Policy 902 - Acceptable Use Policy

Section: Information Technology
Policy Number: 902
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

The purpose of this policy is to establish acceptable uses of computer equipment at St. John’s University (St. John’s). Wrongful use exposes St. John’s to risks including virus attacks, compromise of network systems and services, and legal issues. 

Scope and Applicability

This policy applies to the University Community.  Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.

Policy

Computing Resources are available for use only by University faculty, administrators, staff, student workers, students, alumni, interns and other authorized users and are intended to advance the education, research, administration and the mission of the University. Accordingly, the University encourages and promotes the use of these resources by the University Community, within institutional priorities and financial capabilities. Access to and use of these resources and services are privileges and are used in compliance with all applicable laws and regulations and with the highest standards of ethical behavior.

Inappropriate use exposes the University to risks including virus attacks, compromise of network systems and services, legal issues and reputation damage. 

Below, the University sets forth terms and conditions for the use of Computing Resources. Listings of specific acceptable and unacceptable uses are illustrative examples and are not meant to be exhaustive. The University is the sole and conclusive authority on questions relating to acceptable uses of its resources. If a question about use arises, the use should be considered "prohibited" until the IT Department directs otherwise.

Acceptable Use

  • University proprietary information stored on electronic and computing devices, whether owned or leased by the University, the employee or a third party, remains the sole property of the University. Proprietary information is protected through legal or technical means in accordance with all Information Security Policies, Standards & Procedures.
     
  • Theft, loss or unauthorized disclosure of University proprietary information are promptly reported to the Office of Public Safety.  
     
  • University proprietary information is only shared or used to the extent it is authorized and necessary to fulfill your assigned job duties.  
     
  • Employees are expected to exercise good judgment and ensure reasonableness when using University computing resources for personal uses. Individual units are responsible for creating guidelines concerning personal use of Internet/Intranet systems. In the absence of such guidelines, employees are guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.  
     
  • Employees must protect any classified materials being sent, received, stored or processed according to the level of classification assigned to it, including both electronic and paper copies. 
     
  • Employees must properly label classified materials in accordance with published guidelines so that they remain appropriately protected.
     
  • Employees must not transmit unprotected Personal Account Numbers (PANs) through a messaging platform such as email, instant messengers or chat.
     
  • Employees must enter the correct recipient email address(es) so that classified information is not compromised.
     
  • Employees must not record credit/debit card Sensitive Authentication Data (Full Track Data – magnetic stripe on the back of the card or the chip on the front of the card, CAV2/CVC2/CVV2/CID and PIN/PIN BLOCK) anywhere at any time.

Security and Proprietary Information

  1. All mobile and computing devices that connect to the internal network are compliant with the Mobile Computing Standard.
     
  2. System-level and user-level passwords are compliant with the Password Standards as defined by the IT Department. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
     
  3. Administrative computing devices are secured with a password-protected screensaver with the automatic activation feature set to 15 minutes or less. Faculty and podium computing devices are secured with the automatic activation features set to 60 minutes or less. You must lock the screen or log off when the device is unattended.  
     
  4. Use of St. John’s computing and communications systems may be monitored and/or recorded for lawful purposes.
     
  5. Employees must be responsible for the protection of their provided user credentials. 
     
  6. Employees must be aware of the cardholder data security policy and procedure with the formal security awareness program implemented.
     
  7. Employees are required to acknowledge, at least annually, that they have read and understood the Information Security policy.

Unacceptable Use

The following activities are considered Improper Usage and are strictly prohibited, with no exceptions:  

  • Communication and Computing resources must only be used for University approved business/non-business purposes. 
     
  • Tampering with the anti-virus software installed on University owned or provided devices or networks or failing to use updated anti-virus software when accessing a University network.
     
  • Circumventing or attempting to circumvent software or hardware security systems. 
     
  • Altering system software or hardware configurations or disrupting or interfering with the delivery or administration of computer resources. 
     
  • Allowing another person to use their user ID/token and password on any University IT system. 
     
  • Leaving their user accounts logged in at an unattended and unlocked computer. 
     
  • Using another person’s user ID and password to access University IT systems.   
     
  • Leaving passwords unprotected (for example, writing them down).
     
  • Performing any unauthorized changes to University IT systems or information. 
     
  • Attempting to access data that the user is not authorized to use or access. 
     
  • Exceeding the limits of their authorization or specific business need to interrogate the system or data. 
     
  • Connecting any non-University authorized device to the University network or IT systems. 
     
  • Storing University data on any non-authorized University equipment. 
     
  • Giving or transferring University data or software to any person or organization outside the University without the authority of the University. 

Inappropriate Access of User Information

  • Attempting to access or accessing the University's or another user's account, private files, or email without the owner's permission. 
     
  • Attempting to access or accessing systems outside of the University without the authorization of that system’s owner. 
     
  • Using computing resources, including electronic mail, to send nuisance messages such as chain letters, junk mail and profane, obscene, threatening, libelous or harassing messages. 
     
  • Misrepresenting one's identity in electronic communication. 
     
  • Using computing resources to engage in conduct which intentionally interferes with others' use of shared computing resources.  This includes consuming gratuitously large amounts of system resources (e.g., Internet bandwidth, disk space, CPU time) and exceeding time limits where they have been established in University facilities such as computer labs and libraries. 
     
  • Using computing and/or electronic mail resources for commercial or personal profit-making purposes or for solicitation or for activities that violate local, state, or federal law. 
     
  • Intercepting or monitoring, or attempting to intercept or monitor, network communications or other communications not intended for that user's access without prior authorization. 
     
  • Displaying, posting, printing, or sending material that is contrary to the mission or values of the University.
     
  • Willful Infringement.
     
  • Allowing or assisting unauthorized users to gain access to computing resources. 
     
  • Installing software (including games) on University-provided computing equipment without obtaining authorization in advance.  The University reserves the right to remove software that violates this policy without advance notice to the user. 
     
  • Infringing upon the intellectual property rights of others in computer programs or electronic information, including plagiarism and unauthorized use or reproduction in violation of patents, trademarks and copyrights and/or software and other licensing agreements. (See “Copyrighted Material” provision).
     
  • Failing to comply with all applicable laws concerning the transmission, receipt or monitoring of wireless and wired communications. 

Copyright Infringement

The use of Computing Resources in violation of international and federal copyright laws is strictly prohibited.  These federal laws provide to the author of an original work, whether that work is a video, a sound recording, software, or printed material, the exclusive rights to reproduce, adapt, publish, perform and display that work.  Anyone other than the copyright holder is required to obtain the express permission of the copyright holder to use the work for any of these purposes.  

The University prohibits the use of its computing resources for Internet downloading and sharing of copyrighted music and video in violation of copyright laws. In addition to violating University policy and the law, file-sharing programs (such as uTorrent, Transmission, and Vuze) that permit these activities also may impair the University's broadband system because their use causes a strain on the University's broadband capabilities and other network resources. Downloading or sharing a copyrighted movie, television show or sound recording without permission of the copyright holder is a violation of University policy. The University has, and will continue to create, technologies to identify and disable access to file-sharing websites that facilitate the violation of applicable law and University policy. In the event that you desire to legally download any file that may strain the University's broadband capabilities, please contact the IT Department to arrange for a time and place to do so.

Fair Use of Copyrighted Material

Creation of internet content and other materials for educational, research and administrative purposes is in full compliance with current copyright laws.

Internet / Intranet Content and Publishing

Consistent with the purposes for which University Computing Resources are intended, web content may be created and posted only in support of the instructional, research, and administrative objectives of the University.  Web content supporting unapproved commercial or business activities is prohibited.  

The University reserves the right to restrict web content or remove any part of such content for violation of these or any University policies, including for causing excessive traffic to the University's web servers. 

Indemnification

Each user is responsible for his or her own activities in using the University's computing resources and indemnifies and holds harmless the University from any liability to the user or any third party arising out of the use of the computing resources by the user, or any loss of information existing or stored on the University's computing equipment or resources, including all files and electronic mail.

Intellectual Property Ownership Rights

Ownership of intellectual property produced through significant use of the University's computing equipment, networks, and information resources resides with St. John’s University.  If St. John’s has an Ownership Interest in the Invention, an Inventor must assign all rights, titles and interests to/in the Invention to St. John’s University, irrespective of obligations to third parties, and assist St. John’s in all phases of the filing application process. Detailed information is in Intellectual Property | St. John's University.

Definitions

The following are the definitions relevant to the policy:

  • Policy: A broad statement of principles that presents management’s position for each defined control area. Policies are mandatory and interpreted and supported by standards, guidelines, and procedures. Policies are intended to be long-term and guide the development of rules to address specific situations.
     
  • Standard: An enterprise-wide, mandatory directive that specifies a particular course of action. Standards support the Information Security Policy and outline a minimum baseline for policy compliance.
     
  • Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
     
  • Institutional Data: All data owned or licensed by the University.
     
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.

Compliance

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.

Related Policies, Standards or Regulations

  • 906 Email Policy
     
  • 904 Identification & Authentication Policy
     
  • 903 Access Control Policy
     
  • 909 Application Development Security Policy
     
  • Intellectual Property Policy