Computer, Network, and Information Systems Access, Control, Use, and Security Policy

Purpose:

To establish minimum criteria for access, controls, use, and security of St. George's University (University) computers, networks, and information systems.

General:

This policy represents the minimum requirements that must be in place at all University locations. Individual areas that have computers and networks may have additional controls and security in addition to this policy.

Definition of Terms:

Information System: An electronic data storage and retrieval system used to store and process computerized data. Such a system may include, but is not limited to, computers, terminals, peripherals, networks, software, and data.

Computer Abuse: Includes, but is not limited to, unauthorized access, update, or use; interference with operation; unauthorized access to data, including software; and "impersonation" to gain access.

Computer Account: An authorization for an individual to access a specific University-owned computer system for University-related activities. Accounts are a privilege, and access to an account can be revoked at the discretion of the appropriate manager, dean, department head or the Executive Director of Information Technology. All computer accounts are restricted so that the user has access to a set of application programs and limited access to University computers, networks, and information systems.

Network: A collection of independent computing systems, together with a mechanism that allows them to exchange information with one another.

Password: An alphanumeric character string that acts as a key for a user to access a specific computer account. It differs from the User ID since the User ID is known or can be determined by any user of the system. The password is the private knowledge of the user and must not be shared.
System User: Any member of the faculty, student body, alumni, and/or employee, etc., of the University or administrative or associated organization who uses any University computer, network, or information system resource or service.

Policy:

  • University computers, networks, and information systems shall be used only for University related activities and in fulfillment of the University's mission.
  • Due care shall be exercised by system users to protect University computers, networks, and information systems from unauthorized use, disclosure, alteration, or destruction.

Responsibilities:

The Chancellor:

  • Shall set overall policy regarding computers, networks, and information systems use and protection.

The Executive Director of Information Technology:

  • Shall develop and implement University-wide policies, controls, and procedures to protect the University’s computers, network, and information systems from intentional or inadvertent modification, disclosure or destruction, as well as monitor user adherence to these policies; arbitrate and resolve issues and problems pertaining to ownership, accessibility and updating responsibility of the University's data resources; and educate the user community to the ethical usage of computer information and network facilities.

Management, Deans, and academic department heads:

  • Shall ensure that all system users within their area of accountability are aware of their responsibilities as defined in this policy. Specifically, they are responsible for validating the access requirements of their staff according to their job functions, prior to submitting requests for the provision of access, and for insuring a secure physical environment with regard to University computers, networks, and information systems.

In addition, they are responsible for:

  • Requesting a user identification code, password and initial basic capabilities for new system users within their areas of accountability;
  • Requesting access for system users to needed production applications, both on-line and batch;
  • Coordinating requests by authorized system users for computerized institutional data for ad hoc reporting and analysis;
  • Ensuring that all data accessed or received is used in accordance with University policy;
  • Coordinating access and security procedures for system users transferring to or from other positions with the University;
  • Ensuring that cessation of access to the University computers and information systems by system users terminating employment is promptly requested;
  • Addressing and reporting violations of University data access and use policies and agreements to appropriate authorities.

System users:

  • Shall ensure that they make use of services and facilities only as required in the performance of their job function. Users are responsible for all transactions occurring during the use of their user ID and/or password. Computer accounts and passwords must not be shared with anyone under any circumstances unless the Executive Director of Information Technology specifically approves an exception. Only exceptional requests that document an extraordinary situation will be considered. All requests and approvals must be in writing.

System users must:

  • Safeguard University computers, networks, and information systems, and report any breach of security or compromise of safeguards to their immediate supervisors, who will then forward any such report to the Executive Director of Information Technology.
  • Abide by the terms of software licensing agreements and copyright laws.

System users must NOT:

  • Perform any intentional act that impairs the operation of University computers, networks, or information systems.
  • Use the computer, network, or information systems resources to gain unauthorized access to remote computers.
  • Attempt to modify in any way a computer file or program supplied by the University.
  • Run, install, or cause to be installed any software on any University computer, network, or information system, without prior written authorization from the Executive Director of Information Technology.
  • Attempt to circumvent protection schemes or uncover security loopholes.
  • Use University computers, networks, and information systems for personal financial gain.
  • Deliberately perform acts that are wasteful of computing resources. These acts include, but are not limited to, sending mass mailings or chain letters, obtaining unnecessary output, creating unnecessary multiple jobs or processes, creating unnecessary network traffic, or printing, storing on any system, or moving across the network, any excessively large document or file.
  • Place any of the following types of information or software on any University computers, networks, or information systems:
    • Material which infringes upon the rights of another person or organization;
    • Abusive, profane, or sexually offensive material.
    • Pirated software, destructive software, pornographic materials, libelous statements, or any material which may be injurious to another.
    • Advertisements for commercial purposes.
    • Harass others by sending annoying, threatening, libelous, or offensive messages.
  • Attempt to monitor another user's data communications, or read, copy, change, or delete another user's files or software, without permission of the owner.
  • Play games using any of the University's computers, networks, or information systems unless for instructional purposes and specifically authorized to do so by the Executive Director of Information Technology.

It is a further responsibility of each system user to read and understand this policy. Ignorance of this policy does not excuse violations.

  • Access to University computers, networks, information systems, accounts, and resources is limited only to those individuals authorized by the University. Authorization for such access, including the purpose of the account, issuance of passwords and designation of computer accounts, must be approved in writing through the respective managers, deans, or academic department heads, or their authorized representatives. The unauthorized use of University computers, networks, information systems, accounts, or resources; the unauthorized use of another person's computer account; and providing false or misleading information for the purpose of obtaining access to any of such, are prohibited and will be subject to the sanctions described in this policy.
  • The University shall not be liable for, and the user assumes the risk of, loss of data or interference with files resulting from the University's efforts to maintain the privacy and security of the University's computer, network, and information systems.
  • All software, data, or any other files produced by system users on University computers, networks, or information systems are the property of the University. This includes, but is not limited to, the contents of all e-mail correspondence. As such, the University has the right to examine all such software, data, and files.
  • In order to protect the security of the University computers, networks, and information systems, and the integrity of the information against unauthorized or improper use, and to protect authorized users and others from the effects of unauthorized or improper usage, the University reserves the right to:
    • Limit, restrict or terminate any account holder's usage;
    • Inspect, copy, remove or otherwise alter any software, data, file, or system resources which reside on University computers, networks, or information systems, with or without prior notice to the user;
    • Periodically check and to take any actions necessary to protect University computers, networks, and information systems.
  • The University reserves and will exercise the right to review, audit, intercept, access and disclose all matters on the university's e-mail systems at any time, with or without notice, and such access may occur during or after hours.
  • Any system user engaging in computer abuse or unauthorized use, disclosure, alteration, or destruction of University computers, network, or information systems and/or any other violation of this policy shall be subject to appropriate action such as:
    • A limitation on a user's access to some or all University systems;
    • The initiation of legal action by the University, including, but not limited to, criminal prosecution under the appropriate laws;
    • The requirement of the violator to provide restitution for any improper use of service;
    • Disciplinary sanctions, which may include dismissal.
  • Many academic courses and work-related activities require the use of computers, networks and systems of the University. In the event of an imposed restriction or termination of access to some or all University computers and systems, a user enrolled in such courses or involved in computer-related activities may be required to use alternative facilities, if any, to satisfy the obligation of such courses or work activity. However, users are advised that if such alternative facilities are unavailable or not feasible, it may be impossible for them to complete their requirements. The University views misuse of computers as a serious matter, and will make no exceptions to restrictions on access to its facilities, even if the user is unable to complete course requirements or work responsibilities as a result.

Top