Policy 926 - End User Computing Policy

Section: Information Technology
Policy Number: 926
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20

Policy Statement

End User Computing (EUC) consists of but is not limited to programs, spreadsheets, databases, report writers, and applications created and used by end users.  EUC is used to extract, store, sort, calculate and compile St. John’s University (St. John’s) data to perform queries, analyze trends, make business decisions, or summarize operational and financial data and reporting results.  EUC involves technology used by end users, outside of the Administrative ERP system (BANNER) and systems not managed by the IT Department.  Any cloud computing solution used by the end users also forms part of the EUC.

EUC is the primary gateway to the organization’s sensitive information and business applications.  Implementation of appropriate information security controls for EUC can mitigate the risk to data and IT systems. Consequently, end user protection is critical to ensuring a robust, reliable, and secure IT environment.

The purpose of this policy is to: 

  • set out the rules for effectively managing EUC
  • place safeguards regarding access to EUC
  • mitigate potential risks associated with the use of EUC

Scope and Applicability

St. John’s provides an array of Computing Resources to support its instructional, research and administrative functions. This policy, including its supporting standards, formal processes, and procedures apply to all members of the University Community who use St. John’s Computing Resources and is in force whether working onsite at a St. John’s facility or from a remote location.

The Information Technology department may take all reasonable actions to ensure the integrity of the St. John’s information and computing resources, including prevention of damage to data and equipment, irrespective of any asserted privacy interests. 


St. John’s relies on EUC during its normal course of business and intends to protect the confidentiality, availability, and integrity of information created during its business, education, research, and other activities.

In using EUC-related resources, the end user (extracting, manipulating, summarizing, and analyzing their EUC data) must take appropriate risk management actions, including but not limited to, inventory and risk ranking to minimize risks.

The Information Technology department develops, maintains, and communicates EUC standards and trains users on how to be compliant with these standards.

End users must certify to the Chief Information Officer (CIO) their compliance with the policy and the standards annually. The CIO also monitors and certifies St. John’s-wide compliance with the policy and standard to the Chief Financial Officer (CFO) annually.


The following are the definitions relevant to the policy:

  • Computing Resources: All St. John’s information processing resources including all St. John’s owned, licensed, or managed computing services, hardware, software, and use of St. John’s network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
  • Institutional Data: All data owned or licensed by St. John’s.
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.
  • End User: Anyone who uses technology-related resources.


St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.

Related Policies, Standards or Regulations