MSCHE Technology Use Procedures

ADMINISTRA TIVE PROCEDURES Acceptable Use of Commission T echnology Pr ocedur es Effective Date: July 1, 2024 Contents I. Purpose II. Procedures for Acceptable Use of Commission T echnology III. Procedures for Acceptable Use of Commission Email and Other Communications Platforms IV. Procedures for Access Control and Monitoring V. Procedures for Annual Certification VI. Definitions I. Purpose The Mid-Atlantic Region Commission on Higher Education (MARCHE), doing business as the Middle States Commission on Higher Education (MSCHE or the Commission), seeks to ensure that Commission representatives access, maintain, and utilize Comm ission t echnology, incl uding but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts and authorized devices, in a secure, appropriate, and ethical manner. The purpose of these procedures is to implement the Comm iss ion’ s Information Security and Privacy Policy and Pr ocedur es and establish acceptable use of and access to Commission technology and infrastructure. Inappropriate use exposes the Commission to cybersecurity risks and inform ation security incidents. These proc edures apply to all Commission representatives. It is the responsibility of every Commission representative and Commission account user to know these guidelines and to conduct their activities accordingly. II. Procedur es for Acceptable Use of Commission T echnology A. Commission representatives will honor and adhere to all MSCHE policies and procedures in the acceptable use of Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts, and authorized devices and provide certification of their understanding of these requirements on an annual basis pursuant to the procedures provided in Section V. Procedures for Annual Certification. B. The Commission expects Commission representatives to recognize their role in representing MSCHE and conduct themselves in a professional and collegial manner at all times while conducting Commission business and accreditation activities or while maintaining, using, or accessing Commission technology. 1. Commission representatives will not harass, intimidate, or otherwise engage in harmful or negative speech or behaviors on Commission technology.

ADMINISTRA TIVE PROCEDURES 2. Commission expectations for professional and collegial conduct are outlined in the Acknowledgement of Ac ceptable Use of Commission T echnology certification. See Section V. Procedures for Annual Certification. C. Commission representatives will not allow anyone other than the individual assigned to their account and login credentials to access Commission technology, including but not limited to computer equipment, devices, platforms, software, operating system s, or network accounts, and authorized devices. D. Commission representatives will utilize strong password management for accessing Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts, and authorized devices and maintain security of their login credentials. 1. Commission representatives will not re-use passwords. 2. Commission representatives will not leave their account logged in and unattended at an unlocked computer or device. 3. Commission representatives will not share their individual password inform ati on with external individuals or or ganizations. E. Shared administrative account(s) may be necessary for business purposes, including but not limited to hosting events, managing communications, and responding to inquiries. 1. Login credentials to official Com mission a ccounts will only be shared between authorized Commission staf f and through a secure password management platform with password sharing. 2. Commission staf f will not distri bute or discuss shared administrative account login or password information with unauthorized staf f members or other individuals. F. Commission social media accounts and pages are only operated and acces sed by authorized Commission staf f. Commission social media accounts and/ or pages must be approved by the Commission’s President. G. Commission representatives will access the Commission technology, including but not limited to computer equipment, devices, platforms, software, operating system s, or network accounts, and authorized devices for the sole purpose of conducting of ficial Commission business. H. Commission staf f will use Commission technology and authorized devices to conduct official Comm ission busines s. Authorized devices are defined in Section VI. Definitions. 1. Authorized devices pose acceptable and minimal risk to the stability, performance, and security of the Commission’s network, as determined by the Commission’ s Information Systems Department and Executive Leadership T eam.

ADMINISTRA TIVE PROCEDURES 2. Authorized devices include Commission-issued laptops and cell phones and may include personal mobile devices that have been documented and approved by the Information Systems Department and Executive Leadership T eam. 3. Unauthorized devices pose unacceptable risk to the stability, performance, and security of the Commission’s systems and network. 4. Unauthorized devices include personal devices that have not been reviewed and approved by the Commission’s Information Systems Department and Executive Leadership T eam. 5. When an authorized device is not working or lost, Commission staf f may utilize an alternate device that is reviewed and approved by the Commission’s Information Systems Department and/or a member of the Executive Leadership T eam to conduct required Commission business. I. Commission representatives will truthfully and accurately represent themselves on Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts and authorized devices. J. Commission representatives will not circumvent user authentication or security processes of any Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts and authorized devices. K. Commission representatives will not initiate, cause, ef fectuate, or facilitate information security incidents or disruptions of network communications, including interfering with service to any users or hosts. Information security incidents are defined in Section VI. Definitions. L. Commission representatives will not alter Commission technology, which may include but is not limited to computer equipment, devices, platforms, software, operating systems, or network accounts and authorized devices. This includes unauthorized program, software, technical information, encryption software or technology, or file downloads, which may not be secure and put the system at risk. The export of any of the above is also prohibited unless authorized by the Executive Leadership T eam. M. Commission representatives will not solicit non-MSCHE business for personal gain or profit on Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts and authorized devices. N. Because Commission staf f work in a r emote of fi ce environment and have access to a broad array of Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts, and authorized

ADMINISTRA TIVE PROCEDURES devices, they are held to the highest standard of ethics, care, and security as part of their roles. 1. The Commission will maintain access to and administrative privileges to all Commission systems and software, including email, instant messaging or chat tools or platforms, and other communication platforms, on all devices that m ay be accessed by Commission staf f. 2. The Commission staf f wil l only use Commission technology, equipment and authorized devices to conduct of ficial Commission business. 3. Use of non-authorized Commission technology to conduct of ficial Commission business is prohibited. 4. The Commission staf f wil l establish a secure remote environm ent by s etting up password-enabled home W i -Fi with secure internet providers. 5. Remote work while traveling is expected for some Commission staf f as part of their job responsibilities. In these circumstances, Commission staf f will not download Commission materials over unsecure networks. 6. Commission staf f will delete downloaded materials and browser history upon completion of the accreditation activity while traveling on behalf of the Commission. 7. Commission staf f will not conduct business, including discussion of institutional matters, through text messaging or chat tools or platforms without express authorization by the Executive Leadership T eam. 1. The Executive Leadership team is authorized by the Commission President to use text messaging or chat tools or platforms as necessary to address critical Commission issues in a timely manner. 2. The use of text messaging or chat tools for authorized critical issues will be limited to specific instances identified by the Executive Leadership T eam. O. The Commission will provide training to Commission representatives on acceptable use of Commission technology and best practices for information security and privacy, ef fective July 1, 2024. 1. Peer evaluators will receive training on acceptable use of Commission technology during the Peer Evaluator Orientation. 2. Commissioners and Commission staf f will receive annual training on acceptable use and authorization of Commission technology and af filiat ed applications. III. Procedur es for Acceptable Use of Commission Email and Other Communications Platforms A. The Commission staf f wil l abide by the acceptable use requirements articulated in the Middle States Commission on Higher Education Employee Handbook.

ADMINISTRA TIVE PROCEDURES B. The Commission provides access to email and other types of communication platforms, including instant messaging and voicemail, to Commission staf f to support communications and business purposes. 1. MSCHE email and other types of communication should not be considered personal, and employees should expect no right to privacy with regard to MSCHE email and other types of communication provided to employees for business use. 2. The Commission retains rights and access to all MSCHE voicemail and email systems, including all email, instant messaging, and voicemail messages. 3. MSCHE may access the email, instant messaging, and voicemail systems of its employees at any time, without notice, and may be required to provide the content of those to others as required by law. C. The Commission staf f wil l conduct themselves in a professional and collegial manner in all email correspondence and on all communications platform s. 1. Commission staf f will not use t heir MSCHE email account or communications platforms for personal or non-organizational m att ers. 2. Commission staf f will not misrepresent themselves through Commission email or communications platforms. 3. Commission staf f will not use Commission email or other communications platforms to send, forward, or respond directly to materials that may be construed as political, obscene, threatening, of fensive, libelous, malicious, or harmful to the Commission. 4. Commission staf f will not use Commission email or communications platforms to send unsolicited or spam email. 5. Spam email received by Commission staf f will be forwarded to suppor t@msche.or g for security evaluation in accordance with the Commission’ s Information Security and Privacy Policy and Pr ocedur es and Information Security Incident Response Pr ocedur es. 6. Commission staf f will not use external, non -MSCHE accounts to conduct Commission business or accreditation activities without review by the Information Systems Department and Executive Leadership T eam. 7. Commission staf f will not forward emails to unapproved external email domains (including personal email accounts) without review by the Information Systems Department and Executive Leadership T eam. Exceptions that may be allowed include but are not limited to forwarding scanned receipts for reimbursement of travel expenses or human resources documents to a personal email account. 8. Commission staf f will forward Microsoft Outlook .PST files for calendar events to support@msche.org for approval prio r t o adding the file to their Outlook account. 9. Commission staf f will not use blind carbon copy (BCC) in email correspondence or to send mass email.

ADMINISTRA TIVE PROCEDURES 10. Commission staff will use acceptable risk managem ent and email management practices as identified by the Information Systems Department and Commission tra ining. D. Commission representatives will exercise good judgement and caution when opening email attachments. E. Commission representatives will comply with directives issued by the Inform ati on Systems Department and Executive Leadership T eam (EL T) to enforc e the security of all Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts and authorized devices. F. Commission representatives will promptly report suspected phishing or scam attempts by forwarding them to support@msche.or g for securit y evaluation in accordance with the Commission’ s Information Security and Privacy Policy and Pr ocedur es and Information Security Incident Response Pr ocedur es. G. The Commission will provide training to Commission representatives on email management practices and expectations for use of email to conduct Commission business as appropriate to their role. IV. Procedur es f or Access Control and Monitoring A. Proprietary information stored on authorized Commission technology (including but not limited to computer equipment, devices, platforms, software, operating systems, and network accounts owned or operated by the organization, Com mission r epresentatives, or third-party vendors) remain the property of the Commission. B. The Commission reserves the right to investigate, monitor, analyze, and audit equipment, devices, platforms, software, operating systems, and network accounts at any time and on a periodic basis to maintain security and privacy of the aforementioned areas in accordance with the Information Security and Privacy Policy and Pr ocedur es, and Information Security Incident Response Pr ocedur es. C. The Commission reserves the right to mandate remediation measures on Commission technology and authorized devices as necessary to ensure proper use and maintenance and ensure organizational ef ficiency and improvement. D. Commission representatives will access accreditation materials and confidential information solely to the extent that it is authorized by the position and necessary to conduct accreditation activities, fulfill job responsibilities, or maintain business functions.

ADMINISTRA TIVE PROCEDURES Commission representatives will not post, forward, print, or download sensitive or co nfidential materials outside of the fulfillment of accreditation activities, job responsibilities, and/or business functions. E. Commission representatives will promptly report the theft, loss, or unauthorized disclosure of Commission technology, including but not limited to computer equipment, devices, platforms, software, operating systems, or network accounts and authorized devices, or proprietary information to the Commission in alignm ent wit h the Commission’ s Information Security Incident Response Pr ocedur es. V. Procedur es for Annual Certification A. Commission representatives will certify annually that they have read and agree to adhere to the Commission’ s Acceptable Use of Commission T echnology Pr ocedur es and all other applicable policies and procedures as detailed in the Acknowledgement of Acceptable Use of Commission T echnology form, ef fecti ve April 1, 2024. 1. New Commission staf f hi red on or after April 1, 2024 will submit this form before being permitted to access Commission systems. 2. Commission representatives will certify annually in alignment with Commission policy and procedures. B. The Commission will maintain current and signed Acknowledgement of Acceptable Use of Commission T echnology forms for all Commission representatives in accordance with its Maintenance and Retention of Commission Recor ds Policy, Maintenance and Retention of Commission Recor ds Pr ocedur es, and Recor ds Retention Schedule. VI. Definitions. The following definitions are used and/or inferred in this policy and/or procedures: A. Accreditation activity. All activities (including but not limited to reviews, reports, visits) conducted by Commission representatives related to a member (accredited and candidate) or applicant instituti on’s accreditation phase, accreditation status, or scope of accreditation occurring throughout the accreditation review cycle and during monitoring activities. B. Accreditation materials. All documentation related to accreditation activities including but n ot limited to the institution’s written reports to the Commission, subm it ted evidence, team reports, institutional responses, confidential briefs, third-party comments, action notifications, substantive change requests, transcripts of proceedings, team rosters, and any correspondence of record. Accreditation materials are treated as confidential by

ADMINISTRA TIVE PROCEDURES Commission representatives, become part of the institutional record, and are retained in accordance with the Commission’s Maintenance and Retention of Commission Records Policy and Procedures. C. Authorized device. Devices that pose an acceptable and minimal risk to the stability, performance, and security of the Commission’s network, as determined by the Commission’s Information Systems Department and Executive Leadership Team. D. Commission representatives. Individuals who represent or serve the Commission including but not limited to peer evaluators, Commission staff, and Commissioners. E. Commission technology. Computer equipment, devices, platforms, software, operating systems, and network accounts that are owned, operated, leased, or administered by the Middle States Commission on Higher Education (MSCHE or the Commission). F. Confidential information. Confidential information includes, but is not lim it ed to, all information related to the institution and not generally known in spoken, printed, electronic or any other form or medium relating, directly or indirectly to business practices, policies and procedures, plans, strategies, agreements and contracts, pending or future transactions, trade secrets, negotiations, computer and information technology resources information, accounting information and records, and financial information. Confidential information shall not include information that was required to be disclosed by law, regulation, other lawful means or any information that is generally known to the public or in the public domain. G. Correspondence of record. Any written communication or correspondence between the institution and Commission staff related to the process of making decisions about an institution. Correspondence of record is not miscellaneous correspondence with no significant business value including but not limited to notes of appreciation, congratulations, letters of transmittal, plans for meetings, confirmations of dates for staff visits, invitations to attend conferences, and other personal communications of commissioners, peer evaluators, or Commission staff. Correspondence of record is confidential and stored as part of the institutional record. Correspondence of record does not include text messages and instant messages for these purposes, as the Comm iss ion staff are prohibited from using text messaging or instant messaging to conduct official commission business. H. Institutional record. The compilation of all materials and data the Commission has on file related to the applicant, candidate, or accredited institution, including but not lim it ed to all accreditation materials related to any accreditation activity, the record on file and transcripts for any proceeding, complaints, and any information or documents related to the institution collected by the Commission or received from external sources such as the government or other quality assurance agencies as part of ongoing monitoring activities.

ADMINISTRA TIVE PROCEDURES I. Information security incident(s). One or multiple related and identified inform ati on security events that can harm MSCHE’ assets or compromise its operations through unauthorized access to or breaches of Commission systems, information, or platforms. Unauthorized access to Commission systems, information, or platforms is considered to be a data breach. Such breaches may include but are not limited to: (1) Unauthorized disclosure, access, or compromise of confidential information; (2) Propagation of viruses, worms, Trojan horses, adware, spyware, or other computer malware; (3) Theft or loss of information systems or information assets, including computers, electronic media, or hardcopy documents containing confidential information; and (4) Unauthorized access to MSCHE facilities, including physical locations where MSCHE data may be stored by authorized third-parties. Other security events considered to harm Commission assets or compromise operations may include but are not limited to: (1) Abuse of information systems or information assets; and (2) Deliberate attempts by outsiders, Employees, or contractors to circumvent security controls or otherwise exceed authorized access. J. Litigation hold. The procedure used to cease the scheduled disposal, destruction, purging, or deletion of certain Commission records, regardless of any retention period(s) set forth in the Records Retention Schedule. K. Network. Information system(s) implemented with a collection of interconnected components, which may range from Commission-utilized systems and services, Wi-Fi, routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. (definition adapted from National Institute of Standards and Technology) L. Personal information or personal data. Also known as personally identifiable information (PII). Information that is identifiable to any person, including, but not lim ited t o, information that relates to a person’s name, health, finances, education, business, use or receipt of governmental services or other activities, addresses, telephone num bers, social security numbers, driver license numbers, other identifying numbers, and any financial identifiers. M. Record on file. A segment of the institutional record used in a Commission proceeding such as show cause appearance or appeals. It includes but is not limited to the accreditation materials for accreditation activities for the period of non-compliance (since the first non-compliance action), any information collected or received by the Commission as part of ongoing monitoring activities, transcripts from other proceedings, and correspondence of record. N. Records. For the purposes of the Information Security and Privacy Policy and Procedures, the term “records” includes all data, documents, or records that are created, accessed, received, used, or maintained as part of Commission accreditation or business activities. Records may be stored on any electronic or non-electronic media (e.g., paper, video or audio tape, microfilm or microfiche, or hard drive, disk, or other electronic

ADMINISTRA TIVE PROCEDURES storage device) or in any format (e.g., memos, spreadsheets, or email). Records do not include documents or materials that are created or received solely for reference or convenience or that do not relate to Commission business. Exam ples of materials that are not considered records include, but are not limited to: library materials, card and notebook indices, brochures, articles and publications referenced for convenience purposes, miscellaneous correspondence (such as confirming dates for staff visits, invitations to attend conferences), and other personal communications of comm ission ers, peer evaluators, or Commission staff. O. Third party vendors. Third party vendors perform certain services on behalf of and through a contract or agreement with the Middle States Commission on Higher Education. The Commission may provide these companies with access to Commission records, data, or other information, including personal information or personal data, to ca rry out the services they are performing for the Middle States Commission on Higher Education. Number: N/A V ersion: 2024 - 07 -01 EFFECTIVE v. 2024- 08 - 01 Effective Date: July 1, 2024 Created: 2024 Approval: Approved by Cabinet (Ma y 31, 2024) Initial Approval: Previously Issued: N/A (new p rocedures) Revisions: 2024- 08 -0 1 (editorial amendment); Related Documents: Antitrust Compliance Procedur es and Certifica tion Statement; Conflict of Interest: Commission Repr esentatives; Conflict of Inter est: Commiss ion Employees; Informatio n Security and Privacy Policy; Information Security an d Privacy Procedur es; Informa tion Security Incident Response Procedur es; Maintenance and Retention of Commission Records Policy; Maintenance and Retention of Commission Records Pr ocedu r es; Peer Evalu ators Policy; Peer Evaluators Procedur es; Federal regulations:

Acknowledgement of Acceptable Use of Commission Technology Information Security and Privacy Policy, Information Security and Privacy Procedures, and Acceptable Use of Commission Technology Procedures Effective Date: July 1, 2024 Commission Representative Role ☐ Commissioner ☐ Peer Evaluator ☐ Commission Staff ☐ Other: All Commission representatives will complete this certification statement online. Do not complete this form on paper or mail it to the Commission. By completion of the online Acknowledgement of Acceptable Use of Commission Technology, the individual certifies that: ☐ I have read and agree to uphold the Commission’s Information Security and Privacy Policy, Information Security and Privacy Procedures, and Acceptable Use of Commission Technology Procedures. ☐ I will adhere to best practices for information security and privacy as outlined in the Commission’s Information Security and Privacy Policy, Information Security and Privacy Procedures, and Acceptable Use of Commission Technology Procedures. ☐ I will also adhere to other applicable policies and procedures regarding confidentiality, standard of care, and Commission representative obligations for technology and relate d matters as outlined in Maintenance and Retention of Commission Records Procedures and Communication in the Accreditation Process Policy and Procedures. ☐ I will participate in Commission training and resources on information security and privacy. ☐ I will conduct myself in a professional and ethical manner when utilizing, accessing, interacting, or communicating with Commission systems, accounts, technology and/or other users. ☐ I will not use Commission devices, networks, systems, or technology to create, communicate, display, transmit, willfully receive, or store sexually explicit or pornographic material, hate speech, or other abusive or harassing materials, chats, and/or files. ☐ I will not share my password or login credentials with unauthorized users, organizations, or platforms.

☐ I will not connect unauthorized devices to or download from Commission systems, accounts, or technology or access these systems from an unsecure network. ☐ I will not misrepresent my identity on Commission devices, equipm ent, or syst ems, or at Commission facilities. ☐ I will not use Commission equipment, devices, networks, or premises for personal gain or business, including to solicit non-MSCHE business. ☐ I will treat Commission materials, equipment, and devices with care, sensitivity, and utmost regard for security when accessing materials in all spaces, and I will delete any downloaded materials from secured and approved devices upon conclusion of the project, meeting, or assignment. ☐ I will not leave my devices with access to Commission systems, accounts, or users unlocked or unattended in unsecure settings. ☐ I will perform appropriate maintenance on Commission infrastructure, accounts, or devices that I may access as instructed by the Commission’s Information Systems (IS) Department. ☐ I will immediately report unauthorized account or system access on my behalf or theft, loss, or damage of Commission equipment and devices upon discovery to the Commission by emailing support@msche.org. ☐ I have been informed of my responsibilities as a Commission representative to maintain the security and privacy of Commission materials, systems, and equipment. ☐ I will uphold all Commission policies and procedures that may not be listed in this acknowledgement and apply to security, privacy, and acceptable use of Co mmission technology. I hereby acknowledge and agree to uphold the Comm iss ion’s Information Security and Privacy Policy, Information Security and Privacy Procedures, and Acceptable Use of Commission Technology Procedures. Signature: _____________________________________ Date: Print Name: _____________________________________ Title: _____________________________________