Policy on Responsible Use of Information Technology Resources

Printable Version in PDF Format (Get Adobe Acrobat)

History

• Policy Number: SP.04.005
• Version: Original
• Drafted By:
• Approved By: Richard R. Rush
• Approval Date:
• Effective Date:
• Supersedes:

Purpose

The purpose of this policy is the effective and efficient use of information technology resources in support of the University’s mission of education, research, and public service. This policy is intended to ensure

1. the integrity, reliability, and good performance of University resources;
2. that these resources are used appropriately and efficiently for their intended purposes; and
3. that appropriate measures are in place to assure the policy is enforced. 

Background

The current Policy Statement, Use of Internet (http://www.csuci.edu/its/itpolicy/internet_policy_6-2003.pdf) was signed by the President in 1998 but has not been formally reviewed.  The proposed document includes references to a wider list of federal and state laws and CSU policies that affect the use of campus information technology resources.

Information Technology consists of computers and other devices attached to and using University resources, its networks, and the applications they support, such as electronic mail and access to the World Wide Web. These technologies are critical to the multifaceted mission of the University, a mission that includes teaching, research, and public service. Information technology offers increased opportunities for communication and collaboration and has changed the way we conduct business as a University:

• All students, faculty,administrators,  and staff have e-mail.
• All members of the University can obtain computer accounts.
• Every campus dorm room has a connection to the Internet.
• Students submit assignments via e-mail.

These are but a few of the many examples of how information technology is connected to many activities at  the University. While these resources help the University function, they also require responsible use from every user. Your actions can affect people all around the world. You must use these technologies responsibly and with respect.

The Responsible Use Policy is based on policies from a number of universities.  Links to these policies can be found on the last page of this document.

Policy

Accountability

Vice President for Finance and Administration, Information Security Officer, Information Technology management, Human Resources Department; Vice President for Academic Affairs

Applicability

Administrators, faculty, staff, students, visitors and others who access or use CSU Channel Islands information technology resources. All existing laws (federal, state and local), California State University and CSU Channel Islands regulations and policies apply to users of CSU Channel Islands information technology resources, including not only laws and regulations that are specific to computers and networks, but also those that may apply generally to personal conduct. This may also include laws of other states and countries where material is accessed electronically via University resources by users within those jurisdictions or material originating within those jurisdictions is accessed via University resources. Additional computer and network use policies, terms and conditions may be in place for specific information technology resources offered by the campus.

Definition(s)

Information Technology Resources-Any information technology resource, service, or network system, including but not limited to computers, workstations, servers, networks, storage devices, peripheral equipment, input/output and connecting devices, data processing functions, information databases, on-line applications, instructional technology resources, email systems and related records, programs, software and documentation.

Network-The associated equipment, computers and transmission media used for the purpose of sending and receiving data, voice or video signals

Text

A. Guiding Principles

The following principles underlie this policy and should guide its application and interpretation:

1. As an academic institution, we place great value on freedom of thought and expression. The University community encompasses a wide array of opinions, views, approaches, and temperaments. We would like all those associated with the University to exercise their freedoms in a mature, responsible, and respectful manner, and we encourage them to do so. But we do not punish or prevent expression that may be offensive but that violates no specific law or University regulation. Freedom of thought, inquiry, and expression is a paramount value of the CSU Channel Islands community. To preserve that freedom, the community relies on the integrity and responsible use of University resources by each of its members.
2. Information technology resources are provided to support the University's mission of education, research and service. To ensure that these shared and finite resources are used effectively to further the University's mission, each user has the responsibility to:
1. use the resources appropriately and efficiently;
2. respect the freedom and privacy of others;
3. protect the stability and security of the resources; and
4. understand and fully abide by established University policies and applicable laws.

1. Although the current or potential design, capability or functionality of the information technology resources may be inadequate because of resource or design constraints, users must still use those resources responsibly.

Users of information technology resources are expected to uphold the highest academic standards in accordance with University policies and practices.

B. Policy Application

As a general guideline, the institution regards the law to be the primary source of guidance in assuring the effective application of this policy and its procedures and practices. The principle of academic freedom is a key factor. The University's role in supporting or acting to enforce such law is critical to how this policy will be applied.

1. The accessibility of certain University information technology resources, such as network-based services, implies a degree of risk that the existence, viewing or receipt of certain information or content may be offensive. As a matter of policy, the University protects expression by members of its community and does not wish to become an arbiter of what may be regarded as "offensive" by some members of the community. However, in exceptional cases, the appropriate officials (as defined in Section D) may decide that such material directed at individuals or groups presents a hostile environment under federal and state law and that certain restrictive actions are warranted.

2. The University reserves the right to limit access to its resources when policies or laws are violated, and to use appropriate means to safeguard its resources, preserve network and system integrity, and ensure continued service delivery at all times. These means include:
1. monitoring routing information of communications across its network services;
2. monitoring transaction records residing on University resources;
3. scanning systems attached to the CSU Channel Islands network for security problems;
4. disconnecting systems that have become a security hazard; and
5. restricting the material transported across the network or posted on University systems.

Appendix 2 includes some questions and answers about what you can expect with respect to privacy, free speech and other topics.

3. Referenced documents within the policy to external documents are provided for the convenience of readers. They should not be viewed as implying that the referenced document is being incorporated into this policy except as stated or otherwise specified in the policy itself.

C. Policy Provisions

This section is not intended to provide a full accounting of applicable laws and policies. Rather, it is intended to highlight major areas of concern with respect to responsible use of CSU Channel Islands' resources and specific issues required by law or CSU policy. Users of CSU Channel Islands information technology resources are expected to comply with and obey applicable laws and follow CSU system-wide policy.

1. Authorized Use / Access
1. Access to CSU Channel Islands’ information technology resources is a right and a privilege granted to faculty, staff and students in support of their studies, instruction, duties as employees, official business with the University, and/or other University-sanctioned activities. Access may also be granted to individuals outside of CSU Channel Islands for purposes consistent with the mission of the University.
2. Access to the University's information technology resources does not imply the right to use those resources. The University reserves the right to limit, restrict, remove or extend access and privileges to material posted on, or communications via its information technology resources, consistent with this policy, applicable law or as the result of University disciplinary processes, and regardless of the originating access point.
3. With the exception of implicitly publicly accessible resources such as public web sites, access to CSU Channel Islands information technology resources may not be transferred or extended by members of the University community to outside individuals or groups without prior approval of the Vice President of Finance and Administration. Such access must be limited in nature and fall within the scope of the educational mission of the institution. The requesting University official is expected to ensure that such access is not abused.
4. Incidental personal use is permitted as stipulated by law.  Incidental Union communication is permitted under this policy. All use not consistent with this policy may be considered unauthorized use.

2. Examples of Misuse
1. In accordance with California State Penal Code Section 502, CSU Channel Islands Policy on Computer Related Crimes, CENIC CalREN-2 Acceptable Use Policy, and other policies and laws, activities and behaviors that threaten the integrity of computer networks or systems are prohibited on both University-owned and privately-owned equipment operated on or through University resources. These activities and behaviors include but are not limited to:

• • • •  Intentional interference with or disruption of computer systems and networks and related services, including but not limited to the propagation of computer “worms”,  “viruses” and “Trojan Horses”
      • Intentionally or carelessly performing an act that places an excessive load on a computer or network to the extent that other users may be denied service or the use of electronic networks or information systems may be disrupted
      • Failure to comply with authorized requests from designated University officials to discontinue activities that threaten the operation or integrity of computers, systems or networks
      • Negligently or intentionally revealing passwords or otherwise permitting the use by others of University-assigned accounts for computer and network access. Individual password security is the responsibility of each user.
      • Accessing or attempting to access files or systems without authorization
      • Unauthorized attempts to circumvent data protection schemes or uncover security vulnerabilities, including unauthorized scanning of ports, computers and networks
      • Attempting to alter any University computing or network components without authorization or beyond one's level of authorization, including but not limited to bridges, routers, hubs, wiring, and connections
      • Utilizing network or system identification numbers or names that are not assigned for one's specific use on the designated system
      • Using campus resources to gain unauthorized access to any computer system and/or using someone else's computer without their permission
      • Providing unauthorized services or accounts on University computers or via University networks to other users from a personal computer.
      • Registering a CSU Channel Islands IP address with any other domain name
      • Violating terms of applicable software licensing agreements or copyright laws
      • Consciously or intentionally wasting information technology resources, including but not limited to any excessive or inappropriate use. This includes any misuse that would hinder, impede or preclude other user’s access or use of any University computing resources
      • Using electronic mail or other information technology resources to harass others
      • Posting materials on electronic bulletin boards or transmitting materials that violate existing laws or the University’s codes of conduct
      • Sending any fraudulent electronic transmission
      • Using information resources for unauthorized monitoring of electronic communications

D. Compliance and Enforcement

1. Roles and Responsibilities

The following list describes roles and respective responsibilities associated with policy compliance and enforcement:

Vice President for Finance and Administration

• The Vice President for Finance and Administration is authorized by the President to ensure that the appropriate processes to administer the policy are in place, communicated and followed by the University community.
• The Vice President for Finance and Administration, appropriate Vice President, the President, Director of Human Resources, Associate Vice President for Academic Affairs or designee will:
  • inform users about the policy;
  • receive and respond to complaints;
  • collect and secure evidence as required;
  • advise and assist University offices on the interpretation, investigation and enforcement of this policy;
  • consult with University Legal Counsel on matters involving interpretation of law, campus policy, or requests from outside law enforcement agencies and/or legal counsel; and
  • maintain a record of each incident and its resolution to inform future policy changes.

Information Security Officer and Information Technology management

• These positions will ensure that suspected violations are reported to the appropriate administrative office.

Vice President of Academic Affairs

• For issues involving faculty, the Vice President of Academic Affairs ensures that the resultant actions receive the proper and immediate attention of the appropriate University officials, law enforcement, outside agencies, and disciplinary/grievance processes in accordance with due process.

Vice President of Student Affairs

• For issues involving students, the Vice President of Student Affairs ensures that the resultant actions receive the proper and immediate attention of the appropriate University officials, law enforcement, outside agencies, and disciplinary/grievance processes in accordance with due process.

Human Resources Department

• The Human Resources Department ensures that the resultant actions receive the proper and immediate attention of the appropriate University officials, law enforcement, outside agencies, and disciplinary/grievance processes in accordance with due process.

2. Enforcement and Penalties

An investigation will be conducted based upon any one of the following events:

1. Receipt by Information Technology of at least one complaint about a specific incident;
2. Discovery of a possible violation in the normal course of administering information technology resources.

If a violation of University policy and applicable laws occurs, enforcement will be as follows.

First offense and minor infractions of this policy, when accidental or unintentional, are generally resolved informally by the unit administering the resource, i.e., the appropriate supervisor for the individual’s department and division. This may be done through e-mail or in-person discussion and education. Examples of minor infractions include consuming excessive resources or overloading computer systems.

Repeated offenses or serious violations may lead to disciplinary action under existing disciplinary policies and procedures for students and employees, employee contract provisions where appropriate, private civil action, other administrative liability and/or criminal charges. Serious incidents of non-compliance include but are not limited to unauthorized use of computer resources, attempts to steal passwords or data, unauthorized use or copying of licensed software, repeated harassment, or threatening behavior.

Appeals of University actions resulting from enforcement of this policy will be handled through existing disciplinary/grievance processes for students and employees.

E. Reporting Misuse

Suspected infractions of this policy should be reported to the following offices/officials:

• Faculty Infractions
  • Suspected infractions by University faculty will be reported to the Dean of the Faculty.
  • Staff Infractions
    • Suspected infractions by University administration and staff shall be reported to the staff member’s immediate supervisor
    • Student Infractions
      • Suspected infractions by University students shall be reported to the Vice President of Student Affairs.
    • Faculty, Staff and Student Infractions
      • All offices and/or officials that receive reports of misuse shall report suspected infractions to the Vice President for Finance and Administration or designee, in order to maintain record of each incident.

In addition, the following offices/officials may be notified as deemed appropriate based upon the facts and circumstances:

• Faculty Infractions (one of the following offices)
  • Vice President for Academic Affairs
  • Associate Vice President for Academic Affairs, Faculty Affairs
  • Staff Infractions
    • Human Resources
    • Student Infractions
      • Admission and Records. (If the incident involves inappropriate use of CSU Channel Islands student information. The registrar is responsible for investigating reports of Family Educational Rights and Privacy Act of 1974 (FERPA) violations and maintaining records.)
    • Faculty, staff or student
      • CSU Channel Islands University Police should be contacted if an individual's health and safety appears to be in jeopardy.

F. Policy Review and Practices Oversight

The Vice President for Finance and Administration, Information Security Officer and Information Technology management are responsible for application of this policy and reporting violations to the appropriate campus administrators.  Appropriate campus committees will review policies and procedures regularly. The current version of the policy will be posted and maintained on the CSU Channel Islands web site.

Exhibit(s)

Appendix 1
References and Works Cited

CENIC CalREN-2 Acceptable Use Policy

http://www.cenic.org/CR2_aup.html

California Computer Crime Law, California Penal Code, Sections 502 and 502.1 

International, Federal, State and Local Law Information
http://www.csuci.edu/its/policy.htm

California Government Code, Section 8314

California Public Records Act

Information Practices Act of 1977 - Places specific requirements on state agencies for collection, use, maintenance and dissemination of information relating to individuals. http://www.leginfo.ca.gov/cgi-bin/calawquery?codesection=civ&codebody=1798&hits=20

CSU "Records Access Manual"

Overview and FAQs from the CSU Office of General Counsel on campus compliance with the California Public Records Act, Information Practices Act of 1977, and Family Educational Rights and Privacy Act (FERPA)

More information on current Assembly Bills and other California Laws can be accessed at the web site http://www.leginfo.ca.gov/

In addition to the works cited above and in the policy itself, computer policies and procedures from the following institutions were consulted, adapted and/or reviewed in developing this policy:

• Authority SUNY Potsdam
• Brown University (http://www.brown.edu/Facilities/CIS/policy/aup.html)
• California Polytechnic State University Pomona
• California Polytechnic State University, San Luis Obispo
• California State University Fresno (http://www.csufresno.edu/ait/aitgen99.htm)
• California State University Long Beach (http://www.csulb.edu/~policy/)
• California State University Northridge
• Colorado State University
• Cornell University
• Georgetown University
• Lewis & Clark College
• Princeton University
• University of California Berkeley
• University of Delaware
• University of Oregon
• University of Pennsylvania (http://www.upenn.edu/computing/help/doc/passport/policies.html)
• Yale University

As a user of IT at the University, there are certain things you can expect.

• Is my e-mail private? E-mail stored on University-operated mail servers requires a password for access and is therefore protected on the mail server, based upon the security and strength of that password. However, almost anyone may have seen your e-mail. For example, in remedying problems with an e-mail system, the system administrators may become aware of the contents of some messages.
• Are my files private? The University respects the contents of your files and does not review file content. However, system administrators may become aware of file content while dealing with some system problems. Usage logs are frequently kept to diagnose such problems. Furthermore, the University will comply with the lawful orders of courts, such as subpoenas and search warrants. This compliance has included providing, when required, copies of discussions on University operated mailing list servers, discussion threads on news servers, or other information ordered by the court. The University does not monitor personal Web pages for the purpose of determining content. However, when credible evidence of illegal or otherwise impermissible activity is reported, appropriate action will be taken. The University does not review electronic communication for the purpose of determining whether impermissible activity is occurring. However, in the course of assuring the viability of the University’s network, system administrators may become aware of activity that poses a risk to the network’s proper operation. In such cases, staff may need to disable or block access to ports involved in traffic levels deemed to pose a risk to the network’s optimal functioning. Also, during the process of diagnosing potential problems to the network’s proper functioning, any information obtained that indicates possible unauthorized distribution of copyrighted materials may be referred  for further investigation. 

• What can I do about being harassed? If you feel you are being harassed, please report the problem to Student Judicial Services or to the Information Security Office. If you feel your safety is threatened, call the Police at 911. (Rudeness by itself, however, is not harassment, and neither are other boorish behaviors.)
• What happens if someone complains about me? If the complaint has no merit, nothing will happen—you will not even be notified. If the complaint does have merit, then most likely you will get an e-mail message reminding you of the rules for using our information technology infrastructure.