OM 9.1.4 - Acceptable Use
Effective Date: January 2023
Policy Contact: Office of Information Technology
1 Purpose
Clarkson University's technology infrastructure exists to support the academic and administrative activities needed to fulfill the University's mission. All information technology resources of the University shall only be used in a lawful manner and in support of instructional, research and service missions sanctioned by the University. Access to these resources is granted to each individual for a specific purpose. Proper use of the resources must be consistent with that purpose.
The purpose of this Acceptable Use Policy is to clearly establish each member of the University's role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable Clarkson University to implement a comprehensive system-wide Information Security Program.
2 Scope
This policy applies to all users of computing resources owned, managed or otherwise provided by the University. Individuals covered by this policy include, but are not limited to, all workforce members, service providers and research associates with access to the University's computing resources and/or facilities. Also covered are all individuals receiving services from the University including full and part-time students, conference attendees and other campus guests. Computing resources include all Clarkson University owned, licensed or managed hardware and software, email domains and related services and any use of the University's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
3 Policy
Following the same standards of common sense, courtesy and civility that govern the use of other shared facilities, acceptable use of information technology resources generally respects all individuals' privacy and the right of individuals to be free from intimidation, harassment, and unwarranted annoyance. All users of Clarkson University's computing resources must adhere to the requirements enumerated below.
3.1 Fraudulent and Illegal Use
Clarkson University explicitly prohibits the use of any information system for fraudulent, illegal or unethical purposes. While using any of the University's information systems, a user must not engage in any activity that is contrary to University policy or illegal under local, state, federal, and/or international law. As a part of this policy, users must not:
- Violate the rights of any individual or company involving information protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products or media types that are not appropriately licensed for use by Clarkson University or the individual
- Use copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the organization does not have a legal license in any way which violates copyright law
- Export software, technical information, encryption software, or technology in violation of international or regional export control laws
- Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services
Any user that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be unethical, fraudulent or illegal, must notify his/her manager or Dean of Students Office immediately.
If any user creates any liability on behalf of Clarkson University due to inappropriate use of the University's resources, the user agrees to indemnify and hold the organization harmless, should it be necessary for Clarkson University to defend itself against the activities or actions of the user.
3.2 Confidential Information
Clarkson University has both an ethical and legal responsibility for protecting confidential information in accordance with its Data Classification Policy. To that end, there are some general positions that the organization has taken:
- Transmission of data classified as Clarkson Private or Clarkson Confidential by personally-owned messaging technologies (for example, e-mail, instant messaging, SMS, chat) is prohibited.
- Clarkson Confidential information must only be stored or transmitted in an appropriately encrypted form regardless of its location or
- The storage of Clarkson Private information on personally owned devices (including but not limited to phones, tablets, computers) and personally owned media (including but not limited to USB drives, floppy, CD, DVD, Blu-ray) is prohibited. Clarkson University issued (encrypted) USB flash drives are authorized. Mobile devices that access Restricted information will utilize appropriate device encryption techniques, be physically secured when not in use and located to minimize the risk of unauthorized access.
3.3 Incident Reporting
Clarkson University is committed to responding to security incidents involving personnel, University-owned information or University-owned information assets. As part of this policy:
- The loss, theft or inappropriate use of University access credentials (e.g. passwords, key cards or security tokens), assets (e.g. laptop, cell phones), or other information will be reported to the IT HelpDesk.
- Any University community member will not prevent another member from reporting a security incident.
3.4 Malicious Activity
Clarkson University strictly prohibits the use of information systems for malicious activity against other individuals, the University's information systems themselves, or the information assets of other parties.
3.4.1 Denial of Service
Individuals must not:
- Perpetrate, cause, or in any way enable disruption of Clarkson University's information systems or network communications by denial-of-service methods;
- Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system; or
- Intentionally develop or use programs to infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system or
3.4.2 Confidentiality
Individuals must not:
- Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the individual is not an intended recipient or logging into a server or account that the individual is not expressly authorized to access;
- Facilitate use or access by non-authorized users, including sharing their password or other login credentials with anyone, including other campus community members, family members, or friends;
- Use the same password for Clarkson University accounts as for other non-Clarkson University access (for example, personal ISP account, social media, benefits, email);
- Attempt to gain access to files and resources to which they have not been explicitly granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another individual's password; or
- Make copies of another person's files without that person's knowledge and
- Base passwords on something that can be easily guessed or obtained using personal information (e.g. names, favorite sports teams).
All encryption keys employed by individuals must be provided to the Office of Information Technology if requested, in order to perform functions required by this policy.
3.4.3 Impersonation
Individuals must not:
- Circumvent the user authentication or security of any information system;
- Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
- Create and/or use a proxy server of any kind, other than those provided by Clarkson University, or otherwise redirect network traffic outside of normal routing with authorization; or
- Use any type of technology designed to mask, hide, or modify their identity or activities electronically.
3.4.4 Network Discovery
Users must not:
- Use a port scanning tool targeting either Clarkson University's network or any other external network, unless this activity is a part of the user's normal job functions, such as a member of the Office of Information Technology conducting a vulnerability scan, or IT staff utilizing tools in a controlled environment. Use of such tools may also be permitted during the course of an officially-sanctioned academic pursuit.
- Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the user, unless this activity is a part of the user's normal job functions, such as a member of the Office of Information Technology conducting a vulnerability scan, or IT staff utilizing tools in a controlled environment. Use of such tools may also be permitted during the course of an officially-sanctioned academic
3.5 Objectionable Content
Except in the course of a sanctioned academic pursuit, Clarkson University strictly prohibits the use of University information systems for accessing or distributing legal content that other users may reasonably find objectionable. An exception may also be granted in the context of an on-campus residence where all occupants arrive at a consensus regarding the content. Otherwise, users must not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials considered to be:
- Political
- Racist
- Sexually-explicit
- Violent or promoting violence
3.6 Hardware and Software
Whenever data classified as Clarkson Private or Clarkson Confidential may be accessed, transmitted, stored or processed, Clarkson University strictly prohibits the use of any hardware or software that is not purchased, installed, configured, tracked, and managed by the University. In this case, users must not:
- Install, attach, connect or remove or disconnect, hardware of any kind, including wireless access points, storage devices, and peripherals, to any University information system without the knowledge and permission of the Office of Information Technology;
- Download, install, disable, remove or uninstall software of any kind, including patches of existing software, to any organizational information system without the knowledge and permission of the organization;
- Take Clarkson University equipment off-site without prior
3.7 Messaging
The University provides a robust communication platform for users to fulfill its mission. Users must not:
- Automatically forward electronic messages of any kind, by using client message handling rules or any other mechanism;
- Send unsolicited electronic messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);
- Solicit electronic messages for any other digital identifier (e.g. e-mail address, social handle), other than that of the poster's account, with the intent to harass or to collect replies; or
- Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.
3.8 Personal Use
Personal use is defined as use of information technology resources in a manner that does not directly support the instructional, research and service missions sanctioned by the University. When engaging in Personal Use, the individual assumes all responsibility and liability associated with Personal Use. The University makes no warranty express or implied as to the suitability or availability of any information technology resource when engaged in Personal Use. Limited personal use of information technology resources is permitted when all of the following conditions are met:
- There is a negligible or zero cost to the University
- Any use is brief
- Any use occurs infrequently
- The use does not interfere with the performance of any other University employees' official duties
- The use does not compromise the confidentiality, integrity or availability of any University information system, software or data
- The use is not in support of for-profit or commercial enterprise
- The use is not for the gain of a University employee, individual or organization external to the University
4 Roles and responsibilities
Clarkson University reserves the right to protect, repair, and maintain the University's computing equipment and network integrity. In accomplishing this goal, Clarkson University IT personnel or their agents are responsible for maintaining user privacy, including the content of personal files and Internet activities. Any information obtained by IT personnel about a user through routine maintenance of the University's computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of Clarkson University's computing resources.
All users of University information systems are expected to follow the same standards of common sense, courtesy and restraint that govern the use of other University facilities and resources. Specifically, all users are responsible to:
- Conduct themselves in an ethical manner and be respectful of the rights and diversity of all members of the University community and their guests
- Support the principles of academic freedom and free inquiry and expression
- Recognize and honor the intellectual property rights of others
- Maintain a climate which does not interfere with the studies, work or living environment of any member of the University community
Department supervisors / managers are responsible for ensuring their staff are aware of, understand, and comply with all organization policies.
5 Enforcement
Enforcement is the responsibility of the offices of Human Resources and Information Technology and where applicable, Dean of Students. Users who violate this policy may be denied access to the organizational resources and may be subject to penalties and disciplinary action both within and outside of Clarkson University. The University may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the University or other computing resources or to protect Clarkson University from liability.
Users are subject to disciplinary rules described in the Operations Manual or Student Regulations as applicable.
6 Exceptions
Exceptions to the policy may be granted by the CIO, or by their designee. All exceptions must be reviewed annually.
7 References
- US 45 CFR Subchapter C (HIPAA)
- New York State Information Security Breach and Notification Act
- New York State SHIELD Act
- NIST 800-53
- FIPS-199
- PCI DSS 1
- New York Civil Practice Law and Rules § 4509
8 Related Documents
- Information Security Policy
- Data Classification Policy
- Data Classification and Handling Procedure
9 Responsible Department
Office of Information Technology
10 Policy Authority
This policy is issued by the Chief Information Officer and approved by the University President for Clarkson University.
11 Revision History