Lawriter - OAC - 3356-4-09 Acceptable use of university technology resources.

3356-4-09 Acceptable use of university technology resources.

(A) Policy statement. University technology resources are provided to the university community to support its academic and administrative functions in accordance with its teaching, research, and service missions. These resources are intended to be used for the educational and business purposes of the university in compliance with this policy.

(B) General statement.

(1) Technology resources (computing, networking, data and network services) are provided to the university community in order to fulfill the mission of the university.

(2) While the university recognizes the importance of academic freedom and freedom of expression, as a public employer, the university also has a responsibility to comply with all federal and state laws and regulations, as well as the obligation to fulfill its mission.

(3) Use of university-owned technology to access resources other than those supporting the academic, administrative, educational, research and services missions of the university or for more than limited, responsible personal use conforming to this policy is prohibited.

(4) Technology resources provided by the university are the property of the university. University-owned technology is not intended to supersede the need for technology purchases for personal purposes.

(5) As the university is a public entity, information in an electronic form may also be subject to disclosure under the Ohio public records act to the same extent as if they existed on paper. All use is subject to the identification of each individual using technology resources (authentication).

(6) Use of technology is subject to the requirements of legal and ethical behavior and is intended to promote a productive educational and work environment.

(C) Policy. All users of the university-owned technology resources (computing, networking and data), regardless of affiliation with the university, must:

(1) Use only those technology resources that they are authorized to use and use them only in the manner and to the extent authorized.

(2) Protect the confidentiality, integrity and availability of technology resources.

(3) Comply with all federal, Ohio, and other applicable law as well as applicable regulations, contracts, and licenses.

(4) Comply with all applicable policies at Youngstown state university ("YSU").

(5) Respect the right of other technology users to be free from harassment or intimidation.

(6) Respect copyrights, intellectual property rights, and ownership of files and passwords.

(7) Respect the privacy of other users and their accounts, regardless of whether those accounts are securely protected.

(8) Respect the finite capacity of technology resources and limit use so as not to consume an unreasonable amount of or abuse those resources or to interfere unreasonably with the activity of other users or to disrupt the authorized activities of the university.

(9) Limit personal use of university technology resources so that such use does not interfere with one's responsibilities to the university.

(10) Not attempt to circumvent information technology security systems or the university "Information Security Practice."

(11) Not use any radio spectrum space on any YSU-owned or YSU-occupied property, unless it is part of an approved wireless services deployment by the university.

(12) Not use technology resources for personal commercial purposes or for personal financial or other gain unless specifically approved by the university.

(13) Not state or imply that they speak on behalf of the university without authorization to do so and not use university trademarks and logos without authorization to do so.

(D) Scope. This policy applies to all users and uses of university-owned technology resources (including those acquired through grant processes) as well as to any non-YSU and/or remote technology devices while connected to the YSU network.

(E) User responsibilities.

(1) By accepting employment being admitted as a student or asking for any guest technology resource privileges, users implicitly agree to adhere to this policy and agree to the university "Information Security Practice."

(2) Users are responsible for any activity performed using their usernames and passwords except when account security is compromised by actions beyond the user's control.

(3) Users are responsible for any activity performed on university-owned technology devices assigned to them except when the device is compromised by actions beyond the user's control.

(4) There is no expectation of personal privacy when using university resources. (See paragraph F of this rule .)

(5) Potential violations regarding use of technology resources should be reported to the appropriate supervisor(s) or manager(s).

(6) Users are responsible for ensuring that critical data are backed up and available to be restored for systems not administered by information systems technology. This includes critical information contained on technology devices oriented to individual use (e.g., desktops, laptops, smart phones, and similar such devices).

(7) Users are responsible for maintaining data in compliance with the university records retention plan.

(8) Users are responsible for ensuring that sensitive information to which they have access is guarded against theft. (See rule 3356-4-13 of the Administrative Code for more information.)

(9) Personal use of computing resources not otherwise addressed in this policy or these procedures will generally be permitted if such use does not consume a significant amount of resources, does not interfere with the performance of an individual's job or other university responsibilities, and is otherwise in compliance with university policies.

(F) No expectation of privacy.

(1) The university does not routinely monitor specific individual end-user usage of its technology resources. However, the university does routinely monitor technology resource usage in the normal operation and maintenance of the university's computing, network and data resources. This monitoring includes the caching and backing up of data and communications, the logging of activity, the monitoring of general usage patterns, the scanning of systems and networks for anomalies and vulnerabilities, the filtering of malicious traffic, and other activities that are necessary for the rapid and efficient delivery of services. Technology users should be aware that there is no expectation of privacy associated with the use of university technology resources.

(2) When authorized by the office of the general counsel, the university may also specifically monitor the activity and accounts of individual end-users of university technology resources, including login sessions, file systems, and communications.

(3) When authorized by the appropriate university executive (president or vice president), the university may access end-user accounts, files, or communications used for university business when needed by a supervisor or assigned personnel for university business and the end-user is unavailable.

(4) The university, in its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications, to appropriate university personnel, student conduct, or law enforcement agencies and may use those results in appropriate university disciplinary proceedings.

(5) Personal computing devices:

(a) Personal computing devices (laptops, desktops, tablets, cellular phones) are restricted to the campus wireless network or the residence hall network.

(b) No personal computing devices will be allowed to connect to the wired campus network (excluding the residence hall network).

(c) Personal computing devices must comply with university "Information Security Practice" when using the campus wireless network or other provided university technology resource.

(d) Personal computing devices used to conduct university business are subject to public records requests.

(e) Personal hubs, routers, switches, or wireless access points are prohibited from being connected to either the university's wired or wireless network.

(G) Security. The university employs various measures (i.e., the university's "Information Security Practice") to protect the security of information technology resources and user accounts; however, users should be aware that the university cannot provide good security without user participation. Users should increase their technology security awareness and fully employ access restrictions for their accounts, including using strong passwords, guarding passwords diligently and changing passwords regularly to help safeguard their use of technology.

(H) Additional policy ramifications. Users must abide by all applicable restrictions, whether or not they are built into the computing system, network or information resource and whether or not they can be circumvented by technical or other means. Individuals who engage in electronic communications with persons in other states or countries or on other systems or networks may also be subject to the laws of those states and countries and the rules and policies of those technology systems and information resources.

(I) Examples of unacceptable use:

(1) As a further aid to policy compliance, the following non-exhaustive list is provided of activities that are prohibited.

(a) Using technology resources to engage in fraud, defamatory, abusive, unethical, indecent, obscene, pornographic and/or unlawful activities is prohibited.

(b) Using technology resources to procure, solicit, or transmit material that is in violation of sexual, racial or other harassment or hostile workplace laws is prohibited.

(c) Any form of harassment by electronic means (e.g., email, web access, phone, paging), whether through language, content, frequency or size of messages is prohibited.

(d) Making fraudulent offers of products, items or services using any university technology resource is prohibited.

(e) Using technology resources for unauthorized or inappropriate financial gain, unauthorized solicitation, or activities associated with a for-profit business, or engaging in an activity that involves a conflict of interest. (Refer to rules 3356-7-01 and 3356-7-19 of the Administrative Code.)

(f) Creating or forwarding chain letters, Ponzi, or other pyramid schemes is prohibited.

(g) Broadcasting of unsolicited mail or messages is prohibited. Examples include chain letters, virus hoaxes, spam mail, and other email schemes that may cause excessive network traffic. Sending large numbers of electronic mail messages for official university purposes necessitates following the university's procedures for the electronic distribution of information.

(h) Sending junk mail or advertising material to individuals who did not specifically request such material (email spam) is prohibited.

(i) Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed is prohibited.

(j) Unauthorized copying and downloading of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music and films and the installation of any copyrighted software for which an active license has not been procured is prohibited.

(k) Circumventing user authentication or security of any host, network or account is prohibited. This includes, but is not limited to, monitoring by use of keylogging or session logging.

(l) Revealing your account password to others or allowing use of your account by others is prohibited. This prohibition extends to family, other household members, friends and/or co-workers.

(m) Attempting to log onto another user's account (secured or otherwise) is prohibited.

(n) Sending electronic communications in such a way that masks the source or makes it appear to come from another source is prohibited.

(o) Personal use beyond limited responsible use is prohibited.

(2) Individual university staff may be exempted from these restrictions on a case-by-case basis (with written authorization according to the university "Information Security Practice") in the course of performing legitimate job responsibilities.

(3) Special procedures exist and must be followed to ensure that accounts for employees are secured with passwords known to only the account holder but may be changed at the request of the area supervisor and approved by the supervisor's vice president or the president.

(4) Under no circumstances is an employee of Youngstown state university authorized to engage in any activity that is unethical or illegal under local, state or federal law while utilizing university-owned resources.

(J) Enforcement.

(1) The office of the chief technology officer may suspend and/or restrict either an individual's or a device's access to the university network resource if:

(a) It is deemed necessary to maintain the security or functionality of the network resource.

(b) It is deemed necessary to protect the university from potential liability.

(c) The account, system, or device is believed to have been either compromised or is in violation of this policy.

(2) The office of the chief technology officer must immediately report the enforcement action and the justification for the action to the vice president of student affairs, vice president for finance and administration, or provost (or their designee), as applicable. The university may permanently suspend all technology access of anyone using the university network resource until due process has been completed by student conduct, employee administrative discipline and/or law enforcement agencies.

Replaces: 3356:1-14-11

Effective: 9/1/2013
Promulgated Under: 111.15
Statutory Authority: 3356
Rule Amplifies: 3356
Prior Effective Dates: 6/16/03, 5/28/11, 6/17/13