Rule 4-004A Acceptable Use Rev. 1

  1. PURPOSE AND SCOPE
    1. The purpose of this Acceptable Use Rule is to establish the general parameters for the use of IT Resources, Information Systems and Electronic Resources.
    2. This Rule supports section A, titled Acceptable Use, of the University of Utah Information Security Policy 4-004.
  2. DEFINITIONS
    The definitions provided in Policy 4-004: University of Utah Information Security Policy, apply for purposes of this Rule, including the following:
    1. Automated Monitoring - Service or function of an autonomous monitoring tool that correlates and analyzes audit logs and alerts across multiple security technologies.
    2. Electronic Resource - Any resource used for electronic communication, including but not limited to internet, Email, and social media.
    3. Email - A means for exchanging digital messages between two parties sent via any electronic means.
    4. Illegal Behavior - Any activity that is prohibited by local, state, or federal law or regulation.
    5. Information Asset - Data or knowledge stored in any electronic manner and recognized as having value for the purpose of enabling the University to perform its business functions.
    6. Information System - An Application or group of Servers used for the electronic storage, processing, or transmitting of any University data or Information Asset.
    7. IT Resources - A Server, Workstation, Mobile Device, medical device, networking device, web camera or other monitoring device, or other device/resource that is a) owned by the University or used to conduct University business regardless of ownership; b) connected to the University's network; and/or c) that is creating, accessing, maintaining, or transmitting Information Assets and used for electronic storage, processing or transmitting of any data or information.
    8. Reasonable Suspicion - A legal term used to describe a set of circumstances that indicate the basis for taking some action in connection with an individual. In order to qualify as "reasonable", the suspicion must be tied to a particular employee rather than a group of employees, and the suspicion must be based on specific and articulable facts, along with rational inferences taken from those facts.
    9. Signature-based Detection - Identifying potential incidents by matching each input event against defined patterns that model malicious activity, and executing actions based on rules defined in the detection system. Signature-based detection systems are tuned to identify attacks with a level of accuracy that reduces the occurrence of false positive results.
    10. User - Any person, including students, staff, faculty, permanent and temporary employees, contractors, vendors, research collaborators, and third party agents, who accesses any University Electronic Resources, Information Systems, and/or IT Resources.
  3. RULE
    1. The University respects the privacy of employees, faculty, staff, students and other Users of IT Resources, Information Systems and Electronic Resources. Therefore the University does not, absent consent, specifically target an individual User to monitor, review, or access the contents of User email communications, User-created electronic files, or a User's personal device being utilized as an IT Resource, except as set forth in this Rule.
    2. The University reserves the right to limit or restrict the use of IT Resources, Information Systems, and Electronic Resources based on business reasons, technical priorities, and financial considerations, as well as when it is presented with reasonable suspicion of a violation of University policies, contractual agreements, or local, state, federal or applicable international laws and regulations.
    3. The University monitors and reviews activities and content on its IT Resources, Information Systems, and Electronic Resources utilizing Signature-based Detection and Automated Monitoring for the purposes of efficiency, security and operations.
    4. The University further reserves the right to monitor, review and access material stored on, processed, or transmitted through its IT Resources, Information Systems, and Electronic Resources at any time based on reasonable suspicion of Illegal Behavior. The University also reserves the right to access, monitor, and review information on IT Resources, Information Systems, and Electronic Resources for business operations purposes in the case of a User who is unable to perform University duties due to medical illness or emergency, unavailability, or refusal to perform duties.
    1. Authorized Use
      1. Authorized Users
        1. An authorized User is any individual who has been granted authority by the University to access its IT Resources, Information Systems, Information Assets, and Electronic Resources.
        2. Unauthorized use is strictly prohibited.
        3. If a User ceases being authorized to use University IT Resources, Information Systems, Information Assets, and Electronic Resources, or if such User is assigned a new position and responsibilities, any use for which that User is not specifically authorized in their new position or circumstances shall cease. A User must not engage in unauthorized use even if the User is mistakenly granted access to or unintentionally permitted to maintain IT Resources, Information Systems, Information Assets, and Electronic Resources.
      2. Personal Use
        1. The University allows Users to make reasonable and limited personal use of its IT Resources, Information Systems, and Electronic Resources to the extent that such use does not interfere with University duties. Individuals using the University's IT Resources, Information Systems, and Electronic Resources for personal business, political campaigning, or other commercial purposes must disclaim a connection between their activities and the University. The University reserves the right to prohibit personal use at any time without prior notice when there is reasonable suspicion of Illegal Behavior or a violation of University regulation has occurred or is occurring.
        2. Authorized Users are responsible for exercising good judgment regarding the reasonableness of personal use, but University management reserves the right to define and approve what constitutes reasonable personal use. Prior use of University Information Systems, Information Assets, and Electronic Resources for personal use does not constitute approval. Personal use of University Information Systems, Information Assets, and Electronic Resources must not interfere with work performance or with the University's ability to use its resources for business purposes. Personal use must not violate policies, statutes, contractual obligations, or other standards of acceptable behavior. All personal use must be consistent with University regulation.
      3. Email Use
        1. Information that is classified as Restricted should not be sent via Email, regardless of the recipient, without an approved business need and applicable technical controls. The use of encryption is required for Emails containing Restricted data sent to any non-University Email recipient as per the Data Classification and Encryption Rule.
      4. Social Media Use
        1. Users are prohibited from posting on behalf of the University to public newsgroups, websites, blogs, social media or other public media sites without prior management approval. Any social media postings that could reasonably be construed as being on behalf of the University must contain a disclaimer stating that the opinions expressed are strictly the User's own and not necessarily those of the University, unless the User is authorized to post on behalf of the University.
      5. Cloud Provider Use
        1. Information that is classified as Restricted should not be stored with a cloud provider unless there is a contractual agreement in place between the University and the cloud service provider that protects the confidentiality of the information and data.
    2. Responsible Use
      1. Ethical Use
        1. No User may act in ways that violate the Ethical Standards and Codes of Conduct established by the University.
      2. Protection of Confidential Information
        1. All Users must maintain the protection of the University's Confidential Information Assets. This requires Users to exercise precautions that include complying with University regulation and taking other precautions to guard Confidential data.
      3. Illegal Activities
        1. Under no circumstances are Users authorized to engage in Illegal Behavior while using University IT Resources, Information Systems, Information Assets, and Electronic Resources.
      4. Forgery of Communications
        1. Altering electronic communications to hide identity or impersonate another person is considered forgery and is prohibited.
      5. Soliciting Business
        1. Users must not use University IT Resources, Information Systems, Information Assets, and Electronic Resources for soliciting business, selling products, or otherwise engaging in commercial activities other than those expressly permitted by University management or other University regulation.
      6. Fraud
        1. Users must not use University IT Resources, Information Systems, Information Assets, and Electronic Resources to make fraudulent offers for products, items, or services, or make statements about warranty, express or implied.
      7. Bandwidth and Overuse
        1. Actions detrimental to Electronic Resources, or that negatively affect job performance are not permitted. Excessive use of the University's network bandwidth or other Electronic Resources is not permitted.
        2. Large file downloads or other bandwidth-intensive tasks that may degrade network capacity or performance should be performed during times of low University-wide usage.
        3. All Users must refrain from acts that waste University Electronic Resources or prevent others from using them.
    3. Internet Use
      1. Risk of Use
        1. Users access the Internet with University facilities at their own risk.
        2. The University is not responsible for material viewed, downloaded, or received by Users via the Internet. Responsible attitudes and appropriate behavior are essential in using this resource.
        3. To protect personal safety and privacy, Internet Users should not give out personal information to others on public resources, without taking into consideration the risks of doing so.
      2. Internet Web Browsing
        1. Personal use of University systems to access the Internet is permitted during, before, and after business hours, as long as such use follows pertinent policies and guidelines and does not have an adverse effect on the University, its customers, or on the User's job performance.
    4. Privacy Expectations
      1. Monitoring
        1. The University's Information Security Office employs signature-based and automated monitoring activities to ensure compliance with federal, state, and University regulations.
        2. The University reserves the right to authorize specific individuals or groups, at times including contracted business partners, to utilize signature-based and automated monitoring activities to monitor IT Resources, Information Systems, and Electronic Resources to ensure compliance with federal, state, and University regulations.
      2. Privacy of Stored Personal Information and Electronic Communications
        1. University Users have diminished expectations of privacy for any personal information stored on, or sent or received utilizing University-owned IT Resources, Information Systems, and Electronic Resources.
        2. Notice to a User will be given when the University accesses a file or electronic communication generated or transmitted by a User, or generated or transmitted by a User's personal device being utilized as an IT Resource. No notice will be given if it is determined by the relevant Data Steward and/or Human Resources, in consultation with the University's Office of General Counsel, that notice will:
          1. Unduly impair an investigation of a violation of local, state, federal laws or applicable international laws or regulations;
          2. Seriously hamper the ability of the University to support its missions; or
          3. Result in significant bodily harm or significant property loss or damage.
    [Note: Parts IV-VII of this Regulation (and all other University Regulations) are Regulations Resource Information, the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]
  4. RULES, PROCEDURES, GUIDELINES, FORM, and OTHER RELATED RESOURCES
    1. Rules
      1. TBD
    2. Procedures
      1. Policy 4-004 Procedures
    3. Guidelines
      1. TBD
    4. Forms
    5. Other Related Resources
      1. Acceptable Use Frequently Asked Questions
  5. REFERENCES
    1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy
    2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)
    3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)
    4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls
    5. NIST 800 Series, Federal Information Security Standards
    6. Policy 3-070: Payment Card Acceptance
    7. Policy 4-001: University Institutional Data Management
    8. Policy 4-003: World Wide Web Resources Policy
    9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees
    10. Policy 6-400: Code of Student Rights and Responsibilities
    11. Policy 6-316: Code of Faculty Rights and Responsibilities
    12. Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
    13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
  6. CONTACTS
    1. Policy Owner (primary contact person for questions and advice): Chief Information Security Officer, 801-213-3397
    2. Policy Officer: Chief Information Officer, 801-581-3100
    3. These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
    4. "A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases.... "
    5. "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library... [and] bears the responsibility for determining requirements of particular Policies...." University Rule 1-001-III-B & E
  7. HISTORY
    1. Current version: Revision 1, effective date: April 4, 2016
      1. Approved by Academic Senate: May 4, 2015
      2. Approved by Board of Trustees: May 12, 2015
      3. Background information for this version

Rule: 4-004A Rev: 1
Date: April 4, 2016
Last Updated: 9/21/17