Welcome to iMpact, the Ross School Intranet!

Once a year, we ask the Ross community members to review and agree to the Terms of Service via iMpact.

The agreements cover subjects such as information security, sensitive data, and copyright. The agreements ensure that members of the Ross community understand and follow the University policies and state and federal laws concerning the appropriate use of information technology.

This page contains the terms of service for your respective community group (faculty/staff/student).

At the time of renewal, iMpact will prompt you to agree to them in order to use Ross IT resources. The review should take 5-10 minutes.

• When you first log in to iMpact on or after the terms’ release, iMpact will prompt you to complete the review.
• You may defer once, but you must complete it at the next login.

Introduction to Proper Use of Information Technology

As a member of the Ross School and the University of Michigan community, you must abide by the highest standards of responsibility to your colleagues -- the students, faculty, staff, and external users who share this environment -- and comply with University policies and state and federal laws concerning appropriate use of information technology.

Please be Aware of Your Responsibilities. Non-compliance is considered a serious breach of community standards and may result in disciplinary or legal action, including the loss of access to technology and information services!

You will be guided through a series of Proper Use Policies listed on the right. You will be asked to agree to each in order to use Ross information technology resources. This should take 5-10 minutes and you will only be asked to view these once a year. You will have an opportunity to repeat any section. You also have the opportunity to revisit any of these sequences within iMpact at a later time under the Technology section of iMpact.

Computer Security & Security Incidents

Information systems allow access to private and sensitive data, including names, photos, and various electronic identifiers, like your Uniqname.

Unauthorized disclosure, even if accidental, may have a serious adverse effect on the University's reputation, resources, services, or individuals.

Examples of a security incident include:

• Unauthorized use of computer systems or data.
• Unusual behavior you observe on your computer or your network connection that might be the result of a virus or network attack.
• Sharing of UM passwords, MCards or other forms of identity
• Loss or theft of equipment used to store private or sensitive data. This could be a laptop, a thumb drive, a DVD or even a printout.
• Loss of personally identifiable information, such as health information, social security numbers, etc.

Remain Secure. When using University-sponsored services like Google Apps and DropBox, be sure your connection is secure and encrypted if using a wireless internet connection, or use a hard-wire Ethernet connection. A secure and encrypted wireless connection such as MWireless will usually ask for authentication.

You are expected to promptly report an information security incident, security breach or loss of sensitive data to Ross IT immediately, even when you are not sure that private or sensitive data was involved.

For more information, refer to the Security policy links under policies on this page. For Information on Security Incident Reporting please refer to SPG 601.25.

Secure Personal Devices (Faculty & Staff)

We live in a mobile world and you may find it necessary to access or maintain sensitive University data on your personally owned devices; your home computer, a computer you use at a hotel when traveling for business or pleasure, or your mobile phone and tablet.

Best practices to maintain your personal device include, at a minimum, up-to-date, device-appropriate security safeguards, such as:

• Setting up a PIN, passcode or password to access your device.
• Using a U-M VPN (Virtual Private Network) to access information over untrusted networks (such as a hotel guest network).
• Encrypting your device hard drive.
• Installing a device tracking device (such as FindMyPhone), and similar.
• Regularly updating your device with security software and virus patches.
• Using two factor authentication.
• Others as appropriate given the sensitivity of the data you are accessing.

In the event of a University security breach, and as part of a data security investigation, the University may request to inspect your personal devices.

You are expected to report any loss of your personally owned device that has access to University information to Ross IT immediately at 615-3000 or RossITSupport@umich.edu, even when you are not sure that sensitive data were involved.

For more information, please refer to the University policy on the Security of Personally Owned Devices in SPG 601.33 and follow recommendations to secure and manage your personal device.

Secure Sensitive Data (Faculty & Staff)

The Office of the Chief Information Security Officer (CISO) is responsible for the development, implementation, monitoring, and enforcement of University data security policies. These policies have been recently updated, and affect all faculty and staff.

Sensitive institutional data are data whose unauthorized disclosure may have a serious adverse effect on the University's reputation, resources, services, or individuals. Data protected under federal or state regulations, or due to proprietary, ethical, or privacy considerations will typically be classified as sensitive, whether stored locally or with a cloud provider. This includes administrative, teaching and learning, clinical, and research data, as well as Social Security numbers, student application data, and any other data regulated by FERPA or HIPAA compliance guidelines.

• All University information is classified into one of four levels based on its sensitivity and risk of harm to individuals and the university if the information is subject to a breach or unauthorized disclosure. The classification levels are explained at this link: https://www.safecomputing.umich.edu/protect-the-u/safely-use-sensitive-data/classification-levels
• The University has established minimum security controls appropriate for safeguarding data based on the data’s classification level.
• These controls and policies also apply to third-party vendors who collect, process, share, or maintain university institutional data, whether managed or hosted internally or externally.
• These controls and policies also apply to sensitive institutional data classified as Restricted or High that are accessed or maintained through the personally owned devices of members of the U-M community.

Violations of data security policies may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this policy or its associated Standards may be limited or removed.

Any U-M department or unit found to have violated data security policies may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.

Accessing institutional data ranges from simply reading your University email, depending on its content or the content in attachments to that email, to accessing data on a University system, such as WolverineAccess, M-Pathways, eResearch, and Canvas, to accessing your documents and spreadsheets stored on file systems such as Google Drive and DropBox. Browsers can cache sensitive data on your personal device even when you might not think you have saved documents with sensitive data.

For more information, please refer to the University policy on Information Security in SPG 601.27 and the ITS web site Safely Use Sensitive Data. Specific questions about data classification levels and controls can be directed to the Office of the Chief Information Security Officer (CISO).

Protect Your University Access Credentials

You must guard and protect your access credentials to University systems as you would your Social Security or Credit Card number.

Your Uniqname and password together are used to access various computers and information systems, like the Ross School's iMpact portal and the University's services via Wolverine Access.

Your MCard gives access to certain buildings, resources, and services. Your digitized MCard photo is used for security, identification, and internal business purposes.

By default, the Ross School uses your MCard photo within iMpact, our information portal, and other business systems. Your photo is used as part of your Profile and in the Ross Directory, which are useful for personal networking with your Ross colleagues. For students, your photo is also used to create Seating Charts, Class Rosters, and Face Cards.

You have the option to allow the use of your MCard photo or not. You may also upload a suitable photo of your choice in its place. You may opt out now at the bottom of this page or change your preference at any time on your iMpact profile screen.

It is absolutely against University policy for you to share your access to University systems with anyone, for any purpose, except for authorized classroom and program use within the University.

• NEVER give anyone access to computer network resources with your Uniqname and password.
• NEVER loan your MCard.
• NEVER share your two-factor authentication.

For more information, refer to the MCard photo policy link under policies on this page.

• Passwords are like toothbrushes - Don't share them with friends, and change them regularly!
• Avoid writing down your password with your Uniqname on the same sheet of paper.
• Never walk away from a computer without logging out or using a password protected screen saver.
• Password-lock your personal computer when not in use.
• Strong passwords are essential, but they aren't enough - Add a layer of security for your personal information with Two-Factor Authentication, required for some systems.
• Be aware of wireless networks that are not encrypted; your access credentials can be stolen.

I understand that the protection of my University access credentials is my responsibility, and that to share them with others is a breach of University policy.

Recording of Activities at Ross

The Ross School of Business, acting on behalf of the Regents of the University of Michigan, may make photographs, audio recordings, and/or video recordings ("Recordings") of various activities at Ross. These activities and Recordings can be categorized into three major types:

• Classroom Recordings, for academic purposes, such as posting course content online to enrich the teaching and learning experience.
• Event Recordings, such as speakers in Robertson Auditorium, which can have an academic purpose but are also used for marketing the School.
• Public Space Recordings, in spaces such as the Wintergarden, which are primarily used for marketing.

By participating in these activities, you understand that the University may make Recordings of you, and you authorize the University to make Recordings of you and to use them in perpetuity, anywhere, in any medium including, but not limited to: print and electronic publications, video stream, podcasts, and broadcast media. The Recordings belong to the University and you will not receive payment or any other compensation in connection with the Recordings.

The University may also use, reproduce, distribute, publicly display, or make derivatives of any works of authorship (such as speeches, printed handouts, or presentation slides) that you make available to the University in connection with classes, events, and other activities.

Students are not permitted to make their own recordings of classroom activities without the express written consent of the faculty member teaching the course.

If you have personal concerns about Classroom Recordings, you are encouraged to bring them to the instructor teaching the course, so accommodations can be discussed. If you have personal concerns about Event or Public Space Recordings, you can in many cases choose to not participate, or to watch the recorded video after the event. You also are encouraged to register your concerns with the event sponsor and/or the Marketing & Communications Department at RossCommunications@umich.edu, so accommodations can be discussed.

Observe Copyright & Licensing

Do Not Infringe the Copyright in Music, Movies, Books, Articles, Cases, Reports, or any other work of authorship! The acquisition or distribution of infringing material is a serious offense and opens you and university up to potential liability.

Do Not Duplicate and Distribute Copyrighted Material! This includes copying and distributing to others anything retrieved from the library, from Canvas or from your professors. If you are a student, staff member or faculty, please contact Kresge Library (kresge_library@umich.edu) if you have questions about what may or may not be shared.

Do Not Install Illegally Obtained Software! It is also protected by copyright and licensing laws.

Communicate Responsibly

No Commercial Email or Spamming - Email, iMpact messaging, and group lists are for academic and professional use only.

Respect our Alumni - The Alumni messaging services are only for your individual use to obtain career advice, connect with others, etc.

Absolutely NO Surveying, divulging alumni contact information to third parties, or sending mass emails to alumni without coordinating with and the explicit consent of the Development and Alumni Relations Office.