- Approval and adoption and revision
Approved by the Information Technology Manager on March 21, 2023.
- Purpose
Provide oversight on the purchase and control of computing equipment used by Athletics staff members.
- Scope
This policy applies to all computer and communications devices owned or operated by Intercollegiate Athletics excluding cell phones.
- Policy
- General
All devices must adhere to Penn State University acceptable use policies (AD96).
- Budget
- Any device purchased, regardless of budget, will be the property of ICA and strictly controlled by Athletics IT. Initial purchase of computer hardware for newly created positions will be purchased using the department’s funds. Future upgrades and replacements on these devices will be funded by the Athletics IT budget. Devices for staff members requiring specialized hardware or software will be discussed on an individual basis. Funding for these devices will be discussed individually as well.
- All IT-related purchases must be made through the Office of Athletics IT. Requests will be made in writing through the team’s senior administrator, and budget information must be supplied at the time of order.
- Workstations
- If a new workstation (laptop or desktop) purchase is required, the models of choice will be determined by Athletics IT.
- Available models will be determined by Penn State’s Dell Standard Configurations selection which is renewed yearly and Apple’s availability in their store.
- Preferred workstations will be determined by Athletics IT based on cost, ease of deployment and maintenance, and need.
- Dell workstations will be the default brand.
- Athletics IT will discuss purchasing requirements with departments that require specific hardware due to software needs.
- Workstations will remain within the department in which they were purchased unless otherwise noted.
- Other Devices
- Athletics IT will provide a list of preferred printers, tablets, other computer peripherals, and other devices.
- All purchases are subject to approval by a budget administrator and Athletics IT.
- Useful Life
Athletics IT will replace the primary computer at their expense when the useful life of the product has been reached. Useful life is defined as the duration of time between purchase and when the device’s functionality is limited, obsolete or can no longer function due to hardware or software limitations.
- AntiVirus & Vulnerability Scanning
- All Athletics-issued devices will have an antivirus platform applied during imaging.
- Athletics-issued devices will comply with Penn State policies regarding which software packages are deemed necessary.
- Athletics IT will use various methods to achieve full compliance on all devices.
- All antivirus solutions will automatically update to ensure compliance.
- All Penn State networks issued to Athletics will allow scanning by Penn State automated vulnerability scanners unless otherwise noted.
- In the event that Penn State automatic vulnerability scanners detect an issue, Athletics IT will take appropriate action to rectify the incident, including but not limited to removal of the device from Penn State networks.
- Software Patching
- BigFix (IBM Endpoint Manager)
- Software installations, patches, fixes, and scripts can be run from the BigFix console by all IT personnel. Monthly, all common software applications with patches are pushed by the console to all applicable workstations. Servers are excluded from BigFix patching.
- WSUS
- Critical and Severe patches are automatically assigned and delivered as released by Microsoft to workstations and servers. Other security patches need to be manually approved by IT personnel after successful testing and delivered to downstream machines.
- JAMF
- All Athletics-issued Apple devices are bound to the JAMF infrastructure.
- Patching Schedules
- BigFix (IBM Endpoint Manager)
- Patches are usually delivered overnight to avoid interruption to users unless warranted due to criticality.
- WSUS
- Workstations
Workstations check in every ten hours for available updates. Any updates marked Critical or Severe are automatically accepted. Other updates manually approved by IT will be downloaded at this point. Installation is required to be performed no longer than two days after installation. The user may choose to postpone updates until that deadline after which the workstation will automatically apply the update.
- Servers
Servers check in every ten hours for available updates. Any updates marked Critical or Severe are automatically accepted. Other updates manually approved by IT will be downloaded at this point. Installation occurs during the patching window applied using Group Policy rules set up during domain registration. Certain servers are excluded from automatically patching on a schedule and require manual reboots.
- Micros
Micros terminals located in Beaver Stadium are patched prior to the fall football season. Patches are then suspended for the duration of the semester. Micros terminals in other venues are patched as normal workstations.
- XOS
XOS terminals are patched prior to the fall football season and after the season ends. Feature updates to new Windows versions are limited to the approved versions by the vendor.
- JAMF
- Athletics-issued Macs are bound to the JAMF infrastructure. OS patching is performed manually by IT personnel. Macs which utilize highly specific software such as Photoshop, Premiere, or HUDL may avoid OS updates. “Dot” releases are patched automatically as released by Apple.
- Patch Testing
- Patches will be tested on a small subset of computers before being pushed to all Athletics computers. Once considered safe, the patches are pushed to all applicable devices.
- Life Cycle
When a device has reached its end of life, it shall be subject to this policy.
- Definition
- A device is deemed to be at “end of life” when its usefulness to the Athletics department has been exceeded, or if the vendor support on the device has been exceeded and the device’s security posture is reduced as a result.
- Reissuing Devices
- Devices that have not yet reached their end of life and can be reissued to employees will have their system reimaged using the same hard drive. All machines will be reimaged with the latest approved operating system unless an exception is granted.
- Sanitization of Data
- All hard drives, tablets, or cell phones are to be wiped of data before being reissued to new users. Devices which have reached end of life or are beyond repair and warranty are sent to Penn State Surplus & Salvage for destruction of data and recycling of the device.
ICA Network Accounts Policy (ICA-ACCT-01)
- Approval and adoption and revision
Approved by the Information Technology Manager on March 17, 2023.
- Purpose
To manage Penn State user accounts and access to Athletics network resources.
- Scope
This policy applies to all users, computers and communications devices owned or operated by Intercollegiate Athletics. This policy also applies to any computer or communications devices that are present in an Athletics facility or Athletics operated network that are not owned or operated by Intercollegiate Athletics and have a need to communicate with any Athletics operated communications device.
- Policy
- Account Creation
- Account creation in the Enterprise Active Directory is only performed by the Penn State Accounts department and is not directly managed by Athletics IT.
- All classification of accounts is determined by Penn State Accounts.
- Access to ICA resources requires Athletics IT employees to place user accounts into appropriate Group Policy Security Groups.
- Account Removal
- Resignations
- User accounts are maintained by Penn State Accounts and will be disabled according to the current Penn State policies.
- Access to Athletics resources will be removed by removing the user’s inclusion in the appropriate Group Policy Security Groups.
- Terminations
- Terminated employees will have their account disabled at the time indicated by Human Resources.
- User accounts are maintained by Penn State Accounts and will be disabled according to the current Penn State policies.
- Access to Athletics resources will be removed by removing the user’s inclusion in the appropriate Group Policy Security Groups.
- EAD Organizational Unit Structure
- User Accounts are maintained by Penn State Accounts.
- To control resource availability for ICA, users are placed into security groups.
- Athletics Employees are placed into a top-level security group that controls access to computer logins, wireless connectivity, and VPN access.
- Employees are placed into a departmental security sub-group that controls access to certain departmental resources such as video shares or remote terminal applications.
- Monthly Audits
On a monthly basis, ICA Human Resources provides a list of current Athletics employees. Athletics IT will make any changes required.
ICA Network Access Policy (ICA-NAP-01)
- Approval and adoption and revision
Approved by the Information Technology Manager on March 21, 2023.
- Purpose
To obtain all network access requests in electronic format and to properly handle expired accounts.
- Scope
This policy applies to all users, computers and communications devices owned or operated by Intercollegiate Athletics. This policy also applies to any computer or communications devices that are present in an Athletics facility or Athletics operated network that are not owned or operated by Intercollegiate Athletics and have a need to communicate with any Athletics operated communications device.
- Policy
- Network Access Requests
All requests for network access are created via the Request for Network Access online form that formally submits the request to the Athletics IT support staff. Employees shall not request access for themselves. Newly hired employees will have their access request filed by their direct supervisor.
- Wired & Wireless Access
- All Athletics-issued devices excluding mobile devices may connect to the Athletics networks through ethernet or wireless connectivity. All requests for physical connections are subject to section 4.1 of this policy. Devices which utilize wireless connectivity will be preconfigured through OS imaging software prior to deployment of the device.
- Remote access to the Athletics network will be controlled through one or more VPNs in which EAD security groups will be utilized. In the case of Athletics-controlled VPNs, personal devices will not be allowed to connect. If a remote VPN operated by Penn State is used to access Athletics networks, Penn State policies apply regarding device usage.
- Athletics will utilize a variety of software to monitor network connections and traffic in conjunction with Penn State’s automated solutions.
- Unauthorized devices connecting to the Athletics networks will be disconnected.
- Traffic on Athletics networks may be monitored and analyzed for security purposes.
- Enforcement
Granting of the requested network access will be done exclusively by the Athletics IT department.
ICA Cellular Device Policy (ICA–CEL–03)
- Approval and adoption and revision
Approved by the Information Technology Manager on March 20, 2023.
- Purpose
This document will describe the policies regarding the distribution and use of cellular devices by Intercollegiate Athletics (ICA) employees.
- Scope
This policy applies to all cellular devices owned, operated or managed by Intercollegiate Athletics.
- Policy
- Device Deployment
- An ICA employee must receive approval from the appropriate Management Team representative or Sport Administrator to receive a cellular device. The approval must be forwarded to the IT department before a cellular device can be issued.
- ICA will provide employees with an AT&T issued cellular device as per our agreement with AT&T. Employees who wish to choose a phone beyond the offered models (higher memory, larger screen size, different manufacturer) must receive approval from the appropriate Management Team representative or Sport Administrator, as the cost increases significantly with these additions.
- All Athletics-issued Apple devices will be managed by the Penn State JAMF service.
- Devices will be required to adhere to best practices for security purposes.
- Devices will have preinstalled software and settings that Athletics IT and Penn State deem necessary for operation.
- Android mobile devices currently are not managed centrally by an MDM.
- Billing
- Monthly service charges will be directly billed to the ICA finance office and paid by individual department budgets. App purchases are not included in the monthly service charges and are billed directly to the employee.
- ICA issued devices will be upgraded at no cost to the employee but to the department, no less than the renewal date of the individual phone contract. Employees will be notified by the IT department when their upgrade is due. The old phone must be returned to the IT department within a week of the receipt of upgrade. The security code, pin and all cloud-based logins must also be removed upon return of the phone.
- A base-model protective case can be purchased with the device. The cost of the case will be directly billed to the department.
- All accessories, other than the department issued case, will be the financial responsibility of the individual user and are not to be paid for using purchasing cards or directly billed to the account. This includes car chargers, Bluetooth devices, charging cases etc.
- Ownership & Data
- A device purchased by ICA is ICA property. The device must be turned in to IT or HR on the last day of employment or immediately upon request.
- Due to litigation holds in place for Athletics, data must be preserved at all times including when the phone is returned to HR or the IT department. The device must not be reset prior to returning the device to IT. The security code, pin and cloud-based logins must also be removed upon return of the phone.
- The use of a cell phone by an employee is for the benefit of the University, rather than the convenience of the employee.
- Compliance
- To comply with all Penn State and NCAA regulations, certain staff positions may be required to utilize an Athletics-issued cell phone.
- To comply with all Penn State and NCAA regulations, usage logs from cell phones may be passed on to Penn State and Athletics Compliance departments on a monthly basis.
- This policy is subject to change by ICA at any time.
5.0 Cross References
Other Policies in this Manual should also be referenced, especially the following:
FN21 Non-Office Telecommunications Services (Formerly BS19)
ICA Audit Policy (ICA-AUD-01)
1.0 Approval and adoption and revision
Approved by the Information Technology Manager on March 28, 2023.
2.0 Purpose
To provide the authority for authorized members of the Office of Information Technology and the University’s Security Office to conduct a security audit on any system within Intercollegiate Athletics in accordance with University Policy AD95.
Audits may be conducted to:
- Ensure integrity, confidentiality and availability of information and resources
- Investigate possible security incidents and ensure conformance to the Intercollegiate Athletics security policies
- Monitor user or system activity where appropriate (e.g. system compromise is suspected, policy violations are suspected, complaints have been received, etc.).
- Ensure validity of user accounts
3.0 Scope
This policy applies to all computer and communications devices owned or operated by Intercollegiate Athletics. This policy also applies to any computer or communications devices that are present in an Athletics facility or Athletics operated network that are not owned or operated by Intercollegiate Athletics.
4.0 Policy
When requested, and for the purpose of performing an audit, any access needed will be provided to members of the Athletics or University security teams. Users and/or support personnel must ensure that any hardware or software installed for the purposes of filtering traffic such as a firewall appliance or personal firewall software allow unrestricted traffic to and from all systems authorized to conduct security audits at the departmental or University Security Office levels.
This access may include:
- User level and/or system level access to any computer or communications device
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted, or stored on Intercollegiate Athletics equipment or premises
- Access to work areas (offices, cubicles, storage areas, etc.)
- Access to interactively monitor and log traffic on the Intercollegiate Athletics network
At no time shall anyone other than those authorized within Athletics or the University be permitted to scan computers or devices connected to an Athletics operated network or capture (e.g. sniff) any traffic on an Athletics operated network.
5.0 Enforcement
Anyone found violating this policy will be subject to disciplinary action by his or her Administrative unit, Intercollegiate Athletics, or the University.
Athletics or University Security Office personnel will immediately terminate network access to any system found to be scanning systems or capturing traffic in violation of this policy. Individuals found to be in violation of local, Commonwealth or Federal regulations or laws will be referred to the University Security Office for case disposition.