Code of Computer Ethics and Acceptable Use Policy

Effective: July 1, 2004
Contact: Information Security Policy Committee (ISPC)

Contents

• Introduction
• 1. Privacy and Confidentiality
• 2. Exceptions to Privacy of Information
• 3. Protection of Information and Security Practices
• 3.1. Protection of Information
• 3.1.1. University Information
• 3.1.2. Individual Information
• 3.2. Password Security
• 3.3. User Security Practices
• 3.4. Security for IT Systems
• 3.5. Reporting Security Breaches
• 4. Unacceptable Use
• 4.1. Excessive Non-Priority Use of Computing Resources
• 4.2. Unacceptable System and Network Activities
• 4.3. Unauthorized Use of Intellectual Property
• 4.4. Inappropriate or Malicious Use of IT Systems
• 4.5. Misuse of Email and Communications Activities
• 5. Enforcement
• 5.1. Interim Measures
• 5.2. Suspension of Services and Other Action
• 5.3. Disciplinary Action

Introduction

Iowa State University's Code of Computer Ethics and Acceptable Use Policy provides for access to information technology resources and communications networks within a culture of openness, trust, and integrity. In addition, Iowa State University is committed to protecting itself and its students, faculty, and staff from unethical, illegal, or damaging actions by individuals using these systems.

Purpose

The purpose of this policy is to outline the ethical and acceptable use of information systems at Iowa State University. These rules are in place to protect students, faculty, and staff, i.e., to ensure that members of the Iowa State University community have access to reliable, robust IT resources that are safe from unauthorized or malicious use.

Insecure practices and malicious acts expose Iowa State University and individual students, faculty, and staff to risks including virus attacks, compromise of network systems and services, and loss of data or confidential information. Security breaches could result in legal action for individuals or the university. In addition, security breaches damage the university's reputation and could result in loss of services. Other misuses, such as excessive use by an individual, can substantially diminish resources available for other users.

Scope

The Code of Computer Ethics and Acceptable Use Policy is an integral part of the ISU Information Technology Security Policy (link to ISU Information Technology Security Policy) and applies to faculty, staff, and students as well as any other individuals or entities who use information and information technology at Iowa State University. This policy applies to all equipment owned or leased by Iowa State University and to any privately owned equipment connected to the campus network and includes, but is not limited to, computer equipment, software, operating systems, storage media, the campus network, and the Internet.

Securing and protecting these significant and costly resources from misuse or malicious activity is the responsibility of those who manage systems as well as those who use them. Effective security is a team effort involving the participation and support of every member of the Iowa State University community who accesses and uses information technology.

Therefore, every user of university IT resources is required to know the policies and to conduct their activities within the scope of the ISU Code of Computer Ethics and Acceptable Use Policy, the ISU Information Technology Security Policy, and the Standards, Guidelines, and Best Practices for IT Security. Failure to comply with this policy may result in loss of computing privileges and/or disciplinary action.

1. Privacy and Confidentiality

Iowa State University desires to provide the highest level of privacy possible for users of its information technology systems and to assure their rights of free speech and intellectual freedom are protected and uninhibited. At the same time Iowa State University is required by federal and state laws to keep certain information confidential. To the extent permitted by law and university policy, Iowa State University maintains and protects both the privacy of individuals and the confidentiality of official information stored on its information technology systems. Privacy and confidentiality must be balanced with the need for the university to manage and maintain networks and systems against improper use and misconduct.

2. Exceptions to Privacy of Information

Iowa State University may access, monitor, or disclose confidential or personal information residing on its information networks and systems in the following situations:

• State and Federal Law
  All information including the personal, academic, or research data and files residing on university systems is subject to state and federal laws and regulations requiring its disclosure.
• Access Accounts to Conduct Business or Research
  Faculty and staff may need access to accounts of other faculty and staff when that individual is not available but access is needed to conduct university business or further research. Approval to access the account should be given either by prior proxy access by the individual's account or by written approval by the individual's department head, Director, Dean, or Vice President.
• Investigation of Misconduct
  Iowa State University may access or monitor accounts and equipment during the course of an investigation of misconduct or violations of law by students or employees. Access must be approved in writing by the Vice President for Business and Finance, Vice President for Academic Affairs or other designee acting on the basis of university policy and law. In accessing the account or equipment university officials are expected to avoid accessing information that is personal and irrelevant to the investigation.
• Official University Business
  As part of their assigned responsibilities, Iowa State University faculty and staff may have access to confidential information and are restricted to using it only for purposes associated with the requirements of their position.
• Internal Administrative Disclosure
  Disclosure or use of any personal or confidential information for extraordinary circumstances must be approved in writing by the Vice President for Business and Finance, Vice President for Academic Affairs or other designee acting on the basis of university policy and law.
• Maintenance of ISU Network and Systems
  Iowa State University reserves the right to maintain its information systems; to audit networks and systems on a periodic basis to ensure compliance with security policies; and to locate, and to resolve security breaches or other situations that potentially impact the reliability, robustness, or security of the campus network and systems infrastructure. Individuals performing these functions or others may have access to personal and confidential information and are restricted to using it only for purposes associated with their position.
• Legal Process
  Iowa State University may disclose confidential or personal information in response to a lawfully issued subpoena, court order or other compulsory legal process.
• Health and Safety Emergency
  In the event of a health or safety emergency, Iowa State University may disclose confidential or personal information necessary and relevant to addressing the emergency situation.
• Authorization
  Iowa State University may access or disclose confidential or personal information relating to an individual student or employee upon the written authorization of the individual student or employee.

3. Protection of Information and Security Practices

The development of policy and practices to protect information and to increase security of information technology resources is an ongoing process. This document along with the ISU Information Technology Security Policy is intended to identify key security issues for which individuals, colleges, departments, and units are responsible. The third document, Policies, Standards, and Guidelines for Best Practices for IT Security, is an extension of the first two and includes the most current security requirements and recommendations adopted by the university. This Code of Computer Ethics and Acceptable Use Policy highlights acceptable and unacceptable use policies. Individuals are responsible for understanding these basic principles as well as for familiarizing themselves with and complying with additional policies and practices as they are defined in Policies, Standards, and Guidelines for Best Practices for IT Security.

3.1. Protection of Information

In a university environment students, faculty, and staff create, store and have access to many sources of information. The level of security practices required for various information types depends on who has created the information, who is maintaining the information, the nature of the information itself, and whether there are specific federal and/or state laws or university requirements or guidelines associated with the use and distribution of the information. Information can be defined very generally in many ways such as public, private, confidential, personal, academic, etc. For the purposes of this policy, information is categorized as either university information or individual information. Within university information, there are also very specific definitions for certain types of information.

3.1.1. University Information

As an institution, the university has many types of official information including student records, financial records, health and insurance records, personnel records, and other business records. In addition, colleges, departments, and other units may have other types of internal business information specific to their areas.

• Confidential information is defined by federal and/or state law and university policy and includes information such as student educational records, personnel information; financial information, and health and insurance records. All faculty, staff, and students are responsible for knowing and complying with university policies that apply to confidential information. For more specific information about confidential records see Section 2.4 of the University Policy Manual.
• Business information includes all other information created and maintained for the purpose of operating the university. All faculty and staff are responsible for knowing and complying with university policies that apply to business information, including the Retention Policy and Section 2.5.1 of the University Policy Manual.
• Colleges, departments and units are responsible for securing confidential and business information maintained on the systems under their authority as required by federal and/or state law and university security policy. In addition, they are responsible for developing appropriate security practices for their internal business information.
• Students, faculty and staff are responsible for accessing only that confidential or business information for which they are authorized and using that information only for the purposes for which it is intended. The Office of the Registrar maintains helpful information regarding confidentiality policies.
• Students, faculty and staff are required to comply with security practices established by the university or their college, department or administrative units to protect confidential or business information.

3.1.2. Individual Information

Individual information includes academic, research, personal and business correspondence, and other records created and managed by individual students, faculty, or staff. As creators and managers of this information, individuals are responsible for securing and protecting their information.

Individual information should be protected based on the level of risk associated with its loss or misuse. Colleges, departments, central information technology providers and other units may assist individuals by offering services including secure storage of files with systematic copying of data and/or archiving. Nonetheless, individual students, faculty and staff are ultimately responsible for securing their own information and should take action to assure their individual data is protected to the level they deem adequate.

3.2. Password Security

Users are responsible for the security of computer systems passwords, personal account passwords (Net ID passwords) and personal identification numbers (PINs) and will be held accountable for any activities linked to their accounts. Users must follow established university standards for maintaining and managing passwords.

3.3. User Security Practices

Users are required to be aware of and employ security practices established by the university and their colleges, departments or administrative offices to prevent unauthorized access to their computers. Security breaches can often be linked to the actions individuals take or fail to take when using information technology resources (e.g., leaving their computers logged into applications while away from their desks, storing written copies of passwords in obvious places, using insecure methods for transferring information).

3.4. Security for IT Systems

Computer systems can become transmitters of viruses, denial of service attacks, open file exchange services, and other malicious electronic activities. Email messages, websites, inter-relay chat, and other applications used by faculty, staff, and students are often the sources of these problems. To prevent these malicious activities, individuals are required to be aware of and comply with university policies relating to the use of these applications. Among specific requirements are the ongoing use of approved virus-scanning software, the timely application of security patches and upgrades to operating systems and other software, and prompt implementation of security measures posted by university, colleges, departments, or units in response to specific security threats.

3.5. Reporting Security Breaches

Effective security practice includes the prompt and appropriate response to breaches in security. It is, therefore, incumbent upon all individuals to report incidents in which they believe computer or network security has been jeopardized. In some cases local action is sufficient; in others, where the risk to confidential information or university-wide security is high, a university-level response will be implemented. Individuals are responsible for reporting security incidents and for taking action as recommended or directed by the security response team.

4. Unacceptable Use

Users are prohibited from engaging in any activity illegal under local, state, federal, or international law or in violation of university policy. The categories and lists below are by no means exhaustive, but attempt to provide a framework for activities that fall into the category of unacceptable use.

4.1. Excessive Non-Priority Use of Computing Resources

Priority for the use of information technology resources is given to activities related to the university's missions of teaching, learning, research, and outreach. University computer and network resources are limited in capacity and are in high demand. To conserve IT resource capacity for all users, individuals should exercise restraint when utilizing computing and network resources. Individual users may be required to halt or curtail non-priority use of information technology resources, such as recreational activities and non-academic, non-business services.

4.2. Unacceptable System and Network Activities

Unacceptable system and network activities include:

• Engaging in or effecting security breaches or malicious use of network communication including, but not limited to
  • obtaining configuration information about a network or system for which the user does not have administrative responsibility.
  • engaging in activities intended to hide the user's identity, to purposefully increase network traffic, or other activities that purposefully endanger or create nuisance traffic for the network or systems attached to the network.
• Circumventing user authentication or accessing data, accounts, or systems that the user is not expressly authorized to access.
• Interfering with or denying service to another user on the campus network or using university facilities or networks to interfere with or deny service to persons outside the university.

4.3. Unauthorized Use of Intellectual Property

Users may not use university facilities or networks to violate the ethical and legal rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations. Violations include, but are not limited to:

• Except as provided by fair use principles, engaging in unauthorized copying, distribution, display or publishing of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources; copyrighted music or video; and the installation of any copyrighted software without an appropriate license.
• Using, displaying or publishing licensed trademarks, including Iowa State University's trademarks, without license or authorization or using them in a manner inconsistent with terms of authorization.
• Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws.
• Breaching confidentiality agreements or disclosing trade secrets or pre-publication research.
• Using computing facilities and networks to engage in academic dishonesty prohibited by university policy (such as unauthorized sharing of academic work, plagiarism).

4.4. Inappropriate or Malicious Use of IT Systems

Inappropriate or malicious use of IT systems includes:

• Setting up file sharing in which protected intellectual property is illegally shared.
• Intentionally introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
• Inappropriate use or sharing of university-authorized IT privileges or resources.
• Changing another user's password, access, or authorizations.
• Using an Iowa State University computing asset to actively engage in displaying, procuring or transmitting material that is in violation of sexual harassment policy or laws, hostile workplace laws, or other illegal activity.
• Using an Iowa State computing asset for any private purpose or for personal gain. Refer to the University Policy Manual section 2.5(10).Abusing or misusing computer hardware or software.

4.5. Misuse of Email and Communications Activities

Electronic mail (email) and communications are essential in carrying out the activities of the university and to individual communication among faculty, staff, students and their correspondents. Individuals are required to know and comply with the university's Mass E-Mail Policy and Effective e-Communication. Some key prohibitions include:

• Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material, except as approved under the Mass E-Mail Policy and Effective e-Communication.
• Engaging in harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
• Masquerading as someone else by using their e-mail or internet address or electronic signature.
• Soliciting email from any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
• Creating or forwarding "chain letters" or solicitations for business schemes.
• Using email originating from within Iowa State's networks for commercial purposes or personal gain.
• Sending the same or similar non-business-related messages to large numbers of email recipients or newsgroups.

5. Enforcement

The University Code of Computer Ethics and Acceptable Use Policy is enforced through the following mechanisms.

5.1. Interim Measures

The university may temporarily disable service to an individual or a computing device, when an apparent misuse of university computing facilities or networks has occurred, and the misuse:

• is a claim under the Digital Millennium Copyright Act (DMCA). (Link to DMCA procedure);
• is a violation of criminal law;
• has the potential to cause significant damage to or interference with university facilities or services;
• may cause significant damage to another person; or
• may result in liability to the university.

An attempt will be made to contact the person responsible for the account or equipment prior to disabling service unless forbidden by law enforcement authorities or central IT providers (AIT, ATS, and Telecommunications) determine immediate action is necessary to preserve the integrity of the university network. In any case, the user shall be informed as soon as possible so that they may present reasons in writing why their use is not a violation or that they have authorization for the use.

5.2. Suspension of Services and Other Action

Users may be issued warnings, may be required to agree to conditions of continued service, or have their privileges suspended or denied if:

• After hearing the user's explanation of the alleged violation, a central IT provider has made a determination that the user has engaged in a violation of this code or,
• A student or employee disciplinary body has determined that the user has engaged in a violation of the code.

For minor first-time violations the expectation is that a warning will be sufficient. For repeat violations temporary or permanent denial of access to or suspension of computing or network services will be considered.

5.3. Disciplinary Action

Violations of the ISU Code of Computer Ethics and Acceptable Use Policy may be referred for disciplinary action as outlined in the Student Information Handbook and applicable faculty and staff handbooks or collective bargaining agreement.