Acceptable Use Policy

February 28, 2022

Purpose

The purpose of this Acceptable Use Policy is to establish minimum criteria for acceptable use of St. George’s University and University Support Services (collectively the Enterprise), Information Systems.  This policy also strives to support the Office of Information Technology (IT) in maintaining a safe and welcoming Enterprise environment by defining acceptable forms of Enterprise electronic communications.

Scope

This policy applies to all users across the Enterprise’s technological environment and represents the minimum requirements for acceptable Information System use.  Individual facilities and business units may require additional security controls, as needed.  Users of Enterprise Information Systems includes any individual or system with access to Enterprise resources.

Additionally, the Enterprise recognizes that secure and acceptable use of its communication resources is an integral part of its security program.  Regulating the use of electronic communications, such as internet, email, social media, and telephones, is necessary to provide a safe environment for students, faculty, and staff as well as to protect the Enterprise from reputational loss.

Definitions

  • Authorization: Access privileges granted to a user, program, or process, or the act of granting those privileges
  • Electronic Communications: resources owned or managed by the Enterprise, including Enterprise issued email addresses or Enterprise maintained mailing lists. This also applies to any publicly accessible electronic communications involving Enterprise students, faculty, or staff
  • Information System: A set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
  • Information System Abuse: Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources
  • Network: Any information system implemented with a collection of interconnected components
  • Non-Public Information(or Enterprise Data): Information of which, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the interest or conduct of Enterprise business, or the privacy to which individuals are entitled
  • Password: A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization

Roles and Responsibilities

  • Office of Information Technology (IT):The Office of Information Technology is responsible for maintaining this Acceptable Use Policy and implementing controls to prevent and detect abuse of Enterprise systems and resources.
  • Chief Information Officer:The Executive Director of IT is responsible for setting overall policy regarding Enterprise computers, networks, and information systems use and protection.
  • IT Security:The IT Security division is responsible for advising IT on what controls and technologies must be used to monitor and detect unacceptable system use, and for performing monitoring and detection of system misuse.
  • IT Leadership:IT Leadership is responsible for periodically reviewing this policy and for educating the user community about ethical and secure use of Enterprise information systems.
  • Directors, Supervisors, and Department Heads:Management must ensure that all system users within their area of accountability are aware of the responsibilities defined in this policy and must demonstrate a commitment to secure and acceptable system use.

Policy Statement

Acceptable Use

  • Any connection between the Enterprise’s network and/or devices and the Internet presents an opportunity for outside adversaries to access Enterprise systems and non-public information. With this in mind, all users must interact with the Internet safely and in compliance with this policy.
  • All use of Internet communication methods, including but not limited to E-Mail, social media, and messaging apps, must comply with this policy as well as the Social Media Policy.
  • Regarding protection of intellectual property, all individuals will abide by the laws and Enterprise policies to be enforced as defined by the Federal Copyright Act of 1976
  • Mass E-Mail
      • Sending e-mail to large groups of recipients at once must be reserved for those situations where another method of contact is not practical
      • For administrators, all general announcements to students, faculty, and staff must be made through Enterprise Communications
      • All bulk e-mail messages from students must be directed through the Dean of Students Office.
      • Any user with approved access to E-Mail mailing lists may access those mailing lists, provided such access is for business or educational purposes.

Unacceptable Use of Enterprise Resources

The following actions are considered unacceptable use of the Enterprise’s Information Systems and/or Electronic Communications.   Al Enterprise Users must not:

  • Store non-public information on personal devices that are not managed by a mobile device manager.
  • Perform any act intentionally or irresponsibly, which may impair the operation of Enterprise Information Systems.
  • Make unauthorized alterations of the security or network configuration of any Enterprise Information System.
  • Share passwords, PINs, tokens, MFA devices, or other authentication information with anyone, including but not limited to coworkers or administrative staff.
  • Solicit passwords, PINs, tokens, or other authentication information from anyone, including but not limited to coworkers or administrative staff.
  • Utilize Enterprise systems to gain unauthorized access to remote systems or attempt to circumvent any security protections or authentication systems.
  • Users of Enterprise Information Systems must not employ a false identity
  • Run or install any piece of software on any Information System, whether intentionally or unintentionally, without prior authorization from IT.
  • Use Enterprise Information Systems or Electronic Communications systems for personal financial gain, including but not limited to crypto mining and conducting non-enterprise business.
  • Deliberately perform acts that are wasteful of computing resources.
  • Use Enterprise Information Systems in a manner that would constitute harassment, invasion of privacy, threat, defamation, or intimidation.
  • Users may not initiate or participate in malicious activity with the intent to cause harm to the Enterprise.
  • Users communicating via E-Mail may not forward chain letters, send non-public information such as PII by E-Mail, or use “auto-forward” rules to send E-Mail to a non-Enterprise accounts.
  • Users must not provide false or misleading information for the purpose of obtaining additional access rights or manipulating access rights in any way that violates the Enterprise Access Management Policy.
  • Place any of the following types of information or software on any Enterprise information systems:
    • Material which infringes upon the rights of another person or organization including but not limited to copyrights, TM, or IP infringement
    • Abusive, profane, or sexually offensive material
    • Pirated software, destructive software, pornographic materials, libelous statements, or any material which may be injurious to another
    • Advertisements for commercial purposes
    • Threatening, libelous, or offensive messages
  • Play any game using Enterprise Information Systems, unless that game is instructional, and has been specifically approved by IT
  • Connect to websites related to sex, illegal drugs, criminal skills, hate speech, online gambling, or Peer 2 Peer networks

Policy Disclaimers

  • Enterprise Information systems and data stored therein are the property of the Enterprise. The Enterprise reserves the right to limit, restrict, or terminate any user’s account and inspect, copy, remove, or otherwise alter any software, data, or file on any Enterprise Information System. The Enterprise also reserves, and will exercise, the right to review, audit, intercept, access, and disclose all communications or data on Enterprise Information Systems at any time.
  • All users of the Enterprise should be aware of the limitations to their privacy when using Enterprise Information Systems
  • The Enterprise will not be liable for any personal data loss resulting from efforts to maintain the privacy and security of Enterprise Information Systems
  • The Enterprise views the misuse of information systems as a serious matter and will make no ad-hoc exceptions to this policy. Exceptions to this Acceptable Use Policy must be formally requested, in accordance with the Enterprise Policy Lifecycle and Governance Policy.
  • Personal Use

The Enterprise is not responsible for any loss or damage incurred by an individual as a result of the individual’s personal use of Enterprise electronic communication resources. Individual utilization of Enterprise electronic communications for personal purposes is acceptable, provided the individual’s actions do not interfere with their obligations to the Enterprise or incur undo costs to the Enterprise in the form of monetary or reputational loss.

Ignorance of this policy does not excuse violations.

Referenced Documents