Information technology (“IT”), encompasses a vast and growing array of computing and electronic communications facilities and services. These facilities and services provide the means for Tusculum College students, faculty and staff to meet their daily requirements in meeting the overall mission of the College.
Users of these IT resources have a responsibility not to abuse those resources and to respect the rights of the members of the community as well as the College itself.
This IT Appropriate Use Policy (the “Policy” or “AUP”) provides guidelines for the appropriate use of Tusculum College IT resources as well as for the College’s access to information about and oversight of these resources.
Most IT use parallels familiar activity in other media and formats, making existing College policies important in determining what use is appropriate.
Using electronic mail (“email”) instead of standard written correspondence, for example, does not fundamentally alter the nature of the communication, nor does it alter the guiding policies.
College policies that already govern freedom of expression and related matters in the context of standard written expression govern electronic expression as well. This Policy addresses circumstances that are particular to the IT arena and is intended to augment but not to supersede other relevant College policies.
- Definitions– The following definitions apply to the Tusculum College Appropriate Use Policy:
- IT Systems – These are the computers, terminals, phones, switches/hubs, printers, networks, modem banks, online and offline storage media and related equipment, software, and data files that are owned, managed, or maintained by students, faculty and staff of Tusculum College. For example, IT Systems include institutional and departmental information systems, faculty research systems, desktop computers, the College’s campus network, and College general access computer clusters.
- Users – A “User” is any person, whether authorized or not, who makes any use of any Tusculum College IT System from any location.
- Systems Authority – While Tusculum College is the legal owner or operator of all IT Systems, it sometimes delegates oversight of particular systems to other departments or to a specific individual. That department of individual would then be responsible and would have “Systems Authority” for that particular system.
- Systems Administrator – Systems Authorities may designate another person as “Systems Administrator” to manage the particular system assigned to him or her. Systems Administrators oversee the day-to-day operation of the system and are authorized to determine who is permitted access to particular IT resources.
- Certifying Authority – This is the Systems Administrator or other College authority who certifies the appropriateness of an official College document for electronic publication in the course of College business.
- Specific Authorization – This means documented permission provided by the applicable Systems Administrator.
- Purpose– The purpose of this Policy is to ensure an information technology infrastructure that promotes the basic missions of the College in teaching, learning, research, and administration. In particular, this Policy aims to promote the following goals:
- To ensure the integrity, reliability, availability, and superior performance of IT Systems;
- To ensure that use of IT Systems is consistent with the principles and values that govern use of other College facilities and services;
- To ensure that IT Systems are used for their intended purposes; and
- To establish processes for addressing policy violations and sanctions for violators.
- Scope – This Policy applies to all Users of IT Systems, including but not limited to College students, faculty, and staff. It applies to the use of all IT Systems. These include systems, networks, and facilities administered by the Tusculum College Department of Information Systems (TCDIS), as well as those administered by individual schools, departments, College laboratories, and other College-based entities.
Use of IT Systems, even when carried out on a privately owned computer that is not managed or maintained by Tusculum College, is governed by this policy.
- Use of IT Systems– Although this Policy sets forth the general parameters of appropriate use of IT Systems, faculty, students, and staff should consult their respective governing policy manuals for more detailed statements on permitted use and the extent of use that the College considers appropriate in light of their varying roles within the community. In the event of conflict between IT policies, this Appropriate Use Policy will prevail.
- Appropriate Use – IT Systems may be used only for their authorized purposes — that is, to support the research, education, clinical, administrative, and other functions of Tusculum College. The particular purposes of any IT System as well as the nature and scope of authorized, incidental personal use may vary according to the duties and responsibilities of the User.
- Proper Authorization – Users are entitled to access only those elements of IT Systems that are consistent with their authorization.
- Specific Proscriptions on Use – The following categories of use are inappropriate and prohibited:
- Use that impedes, interferes with, impairs, or otherwise causes harm to the activities of others. Users must not deny or interfere with or attempt to deny or interfere with service to other users in any way, including by “resource hogging,” misusing mailing lists, propagating “chain letters” or virus hoaxes, “spamming” (spreading email or postings widely and without good purpose), or “bombing” (flooding an individual, group, or system with numerous or large email messages). Knowing or reckless distribution of unwanted mail or other unwanted messages is prohibited. Other behavior that may cause excessive network traffic or computing load is also prohibited.
- Use that is inconsistent with Tusculum College’s non-profit status. The College is a non-profit, tax-exempt organization and, as such, is subject to specific federal, state, and local laws regarding sources of income, political activities, use of property, and similar matters. As a result, commercial use of IT Systems for non-College purposes is generally prohibited, except if specifically authorized and permitted under College conflict-of-interest, outside employment, and other related policies. Prohibited commercial use does not include communications and exchange of data that furthers the College’s educational, administrative, research, clinical, and other roles, regardless of whether it has an incidental financial or other benefit to an external organization. Use of IT Systems in a way that suggests College endorsement of any political candidate or ballot initiative is also prohibited. Users must refrain from using IT Systems for the purpose of lobbying that connotes College involvement, except for authorized lobbying through or in consultation with the College’s Administrative Offices.
- Harassing or threatening use. This category includes, for example, display of offensive, sexual material in the workplace and repeated unwelcome contacts with another.
- Use damaging the integrity of College or other IT Systems. This category includes, but is not limited to, the following six activities:
- Attempts to defeat system security. Users must not defeat or attempt to defeat any IT System’s security — for example, by “cracking” or guessing and applying the identification or password of another User, or compromising room locks or alarm systems. (This provision does not prohibit, however, ITS or Systems Administrators from using security scan programs within the scope of their Systems Authority.)
- Unauthorized access or use. The College recognizes the importance of preserving the privacy of Users and data stored in IT systems. Users must honor this principle by neither seeking to obtain unauthorized access to IT Systems, nor permitting or assisting any others in doing the same. For example, a non-College organization or individual may not use non-public IT Systems without specific authorization. Privately owned computers may be used to provide public information resources, but such computers may not host sites or services for non-College organizations or individuals across the College network without specific authorization. Similarly, Users are prohibited from accessing or attempting to access data on IT Systems that they are not authorized to access. Furthermore, Users must not make or attempt to make any deliberate, unauthorized changes to data on an IT System. Users must not intercept or attempt to intercept or access data communications not intended for that user.
- Disguised use. Users must not conceal their identity when using IT Systems, except when the option of anonymous access is explicitly authorized. Users are also prohibited from masquerading as or impersonating others or otherwise using a false identity.
- Distributing computer viruses. Users must not knowingly distribute or launch computer viruses, worms, or other rogue programs.
- Modification or removal of data or equipment. Without specific authorization, Users may not remove or modify any College-owned or administered equipment or data from IT Systems. This includes the loading of “pirated” software.
- Use of unauthorized devices. Without specific authorization, Users must not physically or electrically attach any additional device (such as an external disk, printer, or video system) to IT Systems.
- Use in violation of law. Illegal use of IT Systems — that is, use in violation of civil or criminal law at the federal, state, or local levels — is prohibited. Examples of such uses are: promoting a pyramid scheme; distributing illegal obscenity; receiving, transmitting, or possessing child pornography; infringing copyrights; and making bomb threats. With respect to copyright infringement, Users should be aware that copyright law governs (among other activities) the copying, display, and use of software and other works in digital form (text, sound, images, and other multimedia). The law permits use of copyrighted material without authorization from the copyright holder for some educational purposes (protecting certain classroom practices and “fair use,” for example), but an educational purpose does not automatically mean that the use is permitted without authorization.
- Use in violation of College contracts. All use of IT Systems must be consistent with the College’s contractual obligations, including limitations defined in software and other licensing agreements.
- Use in violation of College policy. Use in violation of other College policies also violates this AUP. Relevant College policies include, but are not limited to, those regarding sexual harassment and racial and ethnic harassment, as well as College, departmental, and work-unit policies and guidelines regarding incidental personal use of IT Systems.
- Use in violation of external data network policies. Users must observe all applicable policies of external data networks when using such networks.
- Free Inquiry and Expression – Users of IT Systems may exercise rights of free inquiry and expression consistent with the limits of the law.
- Personal Account Responsibility – Users are responsible for maintaining the security of their own IT Systems accounts and passwords. Any User changes of password must follow published guidelines for passwords. Accounts and passwords are normally assigned to single Users and are not to be shared with any other person without authorization by the applicable Systems Administrator. Users are presumed to be responsible for any activity carried out under their IT Systems accounts or posted on their personal web pages.
- Encryption of Data – Users are encouraged to encrypt files, documents, and messages for protection against inadvertent or unauthorized disclosure while in storage or in transit over data networks. Users encrypting information are encouraged to use only endorsed software and protocols. Users who elect not to use endorsed encryption software and protocols on IT Systems are expected to decrypt information upon official, authorized request. (See Section V, “Conditions of College Access,” below.) A staff member may only encrypt with the permission of his or her supervisor.
- Responsibility for Content – Official College information may be published in a variety of electronic forms. The Certifying Authority under whose auspices the information is published is responsible for the content of the published document. Users also are able to publish information on IT Systems or over Tusculum College’s networks. Neither the College nor individual Systems Administrators can screen such privately published material nor can they ensure its accuracy or assume any responsibility for its content. The College will treat any electronic publication provided on or over IT Systems that lacks a Certifying Authority as the private speech of an individual user.
- Personal Identification – Upon request by a Systems Administrator or other College authority, Users must produce valid College identification.
- Computer Resources Code of Ethics
- Ethical and Responsible Use – All Users of any institutionally maintained electronic data, data files, software, and networks are expected to handle the resource in a responsible and ethical manner. A User’s access to IT resources ceases when it invades the right of personal and/or institutional privacy; results in the destruction of personal and/or institutional property; demonstrates a potential for loss, embarrassment, litigation to the individual and/or institution; or causes a limited resource to be used in a wasteful or careless manner.
- Confidentiality – All information processed through Computer Systems is considered sensitive and/or confidential. The responsibility for the release or discussion of data is assigned to the official custodian of the data file(s). Access to information is based on a legitimate “need to know” and directly related to assigned duties.
- Examples of Irresponsible Use – The following examples attempt to convey the intent of irresponsible and/or unethical use: violation of the Family Educational Rights and Privacy Act of 1974; use of the resource for obscene material; deliberate wasteful use of the resource; unauthorized altering of hardware, software, or data; piracy of data or software belonging to another person; or careless use of the resource which may result in the release of restricted information.
- Code for Computer Resource Use
- Ethical and Responsible Use – Computer resources at Tusculum College are available to autorized students, faculty, staff and off-campus constituents. Access to these resources is obtained from the Systems Administrator and is granted with the understanding that they will be used as stated in the request and in keeping with the idea that one’s interest ceases when it invades the right of personal and/or institutional privacy, results in the destruction of personal and/or institutional property, demonstrates a potential for loss, embarrassment, litigation to the individual and/or institution, or because of an otherwise irresponsible use of a limited resource. It is the policy of the office to avail these resources to as many users as possible and, to the extent possible, keep the number of restraints and restrictions on the individuals to a minimum with the ability to provide service to all who request use.
- Ethical and Responsible Use – For such a policy to work, it is essential that users observe responsible and ethical behavior in the use of the resources. In an effort to assist the user community in effective use of the limited computer resources, it seems reasonable to highlight some specific responsibilities and type of behavior that represent abuse of a User’s privileges. The examples do not constitute a complete list but are intended to convey the intent of the code.
- Users should not damage or attempt to damage equipment or to modify or attempt to modify equipment so that it does not function as originally intended. It is equally wrong to damage or modify or attempt to damage or modify the software components: operating system, compilers, utility routines, etc
- Users should not use or attempt to use an account without autorization from the owner of the account. Users have the responsibility of protecting their accounts through the proper use of passwords, but the fact that an account is unprotected does not imply permission for an unauthorized person to use it. Further, accounts are to be used only for the purposed for which they have been established. Additionally, it is wrong to use a college-sponsored account for funded research, personal business, or consulting activities. There are special accounts for such purposes.
- Users should not use private files without authorization. Owners of such files should take precautions and use security mechanisms available. However, the fact that a file is not protected does not make it right for anyone to access it, unless it is specifically designated as a public access file. It is equally wrong for anyone to change or delete a file that belongs to anyone else without authorization. Violation or property rights and copyrights covering data, computer programs, and documentation is also wrong. In the event of accidental access of private files, confidentiality of those files must be maintained.
- Any deliberate wasteful use of resources is irresponsible; it encroaches on others’s use of facilities and deprives them of resources. Printing of large unnecessary listing and the playing of games solely for entertainment are examples of such abuse. Users are expected to be aware of the resources they are using and to make resonable efforts to use these resources efficiently.
- Administrators, faculty, staff of the Office of Computer Systems, and others in positions of trust within the Tusculum College community have a professional responsibility to insure that the equipment, software, and services provide the most efficient levels of support and consider the needs of the total user community. Such persons in positions of trust who misuse computing resources or take advantage of their positions to access data not required in the performance of their duties are displaying unprofessional behavior.
- All state and federal copyright laws will be abided by at all times. Users must not copy any part of a copyrighted program or its documentation that would be in violation of the law or the licensing agreement without the written and specific permission of the copyright holder.
- Conditions of College Access– The College places a high value on privacy and recognizes its critical importance in an academic setting. There are nonetheless circumstances in which, following carefully prescribed processes, the College may determine that certain broad concerns outweigh the value of a User’s expectation of privacy and warrant College access to relevant IT Systems without the consent of the User. Those circumstances are discussed below, together with the procedural safeguards established to ensure access is gained only when appropriate.
- Conditions – In accordance with state and federal law, the College may access all aspects of IT Systems, without the consent of the User, in the following circumstances:
- When necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity of the IT Systems; or
- When required by federal, state, or local law or administrative rules; or
- When there are reasonable grounds to believe that a violation of law or a significant breach of College policy may have taken place and access and inspection or monitoring may produce evidence related to the misconduct; or
- When such access to IT Systems is required to carry out essential business functions of the College; or
- When required to preserve public health and safety
- Process – Consistent with the privacy interests of Users, College access without the consent of the User will occur only with the approval of the Provost (for faculty users), the Provost/Vice Presidents (for staff users), the Dean of Students (for student users), except when an emergency entry is necessary to preserve the integrity of facilities or to preserve public health and safety. The College, through the Systems Administrators, will log all instances of access without consent. Systems Administrators will also log any emergency entry within their control for subsequent review by appropriate College authority. A User will be notified of College access to relevant IT Systems without consent, pursuant to Section V. A. (1-5); depending on the circumstances, such notification will occur before, during, or after the access, at the College’s discretion.1.0 NOTICE TO USERS: It is the policy of Tusculum College to protect all institutional computing resources including, but not limited to, hardware and software, consisting of the actual equipment being supplied by the college as well as the programs and related materials used in conjunction therewith. In accordance with local, state, and federal law, indiscriminate examination of individual’s files is not permitted, nonetheless as a means of maintaining the integrity and security of those aforementioned resources.
1.1 Tusculum College retains the right to inspect accounts and files stored on any system owned, maintained and/or leased by said College. While no prior authorization by individual users is required to inspect those files and accounts, you are, by virue of accepting the account offered by Tusculum College and “logging” on to its computing equipment, granting to the college prior unrestricted permission, subject to college policy, to review, examine and/or otherwise view, by any method a e sole discretion of the College and without any aditional advance notice to said user, any account and/or file stored on college computer resources.
2.0 Should such a review take place, you will be given notice, as a couresyonly, of the results of said review within a reasonable time after the review is completed. While use of college computing resources for personal use is strictly forbidden, should you have materials for which you have reasonable expectation of privacy or which you consider to be confidential for any reason, you should retain those materials on a disk which can be secured as you would any other personal items or materials which you consider private in nature.
- User access deactivations – In addition to accessing the IT Systems, the College, through the appropriate Systems Administrator, may deactivate a User’s IT privileges, whether or not the User is suspected of any violation of this policy, when necessary to preserve the integrity of facilities, user services, or data. The Systems Administrator will attempt to notify the User of any such action.
- Use of security scanning systems – By attaching privately owned personal computers or other IT resources to the College’s network, Users consent to College use of scanning programs for security purposes on those resources while attached to the network.
- Logs – Most IT systems routinely log user actions in order to facilitate recovery from system malfunctions and for other management purposes. All Systems Administrators are required to establish and post policies and procedures concerning logging of User actions, including the extent of individually-identifiable data collection, data security, and data retention.
- Encrypted material – Encrypted files, documents, and messages may be accessed by the College under the above guidelines. S ee Section IV F, above
- Conditions – In accordance with state and federal law, the College may access all aspects of IT Systems, without the consent of the User, in the following circumstances:
- Enforcement Procedures
- Complaints of Alleged Violations – An individual who believes that he or she has been harmed by an alleged violation of this Policy may file a complaint in accordance with established College Grievance Procedures (including, where relevant, those procedures for filing complaints of sexual harassment or of racial or ethnic harassment) for students, faculty, and staff. The individual is also encouraged to report the alleged violation to the Systems Authority overseeing the facility most directly involved, or to the TCDIS, which must investigate the allegation and (if appropriate) refer the matter to College disciplinary and/or law enforcement authorities.
- Reporting Observed Violations – If an individual has observed or otherwise is aware of a violation of this Policy, but has not been harmed by the alleged violation, he or she may report any evidence to the Systems Authority overseeing the facility most directly involved, or to the TCDIS, which must investigate the allegation and (if appropriate) refer the matter to College disciplinary and/or law enforcement authorities.
- Disciplinary Procedures – Alleged violations of this policy will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff, and students, as outlined in the Faculty Handbook, Staff Personnel Policies, various student regulations, and other applicable materials. Staff members who are members of College-recognized bargaining units will be disciplined for violations of this policy in accordance with the relevant disciplinary provisions set forth in the agreements covering their bargaining units.
- Penalties – Individuals found to have violated this policy may be subject to penalties provided for in other College’s policies dealing with the underlying conduct. Violators may also face IT-specific penalties, including temporary or permanent reduction or elimination of some or all IT privileges. The appropriate penalties shall be determined by the applicable disciplinary authority in consultation with the Systems Administrator.
- Legal Liability for Unlawful Use – In addition to College discipline, Users may be subject to criminal prosecution, civil liability, or both for unlawful use of any IT System.
- Appeals – Users found in violation of this policy may appeal or request reconsideration of any imposed disciplinary action in accordance with the appeals provisions of the relevant disciplinary procedures.
- Policy Developement – This Policy may be periodically reviewed and modified by the TCDIS and IT staffs, who may consult with relevant College committees, faculty, students, and staff.