Union Theological Seminary in the City of New York was founded in 1836 and incorporated in 1839 under a charter granted by the Legislature of the State of New York. Its programs are registered by the New York State Education Department.
Union Theological Seminary is accredited by the Commission on Accrediting of the Association of Theological Schools. The following degree programs are approved: M.Div., M.A., S.T.M., Ph.D. In addition, Union is accredited by the Middle States Commission on Higher Education.
To view Union Theological Seminary’s Title IX Policy (Revised Aug. 2020), click here*.
To view Union Theological Seminary’s Anti-Discrimination and Harassment Policy, click here.
*Revised August 2020
Commission on Accrediting of the Association of Theological Schools
For information regarding tuition costs, financial aid eligibility, types of loans, and withdrawals, please consult the Financial Aid page.
& Fire Safety Reports
Institutions of higher education are required by federal law to publicly disclose campus crime and fire statistics. Your personal safety and the security of the campus community are of vital concern to Union Theological Seminary. The annual security report is available below. The report includes statistics for the most recent three-year period concerning reported crimes that occurred on campus, in certain off-campus buildings or property owned or controlled by Union, and on public property within or immediately adjacent to and accessible from the campus. It also includes the previous year’s fire statistics of incidents in dormitories. This site also contains links to information regarding the local law enforcement department (26th precinct), and more on Union’s policies concerning campus security and the reporting of any crimes which may occur on the campus is forthcoming.
Related Link: http://maps.nyc.gov/crime/
Student's Right to Know (Consumer Information)
Contact Information for Assistance in Obtaining Institutional or Financial Aid Information
General Institutional Information
- Mission and Vision
- Academic Programs
- Financial Aid Information
- Services for Students with Disabilities: Services are handled via the Associate Dean for Student Affairs’ office, Student Handbook, pp. 19-22
- Student Diversity: Student Handbook, Policy of Non-Discrimination, p. 80 Also, our College Navigator entry
- Price of Attendance
- Refund Policy for Financial Aid: See R2T4 policy and Student Handbook, pp. 14-15
- Textbook Information: Union does not have a bookstore and encourages students to find textbooks at a low cost via a local bookstore or via Amazon.com. Required readings for courses are found on course reserve at the Burke Library, which is part of the Columbia University Libraries system
- Educational Programs
- Transfer of Credit Policy (no articulation agreements)
- Plagiarism Policy (Copyright Infringement): Student Handbook, pp. 11-12
- Computer Use and File Sharing: Student Handbook, Community Expectations, pp. 80-90
- Student Activities (Student Senate): Student Handbook, pp. 91-101
- Career and Job Placement Services: Coordinated via the Field Education Office and Associate Dean for Student Affairs’ Office. Student newsletter with job openings sent weekly during academic year and monthly in summer.
Student Financial Assistance
Student Handbook, pp. 31-36
2. Federal Student Financial Aid Penalties for Drug Law Violations: Student Handbook, pp. 24-30
3. Student Loan Information
Health & Safety
- Drug and Alcohol Abuse Prevention Program: Student Handbook, pp. 24-30
- Vaccination Policies: part of orientation
- Campus Security Policies, Crime Statistics and Crime Log: Student Handbook, pp. 45-76
- Annual security and fire safety reports
- Fire Safety Policies, Fire Statistics and Fire Log (On-Campus Housing Facilities): Student Handbook, pp. 45-76 Student Handbook
- Graduation Rates:
- Graduation Rate by Degree Program 2017
- MDiv (degree completed within 6 years): 93.75%
- MA (degree completed within 4 years): 75% (some of our MA students change to the MDiv degree)
- STM (degree completed within 2 years): 83.33%
- PhD (degree completed within 8 years): 33.33% (some of our PhD students need more than 8 years to complete their degree)
- Years to Completion for 2017 graduates
|2 to <3||2||16||1||0|
|3 to <4||26||1||0||2|
|4 to <5||7||0||0||1|
|5 to <6||2||1||0||1|
3. Job Placement Rates for Graduates 2015/2016
Student Learning Outcomes
|Entrance Questionnaire (2015)||MPR SAS (2017)||MRP FR (2017)||FSAS (2018)||FAR (2018)|
|The student demonstrates an …||n=46||n=40||n=40||n=37||n=38|
|1.1. Ability to identify, describe, analyze, and interpret biblical texts in their literary, historical, and multi-religious contexts.||2.63||3.6||3.65||3.95||4.08|
|1.2. Ability to identify, to describe, and to discuss significant periods, persons, and developments in the history of the Christian traditions(s).||2.39||3.17||3.38||3.76||4.11|
|1.3. Ability to recognize, explain, and to critically evaluate major theological themes, issues, and perspectives in Christian thought.||2.67||3.65||3.47||4.19||4.05|
|2.1. Awareness of and ability to substantively engage the thought and practices of other religious traditions [in reflection on the texts, history, theology or practices of the Christian tradition(s)].||2.59||3.17||2.95||3.95||4.24|
|3.1. Ability to work with persons of diverse backgrounds, to learn from differences, and to articulate one’s own cultural and social perspectives with acknowledgment of their limitations.||3.98||3.98||3.79||4.54||4.32|
|3.2. Ability to articulate contextually informed and world-engaged theological perspectives.||2.67||3.55||3.26||4.16||4.05|
|3.3. Ability to analyze and address contemporary ethical Issues from Christian and Interreligious perspectives.||2.96||3.33||2.87||4.22||4.03|
|4.1. Ability to incorporate the arts, cultural diversity, international and/or socio-economic dimensions of New York City into theological reflection.||2.7||3.35||3.1||3.84||3.53|
|5.1. Familiar with, informed about, and able to utilize traditional and contemporary forms of prayer, worship, and spiritual practices from Christian and /or other faith traditions for personal spiritual growth.||3.41||3.75||3.33||4.08||3.68|
|6.1. Familiar with, informed about, and able to utilize traditional and contemporary forms of prayer, worship, and spiritual practices from Christian and/or other faith traditions for the spiritual formation of others||2.78||3.25||3||3.84||3.75|
|7.1. Development of a vision of professional identity that is connected to the student’s abilities, aspirations, and faith tradition.||3.22||3.67||3.35||4.3||4.21|
|7.2 Development of a theologically and professionally informed model and style of ministry within particular ministerial contexts||2.39||3.25||3.08||4.27||4.11|
|8.1. Development of interpersonal insight and an ability to listen actively, communicate effectively, and to interact with others with honesty, empathy, compassion, and respect.||3.98||4.08||3.79||4.51||4.34|
|9.1. Ability to represent and lead a community or organization in and through public and communal contexts such as worship, preaching, congregational pastoral care, advocacy, teaching, written communication, and/or public speaking.||2.98||3.42||3.18||4.24||4.05|
|10.1. Ability to make accessible for particular congregations and communities interpretations of sacred texts that are based on the application of sound exegetical methods and principles.||2.26||3.2||2.95||3.95||3.97|
|Entrance Questionnaire (2016)||FSAS (2018)||FAR (2018)|
|RELIGIOUS HERITAGE||The student demonstrates an …||n=23||n=15||n=16|
|1. To develop a broad, critical understanding of Christian Traditions in their scriptural foundations, historical developments, and theological perspectives.||1.1. Ability to identify, describe, analyze, and interpret biblical texts in their literary, historical, and multi-religious contexts.||2.74||3.93||3.75|
|1.2. Ability to identify, to describe, and to discuss significant periods, persons, and developments in the history of the Christian traditions(s).||2.52||3.6||3.44|
|1.3. Ability to recognize, explain, and to critically evaluate major theological themes, issues, and perspectives in Christian thought.||2.83||n/a||3.31|
|2. To cultivate inter-religious awareness and deepen understanding of the Christian heritage through substantive engagement with the thought and practices of traditions other than Christianity||2.1. Awareness of and ability to substantively engage the thought and practices of other religious traditions [in reflection on the texts, history, theology or practices of the Christian tradition(s)].||2.48||3.73||3.63|
|3. To develop competencies in understanding social and cultural contexts that are significant for contemporary theology, the life of the church, and the promotion of justice in the world.||3.1. Ability to work with persons of diverse backgrounds, to learn from differences, and to articulate one’s own cultural and social perspectives with acknowledgement of their limitations.||3.83||4.47||4.13|
|3.2. Ability to articulate contextually informed and world-engaged theological perspectives.||3||3.93||4|
|3.3. Ability to analyze and address contemporary ethical Issues from Christian and Interreligious perspectives.||3.09||4.27||4.13|
|4. To enrich theological work by incorporating the arts and cultural diversity of New York City.||4.1. Ability to incorporate the arts, cultural diversity, international and/or socio-economic dimensions of New York City into theological reflection.||2.22||3.33||3.25|
|5. To attain competency in the student’s chosen concentration in preparation for further graduate studies, teaching, or for application in public, organizational, and non-academic contexts.||5.1 Ability to identify, describe, discuss, employ, communicate, and apply the sources, norms, methods, substantive content, and literature of the student’s chosen theological discipline||2.61||4.47||4.19|
|5.2 Capacity to integrate specialized competency in the student’s chosen concentration within theological reflection that is both informed by and applicable to contemporary issues and contexts||n/a||n/a||n/a|
|6. To attain competency in academic research and writing skills.||6.1 Ability to locate and to utilize relevant primary and secondary sources and relevant data for critical and constructive work in the student’s chosen concentration.||2.91||4.27||4|
|6.2 Ability to write a thesis-driven essay within the student’s chosen concentration that is clearly written, cogently argued, and sufficiently substantiated with properly cited references to scholarly resources||3||4.53||4|
|7. [track 1] To attain proficiency in a modern language (and in the case of the biblical concentration, a working knowledge of Hebrew and/or Greek). Required language varies by discipline so difficult to measure on assessment instruments; data reflected on student transcripts||7.1 Ability to read and accurately translate texts in French, German, or Spanish (and for biblical studies concentrators, in Hebrew or Greek)||n/a||n/a||n/a|
|FAR 2016||FSAS 2017||FAR 2017||FSAS 2018||FAR 2018|
|To what degree do you believe that you have achieved an advanced level of knowledge and understanding in your area of focused study?||3.5||3.6||3||3.56||3.5|
|Rate your ability to read and accurately translate texts in each of the following languages; required languages vary by discipline; student transcripts include data re. languages||n/a||n/a||n/a||n/a||n/a|
|FAR=Final Assessment Report (completed by advisor)|
|FSAS=final self-assessment survey (completed by student)|
5=very high degree
Use of Links
Throughout our Web pages, we provide links to other servers which may contain information of interest to our readers. We take no responsibility for, and exercise no control over, the organizations, views, or accuracy of the information contained on other servers.
Use of Text & Images
If you would like to publish information that you find on our Web site, please send your request to firstname.lastname@example.org. Where text or images are posted on our site with the permission of the original copyright holder, a copyright statement appears at the bottom of the page.
This Web site is designed to be accessible to visitors with disabilities, and to comply with federal guidelines concerning accessibility. We welcome your comments. If you have suggestions on how to make the site more accessible, please contact us at email@example.com.
We have created this statement in order to demonstrate our firm commitment to your privacy. We do not collect personally identifying information about you when you visit our site, unless you choose to provide such information to us. Providing such information is strictly voluntary. This policy is your guide to how we will handle information we learn about you from your visit to our Web site.
Reading or Downloading
We collect and store only the following information about you: the name of the domain from which you access the Internet (for example, aol.com, if you are connecting from an America Online account, or princeton.edu if you are connecting from Princeton University’s domain); the date and time you access our site; and the Internet address of the Web site from which you linked to our site.
We use the information we collect to measure the number of visitors to the different sections of our site, and to help us make our site more useful to visitors.
Online Profile Updates & Donations
If you complete the Profile update form and share your personally identifying information, this information will be use only to provide you with more target content. We may use your contact information to send further information about our organization or to contact you when necessary. You may opt-out of receiving future mailings; see the “Opt Out” section below.
You also may decide to send us personally identifying information, for example, in an electronic mail message containing a question or comment, or by filling out a Web form that provides us this information. We use personally identifying information from email primarily to respond to your requests. We may forward your e-mail to other employees who are better able to answer you questions. We may also use your email to contact you in the future about our programs that may be of interest.
We want to be very clear: We will not obtain personally identifying information about you when you visit our site, unless you choose to provide such information to us. Providing such information is strictly voluntary. Except as might be required by law, we do not share any information we receive with any outside parties.
If you sign up for one of our email lists, we’ll only send you the kinds of information you’ve requested. We won’t share your name or email address with any outside parties.
Kids & Privacy
For children who visit our site, special rules apply. We do not request personal information about children, such as first and last name or street address and city. When kids send email to us, their online contact information (email address) is not used to re-contact them and is not maintained in retrievable form.
Opting Out or Changing Contact Info
Our site provides users the opportunity to opt-out of receiving communications from through a special online form. You may choose to receive only specific communications or none at all. You may also update your contact information previously provided to us through another online form. You can not remove yourself from our database, but you can prevent unwanted communication.
Data Classification Guidelines
The purpose of this Guideline is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the University as required by the University’s Information Security Policy. Classification of data will aid in determining baseline security controls for the protection of data.
This Policy applies to all faculty, staff and third-party Agents of the University as well as any other University affiliate who is authorized to access Institutional Data. In particular, this Guideline applies to those who are responsible for classifying and protecting Institutional Data.
Confidential Data is a generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with sensitive data.
A Data Steward is a senior-level employee of the Seminary who oversees the lifecycle of one or more sets of Institutional Data.
Institutional Data is defined as all data owned or licensed by the University.
Non-public Information is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.
Sensitive Data is a generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with confidential data.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the Seminary should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:
|Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.|
|Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.|
|Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.|
Classification of data should be performed by an appropriate Data Steward. Data Stewards are senior-level employees of the Seminary who oversee the lifecycle of one or more sets of Institutional Data. See Information Security Roles and Responsibilities for more information on the Data Steward role and associated responsibilities.
Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student’s name, address and social security number, the data collection should be classified as Restricted even though the student’s name and address may be considered Public information.
On a periodic basis, it is important to reevaluate the classification of Institutional Data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. This evaluation should be conducted by the appropriate Data Steward. Conducting an evaluation on an annual basis is encouraged; however, the Data Steward should determine what frequency is most appropriate based on available resources. If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.
The goal of information security is to protect the confidentiality, integrity and availability of Institutional Data. Data classification reflects the level of impact to the University if confidentiality, integrity or availability is compromised.
There is no perfect quantitative system for calculating the classification of a particular data element. In some situations, the appropriate classification may be more obvious, such as when federal laws require the University to protect certain types of data (e.g. personally identifiable information). If the appropriate classification is not inherently obvious, consider the security objective as it pertains to each data set.
Data Security Rider
This contract rider must be added to all contracts with any service provider (also known as “vendor” and “data processor”), if the service provider, in connection with its services creates, obtains, accesses (via records, systems, or otherwise), receives from or on behalf of Union Theological Seminary or uses in the course of its performance of the contract UTS restricted data which includes, but is not be limited to:
- Social Security numbers,
- Credit card numbers, data protected by the Payment Card Industry Data Security Standard (PCI DSS), or other financial account information,
- Data protected by the Family Educational Rights and Privacy Act, as set forth in 20 U.S.C. §1232g (“FERPA”),
- Data protected by the Gramm-Leach-Bliley Act (GLBA), Public Law No: 106-102, or data protected by any other applicable federal or state law or regulation.
- If Protected Health Information (PHI) as defined by HIPAA is being accessed, a Business Associate Agreement is required. Contact the university Director of Privacy for assistance.
UTS represents that it has necessary rights to provide the Covered Data and Information (CDI) to the vendor for the processing to be performed in relation to the services. The service provider agrees to the terms of this contract rider.
Data Definition: Covered data and information (CDI) includes paper and electronic data classified as “Restricted”, or otherwise sensitive data as defined by the Union Theological Seminary. This includes information supplied by the university or any individuals to the service provider.
Security Standards: UTS will determine the scope, purposes, and manner by which the CDI may be accessed and processed by the vendor. The vendor will process the CDI only as set forth in UTS’s written instructions. All of the service provider’s systems storing or processing CDI must comply with federal, state and local laws concerning data privacy, UTS’s Data Governance and Classification Policy, Vendor Minimum Safeguards, and where applicable, the European Union‘s General Data Protection Regulation (GDPR).
Service provider shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted CDI received from, or on behalf of university or any individuals. The service provider will extend these security standards obligations to all subcontractors by contract.
- Service provider must supply documentation of compliance with any applicable laws and regulations upon request.
- All systems and applications shall undergo vulnerability assessments, such as testing patch level, password security, and application security in accordance with industry best practices, or will provide reports upon request if conducted by a third party.
- Service provider agrees to allow UTS to perform regular pen testing/vulnerability scans (operating system, patch, and application) in accordance with industry best practices.
- Routine event monitoring will be performed by the service provider; the service provider will immediately identify events related to unauthorized activity and unauthorized access.
- Service provider shall agree to forward unmodified system (and other appropriate) logs to the UTS Director of Technology.
- The service provider shall agree to undergo regular security audits, preferably by certified third parties, occurring at least annually, and any identified issues must be resolved within 90 days of the audit report. UC may demand written proof of this audit at any time during the term of the contract.
- All services gathering Restricted data, or otherwise sensitive data as defined by UTS’s policies must utilize secure communication methods, such as TLS, and use a certificate from anapprovedindependentauthority.
- All file transmissions involving CDI, or otherwise sensitive data as defined by the seminary, must utilize secure communication methods; for example, TLS, SSH, SFTP.
- Service provider agrees to allow the use of Shibboleth authentication (or comparable authentication mechanism with seminary approval) if and when appropriate as requested by the university.
- Physical access to facilities where data is stored, whether production or backup, must reside within the continental United States. Any damage or unauthorized access to facilities must be reported to UC within 24 hours of its discovery. If any unauthorized access to UC’s CDI occurred, the service provider must consult with UC officials before notifying those affected by the unauthorized access.
Acknowledgment of Access to CDI: Service provider acknowledges that the Agreement allows the service provider access to CDI. Data access shall be limited to those with a “need to know” and controlled by specific individual(s). As required by law, at no time will UTS data be physically or logically accessible to a foreign national. The service provider must have procedures and solutions implemented to prevent unauthorized access, and the procedures will be documented and available for UTS to review upon request. All of the service provider’s employees with access to UTS’s CDI must be identified with names provided to the university upon request.
Prohibition on Unauthorized Use or Disclosure of CDI: Service provider agrees to hold CDI in strict confidence. Service provider shall not use or disclose CDI received from or on behalf of UTS (or any individuals) except as permitted or required by the Agreement, as required by law, or as otherwise authorized in writing by UTS. Service provider agrees not to use CDI for any purpose other than the purpose for which the disclosure was made.
International Data Transfers: In accordance with GDPR Article 44, Processor shall rely on a Valid Transfer Mechanism to transfer Personal Data for Processing (whether performed by Processor or by a Subprocessor) from the European Economic Area to another country.
Retention, Return or Destruction of CDI: Upon termination, cancellation, expiration or other conclusion of the Agreement, service provider shall return all CDI to UTS or, if return is not feasible, destroy any and all CDI. Destruction of CDI shall be carried out in accordance with UTS’s data retention policies. UC shall approve the method of data destruction prior to destruction. If the service provider destroys the information, the service provider shall provide UC with a certificate confirming the date and method of destruction of the data.
Maintenance of the Security of Electronic Information: Service provider shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted CDI received from, or on behalf of UTS or its students. These measures will be extended by contract to all subcontractors used by service provider.
Reporting of Unauthorized Disclosures or Misuse of Covered Data and Information: Service provider shall, within one day of discovery, report to UTS any use or disclosure of CDI not authorized by this Agreement or in writing by university. Service provider’s report shall identify:
- The nature of the unauthorized use or disclosure,
- The CDI used or disclosed,
- Who made the unauthorized use or received the unauthorized disclosure,
- What service provider has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure,
- The corrective action service provider has taken or shall take to prevent future similar unauthorized use or disclosure,
- Service provider shall provide such other information, including a written report, as reasonably requested by UTS.
Remedies: If UTS reasonably determines in good faith that service provider has materially breached any of its obligations under this contract, UTS , in its sole discretion, shall have the right to require service provider to submit a plan of monitoring and reporting; provide service provider with a fifteen (15) day period to cure the breach; or terminate the Agreement immediately if cure is not possible. Before exercising any of these options, UTS shall provide written notice to service provider describing the violation and the action it intends to take. Service provider shall defend and hold UTS harmless from all claims, liabilities, damages, or judgments involving a third party, including UTS’s costs and attorney fees, which arise as a result of service provider’s failure to meet any of its obligations under this contract. Nothing in this paragraph limits any other remedies available to UTS.
Note: Inclusion of data provided by individuals into the terms of the contract will depend upon the contract and may not be needed.
Acceptable Use of Information Technology Resources
Computers and other information technology resources are essential tools in accomplishing the Union Theological Seminary’s mission. Information technology resources are valuable assets to be used and managed responsibly to ensure their integrity, confidentiality, and availability for appropriate research, education, outreach and administrative objectives of the institution. Community members are granted access to these resources in support of accomplishing the stated mission.
All users of information technology resources, whether or not affiliated with the Seminary, are responsible for their appropriate use, and by their use, agree to comply with all applicable Seminary policies; federal, state and local laws; and contractual obligations. These include but are not limited to information security, data privacy, commercial use, and those that prohibit harassment, theft, copyright and licensing infringement, and unlawful intrusion and unethical conduct.
Union Theological Seminary accepts no responsibility or liability for any personal or unauthorized use of its resources by users.
Acceptable use includes, but is not limited to, respecting the rights of other users, avoiding actions that jeopardize the integrity and security of information technology resources, and complying with all pertinent licensing and legal requirements. Users with access to Union Theological Seminary’s information technology resources must agree to and accept the following:
- Only use information technology resources they are authorized to use and only in the manner and to the extent authorized. Ability to access information technology resources does not, by itself, imply authorization to do so.
- Only use accounts, passwords, and/or authentication credentials that they have been authorized to use for their role at the Seminary.
- Protect their assigned accounts and authentication (e.g., password, and/or authentication credentials) from unauthorized use.
- Only share data with others as allowed by applicable policies and procedures, and dependent on their assigned role.
- Comply with the security controls on all information technology resources used for school business, including but not limited to mobile and computing devices, whether seminary or personally owned.
- Comply with licensing and contractual agreements related to information technology resources.
- Comply with intellectual property rights (e.g., as reflected in licenses and copyrights).
- Accept responsibility for the content of their personal communications and may be subject to any personal liability resulting from that use.
Unacceptable use includes and is not limited to the following list. Users are not permitted to
- Share authentication details or provide access to their seminary accounts with anyone else (e.g., sharing the password).
- Circumvent, attempt to circumvent, or assist another in circumventing the security controls in place to protect information technology resources and data.
- Knowingly download or install software onto seminary’s information technology resources, or use software applications, which do not meet University security requirement, or may interfere or disrupt service, or do not have a clear business or academic use.
- Engage in activities that interfere with or disrupt users, equipment or service; intentionally distribute viruses or other malicious code; or install software, applications, or hardware that permits unauthorized access to information technology resources.
- Access information technology resources for which authorization may be erroneous or inadvertent.
- Conduct unauthorized scanning of information technology resources.
- Engage in inappropriate use, including but not limited to:
- Activities that violate state or federal laws, regulations, or University policies.
- Widespread dissemination of unsolicited and unauthorized electronic communications.
- Engage in excessive use of system information technology, including but not limited to network capacity. Excessive use means use that is disproportionate to that of other users, or is unrelated to academic or employment-related needs, or that interferes with other authorized uses. Units may require users to limit or refrain from certain activities in accordance with this provision.
Privacy and Security Measures
Users must not violate the privacy of other users. Technical ability to access others’ accounts does not, by itself, imply authorization to do so.
Users play an important role in the protection of their personal information. All faculty, staff and students are required to use all available user specific security controls provided by the Seminary as available (including multi-/two-factor authentication) and meet the user specific controls in Administrative Policy: to assist in the protection of assets and the protection of their personal information and assets. Failure on the part of faculty, staff or students to employ in good faith the available security controls and to secure their personal information appropriately will mean that the seminary will not reimburse the faculty, staff or student for the loss of misdirected salary, expense reimbursements, financial aid or any other assets.
Employees must understand that any records and communications they create related to seminary business, electronic or otherwise, on an assigned or personally owned device, may be subject to disclosure under New York State’s Data Practices laws.
The Seminary takes reasonable measures to protect the privacy of its information technology resources and accounts assigned to individuals. However, the University does not guarantee absolute security and privacy. Users should be aware that any activity on information technology resources may be monitored, logged and reviewed by Seminary-approved personnel or may be discovered in legal proceedings. The Seminary assigns responsibility for protecting its resources and data to technical staff, data owners, and data custodians, who treat the contents of individual assigned accounts and personal communications as private and do not examine or disclose the content except:
- as required for system maintenance including security measures;
- when there exists reason to believe an individual is violating the law or Seminary policy; and/or
- as permitted by applicable policy or law.
The Seminary reserves the right to employ security measures. When it becomes aware of violations, either through routine system administration activities or from a complaint, it is the Seminary’s responsibility to investigate as needed or directed, and to take necessary actions to protect its resources and/or to provide information relevant to an investigation.
Individuals who use information technology resources that violate a Seminary policy, law(s), regulations, contractual agreement(s), or violate an individual’s rights, may be subject to limitation or termination of user privileges and appropriate disciplinary action, legal action, or both. Alleged violations will be referred to the appropriate office or law enforcement agency.
The Seminary may temporarily deny access to information technology resources if it appears necessary to protect the integrity, security, or continued operation of these resources or to protect itself from liability.
Individuals or units should report non-compliance with this policy to a member of the senior staff in the organization.
Departments within the Seminary may define additional conditions of use for information technology resources or facilities under their control. Such additional conditions must be consistent with or at least as restrictive as any governing Board or Administrative policy, and may contain additional details or guidelines.
Information Security Program
Union Theological Seminary is required by the Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations at 16 CFR Part 314, to implement and maintain a comprehensive written Information Security Program (“ISP”) and to appoint a coordinator for the program. The objectives of the ISP are to (1) insure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to customers.
This ISP is in addition to existing Union Theological Seminary policies and procedures that address various aspects of information privacy and security, including but not limited to, the Student Privacy Rights Policy (Family Educational Rights and Privacy Act Policy), the Information Security Policy, and the Computing Policy.
Union Theological Seminary has designated the Director of Information Technology as its ISP Coordinator. The ISP Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP.
“Covered information” means nonpublic personal information about a student or other third party who has a continuing relationship with UTS, where such information is obtained in connection with the provision of a financial service or product by UTS, and that is maintained by UTS or on UTS’s behalf. Nonpublic personal information includes students’ names, addresses and social security numbers as well as students’ and parents’ financial information. Covered information does not include records obtained in connection with single or isolated financial transactions such as ATM transactions or credit card purchases.
Elements of the ISP
- Risk Identification and Assessment.UTS’s ISP identifies and assesses external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The ISP Coordinator will provide guidance to appropriate personnel in the central administration, academic units, and other university units in evaluating their current practices and procedures and in assessing reasonably anticipated risks to covered information in their respective areas. The ISP Coordinator will work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:
- Employee Training and Management. The ISP Coordinator will coordinate with the appropriate personnel to evaluate the effectiveness of current employee training and management procedures relating to the access and use of covered information.
- Information Systems.The ISP Coordinator will coordinate with the appropriate personnel to assess the risks to covered information associated with the university’s information systems, including network and software design as well as information processing, storage, transmission and disposal.
- Detecting, Preventing and Responding to Attacksand System Failures The ISP Coordinator will coordinate with the appropriate personnel or consulting group to evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions or other system failures.
- Designing and Implementing Safeguards. The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
- Overseeing Service Providers. The ISP Coordinator, in conjunction with Vice President for Finance and Operations, and appropriate contractors, will assist in instituting methods for selecting and retaining service providers that are capable of maintaining appropriate safeguards for covered information. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA.
- Adjustments to Program.The ISP Coordinator will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to UTS’s operations or other circumstances that may have a material impact on the ISP.