Policy # : 08-02
Effective: September 11, 2008
Revised: May 29, 2009
Section: Operations and Services
Subject: Private computers and their usage on college owned networks.
The purpose of this policy is to outline the acceptable use of private computers (those not purchased with University funds) within the College of Health and Human Development (CHHD), and to describe the responsibilities that users and ISS have when private computers are used on the CHHD network.
POLICY APPLIES TO
This policy applies to faculty, staff, students, contractors, consultants, temporaries, and other workers in the College of Health and Human Development, including all personnel affiliated with third parties. This policy applies to all private equipment that is connected to the CHHD network.
Inappropriate computer use exposes all network “residents” to risks including virus attacks, compromise of systems and services, and possible litigation and dismissal from employment. CHHD computing systems are to be used strictly for business purposes to meet the administrative, academic and research needs of the College. Effective security is a team effort involving the participation and support of ISS and every CHHD employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to understand this policy and conduct their online activities accordingly.
ISS will allow the use of private computers (desktops and laptops not purchased with University funds) on CHHD owned and maintained networks provided the following criteria are met and validated by ISS staff:
- The owner of the private computer must have approval from their unit head (Department Head, School Director, or Center Director) to use the computer on the CHHD network. Obtain a copy of the form titled “HHD Private Computer Registration Form” in order to register the computer with ISS.
- The operating system must be of a type that allows the computer to join a domain. For Windows, this means an enterprise-level version of Windows XP, like XP Professional. For Apple computers, this means Mac OS 10.4 or newer.
- The owner of the private computer must take responsibility for backing up the data they have stored on the computer. As described in the next step, all information on the computer’s drive will be erased during the registration process. Before the computer is incorporated into the ISS system, the owner must be satisfied that they have a usable copy of all their data. ISS will take no responsibility for the security or reinstallation of the owner’s personal data when the computer is being serviced. That is the owner’s responsibility.
- ISS will tag the computer with a unique service identifier number, enter it into our system, and erase the computer’s hard drive. Erasing the drive is necessary to make sure the computer does not contain any form of infection. ISS will then perform a fresh install of the operating system. ISS will configure the private computer in an identical manner to how they configure “public” computers. ISS will install the same software set that is used on a “public” computer. We may not be able to grant administrative privileges for a “local account” on the private computer based on future University regulations expected as part of the IPAS project.
- The owner of the private computer must complete a CHHD Computer Account Form. This will allow the computer to be connected to the CHHD Windows Domain so it will receive automatic virus updates and operating system patches.
- If the private computer has previously been tagged by ISS but has not been connected to the CHHD Windows Domain in the last three (3) months, a fresh install of the operating system will again be needed as described above (hard drive erased again) to assure the health of the computer.
- ISS will not be responsible for any parts failures on the private computer while it is in the possession of ISS for configuration. Examples of possible parts failures are disk drives, memory, and CD/DVD drives. This is not an exhaustive list, just some examples. The owner releases ISS from this responsibility in order to gain the convenience of using the computer on the College's network.
GENERAL COMPUTER USAGE GUIDELINES
- Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. In addition to the password requirements listed in the ISS policy 06-02, it is strongly recommended that system level passwords be changed quarterly, and user level passwords should be changed every six months.
- All PCs, laptops and workstations that have security logging capabilities must have basic OS level auditing turned on to facilitate tracking of user accounts in the event of a security breach or other unauthorized access.
- Because information contained on portable and remote computers is especially vulnerable, special care should be exercised. Portable systems, such as external hard drives and flash drives, containing sensitive university data should utilize encryption techniques to protect the data in the event of unauthorized physical access to the system.
- All computers used by the employee that are connected to the CHHD networks, whether owned by the employee or CHHD, should be continually executing approved virus-scanning software with a current virus database.
- Employees must use extreme caution when opening unsolicited e-mail attachments as they may contain viruses, harmful e-mail payloads, or system attacks/keystroke loggers.
- Employees must use extreme caution when clicking on links in web pages since the mere act of clicking on a link can cause a program to be installed and begin executing. This is the same as clicking on “Run” when you are doing a legitimate software installation.
- All systems connected to the CHHD network may only use IP addresses assigned by ISS or its delegates.
UNACCEPTABLE COMPUTER USAGE GUIDELINES
The following activities are prohibited. College IT professionals may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of CHHD authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing CHHD-owned resources.
The lists of prohibited activities presented below are by no means exhaustive, but are provided to form a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or entity protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use in CHHD.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which CHHD or the end user does not have an active license is strictly prohibited.
- It is illegal to export software, technical information, encryption software or technology, in violation of international or regional export control laws. The College Computer Security Officer should be consulted prior to export of any material that is in question.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a CHHD computing asset to engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
- Making fraudulent offers of products, items, or services originating from any CHHD account, or making offers of products, items, or services for personal profit from any CHHD account.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access. The only exception to this is when access is part of a security analysis performed by an authorized individual within the College or University. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information.
- Port scanning or security scanning is expressly prohibited unless prior approval is obtained from the ISS Network Security Officer.
- Executing any form of network monitoring which intercepts data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network or account apart from assigned duties performed by College IT professionals.
- Interfering with or unsanctioned denying of service to any user other than the employee's host (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the CHHD network apart from assigned duties performed by IT professionals.
- Providing information about, or lists of, CHHD employees to parties outside the University.
- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (e-mail spam).
- Any form of harassment via email, telephone or paging, whether through content, language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
- Creating or forwarding "chain letters" or "pyramid" schemes of any type.
- Use of unsolicited email originating from within CHHD's networks or other Internet service providers on behalf of, or to advertise, any service hosted by CHHD or connected via the College’s network.
- Posting identical or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Any employee found to have violated this policy may be subject to disciplinary action by their Administrative unit, the College, or the University.