Policy 926 - End User Computing Policy

Section: Information Technology
Policy Number: 926
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

End User Computing (EUC) consists of but is not limited to programs, spreadsheets, databases, report writers, and applications created and used by end users. EUC is used to extract, store, sort, calculate and compile University data to perform queries, analyze trends, make business decisions, or summarize operational and financial data and reporting results. EUC involves technology used by end users, outside of the Administrative ERP system (BANNER) and systems not managed by the IT Department. Any cloud computing solution used by the end users also forms part of the EUC.

EUC is the primary gateway to the organization’s sensitive information and business applications. Implementation of appropriate information security controls for EUC can mitigate the risk to data and IT systems. Consequently, end-user protection is critical to ensuring a robust, reliable and secure IT environment.

The purpose of this policy is to: 

  • set out the rules for effectively managing EUC
  • place safeguards regarding access to EUC
  • mitigate potential risks associated with the use of EUC

Scope and Applicability

St. John’s University (St. John’s) provides an array of Computing Resources to support the instructional, research and administrative functions of the University. This policy, including its supporting standards, formal processes, and procedures apply to all members of the University Community who use the University Computer Resources and is in force whether working onsite at a University facility or from a remote location.

The Information Technology department may take all reasonable actions to ensure the integrity of the St. John’s information and computing resources, including prevention of damage to data and equipment, irrespective of any asserted privacy interests. 

Policy

St. John’s relies on EUC during its normal course of business and intends to protect the confidentiality, availability, and integrity of information created during its business, education, research, and other activities.

In using EUC-related resources, the end user (extracting, manipulating, summarizing, and analyzing their EUC data) must take appropriate risk management actions, including but not limited to, inventory and risk ranking to minimize risks.

The Information Technology department develops, maintains and communicates EUC standards and trains users on how to be compliant with these standards.

End users must certify to the Chief Information Officer (CIO) their compliance with the policy and the standards annually. The CIO also monitors and certifies University-wide compliance with the policy and standard to the Chief Financial Officer (CFO) annually.

Definitions

The following are the definitions relevant to the policy:

  • Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
  • Institutional Data: All data owned or licensed by the University
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.
  • End User: Anyone who uses technology-related resources.

Compliance

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.

Related Policies, Standards or Regulations

  • End User Computing Standards
  • Acceptable Use Policy
  • Acceptable Use Standards
  • Third Party Risk Management Policy (includes cloud computing)
  • Information Security Policy