Campuses:

ADMINISTRATIVE POLICY

Acceptable Use of Information Technology Resources
Responsible University Officer: Vice President for Information Technology
Policy Owner: Vice President for Information Technology
Policy Contact: Brian Dahlin

POLICY STATEMENT

Computers and other information technology resources are essential tools in accomplishing the University's mission. Information technology resources are valuable community assets to be used and managed responsibly to ensure their integrity, confidentiality, and availability for appropriate research, education, outreach and administrative objectives of the University of Minnesota. University community members are granted access to these resources in support of accomplishing the University’s mission.

All users of University information technology resources, whether or not affiliated with the University, must follow University policies; federal, state and local laws; and contractual obligations. These include but are not limited to information security, data privacy, commercial use, and those that prohibit harassment, theft, copyright and licensing infringement, and unlawful intrusion and unethical conduct.

Units that grant guest access to information technology resources must make their guests aware of their acceptable use responsibilities.

Acceptable Use

Acceptable use includes, but is not limited to respecting the rights of other users, avoiding actions that jeopardize the integrity and security of information technology resources, and complying with all pertinent licensing and legal requirements.

Users must comply with applicable laws and regulations, contractual agreements, Board of Regents and Administrative policies, and licensing agreements.

Users must use only information technology resources they are authorized to use and only in the manner and to the extent authorized. Ability to access information technology resources does not, by itself, imply authorization to do so.

Users are responsible for protecting their University-assigned accounts and authentication (e.g., password) from unauthorized use.

Users must abide by the security controls on all information technology resources used for University business, including but not limited to mobile and computing devices, whether University or personally owned.

Users of information technology resources are responsible for the content of their personal communications and may be subject to liability resulting from that use. The University accepts no responsibility or liability for any personal or unauthorized use of its resources by users.

Unacceptable Use

Users are not permitted to share authentication details or provide access to their University accounts to anyone else.

Users must not circumvent, attempt to circumvent, or assist another in circumventing the security controls in place to protect information technology resources and data.

Users must not knowingly download or install software onto University information technology resources which may interfere or disrupt service, or does not have a clear business or academic use.

Users are prohibited from willingly engaging in activities that interfere with or disrupt network users, equipment or service; intentionally distribute viruses or other malicious code; or install software, applications, or hardware that permits unauthorized access to information technology resources.

Users must not engage in inappropriate use, including but not limited to:

  • Activities that violate state or federal laws, regulations or University policies.
  • Harassment.
  • Widespread dissemination of unsolicited and unauthorized electronic communications.

Users must avoid excessive use of system information technology, including but not limited to network capacity. Excessive use means use that is disproportionate to that of other users, or is unrelated to academic or employment-related needs, or that interferes with other authorized uses. Units may require users to limit or refrain from certain activities in accordance with this provision.

Privacy and Security Measures

Users must not violate the privacy of other users. Technical ability to access others’ accounts does not by itself imply authorization to do so.

The University takes reasonable measures to protect the privacy of its information technology resources and accounts assigned to individuals. However, the University does not guarantee absolute security and privacy. Users should be aware that any activity on information technology resources may be monitored, logged and reviewed by University-approved personnel or may be discovered in legal proceedings.

The University assigns responsibility for protecting its resources and data to system administrators, and data custodians, who treat the contents of individual assigned accounts and personal communications as private and does not examine or disclose the content except:

  1. as required for system maintenance including security measures;
  2. when there exists reason to believe an individual is violating the law or University policy; and/or
  3. as permitted by applicable policy or law.

Employees must understand that any records and communications they create related to University business, electronic or otherwise, may be subject to disclosure under the Minnesota Government Data Practices Act on a University or personally owned device.

The University reserves the right to employ security measures. When it becomes aware of violations, either through routine system administration activities or from a complaint, it is the University's responsibility to investigate as needed or directed, and to take necessary actions to protect its resources and/or to provide information relevant to an investigation.

Enforcement

Individuals who use information technology resources to violate a University policy, law(s), contractual agreement(s), or violate an individual’s rights, may be subject to limitation or termination of user privileges and appropriate disciplinary action, legal action, or both. Alleged violations will be referred to the appropriate University office or law enforcement agency.

The University may temporarily deny access to information technology resources if it appears necessary to protect the integrity, security, or continued operation of these resources or to protect itself from liability.

Individuals or units should report non-compliance with this policy to University Information Security (abuse@umn.edu). If you must report anonymously, use the University Ethics Point confidential reporting system.

Special Situations

Units within the University may define additional conditions of use for information technology resources or facilities under their control. Such additional conditions must be consistent with or at least as restrictive as any governing Board of Regents or Administrative policy, and may contain additional details or guidelines.

REASON FOR POLICYRETURN TO TOP

The purpose of this policy is to outline the acceptable use of information technology resources at the University of Minnesota in order to:

  • Comply with legal and contractual requirements.
  • Protect the University against damaging legal consequences.
  • Safeguard these resources.
SubjectContactPhoneFax/Email
Primary Contact(s) Brian Dahlin 612-625-1505 bdahlin@umn.edu
Information Security University Chief Information Security Officer 612-625-1505 abuse@umn.edu
Legal Advice General Counsel 612-624-4100 ogcweb@umn.edu

DEFINITIONSRETURN TO TOP

Information Technology Resources (IT Resources)
Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive but rather reflects examples of equipment, supplies and services. This also includes services that are University owned, leased, operated or provided by the University or otherwise connected to University resources, such as cloud and Software-as-a-Service (SaaS), or any other connected/hosted service provided.
Security Measures
Processes, software, and hardware used by system and network administrators to ensure the confidentiality, integrity, and availability of information technology resources and data. Security measures may include reviewing files for potential or actual policy violations and investigating security-related issues.
Unit
Any organizational entity within the University . Includes, but is not limited to colleges, departments, centers, institutes, offices and programs.
University Community Member
University faculty, staff, students, and alumni are generally defined as members of the University community. The General Counsel may designate additional groups as members of the University Community.
User
Individuals or entities permitted to make use of University information technology resources, including students, staff, faculty, alumni, guests, sponsored affiliates, and other individuals who have an association with the University.

RESPONSIBILITIESRETURN TO TOP

User
  • Review, understand, and comply with policies, laws and contractual obligations related to access, acceptable use, and security of information technology resources.
  • Consult with University Information Security on acceptable use issues not specifically addressed in this policy.
  • Report possible violations of this policy to University Information Security (abuse@umn.edu).
Campus, College, and Department Administrators
  • Work with University Information Security to investigate alleged violations of this policy.
  • Report possible violations of this policy to University Information Security (abuse@umn.edu).
Technical Staff
  • Respond to questions from users related to appropriate use of information technology resources.
  • Work with University Information Security to investigate alleged violations of this policy.
  • Report possible violations of this policy to University Information Security (abuse@umn.edu).
University Chief Information Officer
  • Designate individuals who have the responsibility and authority for information technology resources.
  • Designate individuals who have the responsibility and authority for establishing policies for access to and acceptable use of information technology resources.
  • Designate individuals who have the responsibility and authority for monitoring and managing system resource usage.
  • Designate individuals who have the responsibility and authority for investigating alleged violations of this policy.
University Chief Information Security Officer
  • Delegate authority and responsibility for investigating violations of this policy.
  • Designate individuals who have the responsibility and authority to refer violations to appropriate University offices or law enforcement agencies for resolution or disciplinary action.
  • Designate individuals who have the responsibility and authority to employ security measures and ensure that appropriate and timely action is taken on acceptable use violations.
Office of Information Technology (OIT) – University Information Security
  • Investigate possible violations of this policy.
  • Refer alleged violations to appropriate University offices and law enforcement agencies for resolution or disciplinary action.
  • Ensure that appropriate and timely action is taken on alleged violations.
  • Coordinate with Internet Service Providers and law enforcement agencies on violations of this policy.
University Police Department
  • Respond to alleged violations of criminal law.
  • Coordinate all activities between the University and outside law enforcement agencies.
General Counsel
  • Provide legal advice to University staff to insure compliance with state and federal law including the classification of University data.

RELATED INFORMATIONRETURN TO TOP

Related Board of Regents Policies

Related Administrative Policies

Related Laws and Regulations

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Minnesota Government Data Practices Act
  • Payment Card Industry – Data Security Standard (PCI-DSS)
  • Computer Fraud and Abuse Act, 1986
  • Electronic Communications and Privacy Act

Related Appendix

Other

  • Mass Email Requirements and Guidelines
Amended:
August 2015 - Comprehensive review. Minor Revision. Update policy statement to include relevant policy content from other sections of the policy or appendix; update contacts, appendices, definitions, responsibilities, and related information section; remove administrative procedure on Reporting Violations of Acceptable Use of Information Technology Resources, remove administrative procedure on Taking Disciplinary Action, remove appendix University Network Operational Continuity, remove appendix Using Information Technology.
Amended:
August 2010 - The following appendices have been superceded by Administrative Policy: Securing Private Data, Computers and Other Electronic Devices:
  • Anti-Virus Standard
  • Critical Server Identification Guideline
  • Information Technology Support Guidelines
  • Information Technology Support Staffing Standard
  • Mac OS X Basic Desktop Security Guidelines
  • Password Standard
  • Physical Security for Critical Servers Guideline
  • Secure Data Deletion Standard
  • Securing Microsoft Domain Controller Standard
  • Securing Private Data Standard
  • Security Patch Application Standard
  • Server Security Guidelines
  • University Network Management Guidelines
  • Windows 2000/XP Basic Desktop Security Guidelines
  • Windows Vista Basic Desktop Security Guidelines

The following appendix was superceded by Administrative Policy: Wireless Network Infrastructure:

  • Wireless Access Point Technical Standards
Amended:
September 2007 - Added Windows Vista Basic Desktop Security Guidelines to Related Information and Appendices.
Amended:
July 2007 - Added Physical Security of Servers guideline to Related Information and Appendices.
Amended:
May 2007 - Updated Duluth Contacts.
Amended:
November 2006 - Added Password Standard to related information and appendices.
Amended:
October 2006 - Added Mac OS X Basic Desktop Security Guidelines to Related Information and to Appendices (Appendix P).
Amended:
May 2006 - Added this sentence to policy statement: "Units, campuses that grant guest access to University information technology resources must make their guests aware of User Rights and Responsibilities."
Amended:
April 2005 - Revised definitions and responsibilities section and procedure 2.8.1.1. Added Appendix N: Examples of Reportable Security Incidents and Appendix O: Critical Server Identification Guideline. These changes made to address issues related to HIPPA.
Amended:
July 2004 - Appendix E: OIT Securing Network Infrastructure Guideline was changed to a standard, and content was significantly revised. Title is now: University Network Standards for Network Security & Operational Continuity. Appendix G: Protecting Private Data Guidelines upgraded to Standards. Added Appendix L and M: Information Technology Support Staffing Standard, and Information Technology Support Guidelines.
Amended:
April 2004 - Title for appendix A is now: Using Information Technology Resources Standards to more accurately reflect that it is required. Appendix A was listed as a "guideline" before formal definitions of guidelines and standards were established.
Amended:
January 2004 - Critical Security Updates and Patches Guideline is now a Standard. Added OIT Server Installation Security Guidelines and OIT Windows 2000/XP Desktop Installation Guidelines to Related Information and Appendices.
Amended:
August 2003 - Added Procedure 2.8.1.3 - Notifications for Copyright Infringement.
Amended:
March 2003 - Added Critical Security Updates & Patches Guideline and Secure Data Deletion Standard to Related Information and Appendices. Amended: October 2002 - Updated contacts section and Reporting Violations procedure with correct email address and phone number for abuse complaints.
Amended:
September 2002 - Added links to Securing Network Infrastructure Guideline, Securing Microsoft Domain Controller Guideline and Protecting Private Data Guideline to Related Information and Appendices.
Amended:
May 2002 - Added links to OIT Anti-Virus Standards and OIT Wireless Access Point Technical Standards to Related Information and to Appendices.
Amended:
September 2001 - Added link to University Network Management Guidelines in Related information.
Amended:
July 2000 - Updated Appendix A and Related Information sections.
Amended:
April 1999 - Updated and reordered Contacts section, and Procedure 2.8.1.1, Reporting Violations.
Amended:
August 1998 - Revised Policy Statement, Responsibilities, Definitions and Appendix A: Guidelines for Using Information Technology Resources. Updated and reorganized related information section. Intent of the revision is to more clearly address issues related to commercial use, spamming, University ownership of data, and University liability for personal or unauthorized use. Title changed from Acceptable Use of Computers, Networking, and Information Technology to Acceptable Use of Information Technology Resources. Responsible Officer changed from Executive Vice President and Provost to Chief Information Officer.
Amended:
December 1997 - Responsible Officer changed from Senior Vice President of Academic Affairs to Executive Vice President and Provost.
Effective:
December 1996

Document Feedback

Date Revised

August 2015

Date Effective

December 1996