Policies & Standards

University Information Technology Policies

A complete list of IT policies can be found in the CSU Policy Library, which provides the full text of university policies along with links to related procedures, documents and resources.

Acceptable Use for Computing and Networking Resources

Computing and data systems, equipment, and services at CSU are valuable and limited resources that serve a large number and variety of users. The purpose of this policy is to establish what constitutes acceptable use of these resources in order to assure that they are available to everyone as needed for the University’s business needs.

Accessibility of Electronic Information and Technologies

The University seeks to deploy Electronic and Information Technology (EIT) designed, developed, or procured to be accessible to everyone, including those who use assistive technologies. This policy complements the Inclusive Physical and Virtual Campus Policy, which aims to state and affirm CSU’s commitment to creating and sustaining a welcoming, accessible, and inclusive campus.

Central Administrative Data Governance

The purpose of this policy is to formalize policies, procedures, and oversight for the CSU administrative data environment, balancing the issues of providing and accommodating access while ensuring that there are reasonable and prudent safeguards to protect and preserve the security, integrity and privacy of those data.

Domain Name Services

The Domain Name Service (DNS) provides a translation between computer names and numeric Internet Protocol (IP) addresses. EDUCAUSE manages all of the domains under the top-level “.edu” domain and has delegated the second-level domain “colostate.edu” to CSU. This document describes the University’s policy regarding how names in the colostate.edu domain are to be allocated.

Electronic Communications to Students

This policy exists to define the environment for students to receive official University communications that are necessary for their activities at CSU. There are various elements covered by this policy, encompassing their CSU electronic identity, and the infrastructure used for such communications. This policy limits the use of certain information systems and data provided by the university for purposes of communicating with students via email and text messaging.

Information Technology Security

CSU’s IT Security policies are presented in five sections: (1) general policies and guidelines that pertain to the University’s overall IT environment and are the responsibility of the department owning the IT environment, (2) mandatory, minimum IT security policies that are to be applied to every CSU IT system, (3) specific requirements to protect credit card information, as mandated by the credit card industry, (4) policies for the use of external Cloud resources to store CSU data, and (5) the governance of these policies.

Information Collection and Personal Records Privacy

This policy addresses access to and use of certain personally identifiable information stored in paper or electronic form.

Mobile Communications

The purpose of this policy is to provide mobile communications devices and services for use by University employees, primarily for non-compensatory University business purposes. Recognizing that these devices are susceptible to use for personal purposes and that a reasonable amount of personal use may be permitted without significantly increasing the University’s costs, it is necessary to adopt a policy governing such personal use and providing for business processes to implement the policy.

Network Identity (NetID)

CSU’s Network Identity (NetID) system provides a simplified and secure form of authentication and authorization across multiple university electronic systems and services. The purpose of this policy is to define the NetID, require that all students and university employees have one, and supply guidance as to how the NetID is used at CSU.

Red Flags

CSU developed the Red Flags Fiscal Policy as an Identity Theft Prevention Program pursuant to the Federal Trade Commission’s Red Flags Rule. This program was developed with oversight and approval of the Board of Governors of the Colorado State University System.

Division of IT Standards & Processes

Change Freeze Periods

The Division of IT sets standard change freeze periods during the start and end of each term. See Change Freeze Periods for the standard schedule as well as additional change freeze dates for specific systems.

Classroom Standards

See Classroom Support Services for information on general and AV classroom standards.

Credit Card Security

Merchants at Colorado State University that take credit card payments for goods and services are required to comply with the Payment Card Industry Data Security Standard (PCI-DSS), whether conducting e-commerce, mail-order/telephone-order, mobile, or retail transactions.

Data Security

Preserving and ensuring the confidentiality, integrity and availability of sensitive information are the hallmarks of information security. In addition, certain federal, state, local and university regulations may apply depending on the type of data and application. For more information about securing research, please visit IT: Research Security and Compliance and OVPR: Controlled Unclassified Information.

Email Sending Limits

See Email Sending Limits for the sending limitations that apply to Colorado State and CSU Pueblo Microsoft 365 (M365) email accounts.

Operating System Requirements

Devices used to access CSU resources are required to use software that is supported by the vendor and patched against vulnerabilities; this includes the operating system (OS) running the device. See End-of-Life and Out-of-Support Operating Systems for more information.

Security Review for Major IT Purchases

In order to comply with state and federal requirements, as well as the CSU IT Security Policy, all major IT purchases (those exceeding the dollar threshold for Documented Quotes) must go through a security review before the request for purchase will be approved. The Procurement department will forward all major purchase requests to DoIT for review. A security review may request additional information from the vendor, so this part of the process has the potential to slow the acquisition. To avoid undue delays, anyone planning to purchase a major IT system or service may request an evaluation in advance.
To directly request a security review in advance, please email the Chief Information Security Officer, Steve Lovaas.
For more details on this process, see IT Purchase Security Review.

Technology Standards

The Division of IT provides support and training for software products that are current standards across campus. See Minimum Technology Standards for more information.

Telecom Standards & Agreements

See Networking & Telecommunications Policies & Agreements for information on phone policies, service rates, design standards, and communication room agreements.