Computer Usage Policy

Activation of your UTAD account indicates acceptance of the duties and responsibilities contained therein.

3364-65-05 Responsible Use Policy

(A) Policy statement The principles of academic freedom and freedom of expression apply to the use of university computing resources. So, too, however, do the responsibilities and limitations associated with those principles. Like the use of any other university-provided resource and like any other university-related activity, the use of computing resources is subject to the requirements of legal and ethical behavior within the university community. The legitimate use of a computer, computer system or network does not extend to whatever is technically possible. Although some limitations are built into computer operating systems and networks, those limitations are not the sole restrictions on what is permissible. Users of university computing resources shall comply with the "Responsible Use Standards" identified in this policy. (B) Purpose This policy establishes standards for the responsible use of university computing resources, identifies security enforcement measures, and potential consequences for violations. (C) Scope This policy applies to all users of university computing resources, whether affiliated with the university or not, and to all uses of those resources, whether on campus or from remote locations. Additional policies may apply to specific computers, computer systems or networks provided or operated by specific units of the university. Consult the operators or managers of the specific computer, computer system or network in which you are interested for further information. (D) Responsible use standards All users of university computing resources must: (1) Comply with all federal, Ohio and other applicable law, all generally applicable university rules and policies, and all applicable contracts and licenses. Examples of such laws, rules, policies, contracts and licenses include the laws of libel, privacy, copyright, trademark, obscenity and child pornography; the Health Insurance Portability and Accountability Act; the Family Educational Rights and Privacy Act; the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which prohibit "hacking," "cracking," and similar activities; the university's Code of Conduct; university policy 3364-50-01 Sexual harassment and other forms of harassment; and all applicable software licenses. Users who engage in electronic communications with persons in other states or countries or on other systems or networks should be aware that they may also be subject to the laws of those other states and countries and the rules and policies of those other systems and networks. Users are responsible for ascertaining, understanding and complying with the laws, rules, policies, contracts and licenses applicable to their particular uses. (2) Use only those computing resources which they are authorized to use and use them only in the manner and to the extent authorized. Ability to access computing resources does not, by itself, imply authorization to do so. Users are responsible for ascertaining what authorizations are necessary and for obtaining them before proceeding. Accounts and passwords may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the university. (3) Respect the privacy of other users and their accounts, regardless of whether those accounts are securely protected. Again, ability to access other persons' accounts does not, by itself, imply authorization to do so. Users are responsible for ascertaining what authorizations are necessary and for obtaining them before proceeding. (4) Respect the finite capacity of those resources and limit use so as not to consume an unreasonable amount of those resources or to interfere unreasonably with the activity of other users. Although there is no set bandwidth, disk space, CPU time or other limit applicable to all uses of university computing resources, the university may require users of those resources to limit or refrain from specific uses in accordance with this principle. The reasonableness of any particular use will be judged in the context of all of the relevant circumstances. (5) Refrain from using those resources for personal commercial purposes or for personal financial or other gain. Personal use of university computing resources for other purposes is permitted when it does not consume a significant amount of those resources, does not interfere with the performance of the user's job or other university responsibilities, and is otherwise in compliance with this policy. Further limits may be imposed upon personal use in accordance with normal supervisory procedures. (6) Refrain from stating or implying that they speak on behalf of the university and from using university trademarks and logos without authorization to do so. Affiliation with the university does not, by itself, imply authorization to speak on behalf of the university. Authorization to use university trademarks and logos on university computing resources may be granted only by the senior director of university marketing. The use of appropriate disclaimers is encouraged. (E) Security enforcement and privacy: The university employs various measures to protect the security of its computing resources and of their users' accounts. Users should be aware, however, that the university cannot guarantee such security. Users should therefore engage in "safe computing" practices by establishing appropriate access restrictions for their accounts, guarding their passwords and changing them regularly. Users should also be aware that their uses of university computing resources are not completely private. While the university does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the university's computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities which are necessary for the rendering of service. The university may also specifically monitor the activity and accounts of individual users of university computing resources, including individual log in sessions and communications without notice. The university, in its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications, to appropriate university personnel or law enforcement agencies and may use those results in appropriate university disciplinary proceedings. Communications made by means of university computing resources are also generally subject to Ohio's Public Records statute to the same extent as they would be if made on paper. (F) Violations: Users who violate this policy may be denied access to university computing resources and may be subject to other penalties and disciplinary action, both within and outside of the university. Violations will normally be handled through the university disciplinary procedures applicable to the relevant user. For examples, alleged violations by students will normally be investigated, and any penalties or other discipline will normally be imposed, by the office of student judicial affairs. However, the university may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security or functionality of university or other computing resources or to protect the university from liability. The university may also refer suspect violations of applicable law to appropriate law enforcement agencies. (G) Education for responsible use Use of information technology resources is subject to the user's agreement to adhere to the standards outlined in this policy. Upon assignment of a network password, each user will electronically accept that they have received and read the responsible use policy. The responsible use policy will be posted to the campus website to increase the ability of campus users to reflect on and consult the policy.

If you are, or will be, teaching or advising students at The University of Toledo, the following section applies to you:

myUT Faculty/Adviser Self-Service Duties and Responsibilities

The faculty and adviser self-service channel of the myUT web portal is a web-based interface to the Student Information System (SIS) database. This channel contains confidential information about the University of Toledo students. The Family Educational Rights and Privacy Act (FERPA) is a federal law that gives students certain rights regarding the confidentiality of their educational records. Use of the faculty self-service channel is restricted to properly authorized personnel for educational purposes. FERPA, as well as University policy, strictly prohibit the release of any information about a student that is not considered 'public' to any person(s) or organization(s) outside of the University without the express written consent of the student. Students also have the right to restrict the release of 'public' information and request that no information about them be released without their written consent. The University of Toledo considers ONLY the following student information to be 'public': * Student Name * Local Address and Phone Number * College and Major Field of Study * Full-Time or Part-Time Enrollment Status * Class Rank (Freshman, Sophomore, etc.) * E-mail address * Dates of Attendance * Degrees and Awards Received Posting of non-public information, including any part of a student's social security number, is a violation of FERPA and is therefore strictly prohibited. The myUT faculty/adviser self-service channel is accessible only to faculty and advisers via your UTAD account and password. Sharing your UTAD password or otherwise allowing anyone else to gain access to your account violates University of Toledo policy and is strictly prohibited. In order to activate UTAD accounts and access myUT, authorized personnel must agree to University FERPA guidelines and set their password. Passwords are considered confidential information and are not released to anyone, including co-workers.

If you are, or will be, working from the Health Science Campus, the following applies to you:

Information Systems Workstation Policy No.: 022

All Workstations on the Institutional Network must conform to standardized requirements to assure effective security, performance and support for the Network. Purpose To define Workstations and list associated requirements and procedures in order for those workstations to be permitted on the Network. Requirements and Procedures 1. Definition. Workstations are user-based computing devices with an operating system capable of interacting with other systems on the Institutional Network. These include desktop personal computers (PCs), laptop PCs, handhelds and any other network devices that a user can use to interact with other systems. Network-capable medical devices which do not meet this definition are considered to be Network Devices and must comply with the I.S. Network Devices Policy No. 023. 2. Required Elements. a. Novell Netware Client. The Novell Netware Client is an integral part of the security and management of the Network. All workstations that have the technical capability to run the Netware Client must authenticate to Netware when on the Network. b. Windows Domain Authentication. The Windows Domain is another integral part of the security and management of the Network. All workstations that have the technical capability to authenticate to the Windows Domain must do so when on the Network. Windows domain authentication provides additional management tools needed to secure and protect the Network. c. Local Admin Access. I.S. 1 must have the ability to gain local administrator access to all workstations regardless of operating system. Systems configured by I.S. will automatically conform to this requirement. Systems in which users have changed the local administrator access will be reimaged and the standard admin password will be applied or the system will be removed from the Network and become unsupported. d. Antivirus. Antivirus software is a fundamental component of network and workstation security. All windows workstations must run I.S. configured McAfee Antivirus and ePO agent. Macintosh users must run Virex with the virus definitions set to auto-update. All other operating systems must run appropriate antivirus software with the virus definitions updated automatically or weekly - excluding Linux and Unix operating system machines. e. Registered MAC address. All workstations must have the Ethernet hardware or MAC address registered with I.S. Any workstation without a registered MAC address may be removed from the network without notice. f. Physical Security. All workstations must be secured against theft and inappropriate access. Systems which access PHI2 must be located in a way that prevents viewing by individuals who should not have access to that information. Portable devices should be secured at all times and extra care must be taken to prevent loss or theft of the device. g. Operating Environment. i. Supported Operating Systems. 1. Windows XP 2. Windows 2000 3. Macintosh OS X ii. Supported Enterprise applications. Enterprise applications are those that impact many departments or functional areas. Check with the I.S. Help Desk at x4259 for questions regarding currently supported enterprise applications. iii. Support For User-installed software. User-installed software will not be supported by I.S. If user-installed software causes problems with the business operation of a workstation or with the network, the workstation will be reformatted and reimaged or the software will be removed at the discretion of I.S. Client Services. iv. Licensed Software. I.S. maintains institutional licensing for a broad range of clinical, business, academic, and research related software. Software with limited licensing may be restricted to functional areas, departments or individuals. Individual departments may be required to cover the costs of incremental licenses as determined by I.S. v. User/Department Specific Software. Software needed for the business operations of a department or an individual which is not covered by institutional licensing may be installed. The installation will be performed by I.S. The department and/or workstation user will be held responsible for maintaining the appropriate license with the software vendor. Any software which lacks appropriate license documentation will be removed. Users may be required to attest in writing to the legality of software licenses outside of the institutional licensing umbrella. vi. Re-image. Workstations with operational issues which cannot be easily repaired will be reimaged back to originally deployed state or current standard image as appropriate at the discretion of Client Services. vii. Unlicensed Software. As stated in the General Policy No. 01-072 "Responsible Use for Information Technology Resources, the responsibility for any fines or criminal penalties resulting from the use and/or installation of unlicensed software will be the responsibility of the user." h. Group/Policy/Administrator rights. As warranted, I.S. will implement workstation policies and administrator controls to protect the Network, improve workstation reliability and promote efficiency in the support of the workstations on our campus. These policies and controls will vary depending upon the physical location of the workstation and the primary use(s) of the workstation. i. Screen Saver. All workstations used to access confidential information including patient information must have a screen saver enabled. For areas in which the workstation location is in a public area the time should be set as short as possible. For workstations which are not shared by multiple users, a password should be set on the screen saver at the discretion of the supervisor. j. Configuration/Image Management Tool. Some workstations require excessive visits to correct workstation problems caused by users such as spy ware, junk ware, games, etc. These workstations will be required to have additional configuration management tools such as a Guard Card which will prevent unwanted changes to the workstation and allow for automatic reimaging. These workstations will be evaluated on a case-by-case basis at the discretion of I.S. Client Services. k. Prohibited. The following actions are prohibited. i. Disabling anti-virus ii. Manually assigned IP addresses iii. Spoofing MAC and/or IP addresses iv. Relocating equipment v. Unregistered PC on the network vi. Hardware changes inside PC case vii. Network monitoring viii. Attacks to systems or network devices 3. Personal, Non-Institutionally Owned Devices. Personal, non-Institutionally owned devices are prohibited on the Network but are permitted on the public wireless network. The primary reasons for this are the software licensing requirements, the security of the individual device as well as support. The license terms of most of the Instutions enterprise software does not extend to non-Institutionally owned devices. The second reason involves non-managed and non-supported equipment introducing problems into our production environment. Third, I.S. does not have the support resources to encompass non-standard hardware. Additionally, the I.S. department is not insured against damage to non-Institutionally owned devices. Finally, unsupported devices are a security risk which can jeopardize the supported devices on the network. 4. Non-compliance. Non-compliance with the terms of this policy can result in removal from the internal network. Additional disciplinary action may be taken up to and including possible termination. 5. Grandfathered Devices. Devices already installed on the Internal Network which do not conform to this policy will not be 'grandfathered'. These workstations will be brought into compliance at the discretion and prioritization of I.S. Client Services. The cooperation of users and departments is expected in this process. Exceptions must follow the exception process outlined below. A reasonable period of time will be granted for users or departments to apply for an exception at the discretion of the I.S. Department. 6. Violations. Violations of this policy will be subject to the Institution's disciplinary process and will result in disciplinary action up to and including termination. Minor violations will result in removal of the network device from the network at the discretion of I.S.. Criminal activity will be subject to applicable state and federal criminal code with appropriate law enforcement authorities notified as appropriate. 7. Exceptions. Exceptions are granted in extreme cases without effective alternatives and only when a significant clinical, academic/research or business need exists. a. Workstations outside the internal network. All workstations outside the internal network such as Web-X machines and other limited exceptions must still run virus protection and some form of workstation/personal firewall. These devices cannot rejoin the internal network without being examined and certified to be free of malicious software. b. Application Procedure. The Administrative Director of I.S must approve all exceptions. The approval process is initiated by the submission of a completed Exception Application. The need must be clearly demonstrated and will be weighed accordingly. Effective Date: 01/01/2005

By agreeing to this policy, I agree to abide by all of the conditions described above.