IT Policies and Procedures

1.1. CUNY Security Policies

CUNY SPH is governed by IT security policies set by CUNY Central. These cover, among other things, user responsibilities, the CUNY policy on anti-virus software, accessibility, and web site privacy.

1.2. Handling Non-Public University Information

1.2.1. What is Non-Public University Information (NPUI)?

FERPA classifies protected information into three categories: educational information, personally identifiable information, and directory information. Educational information and personally identifiable information are considered Non-Public University Information by CUNY.

CUNY’s information security policies require all personnel to secure NPUI, which includes:

• Social Security numbers
• Debit and credit card numbers
• User IDs with passwords
• Student records (GPAs, transcripts, grades, test results)
• Health records
• Drivers Licenses or other government-issued identification
• The following is considered “Directory Information” and does not fall under FERPA security considerations:
• student’s name, mailing address, e-mail address and telephone number
• previous institution(s) attended
• enrollment status
• dates of attendance, graduation, or expected date of graduation
• diplomas, honors or awards received
• extracurricular activities

1.2.2. Guidelines for protection of NPUI on the GSPHHP SharePoint platform

• NPUI must be stored securely, and only be accessible to school officials with a legitimate interest.
• School officials may not disclose NPUI without written permission from the student.
• Do not store non-public university information on third-party cloud storage systems (e.g. Dropbox, Google Drive). The GSPHHP SharePoint platform should be used to store and share any and all protected data / information.
• Do not download or copy NPUI to a personal computer or removable storage device. If you must work with protected information from a personal computer, use the online versions of Microsoft Office applications that are available on the GSPHHP SharePoint platform.
• Never provide a report, spreadsheet, or other list of student data to an outside agency without specific prior approval.
• Be wary of unsolicited links or attachments delivered via email – these are usually attempts to “phish” for your usernames and / or passwords. The GSPHHP will never send you an email asking you to verify your credentials. Please report all suspicious emails to the Helpdesk – helpdesk@sph.cuny.edu.

1.3. Access to resources for non-SPH users

1.3.1 Explanation and Purpose

The CUNY Graduate School of Public Health and Health Policy (CUNY SPH) engages with external (non-CUNY) partners in carrying out its mission to “provide a collaborative and accessible environment for excellence in education, research, and service in public health, to promote and sustain healthier populations in New York City and around the world, and to shape policy and practice in public health for all.” Our non-CUNY partners may, under certain circumstances, require access to non-public SPH electronic materials in order to carry out joint projects. This will require that they obtain a temporary SPH email and/or domain account.

SPH domain accounts are required for access to SPH computers, printers, data center, and SharePoint. An SPH email account may be requested if the nature of the work requires all email communication to remain within the CUNY domain.

1.3.2. Procedure

Requests to provide non-CUNY partners with SPH email and/or domain accounts must be made by an SPH employee/project sponsor by completing the SPH Person of Interest (POI) Email and Domain Account Request Form (https://sharepoint.sph.cuny.edu/admin/_layouts/15/DocIdRedir.aspx?ID=GSPHHP-1229388126-396). A POI is a non-employee and non-CUNY student who requires access to a CUNY resource. Requests must be approved by the sponsor’s supervisor, the School’s Chief Information Officer (CIO) and the Senior Associate Dean for Administration or designee. If approved, an SPH email and/or domain account will be granted for the remainder of the current fiscal year (July 1 – June 30), subject to annual renewal.

2.1. Employee on-boarding and off-boarding

2.1.2. On-boarding

All new hire requests (Tax-levy, and RF) must be submitted to HR using the SharePoint Position Request form.

Submitting the form initiates the on-boarding process. The following workflow is processed:

1. Form is submitted to HR and Finance Offices for initial approval
2. Once approved, information is submitted to Facilities for space planning
3. Regular hiring process commences
4. Once a person is identified to fill the position, HR initiates on-boarding
5. The new employee is then on-boarded by IT and Facilities

IT steps –

1. Assigning library barcode
2. Assigning phone number (if needed)
3. Requesting email account
4. Updating SharePoint Employee database
5. Facilities steps –
6. Assigning space

Once on-boarding is complete, notifications are sent to:

• New Employee (on personal email address)
• Supervisor
• Public Safety – for ID card generation
• HR
• Communications Team – to update the CUNY SPH directory and website

2.1.3. Off-boarding

Currently under development – ETA Winter 2018

2.2. Student on-boarding and off-boarding

2.2.1. On-boarding

Student on-boarding is initiated by the Admissions Office (link) and is conducted in batches. On-boarding begins 1 month before the start of a regular semester (Fall, and Spring), and 2 weeks before the start of the Summer term.

The following workflow is processed for every batch of students –

1. Office 365 accounts are requested from CIS
2. SPH Domain accounts are created
3. Library barcodes are assigned
4. Information is distributed to Students
5. Information is distributed to Public Safety – for ID card generation
6. Information is distributed to Communications Team – to update SPH mailing lists
7. CUNYfirst and BlackBoard profiles are updated

2.2.2. Off-boarding

Students are off-boarded on graduation or withdrawal from SPH programs. The following workflow is processed –

1. SPH Domain accounts are disabled
2. Office 365 accounts are downgraded to email-only (no access to software)
3. Information is distributed to all internal stakeholders