IT Resource Acceptable Use (VII.A.2)
Volume VII: Information Technology
Chapter A: Acceptable Use
Responsible Executive: Vice President for Information Technology
Responsible Office: Office of the Vice President for Information Technology
Date Issued: July 30, 2004
Date Last Revised: April 1, 2012
TABLE OF CONTENTS
Statement of Policy
Reason for This Policy
Individuals and Entities Affected by This Policy
Who Should Know This Policy
Website Address for This Policy
Related Documents, Forms and Tools
History and Updates
This policy applies to all uses of University IT Resources. Any individual or entity using IT Resources consents and agrees to comply with all of the terms and conditions set forth in this policy, all other applicable University policies and regulations, and applicable local, state and federal laws and regulations concerning the use of IT Resources.
The following uses of IT Resources are prohibited:
- Circumvention of any security measure of Purdue University or another entity.
- Intentional use, distribution or creation of viruses, worms or other malicious software.
- Unauthorized copying or unauthorized distribution of licensed software or copyrighted material.
- Accessing data that is not publicly available, does not belong to the user and for which the user does not have explicit permission to access; or accessing IT Resources in a manner designed to circumvent access limitations to public or restricted-access data (e.g., replicating a database by automated queries) without permission.
- Use of IT Resources for organized political activity that is inconsistent with the University’s tax-exempt status.
- Use of IT Resources that disables other IT Resources, consumes disproportionate IT Resources such that other users are denied reasonable access to those resources or materially increases the costs of IT Resources.
- Use of IT Resources that violates any local, state or federal law or regulation or any other University policy or regulation, including without limitation, Purdue policies on Data Classification and Governance (VII.B.6), Anti-Harassment (III.C.1) and Violent Behavior (IV.A.3).
- Use of IT Resources for any purpose that could lead directly or indirectly to Financial Conflicts of Interest, unless such use has been approved in advance in accordance with Purdue policies on Individual Financial Conflicts of Interest (III.B.2) and Conflicts of Commitment and Reportable Outside Activities (III.B.1). Any approval of the use of IT Resources under such policies is at the sole discretion of the University and must:
- Comply with all University software licenses and other intellectual property agreements,
- Comply with all University policies and practices,
- Comply with federal and state laws and regulations,
- Not generate additional costs to the University, and
- Not interfere with University work or use of IT Resources.
- Comply with all University software licenses and other intellectual property agreements,
In most instances, non-Purdue sources of email, Internet access or other information technology services must be used for activities that are unrelated to the University’s mission. Modest, incidental and non-recurring personal uses of IT Resources are tolerated as part of the daily learning and work of all members of the University community, provided that use does not violate any other applicable University policy or regulation.
All users of IT Resources are held responsible for any actions performed using their IT Resource accounts. Violations of this policy or any other University policy or regulation may be subject to revocation or limitation of IT Resource privileges as well as other disciplinary actions or may be referred to appropriate external authorities.
The University makes no warranties of any kind, whether expressed or implied, with respect to the IT Resources it provides. The University will not be responsible for damages resulting from the use of IT Resources, including, but not limited to, loss of data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a University employee, or by any user’s error or omission. The University specifically denies any responsibility for the accuracy or quality of information obtained through IT Resources, except material that is presented as an official University record.
This policy outlines the responsible use of all University IT Resources. The University provides IT Resources to support its ongoing missions of discovery, delivery and engagement.
This policy covers students, faculty, staff and all individuals or entities using any IT Resource and all uses of such IT Resources.
Deans and Directors
Department Heads and Chairs
Any other individual or entity using IT Resources
This policy does not cover personally-owned technology devices that are not connected to or otherwise using University IT Resources.
This policy does not apply to cyber-security research activities that, by their very nature, violate the scope of this policy. Such research must be carried out in a manner that employs sufficient and appropriate safeguards to contain the research to pre-defined and intended University IT Resources. Such research must be safeguarded from conception to termination of the research. In addition, such research must not interfere with or compromise the operation or security of other University IT Resources. Faculty, staff and students conducting cyber-security research are strongly encouraged to consult with their campus or departmental IT staff to ensure that appropriate safeguards are in place for that research.
ITaP Security and Policy
Campus Specific Questions
Calumet: Information Services
219-989-2888, option 2
Fort Wayne: Information Technology Services
North Central: Information Services
West Lafayette: ITaP Security and Policy
Financial Conflicts of Interest
This term is used as defined in the University’s policy on Individual Financial Conflicts of Interest (III.B.2).
This term is used as defined in the University’s policy on Incident Response (VII.B.3).
All computing, network and information technology assets provided by or for the University to further its missions. Examples of IT Resources include, but are not limited to:
- Wireless access (such as PAL use)
- Network bandwidth (such as Internet connectivity or ResNet use)
- Mobile devices (such as cellular phones, smart phones, pagers and laptop computers)
- Electronic information resources and the data contained in those resources
- E-mail facilities
- Peripherals (such as printers, copiers and fax machines)
Purdue, University and Purdue University
Any campus, unit, program, association or entity of Purdue University, including but not limited to Indiana University-Purdue University Fort Wayne, Purdue University Calumet, Purdue University North Central, Purdue University West Lafayette, Purdue Cooperative Extension Service and Purdue University College of Technology Statewide.
Indiana University-Purdue University Fort Wayne, Purdue University Calumet, Purdue University North Central.
ITaP Networks and Security and Each Regional Campus Area Designated as Responsible for Information Assurance, Security and Awareness Activities
- Facilitate the establishment and maintenance of standards and technical reference materials to support this policy and post such information online.
Centralized and Departmental IT Units and IT Resource Owners (and designees)
- Implement and monitor compliance with this policy and related standards on IT Resources within their areas of responsibility.
- Ensure that reasonable measures have been taken to secure IT Resources within their areas of responsibility. Physically secure IT Resources within their areas of responsibility. IT Resources may require differing levels of physical security depending on the classification of the data that they process, the systems they access and their cost.
Users of IT Resources
- Use IT Resources in compliance with all applicable laws and University policies.
- Be familiar with and consult online security standards and technical reference materials as applicable to their use of IT Resources.
- Physically secure and safeguard IT Resources within the user's possession and control depending on the classification of the data that they process, the systems they access, and their cost.
- Report violations of this policy and/or suspected IT Incidents immediately and in accordance with the University’s policy on Incident Response (VII.B.3).
Establishment and Maintenance of Standards
Each campus will establish, maintain and make available online standards and technical reference materials to support this policy. For the West Lafayette campus, Purdue Cooperative Extension Service and Purdue University College of Technology Statewide, ITaP Security and Policy will facilitate this process. For the Regional Campuses, the area designated on each Regional Campus as responsible for information assurance, security and awareness activities under the Policy on Delegation of Administrative Authority and Responsibility for Information Assurance, Security and Awareness (WL-4) will facilitate this process.
Centralized and departmental IT units and IT Resource owners and their designees must follow campus standards issued in support of this policy. These areas may also issue additional guidelines, procedures or other requirements regarding the use and security of IT Resources within their areas of responsibility. Specific reference materials may vary from department to department.
Security Policy Exceptions
Purdue University information security policies institute controls that are used to protect Purdue University data and IT Resources. While every exception to a policy or standard weakens protection for IT Resources and underlying data, occasionally exceptions will exist. In the event that a unit does not believe it can fulfill the requirements of this policy or its related standards and guidelines, the unit must request a policy exception.
For the West Lafayette Campus, Purdue Cooperative Extension Service and Purdue University College of Technology Statewide, policy exception requests shall be directed to ITaP Security and Policy.
For the Regional Campuses, policy exception requests shall be directed to the area designated on each Regional Campus as responsible for information assurance, security and awareness activities under the Policy on Delegation of Administrative Authority and Responsibility for Information Assurance, Security and Awareness (WL-4).
- Anti-Harassment (III.C.1): www.purdue.edu/policies/ethics/iiic1.html
- Conflicts of Commitment and Reportable Outside Activities (III.B.1): www.purdue.edu/policies/ethics/iiib1.html
- Data Classification and Governance (VII.B.6): www.purdue.edu/policies/information-technology/viib6.html
- Delegation of Administrative Authority and Responsibility for Information Assurance, Security, and Awareness (WL-4): www.purdue.edu/policies/west-lafayette/wl-4.html
- Incident Response (VII.B.3): www.purdue.edu/policies/information-technology/viib3.html
- Individual Financial Conflicts of Interest (III.B.2): www.purdue.edu/policies/ethics/iiib2.html
- Violent Behavior (IV.A.3): www.purdue.edu/policies/facilities-safety/iva3.html
Security Incident Reporting Information:
April 1, 2012: Significant revisions have been made to update this policy from its original version, issued July 30, 2004. It also has been formatted in the current policy template.
November 18, 2011: Policy number changed to VII.A.2 (formerly V.4.1).
There are no appendices to this policy.