Responsible Use of Information Technology Policy

This policy was formulated to provide a secure and reliable computing environment at the University at Albany that will facilitate and encourage the exchange of ideas and information as well as protect the freedom of speech rights of the members of the University community. It establishes basic rights for all users and describes expectations for responsible use to ensure those rights.

I. General Principles

This section sets forth the ten basic policy principles. Situations or behaviors not specifically mentioned in sections II and III may be addressed through application of these basic principles.

II. User Rights and Responsibilities

This section highlights policy specifics related to privacy, copyright, software, harassment, defamation, accessing computing resources, abuse of computer resources, reporting unauthorized use, and the web.

III. System Administrator Rights and Responsibilities

This section describes system administrators and highlights specific expectations for system administrators, whether they be professional staff, faculty or student administrators.

IV. Amendments

Comments and suggestions regarding these policies may be sent to the Computer Usage Committee via email to the committee chair at lisc-cu@uamail.albany.edu.

I. General Principles

Access to modern information technology is essential to the University at Albany's mission of providing the students, faculty and staff with educational services of the highest quality. The pursuit and achievement of the mission of education, research, and public service require that the privilege of using computing systems and software, internal and external data networks, as well as access to the World Wide Web, be made available to the entire campus community.

The preservation of that privilege for the full community requires that each faculty member, staff member, student, and any other user comply with institutional and external policies for appropriate use. To assist and ensure such compliance, the University at Albany establishes the following policy which supplements all applicable SUNY wide policies, including sexual harassment, patent and copyright, and student and employee disciplinary policies, as well as applicable federal and state laws.

1. Use of University at Albany computing and network resources shall be consistent with: the education, research and public service mission of the State University of New York; all federal and state regulations; and this policy document.
   

2. This policy applies to all University at Albany computing and network resources, including host computer systems, campus-sponsored computers and workstations, software, data sets, and communications networks, whether accessed directly or indirectly.
   

3. This policy applies to all users of campus computing and network resources including faculty, staff, and students.
   

4. Information technology provides an important means for both public and private communication. Users and system administrators will respect the privacy of person-to-person communications in all forms including telephone, electronic mail and file transfers, graphics and television to the fullest extent possible under applicable law and policy. The principle of academic freedom will apply to public communication in all these forms.
   

   Specifically, the University respects freedom of expression in electronic communications on its computing and networking systems. Although this electronic speech has broad protections, all University community members are expected to use the information technology facilities considerately with the understanding that the electronic dissemination of information, particularly on the computing and networking systems, makes it accessible to a broad and diverse audience. The University expects all users to respect the Principles for a Just Community when communicating via the University information technology facilities.

5. Other than publicly designated official University sites, the University at Albany does not generally monitor or restrict content residing on campus systems or transported across its networks.
   

6. If there is reasonable cause to believe that a user has violated this responsible use policy, state or federal laws, or contractual obligations, the University reserves the right to take any of the following actions:
   
   • to have staff access the computer systems and networks including individual login sessions
     
   • limit an individual's access to its networks
     
   • remove or limit access to University computers and/or materials posted on University computers.
   
   
7. In the normal course of system maintenance, both preventive and troubleshooting, staff members operating the computer systems may be required to view files. Staff are required to maintain the confidentiality and privacy of information in such files unless otherwise required by law or University policy.
   

8. Campus servers and computing services should be properly configured so as not to pose a security risk or otherwise adversely affect existing University servers and services. All University system and network administrators are expected to implement practices to satisfy "due diligence" in respect to security requirements.
   

9. The University recognizes and acknowledges employee incidental use of its computing and network resources within the guidelines (see appendix) established for such use.

10. This policy may be supplemented with additional guidelines by units that operate their own computers or networks, e.g., University Libraries or ResNet, provided such guidelines are consistent with this policy.

II. User Rights and Responsibilities

1. Privacy: The University will make every effort to respect the privacy of an individual's computer files. Each user must respect the privacy and integrity of other computer users. No user should view, copy, alter or destroy another's personal electronic files without permission (unless authorized or required to do so by law or policy). Although users are prohibited from using computing resources to monitor electronic communications, all users should be aware that personal computer files are distributed on a public network which cannot guarantee absolute privacy or security.
   
   

2. Copyright: Original works of authorship and creative expressions that are more than ideas or facts and which are fixed in a tangible medium of expression (print, artwork, visual images, music, electronic materials) may be protected by copyright unless they are in the public domain. When duplicating copyrighted materials for educational use, it is advisable to secure the permission of the copyright holder in advance of the act of duplication.
   

3. Software: Most software that the University provides to its students, employees, and other users is licensed by the University, or third parties, and is protected by copyright and other laws, together with licenses and other contractual agreements. Users are required to respect and abide by the terms and conditions of software use and redistribution licenses. Such restrictions may include prohibitions against copying programs or data for use on the University network or for distribution outside the University; against the resale of data or programs, or the use of them for non-educational purposes or for financial gain outside of the academic mission; and against public disclosure of information about programs (e.g., source code) without the licensee's authorization.

   All University business will be conducted using legally licensed software. Managers are responsible for ensuring that only licensed software is installed on department computers. Managers are required to maintain documentation regarding purchases of software and conduct departmental self-audits to assure continued compliance with applicable agreements.
   
   University employees who knowingly and/or intentionally make, acquire or use illegal copies of computer software shall be considered to be acting outside the scope of their employment and as such may not be eligible for legal defense by the Office of the Attorney General under the Public Officers Law.

4. Harassment, Defamation: As in other aspects of behavior in campus life, civility is expected at all times. No user should, under any circumstances, use campus computers or the University network to harass any other person. Similarly, users may not use computing resources to defame, slander, or libel.
   

5. Accessing Computing Resources:
   

   This section outlines guidelines on the use of computer accounts, user room facilities, and the campus network. At all times, users are expected to practice reasonable conservation measures (such as regularly cleaning up their mail files and practicing efficient file management).

   A. Accounts:
   

   Computer and network access accounts are to be used for the University-related activities for which they are assigned.
   
   

   • Sharing of access: Computer accounts, passwords, and other types of authorization are assigned to an "owner," who is then responsible for the account and all activities generated by the account.
     
     
   • Unauthorized access: You may not run or otherwise configure software or hardware to allow access by unauthorized users.
     

   • Termination of access: When you cease being a member of the campus community (e.g., withdraw, graduate, terminate employment, or otherwise leave the university), or if you are assigned a new position and/or responsibilities within the State University system, your access authorization must be reviewed. You must not use facilities, accounts, access codes, privileges or information for which you are not authorized in your new circumstances.
     

   B. User Room Facilities

   User rooms on campus are primarily provided for the use of the University at Albany community. User rooms are a limited communal resource, and, therefore, users must abide by certain restraints and courtesies, including all rules and guidelines posted in each facility. For example, the use of some programs may be limited to off-peak hours in the public facilities.
   

   C. The Campus Network

   The rules that govern the use of the University at Albany's network are based on the premise that the network is a communal resource. The people who use it agree to abide by certain restraints and courtesies. These are detailed in various documents, including the University's Community Rights and Responsibilities document, the ResNet Participants' Agreement incorporated into the Residence Hall License, and this policy.

6. Abuse of Computer Resources:

   Abuse of campus computer resources is prohibited and includes, but is not limited to:

   • Circumventing Security: Users are prohibited from attempting to circumvent or subvert any system's security measures. Users are prohibited from using any computer program or device to intercept or decode passwords or similar access control information.
     

   • Breaching Security: Deliberate attempts to degrade the performance of a computer system or network or to deprive authorized personnel of resources or access to any University at Albany computer or network is prohibited. Breach of security includes, but is not limited to, the following:
     · Creating or knowingly propagating viruses.
     · Hacking
     · Password cracking
     · Unauthorized viewing of other's files
     

   • Chain Letters: The propagation of chain letters (e-mail requesting that the reader send on the message to multiple others) is prohibited. Virus hoax announcements generally fall in this category.
     

   • Unauthorized Servers: Initiating and operating unauthorized servers (e.g., gaming, IRC, FTP, file sharing applications, e-mail) on University servers or systems, particularly those that extend University network and computing resources to non-affiliates of the University, is prohibited.
     

   • Unauthorized Monitoring: A user may not use computing resources for unauthorized monitoring of electronic communications.
     

   • Flooding/E-Mail Bombs: Sending massive e-mail in a deliberate attempt to overwhelm a system is prohibited.
     

   • Private Commercial Purposes: The computing and networking resources of campus shall not be used for personal or private commercial purposes or for financial gain outside the academic mission.
     

   • Violations of Copyright: Written permission from the copyright holder may be required to duplicate for educational use or any other purpose copyrighted material. This includes duplication of audio tapes, videotapes, photographs, illustrations, images, audio files, computer software, and all files or other information, whether in digital format or otherwise.
     

   • Political Advertising or Campaigning: The use of campus computers and networks shall be in accordance with University policy on use of University facilities for political purposes (SUNY Administrative Procedures Manual Policy 008, See Appendix A.).
     

7. Web Policy

   This policy exists to help the creators of Web pages at the University at Albany take advantage of this powerful communications tool, yet avoid the pitfalls that can lead to confusion and complaints. Individual schools and colleges, as well as departments and programs, may have their own guidelines for publishing professional, organizational, and instructional web pages. However, these are supplemented and superseded by this University-wide policy.

   1. Official Home Pages
      
      1. The University at Albany home page is an official publication of the University. All materials, including text and photographs, appearing on the home page or subsequent official home pages of specific departments are copyrighted and may not be reproduced without written permission from the copyright holder.
         
         

      2. Home pages linked to the University at Albany home page may be created by academic departments, programs, centers or institutes, governance groups, and administrative departments.
         
         
      3. Official home pages are a reflection of the University. It is important for all contributors to ensure that their information is well-organized, accurate, and timely, and the web pages presentation complies with NYS Technology Policy 99-3: Universal Accessibility for NYS Web Sites.
         
         A primary contact person must be identified for the creation and maintenance of all official home pages. The contact is designated by the department or unit head. The contact for an official page must be a University at Albany faculty or staff member, and an email address for the contact person must be included on the organization main page. The contact person is responsible for periodically reviewing and updating the web page information.

      4. Recognized student groups may create home pages that are linked to the University at Albany home page with the approval of the Office of Student Life.
         

      5. Developers of University at Albany official pages may include the University logo in its original form on the main page of the site; contact the Office of Media & Marketing for an original logo file.
         

      6. Subordinate official home pages must contain a path back to the home page of the University (http://www.albany.edu).

   2. Personal Home Pages
      1. Personal home pages are posted without prior review by University administrators. Authors of web pages are expected to use good judgment with respect to the effect of their page content on the broad and diverse audience that accesses the University web site.
         

      2. Personal pages may not contain any of the University at Albany logos or any other University copyrighted materials or images.
         

      3. When individual or personal home pages are linked from official pages, the University requires that there be a clear and explicit indication at the point of transition from official to personal Webspace. This indication must explicitly state that any opinions, views or endorsements of any kind encountered on personal pages are not the policy of the University but are of a personal nature.
         

      4. No material included in personal home pages may violate any laws, including but not limited to those regarding obscenity, harassment of others or copyright.
         

      5. Personal web pages may not be used for commercial purposes or financial gain outside of the academic mission.
         

8. Limitations
   
   1. The issuance of a password or other means of access is to assure appropriate confidentiality and does not guarantee privacy for personal or improper use of university equipment or facilities.
      

   2. The University at Albany provides reasonable security against intrusion and damage to files stored on the central facilities. The campus also provides some facilities for archiving and retrieving files specified by users, and for recovering files after accidental loss of data. However, the campus is not responsible for unauthorized access by other users or for loss due to power failure, fire, floods, etc. The University at Albany makes no warranties with respect to Internet services, and it specifically assumes no responsibilities for the content of any advice or information received by a user through the use of the University at Albany's computer network or email systems.
      

   3. Users should be aware that campus computer systems and networks may be subject to unauthorized access, tampering, or generation of fraudulent email messages.
      

III. System Administrator Rights and Responsibilities

System administrators are those individuals who directly support the integrity and operations of computing systems. As users of the system they administer, they have the same rights and responsibilities as any other user of the system including respect for the privacy of other users' information. In addition, they have a primary responsibility to ensure the availability, usefulness, integrity and security of the systems they manage. In this capacity their rights exceed those of other users of the systems. They generally have access rights that allow them the ability to read, write, or execute any/all files on the system(s) under their purview. Because of this, the professional ethics of system administrators must be at the highest level and their professional ethical conduct must be beyond reproach. The following itemizes specific rights and responsibilities of the system administrator.

1. Adequate Hardware and Software: Before any server is installed and placed on the campus network, the system administrator should ascertain that the machine is in an appropriate state to be placed on a shared network. The system administrator should also ascertain that the resource requirements (hardware and software) and system management requirements (people) for both current and future needs are either in place or planned for, to keep the machine in "top running order."

2. Legal Licensing: The system administrator must ensure that hardware and software products are installed consistent with license agreements.

3. Monitoring: The system administrator monitors for performance and capacity planning. The system administrator monitors to ensure that the system resources are not being misused. Multi-user systems are by definition and design shared resources. One user can either intentionally or inadvertently take over the system thereby rendering the resources unavailable for others. The system administrator is responsible for monitoring and interceding where needed to prevent misuse or misappropriation of system resources.

4. Security Alerts and Updates: The system administrator is responsible for monitoring sources of system alerts and for applying operating system and software product "patches" and security upgrades in a timely manner.

5. Precautionary Scans: System administrators must take precautions to safeguard systems against "corruption, compromise or destruction." This includes performing scans for diagnostic problem resolution purposes of the systems they maintain or assessing network traffic into or out of systems they maintain.

6. Confidentiality and Privacy of User Files: In the course of carrying out their duties, the system administrator must avoid viewing the contents of a user's files or messages. If such content becomes known to the system administrator, it should be treated as confidential and private.

7. Security Breaches: If the system administrator, in the performance of duties, uncovers information that indicates a breach of security has occurred, the system administrator must take action. System administrators cannot capriciously shut down user accounts, services, or systems. However, in those instances where a security incident is suspected that will endanger the security and integrity of both the system and the files and data of others, the system administrator may shut down specific accounts or close access to services or systems that appear to be associated with the problem. These may include possible perpetrators as well as victims of the security breach. Immediately after such an action, the system administrator should notify his or her supervisor and initiate appropriate review processes to follow up on such an action.

8. Policy Violations and Criminal Activity: If the system administrator, in the performance of duties, uncovers information that an individual is acting inconsistent with this policy, or discovers evidence of criminal activity, the system administrator must report such findings to the appropriate authority.

Sanctions and Reporting of Policy Violations

Violators of this policy are subject to the existing student or employee disciplinary procedures. Sanctions may include the loss of computing privileges. Illegal acts involving University at Albany computing and networking resources may also subject users to prosecution by state and federal authorities.

University employees learning of misuse of computing resources shall notify the appropriate supervisor, system manager, department manager, or area Vice President.

Appendix: Incidental Use of Information Technology

Incidental personal use of computing resources at the University at Albany is an exception to the general prohibition against the use of University equipment for anything other than official state business.

The parameters of the exception are:

• the incidental personal use of computing resources facilitates the user's proficiency; or

• there is no additional cost to the state; or

• an analogy to incidental use of telephones can be made; or

• an analogy to personal use of library resources can be made.

• result in financial gain for the user;

• be for business purposes where the business is owned by the employee or the work is done for another business (including consulting); faculty/staff who do extensive paid consulting are expected to obtain services through an Internet Service Provider that handles the bulk of such correspondence and associated research.

• interfere with assigned job responsibilities; or

• be in violation of existing security/access rules.

This policy was developed by the Computer Usage Committee of the University at Albany's University Senate's Council on Libraries and Information Systems (LISC). The policy was approved by LISC on December 4, 2000 and by the University Senate on December 11, 2000. The Computer Usage Committee continues to meet regularly to execute its responsibilities of continual review, development, and maintenance of the University at Albany computer usage policies.

The development of this policy was expedited by the extant policies of several other institutions including the University at Buffalo, the State University of New York at Stony Brook, Cornell University, University of Texas, SAGE (the Systems Administrator Guild Special Technical Group of USENIX), University of Hawaii, Georgetown University, Rensselaer Polytechnic Institute, Pennsylvania State, Rochester Institute of Technology, and Auburn University.

IV. Amendments

1. General Principles for Electronic Mailings (Senate Bill No. 0102-17, Approved April 2, 2002)


1. Importance of Email to the University at Albany

Electronic mail (e-mail) is an important resource for academic, administrative, and extra-curricular communications at the University at Albany and is an essential element of the University's day-to-day operations.


2. Impact of Bulk Mailings

Bulk electronic mailings to large groups of students or employees as a means of information dissemination have a significant and adverse impact on University network and computing resources. Therefore, messages intended for campus-wide distribution require the following:
• Notice of presidential or vice presidential approval
• A contact point for those seeking additional information
• A web link to further details, as appropriate
• Instructions on how to unsubscribe


3. Listserv Lists for Mass Mailings

For mass electronic mailings, the University encourages the establishment of listserv lists. Any member of the University at Albany community may start their own listserv. These lists can be used to communicate with interested members of the population regarding University events, activities, and general campus information. Some of the benefits derived from the use of listserv lists include:
• An individual's particular interests determine subscription to a list.
• List subscribers have the option of un-subscribing from any listserv special interest list.
• As members of a list, an individual can expect to receive only e-mail messages appropriate to the topic of that list.
• Listserv messages can take advantage of embedded URLs to link subscribers to web pages containing additional details and information.


4. Emergency Communications

Emergency communications regarding health and safety issues are exceptions to the general restrictions and recommendations described above.