Information Technology: Acceptable Use

Section I:  Access to Information Technology Facilities

• Governing Principles
1. In support of its essential mission to enhance educational, economic and cultural opportunities for the people of West Kentucky, Murray State University offers information technology resources to its students, faculty and staff. These resources contribute to the work of all members of the University community. They advance the scholarly pursuit of knowledge and those administrative functions necessary for the operation of the University.
2. Users of the University's information technology facilities are required to comply with and be subject to the MSU Information Technology Acceptable Use guidelines, University policies, and federal and state statutes. The University reserves the right to amend this document at any time without prior notice.
3. All information technology users are expected to demonstrate respect for the rights of other users and to promote fair use by all, enabling necessary access to all.
4. User access to information technology resources is contingent upon prudent and responsible use.
• Authorization and Equity of Access

  University information technology resources are provided to faculty, staff, and students for the purposes of study, research, service and other academic and university related activities. Access to information technology resources is granted to an individual by MSU for that individual's sole use in furthering the University’s mission and purpose. Information technology resources must be shared among users in an equitable manner. The user may not participate in any behavior that unreasonably interferes with the fair use of information technology resources by another.

• Acknowledgement of Receipt Authorization

  Signature on an account application form, acceptance of a user ID, or online registration denotes that the applicant has read and understands the guidelines available and also denotes acceptance of this Acceptable Use document.

• Priority for Access and Resource Allocation

  The priority guiding information technology access and resource allocation is teaching and learning.  Service, research and administrative priorities will be determined as they support teaching and learning.

Section II:  Security of University Information Technology Resources

• Protection of Information Technology Resources and Institutional Data

  To protect the integrity of the University's information technology facilities and the users thereof against unauthorized or improper use of those facilities, MSU reserves the right, without notice, to temporarily limit or restrict any individual's use and to inspect, copy, remove, or otherwise alter any data, file, or system resource which may undermine the authorized use of any information technology facility.

• Investigation and Review of Policy Infractions
1. University sanctions are imposed by the appropriate university authority and may include, but are not limited to, limitation or revocation of access rights and/or reimbursement to the university for all costs incurred in detecting and proving the violation of these rules, as well as from the violation itself.
2. Users must use only those information technology resources which the University has authorized for their individual use. The unauthorized use of information technology resources or providing false or misleading information for the purpose of obtaining access to information technology facilities is prohibited and may be regarded as a criminal act and will be treated accordingly. Users may not use University information technology facilities to gain unauthorized access to other institutions, organizations, or individuals.
3. Failure to comply with one or more of the specific requirements of this policy may jeopardize access to or use of Murray State facilities and services and could result in a review and investigation into the identified violation.
4. Supervisors of systems and facilities have the authority to immediately terminate any program or access that is suspected to be inappropriate or detrimental to operations.
• Control and Licensing of Software
• All users are expected to comply with all intellectual property laws including copyright law.
1. Users may not copy, distribute, display, or disclose third party proprietary software without prior authorization from the licenser. Proprietary software may not be installed on systems not properly licensed for its use. The University does not condone or authorize the copying or possession of illegal software. University students and employees are prohibited from copying software illegally and possessing illegal copies of software, whether for course-related, job-related, or private use. Any violations of this policy is the personal responsibility of the user. The University assumes no liability for such acts. 
2. Any user who suspects or has knowledge of copyright or intellectual property law violations must immediately report this activity to the University Chief Information Officer. Failure to report such activity will be considered a violation of the Information Technology Acceptable Use Policy.
• Individual Privacy
• Users are authorized to access, use, copy, modify, delete or grant others access to their personal files or data, as specified in this policy. However, users are not authorized to perform any of these functions on another user's account or a University system unless specifically authorized by the account holder, job description, the Chief Information Officer or designee, or the appropriate system administrator.
1. Users may not monitor another user's data communications.
2. User privacy is not to be violated. However, user privacy is subject to all University policies.  As such, authorized individuals may access and disseminate private information in performance of their official job duties.  Unauthorized personal use of a user’s private information is prohibited .
3. Failure to protect the privacy of others by intentionally or unintentionally permitting access to systems or data is unacceptable. Violations of this requirement include, but are not limited to:
• Leaving confidential or protected information on a screen where it could be viewed by unauthorized individuals
• Giving a personal password to someone else
• Leaving a personal password where it can easily be found
• Allowing someone to use a system signed on under a personal password
• Knowingly failing to report a personal password that has been used by another person, with or without permission
• Leaving a system  signed on and accessible while unattended
• Confidentiality
• The unauthorized release of any personal or confidential information may violate state and federal law and will not be tolerated. Failure to protect confidential information is unacceptable.
1. Users are responsible for their information technology accounts; they should maintain secure passwords and take precautions against unauthorized access to their information technology resources. Users may be charged with a violation if someone uses their accounts inappropriately.
• General Security
• General security infractions include, but are not limited to:
1. Using information technology resources for unauthorized remote activities
2. Deliberately causing system failure, disruption, or compromising system security
3. Intentionally obscuring, changing, or forging of the date, time, physical source, logical source, or other label or header information on data or electronic communications
4. Unauthorized interception of electronically transmitted information without prior written authorization from the Chief Information Officer  or designee
5. Performing an act which will adversely impact the operation of computers, terminals, peripherals, or networks. This includes, but is not limited to, tampering with components of a local area network (LAN) or the high-speed backbone network, otherwise blocking communication lines, or interfering with the operational readiness of a computer

Section III:  Ethical Practices

• Expectations
• All users are expected to conduct themselves in a legal, professional, fair, considerate, and ethical manner. Each individual should use equipment safely, responsibly and only for its intended function.  Users should keep all equipment clean and in good operating condition.
• Protection and Maintenance of Equipment
1. Protection and maintenance of equipment includes, but are not limited to:
• Having only authorized staff perform installations
• Plugging all equipment into an Underwriter's Laboratory approved surge protector or uninterruptible power supply
• Locating equipment according to manufacturer’s specifications.  Equipment should be protected from extreme heat or cold, excessive humidity, smoke, dust, overloaded circuits, stressed or worn cords, or any other potentially damaging situation
• Keeping food and beverages away from equipment
• Scheduling routine maintenance
2. Equipment, software, tools, supplies, etc., are not to be removed from their assigned locations without authorization from the administrator responsible for those items.
3. Repair or replacement of any item damaged when used for purposes other than those related to University functions or when used without authorization will be at the user's expense. Unpaid debts incurred in this manner will be handled in accordance with the usual Accounting and Financial Services procedures.
• Harassing, Offensive, Profane, and Abusive Material
• University information technology resources may not be used in a harassing, offensive, profane, or abusive manner.  The perception or reaction of affected persons is a major factor in determining if a specific action is in violation of this policy.
• Commercial Use
• University information technology resources may not be used for personal or commercial profit. Individuals may not use information technology resources for any commercial purpose without prior written authorization from the Chief Information Officer, or designee.

Section IV: Violations

• Procedure for Reporting Violations
• Violations should be reported to the faculty/immediate supervisor of the individual, the Chief Information Officer, or the administrator responsible for the system that was breached or misused. The notified party will inform the appropriate University official.  Violations may result in one or more of the following actions:
1. Verbal or written warning with reference to appropriate policy
2. Suspend access either temporarily or permanently
3. File a formal Employee Disciplinary Report (EDR), if the individual is an employee
4. Formally submit student infractions to the Vice President for Student Affairs
5. Consult with the University Attorney and/or Public Safety, who may file civil or criminal charges.
6. Refer complaints of harassment or discrimination to the Office of Equal Opportunity
7. For any individuals outside of the immediate University community, send a written notice of the infraction to the employer, principal, or entity that initiated access for that person
• Procedure for Appeal
• Appeals may be filed using existing procedures for staff, faculty, and students. All other appeals will go to the Vice President for Administrative Services for disposition.

Section V:  Administration of Policy

• Procedure for Development, Review and Modification of this Policy
1. The Policy Review Subcommittee of the Information Technology Advisory Committee will be a body comprised of at least four members of the larger committee in addition to the Chief Information Officer. The Policy Review Subcommittee will meet at the call of the Chief Information Officer.
2. Proposals for new policies and/or modifications to existing policies will be forwarded to the Chief Information Officer. The proposals and comments will be brought before the ITAC Policy Review Subcommittee by the Chief Information Officer.
• Communication of Policy
• Signature on an account application form, acceptance of a user ID, or online registration denotes that the applicant has read and understands the guidelines available and also denotes acceptance of the Information Technology Acceptable Use Policy.
• The policy is available online at http://campus.murraystate.edu/aup/ and in print form in Waterfield Library.
• Other Information Technology Policies
• Departments with their own information technology labs will adhere to the same general operating guidelines as established by this policy.

---

Glossary of Terms

Technical Terms used in the Technology Policy

• Access Rights Permission to use an MSU information technology resource according to appropriate limitations, controls, and guidelines.
• Commercial purpose A goal or end involving the buying and/or selling of goods or services for the purpose of making a profit.
• Data A representation of facts, concepts, or instructions suitable for communication, interpretation, or processing by human or automatic means.
• Disk Space Allocation the amount of disk storage space assigned to a particular user by University Information Systems or the appropriate system administrator.
• Fair Use Use of information technology resources in accordance with this policy, within the rules of an individual MSU facility, and so as not to unreasonably interfere with the use of the same resources by others.
• File A collection of data treated as a unit.
• Inappropriate use of authority or special privilege Use of one's access right(s) or position in a manner that violates the rules of use of those privileges as specified by the Chief Information Officer, or designee, or the appropriate system administrator.
• Information Technology Resource Any information technology/network equipment, facility or service made available to users by Murray State University.
• Password A string of characters that a user must supply to meet security requirements before gaining access to a particular information technology resource.
• Prudent and Responsible Use Use of information technology resources in a manner that promotes the efficient use and security of one's own access right(s), the access rights of other users, and MSU information technology resources.
• Remote Activity Any information technology action or behavior that accesses remote site facilities via an MSU information technology resource.
• Remote Site Any information technology/network equipment, facility, or service not part of, but connected with, MSU information technology resources via a communications network.
• System Administrator Any individual authorized by the Chief Information Officer, the Provost/Vice President, or a designee to administer a particular information technology hardware system and/or its system software.
• Transmission The transfer of a signal, message, or other form of information from one location to another.
• Unauthorized Act With the exception of information technology actions or behaviors permitted in this policy, any act performed without the explicit permission of the Chief Information Officer, or designee, or the appropriate system administrator.
• Usage Record Information or data indicating the level of usage of information technology resources by a particular user.
• User Any individual -- whether student, staff, or individual external to MSU -- who uses MSU information technology resources.
• User ID A character string that uniquely identifies a particular user of MSU information technology resources.