University of Wisconsin Oshkosh
Data Access & Data Security Policy: Appendixes
Appendix A - University of Wisconsin Oshkosh
Legal Custodians of Specific Records
Pursuant to s. 19.33(4), Wis. Stats., the following individuals are designated as University of Wisconsin Oshkosh Legal Custodians. This document supplements the University Data Access and Data Security Policy.
Academic and Unclassified Personnel Records
Office of the Vice Chancellor and Provost, acting through William Wresch, Associate Vice Chancellor.
Affirmative Action and Classified Personnel Records
Office of the Director of Personnel/Director of Affirmative Action, acting through Mary E. Koepp, Personnel Director, Affirmative Action Director.
Student Records
Office of the Director of Enrollment Management, acting through Daniel Edlebeck, Registrar.
Financial, Contractual, Business, and Related Records
Office of the Director of University Budgets, acting through Joel C. Edson, Executive Director, University Budgets and Administrative Services.
All Other Records
Office of the Chancellor, acting through Thomas R. Grogan, Special Assistant to the Chancellor.
Appendix B - University of Wisconsin Oshkosh
Current Data Stewards
This document supplements the University Data Access and Data Security Policy.
Student Systems
UG Information- Daniel Edlebeck
GR Information- Greg Wypiszynski
UG Transcripts- Daniel Edlebeck
GR Transcripts- Greg Wypiszynski
Student Accounts- Gary Moeller
Financial Aids- Ken Cook
CDR- Carol Kenney
UG Admissions- Jill Endries
GR Admissions- Greg Wypiszynski
UG Pre-admission- Jill Endries
GR Pre-admission- Greg Wypiszynski
Personnel Data Base
Faculty Payroll- Mary Koepp
Classified Payroll- Mary Koepp
C.A.S. program- Don Weber
Grants- Don Weber
Faculty Contracts- Lee McCann
Overload Payments- Lee McCann
College and University Financial System (CUFS)
General Ledger- Gary Moeller
Purchasing- Jim Johnson
Report Distribution- Gary Moeller
Other Financial Systems
Student Payroll- Gary Moeller
Payroll Encumbrance- Lori Worm
University Foundation- Tom Grogan
Food Service
MLS files- Mike James
Residence Life
HSG files- Jim Chitwood
University Mailing
UMS general files- Tom Grogan
Testing and Research Services
TST files- Tim Hoyt
Facilities and Equipment
Equipment Inventory- Bruce Williams
Physical Facilities- Bruce Williams
Keys- Carol Botz
Telephone Billing- Mary Hale
Library Periodicals- Diane Urch
Computing Resources
Computer Utilization- Ken Splittgerber
Weekly Activity- Diane Urch
Magnetic Tape Inventory- Len Rusch
Appendix C - University of Wisconsin Oshkosh
Position Titles and Current Incumbents
This document supplements the University Data Access and Data Security Policy.
Chancellor: John E. Kerrigan
Provost/Vice Chancellor: Vicki Lord Larson
Associate Vice Chancellor: William Wresch
Assistant Vice Chancellor for Graduate School and Research: Patricia J. Koll
Assistant Vice Chancellor for Information Technology: John F. Berens
Director of Personnel: Mary E. Koepp
Director of General Accounting: Gary J. Moeller
Data Security Officer: William F. Wurzbach
Database Administrator: William F. Wurzbach
Appendix D - University of Wisconsin Oshkosh
Laws Related to Data/Information Issues
This document supplements the University Data Access and Data Security Policy.
FEDERAL: Privacy and Protection Act of 1974, Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment), 1986 Electronic Communications Privacy Act, and The Computer Fraud and Abuse Act of 1989.
STATE: Wisconsin Statutes 1992-93, (41st Edition) (Chapter 19, Public Records and Property, ss. 19.31 - 19.39; Chapter 939, Crimes - General Provisions, ss. 939.32(2), 939.50(3), 939.51(3), 939.66(4), 939.72(3); Chapter 943, Crimes Against Property, ss. 943.70).
This document supplements the University Data Access and Data Security Policy.
The following cover letter and request forms may be used when making an initial request for data access for a new user of the Online Administrative Computing System. For modification of the data access profile of an already-existing user of the system, see 6.2 Modification of Existing Data Access Authorization.
Requests for initial campus network logons or email access fall outside the scope of this policy paper, and should be directed to Academic Computing Services, or emailed to ACSHELP@uwosh.edu.
Appendix F - 6.2 Modification of Existing Data Access Authorization
This document supplements the University Data Access and Data Security Policy.
Once a system logon has been established for a given user, following the procedures outlined in 6.1 Requesting Authorization for Data Access, future modification of that user's security profile may be effected in any of several ways, whichever is most convenient for the requestor. The only requirements are that, for the purposes of audit review, the request contain the following minimum information:
1. A short paragraph stating the name of the user for whom security profile modification is desired, the office in which they work, and the nature of the access requested. This may include, but is not limited to, new CICS transaction ids, generic requests for access to database-related programs, the ability to update specific fields on an already-accessible transaction screen, update capability against an existing dataset, a change of name, etc.
2. The signature, or a valid electronic equivalent, of the user's immediate supervisor or departmental chair.
3. A time-stamp, system-generated or hand-written, indicating the date and time of the modification request.
This request may take the form of an email message from the requestor's mail account or a handwritten or typed request, preferably on letterhead, sent through intercampus mail. The email request should be sent to Security@uwosh.edu. The intercampus mail request should be sent to the attention of the Data Security Officer.
Requests for initial access to the online College and University Financial System (CUFS) should be directed to the Director of General Accounting in the Budgets and Controller Office.
Again, as stated in 6.1 Requesting Authorization for Data Access, requests for modification of campus network logons or email access fall outside the scope of this policy paper, and should be directed to Academic Computing Services, or emailed to ACSHELP@uwosh.edu.
This document supplements the University Data Access and Data Security Policy.
In most cases, once a person has been assigned a particular security access profile, they will tend to keep that profile for an extended period of time, with very little, if any, change. Those modifications which do take place will usually be of the nature outlined in 6.2 Modification of Existing Data Access Authorization. Certain personnel activities, however, warrant a different course of action. These usually take the form of a departmental transfer, reclassification, termination, or retirement. In any situation such as this, the Data Security Officer should be notified in as timely a manner as possible of the pending event. This will allow the user's security profile to be modified to accommodate their new work responsibilities, and deny them access to information they no longer require for their work, or ensure that their logon is removed from the system, to preclude future unauthorized data access.
Notification to the Data Security Officer may take the form of a telephone call, an email message or a short note outlining the nature and timeframe of the personnel action. Email should be directed to Security@uwosh.edu. While most of this information will also be made available to the Data Security Officer by the Personnel Office, it will not be as timely as direct notification from the office of interest, and will not convey any information as to the identity of the replacement personnel involved, who may also require access modification. Coordination and cooperation between the Data Security Office and a client office will help ensure a smooth transition during the employee turnover process.
This document supplements the University Data Access and Data Security Policy.
It is incumbent upon every user to adhere to security policies and procedures and to call to the attention of the Office of Information Technology those whom they feel are violating these procedures. Every effort will be made to ensure total anonymity. If a user should encounter or observe a flaw in system or network security, this discrepancy must be reported to the Office of Information Technology. Individuals must refrain from exploiting any such lapse in security.
For online administrative computing system security problems, notify the Data Security Officer by telephone, personal visit, inter-campus mail, or an email message sent to Security@uwosh.edu.
For email, network or academic computing system violations, contact Academic Computing Services by telephone, personal visit, inter-campus mail, or an email message sent to ACSHELP@uwosh.edu.
For CUFS security violations, contact the Director of General Accounting in the Budgets and Controller Office.
Appendix I - 6.5 Requesting Computer System Activity Information
This document supplements the University Data Access and Data Security Policy.
The following cover letter and request form are used when requesting information regarding the activity of an individual on a University-controlled computer system. In all cases, this request should be initiated by an office previously designated for this purpose. Requests from unauthorized individuals will not be honored. The following are the appropriate offices to contact:
1. Individual requests for restraining action, e.g., stop unsolicited or harassing email:
Students: contact the Dean of Students
Faculty/Academic Staff: contact the Associate Vice Chancellor
Classified Staff: contact the Personnel Director
2. Faculty or staff requests for system information regarding student activity:
contact the Dean of Students
3. Departmental requests for system information regarding faculty/staff system activity:
Faculty/Academic Staff: contact the Associate Vice Chancellor
Classified Staff: contact the Personnel Director
4. Outside agency requests for action or access to system information (e.g., system activity logs, login/logoff reports, etc.):
Contact the Network Administrator
Appendix J - 6.6 Sanctions for Unauthorized Data Access or Disclosure
This document supplements the University Data Access and Data Security Policy.
Violation of the policies described herein for use of computing resources will be dealt with seriously. Violators are subject to disciplinary procedures of the University, may lose computing privileges or account and network access, and may also be subject to prosecution by state and federal authorities under laws including, but not limited to: The Privacy and Protection Act of 1974; Wisconsin Statutes 1992-93, (41st Edition) (Chapter 19, Public Records and Property, ss. 19.31 - 19.39; Chapter 939, Crimes - General Provisions, ss. 939.32(2), 939.50(3), 939.51(3), 939.66(4), 939.72(3); Chapter 943, Crimes Against Property, ss. 943.70); The Wisconsin Computer Crimes Act; The 1986 Electronic Communications Privacy Act; The Computer Fraud and Abuse Act of 1989. The sanction and appeal process will vary, depending upon the classification of the offender within the University community.
Suggested courses of action are described by, but are not limited to:
a. Student - Wisconsin Administrative Code, Section UWS 14 and UWS 17. These regulations are also maintained in a separate document entitled Student Discipline Code, which is available in the Dean of Students' Office.
b. Classified Staff - Administered by the Personnel Office, pursuant to the current University of Wisconsin System Classified Employees Work Rules; Chapter 230.34(1) of Wisconsin Statutes; Section Pers 24 of Wisconsin Administrative Code; and existing collective bargaining agreements.
c. Academic Staff / Faculty - The University of Wisconsin Oshkosh Faculty and Academic Staff Handbook and specific departmental procedures, as warranted.
d. Other - Subject to the procedures of the organization or group with which they are affiliated, revocation of computing privileges, and possible state and federal prosecution.
Last updated: February 25, 1997