Acceptable Use Policy for Computing and Network Services
Authority to Change : Definitions : Purpose : Reports of Violations
II. Responsibility Lawful Use : Copyrights : Proper Authorization : Account Ownership :
Personal Identification : Contracts : External Data Networks : Access to Data :
For-profit Use : Incidental Personal Use : Threats and Harassment :
Modification of Data or Equipment : Removal of Data or Equipment : Foreign Devices :
Technology Purchases
III. Security Level of Security : Concealed Identity : Unauthorized Data Access : Security Compromise :
Data Interception : Denial of Service : Personal Responsibility
IV. Enforcement Procedures
Sanctions
I. General Information
Authority to Change
Because University policies are subject to change, this document may change from time to time. Authority to change this document rests with the President of Lincoln University and/or the Board of Curators.
Definitions
- User: any person using Lincoln University computing resources
- Network: interconnection via a networking protocol. This includes the Internet and intranet(s), the campus LAN, or any other Local, Wide, Municipal, or Campus networking protocol to which users have access.
- Email: any message in electronic format sent over the network. The terms "electronic mail" and "email" are interchangeable.
- Web page: any page containing HTML that is viewable by a browser via the network.
- Web site: any collection of similar web pages, having the same base URL
- ITS: Lincoln University's Information Technology Services (formerly known as OIT: Lincoln University's Office of Information Technology).
- Computing resource: computers, terminals, printers, networks, modem banks, and related equipment, as well as data files or documents managed or maintained by residing on disk, tape, or other media. Computing resources also include computer rooms, laboratories, offices, and furnishings operated or maintained by LU ITS.
- Internet Services: any computing resources that are accessed via the Internet
- Computer Hardware: Computer parts physically existing inside or around a computer, including the monitor, the CPU (central processing unit), memory, internal and external drives and storage devices, keyboard, mouse, and peripherals, such as printers, scanners, speakers, etc.
- Computer Software: Instructions executed by a computer, as oppose to the physical device (hardware) on which they run, and consisting of two main types, "system" and "application".
Purpose
The purpose of these policies is to assure that:
- The University community is informed about the application of policies and laws to University computing resources;
- Computing resources are used in compliance with those policies and laws;
- Users of computing resources are informed about how concepts of privacy and security apply to those resources; and
- Disruptions to University Information Technology services are minimized.
Reports of Violations
Users must report any evidence of violation of these policies to appropriate ITS personnel and/or other University authorities. Users must not conceal or help to conceal or "cover up" violations by any party. The policies described herein are those that Lincoln University intends to use in normal operation of its computing resources.
II. Responsibility
Lawful Use
All use of computing resources is subject to Federal, State, and local law and University regulations.
Copyrights
Users must observe intellectual property rights, in particular the software copyright law.
Proper Authorization
Except in cases of explicitly authorized external access, such as for incoming electronic mail, anonymous ftp or similar services, or specially authorized external users, Lincoln University computing resources are limited to members of the LU community. Users must not permit or assist any unauthorized person in accessing ITS facilities.
Authorization for other external use of the University's computing resources by outside organizations or individuals requires written approval of the President, and will be granted only when that use is determined to further the University's mission.
Account Ownership
Another person may not use an account assigned to an individual. Faculty, students and staff are individually responsible for the proper use of their accounts, including proper password protection and appropriate use of computing resources.
Personal Identification
Users of University computing resources, including microcomputers, workstations, printers, or other public facilities must show identification upon request by members of the Lincoln University Department of Public Safety, ITS staff, or any other authorized University official.
Contracts
All use of University computers and networks must be consistent with all contractual obligations of the University, including limitations defined in software and other licensing agreements
External Data Networks
Users shall observe all applicable policies of external data networks when using such networks, including sites visited via the Internet.
Access to Data
Users must allow ITS personnel access to data files kept on ITS systems for the purpose of systems backups or diagnosing systems problems, including rules violations.
For-profit Use
Without specific authorization, all activities using Lincoln University computing resources for personal profit or for the direct financial benefit of any non-LU organization are prohibited. However, this is not meant to restrict normal communications and exchange of electronic data, consistent with the University's education and research roles that may have an incidental financial or other benefit for an external organization. For example, it is appropriate to discuss products or services with companies doing business with LU or to contribute to Usenet bulletin boards discussing issues relating to commercial products. (See, for example, Attachment I, "MOREnet Acceptable Use Policy".)
Incidental Personal Use
Incidental personal use of University computing resources may be allowed when such use does not interfere with University operations, does not compromise functioning of the University's network, or interfere with the user's employment or other obligations to the University.
Threats and Harassment
University computing resources may not be used to threaten or harass any person. A user must cease sending messages or interfering in any way with another user's normal use of computing resources if the aggrieved user makes a reasonable request for such cessation. The University's Sexual Harassment policy is extended to include harassment via computing resources.
Modification of Data or Equipment
Without specific authorization, users of ITS computing or network facilities may not cause, permit, or attempt any destruction or modification of data or computing or communications equipment, including but not limited to alteration of data, reconfiguration of control switches or parameters, or changes in firmware. This rule seeks to protect "data, computing, and communications equipment" owned by ITS, LU University, or any other person or entity. "Specific authorization" refers to permission by the owner or designated administrator of the equipment or data to be destroyed or modified.
Removal of Data or Equipment
Without specific authorization by the owner or designated administrator, users may not remove any University owned or administered equipment or documents from a University facility.
Foreign Devices
Without specific authorization, users must not physically or electrically attach any foreign device (such as an external disk, printer, or video system) to ITS equipment or networks.
Technology Purchases
All computer software and hardware purchases must be submitted to ITS for review, before purchase orders will be processed. ITS staff will review each recommendation/request in terms of compatibility, server resources, licensing agreements, etc.
Hardware and software requests that affect instructional or open labs must be made at least one month prior to the semester start date, to coordinate server resources and to investigate compatibility issues with other campus software.
III. Security
Level of Security
Unless otherwise guaranteed, users should regard the network communication infrastructure as not secure from invasive technologies. ITS policy will ensure the greatest degree of confidentiality possible. (See "Privacy Considerations" below.)
Concealed Identity
Users may not intentionally conceal their identity when using University computing resources.
Unauthorized Data Access
Users may not make or attempt any deliberate, unauthorized access to or changes in data on a University computing resource, for example to read personal communications of other users or to access confidential University files.
Security Compromise
Users shall not defeat or attempt to defeat or circumvent ITS security systems, such as by "cracking" or guessing user identifications or passwords or by compromising room locks or alarm systems.
Data Interception
Users may not intercept or attempt to intercept data communications not intended for that user's access, for example, by "promiscuous" bus monitoring or wiretapping.
Denial of Service
Users may not deny or interfere with or attempt to deny or interfere with service to other users, e.g., by means of "resource hogging," distribution of computer worms or viruses, etc.
Personal Responsibility
Users are responsible for the security of their Lincoln accounts and passwords. Any user changes of password must follow published guidelines for good passwords. Accounts and passwords are normally assigned to single users and may not to be shared with any other person without ITS authorization. Users must report any observations of attempted security violations.
IV. Enforcement Procedures
Any actual or suspected violation of the policies within this document must be brought to the attention of the Chief Information Officer, other appropriate ITS personnel, and/or other University authorities.
ITS is authorized by University regulations to enforce these policies and regulations. Such enforcement may include temporary or permanent reduction or elimination of access privileges with prior notification and approval by the Administration, except in extraordinary cases in which any delay may seriously threaten the integrity of facilities, user services or data. In such extraordinary cases, ITS must, as soon as possible, notify the administration of any actions taken including a statement describing the act, conduct or circumstances compelling ITS to act without prior notice and approval of the Administration. When ITS believes it necessary to preserve the integrity of facilities, user services, or data, ITS may, with prior notice and approval of the Administration, suspend any account, whether or not the account owner (the user) is suspected of any violation. ITS will attempt to notify the user of any such action.
Sanctions
Violators of this policy will be subject to the existing student or employee disciplinary procedures. Sanctions may include the loss of computing privileges. Illegal acts involving Lincoln computing and networking resources may also subject users to prosecution by state and federal authorities.
V. Privacy Considerations
ITS policy is to ensure the greatest degree of confidentiality in treating user data on LU systems and networks consistent with available technology and the need for system backups, troubleshooting, etc. Users are to be aware of the following considerations.
- Data storage and communications are not perfectly secure. Software and physical limitations can compromise security. While the ITS will make every effort to minimize such exposures, the risks still exist.
- Data files residing on disk are periodically backed up to magnetic tape, and some backups are kept for long periods of time. In the future, all user files may be backed up this way, although some "scratch" or transient files may not. (Unless otherwise stated for particular systems, ITS cannot guarantee the availability of backups to restore user files deleted through user error.)
- Certain utility programs allow users to view other users' activity on a computer system or network.
- Users must be aware of the protection level assigned to their files and directories. The user must take responsibility for the proper use of commands to set any other desired protection level.
- Certain system activities are routinely logged, and the logs may be readable by other users. Logging is the collection of statistics and the diagnosis of system problems. Logging includes, but is not restricted to: tracking web sites visited by campus users, email origination and destinations, file transfers both on and off campus, activity within administrative and academic software applications.
- In cases of suspected violations of LU Computing and Network Services' policies, especially unauthorized access to ITS systems, the manger of the ITS facility concerned may authorize - after consultation and approval by LU administration - even more detailed session logging. This detailed session logging may involve a complete keystroke log of an entire session of a user's activity within a program or application. In addition, the manage of the ITS facility concerned may - after consultation and approval by LU administration - authorize limited searching of user files to gather evidence on a suspected violation. Notification will include details of that user's activity unless an overriding Administration or governmental authority prohibits it.
- On certain systems, users may have the option of encrypting data files. While this may offer good security against unwanted access, the proper use of encryption is the responsibility of the user. If the encryption key is lost, ITS cannot recover the data.
- Privacy depends on users keeping their account password secure. Users must have "good" (difficult to guess or "crack") passwords and must not share their passwords with other persons.
This list indicates a number of limitations of user privacy and confidentiality. Notwithstanding these limitations, ITS will make all reasonable efforts to maintain confidentiality of user data. Users of LU computer resources (including ITS staff) are forbidden to, without specific authorization or purpose, "browse" another user's files. Any such "browsing" incidences will subject the suspected employee to disciplinary action pursuant to the Lincoln University Rules and Regulations (if the suspected employee is a Lincoln University employee) and, possibly, to the LU Code of Student Conduct (if the suspected employee is also a LU student).