All users of University IT resources are required to use them in an ethical, professional, and legal manner. This policy applies to all users of the University’s information technology (IT) resources, regardless of location or person's affiliation.

Users must be granted University IT resource accounts in accordance with the Accounts Provisioning and De-provisioning Standard.

1. Acceptable Use Requirements:
   All users agree to ensure the confidentiality and integrity of the University’s IT resources. All users must:

   • Abide by the policies, standards, and procedures for appropriate usage for the University’s IT resources that they access, including the Acceptable Use Standards and Procedures.
   • Respect the intended use of all the University’s IT resources and public IT resources, typically for supporting the mission of the University. All unauthorized use is prohibited. Unauthorized use includes, but is not limited to bitcoin mining, circumventing IT resources safeguards (i.e., hacking), or impeding the IT activities of others. Incidental personal use is permitted. (See policy PRM-011: Use of Working Time and University Equipment for Personal or Commercial Purposes.)
   • Follow the rules and regulations governing the use of public IT resources and University equipment. The University expects all users to cooperate in using public IT resources for their intended purposes and in discontinuing their access when requested to do so.
   • Report known or reasonable suspicion of misuse of University IT resources (See policies: GOV-002: Reporting Fraudulent Transactions, HRM-002: Issuance and Use of University Identification Cards, FIN-044: Use of the University Travel and Expense Card, STAF-003: Statement of Students’ Rights and Responsibilities).
   • Complete all required security training required to obtain and/or maintain access, which includes all users of the High Security Virtual Private Network (HSVPN) and all users of systems governed by legal, regulatory, or contractual obligations requiring security training.

   Users should:

   • Complete either the University’s or Health System’s online security awareness training at least annually.

   Users must not:

   • Divulge or share passwords, PINs, private keys, hardware tokens, or similar authentication elements with anyone else.
   • Obtain or attempt to obtain unauthorized access to the University’s IT resources;
   • Circumvent or attempt to circumvent security controls on the University’s IT resources; nor
   • Allow unauthorized users access to the University’s IT resources.
   • Exploit sessions left open, or otherwise misappropriate, assume, or steal the “identity” of another user (see Authentication Standard and for UVA Health System employees, please see UVA Health System Policy IT-002: Use of Electronic Information and Systems);
   • Violate the privacy of others through access or use of the University’s IT resources. (See policy IRM-012: Privacy and Confidentiality of University Information and UVA Health System Policy IMN-001: Requirements Concerning Confidential Information.)
   • Use the University’s IT resources to access, use, copy, distribute, or otherwise reproduce or make available to others any copyright-protected materials, including digital materials and software, [see Digital Millennium Copyright Act (DMCA)] except as permitted under copyright law (especially with respect to “fair use”) or specific license.

   In addition to the above, all Non-Student Users:

   • Must not utilize University-owned or University-leased computer equipment to access, download, print or store any information infrastructure files or services having sexually explicit content (see § 2.2-2827. Restrictions on State Employee Access to Information Infrastructure) except to the extent required in conjunction with a bona fide, University-approved research project or other University-approved undertaking.
   • Are subject to State Policy 1.75: Use of Electronic Communications and Social Media.
   • Must disclose to their supervisor any potential conflicts related to their access to information or ability to transact in a University system containing sensitive or highly sensitive data. (See policy IRM-003: Data Protection of University Information for the definitions of sensitive data and highly sensitive data.) For example, an individual who has access to a University system that records grades or student financial information and is also a parent of an enrolled student must disclose that potential conflict. (Supervisors should consult SEC-037: Networks, Systems, and Facilities Access & Revocation and the Issue & Return of Tangible Personal Property for what to do with reported conflicts.)
   • Are prohibited from commercial use of IT Resources and University Records, but incidental personal use is permitted. (See policy PRM-011: Use of Working Time and University Equipment for Personal or Commercial Purposes.)

2. University IT Resources:
   All users agree to protect the University’s IT resources.

   • Only Information Technology Services (ITS), Health Information and Technology, or their designees are authorized to:
     
     • attach networking equipment (including, but not limited to, routers, switches, wireless access points, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS) servers, etc.) to the University network or modify University network infrastructure (e.g., building copper and fiber cable plant, outlet wiring) (see Network Equipment Standard); or
     • provide for external physical connections to the University’s network (e.g., connections to an external internet service provider) (see External Physical Connections Standard).
   • Persons responsible for the University’s IT resources must maintain these resources in a secure state in accordance with applicable legal, regulatory, and contractual requirements, as well as University policies, standards, and procedures. (See policy IRM-004: Information Security of University Technology Resources and UVA Health System policy IMN-001: Requirements Concerning Confidential Information.)
   • Users must protect all data accessed or used. Users must recognize that certain data are sensitive and must limit their access to such data to authorized uses in direct performance of their official duties. (See policy IRM-003: Data Protection of University Information.)
   • Users must recognize that the use of certain data is restricted by legal, regulatory, and/or contractual , requirements, as other University policies (such as IRM-006: Mass Digital Communications; IRM-013: Issuance of an Emergency Notification; and EXT-015: Endorsement of External Entities and Products).

3. Compliance with Policy:
   Any misuse of data or IT resources or failure to comply with the requirements of this policy may result in limitation or revocation of access to University IT resources. In addition, failure to comply with the requirements of this policy may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies. Violation of this policy may also violate federal, state, or local laws.

   Questions about this policy should be directed to University Information Security (InfoSec).