2013

Document link: http://universitypolicy.gmu.edu/policies/data-stewardship

Student Travel Policy

Students are only allowed to travel into DC with a support staff member if the following events are happening: vigils, protests, or social justice activities.

These types of events can be very overwhelming for our students and could lead to problematic situations.

Any request should be discussed with the Coordinator, Assistant Director, or Director.