UBIT Policy: Use of Software Applications at UB

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: July 27, 2023

ON THIS PAGE:

Summary

The University at Buffalo (UB, university) acknowledges the importance of software and web-based services in enhancing productivity and collaboration among faculty, staff, and students. The use of software applications comes with potential security and privacy risks that can compromise university data and systems. This policy outlines the approval requirements for software applications used by university personnel and students. 

Statement

The University at Buffalo (UB, university) is committed to protecting the confidentiality, integrity, and availability of data important to the university’s mission. Software applications may have the ability to transmit, process, or store university data on a software platform or service. Software applications must have formal university approval to prevent the unintended disclosure of protected or restricted university data. Many free and low-cost software applications do not have the appropriate security protections in place that are required when accessing university data. This policy applies to all software used by faculty, staff, and students at the University at Buffalo, regardless of the source of the software.

Software Requirements

The UB permits the use of software applications which meet the following conditions:

  1. Legal Software Use: All software used at the university must be legally licensed and used in accordance with the license agreement. Unlicensed software is strictly prohibited. This includes respecting copyright laws, not engaging in any illegal activities using the software, and not using the software to harm others or damage university property.
  2. Compliance with University Policies: All software usage must comply with all university’s policies and must meet UBIT’s standards for data security, accessibility, privacy, and acceptable use of technology.
  3. Software Acquisition: All software applications must undergo a risk and accessibility assessment conducted by EDI and the VPCIO. The risk assessment will evaluate the software application's security, privacy, accessibility, and compliance with relevant laws and regulations.
  4. Data Classification: Software applications will be approved for use based on the highest appropriate level of data classification and data type used. If a higher level of data classification is needed the software must be reevaluated.
  5. Security Measures: All software applications must provide appropriate security measures, such as encryption, access control, and multi-factor authentication. All software must be maintained to adhere to the latest security patches.
  6. Compliance: All software applications must be compliant with relevant laws and regulations, such as FERPA, HIPAA and Section 508.

Third Party / Plug-In Software Applications:

Some software providers offer third-party software applications (3rd party app) and plug-in software which are not governed by the university’s software agreement. Each 3rd party app / plug-in is subject to its own terms, conditions, and privacy statements, and may pose a security risk if not properly vetted. All 3rd party apps / plug-ins are subject to the same requirements as traditional software applications and will be evaluated using the same standards, regardless of the application’s host platform.

Disclaimer

All software must comply with all applicable State and Federal laws and regulations as well as all university policies and standards and may be subject to a legal review.

Non-Compliance

The VPCIO reserves the right to remove any software application that poses a risk to university data and systems without notice.

Background

The university community collects, possesses, and uses a large amount of data to conduct university business. Some of this data is sensitive in nature and requires protection to comply with laws and regulations. 

Applicability

This policy applies to all software used by faculty, staff or students when conducting university business. Including but not limited to:

  • Free software 
  • IITG software 
  • Personally procured software
  • Software purchased or provided by SUNY

Definitions

Software: The programs and related information used by a computer. These include but are not limited to:

  • Cloud-based software 
  • Courseware
  • Desktop software 
  • Third-party / Plug-in applications
  • Web-based software/services

Responsibility

Data Trustee

Departmental/node IT

  • Ensures that all software has been properly requested, reviewed, and approved prior to use.
  • Ensures the data is approved for release to the software vendor.

Software Application Review Committee

  • Reviews software application requests

Contact Information

Information Security Officer
 201 Computing Center
Buffalo, NY 14260
Phone: 716-645-6997
Email: sec-office@buffalo.edu        
Website: http://security.buffalo.edu

Vice President and Chief Information Officer
517 Capen Hall          
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
 Website: http://www.buffalo.edu/ubit.html

University Links

Data Access Procedures

Data Risk Classification

Deleting Data Securely from Devices

Handling Data Safely Training

Mobile Communication Devices

Protection of University Data Policy

Record Retention and Disposition

Safety and Security Camera Applicable Use Policy

Technology Guidance for Remote Computing and Telecommuting

UB Minimum Security Standards for Desktops, Laptops, Mobile and Other Endpoint Devices

UB Minimum Server Security and Hardening Standards

Related Links

Section 508 of the Rehabilitation Act of 1973

Family and Educational Rights and Privacy Act (FERPA)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

State University of New York Privacy Policy

NYS P08-005 Accessibility of Web Based Information and Applications