University of Minnesota
University Relations
http://www.umn.edu/urelate
612-624-6868
University of Minnesota
POLICY LIBRARY
POLICY
University of Minnesota
University of Minnesota
University M logo on red background
ADMINISTRATIVE POLICY
Home : Information Technology : Acceptable Use and Information Security

Acceptable Use of Information Technology Resources

Effective Date: December 1996
Last Update: August 2010
Responsible University Officer:
  • Vice President for Information Technology
Policy Owner:
  • Vice President for Information Technology
Policy Contact:
CONSULTED WITH: University Senate

Printed on: . Please go to http://policy.umn.edu for the most current version of the Policy or related document.

POLICY STATEMENT

Computers, networks and electronic information systems are essential resources for accomplishing the University's mission of instruction, research, and service outreach. The University grants members of the University community shared access to these resources in support of accomplishing the University's mission.

These resources are a valuable community asset to be used and managed responsibly to ensure their integrity, security, and availability for appropriate educational and business activities. All authorized users of these resources are required to use them in an effective, efficient, and responsible manner.

Users must be aware of User Rights and Responsibilities, which outline liability for personal communication, privacy and security issues, and consequences of violations. Users should also be aware of the University's Rights and Responsibilities, as well as any additional requirements of their individual unit or campus. Units, campuses that grant guest access to University information technology resources must make their guests aware of User Rights and Responsibilities. A list of relevant University information technology policies, standards, and guidelines is available in the Appendices section.

REASON FOR POLICY

The purpose of this policy is:

  • to safeguard the integrity of computers, networks, and data, either at the University or elsewhere;
  • to ensure that use of electronic communications complies with University policies;
  • to protect the University against damaging legal consequences.

PROCEDURES

FORMS/INSTRUCTIONS

There are no forms associated with this policy.

APPENDICES

FREQUENTLY ASKED QUESTIONS

There is no FAQ for this policy.

ADDITIONAL CONTACTS

Subject
Contact
Phone
Fax/Email
Primary Contact(s)
612-625-1505

University of Minnesota - Twin Cities Campus

Subject
Contact
Phone
Fax/Email
Threatening behavior
- Emergency
- Non-emergency
- Advice


U Police

911
612-624-3550
 
Legal Advice
General Counsel
612-624-4100
 
Computer Misuse
- Emergency/In-Progress Attacks
- After-the-Fact Reports and Account Misuse
 

612-301-4357 (1-HELP)

University of Minnesota - Duluth

Subject
Contact
Phone
Fax/Email
Computer Misuse
UMD Help Desk
218-726-8847
Emergency
UMD Police
218-726-7000 or 911
 
Non-emergency UMD
UMD Help Desk
218-726-8847
 
Policy Interpretations (UMD only)
Linda Deneen
218-726-7588
 

University of Minnesota - Morris

Subject
Contact
Phone
Fax/Email
Computer Misuse
 
320-589-6378
Threatening or criminal behavior
- Emergency & nonemergency
UMM Campus Security
320-589-6000
 
Policy Interpretations (UMM only)
David Loewi
320-589-6397
 

DEFINITIONS

Acceptable Use
This term consists of these related concepts:
  • Information/data and systems may only be used by authorized individuals to accomplish tasks related to their jobs. Use of the information and systems for personal gain, personal business, or to commit fraud is prohibited.
  • Information not classified as Public must be protected, and must not be disclosed without authorization. Unauthorized access, manipulation, disclosure, or secondary release of such information constitutes a security breach, and may be grounds for disciplinary action up to and including termination of employment.
Authorized User
Individual or entity permitted to make use of University computer or network resources. Authorized users include students, staff, faculty, alumni, sponsored affiliates, and other individuals who have an association with the University that grants them access to University information technology resources. Some users may be granted additional authorization to access institutional data as authorized by the data owner or custodian.
Data Custodian
Representatives of the University who are assigned responsibility to serve as a steward of University data in a particular area. They are responsible for developing procedures for creating, maintaining, and using University data, based on University policy and applicable state and federal laws.
Information Technology Resources
Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, instructional materials. This definition is not all inclusive but rather reflects examples of University equipment, supplies and services.
Security Incident
An intentional or accidental occurrence affecting information or related technology in which there is a loss of data confidentiality or integrity, or a disruption and/or denial of availability.
Security Measures
Processes, software, and hardware used by system and network administrators to ensure the confidentiality, integrity, and availability of the information technology resources and data owned the University and its authorized users. Security measures may include reviewing files for potential or actual policy violations and investigating security-related issues.

RESPONSIBILITIES

User's Rights and Responsibilities
Members of the University community are granted access to information technology resources in order to facilitate their University-related academic, research, and job activities. The Regents Policy on Academic Freedom extends to information resources that are available electronically. However, by using these resources, users agree to abide by all relevant University of Minnesota policies and procedures, as well as all current federal, state, and local laws. These include but are not limited to University policies and procedures related to harassment, plagiarism, commercial use, security, and unethical conduct, and laws prohibiting theft, copyright and licensing infringement, unlawful intrusions, and data privacy laws.
When guests are granted access to information technology resources they must abide by all relevant University of Minnesota policies, as well as all current federal, state, and local laws. These include but are not limited to University policies and procedures related to harassment, plagiarism, commercial use, security, and unethical conduct, and laws prohibiting theft, copyright and licensing infringement, unlawful intrusions, and data privacy laws.
Users are responsible for:
  • reviewing, understanding, and complying with all policies, procedures and laws related to access, acceptable use, and security of University information technology resources;
  • asking systems administrators or data custodians for clarification on access and acceptable use issues not specifically addressed in University policies, rules, standards, guidelines, and procedures; and
  • reporting possible policy violations to the appropriate entities listed in this document (in the Contacts and Procedures sections).
Liability for Personal Communications
Users of University information technology resources are responsible for the content of their personal communications. The University accepts no responsibility or liability for any personal or unauthorized use of its resources by users.
Privacy and Security Awareness
Users should be aware that although the University takes reasonable security measures to protect the security of its computing resources and accounts assigned to individuals, the University does not guarantee absolute security and privacy. Users should follow the appropriate security procedures listed in the Using Information Technology Resources appendix to assist in keeping systems and accounts secure.

The University assigns responsibility for protecting its resources and data to system administrators and data custodians, who treat the contents of individually assigned accounts and personal communications as private and does not examine or disclose the contents except:

  1. as required for system maintenance including security measures;
  2. when there exists reason to believe an individual is violating the law or University policy; and/or
  3. as permitted by applicable policy or law.
Consequences of Violations
Access privileges to the University's information technology resources will not be denied without cause. If in the course of an investigation, it appears necessary to protect the integrity, security, or continued operation of its computers and networks or to protect itself from liability, the University may temporarily deny access to those resources. Alleged policy violations will be referred to appropriate University investigative and disciplinary units. For example, alleged violations by students may be directed to the Student Judicial Affairs office. The University may also refer suspected violations of law to appropriate law enforcement agencies. Depending on the nature and severity of the offense, policy violations may result in loss of access privileges, University disciplinary action, and/or criminal prosecution.
The University's Rights and Responsibilities
As owner of the computers and networks that comprise the University's technical infrastructure, the University owns all official administrative data that resides on its systems and networks, and is responsible for taking necessary measures to ensure the security of its systems, data, and user's accounts. The University does not seek out personal misuse. However, when it becomes aware of violations, either through routine system administration activities or from a complaint, it is the University's responsibility to investigate as needed or directed, and to take necessary actions to protect its resources and/or to provide information relevant to an investigation.
Individual units within the University may define additional conditions of use for resources or facilities under their control. Such additional conditions must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions.
Roles and responsibilities for specific University entities and individuals are defined in greater detail below.
Chief Information Officer
  • Designate individuals who have the responsibility and authority for information technology resources.
  • Establish and disseminate enforceable rules regarding access to and acceptable use of information technology resources.
  • Establish reasonable security policies and measures to protect data and systems.
  • Monitor and manage system resource usage.
  • Investigate problems and alleged violations of University information technology policies.
  • Refer violations to appropriate University offices such as the Office of the General Counsel and the University Police Department for resolution or disciplinary action.
Campuses, Colleges, or Departments
  • Create, disseminate and enforce conditions of use that are consistent with University-wide policies for the University facilities and/or resources under their control.
  • Monitor the use of University resources under their control.
  • Investigate problems and alleged violations of University information technology policies.
  • Refer violations to appropriate University offices such as the Office of the General Counsel and the University Police Department for resolution or disciplinary action. Possible policy violations should be reported to the appropriate entity as listed in the Contacts section of this document.
Data Custodians
  • Grant authorized users appropriate access to the data and applications for which they are stewards, working with University data security and network personnel to limit access to authorized users with a legitimate role-based need.
  • Review access rights of authorized users on a regular basis.
  • Respond to questions from users relating to appropriate use of system/network resources.
  • Implement and oversee processes to retain or purge information according to University records retention schedules.
  • Determine the criticality and sensitivity of the data and/or applications for which they are stewards; determine which University data is public and private based on University definitions, in consultation with the University's Office of Records and Information Management.
  • Ensure that appropriate security measures and standards are implemented and enforced for the data under their control, in a method consistent with University policies and sound business practices. The security measures implemented should be based on the criticality, sensitivity, and public or private nature of the data, and may include methodologies, change management, and operational recovery plans.
  • Investigate problems and alleged violations of University information technology policies.
  • Refer violations to appropriate University offices such as the Office of the General Counsel and the University Police Department for resolution or disciplinary action.
System/Network Administrator
  • Take reasonable action to ensure the authorized use and security of data, networks, and the communications transiting the system or network.
  • Participate and advise as requested in developing conditions of use or authorized use procedures.
  • Respond to questions from users relating to appropriate use of system/network resources.
  • Cooperate with appropriate University departments and law enforcement officials in investigating alleged violations of policy or law.
Office of Records and Information Management
  • Assist data custodians in classifying information as public or private. Secure official rulings from the Office of the General Counsel on public and private information.
University Police Department
  • Respond to alleged violations of criminal law.
  • Coordinate all activities between the University and outside law enforcement agencies.
General Counsel
  • Provide legal advice on official rulings on public, private and confidential information.
University Office of Information Technology Security
Protect the University network, systems, and data. Coordinate with designated campus, collegiate, or unit technical and security staff to ensure the confidentiality, integrity, and availability of University systems and ensure that appropriate and timely action is taken. Determine if an on-site technical security evaluation is necessary and if any mitigation steps will be required. Coordinate with the unit technical/security staff to assure that appropriate diagnostic, protective, remedial, and other actions are taken as necessary to protect University resources. Coordinate with the appropriate University offices (compliance, legal, human resources, and student conduct) as well as external Internet Service Providers (ISPs) and law enforcement as necessary.

RELATED INFORMATION

Related Policies

Campus-specific Policies

University of Minnesota - Duluth
Policy on the Appropriate Use of Information Technology
University of Minnesota - Morris
UMM Computing Ethics Policy
State of Minnesota:
Federal:
  • Computer Fraud and Abuse Act, 1986
  • Electronic Communications and Privacy Act
  • Family Educational Rights and Privacy Act (FERPA)

HISTORY

Amended:
August 2010 - The following appendices have been superceded by Administrative Policy: Securing Private Data, Computers and Other Electronic Devices:
  • Anti-Virus Standard
  • Critical Server Identification Guideline
  • Information Technology Support Guidelines
  • Information Technology Support Staffing Standard
  • Mac OS X Basic Desktop Security Guidelines
  • Password Standard
  • Physical Security for Critical Servers Guideline
  • Secure Data Deletion Standard
  • Securing Microsoft Domain Controller Standard
  • Securing Private Data Standard
  • Security Patch Application Standard
  • Server Security Guidelines
  • University Network Management Guidelines
  • Windows 2000/XP Basic Desktop Security Guidelines
  • Windows Vista Basic Desktop Security Guidelines

The following appendix was superceded by Administrative Policy: Wireless Network Infrastructure:

  • Wireless Access Point Technical Standards
Amended:
September 2007 - Added Windows Vista Basic Desktop Security Guidelines to Related Information and Appendices.
Amended:
July 2007 - Added Physical Security of Servers guideline to Related Information and Appendices.
Amended:
May 2007 - Updated Duluth Contacts.
Amended:
November 2006 - Added Password Standard to related information and appendices.
Amended:
October 2006 - Added Mac OS X Basic Desktop Security Guidelines to Related Information and to Appendices (Appendix P).
Amended:
May 2006 - Added this sentence to policy statement: "Units, campuses that grant guest access to University information technology resources must make their guests aware of User Rights and Responsibilities."
Amended:
April 2005 - Revised definitions and responsibilities section and procedure 2.8.1.1. Added Appendix N: Examples of Reportable Security Incidents and Appendix O: Critical Server Identification Guideline. These changes made to address issues related to HIPPA.
Amended:
July 2004 - Appendix E: OIT Securing Network Infrastructure Guideline was changed to a standard, and content was significantly revised. Title is now: University Network Standards for Network Security & Operational Continuity. Appendix G: Protecting Private Data Guidelines upgraded to Standards. Added Appendix L and M: Information Technology Support Staffing Standard, and Information Technology Support Guidelines.
Amended:
April 2004 - Title for appendix A is now: Using Information Technology Resources Standards to more accurately reflect that it is required. Appendix A was listed as a "guideline" before formal definitions of guidelines and standards were established.
Amended:
January 2004 - Critical Security Updates and Patches Guideline is now a Standard. Added OIT Server Installation Security Guidelines and OIT Windows 2000/XP Desktop Installation Guidelines to Related Information and Appendices.
Amended:
August 2003 - Added Procedure 2.8.1.3 - Notifications for Copyright Infringement.
Amended:
March 2003 - Added Critical Security Updates & Patches Guideline and Secure Data Deletion Standard to Related Information and Appendices. Amended: October 2002 - Updated contacts section and Reporting Violations procedure with correct email address and phone number for abuse complaints.
Amended:
September 2002 - Added links to Securing Network Infrastructure Guideline, Securing Microsoft Domain Controller Guideline and Protecting Private Data Guideline to Related Information and Appendices.
Amended:
May 2002 - Added links to OIT Anti-Virus Standards and OIT Wireless Access Point Technical Standards to Related Information and to Appendices.
Amended:
September 2001 - Added link to University Network Management Guidelines in Related information.
Amended:
July 2000 - Updated Appendix A and Related Information sections.
Amended:
April 1999 - Updated and reordered Contacts section, and Procedure 2.8.1.1, Reporting Violations.
Amended:
August 1998 - Revised Policy Statement, Responsibilities, Definitions and Appendix A: Guidelines for Using Information Technology Resources. Updated and reorganized related information section. Intent of the revision is to more clearly address issues related to commercial use, spamming, University ownership of data, and University liability for personal or unauthorized use. Title changed from Acceptable Use of Computers, Networking, and Information Technology to Acceptable Use of Information Technology Resources. Responsible Officer changed from Executive Vice President and Provost to Chief Information Officer.
Amended:
December 1997 - Responsible Officer changed from Senior Vice President of Academic Affairs to Executive Vice President and Provost.
Effective:
December 1996

Document Feedback

Did this document successfully answer your questions?

Additional comments: (2000 character limit)

Email Address: (so we can respond to your questions)

© 2013 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on December 9, 2013