Below is the document summarizing the comments that I received on the proposed AUP at the Faculty Senate Meeting of March 2005 and comments from individuals and committees across campus after its presentation. I presented this document at the Security Review Board meeting this afternoon (6 April 2005), and it was well received.
The next step is to convene a small group to work through these ideas. This small group will consist of Muly, Ridenour, Dewey, Leatherman, and myself. The meeting time is being set up.
We are to report either suggestions for changes, or a new policy. The group is to report to the Security Review Board on May 4.
ACCEPTABLE USE POLICY
This document presents a summary of comments regarding the AUP from discussions at the March 2005 Faculty Senate meeting and private comments from individuals and committees around campus. More detailed comments on specific sections of the document are found in my memo to Candace White of 11 March 2005 regarding the AUP.
The AUP is a very important expression of the relationships between the administration, the faculty, the students, and other groups regarding the use and security of our electronic commons. We as the Faculty stand ready and willing to work with OIT regarding the articulation of these relationships.
The Acceptable Use of Information Technology Resources establishes the standards and guidelines for the responsible and acceptable use of University of Tennessee--Knoxville area campus information technology (IT) resources. This standard applies to all students, faculty, staff, and friends of the Knoxville area campus while using or handling the Knoxville area campus's information technology resources. The Knoxville area campus, as defined for this document, is defined in Appendix A of the Information Technology Security Strategy. All Knoxville area campus users are required to be familiar with and comply with this standard.
The term "information technology (IT) resources" addressed in this document is defined but not limited to any computers, computer systems, networks (e.g., routers, switches), software applications, or other devices that are owned by the Knoxville area campus. All devices connected to the Knoxville area campus network that are not owned by the Knoxville area campus are expected to follow the principles in this standard. IT resources include all electronic information, institutional data, documents, messages, programs or system software, or configuration files that are stored, executed, or transmitted via Knoxville area campus computers, networks, or other information systems.
1. IT resources are valuable assets strategically provided to enhance the core functions of the Knoxville area campus system. The use of Knoxville area campus IT resources is a privilege extended in good faith to authorized students, faculty, staff, and friends for purposes relating to education, research, service, and administration. Responsible and acceptable use preserves the confidentiality, integrity, and availability of IT resources and establishes user accountability. Unauthorized use of IT resources is strictly prohibited Authorized individuals using IT resources owned or managed by the Knoxville area campus are expected to know and comply with Knoxville area campus standards, and all applicable laws.
2. The Knoxville area campus, including it's computing and networking facilities, is a forum for the exchange of ideas. The Knoxville area campus cannot protect users from the presence of material they may find offensive. The presence of such material, however, must not be represented or construed as an endorsement or approval by the Knoxville area campus.
3. Connection to the Knoxville area campus network is a privilege based on adherence to this standard. If violations are detected, use of IT resources may be suspended as necessary and may include additional sanctions such as termination of access, disciplinary review, expulsion, termination of employment, legal action, and/or other appropriate disciplinary action.
4. For purposes of this standard, e-mail includes point-to-point messages, postings to newsgroups and listservs, and any electronic messaging involving computers and computer networks. Organizational e-mail accounts, including those used by student organizations, are held to the same standards as those for individual use by members of the Knoxville area campus.
5. While the Knoxville area campus recognizes the role of privacy in an institution of higher learning and every attempt will be made to honor that ideal, there should be no expectation of privacy of information stored on or sent through Knoxville area campus-owned information systems and communications infrastructure.
6. The University of Tennessee is subject to the provisions of the Tennessee Public Records Act. This Act and various federal and state laws provide for significant exceptions to disclosure. These exceptions include but are not limited to: student records, research records, certain employee information, individually identifiable medical information, certain financial information of individuals, and information which, if released, would damage the safety and security of the university. All requests, including subpoenas, to review or receive copies of Knoxville area campus records or information should be referred to the Office of Public Relations. The Office of Public Relations will review the request, determine the parties that need to be involved in evaluation of the request, and determine whether the information should be disclosed under the Tennessee Public Records Act.
7. The Knoxville area campus also reserves the right to preserve or inspect any information transmitted through or stored in its computers, including e-mail communications and individual login sessions, without notice when:
a. There is reasonable cause to believe the user has violated or is violating this standard, any campus guidelines or procedures established to implement this standard, or any other Knoxville area campus standards;
b. An account appears to be engaged in unusual or unusually excessive activity;
c. The user has voluntarily made information accessible to the public such as a Web page;
d. It is necessary to do so to protect the confidentiality, integrity, or availability of the Knoxville area campus's IT resources or to protect the Knoxville area campus from liability;
e. It is otherwise permitted or required by law, such as subpoena or court order.
8. All users are expected to act in a responsible, ethical, and legal manner with the understanding that Knoxville area campus IT resources are used in a format that may be accessible by the public. Users should respect other users, including others' expectations of confidentiality, freedom of expression, and intellectual property rights.
9. Minimal personal use is allowed and is sometimes necessary. Employees should use discretion when using the Knoxville area campus's IT resources. Therefore, minimal personal use of these resources is permitted by this standard, except when such use:
a. Is excessive or interferes with the performance of the user's Knoxville area campus responsibilities.
b. Results in additional incremental cost or burden to the Knoxville area campus's IT resources.
c. Is otherwise in violation of this standard.
d. Breaks any state or federal law.
The prohibition against using Knoxville area campus IT resources for personal gain does not apply to scholarly activities, including the writing of textbooks or preparation of other teaching materials by faculty members, as recognized in the Statement of Policy on Patents, Copyrights, and Licensing. Consulting and other activities that relate to the faculty member's professional development are also not included in the prohibition of using IT resources for personal gain. For approved consulting and other activities, see policies on compensated outside services in campus/unit faculty handbooks.
10. Knoxville area campus IT resources are provided for use in conducting authorized university business. Using these resources for personal gain or illegal or obscene activities is prohibited. Users observing an instance or occurrence of any of the following activities are expected to report their observance to the appropriate law enforcement authority. Although not an inclusive list, examples of such use include theft, fraud, gambling, copyright infringement, sound or video recording piracy, hacking, and either viewing or distributing child pornography.
11. The use of Knoxville area campus IT resources to attempt unauthorized use, interfere with the legitimate use by authorized users of other computers or networks elsewhere which includes misrepresentation of his or her identity to other networks (e.g., IP address "spoofing") from Knoxville area campus IT resources is prohibited. Users are responsible for adhering to the standards and principles of any external network. The Knoxville area campus cannot and will not extend any protection to users who violate external network standards. Abuse of networks or computers at other sites through the use of Knoxville area campus IT resources will be treated as an abuse of Knoxville area campus IT resource privileges.
12. Performing, participating in, encouraging, or concealing any unauthorized use or attempts of unauthorized use of Knoxville area campus IT resources which includes any misrepresentation of his or her identity or relationship to the Knoxville area campus for the purpose of accessing or attempting unauthorized access to Knoxville area campus IT resources is prohibited.
13. Tennessee's Little Hatch Act prohibits the use of university resources on behalf of any party, committee, agency, or candidate for political office (Tennessee Code Annotated 2-19-206). Students, faculty, staff, and friends should not use Knoxville area campus computers, printers, letterhead, e-mail and surface mail systems, facilities, or other resources to engage in such activity.
14. Modification or reconfiguration of the software, data, or hardware of any Knoxville area campus IT resource (e.g., system/network administration, internal audit) without appropriate authorization or permission is prohibited.
15. It is prohibited to:
a. Knowingly create, install, execute, or distribute any malicious code or another surreptitiously destructive program on any Knoxville area campus IT resource, regardless of the result (reference the Malicious Code Prevention Standard),
b. Use a system attached to Knoxville area campus resources to capture data packets (e.g., "sniffer") except for authorized or other official Knoxville area campus business without a prior waiver of this standard,
c. Use Knoxville area campus IT resources to transmit abusive, threatening, or harassing material, chain letters, spam, or communications prohibited by state or federal laws,
d. Launch denial of service attacks against other users, systems, or networks,
e. Abuse the standards of any newsgroups, mailing lists, and other public forums through which they participate from a Knoxville area campus account,
f. Connect any computer or network system to any of the Knoxville area campus's networks (e.g., direct connection, direct dial-in access) without employing reasonable and available technical and security standards - which, at a minimum, requires user identification and authentication (reference the Network Access Standard),
g. Use Knoxville area campus IT resources in a way that violates any applicable patent protection and authorizations, copyrights, license agreements, other contracts, state or federal laws, or Knoxville area campus rule or regulation.
h. Access (e.g., read, write, modify, delete, copy, move) another user's files or electronic mail without the owner's permission regardless of whether the operating system allows this access to occur.
i. Knowingly or willingly interfere with the security mechanisms or integrity of UT IT resources. Users shall not attempt to circumvent data protection schemes or exploit security loopholes.
j. Connect devices to the network which may negatively impact the network. Such devices include, but are not limited to:
-Wireless Access Points, switches, hubs, bridges, or routers
-DHCP servers or any device that acts as a DHCP server
-DNS servers or any device that acts as a DNS server
k. Any device that consumes a disproportionate amount of network bandwidth
16. Further restrictions may be imposed upon personal use by a user's supervisor or in accordance with normal supervisory procedures concerning the use of Knoxville area campus equipment.
System & Network Administrator Responsibilities:
17. Each departmental unit is responsible for security on their systems and networks and may apply more stringent security standards than those detailed herein while connected to UT IT resources; however, they must follow these principles as a minimum or risk losing connectivity to UT networks.
18. System and network administrators are responsible for ensuring appropriate security is enabled and enforced in order to protect the UT network to which it is connected.
19. System and network administrator privileges on UT IT resources confer substantial authority as well as responsibility for all other connected systems and networks. Administrators must make every effort to remain familiar with the changing security technology that relates to their systems and continually analyze technical vulnerabilities and their resulting security implications. Stored authentication data (e.g., password files, encryption keys, certificates, personal identification numbers, and access codes) must be appropriately protected with access controls, encryption, shadowing, etc.
20. All users of Knoxville area campus resources must adhere to the definitions for information and systems classification as defined in the Information Classification Standard.
21. All users of information systems at Knoxville area campus are responsible for knowing and adhering to the definitions concerning information and systems classification as defined in the Information Classification Standard.
22. It is the standard of the Knoxville area campus to maintain the security of IT resources. All users of information technology resources are required to take appropriate measures to address the security of those resources.
23. All computers connected to a Knoxville area campus network must have current anti-virus protection measures in place as defined in the Knoxville Malicious Code Prevention Standard.
24. All devices connected to the Knoxville area campus network must maintain reasonable current patch levels as defined in the Knoxville Network Access Standard.
25. Users are responsible for saving or archiving their e-mail. The Knoxville area campus retains e-mail only for system recovery and backup purposes. The recommended retention time is 14 to 30 days.
26. Knoxville area campus personnel, approved by the Chief Information Officer, will routinely scan Knoxville area campus networks for devices vulnerable to known security weaknesses, computers not running antivirus software, and devices which could negatively impact the performance of the overall network.
27. Abuse of Knoxville area campus standards, abuse of Knoxville area campus IT resources, or abuse of other sites through the use of Knoxville area campus IT resources may result in termination of access, disciplinary review, expulsion, termination of employment, legal action, and/or other appropriate disciplinary action. Notification will be made to the appropriate Knoxville area campus office (e.g., appropriate office for student conduct matters, Human Resources, General Counsel, the police department with campus jurisdiction) or local and federal law enforcement agencies. Reference the Network Access Termination Standard.
28. System administrators and designated security officers will, when necessary, work with other Knoxville area campus offices such as the police department with campus jurisdiction, appropriate office for student conduct matters, schools' and colleges' disciplinary councils, General Counsel, Human Resources, and others in the resolution of security incidents.
29. The Information Security Officer or designate is authorized to isolate and/or disconnect systems from the network while assessing any suspected or reported security incident in order to minimize risk to the rest of the Knoxville area campus network. Reference the Network Access Termination Standard.
30. Any device connected to a Knoxville area campus network which is vulnerable to attack may be removed from the network until the owner verifies that the device has been properly patched. Reference the Network Access Standard and the Network Access Termination Standard.
31. Any computer connected to a Knoxville area campus network which is infected with a virus or not running antivirus software, when available, shall be removed from the network until the owner can verify that the virus has been removed and that antivirus software is installed. Reference the Network Access Standard, the Malicious Code Prevention Standard, and the Network Access Termination Standard.
32. Any computer connected to a Knoxville area campus network which has antivirus software installed but is not reasonably current on virus definition files shall be removed from the network until the owner can verify that current definition files are installed. Reference the Network Access Standard, the Malicious Code Prevention Standard, and the Network Access Termination Standard.
33. Any device connected to a Knoxville area campus network which degrades the performance of the network may be removed from the network.
34. In the event of a legal investigation, the Knoxville area campus reserves the right to isolate the system and "lock it down" to preserve evidence during investigation by law enforcement agencies.
REPORTING SECURITY INCIDENTS & INFRACTIONS
35. Users are expected to report, as defined in the Knoxville area campus Information Classification Standard, any information concerning instances in which they suspect or have obtained evidence that the above principles have been or are being violated.
36. If at any time a user receives an electronic communiquÈ that places the user in peril or leads the user to believe that a criminal act may be pending, the user is expected to immediately report the matter to campus or local law enforcement authorities.
SOFTWARE LICENSE AGREEMENTS
37. Each software package includes a license agreement that details restrictions on the use of the software. The Knoxville area campus expects software users to follow the provisions in these license agreements regarding copying, improvements, number of concurrent users, and similar provisions, even though the Knoxville area campus has not signed the license agreements and does not agree to be bound by certain other provisions of the agreements.
38. License agreements differ among software publishers. It is important that users read and understand the license agreement for each software package.
39. Because of the unique nature of computer software, the federal copyright law recognizes two limited exceptions to the usual prohibitions against copying or altering copyrighted work. If the copy or adaptation does not meet one of the following exceptions, it is a violation of federal law. The licensee or purchaser of software may: a. Make one backup copy for use in the event that the original disk is damaged or destroyed beyond use. The backup copy must be destroyed if the license for the underlying computer program is discontinued.
b. Make a copy or adaptation if the new copy or adaptation is an essential step in utilizing the program on the licensee's or purchaser's computers. Any additional copy or adaptation must be an essential step in utilizing the program, and not merely for convenience.
40. Questions about computer software use not addressed by this standard or questions about specific license agreements should be directed to the Information Security Officer.
EXCEPTIONS PROCESS STRATEGY
41. Standards are management instructions indicating a course of action. Compliance with standards is mandatory. Nevertheless, exceptions may be allowed to achieve certain business requirements or other special circumstances. The Information Security Exception Standard and Form defines the process for reviewing and approving these requests.
VIOLATIONS & ENFORCEMENT
42. Any violation of this standard should be reported to the Knoxville area campus's Information Security Officer via email at email@example.com. Violations of this standard can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action.
ADMINISTRATION & INTERPRETATIONS
43. This standard shall be administered by the Information Security Officer. Questions regarding this standard should be directed to the Information Security Officer.
AMENDMENT or TERMINATION OF THIS STANDARD
44. The University of Tennessee--Knoxville area campus reserves the right to modify, amend or terminate this standard at any time via the normal review process.
To offer suggestions or comments about this web site, please click here.