Computer, Network, and Information Systems Access, Use, Control & Security

Purpose

To establish minimum criteria for access, controls, use and security for university computers, networks and information systems.

General

This policy is effective at all company locations and represents the minimum requirements that must be in place.  Individual areas that have computers and networks may have additional controls and security, but they are in addition to this policy.

Definition of Terms

Information System - an electronic data storage and retrieval system used to store and process computerized data.  Such a system may include, but is not limited to, computers, terminals, peripherals, networks, software, and data.

Computer Abuse - includes, but is not limited to, unauthorized access, update, or use; interference with operation; unauthorized access to data, including software; and "impersonation" to gain access.

Computer Account - an authorization for an individual to access a specific university owned computer system for university related activities.  Accounts are a privilege and access to an account can be revoked at the discretion of the appropriate director, manager, department head, or a member of the Office of Information Technology.  All computer accounts are restricted so that the user can only access a limited set of application programs and has, at most, restricted access to university computers, networks, and information systems.

Network - a collection of independent computing systems, together with a mechanism that allows them to reliably exchange information with one another.

Password - an alphanumeric character string that acts as a key for a user to access a specific computer account.  It differs from the User ID ("UID") since the UID is known or can be determined by any user of the system.  The password is private knowledge of the user and must not be shared.

System User - Any employee of the university who uses any university computer, network, or information system resource or service.

Policy

University computers, networks, and information systems shall be used only for university related activities and in fulfillment of the university's mission.

Due care shall be exercised by system users to protect university computers, networks, and information systems from unauthorized use, disclosure, alteration, or destruction.

Responsibilities

The Executive Director of IT - shall set overall policy regarding computers, networks, and information systems use and protection.

The Executive Director of IT - shall develop and implement university-wide policies, controls, and procedures to protect the university computers, network, and information systems from intentional or inadvertent modification, disclosure or destruction, as well as monitoring user adherence to these policies; arbitrating and resolving issues and problems pertaining to ownership, accessibility and updating responsibility of university's data resources; and educating the user community to the ethical usage of computer information and network facilities.

Management, Directors, Supervisors, and Department Heads - shall ensure that all system users within their area of accountability are aware of their responsibilities as defined in this policy.  Specifically, they are responsible for validating the access requirements of their staff according to their job functions, prior to submitting requests for the provision of access, and for ensuring a secure physical environment with regard to university computers, networks, and information systems.

In addition, they are responsible for requesting a user identification code, password, and initial basic capabilities for new system users; requesting access for system users to needed production applications, both on-line and batch; coordinating requests by authorized system users for computerized institutional data for ad hoc reporting and analysis; ensuring that all data accessed or received is used in accordance with university policy; coordinating access and security procedures for system users transferring to or from other positions within the university; ensuring that cessation of access to the university computers and information systems by system users terminating employment is promptly requested; and addressing and reporting violations of university data access and use policies and agreements to appropriate authorities.

System User - shall ensure that he/she makes use of services and facilities only as required in the performance of his/her job function.  Each person is responsible for all transactions occurring during the use of his/her user ID and/or password.  Computer accounts and passwords must not be shared with anyone under any circumstances unless the Executive Director of IT specifically approves an exception.  Only exceptional requests, which document an extraordinary situation, may be considered.  All requests and approvals must be in writing.

System users must:

Safeguard university computers, networks, and information systems, and report any breach of security or compromise of safeguards to his/her immediate supervisor, who will then forward any such report to the Executive Director of IT.

Abide by the terms of software licensing agreements and copyright laws.

System users must NOT:

Intentionally perform any act that will impair the operation of university computers, networks, or information systems.

Use the computer, network, or information systems resources to gain unauthorized access to remote computers.

Attempt to modify in any way a computer file or program that the university supplies.

Run, install, or cause to be installed, on any university computer, network, or information system any software without prior authorization, obtained in writing, from the Executive Director of IT.

Attempt to circumvent protection schemes or uncover security loopholes.

Use university computers, networks, and information systems for personal financial gain.

Deliberately perform acts that are wasteful of computing resources.  These acts include, but are not limited to, sending mass mailings or chain letters, obtaining unnecessary output, creating unnecessary multiple jobs or processes, creating unnecessary network traffic, or printing, storing on any system, or moving across the network, any excessively large document or file.

Place any of the following types of information or software on any university computers, networks, or information systems:

  • Material which infringes upon the rights of another person or organization;
  • Abusive, profane, or sexually offensive material;
  • Pirated software, destructive software, pornographic materials, libelous statements, or any material which may be injurious to another;
  • Advertisements for commercial purposes.

Harass others by sending annoying, threatening, libelous, or offensive messages.

Attempt to monitor another user's data communications, or read, copy, change, or delete another user's files or software, without permission of the owner.

Play games using any university computers, networks, or information systems unless for instructional purposes and specifically authorized to do so by the Executive Director of IT.

It is a further responsibility of each system user to read and understand this policy.  Ignorance of this policy does not excuse violations.

Access to university computers, networks, information systems, accounts, and resources is limited only to those which an individual has been authorized to use by the university.  Authorization for such access, including the purpose of the account, issuance of passwords, and designation of computer accounts, must be approved in writing through the respective director, manager, supervisor, Department Head, or their authorized representative.  The unauthorized use of university computers, networks, information systems, accounts, or resources, the unauthorized use of another person's computer account, and providing false or misleading information for the purpose of obtaining access to any of these, are prohibited and will be subject to the sanctions described in this policy.

The University shall not be liable for, and the user assumes the risk of, loss of data, or interference with files resulting from the university's efforts to maintain the privacy and security of the university's computer, network, and information systems.

All software, data, or any other files produced by system users on university computers, networks, or information systems are the property of the university. This includes, but is not limited to, the contents of all EMAIL correspondence.  As such, the university has the right to examine all such software, data, and files.

In order to protect the security of university computers, networks, and information systems, and the integrity of the information against unauthorized or improper use, and to protect authorized users and others from the effects of unauthorized or improper usage, the university reserves the right to: limit, restrict, or terminate any account holder's usage and inspect, copy, remove or otherwise alter any software, data, file, or system resources, which reside on university computers, networks, or information systems, with or without prior notice to the user.  The university also reserves the right to periodically check and to take any actions necessary to protect university computers, networks, and information systems.

The computers and data stored therein are the property of the university and there should be no expectation of privacy.  The university reserves and will exercise the right to review, audit, intercept, access and disclose all matters on university EMAIL systems and hard drives at any time, with or without notice, and such access may occur during or after hours.

Any system user engaging in computer abuse or unauthorized use, disclosure, alteration, or destruction of university computers, network, or information systems and/or any other violation of this policy shall be subject to appropriate action such as (i) a limitation on a user's access to some or all university systems, (ii) the initiation of legal action by the university, including, but not limited to, criminal prosecution under the appropriate laws, (iii) the requirement of the violator to provide restitution for any improper use of service, and (iv) disciplinary sanctions, which may include dismissal.

Many work-related activities require the use of computers, networks and systems of the university.  In the event of an imposed restriction or termination of access to some or all university computers and systems, a user involved in computer related work activities may be required to use alternative facilities, if any, to satisfy the obligation of such work activity.  However, users are advised that if such alternative facilities are unavailable or not feasible, it may be impossible to complete requirements for work responsibility.  The university views misuse of computers as a serious matter, and will make no exceptions to restrictions on access to its facilities even if the user is unable to complete work responsibilities as a result.

The Internet policy which follows is an extension of the University Computer, Network, and Information Systems Access, Control, Use and Security Policy that is currently in effect; its purpose is to mitigate the risk of connecting to the Internet.

Internet Policy

Any connection between the university network and the Internet presents the opportunity for non-university users to attempt to access university systems and information.  It is therefore extremely important that such a connection is secure, controlled, and monitored.  It is also important that university users use the Internet only for university related activities in fulfillment of the university's mission and that they use the Internet to increase productivity rather than for non-company purposes that could adversely affect the responsiveness of critical systems on the network.  Any use not expressly permitted is prohibited.  The Office of Information Technology will log and audit Internet use to ensure compliance.

Permitted and Prohibited Internet Services

EMAIL

Permitted Uses:

  • Sending and receiving email messages with enclosures for university purposes
  • Sending and receiving short text messages with no enclosures for non-company purposes

Prohibited Uses:

  • Forwarding email chain letters or mass mailings
  • Sending or arranging to receive mail enclosures for personal reasons
  • Sending sensitive information by email over the Internet
  • Opening files received from the Internet without performing a virus scan

Web

Permitted Uses:

  • Any user approved for Web access may connect to and view any Web page for well-defined company purposes
  • Any user may print such Web pages

Prohibited Uses:

  • Installation of Web server software on any university computer, network or information system without written permission from the Office of Information Technology
  • Connection to Web sites related to sex, illegal drugs, criminal skills, hate speech, on-line gambling, sports, entertainment, on-line merchandising, humor, or job search
  • Connection to any site for non-company reasons

Downloads

Permitted Use:

  • Any user approved to download files from a particular site may download files from that site if such files are scanned for viruses, the Office of Information Technology has approved any software installed on user's workstation, and purchase of any required software license is approved

Prohibited Uses:

  • Downloading any file from a non-approved site; permission to download files is granted on a site-by-site basis, and permission will be granted only for trusted, major commercial sites
  • Downloading software without approval to purchase required license
  • Downloading from any site for non-company purposes at any time

Newsgroups and Mailing Lists

Permitted Uses:

  • Any user with approved access to newsgroups may access newsgroups that have been previously requested and approved, if such access is for university purposes
  • Any user with email access may place their email address on email mailing lists that have been previously requested and approved by the Office of Information Technology, if such activity is for company purposes

Prohibited Uses:

  • Accessing any newsgroup for non-company reasons
  • Adding one's email address to unapproved mailing lists
  • Submitting messages to newsgroups
  • Accessing newsgroups related to sex, illegal drugs, criminal skills, hate speech, on-line gambling, sports, entertainment, on-line merchandising, humor, or job search

Social Media

Permitted Uses:

  • Only approved employees may use social media, which includes, but is not limited to, blogs, wikis, microblogs, message boards, chat rooms, electronic newsletters, online forums, social networking sites, and other sites and services that permit users to share information with others
  • All social media access should be for the purpose of the university

Prohibited Uses:

  • Employees are forbidden from using social networks to post or display comments about co-workers, supervisors, or university employees that are vulgar, obscene, threatening, and harassing
  • Employees may not use social networks to disclose any confidential or proprietary information about the university or its employees, customers or business partners