Â̾ÞÈËÊÓƵ

B. Acceptable Use Policy

B. Acceptable Use Policy

1.Ìý Ìý±Ê³Ü°ù±è´Ç²õ±ð

The information technology resources provided by the Â̾ÞÈËÊÓƵ (Â̾ÞÈËÊÓƵ) and its component institutions support the educational, instructional, research, and administrative activities of the University System and those institutions. Use of these resources is a privilege that is extended to Â̾ÞÈËÊÓƵ community members. Inappropriate or improper use of these shared resources can impede or negatively impact availability for the rest of the community. As such, all community members are required to behave in a responsible, ethical, and legal manner during that use.

This policy defines acceptable use of information technology resources at Â̾ÞÈËÊÓƵ and its component institutions and outlines the responsibilities and obligations of community members who are granted access to or use of these resources. Specifically, this policy supports the following objectives:

  • Safeguarding the confidentially, availability, integrity, and privacy of institutional information and enterprise information technology resources
  • Providing a reliable information technology environment for all Â̾ÞÈËÊÓƵ community members
  • Guaranteeing use of enterprise information technology resources is consistent with the principles and values that govern use of other Â̾ÞÈËÊÓƵ and component institution resources (e.g., facilities)
  • Confirming that enterprise information technology resources are used for their intended purposes

2.   Scope

This policy applies to anyone who utilizes Â̾ÞÈËÊÓƵ information technology resources, and all uses of those resources, irrespective of where the resources are being used. This includes students, faculty, staff, contractors, vendors, prior students/alumni, parents, volunteers, and external customers utilizing services provided by Â̾ÞÈËÊÓƵ.

For purposes of this policy only, any individual who is authorized to access or use a Â̾ÞÈËÊÓƵ or component institution information technology resource is considered a member of the Â̾ÞÈËÊÓƵ community.

This policy covers the use of all information and information technology resources owned, managed, licensed, or entrusted to Â̾ÞÈËÊÓƵ or one of its component institutions, regardless of who is providing those resources, how they are being provided, or how they are being accessed. Referred to throughout this policy as institutional information and Â̾ÞÈËÊÓƵ information technology resources, this includes, but is not limited to:

  • Information technology resources administered by Enterprise Technology & Services (ET&S) or contracted vendors
  • Information technology resources administered or managed by individual administrative, academic, or business units
  • Institutionally owned endpoint devices
  • Institutional telecommunication services including voicemail
  • Personally owned endpoint devices that connect to any Â̾ÞÈËÊÓƵ network
  • Devices, regardless of device ownership, that connect to any Â̾ÞÈËÊÓƵ information technology resource, including students’ use of devices

Business Application Owners or Technology Service Owners have the authority to establish more restrictive requirements governing use of those resources in their care. When there are additional use restrictions for a specific information technology resource, individuals who need access to that resource shall be informed of those restrictions, and agree to abide by them, prior to access being granted.

3.   Audience

This Policy applies to all Â̾ÞÈËÊÓƵ community members granted access to any Â̾ÞÈËÊÓƵ information technology resource.

4.   Policy Statement

4.1   Information Technology Resources are Shared

4.1.1   Â̾ÞÈËÊÓƵ provides information technology resources to authorized members of the Â̾ÞÈËÊÓƵ community and others in support of each Â̾ÞÈËÊÓƵ component institution’s mission and the mission of the University System.

4.1.2   To ensure access to and reliability of this shared resource, Â̾ÞÈËÊÓƵ and its component institutions shall safeguard the confidentiality, integrity, availability, and privacy of these information technology resources and the institutional information captured, stored, processed, transmitted, or otherwise managed by them.

4.1.3   Â̾ÞÈËÊÓƵ and component institution policies that govern freedom of expression, discriminatory harassment, and related matters in the context of standard written expression, also govern electronic expression as well. This Policy addresses circumstances that are particular to information technology resources and is intended to augment, but not to supersede, other relevant Â̾ÞÈËÊÓƵ and component institution policies.

4.2   Community Member Rights and Responsibilities

4.2.1   Members of the Â̾ÞÈËÊÓƵ community shall be provided with the use of information technology resources. While accessing and using these resources, community members shall have a reasonable expectation of:

  • reliable use of these shared resources
  • protection from abuse and intrusion by others sharing these resources

4.2.2   Community members shall be responsible for exercising good judgment in the use of those resources including respecting the rights and privacy of others, respecting the security and integrity of the information technology resources they are given access to, and observing all relevant laws, regulations, contractual obligations, and Â̾ÞÈËÊÓƵ policies and standards.

4.2.3   Any suspicious activity related to enterprise or institutional accounts or information technology resources shall be reported immediately according to the Cybersecurity Incident Reporting process.

4.3   Acceptable Use

4.3.1   Acceptable Use of information technology resources is always ethical, reflects academic integrity, and shows restraint in the consumption of shared resources.

4.3.2   It demonstrates respect for intellectual property, ownership of data, information technology resource security, and freedom from intimidation and harassment.

4.3.3   The following are explicitly defined as acceptable:

4.3.3.1   Use that supports the administrative, academic, research, outreach, service, and operational mission of Â̾ÞÈËÊÓƵ and each of its component institutions.

4.3.3.2   Use of information technology resources for which the community member has been authorized to access and use so long as that use adheres to the intended use of those resources.

4.3.3.3   Use that protects the intellectual property of others and the rights of copyright holders of music, videos, images, texts, and other media.

4.4   Prohibited Use

4.4.1   Use of Â̾ÞÈËÊÓƵ information technology resources that is illegal, disruptive, or that has the potential to negatively impact other community members or shared information technology resources is prohibited.

4.4.2   Use that violates a Â̾ÞÈËÊÓƵ or component institution policy, a contractual obligation, or that subverts the mission of Â̾ÞÈËÊÓƵ, or its component institutions is prohibited.

4.4.3   Additionally, the following uses of Â̾ÞÈËÊÓƵ information technology resources are explicitly prohibited:

4.4.3.1   Unauthorized Use

4.4.3.1.1   Use or attempted use of any information technology resources without permission.

4.4.3.1.2   Use of another community member’s credentials, even if the community member gives their permission.

4.4.3.1.3   Sharing any password associated with enterprise or component institution credentials in violation of the Â̾ÞÈËÊÓƵ Password Policy.

4.4.3.1.4   Allowing or enabling use of Â̾ÞÈËÊÓƵ information technology resources by any individual or organization that is not affiliated with Â̾ÞÈËÊÓƵ or one of its component institutions.

4.4.3.2   Illegal Use

4.4.3.2.1   Use of Â̾ÞÈËÊÓƵ information technology resources in violation of civil or criminal law at the federal, state, or local levels or in violation of any regulation.

4.4.3.2.2   Use of Â̾ÞÈËÊÓƵ information technology resources to libel, slander, harass, defame, intimidate, or threaten anyone.

4.4.3.2.3   Use that violates copyright laws through inappropriate reproduction or dissemination of copyrighted material.

4.4.3.3   Inappropriate Use

4.4.3.3.1   Use that is inconsistent with the University System's non-profit status.

4.4.3.3.2   Use of Â̾ÞÈËÊÓƵ information technology resources for profit and/or commercial use, including non-Â̾ÞÈËÊÓƵ or component institution business purposes.

4.4.3.3.3   Use for the purpose of lobbying that connotes Â̾ÞÈËÊÓƵ or component institution involvement in or endorsement of any political candidate or ballot initiative.

4.4.3.3.4   Attempting to alter or reconfigure any Â̾ÞÈËÊÓƵ information technology resource without proper authorization.

4.4.3.3.5   Use that results in the display of obscene, lewd, or sexually harassing images or text in a public area or location that can be in view of others.

4.4.3.4   Damaging Use

4.4.3.4.1   Use that damages the integrity of information technology resources, whether they belong to Â̾ÞÈËÊÓƵ or not.

4.4.3.4.2 Use of information technology resources to gain unauthorized access to networks or other information technology resources, whether they belong to Â̾ÞÈËÊÓƵ or not.

4.4.3.4.3   Use that seeks to circumvent, defeat, or attempt to defeat information technology resource security controls.

4.4.3.5   Disguised Use

4.4.3.5.1   Use that attempts to alter or obscure the identity of the community member or the identity of an endpoint or other connected device while communicating with any Â̾ÞÈËÊÓƵ network

4.4.3.5.2   Masquerading as or impersonating others or otherwise using a false identity without authorization, while accessing and/or utilizing Â̾ÞÈËÊÓƵ information technology resources.

4.4.3.6   Disruptive Use

4.4.3.6.1   Use that impedes, interferes with, impairs, or otherwise causes harm to the activities of other community members (e.g., consumption of excessive bandwidth, distribution of malicious programs, spamming internal distribution lists).

4.4.3.6.2   Removal of any Â̾ÞÈËÊÓƵ-owned or administered information technology resource from its normal location without authorization.

4.5   Privacy

4.5.1   Student educational records stored on or accessible via Â̾ÞÈËÊÓƵ information technology resources shall only be shared and used in accordance with the Family Educational Rights and Privacy Act of 1974 (FERPA). Handling requirements for information protected by FERPA are provided in the Protected Information Handling Standard.

4.5.2   While all Â̾ÞÈËÊÓƵ community members shall have a reasonable expectation to a certain degree of privacy related to their use of information technology resources provided by Â̾ÞÈËÊÓƵ and its component institutions, there are specific circumstances under which access to information or information technology resource use for a specific community member shall be authorized for Â̾ÞÈËÊÓƵ officials, ET&S personnel, law enforcement, other community members, or other external parties.

4.5.3   Some of those circumstances allow for this access without the knowledge and/or consent of the impacted community member.

4.5.4   The rules governing when and how that access is granted and to whom it can be granted for allowable circumstances shall be documented in the Access to Password Protected Information Standard.

4.5.5   ET&S reserves and retains the right to access, affect, and inspect information technology resources, and the information stored within those resources, without the consent of community members, to the extent necessary to manage and administer those resources (e.g., backup and caching of information and communications, the logging of activity, monitoring of general usage patterns, and other activities necessary or convenient for the provision of service).

4.6   Use of Personally Owned Devices

4.6.1   Â̾ÞÈËÊÓƵ and its component institutions shall allow community members to connect personally owned devices to Â̾ÞÈËÊÓƵ networks and to use personally owned endpoint devices to access approved institutional information and Â̾ÞÈËÊÓƵ information technology resources on-campus or remotely.

4.6.2   While this is an acceptable use of Â̾ÞÈËÊÓƵ information technology resources, community members who choose to use personally owned devices to connect to and/or access any Â̾ÞÈËÊÓƵ information technology resource shall agree to the following:

4.6.2.1   Connecting to a Â̾ÞÈËÊÓƵ network with a personally owned endpoint or other device implies consent for Â̾ÞÈËÊÓƵ and its component institutions to perform security scans on that device while connected to the network.

4.6.2.2   Any personally owned device connecting to a Â̾ÞÈËÊÓƵ network must be registered with the appropriate component institution.

4.6.2.3   Unregistered devices may be blocked from accessing Â̾ÞÈËÊÓƵ networks or other information technology resources.

4.6.2.4   All personal endpoint devices connecting to Â̾ÞÈËÊÓƵ information technology resources must meet the requirements defined in the Endpoint Management Standard.

4.6.2.5   Personally owned endpoint devices used by Â̾ÞÈËÊÓƵ employees to conduct Â̾ÞÈËÊÓƵ or component institution business that are involved in a cybersecurity incident may be searched as part of the internal ET&S investigation or any investigation by law enforcement.

4.6.3   Although use of personally owned endpoint devices or other devices to connect to or use Â̾ÞÈËÊÓƵ information technology resources is considered acceptable use, these devices shall not be used to host websites, applications, or services, across any Â̾ÞÈËÊÓƵ network, for a non-Â̾ÞÈËÊÓƵ or component institution organization, without specific authorization from the Chief Information Security Officer (CISO).

4.7 Personal Use of Â̾ÞÈËÊÓƵ Information Technology Resources

4.7.1   Incidental personal use of Â̾ÞÈËÊÓƵ information technology resources is allowed (e.g., internet access, accessing personal e-mail) as long as it is consistent with this Policy, and any applicable administrative, academic, or business unit policies, procedures, and guidelines, and it does not:

4.7.1.1   Interfere with the performance of an employee’s job or other responsibilities.

4.7.1.2   Consume a disruptive amount of information technology resources.

4.7.1.3   Violate any other Â̾ÞÈËÊÓƵ or component institution policies.

4.7.2   While this is considered an acceptable use, supervisors may impose further limits on use of Â̾ÞÈËÊÓƵ information technology resources for non-work purposes, in accordance with normal supervisory procedures.

4.8   Network Infrastruture

4.8.1   Unless specifically authorized, by the Chief Information Security Officer (CISO), community members shall not connect networking equipment (e.g., routers, hubs, sniffers) to any Â̾ÞÈËÊÓƵ network, nor operate network services (e.g., routing, name service, multicast services) on any endpoint or other device attached to a Â̾ÞÈËÊÓƵ network.

4.8.2   Community members shall not attempt to modify or tamper with any Â̾ÞÈËÊÓƵ wired and/or wireless network services nor to extend these information technology resources beyond the limits provided.

4.8.3   Unauthorized information technology resources connecting or attempting to connect to a Â̾ÞÈËÊÓƵ network may be denied access, have access terminated, and/or be banned from future access.

4.8.4   Detailed requirements for obtaining authorization to connect to a Â̾ÞÈËÊÓƵ network shall be provided in the relevant USNH Standards.

4.9   Loss of Access to Shared Information Technology Resources

4.9.1   ET&S may temporarily deactivate or restrict an individual's access to one or more shared information technology resources, even in the absence of a suspected AUP violation, when necessary to preserve the confidentiality, integrity, and/or availability of those and other information technology resources.

4.10   Acceptable Use Violations

4.10.1   If a community member observes or is otherwise aware of an alleged violation of this Policy, they should report the matter to the CISO.

4.10.2   The CISO, based on the details of the alleged violation, may investigate and, if appropriate, refer the matter to the appropriate Â̾ÞÈËÊÓƵ institution’s disciplinary authorities as outlined in the Enforcement section below.

4.11   Policy Maintenance

4.11.1   This Policy and the related standards shall be reviewed and maintained regularly, but no less than once per year.

5.   Enforcement

Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).

Non-compliant technology and/or activities may be mitigated as deemed necessary by the CISO and/or CIO.

Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.

6.   Exceptions

Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the Cybersecurity Exception Standard.

7.   Roles and Responsibilities

7.1   Business Application Owners/Technology Service Owners

7.1.1   Adhere to the rules governing access to specific community member institutional information and/or information technology resources defined in the Access to Password Protected Information Standard.

7.1.2   When warranted:

7.1.2.1   Establish more restrictive requirements governing use of information technology resources in their care.

7.1.2.2   Provide Â̾ÞÈËÊÓƵ community members with any additional requirements governing use of that specific information technology resource prior to granting access to that resource.

7.1.2.3   Ensure Â̾ÞÈËÊÓƵ community members agree to abide by information technology specific requirements before access is granted.

7.2   Chief Information Security Officer (CISO)

7.2.1   Determine if alleged violations of this policy require investigation or further action.

7.2.2   Refer violations of this policy, where appropriate, to the relevant Â̾ÞÈËÊÓƵ institutional disciplinary authority.

7.2.3   Document issues of clarity within this policy or the related standards raised by Â̾ÞÈËÊÓƵ community members.

7.2.4   Ensure issues with this policy raised by Â̾ÞÈËÊÓƵ community members are resolved in a timely manner through revision of this policy and the related standards, if needed.

7.2.5   Ensure this policy and related standards are reviewed and maintained regularly, but no less than once per year.

7.3   Â̾ÞÈËÊÓƵ Community Members

7.3.1   Observe all relevant laws, regulations, contractual obligations, and Â̾ÞÈËÊÓƵ policies and standards in relation to their access and use of Â̾ÞÈËÊÓƵ and component institution information technology resources.

7.3.2   Exercise good judgement in the use of Â̾ÞÈËÊÓƵ information technology resources.

7.3.3   Respect the rights and privacy of other community members.

7.3.4   Respect the security and integrity of Â̾ÞÈËÊÓƵ information technology resources.

7.3.5   Protect all enterprise and component institution credentials (username and password) issued to them.

7.3.6   Report any suspicious activity related to enterprise or institutional accounts or information technology resources immediately according to the Cybersecurity Incident Reporting process.

7.3.7   Avoid engaging in any prohibited use of information technology resources including the connection of networking equipment to any Â̾ÞÈËÊÓƵ network and modification or tampering with any Â̾ÞÈËÊÓƵ network service.

7.3.8   Understand the ramifications of using a personally owned endpoint or other device to access Â̾ÞÈËÊÓƵ information technology resources.

7.3.9   Report alleged violations of this policy to the CISO.

7.4   Enterprise Technology & Service (ET&S)

7.4.1   Provide information technology resources in support of Â̾ÞÈËÊÓƵ and component institution missions and objectives.

7.4.2   Safeguard the confidentiality, integrity, availability, and privacy of institutional information and Â̾ÞÈËÊÓƵ information technology resources.

7.4.3   Cooperate, upon the advice of the Â̾ÞÈËÊÓƵ General Counsel’s Office (GCO), with any local, state, or federal investigation involving or pertaining to use of institutional information or Â̾ÞÈËÊÓƵ information technology resources.

7.4.4   Adhere to the rules governing access to specific community member institutional information and/or information technology resources defined in the Access to Password Protected Information Standard.

8.   Definitions

See the ET&S Cybersecurity Policy & Standard Glossary for full definitions of each term.

  • Acceptable Use
  • Anti-virus
  • Authorization
  • Availability
  • Business Application Owner
  • Chief Information Security Officer
  • Confidentiality
  • Copyright
  • Credentials
  • Cybersecurity Incident
  • Encryption
  • Endpoint Device
  • Exception
  • Information Technology Resource
  • Information
  • Institutional Information
  • Integrity
  • Intellectual Property
  • Password
  • Personally Owned Device
  • Policy
  • Privacy
  • Prohibited Use
  • Standard
  • Technology Service Owner
  • Username
  • Â̾ÞÈËÊÓƵ Community Member
  • Vulnerability

CONTACT INFORMATION

For Â̾ÞÈËÊÓƵ community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to Cybersecurity Governance, Risk, and Compliance (GRC) via this .

All other requests can be submitted here: .