1. General Comment. The Board of Trustees shall establish basic financial policies and be involved in strategies as they relate to financial support of operations, programmatic directions, and capital maintenance and development of Southern Illinois University. (3/13/03)
2. Annual Budget Requests to the Illinois Board of Higher Education. The President, working with the Chancellors, shall develop specific budget requests for SIUC, SIUE, and for the Office of the President for approval by the Board of Trustees and for submittal to the Illinois Board of Higher Education. (3/13/03, 3/24/16, 12/13/18, 3/28/19)
3. Annual Budget for Operations. The annual budget for operations will be developed by the Chancellors for SIUC and SIUE under the direction of the President and shall be submitted to the Board for approval. Budget development will take into consideration state appropriations and other revenue expectations; spending priorities and salary increase plans which will be approved by the Board. (3/13/03), (3/24/16), (12/13/18), (3/28/19)

1. Fund Depositories
   
   
   1. University accounts shall be held in the name of "Board of Trustees - Southern Illinois University." (3/13/03)
   2. The Board authorizes the Board Treasurer to open and maintain bank accounts and to make such arrangements for the conduct thereof as that officer shall deem proper. (3/13/03)
   3. The Treasurer will conduct banking activities in a manner that is in compliance with State Statute and applicable Board policy and that maintain safety of funds, sufficient liquidity and maximum investment return. (3/13/03)
   4. The Board Treasurer is authorized to designate temporary depositories at such locations at which a need for local banking services may arise to serve a University activity remote from the base campus. For such accounts the Board Treasurer may appoint an agent or agents with signature authority over such accounts provided, however:
      
      
      1. The amount maintained in each such banking facility should be the minimum required to conduct operations;
      2. A U.S. bank in the area be utilized if at all workable in the circumstances. (3/13/03)
2. Investments
   
   
   1. The Board Treasurer is given continuing authority to purchase, to sell, or to transfer between University accounts those securities held as investments and to oversee externally managed investments in accordance with University Guidelines promulgated by the President. (3/13/03)
   2. SIUC and SIUE will maintain the control records of such investments in a manner approved by the Board Treasurer. (3/13/03)
   3. A report on cash and investment activity shall be made at least quarterly to the President and the Board of Trustees. (3/19/15)
3. Financing
   
   
   1. The Treasurer oversees the issuance of revenue bonds or other forms of external financing. (3/13/03)
   2. The Treasurer is authorized to finance certain capital and other improvements from internal cash reserves as that officer deems appropriate in accordance with University Guidelines promulgated by the President. (3/13/03)

1. Contracts -- General
   

   The University Purchasing Directors of Southern Illinois University are authorized to rent from others, as necessity warrants, properties that in their opinion will help to satisfy the requirements of the administrative, educational, and auxiliary operations of the University. The University Purchasing Directors may negotiate lease contracts in which the University is the lessee subject to approval by the President prior to final execution of the document. The University Purchasing Directors may negotiate leases of University properties to others and give notice to vacate subject to approval by the President. (3/13/03, 04/14/11)
    

2. Approval - Fixed Improvement Projects

   Prior approval by the Board of Trustees is required before the commitment of funds can be made for requisitions for fixed improvements projects or annual needs by subdivision of work for renovation, repair, and maintenance activities where the entire project cost or annual need by subdivision of work is $500,000 or more.  The Board of Trustees shall approve the project, the budget, and major changes to the budget, defined as changes of 10 percent. The Board shall receive the bids and award all contracts.  (12/08/11)

   Prior approval by the Board of Trustees is not required if the fixed improvement project involving a commitment of less than $500,000, provided that the President's approval is obtained for projects of $100,000 or more.  (9/14/00, 2/12/09, 12/08/11)
    

3. Requisitions-Purchasing of Goods and Services, Approval and Reporting Requirements
   
   
   1. Policy Statement -- General: The Board of Trustees of Southern Illinois University has delegated to each University Purchasing Director, through appropriate administrative channels, the authority to purchase goods and services. All purchases are made in accordance with the Procurement Rules of the Chief Procurement Officer of Public Institutions of Higher Education, as approved by the Joint Committee on Administrative Rules, and filed with the Secretary of State.  (04/14/11)
   2. Approval Required: Approval is required by the Board for all purchasing contracts involving the commitment of $500,000 or more. This requirement also includes purchases requesting multiple deliveries over a period of time. Additional approval of a supplemental requisition will be required if the amount of the supplement is in excess of 10% of the amount originally approved. (3/13/03, 12/08/11)
   3. Authorization by the Board of Trustees is not required:
      
      
      1. for requisitions involving a commitment of less than $500,000, provided that the President's approval is obtained for commitments of $100,000 or more; (12/08/11)
      2. for requisitions involving expenditures of a routine nature necessary for normal and usual operation of the University, where there is only one source of supply or in actual practice no price selection is possible; such instances include, but are not limited to
         
         
         1. postal charges purchased from the Postmaster and locked in the postage meter machine;
         2. postage stamps, post cards, and bulk mailing;
         3. utilities (electrical energy, city water, and sewage charges, natural gas, and telephone charges); (3/13/03)
         4. freight, express, and interstate moving expenses;
         5. annual renewals for rental of various physical facilities;
         6. annual renewal insurance premiums in years subsequent to the year in which the original insurance was contracted.
         7. subscriptions to journals and periodicals;
         8. books and bound periodicals;
         9. professional and technical services;
         10. credit card encumbrances for usual and customary automotive service station charges. Repair work other than the minor or emergency type must have previous approval of Transportation Service.
         11. annual rental of equipment in years subsequent to the year in which the original requisition was approved for installation, such as data processing equipment, photo- static copiers, accounting machines, and similar items;
         12. annual maintenance contracts provided by a manufacturer or its agent for the equipment made by them. (3/13/03)
         13. payments for items from specific single-item appropriations, such as CDB lease rental payment, retirement contributions, and fire protection, but excluding capital items;
         14. in emergencies involving public health, public safety, or where immediate expenditure is necessary for repairs to University property in order to protect against further loss of or damage to University property, to prevent or minimize serious disruption in University services, or to insure the integrity of University records;
         15. where the goods or services are procured from another governmental agency;
         16. purchases of and contracts for office equipment and associated supplies when such contracts provide for prices that are equal to or lower than Federal General Services Administration contracts and when such contracts or pricing result in economical advantage to the University.
      3. for requisitions involving commodities and stock equipment for internal distribution through normal procedures of established storeroom and service units and resale necessary for normal and usual operation of the University, where there are various sources of supply. This category will include, but is not limited to, commodities and stock equipment for the following operations:
         
         
         1. Food Services
         2. Pharmacy
         3. Student Center Bookstore
         In the case of purchases which fall within the above-mentioned exceptions, the approval of the Board of Trustees is not required, but the appropriate internal approvals are required.  (2/12/09, 12/08/11)
         
         The various offices and departments of the University shall communicate their requirements for commitments to the appropriate office by means of a requisition. When properly approved, the document constitutes authority for making commitments according to the procedures described in these regulations.
   4. Monthly Reporting Procedure
      
      
      1. The Purchasing Offices of SIUC and SIUE shall prepare an information report monthly, summarizing all purchase orders and contracts against University funds for the period and shall submit such reports to the President and the Board of Trustees.
      2. The monthly reports to the President and the Board of Trustees shall also include those contracts and subcontracts with grantors deemed exempt from the Illinois Procurement Code, 30 ILCS 500/1-10(b)(2). (04/14/11)
      3. The report of Southern Illinois University Carbondale shall consist of two parts: one for SIUC excluding the School of Medicine and one for the School of Medicine. The Office of the President, the Office of the Board of Trustees and University-wide Services transactions will be included in the campus section where the transaction occurred. (3/13/03)
      4. Each part of each report shall be divided into three sections:
         
         
         1. a section entitled "Detailed Report of Speaking and Performing Fees, Consultants, and Architectural and Engineering Fees" that provides:
            
            
            1. a summarization of those orders under the state required bid amount which shows the total of the number of orders with an aggregate dollar total; (3/13/03, 12/08/11)
            2. a list of all orders of the state required bid amount or more containing information on order number, type of funds, vendor, brief description, and amount. (3/13/03, 12/08/11)
         2. a section on all other "Purchase Orders and Contracts" under $100,000 that provides:
            
            
            1. a summarization of those orders under the state required bid amount which shows the total of the number of orders with an aggregate dollar total; (3/13/03)
            2. a list of all orders between the state required bid amount and $100,000 containing information on order number, type of funds, vendor, brief description and amount. (3/13/03)
         3. a section on all orders of $100,000 or more containing information on order number, type of funds, brief description, amount, a list of bidders with amount of their bids, the number of vendors invited to bid and declining, information on Executive Committee or President's approval, and the basis of award if other than low bid meeting specifications. (3/13/03)
             
   5. Authorization of purchases by Illinois Public Higher Education Consortium (IPHEC) on behalf of the Board of Trustees of SIU is approved as follows:
      
      1. IPHEC is authorized, as agent and on behalf of the Board, to prepare specifications, advertise, receive, open, tabulate and evaluate competitive bids for such commodities, equipment, and services as may from time to time be designated by the University Purchasing Directors of Southern Illinois University. In all such activities, IPHEC shall identify the Board of Trustees as its principal.  (04/14/11)
      2. IPHEC shall report to the Board all of IPHEC's activities as such agent, its evaluation of the bids received, and its recommendations for award of contracts. Bids shall be accepted or rejected and contracts shall be awarded by and in the name of the Board of Trustees in accordance with procedures heretofore or hereafter established by the Board.
      3. All advertising, receiving, opening, recording, and tabulating of bids by IPHEC and the award of any contract shall be in accordance with the Procurement Rules of the Chief Procurement Officer of Public Institutions of Higher Education and in accordance with the provisions of the laws of the State of Illinois.
   6. Guidelines for Procurements Exempt from the Procurement Rules of the Chief Procurement Officer of Public Institutions of Higher Education.
      
      Occasionally it is convenient or necessary to vend or lease a privilege or property to the larger community. Examples include the food service franchise within a student union, concessions or broadcasting rights for sports or entertainment events, automatic vending services, and leases of property for uses compatible with the mission of the Board. Sales of a privilege or property do not involve the expenditure of University funds. Nevertheless, such sales do represent the bartering of a University asset in return for cash, services or goods, and most of the same procurement principles and standards should be applied.  (12/08/11)
      
      
      1. Principles
         
         
         1. The opportunity to submit a bid should be offered to any qualified supplier. Minor transactions may be offered on the basis of telephone bids or communicated in electronically transmitted form. When in the best interest of the University, transactions over the legal bid limit should be subject to formal competitive selection procedures. (3/13/03)
         2. The structure of the competitive selection process must be such as to assure bidders that the award was based on objective judgment of known criteria applied to a defined set of facts. It is not sufficient that the award is subjectively impartial; it must also be perceived as impartial. The President will promulgate Guidelines to ensure that such privileges are awarded competitively and impartially. (3/13/03)
      2. Standards
         
         Use of the following standards will aid in producing the perception that privileges are awarded competitively and impartially.
         
         
         1. Bid specifications should set forth clearly the extent of services or quality of goods to be provided and the form and time of payment of any cash.
         2. Bid specifications should state clearly the criterion or criteria for award, and no award shall be made which is materially influenced by any other factor.
         3. When technical competence as opposed to unique artistic or professional talent is all that is necessary to performance, a minimum standard of competence shall be clearly described and required as a condition or qualification for consideration of a bidder's proposal. To the extent fiscal stability of the supplier bears upon the performance expected, a minimum prerequisite should also be used. The capacity to furnish a performance bond will usually satisfy the latter concern. The important concern is to avoid subjective comparisons of technical or fiscal ability as a criterion for award whenever such comparisons can be avoided.
         4. Consultants should be used as necessary to achieve the clarity and quantifiability required by the preceding principles, to the end that awards may be on demonstrably objective bases so far as is possible. Where subjective judgments cannot be avoided they should be made on the basis of recommendations of disinterested experts on the subject.
         5. All submittals by bidders shall be received at a specified location via electronic transmission or in sealed packages or envelopes clearly labeled as a bid on a particular proposed transaction, and publicly opened (except proposals), read or described or otherwise made public. Only materials so received shall be considered in making an award. No material omission, pertinent to a criterion for award, may be waived, unless determined by the University Purchasing Director to be in the best interest of the University. No other communication by a bidder on the subject of the bid shall be received or considered if known, except requests for clarification of specifications prior to the bid opening; response to such requests may only be made by an amendment to specifications distributed to all potential bidders or in mandatory pre-bid meeting where all bidders must be present. Further clarification or documentation or other proof of representations in bid documents in hand are the only communications which may be received from a bidder after the bid opening. (3/13/03, 04/14/11)
      3. Procedures
         
         
         1. The office desiring to lease or lease purchase tangible personal property or vend a privilege or property of the University in return for cash, services, or goods shall utilize the same procedure as is mandated for procurement from University funds. A Requisition describing the functions required or stating the privilege or asset to be vended and the desired return shall be approved in the usual manner and submitted to the University Purchasing Director.
         2. The dollar limit above which Board of Trustees approval of a lease or lease purchase of tangible personal property is required is determined by the cost over the whole prospective period of a lease or renewals provided for therein, and approval shall be obtained before making any promise of payment or commitment of funds whatsoever.
         3. The University Purchasing Director will handle a tangible personal property lease or lease purchase or the procurement of the services or goods in the same manner as other procurements so far as possible.
         4. The Procurement Rules of the Chief Procurement Officer of Public Institutions of Higher Education will govern either directly, by inversion, or by analogy, to the extent feasible.
         (9/14/00, 04/14/11)
   7. Vendor Suspension or Debarment
      

      The Board authorizes the University Purchasing Directors to petition the State Purchasing Officer to suspend or the Chief Procurement Officer to debar a vendor from submitting future bids for violation of the Procurement Code and/or the Rules of the Chief Procurement Officer of Public Institutions of Higher Education. (12/08/11)

   8. Procurement of Search Firm Services
      
      The services of an external hiring search firm shall be retained by the University only as specified in this policy.  A search firm may be retained to assist the Board of Trustees in the recruitment, selection, and hiring of a President or Chancellor.  For all other positions, the Board of Trustees authorizes the President to retain an external hiring search firm to assist in the recruitment, selection, and hiring when a justifiable need is established and approved by the President based on any of the following qualifying criteria.
      
      1.  The position to be filled is of such a specialized nature or scope that use of an external search firm provides a more cost effective use of University resources.            
      2.  The position to be filled requires a level of professional search expertise exceeding that available internally to the University.            
      3.  The position to be filled is of such a critical nature or scope that it must be filled immediately, time being of the essence.            
      4.  The diversity of the applicant pool will be significantly enhanced by services provided by an external hiring search firm.  (11/08/12)    

1. The President, as the chief executive officer of Southern Illinois University, is responsible for the development and implementation of a program of internal audit.
2. The President will promulgate guidelines which give direction to the overall internal audit function of the University; these guidelines, as they are developed and amended, will be transmitted to members of the Board of Trustees.
3. Internal Audit Charter: This charter identifies the purpose, authority, and responsibility of the Internal Audit function at Southern Illinois University.  The Internal Audit function resides within the Office of Internal Audit, Compliance and Ethics.  (9/13/12)
   
   
   1. Purpose: The Internal Audit function was established within Southern Illinois University to conduct assurance reviews of operations and procedures and to report findings and recommendations to the institution's administration and to the Board of Trustees. All Internal Audit endeavors are to be conducted in accordance with applicable law, institutional objectives and policies, as well as professional ethics and standards.  Specifically, activities of the Internal Audit function will be carried out in accordance with the mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, Standards and the Definition of Interanl Auditing) as established by the Institute of Internal Auditors.  The Internal Audit function may report that its operations are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, only if the results of the quality assurance and improvement program support the statement. (11/9/06, 4/14/11, 9/13/12, 4/6/17)
   2. Authority
      
      
      1. The Internal Audit function reports administratively to the President, whose authority as chief executive officer is sufficient to assure a broad range of audit coverage and adequate consideration of effective action on internal audit findings and recommendations. The Internal Audit function has an independent, functional responsibility to the Audit Committee of the Board of Trustees for reporting on the adequacy and effectiveness of internal controls. (5/14/98, 3/13/03, 9/11/08, 9/13/12)
      2. While the Internal Audit function is an integral part of Southern Illinois University and functions in accordance with the policies established by the President and the Board of Trustees, it is essential for the internal audit activity to be independent of the activities audited. To enhance and ensure this independence, and with strict accountability for safekeeping and confidentiality, internal audit staff are authorized unlimited access to all records, personnel, and physical properties which the Executive Director of Audits has determined to be relevant to the performance of assigned audits. Consulting services may be performed, if conducted in accordance with applicable standards. (11/09/06, 4/14/11, 3/22/12, 9/13/12)
      3. In performing its work, the Internal Audit function shall assert no direct responsibility nor authority over activities reviewed. Therefore, its appraisal of activities does not relieve other persons in the organization of any responsibilities assigned to them.  Furthermore, when assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. (4/14/11, 9/13/12)
   3. Responsibility
      
      
      1. The Internal Audit function is responsible for providing Southern Illinois University's administrators and Board members with information about the adequacy and the effectiveness of its system of internal controls and quality of operating performance. To accomplish this responsibility, all institutional activities are subject to audit, including all governance activities and processes. (9/13/12, 2/2/15)
      2. The scope of internal auditing encompasses examining and evaluating the University's governance, operations and information systems against established standards in carrying out assigned responsibilities. Areas of review include (04/14/11, 2/2/15):
      3. 
         
         1. reliability and integrity of financial and operating information;
         2. compliance with policies, plans, procedures, laws, and regulations;
         3. safeguarding assets;
         4. effectiveness and efficiency of operations and programs;
         5. accomplishment of institutional goals and strategic objectives;
         6. evaluation of the potential for the occurrence of fraud and how the organization manages fraud risk;
         7. assessment of whether the Information Technology governance supports the University's strategies and objectives; and
         8. evaluate the effectiveness and contribute to the improvement of the governance and risk management processes. (4/6/17)
      4. The Executive Director of Audits is generally responsible for the administration of this policy and for functionally directing and effectively managing the internal audit activities throughout Southern Illinois University.  Specifically, the Executive Director of Audits (04/14/11):
         
         
         1. is responsible for communicating directly and interacting with the Audit Committee regarding the results of activity of the Internal Audit function.  The Chief Audit Executive must report periodically to senior management and the Audit Committee on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.  Reporting must also include significant risk exposures and control issues, including fraud risk, governance issues, and other matters needed or required by the Audit Committee or senior management.  (9/13/12)
         2. must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.  The results of external assessments must be reported to senior management and the Audit Committee.
         3. must have direct and unrestricted access to senior management and the Audit Committee, and must identify and consider the expectations of senior management, the board and other stakeholders for internal audit opinions and other conclusions.  When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
      5. Southern Illinois University administrators are responsible for providing internal auditors with timely access to records, personnel, and physical properties which the Executive Director of Audits has determined to be relevant and for making sure that prompt, pertinent, and comprehensive responses are made to audit recommendations.

1. Office of the Board of Trustees, the Office of the President, SIUC and SIUE shall have a records management program which will provide for the maintenance of records in an efficient and orderly manner and for the discarding of records no longer needed. Such program will comply with all state and federal regulations.
2. The details of the programs established will include those general guidelines herein established, and the program will become effective when submitted in writing to and approved by the President.
3. Each program will include consideration of the following:
   1. Retention Schedules
      1. Legal constraints
      2. Operational needs
      3. Archival value
   2. Storage and Retrieval
      1. Filing systems
      2. Medium
         1. Paper
         2. Microfilm
         3. Computer storage
         4. Microfiche
   3. Designation of individual responsible for the program
   4. Provisions for appropriate confidentiality of records
   5. Provision for identification of and special care of records vital to the continuation of operations in the event of disaster. (3/28/19)

1. The Higher Education Travel Control Board, as authorized by "An act in relation to State finance," sets travel regulations for all University employees. These regulations, and any changes that may be made, are considered as Board of Trustees travel policy. SIUC and SIUE, the Office of the President, and the Office of the Board of Trustees may have travel regulations that differ from these regulations so long as they are not inconsistent with the Higher Education Travel Control Board travel regulations.
2. Travel related expenditures for the President of Southern Illinois University shall be submitted to the Board of Trustees' Executive Committee, or other committee or individual(s) as designated by the Board, for approval, prior to reimbursement.  (07/24/14)

1. The President of Southern Illinois University is authorized, pursuant to authority granted to the Board of Trustees by State law, to direct the development of a University Self-Insurance Program. Where appropriate, the self-insurance program will replace the protections and administrative services historically provided to the University by commercial insurance companies. The program will include:
   1. Retention of risks by the University within its financial capabilities through the establishment of self-insurance limits to be determined by normal loss levels.
   2. Creation by the university of a self-insurance reserve, funded within the University's financial capabilities, in those amounts necessary to insure against potential liabilities. Protection against potential liabilities in excess of funds held in reserve would be provided through other University resources or the purchase of insurance coverage for amounts in excess of self-insurance reserve funds.
   3. Solicitation by the University, as needed, of claims adjustment and legal services to be paid from available resources on a "fee for service" basis.
   4. Initiation of internal risk management programs intended to reduce the University's exposure to potential liabilities.
2. Guidelines promulgated by the President direct the functioning of the University Risk Management and Self Insurance program. (3/13/03)

1. Information Security Plan Charter

   1. Southern Illinois University has established this Information Security Plan to:
      1. Ensure the security of information the University creates, receives, maintains, or transmits by providing for the confidentiality, integrity and availability of that information, regardless of the medium in which the asset is held or transmitted.
      2. Protect against reasonably anticipated threats or hazards.
      3. Protect against reasonably anticipated uses, disclosures, or losses that violate applicable laws, regulations, and/or policies.
      4. Identify roles and responsibilities for implementing this Information Security Plan.
   2. It is the collective responsibility of all users to ensure:
      1. Compliance with the policies, guidelines and procedures contained within this Information Security Plan.
      2. Confidentiality of information which SIU is required to protect from unauthorized access.
      3. Integrity and appropriate availability of information stored and/or processed by SIU.
      4. Compliance with applicable laws, regulations, and policies governing information security and privacy protection.
   3. Failure to comply with this Information Security Plan shall subject users to disciplinary action consistent with University policies and any applicable laws and/or regulations.
   4. This Information Security Plan shall apply to the following:
      1. All SIU information assets, including central and departmentally-managed computing resources.
      2. All employees of SIU, contractors, vendors or any other person with access to SIU computing resources or information assets. This includes non-SIU owned devices that may store protected[1] information.
      3. All SIU information assets regardless of medium (e.g. physical or electronic)
      4. All computing resources (e.g. networks, systems, applications, etc.) owned or managed by SIU.

2. Information Systems Privacy & Statement of Ethics

   Southern Illinois University takes justifiable pride in the electronic information systems provided to its faculty, staff, and students. These resources include computer systems, software, data sets, and communications networks. Members of the University community may use these resources only for purposes related to their studies, instruction, the discharge of duties as employees, official business with the University, or other University-sanctioned activities. Any other use, unless specifically authorized, is prohibited. Access to the University's electronic information systems is a privilege to which all University faculty, staff, and students may be granted access to varying degrees. Certain responsibilities accompany that privilege; understanding them is important for all users. Those within the University community who make use of these resources are subject to high standards of ethics to insure the privacy, security, and proper use of data. Recognized as a primary educational, research, and administrative asset, the University's electronic information systems should be protected from unauthorized modification, destruction, disruption or disclosure-whether accidental or intentional.

   1. User Responsibility for Security of Stored Information

      The user is responsible for correct and efficient use of the tools each electronic information system provides for maintaining the security of stored information.

      1. Individual users to whom computer accounts, passwords, and other types of security authorizations have been assigned must obey any express restrictions on disclosure of such authorizations to others. No otherwise authorized disclosure may be made until the proposed recipient of the disclosure has demonstrated familiarity with the security requirements for usage of the authorizations and agreed to comply with them.
      2. The user must strive to understand the level of protection each electronic information system automatically applies to files and supplement that protection, if necessary, for sensitive information.
      3. The user must be aware of computer viruses and other destructive computer programs, and take steps to avoid being either their victim or propagator.
      4. Use of computers by individuals implies that they accept responsibility for protecting any information (processed and/or stored under directories or accounts assigned to them) which is restricted, licensed, proprietary or protected by law or regulation.

   2. Confidentiality of Stored Information

      1. Information stored on electronic information systems is considered confidential, whether protected by the computer system or not, unless the owner intentionally, and with proper authority, makes that information available to other groups or individuals. The University assumes that computer users wish the information they store on central and campus shared computing resources to remain confidential.
      2. Requests for the disclosure of confidential information outside the University will be governed by the provisions of law, including but not limited to the Family Educational Rights and Privacy Act of 1974, the State Records Act, and the Illinois Freedom of Information Act. All such requests will be honored only when approved by university officials who are the legal custodians of the information requested, or when required by state or federal law, or court order.

   3. Inappropriate Usage

      Computing and networking resources may be used only in accordance with accepted University practice. Examples of inappropriate and unacceptable use of computing and networking resources include, without limitation:

      1. harassment;
      2. fraud or misrepresentation;
      3. destruction of or damage to equipment, software, or data belonging to the University or other computer and networking users;
      4. disruption or unauthorized monitoring of electronic communications;
      5. violations of computer system security;
      6. unauthorized use of computer accounts, access codes, or network identification numbers assigned to others;
      7. unauthorized use of computer and/or network facilities in ways that impede the computing activities of others;
      8. use of computing facilities for personal or business purposes unrelated to the mission of the University;
      9. violation of copyrights and software license agreements;
      10. violation of the usage policies and regulations of the networks of which the University is a member or has authority to use;
      11. violation of another user's privacy;
      12. academic dishonesty such as plagiarism or cheating;
      13. accessing, or attempting to access, another individual's or entity's data or information without proper authorization regardless of the means by which this access is attempted or accomplished;
      14. giving another individual access to data or information, or the means to access data or information, they are not authorized to access;
      15. obtaining, possessing, using, or attempting to use passwords or other information about someone else's account;
      16. inspecting, modifying, distributing, or copying data, mail messages, or software without proper authorization, or attempting to do so;
      17. concealing or misrepresenting user’s name, affiliation or other identifier to mask irresponsible or offensive behavior or unauthorized use of identifier of other individuals or entities;
      18. Violations under the applicable student conduct code, applicable faculty or other constituency code of ethics or conduct, or other University policies;
      19. tapping phone or data lines.

   4. Sanctions

      Violation of the policies described herein for use of computing resources will be dealt with seriously. Violators are subject to disciplinary procedures of the University and, in addition, may lose computing privileges. Illegal acts involving the University's computing and networking facilities may also be subject to prosecution by local, state, and federal authorities.

3. Plan Oversight

   Each campus shall:

   1. Identify an Information Security Officer;
   2. Assign joint responsibility for their information security plan to their Chief Information Officer and Information Security Officer or equivalent positions;
   3. Ensure appropriate University officers, offices or employees are appropriately authorized to implement, maintain, and enforce this plan;
   4. Implement guidelines, procedures and processes to address the requirements of this Information Security Plan;
   5. Regularly review their local information security plan materials;
   6. Maintain records of their information security plan activities in compliance with applicable University policies, regulations and guidelines, and local, state and federal law

   The campus Information Security Officers, or their designates, shall meet annually to review the SIU System Information Security Plan and suggest modification as required.

4. Plan Requirements

   Each campus shall maintain an information security plan that, at minimum, addresses the following:

   1. Guidelines

      1. Responsible/Acceptable Use

         Maintain acceptable or responsible use guidelines that include or address:

         1. Identification of appropriate university officers or offices/units responsible for decisions as to whether a particular use of computing and network resources conforms to University guidelines;
         2. General user responsibilities;
         3. User responsibilities for securing protected information;
         4. Impermissible use;
         5. Acceptable network and Internet use;
         6. Users expectations of privacy and confidentiality;
         7. Sanctions.
      2. Security Awareness and Training

         Ensure that workforce members receive training regarding:

         1. The acceptable use of computing resources;
         2. The regulatory requirements and liabilities of access to protected information;
         3. How to use information systems and security controls;
         4. Handling, storing and disposing of protected information;
         5. Individual responsibilities and roles related to maintaining institution integrity.
      3. Data Classification

         Maintain Standards and guidelines for the classification of information the University creates, receives, maintains, or transmits.

      4. Procurement

         Maintain standards and guidelines for the procurement of computing resources. Ensure that systems handling protected information are compliant with relevant requirements of applicable law and this Information Security Plan.

   2. Securing Systems, Hardware, Data, and Software

      1. Infrastructure Configuration Standards

         Maintain standards for the equipment, applications, and devices deployed to ensure predictable operability and security of those devices. These standards are mandatory for computing resources involved in the processing and storage of protected information.

      2. Change Management

         Ensure significant changes to computing resources are managed to establish that changes are reasonable and necessary; do not introduce unintended risk to the confidentiality, availability, or integrity of data; and are executed as planned.

      3. Workstation Security

         Ensure workstations are configured, maintained, and employed in a manner to ensure the confidentiality, integrity and available of the information they contain.

      4. Patch Management Standards

         Ensure information system software is regularly tested and updated to reduce risk of system vulnerability exploitation and malfunction.

      5. Malware Protection

         Ensure information systems and data are adequately protected from malware or other destructive computer programs.

      6. Physical Safeguards

         Maintain reasonable and appropriate protection for physical computing resources. Access to data centers, network closets, remote points of presence, etc. shall be appropriately restricted. Physical locations containing high-risk information assets shall receive additional protections. i.e. access logging, proximity badge access, video surveillance, etc.

      7. Data Backup

         Maintain standards for the backup, retention, recovery, and protection of critical data.

      8. Disposal Standards

         Maintain standards for reuse, destruction and disposal of computing devices and information. Disposal of physical assets and data must be done in accordance with applicable laws, regulations, and policies.

      9. Data Handling

         Maintain standards for the proper handling, tracking and disposal of protected information regardless of medium to prevent inadvertent disclosure.

      10. Network Security

          Maintain network standards that include:

          1. Network perimeter defense mechanisms including firewalls, virtual private networks, and intrusion detection/prevention
          2. Network partitioning mechanisms to ensure proper isolation of high-risk information
          3. Wireless network security and access control mechanisms

   3. Access Control

      1. Clearance & Authorization

         Ensure employees, contractors, vendors or any affiliates with access to computing resources or information assets are appropriately vetted by the appropriate University officials, managers, supervisors, and data stewards.

      2. Terminating Access

         Ensure timely termination of user access to information systems, as appropriate, to protect the confidentiality and integrity of those systems.

      3. Access Management

         Provide users the least privilege access to information systems necessary and appropriate to conduct University business need and perform University job duties.

      4. User Accounts and Passwords

         Require individually assigned accounts and strong passwords to ensure access to information systems is appropriate and adequately logged.

      5. Remote Access

         Ensure remote network and application access is appropriate to individual users’ roles and responsibilities.

   4. Business Continuity and Disaster Recovery Planning

      1. Disaster Recovery

         Ensure business systems and business processes are prioritized by mission impact to establish criticality in the event of catastrophic failure. Assign appropriate backup and redundancy processes to critical systems. Maintain and regularly test a disaster recovery plan.

      2. Business Continuity

         As appropriate, maintain procedures to ensure that critical University processes can continue in the event an information system is unavailable.

   5. Information Risk Management

      1. Risk Analysis

         Regularly undertake a formal analysis of the risks and vulnerabilities associated with the security of protected information contained in or accessed through University computing resources.

      2. Information Incident Management

         Investigate, document, report, and remediate information security incidents as appropriate and required.

      3. Inventory

         Maintain an inventory of systems and processes that store, process, manipulate or access protected information.

      4. Exception Management

         Ensure that exceptions to guidelines, policies and standards developed pursuant to this Information Security Plan are formally approved, documented and regularly reviewed in recognition of the balance between the rigidity and structure of standards with the necessity of effective operations and the limitations of available resources and technology.

[1] Information that is protected from release by state and/or federal law/regulation or would require SIU to provide notice to individuals and/or government agencies if information is lost, stolen or compromised; examples include protected health information (PHI/HIPAA), credit card numbers (PCI), banking information (GLBA), and protected student information (FERPA)

(07/24/14)

• Notice - Notice that the University is collecting information, what information is collected, how it is collected, and how it is used.
• Choice - Whether users have a choice on how personal information is used.
• Access - Whether users are given the opportunity to access the information on the Web sites to review and correct errors.
• Security - The steps the University has taken to ensure that user information is protected.

• Develop a Privacy Policy for its Web sites that is readily accessible by being located on the homepages and other places where personal information is collected and tracking technology is used.
• The University Privacy Policy shall comply with Public Act 93-0117 (State Agency Web Site Act) effective January 1, 2004 by identifying any technology used to collect information on or track individual users.
• The University Privacy Policy shall contain provisions that effectively disclose practices regarding notice, choice, access, and security.
• The University Privacy Policy shall be placed on all University Web sites whether they collect information or not.

1. The trademarks, service marks, logos, insignias, seals, designs, symbols, trade names, slogans, and logotypes developed by or associated with Southern Illinois University and any campus or unit of Southern Illinois University, hereinafter "SIU marks", whether registered or unregistered for federal and state trademark protection, shall be owned and controlled by the Board of Trustees of Southern Illinois University. All applications for registration of SIU marks pursuant to federal or state law shall be filed by the Office of General Counsel, at the request of the President or a Chancellor, in the name of and on behalf of the Board of Trustees of Southern Illinois University. Records of such applications shall be maintained in the Office of General Counsel and in a campus office designated by the Chancellor.
2. Any and all private or commercial uses of SIU marks by any person, group, association, corporation, institution, or other entity, including University Related Organizations, shall require the written consent and authorization by the Board of Trustees. For commercial uses, license agreements approved as to legal form by the Office of General Counsel and naming the Board of Trustees of Southern Illinois University as Licensor, shall be executed on behalf of the Board of Trustees by the Chancellors. Royalties received from such licenses shall be retained at the campus level for uses determined by each Chancellor.
3. Appropriate legal actions on behalf of the Board of Trustees to protect SIU marks from misappropriation and infringement by others shall be undertaken by the Office of General Counsel.
4. Each Chancellor is authorized to develop administrative regulations, policies, and procedural guidelines for the institutional use of respective SIU marks on the campus and for the commercial licensing of the SIU marks. Such regulations, policies, and guidelines shall identify the campus office(s) or official(s) responsible for overseeing administration and licensing of the SIU marks, serve to promote appropriate use of the SIU marks, and become effective when approved by the President.
5. A Chancellor may, with approval of the President, delegate full or partial authority created under this policy to a designated senior administrator as appropriate, including but not limited to the Dean of the School of Medicine.
   
   (11/08/07), (07/24/14), (3/24/16), (3/28/19)

1. Purpose:
   
   The public policy of the State of Illinois states "that all persons are entitled to full and complete information regarding the affairs of government and the official acts and policies of those who represent them as public officials and public employees" consistent with the limitations contained in Illinois' Freedom of Information Act (hereinafter "Act"). 5 ILCS 140/1 et. seq.

   Pursuant to Section 3(h) of the Act (5 ILCS 140/3), Southern Illinois University has promulgated policies governing access to public records of the University in conformity with the Act. The purpose of the policies are to provide timely access to public records in the possession of the University while, at the same time, protecting legitimate privacy interests and maintaining administrative efficiency within the requirements of the State Records Act. 5 ILCS 160/1 et. seq.

2. Definitions:
   
   FOIA: The Freedom of Information Act.
   
   Freedom of Information Act Office(r): The individual or office designated by the Chancellor for each campus, and the Dean and Provost of the SIU School of Medicine (SIUC, SIUE, and the School of Medicine) or for the President's office responsible for receiving and responding to requests for public records.
   
   FERPA: The Family Educational and Privacy Rights Act.
   
   Head of public body: The President of Southern Illinois University.
   
   Requester: A person or entity who submits a request for public records in accordance with the Act.
   
   Commercial purpose:  The use of any part of a public record, or information derived from public records, in any form for sale, resale, or solicitation or advertisement for sales or services.
   
   Business days: Calendar days, other than Saturdays and Sundays, legal holidays, and other University closures.  For purposes of calculating time periods for responses to requests, the calculation begins on the first business day after the public body receives the request.
   
   Any other terms which are defined in Section 2 of the Act shall have the same meaning for purposes of this policy.
3. Freedom of Information Act Office(r):
   
   The Chancellor of each campus and the Dean of the SIU School of Medicine shall each appoint a FOIA officer who shall have the authority to receive and respond to all FOIA requests for the campus. With respect to FOIA requests involving the SIU Board of Trustees and/or the President of the University, the President shall designate a FOIA officer for such requests. The contact information for each FOIA office(r) shall be posted on the website and shall be available through the President's Office, Chancellor's office at each of the campuses, and the Provost and Dean of the SIU School of Medicine.
   
   The FOIA office(r) is responsible for ensuring an appropriate response to requests for access to records under the Act. The FOIA office(r) shall:
   
   1. Implement these rules governing access to public records.
   2. Coordinate the efforts of other University employees and campuses under the Freedom of Information Act and this policy.
   3. Maintain and make available for public inspection pursuant to Section 4(a) and (b) of the Act, a brief description of the University and a brief description as to how the public may request public records.  This information shall also be posted on the University's website.
   4. Maintain and make available for public inspection pursuant to Section 5 of the Act a reasonably current list of the types or categories of records under the University's control.
   5. Assist the public in identifying requested records.
   6. Extend the time for acting on a request, if necessary, for any of the reasons specified in Section 3 of the Act.
   7. After records are located and reviewed, make the records available for inspection or deny access to the records in whole or in part.
   8. When applicable, explain in writing the reasons for denial of access, the names and titles of persons responsible for denial and inform the requester of his or her right to submit a request for review to the Public Access Counselor of the Illinois Attorney General's Office.
   9. Upon request for a copy of a record which is subject to public inspection, make a copy available upon compliance with fee and copyright requirements.
   10. Upon request, certify that a copy is a true copy.
   11. Upon failure to locate records, declare in writing to the requester that the University is not the custodian for such records or that the records cannot be found after diligent search.
   12. Upon request, provide information about what records are electronically available and how to access the records pursuant to Section 5 of the Act.
   13. Determine, pursuant to Section 6(b), whether a request for a reduction or waiver of any charge is appropriate because the specific purpose for the request is in the public's interest (i.e., health, safety and welfare) and not primarily for personal or commercial benefit.
   14. Maintain an electronic or paper copy of a written request, including all documents submitted with the request until the request has been complied with or denied.
   15. Create a file for the retention of the original request, a copy of the response, a record of written communications with the requester, and a copy of other communications.
   16. Maintain a public file of denials indexed according to type of record requested and type of exemption asserted by the University as required by Section 9(b) of the Act.
   17. Complete an annual training program provided by the Public Access Counselor. In the event a new FOIA officer is designated, the new officer shall complete the electronic training curriculum provided by the Public Access Counselor within 30 days after assuming the position.
4. Form and content of FOIA requests:
   
   FOIA requests shall be in writing and submitted to the appropriate FOIA office(r) identified in Section 3 above.  Requesters are encouraged to utilize the University's request form available on the University's website, but use of this form is not required.  The request may be submitted via personal delivery, mail, fax, or electronic mail.  All requests shall be date and time stamped upon receipt and logged in a centralized database with a notation for each response deadline.
   
   The University shall document and date all contacts between the University and the requester in the requester's file. 

   The requester shall include the following information in a request:

   1. The requester's full name, address, and telephone number;
   2. The date of the request;
   3. A brief description of the public records sought, being as specific as possible regarding dates; file designations, names, etc.;
   4. Whether the request is for inspection of public records, copies of public records, or both;
   5. Whether the information being requested is for a specific public purpose sufficient to reduce or waive any cost applicable to the request;
   6. Whether the request is for a commercial purpose pursuant to Section 3.1 of the Act; and
   7. If the request is being submitted on behalf of a business or financial institution, whether that business or financial institution issues credit and/or debit cards pursuant to the Southern Illinois University Management Act, 110 ILCS 520/16.
5. Authorized responses to FOIA requests:
   
   
   1. For all FOIA requests other than requests made for commercial purposes, the FOIA Office(r) shall respond to a request for public records in one of five ways:
      1. Approve the request in writing within five (5) business days after receipt of the request and either (i) provide the materials immediately, (ii) give notice that the materials shall be made available upon payment of reproduction costs and/or mailing costs, or (iii) give notice of the time and place for inspection of records. When a request is made for a record maintained in an electronic format, the University will produce it in the electronic format specified by the requester, if feasible. If it is not feasible to furnish the records in the specified electronic format, then it shall be furnished in the format in which it is maintained by the University, or in paper format at the option of the requester.
      2. Notify the requester within five (5) business days that either (i) the University does not maintain or possess the documents requested or that the requested documents could not be found after a diligent search and/or (ii) the written request is illegible, incomplete or incomprehensible and must be resubmitted to remedy the identified problem. The University is not obligated to create or maintain a public record solely to respond to a request.
      3. Notify the requester in writing within five (5) business days after receipt of the request that an additional five (5) business days will be necessary to determine a response and provide the requester with the specific reason for the delay consistent with the grounds identified in Section 3(e) of the Act, as well as the date the delayed response will be forthcoming. Where a categorical request creates an undue burden, the University shall send written notification within five (5) business days asking the requester to reduce the request to manageable proportions in accordance with Section 3(g) of the Act.
      4. Approve the request in part and deny it in part, in writing, within five (5) business days after receipt of the request, and notify the requestor of (i) the specific reason why part of the request has been denied, (ii) the University personnel responsible for the decision, and (iii) the availability of the right to review by the Public Access Counselor consistent with Section 9 of the Act.
      5. Deny the request in its entirety within five (5) business days after receipt of the request, and notify the requestor of (i) the specific reason the request has been denied, (ii) the University personnel responsible for the decision, and (iii) the availability of the right to review by the Public Access Counselor consistent with Section 9 of the Act.
         1. A denial of a request for public records shall be made in writing and shall state the reasons for the denial in accordance with either Section 3(g), Section 7, or Section 7.5 of the Act, and include the names and titles of individuals responsible for the decision.  It shall give notice of the requester's right to appeal to the Public Access Counselor of the Illinois Attorney General's Office and provide contact information for the Public Access Counselor.  It shall also inform the requester of the right to judicial review under Section 11 of the Act.  Exemptions expressly articulated under Section 7 or Section 7.5 of the Act are per se exempt from disclosure under the Act.
         2. When a denial of a request is based upon a law other than the Illinois Freedom of Information Act, such as FERPA, the requester shall be notified of the applicable statute and provision in writing.  The University's FERPA policy shall be consulted prior to disclosing any information about a student and that policy is incorporated by reference as if fully stated herein.
         3. When a denial of a request is based upon an express exemption from disclosure under Section 7 or Section 7.5 of the Act, the University shall, where possible, redact the exempt information and make the remaining information available for inspection and copying pursuant to Section 7(1) of the Act.
         4. When a denial is based on the exemptions contained in subsection 7(1)(c) or subsection 7(1)(f) of the Act, the requester and the Public Access Counselor will be notified of the intent to deny the request in whole or in part.  The notice shall include: (i) a copy of the request; (ii) the proposed response from the public body; and (iii) a detailed summary of the public body's basis for asserting the exemption.
         5. Categorical requests creating an undue burden shall be considered denied if the requester refuses the University's invitation to confer about reducing the request to manageable proportions in accordance with Section 3(g) of the Act.
         6. Copies of all denial notices shall be retained by the FOIA office(r) in a single central office file open to the public and indexed according to the type of exemption asserted.  The central office file for Southern Illinois University Carbondale is located at the Budget Office, Room 115 Anthony Hall, Carbondale, IL; Southern Illinois University Edwardsville is located at the Office of the Vice Chancellor for Administration,  Room 2228 Rendleman Hall, Edwardsville, IL; SIU School of Medicine is located at the Office of Human Resources, 327 W. Calhoun, Springfield, IL;, and for matters pertaining to the Board of Trustees or President and their immediate staff, Office of the President, located at the Stone Center, 1400 Douglas Drive, Carbondale, IL.
         7. The failure to respond to a written request within five (5) business days after receipt of request may be treated as a denial by the requester. A failure to respond within five (5) business days after an extension has been exercised may also be treated as a denial by the requester.
6. For FOIA requests made for commercial purposes, the FOIA Office(r) shall respond in one of three ways:
   1. Approve the request in writing within 21 business days after receipt of the request and either provide the records or provide the requester an estimate of the time required by the public body to provide the records requested and an estimate of the fees to be charged, which the University may require to be paid in full before copying the requested documents; or
   2. Deny the request within 21 business days pursuant to one or more of the exemptions set out in the Act and subject to Section 5(A)(5)(a) through (f) of this Policy; or
   3. Notify the requester within 21 business days that the request is unduly burdensome and extend an opportunity to the requester to attempt to reduce the request to manageable proportions.
   Unless the records are exempt from disclosure, the University will comply with a request within a reasonable period considering the size and complexity of the request and giving priority to records requested for non-commercial purposes.

The FOIA Office(r) shall respond to all written request for public records other than requests for commercial purposes, within five (5) business days after receipt of the request, and within 21 business days after receipt of a request for commercial purposes, unless otherwise authorized by this policy or law. The calculation of the time period for response begins on the first business day after the public body receives the request.

1. The initial five (5) business day time limit for non-commercial requests may be unilaterally extended by the University for another five (5) business days for the following reasons:
   1. the requested records are stored in whole or in part at other locations than the office having charge of the requested records;
   2. the request requires the collection of a substantial number of specified records;
   3. the request is couched in categorical terms and requires an extensive search for the records responsive to it;
   4. the requested records have not been located in the course of routine search and additional efforts are being made to locate them;
   5. the requested records require examination and evaluation by personnel having the necessary competence and discretion to determine if they are exempt from disclosure under section 7 or section 7.5 of this Act or should be revealed only with appropriate deletions;
   6. the request for records cannot be complied with by the public body within the time limits prescribed by subsection 3(d) without unduly burdening or interfering with the operations of the public body; or
   7. there is a need for consultation, which shall be conducted with all practicable speed, with another public body or among two or more components of a public body having a substantial interest in the determination or in the subject matter of the request.
2. When additional time is required for any of the reasons identified above, the public body must notify the requester by letter specifying (i) the reason for the delay and (ii) the date when either the records will be released or the denial of the request will be made. This letter must be sent within the original five (5) business day period. The extended time period cannot be longer than five (5) extra business days, and if a response is not made within that extended period, the request may be considered denied by the requester.
3. The requester and the public body may agree in writing to further extend the time for compliance for a period to be determined by the parties.

Generally, public records will be available for inspection at the FOIA offices designated above in Section 3 between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday, except on State holidays and other University closures.

The requestor shall be notified in writing within five (5) business days after receipt of the request when and where the records will be available for inspection.

The University will notify the requester of the availability of the records for inspection within five (5) business days after receipt of the request or as extended pursuant to the Act.

The written notification shall admonish of the requester of the following:

1. Space will be provided for the requester to inspect public records. Upon request, the University shall make whatever reasonable accommodations are necessary to remedy physical obstacles to inspection. Although appointments are not required, appointments are strongly encouraged to ensure record availability when and where the requester appears for inspection.
2. The University reserves the right to have designated personnel present throughout the inspection to maintain the integrity of the public records.
3. A requester shall not be permitted to take briefcases, bags, folders or other similar materials, or pens, into the inspection area.
4. A requester is allowed to take pencils and paper into the inspection area.
5. The requester shall identify and/or segregate during the course of inspection any documents the requester desires to have copied. All copying shall be completed by university employees at the cost specified in these policies.
6. There shall be no fee charged for the inspection of records.

Copies of public records shall be provided to the requester only upon payment of any fees that are due. There shall be no fee charged, however, for the University's cost of searching and reviewing the requested records. The availability of the record and the amount of the fee being charged shall be communicated to the requester within five (5) business days of receipt of the request, unless more time is authorized under the Act or this Policy.

1. Fees for copies of public records shall be assessed in accordance with Section 6 of the Act. A schedule of fees shall be available in each of the University's FOIA offices as required by Section 4 of the Act.
2. Fees may be reduced or waived if the requester satisfies the criteria set forth in Section 6(c) of the Act and specifies a public purpose upon which the request is based. Fees may also be waived for good cause at the discretion of the FOIA Office(r).
3. No fees will be charged for the first 50 pages of black and white, letter or legal sized copies. The charge for copying after the first 50 pages is $0.15 per single-sided letter or legal sized page, with an additional charge of $1.00 per document if certification of the document is requested. Microfilmed records are charged at a rate of $0.15 per single-sided paper page produced. If the records requested cannot be copied on the university's standard office copying equipment, or if the copies provided are in color or in a size other than letter or legal sized paper, the requester will be charged the actual costs incurred by the university.
4. Fees shall be waived if the requester is a State agency, a constitutional officer, or member of the General Assembly.
5. Payment shall be made by cash, check, or money order payable to the Southern Illinois University, and mailed or hand delivered to the FOIA Office(r).
6. If the requester is unwilling or unable to pick up the copies of requested records at the University's offices, the requester shall incur the costs of mailing or shipping the requested materials.
7. In accordance with federal law and/or regulations governing copyright, the University will not provide copies of records protected by copyright without (i) a written authorization or proof of a license from the copyright holder of record or (ii) a copyright acknowledgement signed by the requester attesting that the copied materials will not be used for any purpose other than personal use, private study, scholarship or research.

If a person's request for public records has been denied in whole or in part by the FOIA Office(r), that person may file a request for review with the Public Access Counselor of the Attorney General's Office no later than 60 days after the date of the denial. The request for review must be in writing, signed by the requester, and include (i) a copy of the request for access to records and (ii) any responses from the public body.

A person whose request has been denied by the University may file suit for injunctive or declaratory relief pursuant to Section 11 of the Act, in either the circuit court where the University's principal office is located or where the person denied access resides. All communications involving litigation and/or a court summons arising out of a denied request under the Act shall be transmitted to the President's Office, Chancellor's Office, or the Provost and Dean's Office as appropriate immediately upon receipt.

1. Policy Adoption
   
   Southern Illinois University ("University") developed this Identity Theft Prevention Policy ("Policy") pursuant to the Federal Trade Commission's ("FTC") Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This Policy was developed with oversight and approval of the Audit Committee. This Policy will be presented to the Southern Illinois University Board of Trustees for approval at the May 7, 2009 meeting.
2. Purpose
   
   The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a Covered Account or an existing Covered Account, as defined in section III, and to provide continued administration of the program in compliance with 16 C.F.R. Part 681. This Policy enables Southern Illinois University, in its capacity as a creditor to protect existing consumers, reduce risk from identity fraud, and minimize potential damage from fraudulent new accounts with the least possible impact on business operations. This Policy applies to business practices used by employees when conducting business activity relating to a Covered Account. In order to obtain these objectives Southern Illinois University will:
   
   
   • Identify risks that signify potentially fraudulent activity within new or existing Covered accounts;
   • Detect risks when they occur in Covered accounts;
   • Respond to risks to determine if fraudulent activity has occurred and act if fraud has been attempted or committed; and
   • Update procedures periodically, including reviewing the accounts that are Covered and the identified risks that are part of the program.
3. Definitions and Program
   
   Red Flags Rule Definitions Used in this Program: “Identity Theft” is a “fraud committed or attempted using the identifying information of another person without authority.” A “Red Flag” is a “pattern, practice, or specific activity that indicates the possible existence of Identity Theft.” A “Covered Account” is a ‘continuing relationship established to provide a financial product or service' and includes all consumer accounts or loans that are administered by the University. “Program Administrator” is the individual designated with primary responsibility for oversight of the program. “Identifying information” is “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including: name, address, telephone number, social security number, date of birth, driver's license, student identification number, or network ID.
4. Administration of the Policy
   
   The Board of Trustees shall be responsible for establishing the Policy. Responsibility for implementation and oversight of the Policy is delegated to the chancellor, or his/her designee, at each campus.

Acknowledgement: Because many universities have been involved in drafting Identity Theft Protection Policies to be incompliance with changes in the laws, these policies may look similar. This policy was developed in accordance with Sections 114 and 315 of the Fair and Accurate Credit Transactions Act, the Fair Credit Reporting Act, and the Federal Trade Commission regulations and guidelines (16 CFR Part 68). Additionally, several other university policies were reviewed in creating this policy including: Purdue University, UCLA University, and Kalamazoo College.

It is the policy of Southern Illinois University to invest funds in a manner which will provide investment returns and security consistent with good business practices, while meeting the daily cash flow demands of the University, and conforming to all statutes governing the investments of funds. Funds of Southern Illinois University will be invested in accordance with the provisions of the Illinois Compiled Statutes, Chapter 30, Sections 235/0.01 ‑ 235/8, "The Public Funds Investment Act", the Policies of the Board of Trustees of Southern Illinois University, and covenants provided from the University's bond and Certificate of Participation issuance activities.

As provided in Illinois Compiled Statutes, Chapter 30, Sections 225 "The Public Funds Deposit Act," public funds of the University will be deposited in savings and loan associations, savings bank, or State or national banks in Illinois. 

A. Overall Risk Profile

The three basic objectives of Southern Illinois University's Investment Program are:

1. Safety of invested funds;
2. Maintenance of sufficient liquidity to meet cash flow needs;
3. Attainment of the maximum investment returns possible consistent with the first two objectives.

The achievement of these objectives shall be accomplished in the manner described below:

1. Safety of Invested Funds

The University will insure the safety of its invested funds by limiting credit and interest rate risks.  Credit risk is the risk of loss due to the failure of the security issuer or backer to meet promised interest or principal payments on required dates.  Interest rate risk is the risk that the market value of portfolio securities will fall or rise due to changes in general interest rates.  The physical security of the University's investments is also an important element of safety.  Detailed safekeeping requirements are defined in Section IV of this policy.

a. Credit risk will be mitigated by:

i) Limiting investments to those specified in the Illinois Public Funds Investment Act, which prohibits investment in corporate bonds with maturity dates longer than 270 days from the date of purchase;
ii) Prequalifying the financial institutions with which we will do business; and
iii) Diversifying the investment portfolio so that the failure of any one issue or backer will not place an undue financial burden on the University.

b. Interest rate risk will be mitigated by:

i) Maintaining significant balances in cash equivalent and other short maturity investments as changing interest rates have limited impact on these securities’ prices;
ii) Establishing maturity diversification targets, as outlined in section B below, that are consistent with the expected cash flows of the University.

2. Liquidity

The University's investment portfolio will be structured in such a manner that securities mature at the same time as cash is needed to meet anticipated demands. Additionally, since all possible cash demands cannot be anticipated, the portfolio should consist largely of securities with active secondary or resale markets.

3. Investment Returns

Investment returns on the University's investment portfolio is a priority after the safety and liquidity objectives described above. Investments are limited to relatively low risk securities in anticipation of earning a fair return relative to the risk being assumed. 

B. Maturity Diversification

The University's investment portfolio will be structured to provide that sufficient funds from investments are available every month to meet the University's anticipated cash needs.  Subject to the safety provisions outlined above, the choice in investment instruments and maturities will be based upon an analysis of anticipated cash needs, existing and anticipated revenues, interest rate trends, and specific market opportunities.

Based on a review of the University’s cash flows, assets (excluding debt financing funds) will be invested according to the following schedule:

The Treasurer will manage the investments to fall within the maturity ranges and target balances as listed in the table above.  However, circumstances may occur that cause the allocations to temporarily fall outside the prescribed ranges.

C. Definition of Funds

Funds for the purpose of this policy are all University funds which are available for investment at any one time.  Funds include those in the University's general operation and debt financing activities.

D. Prudence

Investments shall be made with judgement and care ‑ under circumstances then prevailing ‑ which persons of prudence, discretion and intelligence exercise in management of their own affairs, not for speculation but for investment, considering the probable safety of their own capital as well as the probable income to be derived.

The standard of prudence to be used by investment officials shall be the "prudent person" standard and shall be applied in the context of managing an overall portfolio. 

II. INVESTMENTS

This section of the Investment Policy identifies the types of instruments in which the University may invest its funds.

A. Eligible Securities

Southern Illinois University will make investments under the Public Funds Investment Act (Illinois Compiled Statutes Chapter 30, sections 235/0.01 ‑ 235/8).  This affords the University a number of investment opportunities including:

• • • Securities of the United States of America, its agencies, and its instrumentalities;
    • Interest bearing savings accounts, certificates of deposit, interest bearing time deposits, other direct obligations of any bank defined in the Illinois Banking Act;
    • Certain short term obligations of U.S. Corporations rated in the highest rating classification by at least two standard rating services provided such obligations do not mature in longer than 270 days from the time of purchase and the issuing entity has at least $500 million in assets (limited to 33% of portfolio);
    • Money market mutual funds provided they are comprised of only U.S. Treasuries, Agencies, and instrumentalities;
    • Public Treasurer's Investment Pool‑State Treasurer's Office;
    • Repurchase agreements of Government securities;
    • Other specifically defined repurchase agreements.

B. Diversification

Southern Illinois University will diversify its investments by security type, issue and maturity in order to reduce overall portfolio risks while striving to meet or exceed the benchmark average rate of return.  Obligations of the United States of America, its agencies, and its instrumentalities are eligible without limit.  No more than one-third of Southern Illinois University’s funds may be invested in short term obligations of corporations.

C. Collateralization Requirements

In accordance with the State Finance Act (30 ILCS 105/6a-1), deposits that exceed the amount of federal deposit insurance coverage shall be collateralized using eligible securities as listed in the Deposit of State Moneys Act (15 ILCS 520/11).  The collateral for various investments shall be held by third parties or in a separate trust department of a participating bank.    The collateralization level must be in an amount equal to at least market value of that amount of funds deposited exceeding the insurance limitation provided by the Federal Deposit Insurance Corporation or the National Credit Union Administration or other approved share insurers.

D. Release of Collateral 

Only the Treasurer and his designees shall be authorized to release securities pledged as collateral.  All requests for the release of collateral shall be confirmed in writing.

E. Confirmation

Receipts for confirmation of purchase of authorized securities should include the following information:  trade date, par value, rate, price, yield, settlement date, description of securities purchased, agency's name, net amount due, and third party custodial information.  These are minimum information requirements.

F. Pooling

The University will pool all operating cash for investment purposes to provide for efficiencies and economies in their management.  Proceeds related to revenue bond and certificate of participation financing activities will be pooled to the extent allowed under the covenants.

   III. SELECTION OF INVESTMENT ADVISORS, INVESTMENT MANAGERS, AND FINANCIAL INSTITUTIONS

A. Investment Advisors and Investment Managers

Investment advisors and investment managers who manage University funds must be registered with the Securities and Exchange Commission and carry adequate levels of insurance. The University will annually send a copy of the Investment Policy to investment advisors and investment managers who manage University funds. The University will follow the State’s Procurement Policy when issuing public Requests For Proposal in selecting its advisors and managers.

B. Qualification of Brokers, Dealers, and Financial Institutions

The University will only transact business with banks, savings and loan associations, and broker dealers who have been approved by the University. 

IV. INTERNAL CONTROL PROCEDURES

A. Purchase of Securities

The Treasurer will delegate authorization to purchase investment securities to employees, as needed.  A list of these authorized employees will be provided to each investment broker/dealer.  A confirmation of the purchase of authorized securities will be provided to the Treasurer.  All security transactions will be conducted “delivery versus payment.”

On occasion, there will be a need for the Treasurer to delegate authorization to a third party to purchase securities on behalf of the University. In these instances, a one-time delegation will be executed that clearly states the type of security, the amount to be purchased, the maturity date, and the purchase date. 

B. Safekeeping of Assets

All securities (except collateral) owned by the University will be held by its safekeeping agents.  The University will contract with a bank or banks for the safekeeping of securities which are owned by the University as a part of its investment portfolio or which have been transferred to the University under the terms of any repurchase agreements. Safekeeping reports shall be provided. 

C. Sale of Securities

The Treasurer will delegate authorization to initiate the sale of investment securities to employees, as needed.  A list of these authorized employees will be provided to each broker/dealer.  The proceeds of all sales transactions will be deposited into a University account.

D. Wire/ACH Transactions

Where possible, the University will use repetitive wire transfers and preformatted ACH transfers to restrict the transfer of funds to preauthorized accounts only.  When transferring funds to an account using a non-repetitive wire or a non-preformatted ACH transfer, the bank is required to call back a second pre-established employee for confirmation that the transfer is authorized.

   V. STRUCTURE AND RESPONSIBILITY

This section of the Policy defines the overall structure of the investment management program.

A. Responsibilities of the Finance Committee of the Board of Trustees 

The Finance Committee of the Board of Trustees will, upon recommendation of the Treasurer: 

• 1. review and recommend to full Board a written investment policy, consistent with the requirements of the Public Funds Investment Act including:

a. the definition of maturity ranges;
b. the allocation of funds;
c. the setting of benchmarks for evaluating investment performance.

2.  review quarterly investment reports.

3. approve the selection and assess the performance of investment managers.

B. Responsibilities of the Treasurer

The Treasurer is appointed by the Board of Trustees and is chief custodian of all funds held in the name of the Board of Trustees.  The Treasurer is responsible for recommending, as necessary, financial policies and procedures to ensure compliance with State and Federal laws, Board Policies and University Guidelines.  Investment oversight and banking relations are also responsibilities of the office. The Treasurer is responsible for providing the President and Board a quarterly report of cash and investment activities.

C. Investment Managers

The investment managers are accorded full discretion, within the limits set forth in this Statement of Investment Policy and investment guidelines, to (1) select individual securities, (2) adjust the maturity mix, where applicable, and (3) diversify their portfolios so as to limit the impact of large losses in individual investments on the total portfolio.

The investment managers will provide the Treasurer with a monthly report of investment activity and investment performance.

D. Ethics and Conflicts of Interest

Officers, employees and agents, including, but not limited to, investment managers, involved in the investment process shall refrain from personal business activity that conflicts with the proper execution of the investment program, or impairs their ability to make impartial investment decisions. They shall disclose any material financial interests that could be related to the performance of the University's investment portfolio. They shall also comply with all applicable Federal and State laws governing ethics and conflict of interest.

    VI. PERFORMANCE EVALUATION

The Treasurer will perform periodic reviews of the cash and investment activity to ensure that the safety, liquidity and performance of the investment portfolio is appropriate.

The Treasurer will provide a quarterly report of cash and investment activity to the President and Board of Trustees.

The Finance Committee of the Board of Trustees will review the performance of each portfolio and Total Fund relative to appropriate benchmarks on a quarterly basis.

The following benchmarks are currently being utilized: