3.   Policy on Operations and Maintenance

3.3   The Chancellor also shall establish procedures to ensure the prudent management of environmental health and safety in compliance with applicable state and federal laws. Those procedures shall include a Council on Environmental Health and Safety, with representation from each component institution. These procedures shall also include, where appropriate, delegations of authority to the component institutions, and a mechanism for measuring compliance through appropriate means including periodic environmental audits. The Chancellor shall provide to the Financial Affairs Committee an annual report describing the state of the University System's environmental health and safety efforts, including the findings of any environmental audit conducted during the reporting period.

.USY Administrative Board - VI. Property Policies

F. Operation and Maintenance of Property

1.   University System Authority

2.   Delegation of Authority

2.2   The component institutions' operations and maintenance programs shall include procedures establishing prudent property management practices and ensuring compliance with applicable Board of Trustees and University System policies and state and federal laws. Those programs shall designate specific institutional officials to be responsible for ensuring institutional compliance with program requirements.

3.   Policy on Environmental Health and Safety

3.1.1   It is the policy of the University System of New Hampshire (USNH) to maintain a reasonably safe environment for its students, faculty and other academic appointees, staff, and visitors.

3.1.2   Operations at each component institution shall be conducted in compliance with applicable regulations, and when appropriate, with accepted health and safety standards.

3.1.3   A Council on Environmental Health and Safety is responsible for overall coordination and assessment of System-wide environmental health and safety efforts. The Council is chaired by the UNH Director of Environmental Health and Safety and includes representation from each component institution to be designated by the institution's chief executive officer. The Council shall meet quarterly to share current information, and shall provide to the Presidents and then to the Chancellor an annual report describing the state of the University System's environmental health and safety.

3.2   Responsibility

3.2.1   Presidents are responsible for the implementation of the Environmental Health and Safety policy at their respective component institutions.

3.2.2   Vice Presidents, Deans, Directors, Department Chairs, principal investigators, supervisors, and all other employees are responsible for compliance with this policy as it relates to operations under their control.

3.3   Campus Program Elements and Objectives

3.3.1   Presidents and Vice Presidents shall enact programs for environmental health and safety and such programs will be in compliance with applicable health and safety standards promulgated by federal, state and local agencies. In the absence of appropriate statutes and governmental regulations, the published standards of nationally recognized professional health and safety organizations would serve as guides. Appropriate working relationships with official regulatory agencies pertinent to environmental health and safety are recommended and encouraged.

3.3.2   Each component institution shall establish a written mission statement to outline operating policies, procedures and guidelines, as well as training for compliance with applicable environmental health and safety objectives listed below.

3.3.3   The written statement and programs for health and safety and environmental compliance shall include, but not be limited to the following program elements and objectives.

3.3.3.1   Injury and Illness Prevention

3.3.3.1.1   Objectives: The objectives are (1) to provide the means by which workplace hazards are identified, and, as dictated, corrected in a timely manner; employees are to be informed of the specific hazards associated with their jobs and are to be trained in the appropriate safe work practices; employees can communicate, without f ear of reprisal, their concerns about work area safety, and (2) to integrate existing and future compliance programs and environmental health and safety technical disciplines in a manner to ensure statutory and regulatory compliance in an efficient and logical approach. These programs and disciplines are discussed below.

3.3.3.1.2   Compliance Programs/Technical Disciplines

3.3.3.1.2.1   Industrial Hygiene: The practice of recognition, evaluation and control of potentially harmful substances and physical agents in the work area. The scope of this program shall include, but not be limited to, toxic materials, air quality in controlled environments, elements of physical exposure such as lighting, noise and temperature, and asbestos abatement.

3.3.3.1.2.2   General Safety: Identification and correction of factors which contribute to the incidence of accidental injury shall be maintained. The scope of these efforts shall include environmental conditions, engineering and design, maintenance of facilities and equipment, and the human factor.

3.3.3.1.2.3   Radiation Safety: Applicable regulations and appropriate standards shall be observed in the use of radioactive materials and radiation-producing machines. Appropriate guidelines shall be followed relating to the proper use, storage, and disposal of radioactive materials.

3.3.3.1.2.4   Fire Protection: Program activities shall be sustained which serve to protect life and property from fire. Facilities shall be maintained and operated in compliance with applicable regulations and accepted standards of fire safety and protection.

3.3.3.1.2.5   Occupational Health and Medicine: Appropriate resources and technology shall be applied to the recognition and response to occupational diseases and injury. Preventive health measures and surveillance techniques shall be utilized in a manner consistent with regulatory guidelines, accepted industry standards, and campus policy. The purpose of this program is the maintenance of reasonable standards for the health and safety of campus personnel and students.

3.3.3.1.2.6   Disaster Preparedness: Preparedness programs shall facilitate appropriate technical response to disasters and plan for the coordination of diverse response organizations and activities. Appropriate emergency response plans shall be maintained for each campus and steps taken to ensure adequate familiarity with the plan on the part of campus personnel.

3.3.3.1.2.7   Biological Safety: Applicable regulations and accepted standards governing the use, storage, and disposal of hazardous biological substances shall be observed. Conscientious surveillance shall be maintained and resources and technology applied to the handling of bio-hazardous substances consistent with regulatory controls and/or recognized health and safety standards.

3.3.3.1.2.8   Diving Safety: Diving operations under the auspices of the University of New Hampshire shall be conduced in compliance with appropriate regulations, safety standards, and campus policy.

3.3.3.2   Hazardous Materials and Environmental Management

3.3.3.2.1   Objectives: The objectives are: (1) to comply with statutory and regulatory requirements for hazardous materials inventory and emissions reporting; and (2) to collect, classify, and pack for shipment all hazardous waste for proper disposition.

3.3.3.2.2   Compliance Programs

3.3.2.2.1   Hazardous Waste Management: Procedures and facilities shall be maintained to allow for the preparation and ultimate disposal of hazardous waste produced by the campus. All applicable laws and regulations shall be used to establish standards for compliance.

3.3.2.2.2   Hazardous Materials Inventory and Reporting: This program develops and maintains campus hazardous materials inventories for the purpose of complying with regulations related to hazardous communication, community right-to-know, air emissions, building/fire codes, and emergency preparedness.

4. Policy on Use of Technological Resources

4.2 Definitions. For purposes of this policy the following terms shall have the indicated meanings:

4.2.1 "Technological resources" shall include, but not be limited to, telephones, voice mail applications, desktop computers, computer networks and electronic mail applications.

4.2.2 "Institutional technological resources" means those technological resources owned or operated by the University System or one of its component institutions.

4.2.3 "Non-institutional technological resources" means those technological resources that are neither owned nor operated by the University System or one of its component institutions.

4.3 Scope. This policy applies to access and use of technological resources by faculty, staff, administrators, students, and any other person whether inside or outside the academic community. This policy also applies to the access and use of non-institutional technological resources used in the performance of official duties by faculty, staff, or administrators, but only to the extent of such use.

4.4 Delegation of Authority. The institutions within the University System shall adopt policies governing access to and use of institutional technological resources. Institutional policies shall be consistent with applicable BOT and USY policies, and shall:

4.4.1 Establish standards of conduct which users are expected to meet, including the extent to which technological resources may be used for non-institutional purposes;

4.4.2 Notify users of privacy and security issues related to their use of the institution's technological resources;

4.4.3 Provide (an) effective mechanism(s) to inform users of the relevant institutional policies and train them in the proper use of technological resources;

4.4.4 Establish a policy on the retention, archiving, and deletion of information resident on technological resources owned or operated by the institution;

4.4.5 Establish a process whereby appropriate institutional officials may access, copy, and/or delete information resident in any technological resource owned or operated by the institution, such process to permit said actions only when justified by legitimate institutional interests;

4.4.6 Establish appropriate security mechanisms to protect the information resident in any technological resource against unauthorized access;

4.4.7 Establish a mechanism for receiving reports of violations of the institutional policies on the access to and use of technological resources and for appropriately responding to such reports.

4.5 General rules. The following general rules apply to the use of and access to technological resources anywhere within the University System and its component institutions:

4.5.1 The University System and its component institutions shall retain ownership over the records resident on the technological resources covered by this policy. In the case of faculty, staff, or administrators using non-institutional technological resources for institutional purposes, this policy applies only to records created for those institutional purposes. The institution's ownership of the record shall have no effect on the ownership of the copyright or other intellectual property rights related to information contained in the record, which rights may or may not reside with the institution.

4.5.2 The University System and its component institutions shall retain the right to access, copy, and delete, in accordance with policies established under subsection 4.4.5, above, information resident in technological resources covered by this policy. In the case of faculty, staff, or administrators using non institutional technological resources for institutional purposes, this policy applies only to records created for those institutional purposes.

5. Information Technology Security Policy

5.2 Information Technology Security Organization

USNH will establish and maintain an organizational structure with clearly assigned responsibilities for oversight and enforcement of USNH IT resources security, and a process for maintaining accountability for activities and system configurations that are inconsistent with the policy.

5.3 Physical and Environmental Security

USNH and each USNH institution, manager, provider and user of USNH IT resources is responsible for protecting, to the best of its ability, USNH IT resources. USNH and all USNH institutions, providers and users of USNH IT resources will institute and follow procedures, within their level of responsibility and authority, to protect those IT resources from loss, damage, compromise and unauthorized access, by creating a safe environment for the housing and use of those assets.

5.4 Computer, Network and Telecommunications Management

5.4.1 Network Management. USNH and providers and managers of USNH IT resources must manage the secure operation of the network environment and must do so in a manner that is consistent with a commitment to privacy and applicable USNH privacy policies.

5.4.2 Successful Operation of USNH Network Resources. USNH institutions will create appropriate policies and procedures to ensure and safeguard its IT resources from interference, threats, or other undesirable effects. In addition to IT resources, these policies and procedures shall include consideration for non-IT resources as well as consideration for devices not owned by the USNH either attached or unattached to the network.

5.4.3 Prevention of Loss, Modification or Misuse of Information Exchanged Between Organizations. All USNH institutions, providers and users of USNH IT resources will institute measures to safeguard the flow of data and information into and out of the networks.

5.4.4 Protection of Wireless Air Space. USNH institutions will manage the wireless spectrum to minimize interference between wireless networks and other devices using radio frequencies.

5.5 System Development & Maintenance

5.5.1 Security in Operational Systems and Prevention of Loss, Modification or Misuse of User Data in Application Systems

The appropriate level of protection must be incorporated into operational systems throughout the development process. Especially in cases where the data is sensitive or requires protection because of the risk and magnitude of loss or harm that could result from improper operation, manipulation or disclosure.

5.5.2 Protection of Confidentiality, Authenticity and Integrity of Information

USNH will protect the confidentiality, authenticity and integrity of information.

Conducting IT Projects and Support Activities in a Secure Manner. Changes and updates to systems and data must be traceable to accountable individuals and source documents under a defined management process.

5.5.4 Maintaining Security of Application System Software and Data

All USNH institutions and providers of USNH IT resources will provide and implement reasonable and adequate security measures to protect the information stored in IT resources.

5.6 Disaster Recovery and Business Continuity Management Planning

5.6.1 Disaster Recovery and Response Management Plan. USNH and each USNH institution will develop, keep current, and publish adequate disaster recovery plans to minimize the effects of a disaster and support restoration of USNH critical operations following a disastrous event.

5.6.2 Business Continuity Plan. A "Business Continuity Plan" shall be developed and implemented at all USNH institutions to facilitate the re-establishment and continuance of critical business functions after a disaster occurs.

5.7 System Access Control

5.7.1 Control Access to Information. Protect computer systems and resources from theft, destruction, unauthorized alteration or exposure, or other potential compromise resulting from inappropriate intentional, negligent acts, or omissions.

5.7.2 Control Access to Systems. Access to systems will be limited to staff who have a need to access them as determined by job responsibilities.

5.8 User Awareness & Training

5.8.1 Reducing Risks of User Error, Theft, Fraud or Misuse of Facilities. USNH institutions and providers of USNH IT resources will institute measures to reduce risks of user error, theft, fraud or misuse of IT resources, by providing appropriate user information and training.

5.8.2 Educating Users about Information Technology Security Threats and Concerns. USNH and its member institutions will communicate to all constituents their responsibility for protecting the technology environment, and provide the information necessary to help them protect IT resources against threats.

5.9 Compliance

5.9.1 Compliance with federal, state and local laws, USNH and institutional policies, and contractual obligations. The use and operation of USNH IT resources will comply with federal, state and local laws, USNH and institutional policies, and contractual obligations.

5.9.2 Providing information concerning laws, policies and contractual obligations. All USNH institutions, providers and managers of USNH IT resources will institute procedures to inform users and administrators of IT resources about applicable laws, policies and contractual obligations.

5.9.3 Procedures for adjudicating security violations. Violations of this security policy constitute unacceptable use of IT resources and may violate other USNH policies and/or state and federal law. Suspected or known violations should be reported to the IT Security Officer at USNH or member institutions.

5.9.4 Performing a Security Audit Process. All USNH institutions, providers and managers of USNH IT resources will periodically conduct an audit of security of IT resources.

5.10 Asset Classification & Control

5.10.1 Maintaining Appropriate Information Technology Inventory Controls. All USNH institutions, providers, managers and users of USNH IT resources will develop and maintain a comprehensive inventory of critical information assets.

5.10.2 Inventories of assets help ensure that effective asset protection takes place, and may also be required for other business purposes, such as health and safety, insurance, or financial (asset management) reasons. The process of compiling an inventory of assets is an important aspect of risk management. An organization needs to be able to identify its assets and the relative value and importance of these assets. Based on the information an organization can then provide levels of protection commensurate with the value and importance of the assets. An inventory should be drawn up and maintained of the important assets associated with each information system. Each asset should be clearly identified and its ownership and security classification agreed [upon] and documented together with its current location.

5.10.3 Safeguarding Information Sensitivity. All USNH institutions, providers, managers and users of USNH IT resources will establish methods to identify, classify, and where necessary, restrict access to institutional data so as to recognize sensitivity, protect confidentiality or safeguard privacy as required by law, institutional policy or ethical considerations.