I T

Acceptable Usage Policy - applies to all using UU technology

Last Updated by Information Technology April 2022

This AUP defines responsible and appropriate usage of Union University's information technology resources in fulfillment of the Mission of the University. It applies to everyone using the University's Information Technology Resources.

Responsible, appropriate usage is always ethical, reflects honesty in all work, shows stewardship in the consumption of shared resources, and is guided by Christian principles.

This AUP will not be static, due to the dynamic nature of technological advances. The University reserves the right to amend, to modify or to strengthen this AUP at any time and without prior notice, to maintain and to enhance the definition of acceptable usage.

I. Policy Objective

1. REASON FOR POLICY
   Because Clients may have access to (1) sensitive information due to their University roles and (2) shared resources, it is imperative that behavior and activities always comply with this AUP.
2. SCOPE OF POLICY AND ENTITIES AFFECTED
   The AUP governs use of all Information Technology Resources and all Client Resources, regardless of location. Each Client always assumes responsibility for his or her own behavior while utilizing any Information Technology Resources. Failure to comply with this AUP may adversely affect the Mission of the University and may result in Client disciplinary action.
   
   Additionally, the University reserves the right to remove or to restrict a Client's privileges and access to Information Technology Resources without notice, as needed to maintain appropriate and secure use of Information Technology Resources.
   
   Any knowledge of a violation of this AUP must be immediately reported to the employee's supervisor and to the Associate Vice President for Information Technology or his or her designee.

II. Definitions

Throughout this AUP, the following terms will have these specific associated meanings:

• Client - current or prospective students, current or prospective employees, alumni, retirees, volunteers or guests of the University who use Information Technology Resources
• Information Technology Resources - resources owned, leased, licensed or used by Union University that include but are not limited to software, hardware, wireless and physical networking equipment/services, telecommunication equipment, computer labs, workstations, media equipment, storage devices (CDs, DVDs, USB drives, network drives, removable drives, solid-state drives), cloud-based services (Microsoft OneDrive, Teams, etc.), internet service, email, externally-hosted or on-premise services, academic systems (Instructure Canvas LMS, etc.), Enterprise Information Systems (Ellucian Colleague, SelfService, Blackbaud Raiser's Edge, Microsoft SharePoint, Teams etc.), data/information, digital assets, etc.
• Client Resources - resources owned, leased, licensed or used by Clients to utilize Information Technology Resources in any ways that include but are not limited to computers, tablets, smartphones, displays, cloud-based services, gaming consoles, printers, etc.
• Information Technology - the group of designated University staff members who maintain Information Technology Resources (Information Technology is not responsible for installing, supporting or maintaining Client Resources.)

III. Policy Content

1. CLIENT ACCESS AND PRIVILEGES
   1. Access Provision
      

      The University provides appropriate access to Information Technology Resources, based on Client roles and requirements. Each student receives initial account access upon acceptance to the University. Each employee receives access on or before his or her official date of employment, as determined by the Office of Human Resources.

   2. Client Credentials
      

      Selected Clients (current students and current employees) will each be issued account credentials (a unique account name and a private password) to provide this access. Each of those Clients is responsible for all activities performed using his or her credentials.

      Each password is an essential element of the University's information security. A strong University password, different from the Client's non-University passwords, is the front line of protection. Each Client is responsible for maintaining password confidentiality by never sharing a password with another person. Each Client should change his or her password periodically at password.uu.edu, to help ensure a high level of University security.

      Any suspected unauthorized use of Client credentials must be reported immediately to IT Help at help@uu.edu or 731-661-HELP.

   3. Access Termination
      

      Each enrolled student's account access is disabled 182 days after the last date of the student's active enrollment at the University. For accepted students who did not enroll in classes, account access is disabled two days after the end date of the term for which the student applied. When account access ends, all files, email, and other content associated with the student's technology accounts will be deleted.

      Employee access will be terminated upon notification of the employee's separation by the Office of Human Resources. The employee's supervisor or other authorized University administrator may request from the Office of Human Resources that the employee's files, email, and other content be maintained for review or for reassignment to another employee.

      Information Technology Resources assigned to the employee (computer, monitors, laptop, printer, etc.) are subject to IT's Equipment Disposition policy, available in the Policies section of uu.edu/it/faculty and uu.edu/it/staff

   4. Use of Client Resources on University Networks
      

      Client Resources have access to use the University's wireless network to the extent that use does not pose security threats, network limitations, or potential/actual disruption of network services.

      Employees may connect Client Resources to the secure wireless network to access Information Technology Resources provided they adhere to the strict guidelines of data stewardship defined throughout this AUP.

      Clients are not allowed to use Client Resources on the University's wired network for any purpose without prior approval from Information Technology.

      Information Technology reserves the right to change or restrict Client Resource access to network access for the protection of Information Technology Resources, without prior notice.

2. ACCEPTABLE, UNACCEPTABLE AND UNAUTHORIZED USAGE
   1. Acceptable Usage of Information Technology Resources
      

      As stated in the AUP's Rationale, Clients receive access to Information Technology Resources in fulfillment of the Mission of the University. Usage guided by the Mission and the University's four Core Values is considered acceptable.

   2. Unacceptable Usage of Information Technology Resources
      

      Unacceptable, prohibited usage of Information Technology Resources includes but is not limited to:

      1. transmitting, displaying, printing, or storing any material/software in violation of any federal, state, or local laws including copyright law;
      2. transmitting, displaying, printing, or storing inappropriate material, including but not limited to:
         1. text, images, video, audio, or other digital content, with the purpose to harass, intimidate, threaten, abuse, illegally discriminate against, or offend another person on the basis of race, color, religion, sex (including gender identity, sexual orientation, and pregnancy), national origin, age, disability, or genetic information;
         2. sexually explicit, obscene, or pornographic comments or images;
         3. fraudulent content;
      3. using Information Technology Resources to harass or bother, whether or not an actual message is communicated, or where no purpose for communication exists, or where the recipient has expressed a desire for the communication to cease;
      4. disrupting or damaging administrative, academic, or related activities of another Client;
      5. violating or threatening to violate the privacy of another Client;
      6. forging email or other digital communications;
      7. distributing unsolicited or unwelcome email or other digital communications;
      8. installing or using any unauthorized Peer-to-Peer (P2P) file-sharing service;
      9. connecting Client Resources to Information Technology Resources except as allowed by AUP III.A.4;
      10. engaging in or promoting illegal, unethical, or harmful activities;
      11. engaging in any other practice or activity that, in the opinion of the University administration, constitutes unacceptable behavior, results in the misuse of Information Technology Resources, or jeopardizes the operation of Information Technology Resources.

      If, in the interest of authentic academic or administrative work, a Client needs to perform a specific task considered unacceptable, a request to perform the specific task must be submitted in advance by the student and his or her supervising employee, or by the employee and his or her supervisor, for review by the Associate Vice President for Information Technology.

      Commercial and not-for-profit uses of Information Technology Resources are prohibited unless formally authorized by University administration. Clients are expected to be responsible stewards of Information Technology Resources and to limit use to activities related to the Mission of the University.

   3. Usage of Learning Spaces
      

      Learning spaces include computing labs, discipline-specific labs, classrooms, libraries, various common areas, other venues, etc. and associated Information Technology Resources. Each learning space is available when not in use for a class, scheduled meeting, or other University-approved event. However, use may be subject to approval by the department responsible for the specific learning space.

      Clients are expected to use learning spaces in a responsible manner, as defined in this AUP. Clients must not cause disruption, display abusive or inappropriate behavior towards other Clients, or create disturbances.

   4. Usage of Workstations
      

      University-owned workstations in learning spaces, offices, and other University locations are configured with University-approved software and are maintained by Information Technology. Clients must not attempt to change the configuration on these workstations unless authorized in advance by Information Technology leadership. Unauthorized changes must be reported immediately to the Information Technology Help Desk help@uu.edu or 731-661-HELP.

3. PRIVACY AND INFORMATION TECHNOLOGY RESOURCES

   Information security is mandated by the federal government through the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and other legislation. Lack of compliance can result in substantial institutional fines as well as individual fines or imprisonment. Your part in this compliance is essential to the mission of Union University.

   1. Privacy Expectations for Information Technology Resources

      The University has no obligation to monitor file/message content residing on or flowing through the University's information systems. However, the University reserves the right to review or remove any message, file, database, media, or other material from its Information Technology Resources to secure and protect the data resources of the University.

      At any time, without prior notice and for any reason, the University reserves the right to examine or to monitor:

      1. any Information Technology Resources including email, voicemail, network/workstation/portable/hosted files, and directories;
      2. any Client Resource using or connected to Information Technology Resources;
      3. internet use of Clients using the University's wired or wireless network.

      These examinations are performed to assure compliance with this AUP, federal and state laws, and other University policies, to support internal investigations, to comply with legal requirements, such as a subpoena or court order, or to assist with the management of Information Technology Resources.

   2. Disclaimer of Responsibility for Damage to Data, Software, or Hardware

      The University uses access controls and other security measures to protect confidentiality, integrity, and availability of the information associated with Information Technology Resources. In keeping with these objectives, the University maintains the authority (1) to restrict or revoke any Client's access, (2) to inspect, copy, remove, or otherwise alter any Information Technology Resources that may undermine these objectives, and (3) to take any other steps deemed necessary to manage and to protect Information Technology Resources. The University disclaims any responsibility for loss or damage to data, software, or hardware that results from its efforts to meet these security objectives.

   3. Treatment of University Confidential and Proprietary Information

      University-generated programs, system files, programming codes, and related documentation are confidential and must not be removed, tampered with, altered, or destroyed when an employee, student worker, consultant, or contractor leaves the employ of the University.

   4. Treatment of Third-Party Confidential and Proprietary Information

      Unless specified otherwise by contract, all confidential or proprietary information, including software, databases, and system resources entrusted to the University by a third party must be protected by University employees as though it were the University's confidential information.

   5. Storage of Sensitive Information on Portable, Networked or Remote Resources

      Portable, networked, or remote data devices/systems can provide Clients convenient remote access to the University's data for business purposes. These devices/systems are included in the list of Information Technology Resources.

      Employees, including student workers, must protect any sensitive and personally identifiable information (PII) stored on portable, networked, or remote data devices/systems from unauthorized access.

      This must be done through the use of appropriate measures, including, but not limited to:

      1. disk and file encryption
      2. effective password protection
      3. up-to-date virus protection and malware detection/removal products
      4. use of data-destruction procedures when information is no longer needed
      5. use of practices for purging, overwriting, or degaussing equipment when ownership changes
      6. reasonable safeguards to prevent theft of the device and/or viewing protected information
      7. use of multi-factor authentication
      8. use of data loss prevention (DLP) services
      9. adherence to GLBA, GDPR, HIPPA, FERPA, and other regulatory requirements
      10. limitation of protected data and PII stored on the device to the "minimum necessary" to accomplish the purpose
      11. training in the use of PII by the employee's immediate supervisor, Information Technology, or the Office of Human Resources at the time of hiring.
   6. Privacy Expectations for Administrative Data

      It is imperative that all administrative data are received, stored, and maintained by University employees (including student workers) in a secure and confidential manner. This information is stored in a variety of formats including printed documents, electronic databases, digital files, and document images.

      The University is responsible for the accuracy, integrity, and confidentiality of this data. Data must be treated as confidential unless approved for public release. By law, certain electronic institutional data are confidential and may not be released without proper authorization to the appropriate requester. Professional or personal behavior can affect or threaten the security and confidentiality of University data.

      All employees accessing the University's Enterprise Information Systems are required to adhere to the following policies. They are required to sign the Employee Confidentiality Agreement upon employment. That agreement is included as an addendum to the Faculty Handbook, the Staff Handbook, the Student Employment Handbook, and all other relevant area-specific employee documents.

      1. Unauthorized use of any information in files maintained, stored, or processed by Information Technology Resources is prohibited.
      2. No Client is permitted to seek personal benefit or to allow others to benefit personally from the contents of any University data.
      3. No Client is permitted to distribute data except as defined by the University.
      4. No Client shall knowingly include, or cause to be included, in any record or report, a false, inaccurate, or misleading entry. No one will knowingly change or delete or cause to be changed or deleted an entry in any record or report, unless expressly authorized to do so and in accordance with Union University's Faculty Handbook, Staff Handbook, Student Employment Handbook, or other related policies and procedures.
      5. No official record or report, or copy thereof, shall be removed from the office where it is maintained or copied or printed via electronic means except in the authorized performance of a person's duties and in accordance with established procedures of the University. Copies made for the performance of a person's duties shall not be released to third parties except when required by a work assignment.
      6. Information Technology Resources, when not in use, must be locked by a standard operating-system, keypad, or other password-locking mechanism.
      7. No one is to aid, abet, or conspire with another to violate any part of these policies.
      8. Client responsibility for information security, confidentiality, and integrity continues after leaving a position or employment at the University.
      9. Clients must report violations to a supervisor or to the Office of Human Resources, as soon as possible.
4. INTELLECTUAL PROPERTY

   Respect for the intellectual property of others is essential to the Mission of the University. Unless specific ownership of intellectual property has been established in accordance with the University's Copyright & Intellectual Property Policies (see Faculty Handbook), the University retains legal ownership of the contents of all Information Technology Resources.

   The University's institutional data will not be released to internal or external entities, graduate students, or undergraduate students without expressed, written approval from University Administration.

   1. Copyright Laws

      Clients are expected to follow the University's Copyright & Intellectual Property Policies. Those policies adhere to laws regulating the use, distribution, and reproduction of copyrighted works. They also provide clear guidelines for permissible copying under the fair-use doctrine, while maximizing the educational benefits of using copyrighted materials in the classroom and in other educational settings.

      Works protected by copyright may not be accessed or distributed by file sharing, peer-to-peer technology, or any other method violating sections 501-513 of the United States Code Title 17.

   2. Software Licenses

      The University strongly supports strict adherence to license agreements and copyright holder notices. Duplication or distribution of software materials without the permission of the copyright owner is illegal.

      Only software that supports the Mission of the University should be used on Information Technology Resources. That software includes but is not limited to:

      1. software purchased and installed by Information Technology under a site agreement;
      2. software purchased as a single copy and installed by Information Technology on a single device;
      3. software developed by employees or students;
      4. public-domain software and software contributed to the University;
      5. freely available software that may not be in the public domain, such as software licensed under General Public License (GPL)
      6. software licensed under software-as-a-service (SaaS/cloud-based) agreement

      Illegal copies of copyrighted software may not be made or used on Information Technology Resources. The legal or insurance-indemnification protection of the University and its Trustees will not be extended to employees or students who violate copyright laws. Software not acquired by the University via an officially sanctioned mean as stated above will not be installed or operated on Information Technology Resources.

   3. Trial Licenses for Software

      Freeware, shareware, and trial-ware are covered by copyright and are subject to the terms and conditions defined by the holder of the copyright and by copyright policies of the University.

   4. Fair Use

      Unless permission from the copyright owner(s) is first obtained, making multiple copies of materials from magazines, journals, newsletters, software documentation, and other publications is prohibited unless it is both reasonable and customary. This notice of "fair use" is in keeping with copyright laws as referenced at copyright.gov

5. DISCIPLINARY ACTION

   Disciplinary action shall follow existing University policies and procedures governed by the applicable provisions of the Student Handbook, Faculty Handbook or Staff handbook, and by the applicable local, state, and federal laws.

   The following disciplinary sanctions outline some, but not necessarily all, actions that may be taken either singularly or in combination by the University against violators of this AUP:

   1. warning to notify the individual that continuation or repetition of specified conduct may be cause for other disciplinary action;
   2. reprimand in writing indicating further violation may result in more serious penalties;
   3. restriction of Information Technology Resource privileges for a specified period;
   4. University probation, suspension, or expulsion;
   5. restitution to reimburse the University for damage to or misuse of Information Technology Resources or facilities.

   During an investigation, any of these disciplinary sanctions may be applied until a final determination has been made in regard to the charges made against the individual. In the event that other University regulations are violated, additional penalties may be imposed. Information concerning illegal use of Information Technology Resources shall be turned over to law enforcement agencies for possible felony prosecution.

6. POLICY REVIEW PROCESS
   This policy will be periodically reviewed to make appropriate adjustments to the AUP, to update risk assessment and remediation, and to review and update material.

As a general goal, Union University's IT desires to provide technical systems that are reliable, secure, and responsive. It is critical for Union University to have a policy that addresses the usage of wireless networking, including aspects of security, compatibility, and radio-channel interference.

• No personally-owned wireless access points are to be connected to the University network.
• Any unapproved access point discovered in operation and connected to the University network is subject to being disabled and/or removed immediately and indefinitely.

Union University institutional data will not be released to internal, external, graduate or undergraduate students at this time. Adopted by the Senior Leadership Team - October 2, 2012

All applicable end-of-support or end-of-need computer/media equipment must be returned to Information Technology (IT) for proper disposition. This includes equipment purchased by IT, by individual departments, or through grants.

This policy applies to the following types of University-owned equipment:

• computers - desktops, laptops, monitors
• printers, scanners
• televisions, projectors, speakers, amplifiers, control boards
• power supplies, docking stations
• other similar items

It does not apply to scientific devices and similar equipment. If you have any questions regarding applicability, please contact IT.

No University-owned equipment will be sold to Union employees.

Background

Technology/media equipment often contains toxic elements such as mercury and lead. The Environmental Protection Agency dictates proper handling and disposal of hazardous materials. These regulations, as stated in the Resource Conservation and Recovery Act (RCRA), establish more restrictive requirements for institutions and organizations than for individual households. These requirements specify delivery of such equipment to an approved hazardous waste disposal facility or recycler, rather than to a solid waste landfill used for residential disposal.

Redeployment/Disposal of Computer Equipment

IT is responsible for the life cycle management of the University's IT hardware resources and will determine if the equipment should be redeployed, donated, sold or discarded.

Equipment determined to have remaining cash value will be sold to vendors of used equipment, non-profit organizations, or other vendors. Obsolete equipment may be (a) given to e-recyclers or (b) donated to non-profit organizations upon written request from the organization. Union University provides no support or warranty, implied or expressed, for any equipment sold or donated.

Information security and privacy standards are determined by governmental regulations, state and federal, and by University policies. In order to comply with such standards including FERPA and HIPAA, IT will erase all data from computer hard drives or other storage media to ensure that no data can be recovered. Union complies with the DOD (Department of Defense) standards DOD 5220.22-M for erasing data on storage media prior to the disposition of computer equipment. If the storage media cannot be erased according to these specifications, the storage media will be destroyed.