Technology Acceptable Use - Employees
Sponsor: |
Chief Information Officer |
---|---|
Contact: |
ITS Security Analyst |
Category: |
Information Security and Technology |
Number: |
1000.002 |
Effective Date: |
1995/04/01 |
Implementation History: |
Approved: 4/1/1995, Revised 3/1/2003, Corrected: 4/1/2003, Revised 4/18/2023 |
Keywords: |
Computer use statement, computer use, technology use, email, laptop, information security |
Background Information: |
Some version of this policy has been approved for SUNY Empire since 1995. The policy name was changed from Computer Use Statement Policy-Faculty and Staff to the current title in January of 2023. This policy was created or revised for compliance with SUNY Policy 6608, Information Security Guidelines: Campus Programs & Preserving Confidentiality |
Purpose
SUNY Empire’s technology infrastructure exists to support the institution and administrative activities needed to fulfill the institution’s mission. Access to these resources is a privilege that should be exercised responsibly, ethically, and lawfully.
The purpose of this Acceptable Use Policy is to clearly establish each member of the institution's role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable SUNY Empire to implement a comprehensive system-wide Information Security Program, as defined by the Information Security Policy.
This policy applies to all users of computing resources owned, managed, or otherwise provided by the institution. Individuals covered by this policy include but are not limited to all workforce members and service providers with access to the institution’s computing resources and/or facilities. Computing resources include all SUNY Empire owned, licensed, or managed hardware and software, email domains, and related services and any use of the institution’s network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
Privacy Information
SUNY Empire will make every reasonable effort to respect a user's privacy. However, employees do not acquire a right of privacy for communications transmitted or stored on the institution’s resources. In response to a judicial order, Freedom of Information Law request, E-Discovery requestor any other action required by law a SUNY Empire official or an authorized agent may access, review, monitor and/or disclose computer files associated with an individual's account. Additionally, in response to a violation of a SUNY Empire policy, to prevent the disruption of regular business, or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the institution, the President may authorize a SUNY Empire official or an authorized agent to access, review, monitor and/or disclose computer files associated with an individual's account.
Definitions
Mobile Devices – a portable computing device, e.g., laptop, cell phones, and tablets.
Secure Areas - ITS Data center, Office of Human Resources, Offices of Safety and Security, Office of Bursar, Office of Registrar.
Statements
Roles and Responsibilities - SUNY Empire reserves the right to protect, repair, and maintain the institution’s computing equipment and network integrity. In accomplishing this goal, SUNY Empire ITS personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and Internet activities. Any information obtained by ITS personnel about a user through routine maintenance of the organization’s computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of SUNY Empire’s computing resources.
Activities related to SUNY Empire mission take precedence over computing pursuits of a more personal nature. Any use that disrupts the institution’s mission is prohibited.
Following the same university policies on Affirmative Action, Bullying and Civility Standards in the Workplace, Non-Discrimination-Anti-Harassment, Sexual Harassment and Bias Related Crime, that protect the rights of individuals that work and interact with SUNY Empire, acceptable use of information technology resources generally respects all individuals' privacy, but subject to the right of individuals to be free from intimidation, harassment, and unwarranted annoyance. All users of SUNY Empire’s computing resources must adhere to the requirements enumerated below.
Fraudulent and Illegal Use
SUNY Empire explicitly prohibits the use of any information system for fraudulent and/or illegal purposes. While using any of the institution’s information systems, a user must not engage in any activity that is illegal under local, state, federal, and/or international law. As a part of this policy, users must not:
- Violate the rights of any individual or company involving information protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by SUNY Empire.
- Use in any way copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the institution does not have a legal license.
- Export software, technical information, encryption software, or technology in violation of international or regional export control laws.
- Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services.
Any user that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify his/her manager immediately.
If any user creates any liability on behalf of SUNY Empire State University due to inappropriate use of the institution’s resources, the user agrees to indemnify and hold the institution harmless, should it be necessary for SUNY Empire to defend itself against the activities or actions of the user.
Confidential Information
SUNY Empire has both an ethical and legal responsibility for protecting confidential information in accordance with its Enterprise Data Classification, use of Text Messaging Service, General Data Protection Regulations Privacy, Payment Card Industry-Data Security Standard Policy, Adherence to the Family Educational Rights and Privacy Act of 1974, and Limiting the Use of Student Social Security Numbers Procedure, policies. As such;
- Transmission of social security numbers and credit card numbers, by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.) is prohibited.
- Mobile devices that access confidential information will have physical controls to secure when not in use to minimize the risk of unauthorized access.
- All employees will use approved workstations or devices to access the institution’s data, systems, or networks.
- All the institution’s portable workstations will be securely maintained when in the possession of workforce members. Such workstations will be handled as carry-on (hand) baggage on public transport. They will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.
- Photographic, video, audio, or other recording equipment will not be utilized in secure areas.
- All confidential information stored on workstations and mobile devices must be encrypted.
- All workforce members who use organization-owned workstations will take all reasonable precautions to protect the confidentiality, integrity, and availability of information contained on the workstation.
- Institution employees and affiliates who move electronic media or information systems containing confidential information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized use.
- Institution workforce members will activate their workstation locking software whenever they leave their workstation unattended or will log off from or lock their workstation when their shift is complete.
Incident Reporting
SUNY Empire is committed to responding to security incidents involving personnel, institution-owned information, or institution-owned information assets. As part of this policy:
- The loss, theft, or inappropriate use of information access credentials (e.g., passwords, or security tokens), assets (e.g., key cards, laptop, cell phones, tablets), or other information will be reported to the SUNY Empire IT Service Desk.
- All incidents regarding physical assets shall be escalated to the Office of Safety and Security.
- All incidents regarding access credentials and information shall be escalated to SUNY Empire’s Security Analyst.
- An organization workforce member will not prevent another member from reporting a security incident.
Malicious Activity
SUNY Empire strictly prohibits the use of information systems for malicious activity against other users, the organization’s information systems themselves, or the information assets of other parties.
Denial of Service
Users must not:
- Perpetrate, cause, or in any way enable disruption of SUNY Empire’s information systems or network communications by denial-of-service methods;
- Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system; or
- Intentionally develop or use programs to infiltrate a computer, computing system, or network, and/or damage or alter the software components of a computer, computing system, or network.
Confidentiality
All encryption keys employed by users must be provided to Information Technology if requested, in order to perform functions required by this policy.
Users must not:
- Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access;
- Facilitate use or access by non-authorized users, including sharing their password or other login credentials with anyone, including other users, family members, or friends;
- Use the same password for SUNY Empire accounts as for other non-SUNY Empire access (for example, personal ISP account, social media, benefits, email, etc.);
- Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another user’s password; or
- Make copies of another user’s files without that user’s knowledge and consent.
- Base passwords on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports teams, etc.).
Impersonation
Users must not:
- Circumvent the user authentication or security of any information system;
- Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
- Create and/or use a proxy server of any kind, other than those provided by SUNY Empire, or otherwise redirect network traffic outside of normal routing with authorization; or
- Use any type of technology designed to mask, hide, or modify their identity or activities electronically
Network Discovery
Users must not:
- Use a port scanning tool targeting either SUNY Empire’s network or any other external network, unless this activity is a part of the user’s normal job functions, such as a member of the Information Technology Services (ITS), conducting a vulnerability scan, and faculty utilizing tools in a controlled environment.
- Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the user unless this activity is a part of the user’s normal job functions.
Objectionable Content
SUNY Empire strictly prohibits the use of organizational information systems for accessing or distributing content that other users may find objectionable. Users may not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials that promotes sex, hate, alcohol, firearms, tobacco or are in violation of any SUNY Empire policy.
This is not intended to hinder individual freedom, academic curricula, research, intellectual discourse, this list is not an all-inclusive list of when objectionable content may be used at SUNY Empire. If unsure, please contact the SUNY Empire CIO.
Hardware and Software
SUNY Empire strictly prohibits the use of any hardware or software that is not purchased, installed, configured, tracked, and managed by the institution. Users must not:
- Install, attach, connect, or remove or disconnect, hardware of any kind, including wireless access points, storage devices, and peripherals, to any institutional information system without the knowledge and permission of ITS;
- Download, install, disable, remove, or uninstall software of any kind, including patches of existing software, to any institutional information system without the knowledge and permission of ITS;
- Use personal flash drives, or other USB-based storage media, without prior approval from their supervisor; or
- Take SUNY Empire equipment off-site without prior authorization from supervisor and equipment management.
Messaging
The organization provides a robust communication platform for users to fulfill its mission. Users must not:
- Automatically forward electronic messages of any kind, by using client message handling rules or any other mechanism.
- Send unsolicited electronic messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);
- Solicit electronic messages for any other digital identifier (e.g. e-mail address, social handle, etc.), other than that of the poster's account, with the intent to harass or to collect replies; or
- Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.
Remote Working
When working remotely, the user must:
- Safeguard and protect any institution-owned or managed computing asset (e.g., laptops and cell phones) to prevent loss or theft.
- Take reasonable precautions to prevent unauthorized parties from utilizing computing assets or viewing SUNY Empire information processed, stored, or transmitted on institution-owned assets.
- Not create or store confidential or private information on local machines unless a current backup copy is available elsewhere.
- Not access or process confidential information in public places or over public, insecure networks.
- Only use approved methods for connecting to the organization (e.g., VPN).
Other
In addition to the other parts of this policy, users must not:
- Stream video, music, or other multimedia content unless this content is required to perform the user’s normal business functions;
- Use the institution’s information systems for commercial use or personal gain; or
- Use the institution’s information systems to play games for entertainment; this excludes usage for the university related business such as e-sports.
Enforcement
Enforcement is the responsibility of the institution’s President or Chief Information Officer (CIO). The President or CIO may authorize a SUNY Empire official or an authorized agent to act on their behalf. Users who violate this policy may be subject to discipline up to and including termination consistent with the terms and conditions of any applicable Collective Bargaining Agreement, if any. The institution may temporarily suspend an account when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the institution or other computing resources or to protect SUNY Empire from liability.
Exceptions to the policy may be granted by the Chief Information Officer (CIO), or by his or her designee. All exceptions must be reviewed annually.
Applicable Legislation and Regulations
The Gramm - Leach Bliley Act (GLBA)
Family Educational Rights and Privacy Act (FERPA)
General Data Protection Regulation (GDPR)
New York State Information Security Breach and Notification Act
NIST 800-171 SP Rev 2
FIPS-199
Related References, Policies, Procedures, Forms and Appendices
Information Security Policy
Non-Discrimination/Anti-Harassment Policy