I. Policy Purpose 2
III. Policy Scope 3
V. Conditions of University Access 6
VI. Enforcement Procedures 7
Arkansas State University-Jonesboro (ASU-J) invests substantial and sufficient resources to acquire and operate information technology (IT) assets, such as hardware, software, and Internet connections, etc. The University has a responsibility to manage its resources in the most efficient and effective manner possible and in compliance with all laws, regulations, and sound business practices, while at the same time protecting and preserving the right to academic freedom. Effective management of information technology resources will assure students, faculty, and staff adequate access to information and technology over the long term. The following regulations are established to define acceptable uses of University information resources, and to assure that information technology resources promote the basic functions of the University in teaching, learning, research, administration, and public service. These regulations apply to any individual accessing the Arkansas State University information technology infrastructure and associated resources.
IA. Need for a Technology Resources Use Policy
The 83rd General Assembly of the Arkansas State Legislature passed House Bill 2403 into law as ACT 1287 of 2001. This Act requires all State agencies to develop appropriate use policies. Moreover, ASU-J must manage certain legal risks regarding employment and student conduct issues. Information and Technology Services has no current written guidelines within which to set policy for employment issues outside of individually interpreted common understandings. This policy complies with ACT 1287 of 2001.
These regulations apply to any individual or entity accessing the Arkansas State University information technology infrastructure and associated resources.
Although this policy sets forth the general parameters of appropriate use of IT resources, faculty; students; and staff should consult their respective governing policy manuals for more detailed statements on permitted use and the extent of use that the University considers appropriate in light of their varying roles within the community. In the event of conflict between handbook IT policies and the University Appropriate Use Policy, the Appropriate Use Policy will prevail.
IT resources may be used only for their authorized purposes -- that is, to support the research, education, administrative, and other functions of Arkansas State University. The particular purposes of any IT resource as well as the nature and scope of authorized, incidental personal use may vary according to the duties and responsibilities of the User.
A) Proper Authorization. Users are entitled to access only those elements of IT resources that are consistent with their authorization. Access is limited to members of the ASU-J community, including faculty, staff, students, and other specifically authorized individuals.
B) Ownership. Subject to intellectual property rights policy, all data stored on University computers belongs to the University, unless specifically stated elsewhere or agreed to by the appropriate university official.
C) Privacy. Users agree to access only data that they are authorized to use and/or view. Privacy in an electronic environment should never be assumed, and cannot be guaranteed. Because Arkansas State University is a state agency, all electronic communications and documents may be subject to the Freedom of Information Act.
D) Specific Proscriptions on Use. The following categories of use are inappropriate and prohibited:
1. Use in violation of law. Illegal use of IT resources -- that is, use in violation of civil or criminal law at the federal, state, or local levels -- is prohibited. Examples of such uses are: promoting a pyramid scheme; distributing illegal material; copyright infringements; and making bomb threats.
With respect to copyright infringement, Users should be aware that copyright law governs (among other activities) the copying, display, and use of software and other works in digital form (text, sound, images, and other multimedia). The law permits use of copyrighted material without authorization from the copyright holder for some educational purposes (protecting certain classroom practices and "fair use," for example), but an educational purpose does not automatically mean that the use is permitted without authorization.
2. Use that impedes, interferes with, impairs, or otherwise causes harm to the activities of others. Users must not deny, attempt to deny, or interfere with service to other users in any way, including by "resource hogging," misusing mailing lists, propagating "chain letters" or virus hoaxes, "spamming" (spreading email or postings widely and without good purpose), or flooding an individual, group, or system with numerous or large email messages. Other behavior that may cause excessive network traffic or computing load is also prohibited.
3. Use that is inconsistent with ASU-J's public service status. The University is a non-profit, public service organization and, as such, is subject to specific federal, state, and local laws regarding sources of income, political activities, use of property, and similar matters. As a result, commercial use of IT resources for non-ASU-J purposes is generally prohibited, except if specifically authorized and permitted under University conflict-of-interest, outside employment, and other related policies. Prohibited commercial use does not include communications and exchange of data that furthers the University's educational, administrative, research, and other roles, regardless of whether it has an incidental financial or other benefit to an external organization.
Utilization of IT resources in a way that suggests University endorsement of any political candidate or ballot initiative is also prohibited. Users must refrain from using IT resources for the purpose of lobbying that connotes University involvement.
4. Harassing or threatening use. This category includes, for example, repeated unwelcome contacts with another.
5. Use damaging the integrity of University or other IT Resources. This category includes, but is not limited to, the following six activities:
a. Attempts to defeat system security. Users must not defeat or attempt to defeat any IT System's security -- for example, by "cracking", decoding, guessing or applying the identification or password of another User, or compromising system/data security mechanisms. (This provision does not prohibit, however, ITS or Systems Administrators from using security scan programs within the scope of their Systems Authority.)
b. Unauthorized access or use. The University recognizes the importance of preserving the privacy of Users and data stored in IT resources. Users must honor this principle by neither seeking to obtain unauthorized access to IT resources, nor permitting or assisting any others in doing the same. For example, a non-ASU-J organization or individual may not use non-public IT resources without specific authorization. Privately owned computers may be used to provide public information resources, but such computers may not host sites or services for non-ASU-J organizations or individuals across the ASU-J network without specific authorization. Similarly, Users are prohibited from accessing IT resources that they are not authorized to access. Furthermore, Users must not make or attempt to make any deliberate, unauthorized changes to data on an IT System. Users must not intercept or attempt to intercept or access data communications not intended for that user, for example, by "promiscuous" network monitoring, running network sniffers, or otherwise tapping phone or network lines.
c. Disguised use. Users must not conceal their identity when using IT Resources, except when the option of anonymous access is explicitly authorized. Users are also prohibited from masquerading as or impersonating others or otherwise using a false identity.
d. Distributing computer viruses. Users must not knowingly distribute or launch computer viruses, worms, or other rogue programs.
e. Modification or removal of data or equipment. Without specific authorization, Users may not remove or modify any University-owned or administered equipment or data from University property or IT resources.
f. Use of unauthorized devices. Without specific authorization, Users must not physically or electrically attach any additional device (such as an external disk, printer, or video system) to the IT infrastructure or related resources.
6. Use in violation of external data network policies. Users must observe all applicable policies of external data networks when using such networks.
The University places a high value on privacy and recognizes its critical importance in an academic setting. There are nonetheless circumstances in which, following carefully prescribed processes, the University may determine that certain broad concerns outweigh the value of a User's expectation of privacy and warrant University access to relevant IT resources without the consent of the User. Those circumstances are discussed below, together with the procedural safeguards established to ensure access is gained only when appropriate.
A. Conditions. In accordance with state and federal law, the University may access all aspects of IT resources, without the consent of the User, in the following circumstances:
1. When necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity of the IT resources; or
2. When authorized by federal, state, or local law or administrative rules; or
3. When there are reasonable grounds to believe that a violation of law or a significant breach of University policy may have taken place and access and inspection or monitoring may produce evidence related to the misconduct; or
4. When such access to IT resources is required to carry out essential business functions of the University; or
5. When required to preserve public health and safety.
B. Process. Consistent with the privacy interests of Users, University access without the consent of the User will occur only with the approval of the President, and the Vice Chancellor for Academic Affairs (for faculty users), the Vice President for Finance and Administration (for staff users), the Vice Chancellor for Student Affairs as appropriate (for student users), or their respective delegates, except when an emergency entry is necessary to preserve the integrity of facilities or to preserve public health and safety. The University, through the Systems Administrators, will log all instances of access without consent. Systems Administrators will also log any emergency entry within their control for subsequent review by the President, Vice President for Finance and Administration, or other appropriate University authority. A User will be notified of University access to relevant IT resources without consent.
C. User access deactivations. In addition to accessing the IT resources, the University, through the appropriate Systems Administrator, may deactivate a User's IT privileges, whether or not the User is suspected of any violation of this policy, when necessary to preserve the integrity of facilities, user services, or data. The Systems Administrator will attempt to notify the User of any such action.
D. Use of security scanning systems. By attaching privately owned personal computers or other IT resources to the University's network, Users consent to University use of scanning programs for security purposes on those resources while attached to the network.
E. Logs. Most System Administrators routinely log user actions in order to facilitate recovery from system malfunctions and for other management purposes. All Systems Administrators are required to establish and post policies and procedures concerning logging of User actions, including the extent of individually identifiable data collection, data security, and data retention.
F. Encrypted material. Encrypted files, documents, and messages may be accessed by the University under the above guidelines.
A. Complaints of Alleged Violations. An individual who believes that he or she has been harmed by an alleged violation of this Policy may file a complaint in accordance with established University grievance procedures (including, where relevant, those procedures for filing complaints of sexual harassment or of racial or ethnic harassment) for students, faculty, and staff. The individual is also encouraged to report the alleged violation to the Systems Authority overseeing the facility most directly involved, or to the University Information and Technology Services unit, which must investigate the allegation and (if appropriate) refer the matter to University disciplinary and/or law enforcement authorities.
B. Reporting Observed Violations. If an individual has observed or otherwise is aware of a violation of this policy, but has not been harmed by the alleged violation, he or she may report any evidence to the Systems Authority overseeing the facility most directly involved, or to the University Information and Technology Services unit, which must investigate the allegation and (if appropriate) refer the matter to University disciplinary and/or law enforcement authorities.
C. Disciplinary Procedures. Alleged violations of this policy will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff, and students, as outlined in the Faculty Handbook, Staff handbook, various student handbooks (e.g., the Undergraduate Regulations for undergraduates, the relevant policy manuals for graduate and professional school students), and other applicable materials.
Systems Administrators and the Information and Technology Services unit may participate in the disciplinary proceedings as deemed appropriate by the relevant disciplinary authority. Moreover, at the direction of the appropriate disciplinary authority, Systems Administrators, and the Information and Technology Services unit are authorized to investigate alleged violations.
D. Penalties. Individuals found to have violated this policy may be subject to penalties provided for in other University policies dealing with the underlying conduct, that is, the Faculty handbook, the Staff handbook, and the Student Code of Conduct handbook. Individuals who are members of the ASU-J community are subject to all local, state, and federal statutes. Violators may also face IT-specific penalties, including temporary or permanent reduction or elimination of some or all IT privileges. The appropriate penalties shall be determined by the applicable disciplinary authority in consultation with the Systems Administrator.
E. Legal Liability for Unlawful Use. In addition to University discipline, Users may be subject to criminal prosecution, civil liability, or both for unlawful use of any IT System.
F. Appeals. Users found in violation of this policy may appeal or request reconsideration of any imposed disciplinary action in accordance with the appeals provisions of the relevant disciplinary procedures.