Acceptable Use of Information Technology Resources
- Vice President and CIO, Office of Information Technology
- Chief Information Security Officer, Office of Information Technology
- Brian Dahlin
Computers and other information technology resources are essential tools in accomplishing the University's mission. Information technology resources are valuable assets to be used and managed responsibly to ensure their integrity, confidentiality, and availability for appropriate research, education, outreach and administrative objectives of the University of Minnesota. University community members are granted access to these resources in support of accomplishing the University’s mission.
All users of University information technology resources, whether or not affiliated with the University, are responsible for their appropriate use, and by their use, agree to comply with all applicable Board of Regents policies; University Administrative policies; federal, state and local laws; and contractual obligations. These include but are not limited to information security, data privacy, commercial use, and those that prohibit harassment, theft, copyright and licensing infringement, and unlawful intrusion and unethical conduct.
Units that grant guest access to information technology resources must make their guests aware of their acceptable use responsibilities. The University accepts no responsibility or liability for any personal or unauthorized use of its resources by users.
Acceptable use includes, but is not limited to, respecting the rights of other users, avoiding actions that jeopardize the integrity and security of information technology resources, and complying with all pertinent licensing and legal requirements. Users with access to University of Minnesota information technology resources must agree to and accept the following:
- Only use information technology resources they are authorized to use and only in the manner and to the extent authorized. Ability to access information technology resources does not, by itself, imply authorization to do so.
- Only use accounts, passwords, and/or authentication credentials that they have been authorized to use for their role at the University.
- Protect their University-assigned accounts and authentication (e.g., password, and/or authentication credentials) from unauthorized use.
- Only share data with others as allowed by applicable policies and procedures, and dependent on their assigned role.
- Comply with the security controls on all information technology resources used for University business, including but not limited to mobile and computing devices, whether University or personally owned.
- Comply with licensing and contractual agreements related to information technology resources.
- Comply with intellectual property rights (e.g., as reflected in licenses and copyrights).
- Accept responsibility for the content of their personal communications and may be subject to any personal liability resulting from that use.
Unacceptable use includes and is not limited to the following list. Users are not permitted to
- Share authentication details or provide access to their University accounts with anyone else (e.g., sharing the password).
- Circumvent, attempt to circumvent, or assist another in circumventing the security controls in place to protect information technology resources and data.
- Knowingly download or install software onto University information technology resources, or use software applications, which do not meet University security requirement, or may interfere or disrupt service, or do not have a clear business or academic use.
- Engage in activities that interfere with or disrupt users, equipment or service; intentionally distribute viruses or other malicious code; or install software, applications, or hardware that permits unauthorized access to information technology resources.
- Access information technology resources for which authorization may be erroneous or inadvertent.
- Conduct unauthorized scanning of University information technology resources.
- Engage in inappropriate use, including but not limited to:
- Activities that violate state or federal laws, regulations, or University policies.
- Widespread dissemination of unsolicited and unauthorized electronic communications.
- Engage in excessive use of system information technology, including but not limited to network capacity. Excessive use means use that is disproportionate to that of other users, or is unrelated to academic or employment-related needs, or that interferes with other authorized uses. Units may require users to limit or refrain from certain activities in accordance with this provision.
Privacy and Security Measures
Users must not violate the privacy of other users. Technical ability to access others’ accounts does not, by itself, imply authorization to do so.
Users play an important role in the protection of their personal information. All faculty, staff and students are required to use all available user specific security controls provided by the University (including multi-/two-factor authentication) and meet the user specific controls in Administrative Policy: Information Security to assist in the protection of University assets and the protection of their personal information and assets. Failure on the part of faculty, staff or students to employ in good faith the available security controls and to secure their personal information appropriately will mean that the University will not reimburse the faculty, staff or student for the loss of misdirected salary, expense reimbursements, financial aid or any other assets.
Employees must understand that any records and communications they create related to University business, electronic or otherwise, on a University or personally owned device, may be subject to disclosure under the Minnesota Government Data Practices Act.
The University takes reasonable measures to protect the privacy of its information technology resources and accounts assigned to individuals. However, the University does not guarantee absolute security and privacy. Users should be aware that any activity on information technology resources may be monitored, logged and reviewed by University-approved personnel or may be discovered in legal proceedings. The University assigns responsibility for protecting its resources and data to technical staff, data owners, and data custodians, who treat the contents of individual assigned accounts and personal communications as private and do not examine or disclose the content except:
- as required for system maintenance including security measures;
- when there exists reason to believe an individual is violating the law or University policy; and/or
- as permitted by applicable policy or law.
The University reserves the right to employ security measures. When it becomes aware of violations, either through routine system administration activities or from a complaint, it is the University's responsibility to investigate as needed or directed, and to take necessary actions to protect its resources and/or to provide information relevant to an investigation.
Individuals who use information technology resources that violate a University policy, law(s), regulations, contractual agreement(s), or violate an individual’s rights, may be subject to limitation or termination of user privileges and appropriate disciplinary action, legal action, or both. Alleged violations will be referred to the appropriate University office or law enforcement agency.
The University may temporarily deny access to information technology resources if it appears necessary to protect the integrity, security, or continued operation of these resources or to protect itself from liability.
Individuals or units should report non-compliance with this policy to University Information Security (email@example.com). To report anonymously, use the University UReport confidential reporting system.
Units within the University may define additional conditions of use for information technology resources or facilities under their control. Such additional conditions must be consistent with or at least as restrictive as any governing Board of Regents or Administrative policy, and may contain additional details or guidelines.
Reason for Policy
The purpose of this policy is to outline the acceptable use of information technology resources at the University of Minnesota in order to:
- Comply with legal, regulatory, and contractual requirements.
- Protect the University against damaging legal consequences.
- Safeguard these resources.
|Primary Contact(s)||Brian Dahlinfirstname.lastname@example.org|
|Information Security||University Information Securityemail@example.com|
|Legal Advice||General Counselfirstname.lastname@example.org|
- Data Custodian
- The University designated individual responsible for serving as a steward of University data in a particular area (e.g., principal investigator (PI)).
- Data Owner
- The individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data (e.g., research). Where there is a designated University compliance officer, the compliance officer is generally the data owner.
- Use of University information technology resources in ways that have the purpose or effect of adversely affecting the safety, security, or privacy of others. This form of harassment may include but is not limited to: 1) computer or other electronic communications that are repeated, unwelcome, and likely to humiliate, threaten or intimidate, 2) electronic monitoring of the whereabouts of others, and 3) unauthorized accessing of others’ personal online accounts and information. See the University Policy Library for policies that cover other types of harassment (e.g. Administrative Policy: Sexual Harassment, Sexual Assault, Stalking and Relationship Violence).
- Information Technology Resources (IT Resources)
- Facilities, technologies, and information resources used for information retrieval, processing, transfer, storage, and communications in support of University research, education, outreach, and administrative needs. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, licensed information resources, and research and instructional materials. This definition is not all inclusive but rather reflects examples of equipment, supplies and services. This also includes services that are University owned, leased, operated or provided by the University or otherwise connected to University resources, such as cloud and Software-as-a-Service (SaaS) or Infrastructure-as-a-service (IaaS), or any other connected/hosted service.
- Personal Assets
- Personally owned mobile and computing devices, including but not limited to a smartphone, tablet, or computer.
- Personal Information
- Information that relates to the community member as an individual, including but not limited to bank account number and social security number.
- Security Measures
- Processes, software, and hardware used by system and network administrators to ensure the confidentiality, integrity, and availability of information technology resources and data. Security measures may include reviewing files for potential or actual policy violations and investigating security-related issues.
- Any organizational entity within the University. Includes, but is not limited to colleges, departments, centers, institutes, offices and programs.
- University Community Member
- A University community member is a student, faculty, or staff member, University guest, alumni, volunteer, contractor, or employee of an affiliated entity.
- Individuals or entities permitted to make use of University information technology resources, including students, staff, faculty, alumni, guests, sponsored affiliates, and other individuals who have an association with the University.
- Review, understand, and comply with policies, laws and contractual obligations related to access, acceptable use, and security of information technology resources.
- Consult with University Information Security on acceptable use issues not specifically addressed in this policy.
- Protect personal information and personal assets used to access personal information or University data.
- Follow the user specific security controls in Administrative Policy: Information Securityon personal assets, including but not limited to encryption, patching, virus protection, and two-factor authentication.
- Report possible violations of this policy to University Information Security (email@example.com). To report anonymously, use the University UReport confidential reporting system.
- Campus, College, and Department Administrators
- Work with University Information Security to investigate alleged violations of this policy.
- Report possible violations of this policy to University Information Security (firstname.lastname@example.org).
- Data Custodian, Data Owner, Technical Staff
- Protect the privacy of users, unless designated as University-approved personnel to monitor, examine or disclose this information.
- Respond to questions from users related to appropriate use of information technology resources.
- Work with University Information Security to investigate alleged violations of this policy.
- Report possible violations of this policy to University Information Security (email@example.com).
- University Chief Information Officer
- Designate individuals who have the responsibility and authority for information technology resources.
- Designate individuals who have the responsibility and authority for establishing policies for access to and acceptable use of information technology resources.
- Designate individuals who have the responsibility and authority for monitoring and managing system resource usage.
- Designate individuals who have the responsibility and authority for investigating alleged violations of this policy.
- University Chief Information Security Officer
- Delegate authority and responsibility for investigating violations of this policy.
- Designate individuals who have the responsibility and authority to refer violations to appropriate University offices or law enforcement agencies for resolution or disciplinary action.
- Designate individuals who have the responsibility and authority to employ security measures and ensure that appropriate and timely action is taken on acceptable use violations.
- Office of Information Technology (OIT) – University Information Security
- Investigate possible violations of this policy.
- Refer alleged violations to appropriate University offices and law enforcement agencies for resolution or disciplinary action.
- Ensure that appropriate and timely action is taken on alleged violations.
- Coordinate with Internet Service Providers and law enforcement agencies on violations of this policy.
- University Police Department
- Respond to alleged violations of criminal law.
- Coordinate all activities between the University and outside law enforcement agencies.
- General Counsel
- Provide legal advice to University staff to insure compliance with state and federal law including the classification of University data.
- Identify groups to include as University community members.
Related Board of Regents Policies
Related Administrative Policies
- Managing University Records Retention
- Copyright Ownership
- Data Security Breach
- Information Security
- Sexual Harassment, Sexual Assault, Stalking and Relationship Violence
Related Laws, Regulations, and Contracts
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Minnesota Government Data Practices Act
- Payment Card Industry Data Security Standard (PCI DSS)
- Gramm–Leach–Bliley Act (GLBA)
- Computer Fraud and Abuse Act, 1986
- Electronic Communications and Privacy Act
- Mass Email Requirements and Guidelines
- Practice Safe Computing- General Information on Available Security Controls
- Recognize and Report Information Security Incidents
- October 2019 - Comprehensive Review.
- Clarified and modified policy statement section
- Updated the appendices
- Updated and added definitions/responsibilities to align with definitions/responsibilities in other Information Security policies
- Moved the Notifications for Copyright Infringement procedure to FAQ
- Updated Related Information to remove a since retired policy and add a link to recognize and report information security incidents
- Added an associated procedure Report Information Security Incidents. The review of the procedure is part of the comp review for Data Security Breach.
- Update the definitions to align with the definitions in the other information security policies
- Update the responsibilities to add Data Custodians and Data Owners
- Update the Related Information section to remove the Internal Access to and Sharing University Information policy that was retired June 2019 and add a link to Recognize and Report Information Security Incidents
- January 2019 - Establishing that reimbursements of salary, expenses, financial aid, and any other forms of reimbursement will not be provided if the original disbursement is stolen due to the individual not enabling available security controls that would have prevented the theft.
- August 2015 - Comprehensive review. Minor Revision. Update policy statement to include relevant policy content from other sections of the policy or appendix; update contacts, appendices, definitions, responsibilities, and related information section; remove administrative procedure on Reporting Violations of Acceptable Use of Information Technology Resources, remove administrative procedure on Taking Disciplinary Action, remove appendix University Network Operational Continuity, remove appendix Using Information Technology.
- August 2010 - The following appendices have been superceded by Administrative Policy: Securing Private Data, Computers and Other Electronic Devices:
- Anti-Virus Standard
- Critical Server Identification Guideline
- Information Technology Support Guidelines
- Information Technology Support Staffing Standard
- Mac OS X Basic Desktop Security Guidelines
- Password Standard
- Physical Security for Critical Servers Guideline
- Secure Data Deletion Standard
- Securing Microsoft Domain Controller Standard
- Securing Private Data Standard
- Security Patch Application Standard
- Server Security Guidelines
- University Network Management Guidelines
- Windows 2000/XP Basic Desktop Security Guidelines
- Windows Vista Basic Desktop Security Guidelines
The following appendix was superceded by Administrative Policy: Wireless Network Infrastructure:
- Wireless Access Point Technical Standards
- September 2007 - Added Windows Vista Basic Desktop Security Guidelines to Related Information and Appendices.
- July 2007 - Added Physical Security of Servers guideline to Related Information and Appendices.
- May 2007 - Updated Duluth Contacts.
- November 2006 - Added Password Standard to related information and appendices.
- October 2006 - Added Mac OS X Basic Desktop Security Guidelines to Related Information and to Appendices (Appendix P).
- May 2006 - Added this sentence to policy statement: "Units, campuses that grant guest access to University information technology resources must make their guests aware of User Rights and Responsibilities."
- April 2005 - Revised definitions and responsibilities section and procedure 126.96.36.199. Added Appendix N: Examples of Reportable Security Incidents and Appendix O: Critical Server Identification Guideline. These changes made to address issues related to HIPPA.
- July 2004 - Appendix E: OIT Securing Network Infrastructure Guideline was changed to a standard, and content was significantly revised. Title is now: University Network Standards for Network Security & Operational Continuity. Appendix G: Protecting Private Data Guidelines upgraded to Standards. Added Appendix L and M: Information Technology Support Staffing Standard, and Information Technology Support Guidelines.
- April 2004 - Title for appendix A is now: Using Information Technology Resources Standards to more accurately reflect that it is required. Appendix A was listed as a "guideline" before formal definitions of guidelines and standards were established.
- January 2004 - Critical Security Updates and Patches Guideline is now a Standard. Added OIT Server Installation Security Guidelines and OIT Windows 2000/XP Desktop Installation Guidelines to Related Information and Appendices.
- August 2003 - Added Procedure 188.8.131.52 - Notifications for Copyright Infringement.
- March 2003 - Added Critical Security Updates & Patches Guideline and Secure Data Deletion Standard to Related Information and Appendices. Amended: October 2002 - Updated contacts section and Reporting Violations procedure with correct email address and phone number for abuse complaints.
- September 2002 - Added links to Securing Network Infrastructure Guideline, Securing Microsoft Domain Controller Guideline and Protecting Private Data Guideline to Related Information and Appendices.
- May 2002 - Added links to OIT Anti-Virus Standards and OIT Wireless Access Point Technical Standards to Related Information and to Appendices.
- September 2001 - Added link to University Network Management Guidelines in Related information.
- July 2000 - Updated Appendix A and Related Information sections.
- April 1999 - Updated and reordered Contacts section, and Procedure 184.108.40.206, Reporting Violations.
- August 1998 - Revised Policy Statement, Responsibilities, Definitions and Appendix A: Guidelines for Using Information Technology Resources. Updated and reorganized related information section. Intent of the revision is to more clearly address issues related to commercial use, spamming, University ownership of data, and University liability for personal or unauthorized use. Title changed from Acceptable Use of Computers, Networking, and Information Technology to Acceptable Use of Information Technology Resources. Responsible Officer changed from Executive Vice President and Provost to Chief Information Officer.
- December 1997 - Responsible Officer changed from Senior Vice President of Academic Affairs to Executive Vice President and Provost.
- December 1996