Acceptable Use of Computing Resources Policy
Use
of the University’s network system or any of its components renders
the user subject to, and constitutes the user’s agreement to
abide by, this policy.
The University’s
network system and all its components (including hardware, software, web access
and voice mail) exist to support the University’s academic mission. Access
to the network is a privilege that should be exercised responsibly, ethically
and lawfully. Acceptable use is governed by the following broad principles: the
enhancement of the University’s academic mission, the academic freedom
of users, the privacy of users, and the maintenance of the integrity of computer
resources.
Acceptable Use of Computing Resources
Activities
related to the University’s academic mission take precedence
over computing pursuits of a more personal or recreational nature.
Any use that disrupts the academic mission is prohibited and can be
restricted or denied.
Users have
the responsibility to take prudent and reasonable steps to prevent
unauthorized access to University computing resources. The user-ID
and password system is designed to establish responsibility for computing
resources and use (Ownership and control of University computing resources,
however, remain with the University. All
encryption keys employed by users must be provided to Information Technology
if requested in order to perform functions required by this policy.) Acceptable
use respects these identification and security mechanisms. Account owners are
considered to be responsible for all activity associated with their account,
whether on a University-owned or a personal computer. Likewise, proceeding
beyond the login screen is not acceptable use if the account is not yours.
Following
the same standards of common sense, courtesy and civility that generally
govern the use of other shared University facilities, acceptable use
of information technology resources respects all individuals’ rights to privacy, but
subject to the right of individuals to be free.
Any use
of University resources for illegal, unauthorized business or commercial
(this does not include on-line purchases of personal items) purposes,
or for purposes which are contrary to the rules, regulations, policies
and/or interests of the University, is prohibited.
Use of all
network resources must respect the University’s network access contracts
and requirements.
Acceptable
use is governed by current federal, state, and local laws covering,
but not restricted to, the practices of theft and copyright infringement,
as well as University rules, regulations, and policies.
Abuse of
networks or computers at other sites through the use of St. Lawrence
University resources will be treated as an abuse of computing privileges
at St. Lawrence University.
Wireless
access points must be connected to the University’s network with help
from the IT staff. Unauthorized access points endanger network security
and will be removed from the network by IT staff immediately upon discovery.
Acceptable
use respects the need for the operational integrity of the computer
network. For
example, the following activities and behaviors are prohibited:
• distributing
computer viruses, worms, Trojan horse programs, email “bombs,” and
chain letters;
• triggering
system security features that result in the denial of service to other users;
• misconfiguring
programs or equipment intentionally;
• forging
or counterfeiting email messages;
• sending
an email message with a false or misleading user ID;
• altering
or attempting to alter files or systems without authorization;
• scanning
of networks for security vulnerabilities without authorization;
• attempting
to alter any University computing or networking components (including, but
not limited to, bridges, routers, and hubs) without authorization or beyond
one’s level of authorization;
• extending
or re-transmitting any computer or network service without authorization;
• accessing
or viewing secured files or directories without authorization;
• violating
the intellectual property rights of others.
University Responsibilities
The University
reserves the right to protect, repair, and maintain University computing equipment
and network integrity. In accomplishing this goal, University IT personnel
or their agents must do their utmost to maintain user privacy, including the
content of personal files and internet activities. Any information obtained
by IT personnel about a user through maintenanceand/or repair of computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of University computing resources or appears to be in violation of the law.
Privacy
The University
will make every reasonable effort to respect a user’s privacy. Indeed,
though faculty, staff and students do not acquire a right of privacy for communications
transmitted or stored on University resources, our presumption is to respect
privacy except under the specific circumstances outlined in this policy. Those
circumstances include our need to respond to a judicial order or any other
action required by law, our need to enforce official University policy in response
to a specific evidence-based concern (this policy does not justify “surfing” for
possibly damaging information on anyone), and our need to gain access in order
to conduct University business due to the unexpected absence of an employee
or to respond to health or safety emergencies. Under any of these situations,
the President (or if the President is unavailable, the Vice President of the
University and Dean of Academic Affairs) may authorize an agent of Information
Technology to access, review, monitor and/or disclose computer files associated
with an individual’s account. Examples of University policies in
this context are:
• Student
Code of Responsibility (pp. 101-119, 2004-05 St. Lawrence University Student
Handbook
• Discriminatory
Harassment Policy (See “Policies” link on the University’s
website)
• Sexual Harassment
Policy (See “Policies” link on the University’s website)
• Academic
Honor Code (St. Lawrence University Student Handbook)
Before authorizing
any action stemming from University policy, the President (or in his
absence the Vice President of the University and Dean of Academic Affairs)
will first verify the authenticity of such a request, and make every
reasonable effort to consult with the officers of Faculty Council,
without revealing details that would identify any of the parties, so
that they may provide their input to the President and so that any
action taken will be known outside the senior administration of the
University. If the officers of Faculty Council
are unavailable and the action is so urgent that it is impossible to consult
with them before acting, then the President (or vice president) will inform
them as soon as possible afterwards about the action taken and the reasons
for it. Those officers advised are expected to maintain such confidentiality
as may be reasonably required by the particular circumstances, but in any event
not longer than three months (unless the President and officers of Faculty
Council agree that in a particular case a longer period of time is appropriate)
after which the President will disclose in general terms the nature of the
case, omitting details that might identify any of the parties. (Also
see the Library section of this document for specific regulations
regarding computers in libraries.)
To the extent
doing so will not impair a necessary University activity (and unless
forbidden by law), a reasonable attempt will be made to contact the
user to inform him or her after their computer files have been secured
by IT but before IT reviews the files. If the user cannot be contacted, the authorized agent of Information
Technology will view the computer files related to the specific issue and,
subject to the foregoing exceptions, will attempt to inform the user, in writing,
indicating that the files have been reviewed.
General Privacy Issues Concerning Email and Network Security
• Users should
be aware that no computer system is entirely secure. Unauthorized individuals,
working inside or outside of the University’s system, may find ways to
access files despite the University’s best efforts to enforce security. Therefore,
all users should be aware that the University cannot and does not provide any
guarantee of user privacy.
• Users should
not expect total privacy of electronic mail (e-mail). IT staff may see
the contents of e-mail due to addressing errors or as a result of maintaining
the e-mail system. In those cases where IT staff view the contents of
private e-mail, they are required to keep the contents confidential, subject
to provisions of this policy. In addition, access is permitted as outlined
in this policy. Also remember that e-mail sent off campus may be viewed
by IT personnel at other institutions that may not have any considerations
of privacy concerning e-mail.
• Users should
try to limit the storage of files containing personal information on the network
because their privacy cannot be guaranteed.
Library Files and Public Access Computers
Library
records for patrons of the SLU Libraries are protected by New York state law
and by practices based on the Code of Ethics of the American Library Association.
New York State’s CLS CPLR § 4509 states that:
”Library records, which contain names or other personally identifying
details regarding the users of public, free association, school, college and
university libraries and library systems of this state, including but not limited
to records related to the circulation of library materials, computer database
searches, interlibrary loan transactions, reference queries, requests for photocopies
of library materials, title reserve requests, or the use of audio-visual materials,
films or records, shall be confidential and shall not be disclosed except that
such records may be disclosed to the extent necessary for the proper operation
of such library and shall be disclosed upon request or consent of the user
or pursuant to subpoena, court order or where otherwise required by statute.”
Public Access Computers in University Libraries
• Members
of the St. Lawrence University community, students, faculty, and staff have
first priority in the use of the library workstations.
• The public
workstations are for library research.
• Users are
asked to limit their stay at the computers during the library’s busiest
times.
• Unacceptable
use of computers in the reference area includes, but is not limited to, e-mail,
any type of instant messaging, word processing, spreadsheets, games, chat rooms,
and bulletin boards.
• The Library
reserves the right to restrict access to the workstation computers.
Intellectual Property
The University
recognizes that copyright exists to “promote the progress of science
and the useful arts, by securing for limited times to authors and inventors
the exclusive right to their respective writings and discoveries” (from
Article I., Section 8, Clause 8 of the United States Constitution).
Acceptable
use requires that all users recognize and honor the intellectual property
rights of others, including copyright on software, music, video, text,
and pictures. The University may terminate network access to users
who repeatedly infringe the intellectual property rights of others.
Servers
Owners and
overseers of servers connected to the St. Lawrence University network
must ensure that key security vulnerabilities are eliminated from these
devices by obtaining, installing, and properly maintaining all appropriate
service packs, security patches, and virus protection software. This
policy applies to anyone in the University community who owns or oversees
a server connected to the St. Lawrence University Network, including
but not limited to:
1. Faculty, staff,
students, and other individuals who have servers connected to St. Lawrence
University network, even if those devices were acquired personally.
2. In cases where vendor-owned
and/or managed equipment is housed in departments/programs then the
department or program chair will be presumed to be responsible for
the server.
3. If no one claims
responsibility for a server, then the department or program chair for
the department/program in which the server resides will be presumed
to be responsible by default.
Key security
vulnerabilities vary depending upon the type of device. The list of examples
provided below is not a comprehensive list of security vulnerabilities. Vulnerabilities
will evolve over time as new threats and risks surface. Please check
the IT website for important messages concerning current vulnerabilities. Device
owners and overseers are responsible for staying apprised of new vulnerabilities
and acting promptly to address any new security gaps. It is important
that owners and overseers of servers consult with IT concerning their specific
needs at any time.
Examples of Key Security Vulnerabilities and Counter Measures:
• All device
owners and users should ensure that passwords used on their devices are not
easily guessable by attackers or by the password-guessing software that hackers
use to break into machines. Passwords should consist of no fewer than
8 characters. They should begin and end with alpha characters, and should
contain several numerals along the way. Never use a word that can be
found in a dictionary, even a non-English dictionary. Including mixed
cases is excellent for machines whose operating systems are case sensitive
(such as Unix operating systems).
• Owners and
overseers of servers should install and run anti-virus software and maintain
current virus definitions. Check with the IT department to be sure that
you are running the latest version of anti-virus software recommended for your
machine.
• Owners and
overseers of servers should apply security-related updates to the operating
system running on their devices as soon as these updates become available from
operating system vendors. Delays benefit only the hackers. The
IT staff will apply security-related updates to operating systems administered
by IT.
• Owners and
overseers of servers should switch off unneeded Operating System services to
eliminate the risk of their being exploited by hackers.
In cases
where university network resources are threatened by improperly maintained,
poorly configured, or misbehaving computing devices, Information Technology
will act on behalf of the University to eliminate the threat by working
with the relevant device owner or overseer to close security holes
quickly. In
circumstances where these collaborative efforts fail, if the responsible individual
cannot be found, or if there is an urgent situation requiring immediate action
and leaving no time for collaboration, the device will be disconnected from
the network by Information Technology until the appropriate repairs are made.
Administration and Enforcement
The personnel
of the IT department of St. Lawrence University will work with users
to resolve disputes over acceptable use. When users fail to comply
with requests made by the IT department to adopt the acceptable use
practices described in this policy, such as concerning University policies
or standards, contractual obligations, or federal or state laws, the
University reserves the right to restrict the use of its informational
resources and facilities and to limit access to its computers, systems,
and networks.
Users
are subject to disciplinary rules described in the student handbook,
faculty handbook and/or rules governing employment at St. Lawrence University
if they engage in activities that purposely damage 1) IT property or
the operational integrity of the St. Lawrence University network and/or
2) networks or computers at other sites through the use of St. Lawrence
University IT resources, or they otherwise fail to comply with this policy.
