Policy Title | Acceptable Use Policy |
---|---|
Policy Category | Operational Policies |
Original Policy Approval Date | February 9, 2022 |
Policies Superseded | Policy dated June 20, 2019 |
Responsible Office | Provost |
Related Policies | None |
Frequency of Review | 5 Years |
Date of Next Review | February 2027 |
I. Scope
This Acceptable Use Policy (“Policy”) applies to all Users of Computing Resources and/or facilities owned, managed, or otherwise provided by Arcadia University (“University”). Individuals covered by this Policy include, but are not limited to, all faculty, staff, non-Arcadia Employees, and students with access to the University’s Computing Resources and/or facilities. Computing Resources include, but are not limited to, all University-owned, -licensed, or -managed hardware and software, email domains, and related services, and any use of the University’s network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
II. Policy Statement
The University’s technology infrastructure exists to support the academic and administrative activities needed to fulfill the University’s mission. Access to these resources is a privilege that should be exercised responsibly, ethically, and lawfully.
The purpose of this Policy is to clearly establish the role of each member of the University community in protecting its information assets, and to communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable the University to implement a comprehensive system-wide information security program.
The University will make reasonable efforts to respect Users’ privacy. However, Users do not have, and should not expect, any right to privacy for communications transmitted or stored on the University’s Computing Resources. Additionally, in response to a judicial order or any other action required by law or permitted by University policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the University, the University may authorize a University official or an authorized agent, to access, review, monitor, and/or disclose computer files associated with a User’s account. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the University’s rules, regulations or policy, or when access is considered necessary to conduct University business due to the unexpected absence of a User or to respond to health or safety emergencies.
III. Policy
Activities related to the University’s mission take precedence over computing pursuits of a more personal or recreational nature. Any use of the University’s Computing Resources that disrupts the University’s mission is prohibited. Following the same standards of common sense, courtesy, and civility that govern the use of other shared facilities, acceptable use of Computing Resources generally respects all individuals’ privacy, but is subject to the right of individuals to be free from intimidation, harassment, and unwarranted annoyance. All Users of the University’s Computing Resources must adhere to the requirements enumerated below as well as other applicable University policies that may be implemented from time to time, as well as all federal, state, and local laws, including copyright and licensing laws. Use of computing resources signifies your understanding and agreement with this Policy.
1. Fraudulent and Illegal Use
The University explicitly prohibits the use of any Computing Resources for fraudulent and/or illegal purposes. While using any of the University information systems, a User must not engage in any activity that is illegal under local, state, federal, and/or international law. As a part of this policy, Users must not:
- Violate the rights of any individual affiliated with the University involving information protected by copyright, trade secret, patent, or other intellectual property right, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by the University.
- Use in any way copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the University does not have a legal license or qualifies under Fair Use Index of the US Copyright Act.
- Export software, technical information, encryption software, or technology in violation of international or regional export control laws.
- Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services.
- Engage in gambling or any activities that are illegal, violate any other University policy, or are contrary to the University’s interest.
Any User that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify the appropriate authority identified in the University’s Staff Handbook, Faculty Handbook, Code of Conduct, Student Handbook, or the employee’s manager immediately.
If any User creates any liability on behalf of the University due to inappropriate use of the University’s Computing Resources, the User agrees to indemnify and hold the University harmless, should it be necessary for the University to defend itself against the activities or actions of the User.
2. Confidential Information
The University has both an ethical and legal responsibility for protecting confidential information in accordance with its Data Classification defined in the Data Governance Policy. To that end, the University has adopted the following policies with regard to confidential information:
- Transmission of University confidential information by end-user messaging technologies (for example, email, instant messaging, SMS, chat, etc.) that is unencrypted is prohibited.
- The writing or storage of confidential information on mobile devices (for example, phones, tablets, USB drives) and removable media is prohibited. Mobile devices that access confidential information will be physically secured when not in use and located to minimize the risk of unauthorized access. Refer to the data classifications found in the Data Governance Policy.
- All University employees and service providers will use approved workstations or devices to access University’s data, systems, or networks. Non-University owned workstations that store, process, transmit, or access confidential information are prohibited. Accessing, storage, or processing confidential information on any other device is prohibited.
- All University portable workstations will be securely maintained when in the possession of University Authorized Users. Such workstations will be handled as carry-on (hand) baggage on public transport. They will be concealed and/or locked when in private transport when not in use.
- Photographic, video, audio, or other recording equipment will not be utilized in secure areas.
- All confidential information stored on workstations and mobile devices must be encrypted.
- All University Authorized Users who use University-owned workstations will take all reasonable precautions to protect the confidentiality, integrity, and availability of information contained on the workstation.
- University Authorized Users who move electronic media or information systems containing confidential information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized use.
- University Authorized Users will activate their workstation locking software whenever they leave their workstation unattended or will log off from or lock their workstation when their shift is complete.
3. Harassment
The University is committed to providing a safe and productive environment, free from harassment, for all University community members. For this reason, Users must not:
- Use University information systems to harass any other person via email, telephone, or any other means,
- Actively procure or transmit material that is in violation of the University’s Policy Prohibiting Sexual Harassment and Sexual Misconduct or Non-Discrimination and Non-Harassment Policy or similar laws, or
- Engage Computing Resources in any behavior that is in violation of the University’s Code of Conduct and/or Student Handbook, or other University policy.
If a User feels they are being harassed through the use of the University’s information systems, the user should report it, as described in the Policy Prohibiting Sexual Harassment and Sexual Misconduct or Non-Discrimination and Non-Harassment Policy.
4. Incident Reporting
The University is committed to responding to security incidents involving community members, University-owned information, or University-owned information assets. As part of this Policy:
- The loss, theft, or inappropriate use of University access credentials (e.g. passwords, key cards or security tokens), assets (e.g. laptop, cell phones), or other information will be reported to the IT Help Desk immediately.
- A University Authorized User will not prevent another member from reporting a security incident.
5. Malicious Activity
The University strictly prohibits the use of information systems for malicious activity against other Users, the University’s information systems themselves, or the information assets of other parties. Any examples of malicious activity listed within this policy should not be construed as exhaustive lists, and the University reserves the right to determine whether an authorized user’s activities constitute a violation of this policy.
6. Denial of Service
Users must not:
- Perpetrate, cause, or in any way enable disruption of the University’s information systems or network communications by denial-of-service methods;
- Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system; or
- Intentionally develop or use programs to infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system, or network.
7. Confidentiality
Users must not:
- Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the User is not an intended recipient or logging into a server or account that the User is not expressly authorized to access;
- Facilitate use or access by non-authorized Users, including sharing their password or other login credentials with anyone, including other Users, family members, or friends;
- Use the same password for University accounts as for other non-University access (for example, personal ISP account, social media, benefits, email, etc.);
- Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another User’s password;
- Make copies of another User’s files without that User’s knowledge and consent;
- All encryption keys employed by Users must be provided to Information Technology if requested, in order to perform functions required by this Policy; or
- Base passwords on something that can be easily guessed or obtained using personal information (e.g. names, favorite sports teams, etc.). See the Information Technology website for more information about password guidelines and best practice.
8. Impersonation
Users must not:
- Circumvent the User authentication or security of any information system;
- Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
- Create and/or use a proxy server of any kind, other than those provided by the University, or otherwise redirect network traffic outside of normal routing without authorization; or
- Use any type of technology designed to mask, hide, or modify their identity or activities electronically.
9. Network Discovery
Users must not:
- Use a port scanning tool targeting either the University’s network or any other external network, unless this activity is a part of the User’s normal job functions, such as a member of the Office of Information Technology, conducting a vulnerability scan, and faculty utilizing tools in a controlled environment.
- Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the User, unless this activity is a part of the User’s normal job functions.
10. Objectionable Content
The University strictly prohibits the use of University information systems for accessing or distributing content that other Users may find objectionable unless authorized for University business operations, by the Cabinet member leading the unit. The foregoing is not designed to infringe upon academic freedom(s). Users must not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials considered to be:
- Harassing or derogatory in regards to a political purpose;
- Sexually-explicit;
- Violent or promoting violence;
- Discriminatory on the basis of race, color, creed, national or ethnic origin, religion, political belief, gender, gender identity or expression, genetic information, sex, sexual preference and/or orientation, union membership, age (as defined by law), disability (provided the employee can perform the essential functions of the job with reasonable accommodation or without the need for accommodation) or military or Veterans’ status;
- Messages of a religious or political nature for the purpose of proselytizing;
- Any behavior that is in violation of the University’s Staff Handbook, Faculty Handbook, Code of Conduct and/or Student Handbook, Policy Prohibiting Sexual Harassment and Sexual Misconduct, Non-Discrimination and Non-Harassment Policy or other University policy.
11. Hardware and Service
The University strictly prohibits the use of any hardware peripherals or software that is not purchased, installed, configured, tracked, and managed by the University. Users must not:
- Install, attach, connect or remove hardware containing storage or the ability to copy, backup, or install files or other software;
- Download, install, disable, remove or uninstall software of any kind, including patches of existing software, to any University information system without the knowledge and permission of the University;
- Use personal flash drives, or other USB based storage media in the transfer and storage of Level 1 Restricted and Level 2 Sensitive data (as outlined in the Data Governance Policy) without prior approval from IT; or
- Take University equipment off-site without prior authorization from Information Technology (please see IT Website for information on remote work options/resources).
12. Messaging
The University provides a robust communication platform for Users to fulfill its mission. Users must not:
- Automatically forward electronic messages of any kind, by using client message handling rules or any other mechanism;
- Intentionally send unsolicited electronic messages, such as “junk mail” or other advertising material, to individuals who did not specifically request such material (“spam”);
- Solicit electronic messages for any other digital identifier (e.g. e-mail address, social handle, etc.), other than that of the User’s own account, with the intent to harass another individual; or
- Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.
13. Remote Working
When working remotely, a User must:
- Follow guidelines set forth in the University’s approved Alternative Work Assignment Policy.
- Be given explicit approval from their direct supervisor (in consultation with Human Resources).
- Safeguard and protect any University-owned or -managed computing asset (e.g. laptops and cell phones) to prevent loss or theft.
- Not utilize personally-owned computing devices for University work, including transferring University information to personally-owned devices, unless approved by the Chief Information Officer (“CIO”) or their designee. It is understood that adjunct faculty are not provided computers and therefore will need to utilize their own devices for completing their duties. Adjunct faculty should not transfer and/or store Level 1 Restricted and Level 2 Sensitive data (as outlined in the Data Governance Policy) without prior approval from IT.
- Take reasonable precautions to prevent unauthorized parties from utilizing computing assets or viewing University information processed, stored, or transmitted on University-owned assets.
- Not create or store confidential or private information on local machines unless a current backup copy is available elsewhere.
- Not access or process confidential information in public places or over public, insecure networks.
14. Other
In addition to the other prohibitions contained in this Policy, Users must not:
- Use the University’s information systems for commercial use or personal gain.
IV. Roles and Responsibilities
Arcadia University reserves the right to protect, repair, and maintain the institution’s computing equipment and network integrity. In accomplishing this goal, Arcadia University IT personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and Internet activities. Any information obtained by IT personnel about a user through routine maintenance of the institution’s computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of Arcadia University’s computing resources.
V. Enforcement
Users who violate this policy may be denied access to the University’s Computing Resources and may be subject to penalties and disciplinary action both within the University, up to and including separation from the University, and external to the University, including investigation and/or prosecution by local, state, or federal authorities. The University may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the University’s or other Computing Resources, or to protect the University from liability. The University is not liable for the actions of anyone connected to the internet through the University’s Computing Resources. All Users will assume full liability—legal, financial, or otherwise—for their actions.
Users are subject to disciplinary rules described in the Staff Handbook, Faculty Handbook, Student Handbook and Code of Conduct, and other policies and procedures governing acceptable behavior.
VI. Exceptions
Exceptions to the policy may be granted by the CIO, or by the CIO’s designee. All exceptions must be reviewed annually or more frequently if deemed necessary and/or appropriate by the CIO.
VII. References
- The Gramm-Leach-Bliley Act (GLBA)
- Family Educational Rights and Privacy Act (FERPA)
- NIST 800-53
- FIPS-199
- PCI DSS 3.1
- Code of Ethics of the American Library Association
VIII. Definitions
Authorized Users – all Users of Technology Resources including, but not limited to, employees, temporary employees, faculty, students, alumni, campus visitors, contractors, vendors, consultants and their related personnel, and other users authorized by the University to access its systems and networks.
Computer Resources – assigned computer accounts, email services, and the shared University Network which includes resources and facilities operated by the University, whether owned, leased, used under license or by agreement, including, but not limited to: telephones (including mobile devices) and telephone equipment, voice mail, SMS, mobile data devices, desktop and laptop computers, email, chat, facsimiles, mail, any connection to the University’s network or use of any part of the University’s network to access other networks, connections to the Internet that are intended to fulfill information processing and communications functions, communication services, hardware, including printers, scanners, facsimile machines, any off-campus computers and associated equipment provided for the purpose of University work or associated activities.
Information Systems – any system that creates, collects, stores, and processes data.
Non-Arcadia Employees – all personnel affiliated with third parties with which the University is associated.
University refers to Arcadia University, its colleges, schools, affiliates, divisions and subsidiaries.
IX. Effective Date
The Effective Date of this Policy is the date that it is signed by the President.
X. Date of Approval
February 9, 2022