IRM-002: Acceptable Use of the University’s Information Technology ResourcesDate: 10/23/2017 Status: Final
Use of the University’s information technology (IT) resources shall support the basic missions of the University in teaching, research, public service, and healthcare. Users of the University’s IT resources are responsible for using these resources appropriately and respecting the rights of others.
Information Technology (IT) Resources:
All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data regardless of the source of funds including, but not limited to:
- Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
- Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems;
- Electronic data storage devices including, but not limited to: hard drives, solid state drives, optical disks (e.g., CDs, DVDs), thumb drives, and magnetic tape;
- Software including, but not limited to: applications, databases, content management systems, web services, and print services;
- Electronic data in transmission and at rest;
- Network and communications access and associated privileges; and
- Account access and associated privileges to any other IT resource.
All users except for those whose sole affiliation with the University is student or applicant.
Public Information Technology (IT) Resources:
IT resources that are available to broad groups of users within the University community. They include, but are not limited to: public-access computer facilities, shared multi-user computing systems, and the network services that Information Technology Services (ITS) and all other University schools and departments manage. The word “public,” in this context, describes a resource that is available broadly to members of the University community. It does not imply that these resources are available to persons from outside the University community.
Everyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, faculty, staff, medical center employees, contractors, foundation employees, guests, and affiliates of any kind.
All users of University information technology (IT) resources are required to use them in an ethical, professional, and legal manner. This policy applies to all users of the University’s information technology resources, regardless of location or affiliation.
Users must be granted University IT resource accounts in accordance with the Accounts Provisioning and De-provisioning Standard.
Respect the integrity of the University’s IT resources.
- Become familiar with and abide by the guidelines for appropriate usage for the University’s IT resources that they access.
Users must not:
- Divulge or share passwords, PINs, private keys, hardware tokens, or similar authentication elements to anyone else, and they must not exploit sessions left open, or otherwise misappropriate, assume, or steal the “identity” of another user (see Authentication Standard);
- Obtain or attempt to obtain unauthorized access to the University’s IT resources;
- Circumvent or attempt to circumvent security controls on the University’s IT resources; nor
- Allow unauthorized users access to the University’s IT resources.
Protect the University’s IT resources.
Only Information Technology Services (ITS), Health Information and Technology, or their authorized designees may:
- attach networking equipment (including, but not limited to: routers, switches, wireless access points, Dynamic Host Configuration Protocol/Domain Name System servers, etc.) to the University network or modify University network infrastructure (e.g., building copper and fiber cable plant, outlet wiring) (see Network Equipment Standard); or
- provide for external physical connections to the University’s network (e.g., connections to an external internet service provider) (see External Physical Connections Standard).
- Persons responsible for the University’s IT resources must maintain these resources in a secure state in accordance with related policy and associated security standards and procedures. (See policy IRM-004, Information Security of University Technology Resources.)
- Users must protect all data accessed or used. Users must recognize that certain data are sensitive and must limit their access to such data to authorized uses in direct performance of their official duties. (See policy IRM-003, Data Protection of University Information.)
- Users must recognize that the use of certain data is restricted by other University policies relevant to the data in question, such as IRM-006, Mass Electronic Mailings; IRM-013, Mass Text Messaging for Emergency Alerts; and IRM-001, Web Site Advertising.
- Only Information Technology Services (ITS), Health Information and Technology, or their authorized designees may:
- Respect and not violate the privacy of others through access or use of the University’s IT resources. (See policy IRM-012, Privacy and Confidentiality of University Information.)
- Respect the intended use of all the University’s IT resources, typically for University research, instruction, public service, health care, student services, and administrative purposes. All unauthorized use is prohibited. For Non-Student Users, commercial use is prohibited, but incidental personal use is permitted. (See policy PRM-011, Use of Working Time and University Equipment for Personal or Commercial Purposes.)
- Respect the rules and regulations governing the use of IT facilities and equipment. The University expects all users to cooperate in using public IT resources for their intended purposes and in discontinuing their access when requested to do so.
- Not use the University’s IT resources to access, use, copy, distribute, or otherwise reproduce or make available to others any copyright-protected materials, including digital materials and software, [see Digital Millennium Copyright Act (DMCA)] except as permitted under copyright law (especially with respect to “fair use”) or specific license.
- Abide by the Acceptable Use Standards.
In addition to the above, all Non-Student Users:
- Must successfully complete either the University’s or Health System’s online security awareness training at least annually, which includes acceptance of the Electronic Access Agreement.
- Are subject to the State Use of Internet and Electronic Communication Systems Policy.
- Must not except to the extent required in conjunction with a bona fide, agency-approved research project or other agency-approved undertaking, no user shall utilize agency-owned or agency-leased computer equipment to access, download, print or store any information infrastructure files or services having sexually explicit content (see § 2.2-2827. Restrictions on State Employee Access to Information Infrastructure).
Compliance with Policy:
Any misuse of data or IT resources may result in limitation or revocation of access to University IT resources. In addition, failure to comply with the requirements of this policy may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies. Violation of this policy may also violate federal, state, or local laws.
Questions about this policy should be directed to the Contact Office.