Appropriate Use of Information Resources UPPS No. 04.01.07
Issue No. 7
Effective Date: 07/01/2015
Review: March 1 E3Y
Sr. Reviewer: Information Security Officer
01. POLICY STATEMENT
01.01 This document establishes policies and procedures for the appropriate use of information resources in order to:
a. achieve university-wide compliance with applicable statutes, regulations, and mandates regarding the management of information resources;
b. establish prudent and acceptable practices regarding the use of information resources; and
c. educate individuals about the responsibilities they assume when using Texas State University’s information resources.
02. RELATED DOCUMENTS
UPPS No. 01.04.11, Guidelines for Use of Texas State Logo, System Statement, Board of Regents List, and Equal Opportunity Statement
UPPS No. 01.04.27, Intellectual Property: Ownership and Use of Copyrighted Works
UPPS No. 04.01.01, Security of Texas State Information Resources
UPPS No, 04.01.02, Information Resources Identity and Access Management
UPPS No. 04.01.05, Network Use Policy
UPPS No. 04.01.06, University Websites
UPPS No. 04.01.08, Texas State Internet Domain Name Policy
03.01 Information Resources – include the following:
a. all physical and logical components of the university’s wired and wireless network infrastructure;
b. any device that connects to or communicates electronically via the university’s network infrastructure, including computers, printers, and communication devices, both portable and fixed;
c. any fixed or portable storage device or media, regardless of ownership, that contains university data;
d. all data created, collected, recorded, processed, stored, retrieved, displayed, or transmitted using devices connected to the university network;
e. all computer software and services licensed by the university;
f. support staff and services employed or engaged by the university to deploy, administer, or operate the above-described resources or to assist the university community in effectively using these resources; and
g. devices, software, or services that support the operations of Texas State University regardless of physical location (e.g., SAAS, PAAS, IAAS, cloud services).
03.02 NetID (Network Identifier) – the unique identifier used by the university to identify a person or other entity when accessing the university’s non-public information resources. Every NetID has an associated password that serves to authenticate the identity of the NetID owner. For a more extensive description of the NetID and other aspects of computer account management and access control, see UPPS No. 04.01.02, Information Resources Identity and Access Management.
In this policy, NetID also refers more generically to any other official identifier issued by Texas State. Likewise, the term “password” also refers to a PIN (personal identification number) or any secret access code used to verify a person as the owner of its corresponding identifier.
03.03 User – an individual or automated application or process with authorization to access an information resource by its owner, in accordance with the owner’s procedures and rules.
04. GENERAL GUIDELINES AND PRINCIPLES
04.01 Texas State provides each of its authorized users with a computer account, known as a Texas State NetID, that facilitates access to the university’s information resources. In accepting a Texas State NetID or any other access identifier, the recipient agrees to abide by all applicable Texas State policies and legal statutes, including all federal, state, and local laws. Texas State reserves the right at any time to limit, restrict, or deny access to its information resources and to take disciplinary or legal action against anyone in violation of these policies or statutes.
04.02 Applicable university policies and procedures include all Texas State University Policy and Procedure Statements (UPPS) and departmental policies and procedures that address the usage of Texas State information resources. Also applicable are university policies prohibiting harassment, plagiarism, or unethical conduct. Laws that apply to the use of Texas State’s information resources include laws pertaining to theft, copyright infringement, insertion of malicious software into computer systems, and other computer-related crimes. This policy applies to all university information resources, whether administered centrally or departmentally, and regardless of where they reside.
04.03 Texas State provides information resources for the purpose of accomplishing tasks related to the university’s mission. Texas State expects its faculty and staff to employ these resources as their first and preferred option for satisfying their business, research, or instructional needs. Thus, faculty and staff should engage third-party providers, in collaboration with the information resources manager (IRM) and information security officer (ISO), of such resources only after determining that university-provided resources do not adequately satisfy the business, research, or instructional need.
The university may restrict the use of or access to its information resources due to specific research, teaching, or other purposes in keeping with Texas State’s mission. Texas State’s computer information resources are not a public forum.
04.04 Texas State considers e-mail a significant information resource and an appropriate mechanism for official university communication. The university provides official university e-mail addresses and services to its students, faculty, staff, retirees, and organizational units for this purpose and to enhance the efficiency of educational and administrative processes. In providing these services, the university anticipates that e-mail recipients will access and read university communications in a timely fashion.
Current faculty, staff, students, and retirees may forward e-mail from their official university address to an alternate e-mail address at their own risk and subject to restrictions on transmission of confidential information (see Sections 04.09 and 07.02 of UPPS No. 04.01.01, Security of Texas State Information Resources). The university cannot guarantee and is not responsible for the delivery or protection of e-mail forwarded from the official university address to any other address. Individuals who forward university e-mail assume personal responsibility for its timely delivery and its protection from improper disclosure once it leaves the university network. For this reason, individuals who routinely receive or expect to receive e-mail containing confidential information should avoid establishing automated email forwards.
04.05 Consistent with the provisions of UPPS No. 04.01.02, Information Resources Identity and Access Management, and other applicable policies and statutes, students who have registered and paid their fees are allowed to use Texas State’s information resources for school-related and personal purposes. Personal use must not result in any additional expense to the university or violate restrictions detailed in Section 05.
04.06 Consistent with the provisions of UPPS No. 04.01.02, Information Resources Identity and Access Management, and other applicable policies and statutes, employees of Texas State are allowed to use Texas State’s information resources in the performance of their job duties. State law and university policy permit incidental personal use of Texas State information resources, subject to review and reasonable restrictions by the employee’s supervisor. Such personal use must not violate any applicable policies and statutes, must not interfere with the employee’s job performance, and must not result in any additional expense to the university.
04.07 Censorship is not compatible with the goals of Texas State. The university will not limit access to any information due to its content, as long as it meets the standard of legality. The university reserves the right, however, to impose reasonable time, place and manner restrictions on expressive activities that use its information resources.
04.08 Texas State’s information resources are subject to monitoring, review, and disclosure as provided in Section 07. of UPPS No. 04.01.02, Information Resources Identity and Access Management. Consequently, users should not expect privacy in their use of Texas State's information resources, even in the case of user’s incidental personal use.
04.09 Intellectual property laws extend to the electronic environment. Users should assume that works communicated through Texas State computer networks are subject to copyright laws, unless specifically stated otherwise.
04.10 The state of Texas and the university consider information resources as valuable assets. Further, computer software purchased or licensed by the university is the property of the university or the company from whom it is licensed. Any unauthorized access, use, alteration, duplication, destruction, or disclosure of any of these assets may constitute a computer-related crime, punishable under Texas and federal statutes.
05. INAPPROPRIATE USES OF INFORMATION RESOURCES
05.01 The following activities exemplify inappropriate use of the university's information resources. These and similar activities are strictly prohibited for all users:
a. use of university information resources for illegal activities or purposes. The university may deal with such use appropriately, and may report such use to law enforcement authorities. Examples of illegal activities or purposes include unauthorized access, intentional corruption or misuse of information resources, theft, and child pornography;
b. failure to comply with laws, policies, procedures, license agreements, and contracts that pertain to and limit the use of the university's information resources;
c. the abuse of information resources including any willful act that: endangers or damages any specific computer software, hardware, program, network, data, or the system as a whole, whether located on campus or elsewhere on the global Internet; creates or allows a computer malfunction or interruption of operation; injects a computer virus or worm into the computer system; sends a message with the intent to disrupt university operations or the operations of outside entities; produces output that occupies or monopolizes information resources for an unreasonable time period to the detriment of other authorized users; consumes an unreasonable amount of communications bandwidth, either on or off campus, to the detriment of other authorized users; or fails to adhere to time limitations that apply at particular computer facilities on campus;
d. use of university information resources for personal financial gain or commercial purpose;
e. failure to protect a password or Texas State NetID from unauthorized use;
f. falsely representing one’s identity through the use of another individual’s Texas State NetID or permitting the use of a NetID and password by someone other than their owner;
g. unauthorized attempts to use or access any electronic file system or data repository;
h. unauthorized use, access, duplication, disclosure, alteration, damage, or destruction of data contained on any electronic file, program, network, web page, or university hardware or software;
i. unauthorized duplication, use or distribution of software and other copyrighted digital materials (including copyrighted music, graphics, etc.). All software and many other digital materials are covered by some form of copyright, trademark, license or agreement with potential civil and criminal liability penalties. The copyright or trademark holder must specifically authorize duplication, use or distribution, or a specific exception of the Copyright Act, such as the Fair Use exception, the Library exception, or exceptions under the TEACH Act, must apply. See also UPPS No. 01.04.27, Intellectual Property: Ownership and Use of Copyrighted Works;
j. participating or assisting in the deliberate circumvention of any security measure or administrative access control that pertains to university information resources;
k. using university information resources in a manner that violates other university policies, such as racial, ethnic, religious, sexual, or other forms of harassment. See also UPPS No. 04.04.46, Prohibition of Discrimination or Harassment, and The Texas State University System (TSUS) Sexual Misconduct Policy;
l. using university information resources for the transmission of spam mail, chain letters, malicious software (e.g., viruses, worms, or spyware), or personal advertisements, solicitations or promotions;
m. modifying any wiring or attempting to extend the network beyond the port (i.e., adding hubs, switches or similar devices) in violation of the university’s network use policy (UPPS No. 04.01.05, Network Use Policy);
n. using Texas State’s information resources to affect the result of a local, state, or national election or to achieve any other political purpose (consistent with Texas Government Code §556.004);
o. using Texas State’s information resources to state, represent, infer, or imply an official university position without appropriate authorization;
p. unauthorized network scanning, foot printing, reconnaissance, or eavesdropping on information resources for available ports, file shares, or other vulnerabilities; and
q. unauthorized alteration or relay of network traffic (e.g., man in the middle attacks).
06. RESPONSIBILITIES OF USERS
06.01 Each user shall utilize university information resources responsibly and respect the needs of other users.
06.02 Each person is responsible for any usage of his or her Texas State NetID. Users must maintain the confidentiality of their passwords.
06.03 A user must report any abuse or misuse of information resources or violations of this policy to their department head or to the Office of the Vice President for Information Technology.
06.04 When using its information resources, the university encourages communications that reflect high ethical standards, mutual respect, and civility.
06.05 In using Texas State information resources, users shall adhere to applicable provisions of the university’s network use polices (see UPPS No. 04.01.05, Network Use Policy) and guidelines regarding the design and content of official communications and publications (see UPPS No. 01.04.11, Guidelines for Use of Texas State Logo, System Statement, Board of Regents List, and Equal Opportunity Statement).
06.06 Administrative heads and supervisors must report ongoing or serious problems regarding the use of Texas State information resources to the Office of the Vice President for Information Technology.
06.07 Each user shall immediately notify IT Security of the loss of any fixed or portable storage device or media, regardless of ownership, that contains university data (see Section 04.02 of UPPS No. 05.01.01, Texas State University Property and Equipment).
07. ACCESS TO UNIVERSITY INFORMATION RESOURCES BY AUDITORS
07.01 Consistent with Chapter III, paragraph 7.4 of The TSUS Rules and Regulations of the Board of Regents, the TSUS director of Audits and Analysis and auditors reporting to him or her, either directly or indirectly, while in the performance of their assigned duties, shall have full, free, and unrestricted access to all university information resources, with or without notification or consent of the assigned owner of the resources. The university shall afford this access consistent with Section 07. of UPPS No. 04.01.02, Information Resources Identity and Access Management.
07.02 The university shall provide state, federal, and other external auditors with access to university information resources with prior approval by the vice president for Information Technology.
08. LIABILITY FOR FAILURE TO ADHERE TO THIS POLICY
08.01 Failure to adhere to this policy may lead to the revocation of a user’s Texas State NetID, suspension, dismissal, or other disciplinary action by the university, as well as referral to legal and law enforcement agencies.
08.02 Statutes pertaining to the use of university information resources include the following:
a. The Federal Family Educational Rights and Privacy Act (commonly known as FERPA) – restricts access to personally identifiable information from students’ education records;
b. Texas – establishes information security requirements for Texas state agencies and public higher education institutions;
c. Texas Penal Code, Chapter 33: Computer Crimes – specifically prohibits unauthorized use of university computers, unauthorized access to stored data, or dissemination of passwords or other confidential information to facilitate unauthorized access to the university’s computer system or data;
d. Texas Penal Code, §37.10: Tampering with Governmental Record – prohibits any alteration, destruction, or false entry of data that impairs the validity, legibility or availability of any record maintained by the university;
e. United States Code, Title 18, Chapter 47, §1030: Fraud and Related Activity in Connection with Computers – prohibits unauthorized and fraudulent access to information resources, accessing a computer to obtain restricted information without authorization; altering, damaging, or destroying information on a government computer without authorization; trafficking in passwords or similar information used to gain unauthorized access to a government computer, and transmitting viruses and other malicious software;
f. Copyright Law, 17 U.S.C. §§101-1332, 18 U.S.C. §2318-2323 – forms the primary basis of copyright law in the United States, as amended by subsequent legislation. The Act spells out the basic rights of copyright holders and codifies the doctrine of ’fair use;’
g. Digital Millennium Copyright Act (DMCA), 17 U.S.C. §§512 as amended and 28 U.S.C. §4001 – The DMCA criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works. The Act amended Title 17 of the United States Code to extend the reach of copyright, while limiting the liability of Internet service providers (like Texas State) for copyright infringement by their users, provided the service provider removes access to allegedly infringing materials in response to a properly formed complaint;
k. Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R 164 – sets security management requirements and broad management controls to protect the privacy of patient health information; and
l. Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. §3541 – requires every federal agency to develop, document, and implement an agency-wide information security program. The law was amended by FISMA 2010, which changed the focus from paperwork compliance to continuous monitoring and threat mitigation.