IRM-002: Acceptable Use of the University’s Information Technology Resources

Date: 10/23/2017 Status: Final

Last Revised: 05/16/2020

Policy Type: University

Contact Office: University Information Security (InfoSec)

Oversight Executive: Vice President and Chief Information Officer

Applies To:

Academic Division, the Medical Center, the College at Wise, and University-Associated Organizations.

Table of Contents:

Policy Statement

Acceptable Use Requirements
Compliance with Policy

Procedures

Reason for Policy:

Use of the University’s information technology (IT) resources shall support the basic missions of the University in teaching, research, public service, and healthcare. Users of the University’s IT resources are responsible for using these resources appropriately and respecting the rights of others.

Definition of Terms in Statement:

Information Technology (IT) Resources:
All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data regardless of the source of funds including, but not limited to:
- Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
- Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems;
- Electronic data storage devices including, but not limited to: hard drives, solid state drives, optical disks (e.g., CDs, DVDs), thumb drives, and magnetic tape;
- Software including, but not limited to: applications, databases, content management systems, web services, and print services;
- Electronic data in transmission and at rest;
- Network and communications access and associated privileges; and
- Account access and associated privileges to any other IT resource.
Non-Student Users:
All users except for those whose sole affiliation with the University is student or applicant.
Public Information Technology (IT) Resources:
IT resources that are available to broad groups of users within the University community. They include but are not limited to: public-access computer facilities, shared multi-user computing systems, and the network services that Information Technology Services (ITS) and all other University schools and departments manage. The word “public,” in this context, describes a resource that is available broadly to members of the University community. It does not imply that these resources are available to persons from outside the University community.
University Equipment:
University owned or leased property used to assist in performing an activity or function (e.g., hand tools, power tools, audio-visual equipment, etc.). University equipment does not include University infrastructure (e.g., networks, buildings, etc.); office furnishings that remain in the location designated for their use (e.g., desks, file cabinets, bookcases, etc.); or telephone and computing resources that are covered by other specific policies.
User:
Everyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, faculty, staff, medical center employees, contractors, University-Associated Organization employees, guests, and affiliates of any kind.

Policy Statement:

All users of University information technology (IT) resources are required to use them in an ethical, professional, and legal manner. This policy applies to all users of the University’s information technology resources, regardless of location or affiliation.

Users must be granted University IT resource accounts in accordance with the Accounts Provisioning and De-provisioning Standard.

Acceptable Use Requirements:
All users agree to abide by these conditions:
1. Respect the integrity of the University’s IT resources.
  Users must:
  - Become familiar with and abide by the guidelines for appropriate usage for the University’s IT resources that they access.
  Users must not:
  - Divulge or share passwords, PINs, private keys, hardware tokens, or similar authentication elements to anyone else, and they must not exploit sessions left open, or otherwise misappropriate, assume, or steal the “identity” of another user (see Authentication Standard and for UVA Health System employees, please see UVA Health System Policy IT-002: Use of Electronic Information and Systems);
  - Obtain or attempt to obtain unauthorized access to the University’s IT resources;
  - Circumvent or attempt to circumvent security controls on the University’s IT resources; nor
  - Allow unauthorized users access to the University’s IT resources.
2. Protect the University’s IT resources.
  - Only Information Technology Services (ITS), Health Information and Technology, or their authorized designees may:
    - attach networking equipment (including, but not limited to: routers, switches, wireless access points, Dynamic Host Configuration Protocol/Domain Name System servers, etc.) to the University network or modify University network infrastructure (e.g., building copper and fiber cable plant, outlet wiring) (see Network Equipment Standard); or
    - provide for external physical connections to the University’s network (e.g., connections to an external internet service provider) (see External Physical Connections Standard).
  - Persons responsible for the University’s IT resources must maintain these resources in a secure state in accordance with applicable laws and regulations, contractual requirements, as well as related policy, associated security standards, and procedures. (See policy IRM-004: Information Security of University Technology Resources and UVA Health System policy IMN-001: Requirements Concerning Confidential Information.)
  - Users must protect all data accessed or used. Users must recognize that certain data are sensitive and must limit their access to such data to authorized uses in direct performance of their official duties. (See policy IRM-003: Data Protection of University Information.)
  - Users must recognize that the use of certain data is restricted by contractual requirements, laws, and regulations, as well as other University policies relevant to the data in question, such as IRM-006: Mass Digital Communications; IRM-013: Issuance of an Emergency Notification; and IRM-001: Web Site Advertising.
3. Respect and not violate the privacy of others through access or use of the University’s IT resources. (See policy IRM-012: Privacy and Confidentiality of University Information and IMN-001: Requirements Concerning Confidential Information.)
4. Respect the intended use of all the University’s IT resources, typically for University research, instruction, public service, health care, student services, and administrative purposes. All unauthorized use is prohibited. For Non-Student Users, commercial use is prohibited, but incidental personal use is permitted. (See policy PRM-011: Use of Working Time and University Equipment for Personal or Commercial Purposes.)
5. Respect the rules and regulations governing the use of IT facilities and equipment. The University expects all users to cooperate in using public IT resources for their intended purposes and in discontinuing their access when requested to do so.
6. Not use the University’s IT resources to access, use, copy, distribute, or otherwise reproduce or make available to others any copyright-protected materials, including digital materials and software, [see Digital Millennium Copyright Act (DMCA)] except as permitted under copyright law (especially with respect to “fair use”) or specific license.
7. Abide by the Acceptable Use Standards.
8. Report known or reasonable suspicion of misuse of University IT resources (See policies: GOV-002: Reporting and Investigation of Fraudulent Transactions, HRM-002: Issuance and Use of University Identification Cards, FIN-044: Use of the University Travel and Expense Card, STAF-003: Statement of Students’ Rights and Responsibilities).
9. Should successfully complete either the University’s or Health System’s online security awareness training at least annually.
10. Complete University-provided information security awareness training at least annually by all users of the High Security Virtual Private Network (HSVPN) and all users of systems governed by contracts, laws, or regulations that require it.
In addition to the above, all Non-Student Users:
1. Are subject to State Policy 1.75: Use of Electronic Communications and Social Media.
2. Not utilize agency-owned or agency-leased computer equipment (e.g., University equipment) to access, download, print or store any information infrastructure files or services having sexually explicit content (see § 2.2-2827. Restrictions on State Employee Access to Information Infrastructure) except to the extent required in conjunction with a bona fide, agency-approved research project or other agency-approved undertaking.
3. Must disclose to their supervisor any potential conflicts related to their access to information or ability to transact in a University system containing sensitive or highly sensitive data. (See policy IRM-003: Data Protection of University Information for the definitions of sensitive data and highly sensitive data.) For example, an individual who has access to a University system that records grades or student financial information and is also a parent of an enrolled student must disclose that potential conflict. (See SEC-037: Networks, Systems, and Facilities Access & Revocation and the Issue & Return of Tangible Personal Property.)
Compliance with Policy:
Any misuse of data or IT resources or failure to comply with the requirements of this policy may result in limitation or revocation of access to University IT resources. In addition, failure to comply with the requirements of this policy may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies. Violation of this policy may also violate federal, state, or local laws.

Questions about this policy should be directed to University Information Security (InfoSec).

Procedures:

Acceptable Use
Standards and Procedures
Standards	Procedures
Connecting Network Equipment	Connecting Network Equipment
External Physical Network Connections	External Physical Network Connections
Copyright of Digital Materials	Copyright of Digital Materials
Accounts Provision/Deprovisioning
Authentication
Electronic Access Requirements	Exceptions
Virginia.edu Subdomain Naming Standard

Responsible Computing Handbook for Faculty and Staff
Responsible Computing Handbook for Students

Major Category: Information Resource Management

Next Scheduled Review: 10/23/2020

Approved by, Date: Policy Review Committee, 06/27/2017

Revision History: Revised 5/16/20.

Supersedes (previous policy): Ethics in Computer Usage, Obscene Material, Sexually Explicit Material, Communications Systems Policy, Copyright Protection, Digital Copyright Protection, Information Access

Policy Directory

IRM-002: Acceptable Use of the University’s Information Technology Resources

Contact Info:

Search form

IRM-002: Acceptable Use of the University’s Information Technology Resources