Section: Information Technology
Policy Number: 926
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20
End User Computing (EUC) consists of but is not limited to programs, spreadsheets, databases, report writers, and applications created and used by end users. EUC is used to extract, store, sort, calculate and compile St. John’s University (St. John’s) data to perform queries, analyze trends, make business decisions, or summarize operational and financial data and reporting results. EUC involves technology used by end users, outside of the Administrative ERP system (BANNER) and systems not managed by the IT Department. Any cloud computing solution used by the end users also forms part of the EUC.
EUC is the primary gateway to the organization’s sensitive information and business applications. Implementation of appropriate information security controls for EUC can mitigate the risk to data and IT systems. Consequently, end user protection is critical to ensuring a robust, reliable, and secure IT environment.
The purpose of this policy is to:
St. John’s provides an array of Computing Resources to support its instructional, research and administrative functions. This policy, including its supporting standards, formal processes, and procedures, applies to all members of the University Community who use St. John’s Computing Resources and is in force whether they are working onsite at a St. John’s facility or from a remote location.
The Information Technology department may take all reasonable actions to ensure the integrity of the St. John’s information and computing resources, including prevention of damage to data and equipment, irrespective of any asserted privacy interests.
St. John’s relies on EUC during its normal course of business and intends to protect the confidentiality, availability, and integrity of information created during its business, education, research, and other activities.
In using EUC-related resources, the end user (extracting, manipulating, summarizing, and analyzing their EUC data) must take appropriate risk management actions, including, but not limited to, inventory and risk ranking, to minimize risks.
The Information Technology department develops, maintains, and communicates EUC standards and trains users on how to be compliant with these standards.
End users must certify to the Chief Information Officer (CIO) their compliance with the policy and the standards annually. The CIO also monitors and certifies St. John’s-wide compliance with the policy and standard to the Chief Financial Officer (CFO) annually.
The following are the definitions relevant to the policy:
St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed by, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.