3.11 Acceptable and Appropriate Use
- Purpose
This Acceptable Use Policy constitutes a campus-wide policy that applies to all users and is intended to allow for the proper use of all Piedmont University information technology resources. This policy is in place to protect the faculty, staff, students and University from illegal or damaging actions by individuals, either knowingly or unknowingly.
This policy sets forth the manner in which Piedmont University institutional systems are to be used in general, and particularly when collecting, creating, using, sharing, and disposing of institutional data. This policy is further supported by the following policies:
- Data Classification Handling Policy
- Privacy Policy
- Email Account Retention Policy
- Physical Access Policy
- User Accounts and Access Management
- Lost/Stolen Devices Policy
- Incident Response
- Policy
Definitions
Institutional Data – all information that is created, discovered, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf regardless of ownership or origin. Such information is institutional data regardless of the ownership of any device, machine, or equipment used to create, discover, collect, store, access, display, or transmit the information.
Institutional Systems – The electronic and physical systems owned, leased, licensed, managed, or otherwise provided by Piedmont University used to create, discover, collect, store, access, display, or transmit Institutional Data. Institutional Systems include, without limitation, desktop computers, laptops, servers, printers, scanners, copiers, research equipment, telephone systems, email systems, networks, databases, and cloud storage services, other software applications and services, and other devices, machines, equipment, and hardware. Institutional Systems, such as software applications, that have been loaded onto a device, machine, or other equipment that is not owned, leased, or otherwise provided by Piedmont University, continue to be subject to the provisions of this policy.
Confidential Information – information or data that is deemed confidential by law, regulation, or University policy, or that contains information that is highly private or personal or could lead to identity theft if mishandled.
- Policy Statement
The University’s institutional systems support the University’s mission, including all University-related activities. Each user of these institutional systems, like those of other University resources and activities, is responsible for using the systems in accordance with all applicable laws and regulations, University policies, procedures, guidelines, standards, and student, faculty, and employee policies and procedures manuals, and University licenses and other contracts. All use of institutional systems must be consistent with Piedmont U. values and mission and University expectations for ethical behavior.
Authorized Users
All users should familiarize themselves with the contents of this policy and demonstrate the highest respect for the rights of others in their use. Access to the University's information technology (IT) resources is a privilege that may be limited or revoked if an individual violates University policies or state or federal laws. Authorized users are:
- Current faculty and staff of the University;
- Students who are currently enrolled in the University; and
- Authorized guests and vendors, whose access does not interfere with the access of resources by others, result in the loss of data or other resources, or violate school policy or any other laws.
User Access and Password Protection
User access to information technology resources is granted to an individual by the University solely for his or her own use. To help protect the integrity, security, and privacy of user accounts, University employees should not share passwords with any other employee unless expressly authorized to do so by the appropriate University authority with responsibility for the account. Keeping passwords secure and attending to an account while logged on are fundamental to the security of every user account. Sharing access with another individual undermines this security and leaves the account vulnerable to abuse by others. Sharing or transferring access may also jeopardize the security of the entire information technology system.
Securing access also helps protect against unauthorized activities on an account for which an individual could be held personally responsible. For example, if someone else uses an account with the account holder's permission and violates University policy, the account holder can be charged with the violation and made subject to the same student or employment disciplinary action as the actual user.
Users should immediately report any suspected unauthorized use of their username or other suspicious activity to their system administrator.
Conduct and Behavior
All users should observe the same standards of ethical conduct and courteous behavior that govern non-electronic vocal/written communications and other personal interactions whenever they use the University's IT resources. Use by University employees that is unrelated to their official position should be reasonable and limited in both time and resources and must not interfere with University functions or the employee's performance of employment responsibilities. Conduct and behavior violations may result in limiting or even denial of access to these resources, as well as employment disciplinary action.
User Privacy, Integrity and Operational Security
The privacy of all users and the integrity and operational security of the University's information technology system must be respected by all. University IT resources must not be used to attempt unauthorized access to private information maintained by users or by the University, even if that information is not securely protected or is otherwise available. The fact that an individual account and its data may be unprotected does not confer either an ethical or legal right to access it. Unauthorized access to private information constitutes a violation of this policy, and possibly state or federal law. This type of violation may result in serious disciplinary charges, up to and including termination.
To the highest possible standard, Piedmont University strives to preserve individuals' privacy. However, users must recognize that data created on the University network remains the property of the University. Because of the need to protect the network, administration cannot guarantee the confidentiality of information stored on any network device belonging to the University. The University reserves the right to monitor equipment, systems, and network traffic at all times and also reserves the right to audit network systems on a periodic basis to ensure compliance with this policy.
Users should be aware that most institutional systems are backed up on a routine basis to ensure the ability to recover from computer or network failures or disturbances. Backup procedures are generally not designed or intended for long-term storage of files. However, all users should be aware that files or email messages that they have deleted may still persist on backups and may therefore be subject to disclosure in a duly authorized investigation.
Internet, Intranet, and Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Piedmont University. These systems are to be used for business purposes in serving the interests of the University in the course of normal operations. Appropriate use should always be legal, ethical, and show restraint in the consumption of University resources. Also, appropriate usage should demonstrate respect for intellectual property, ownership of data, system security mechanisms, and individual rights to privacy and freedom from intimidation, harassment and unwarranted annoyances. Inappropriate use exposes the University to risks including virus attacks, compromise of network systems and services, as well as legal issues.
Misuse of IT Resources
Users must not use University information technology resources in the commission of any illegal or otherwise unauthorized act. Users must agree to strict adherence to this principle. Violation of state or federal laws is inconsistent with ethical and responsible use of University IT resources and is strictly prohibited. In addition to possible civil and criminal penalties, illegal use can result in severe employment discipline, up to and including termination. The University will cooperate fully with law enforcement officials regarding criminal investigations of any use of its IT resources in violation of this principle.
Unauthorized Commercial Use
Users must not use University information technology resources for any unauthorized commercial purposes or for personal gain or profit. These IT resources are provided in support of the University's educational, research and administrative activities. Other uses, such as those that indirectly support this mission, including reasonable and limited personal use, while permissible, must necessarily receive a lower priority. Unauthorized commercial use of University resources is inappropriate and inconsistent with the University's mission.
User Responsibility
All users will sign a statement affirming they have read, understand, and intend to comply with the policy provisions prior to gaining access to Piedmont University's data systems and networks. Due to the rapid nature of change in both information technologies and their applications, the University may amend this policy whenever deemed necessary or appropriate. All members of the University community are given notice of this policy by virtue of its publication and are subject to it on the same basis. Ignorance of this policy does not relieve any user of his or her responsibilities under the policy. Users are encouraged to periodically review this policy in order to understand their rights and responsibilities.
Identity Theft Prevention Program
Millions of Americans have their identities stolen each year; thieves may drain consumer accounts, damage their credit, and even threaten their physical or medical safety. In response to the growing threat of identity theft, Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), primarily targeting financial organizations that deal with individual credit accounts. The law was later expanded to include identity theft in any organization where personal information is used in the normal course of business.
In November 2007, the Federal Trade Commission finalized Red Flag Rules to encourage fraud prevention through recognition and detection of warning signs of potential identity theft. Piedmont University aims to prevent identity theft and fraud on two fronts:
- By implementing data security practices that make it more difficult to gain unauthorized access to personal or identifying information that may be used to open or access accounts, and
- By teaching faculty and staff to recognize and detect Red Flags that may be warning signs of potential identity theft and take steps to prevent fraud from occurring.
Piedmont University has an Identity Theft Prevention Policy to protect all new and existing accounts. In addition to data security, this policy is intended to prevent and stop theft and fraudulent use of personal data to help protect students, faculty, staff, and other constituents from damages related to fraudulent activity. Responsibility for developing, implementing and updating this Program lies with Piedmont University's Information Technology and Business Offices. The offices are responsible for program administration, ensuring appropriate training of the University's staff on the Program, reviewing any staff reports regarding the detection of Red Flags on the identified covered accounts and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program. University employees are expected to notify the program administrator immediately once they become aware of an incident of identity theft or of the University's failure to comply with the program so that immediate and appropriate action can be taken.
More information on the subject is available by downloading Piedmont University's Identity Theft Prevention Program policy document.
Responsibility to Protect Access Provided to Institutional Systems
Piedmont U. institutional systems are provided to authorized individuals for University-related purposes. All access and use must be properly controlled in a manner defined by management, and consistent with individual roles and job responsibilities. Authorized access to institutional systems is generally expected to end when a user no longer has an official connection to the Piedmont U. community.
Persons associated with the Piedmont U. community are entrusted with access to institutional systems on an individual basis. Users are not permitted to extend access further to any other person by any means, including sharing access by providing a password or by other means, providing unauthorized redistribution of services or data, or otherwise obfuscating or misrepresenting the true identity of the user.
Users are expected to take reasonable steps to prevent unauthorized access and use. These steps include, but are not limited to, information security controls, such as the configuration of hardware and software, the use of anti-virus software, firewalls, and encryption; and assisting with remediation in the event of a detected or suspected vulnerability or compromise. Users are also required to comply with all University procedures, guidelines, standards, and handbooks that reduce the risk that malicious software could affect the confidentiality, availability, or integrity of institutional data, and that protect institutional data by establishing handling and other requirements.
Individuals may not attempt to gain unauthorized access to institutional systems, whether through hacking, password mining, or any other means, or interfere or attempt to interfere with the proper working of institutional systems.
Limitations on the Personal Use of Institutional Systems
All users of institutional systems are expected to respect the priority of University business and keep the personal use of institutional systems to a minimum. University users may use institutional systems for incidental personal purposes if such use does not:
- Directly or indirectly interfere with the University's operation of institutional systems.
- Interfere with the user's employment or other responsibilities and obligations to the University.
- Burden the University with noticeable incremental costs or otherwise.
- Involve activities for commercial gain.
Use of institutional systems to access or use institutional data for a personal purpose is prohibited.
Notwithstanding the statement of permitted uses above:
- Managers have the discretion and authority to limit or prohibit the personal use of institutional systems.
- Any such use must also comply with all applicable laws and regulations, University policies, procedures, guidelines, standards, and student, faculty and employee handbooks, and University licenses and other contracts, and must be consistent with Piedmont U.’s values and mission and University expectations for ethical behavior.
Responsibility to Not Engage in Prohibited or Restricted Activities
Whenever individuals use the University’s institutional systems, they are required to comply with the laws and regulations and the University policies, procedures, guidelines, standards, and student, faculty, and employee handbooks that apply to the information accessed, stored, used, transmitted, or displayed using these systems. These requirements include, but are not limited to, laws, regulations, and policies that apply to:
- Political or commercial activities affecting the non-profit, tax-exempt status of the University (including as discussed below).
- Use of copyrighted information.
- Use of the University’s names, insignias, and other trademarks.
- Libel, slander, and defamation.
- Harassment, including sexual or sex and/or gender-based harassment.
- Actions involving child pornography and/or obscene material.
Restrictions on Political Activities.
As a nonprofit, tax-exempt 501(c)(3) organization, Piedmont University is prohibited by federal law from participating in or intervening in (including the publishing or distributing of statements) any political campaign on behalf of (or in opposition to) any candidate for public office. Individuals may not use University resources for political purposes in a manner that suggests the University itself is participating in campaign activity, fundraising, or other political or commercial activities. This policy does not prohibit use of University resources to discuss or examine political topics or issues of public interest, so long as it does not involve advocacy for or against a particular candidate and the use is consistent with the University’s Policy on Political Activities. Registered student organizations may use University resources for political activities when the use is consistent with policy 3.58 – Partisan Political Activity.
Responsibility to Comply with Local and System Policies and Practices
The University employs various administrative, technical, and physical controls to reduce inherent risks associated with using institutional systems and to safeguard institutional data. However, security cannot be guaranteed solely with centralized controls. College, school, division, departmental, and individual controls, policies, and practices should establish and maintain appropriate access control and security, such as anti-virus software, firewalls, and secure storage areas for physical media; management of user accounts, proper authentication, and verification of identity, including two-factor authentication; and authorized forms of encryption for institutional data and institutional systems.
Users must comply with the policies, guidelines, and standards for each specific set of institutional systems they access and with the policies, guidelines, or standards established by colleges, schools, divisions, and departments. When the policies, guidelines, or standards established by the University, or by a college, school, division, or department, or for a specific system, are more restrictive than those established by this policy, then the more restrictive provisions will take precedence.
Responsibility to Not Interfere with Management Controls for Institutional Systems
Administrative, physical, and technical controls serve to reinforce Piedmont U.’s interpretations of responsible use, verify trust placed in individuals, and limit their authorization to institutional systems and institutional data. Disabling, removing, damaging, circumventing, or interfering with such controls threatens the entire network of institutional systems, and is a violation of this policy. Anyone who seeks to or gains unauthorized access to an institutional system or institutional data is in violation of this policy.
Under management direction, the University performs testing and audits of its security controls to help ensure they are working as intended. Users are prohibited from probing or testing security controls of any institutional system unless such actions have been expressly approved in writing by an authorized employee responsible for the security of such system or such actions are expressly included among the security evaluation responsibilities of the employee’s position.
When an institutional system has been, or is suspected of having been, compromised or may not be operating under appropriate management control - and in order to protect the confidentiality, integrity, or availability of institutional systems, institutional data or to otherwise protect the University - management may disable, disconnect, or contain any account, device or system, prior to, during, or upon completion of an investigation.
Responsibility to Avoid Resource Exhaustion and Disrupting Use by Others
Operation of institutional systems must respect the finite capacity of those systems and limit use so as not to consume an unreasonable amount of systems capacity or to interfere unreasonably with the activity of other users. The University may require users of institutional systems to limit, schedule, coordinate, or refrain from specific uses in order to ensure that adequate resources are available to all users.
University Administration of System Use
The University places a high value on privacy and recognizes its critical importance in an academic setting. While Piedmont U. does not routinely monitor individual usage of resources, normal operation and maintenance of resources requires logging of activity, backup and caching of data, and other activities necessary to provide services and ensure adherence to laws and regulations and University policies.
In accordance with state and federal law, the University may, at its sole discretion and without notice to the individual:
- Access any University institutional system activity (including viewing the contents and records of any individual communication) of individuals without notice whenever there is reasonable cause to believe that a law, regulation, contract, or any Piedmont U. policy is being or has been violated, or that such actions are needed to protect the health or safety of the individual or other persons.
- Utilize the results of any general or individual monitoring, including the contents and records of individual communications, in appropriate University disciplinary proceedings or in litigation or other legal proceedings.
- Disclose the results of any such monitoring, including the contents and records of individual communications, to appropriate University personnel; local, state, or federal law enforcement or administrative agencies; or pursuant to legal process (such as a subpoena).
- After the employment of an individual who was either faculty or staff ends, access such individual’s University institutional system activity (including the contents and records of any individual communication) if there is a legitimate University business reason.
Appendix A – Revision Table
Document Owner: LaMica Justice, Chief Information Officer
Document History

| Rev # | Name | Date | Description | Signature |
|---|---|---|---|---|
| 1.0 | LaMica Justice | 5/14/2024 | Initial draft | Electronically signed |
| 1.1 | | | Initial release | |