×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û

B. Acceptable Use Policy

1.Ìý Ìý±Ê³Ü°ù±è´Ç²õ±ð

The information technology resources provided by the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û (×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û) and its component institutions support the educational, instructional, research, and administrative activities of the University System and those institutions. Use of these resources is a privilege that is extended to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members. Inappropriate or improper use of these shared resources can impede or negatively impact availability for the rest of the community. As such, all community members are required to behave in a responsible, ethical, and legal manner during that use.

This policy defines acceptable use of information technology resources at ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and its component institutions and outlines the responsibilities and obligations of community members who are granted access to or use of these resources. Specifically, this policy supports the following objectives:

  • Safeguarding the confidentially, availability, integrity, and privacy of institutional information and enterprise information technology resources
  • Providing a reliable information technology environment for all ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members
  • Guaranteeing use of enterprise information technology resources is consistent with the principles and values that govern use of other ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and component institution resources (e.g., facilities)
  • Confirming that enterprise information technology resources are used for their intended purposes

2.   Scope

This policy applies to anyone who utilizes ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources, and all uses of those resources, irrespective of where the resources are being used. This includes students, faculty, staff, contractors, vendors, prior students/alumni, parents, volunteers, and external customers utilizing services provided by ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û.

For purposes of this policy only, any individual who is authorized to access or use a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or component institution information technology resource is considered a member of the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community.

This policy covers the use of all information and information technology resources owned, managed, licensed, or entrusted to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or one of its component institutions, regardless of who is providing those resources, how they are being provided, or how they are being accessed. Referred to throughout this policy as institutional information and ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources, this includes, but is not limited to:

  • Information technology resources administered by Enterprise Technology & Services (ET&S) or contracted vendors
  • Information technology resources administered or managed by individual administrative, academic, or business units
  • Institutionally owned endpoint devices
  • Institutional telecommunication services including voicemail
  • Personally owned endpoint devices that connect to any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network
  • Devices, regardless of device ownership, that connect to any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resource, including students’ use of devices

Business Application Owners or Technology Service Owners have the authority to establish more restrictive requirements governing use of those resources in their care. When there are additional use restrictions for a specific information technology resource, individuals who need access to that resource shall be informed of those restrictions, and agree to abide by them, prior to access being granted.

3.   Audience

This Policy applies to all ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members granted access to any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resource.

4.   Policy Statement

4.1   Information Technology Resources are Shared

4.1.1   ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û provides information technology resources to authorized members of the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community and others in support of each ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û component institution’s mission and the mission of the University System.

4.1.2   To ensure access to and reliability of this shared resource, ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and its component institutions shall safeguard the confidentiality, integrity, availability, and privacy of these information technology resources and the institutional information captured, stored, processed, transmitted, or otherwise managed by them.

4.1.3   ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and component institution policies that govern freedom of expression, discriminatory harassment, and related matters in the context of standard written expression, also govern electronic expression as well. This Policy addresses circumstances that are particular to information technology resources and is intended to augment, but not to supersede, other relevant ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and component institution policies.

4.2   Community Member Rights and Responsibilities

4.2.1   Members of the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community shall be provided with the use of information technology resources. While accessing and using these resources, community members shall have a reasonable expectation of:

  • reliable use of these shared resources
  • protection from abuse and intrusion by others sharing these resources

4.2.2   Community members shall be responsible for exercising good judgment in the use of those resources including respecting the rights and privacy of others, respecting the security and integrity of the information technology resources they are given access to, and observing all relevant laws, regulations, contractual obligations, and ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û policies and standards.

4.2.3   Any suspicious activity related to enterprise or institutional accounts or information technology resources shall be reported immediately according to the Cybersecurity Incident Reporting process.

4.3   Acceptable Use

4.3.1   Acceptable Use of information technology resources is always ethical, reflects academic integrity, and shows restraint in the consumption of shared resources.

4.3.2   It demonstrates respect for intellectual property, ownership of data, information technology resource security, and freedom from intimidation and harassment.

4.3.3   The following are explicitly defined as acceptable:

4.3.3.1   Use that supports the administrative, academic, research, outreach, service, and operational mission of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and each of its component institutions.

4.3.3.2   Use of information technology resources for which the community member has been authorized to access and use so long as that use adheres to the intended use of those resources.

4.3.3.3   Use that protects the intellectual property of others and the rights of copyright holders of music, videos, images, texts, and other media.

4.4   Prohibited Use

4.4.1   Use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources that is illegal, disruptive, or that has the potential to negatively impact other community members or shared information technology resources is prohibited.

4.4.2   Use that violates a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or component institution policy, a contractual obligation, or that subverts the mission of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û, or its component institutions is prohibited.

4.4.3   Additionally, the following uses of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources are explicitly prohibited:

4.4.3.1   Unauthorized Use

4.4.3.1.1   Use or attempted use of any information technology resources without permission.

4.4.3.1.2   Use of another community member’s credentials, even if the community member gives their permission.

4.4.3.1.3   Sharing any password associated with enterprise or component institution credentials in violation of the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û Password Policy.

4.4.3.1.4   Allowing or enabling use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources by any individual or organization that is not affiliated with ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or one of its component institutions.

4.4.3.2   Illegal Use

4.4.3.2.1   Use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources in violation of civil or criminal law at the federal, state, or local levels or in violation of any regulation.

4.4.3.2.2   Use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources to libel, slander, harass, defame, intimidate, or threaten anyone.

4.4.3.2.3   Use that violates copyright laws through inappropriate reproduction or dissemination of copyrighted material.

4.4.3.3   Inappropriate Use

4.4.3.3.1   Use that is inconsistent with the University System's non-profit status.

4.4.3.3.2   Use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources for profit and/or commercial use, including non-×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or component institution business purposes.

4.4.3.3.3   Use for the purpose of lobbying that connotes ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or component institution involvement in or endorsement of any political candidate or ballot initiative.

4.4.3.3.4   Attempting to alter or reconfigure any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resource without proper authorization.

4.4.3.3.5   Use that results in the display of obscene, lewd, or sexually harassing images or text in a public area or location that can be in view of others.

4.4.3.4   Damaging Use

4.4.3.4.1   Use that damages the integrity of information technology resources, whether they belong to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or not.

4.4.3.4.2 Use of information technology resources to gain unauthorized access to networks or other information technology resources, whether they belong to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or not.

4.4.3.4.3   Use that seeks to circumvent, defeat, or attempt to defeat information technology resource security controls.

4.4.3.5   Disguised Use

4.4.3.5.1   Use that attempts to alter or obscure the identity of the community member or the identity of an endpoint or other connected device while communicating with any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network

4.4.3.5.2   Masquerading as or impersonating others or otherwise using a false identity without authorization, while accessing and/or utilizing ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources.

4.4.3.6   Disruptive Use

4.4.3.6.1   Use that impedes, interferes with, impairs, or otherwise causes harm to the activities of other community members (e.g., consumption of excessive bandwidth, distribution of malicious programs, spamming internal distribution lists).

4.4.3.6.2   Removal of any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û-owned or administered information technology resource from its normal location without authorization.

4.5   Privacy

4.5.1   Student educational records stored on or accessible via ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources shall only be shared and used in accordance with the Family Educational Rights and Privacy Act of 1974 (FERPA). Handling requirements for information protected by FERPA are provided in the Protected Information Handling Standard.

4.5.2   While all ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members shall have a reasonable expectation to a certain degree of privacy related to their use of information technology resources provided by ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and its component institutions, there are specific circumstances under which access to information or information technology resource use for a specific community member shall be authorized for ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û officials, ET&S personnel, law enforcement, other community members, or other external parties.

4.5.3   Some of those circumstances allow for this access without the knowledge and/or consent of the impacted community member.

4.5.4   The rules governing when and how that access is granted and to whom it can be granted for allowable circumstances shall be documented in the Access to Password Protected Information Standard.

4.5.5   ET&S reserves and retains the right to access, affect, and inspect information technology resources, and the information stored within those resources, without the consent of community members, to the extent necessary to manage and administer those resources (e.g., backup and caching of information and communications, the logging of activity, monitoring of general usage patterns, and other activities necessary or convenient for the provision of service).

4.6   Use of Personally Owned Devices

4.6.1   ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and its component institutions shall allow community members to connect personally owned devices to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û networks and to use personally owned endpoint devices to access approved institutional information and ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources on-campus or remotely.

4.6.2   While this is an acceptable use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources, community members who choose to use personally owned devices to connect to and/or access any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resource shall agree to the following:

4.6.2.1   Connecting to a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network with a personally owned endpoint or other device implies consent for ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and its component institutions to perform security scans on that device while connected to the network.

4.6.2.2   Any personally owned device connecting to a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network must be registered with the appropriate component institution.

4.6.2.3   Unregistered devices may be blocked from accessing ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û networks or other information technology resources.

4.6.2.4   All personal endpoint devices connecting to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources must meet the requirements defined in the Endpoint Management Standard.

4.6.2.5   Personally owned endpoint devices used by ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û employees to conduct ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or component institution business that are involved in a cybersecurity incident may be searched as part of the internal ET&S investigation or any investigation by law enforcement.

4.6.3   Although use of personally owned endpoint devices or other devices to connect to or use ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources is considered acceptable use, these devices shall not be used to host websites, applications, or services, across any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network, for a non-×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or component institution organization, without specific authorization from the Chief Information Security Officer (CISO).

4.7 Personal Use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û Information Technology Resources

4.7.1   Incidental personal use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources is allowed (e.g., internet access, accessing personal e-mail) as long as it is consistent with this Policy, and any applicable administrative, academic, or business unit policies, procedures, and guidelines, and it does not:

4.7.1.1   Interfere with the performance of an employee’s job or other responsibilities.

4.7.1.2   Consume a disruptive amount of information technology resources.

4.7.1.3   Violate any other ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or component institution policies.

4.7.2   While this is considered an acceptable use, supervisors may impose further limits on use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources for non-work purposes, in accordance with normal supervisory procedures.

4.8   Network Infrastruture

4.8.1   Unless specifically authorized, by the Chief Information Security Officer (CISO), community members shall not connect networking equipment (e.g., routers, hubs, sniffers) to any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network, nor operate network services (e.g., routing, name service, multicast services) on any endpoint or other device attached to a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network.

4.8.2   Community members shall not attempt to modify or tamper with any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û wired and/or wireless network services nor to extend these information technology resources beyond the limits provided.

4.8.3   Unauthorized information technology resources connecting or attempting to connect to a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network may be denied access, have access terminated, and/or be banned from future access.

4.8.4   Detailed requirements for obtaining authorization to connect to a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network shall be provided in the relevant ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û Standards.

4.9   Loss of Access to Shared Information Technology Resources

4.9.1   ET&S may temporarily deactivate or restrict an individual's access to one or more shared information technology resources, even in the absence of a suspected AUP violation, when necessary to preserve the confidentiality, integrity, and/or availability of those and other information technology resources.

4.10   Acceptable Use Violations

4.10.1   If a community member observes or is otherwise aware of an alleged violation of this Policy, they should report the matter to the CISO.

4.10.2   The CISO, based on the details of the alleged violation, may investigate and, if appropriate, refer the matter to the appropriate ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û institution’s disciplinary authorities as outlined in the Enforcement section below.

4.11   Policy Maintenance

4.11.1   This Policy and the related standards shall be reviewed and maintained regularly, but no less than once per year.

5.   Enforcement

Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).

Non-compliant technology and/or activities may be mitigated as deemed necessary by the CISO and/or CIO.

Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.

6.   Exceptions

Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the Cybersecurity Exception Standard.

7.   Roles and Responsibilities

7.1   Business Application Owners/Technology Service Owners

7.1.1   Adhere to the rules governing access to specific community member institutional information and/or information technology resources defined in the Access to Password Protected Information Standard.

7.1.2   When warranted:

7.1.2.1   Establish more restrictive requirements governing use of information technology resources in their care.

7.1.2.2   Provide ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members with any additional requirements governing use of that specific information technology resource prior to granting access to that resource.

7.1.2.3   Ensure ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members agree to abide by information technology specific requirements before access is granted.

7.2   Chief Information Security Officer (CISO)

7.2.1   Determine if alleged violations of this policy require investigation or further action.

7.2.2   Refer violations of this policy, where appropriate, to the relevant ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û institutional disciplinary authority.

7.2.3   Document issues of clarity within this policy or the related standards raised by ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members.

7.2.4   Ensure issues with this policy raised by ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members are resolved in a timely manner through revision of this policy and the related standards, if needed.

7.2.5   Ensure this policy and related standards are reviewed and maintained regularly, but no less than once per year.

7.3   ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û Community Members

7.3.1   Observe all relevant laws, regulations, contractual obligations, and ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û policies and standards in relation to their access and use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and component institution information technology resources.

7.3.2   Exercise good judgement in the use of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources.

7.3.3   Respect the rights and privacy of other community members.

7.3.4   Respect the security and integrity of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources.

7.3.5   Protect all enterprise and component institution credentials (username and password) issued to them.

7.3.6   Report any suspicious activity related to enterprise or institutional accounts or information technology resources immediately according to the Cybersecurity Incident Reporting process.

7.3.7   Avoid engaging in any prohibited use of information technology resources including the connection of networking equipment to any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network and modification or tampering with any ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û network service.

7.3.8   Understand the ramifications of using a personally owned endpoint or other device to access ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources.

7.3.9   Report alleged violations of this policy to the CISO.

7.4   Enterprise Technology & Service (ET&S)

7.4.1   Provide information technology resources in support of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and component institution missions and objectives.

7.4.2   Safeguard the confidentiality, integrity, availability, and privacy of institutional information and ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources.

7.4.3   Cooperate, upon the advice of the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û General Counsel’s Office (GCO), with any local, state, or federal investigation involving or pertaining to use of institutional information or ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources.

7.4.4   Adhere to the rules governing access to specific community member institutional information and/or information technology resources defined in the Access to Password Protected Information Standard.

8.   Definitions

See the ET&S Cybersecurity Policy & Standard Glossary for full definitions of each term.

  • Acceptable Use
  • Anti-virus
  • Authorization
  • Availability
  • Business Application Owner
  • Chief Information Security Officer
  • Confidentiality
  • Copyright
  • Credentials
  • Cybersecurity Incident
  • Encryption
  • Endpoint Device
  • Exception
  • Information Technology Resource
  • Information
  • Institutional Information
  • Integrity
  • Intellectual Property
  • Password
  • Personally Owned Device
  • Policy
  • Privacy
  • Prohibited Use
  • Standard
  • Technology Service Owner
  • Username
  • ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û Community Member
  • Vulnerability

CONTACT INFORMATION

For ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to Cybersecurity Governance, Risk, and Compliance (GRC) via this .

All other requests can be submitted here: .