Introduction
You have been directed to this Acceptable Use Agreement for Access to Technology and Information Resources as a new or continuing faculty, staff, hourly, or affiliated employee at Indiana University.
Access to Indiana University data and information, and access to IT accounts, systems, and applications, is based on your need for access and your assent to use that access appropriately. These services are integral to the operation of the university, and security and privacy laws and other institutional policies protect much of the information.
Therefore, before you can be granted access, you must read and agree to follow these acceptable usage standards, and must accept responsibility to preserve the security and confidentiality of information that you access, in any form, including oral, print, or electronic formats.
Read the information below carefully. It begins with an explanation of how data use is governed within IU, and then sets out user responsibilities. Although these general provisions apply to all IU information and IT accounts, systems, and applications, please be aware that managers of certain services or information types may require you to complete additional agreements and/or training.
Information Governance Explained
The university has assigned the following roles concerning data and information.
Ownership: Indiana University is the owner of the university's institutional data and information.
Data Stewards: These are senior university officials who have planning and policy-level stewardship responsibility for specific segments of the university's information resources (usually within functional areas). Data Stewards establish standard rules, guidelines, and profiles for information access, and also make recommendations and decisions about individual requests to access information. The responsibility for such recommendations may be delegated to a Data Manager.
Data Managers: These are university officials and their employees who have operational-level responsibility for information management activities related to the access, capture, maintenance, and dissemination of data and information.
Information Classification Explained
Institutional Data is defined as a data or information element that satisfies one or more of the following criteria:
- it is relevant to planning, managing, operating, or auditing a major administrative function of the university
- it is referenced or required for use by more than one organizational unit
- it is included in an official university administrative report; or
- it is used to derive an element that meets the criteria above
Data Stewards apply the following criteria to classify institutional data and information into four levels:
- Public
- University-internal
- Restricted
- Critical
Public data is defined as data to which little to no restrictions apply. The general public may be granted access to such data.
University-internal data is defined as data that may be accessed by all eligible employees of the university, without restriction, in the conduct of university business. This should be the "default" classification for all data.
Restricted data may not be accessed without specific authorization, or only selective access may be granted because of legal, ethical, or other constraints.
Critical data is defined as data for which inappropriate handling could result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals.
Usage Responsibilities
The following points detail your responsibilities as you access, use, or handle information or information technology (IT) at IU.
Secure Usage
You agree to:
- Never share your account password(s) or passphrase(s), or SafeWord card PIN, with anyone, including friends, roommates, family, or IU staff.
- Select strong password(s) and passphrase(s) and change them regularly.
- Be mindful that different computer systems and applications provide different levels of protection for information, and seek advice on supplemental security measures, if necessary. For example, a mobile laptop provides inherently less protection than a desktop computer in a locked office. Therefore, the level of protection provided to information accessed or stored using a laptop is to be supplemented by using additional safeguards such as encryption technology, enhancing physical security, restricting file permissions, etc.
- Respect the university's information and system security procedures (i.e., never attempt to circumvent or "go around" security processes).
- Make appropriate use of the tools provided (e.g., strong passphrase, virus detection, encryption software, encrypted transmission, training, etc.) to uphold the security of the university's IT systems and applications, and the confidentiality of information stored on them.
- Take steps to understand "phishing attacks," computer viruses, and other destructive software, and take steps to protect your accounts from such threats (e.g., never reply to emails asking for account passwords or passphrases, never open unsolicited email attachments, never click unknown links, use virus scanning software, apply system patches in a timely manner, etc.).
- Immediately notify your campus Support Center if you believe your account credentials (e.g., user ID, password, passphrase, SafeWord card PIN, etc.) have been compromised.
- Maintain information in a secure manner to prevent access, viewing, or printing by unauthorized individuals.
- Secure unattended computers (e.g., log off, lock, or otherwise make inaccessible), even if you will only be away from the computer for a moment.
- Store Restricted and Critical data securely (e.g., on secure servers, in locked file cabinets, etc.).
- Securely dispose of Restricted and Critical information (e.g., by shredding, disk wiping, physical destruction, etc.).
- Never copy and/or store Restricted or Critical data outside of institutional systems (e.g., on desktop workstations, laptops, USB drives, personally owned computers, etc.) without proper approval from the senior executive officer of the department and only in cases where it is absolutely necessary for the operation of the department.
- Take appropriate steps to secure information (e.g., password protection, encryption, etc.) on mobile storage devices (e.g., laptops, USB drives, cell phones, etc.).
- Ensure, in the rare cases where Critical data has been approved for use and storage outside of institutional systems, that the data are appropriately encrypted, especially on mobile storage devices (e.g., laptops, cell phones, USB drives, CD-ROMs).
- Ensure, in the rare cases where it is necessary to email Critical data, that the data are sent to the correct recipient and only via encrypted email methods.
Legal Usage
You agree to:
- Use information and IT for legal purposes only.
- Respect and comply with all copyrights and license agreements.
- Never use your access to information or IT to harass, libel, or defame others.
- Never damage equipment, software, or data belonging to others.
- Never make unauthorized use of computer accounts, access codes, or devices.
- Never monitor or disrupt the communications of others, except in the legitimate scope of your assigned university duties.
- Never use IT to view or distribute child pornography.
- Abide by applicable laws and policies with respect to access to, use, disclosure, and/or disposal of information.
- Report unauthorized access to, inadequate protection of, and inappropriate use, disclosure, and/or disposal of information, immediately to your campus Support Center.
WARNING: Unauthorized distribution of copyrighted material using Indiana University's information technology resources -- including sharing copyrighted music, movies, and software through peer-to-peer applications like Limewire, BitTorrent, MP3Rocket, Frostwire, etc. using Internet access provided by IU -- is against the law and university policy. In addition to sanctions the university may impose, unlawful file sharing may subject you to legal penalties. This includes both civil penalties (having to pay money to the copyright holder in a lawsuit) and criminal penalties (fines and jail time). See filesharing.iu.edu for further information.
Ethical Usage
You agree to:
- Access institutional information only in the conduct of university business and in ways consistent with furthering the university's mission of education, research, and public service.
- Use only the information needed to perform assigned or authorized university duties.
- Never access any institutional information to satisfy your personal curiosity.
- Use information and IT in ways that foster the high ethical standards of the university.
- Never use information or IT to engage in academic, personal, or research misconduct.
- Never access or use institutional information (including public directory information) for your own personal gain or profit, or the personal gain or profit of others, without appropriate authorization.
- Respect the confidentiality and privacy of individuals whose records you may access.
- Preserve and protect the confidentiality of all University-internal, Restricted, or Critical information as a matter of ongoing responsibility.
- Never disclose University-internal, Restricted, or Critical data (as defined by policy; see above) or distribute such data to a third party in any medium (including oral, paper, or electronic) without proper approval, and in the case of Restricted or Critical data, without a contract processed through or waived by the IU Purchasing Department.
Facilitative Usage
You agree to:
- Never cause community or shared resources to be inaccessible or unusable.
- Use shared information technology resources efficiently.
- Regularly delete unneeded files and information from your accounts (if not required to retain them as outlined in university policy or records management schedules).
- Avoid overuse of network bandwidth, information storage space, printing facilities, paper, processing capacity, or other shared information technology resources.
- Never send mass email (i.e. unsolicited bulk email or spam) without appropriate approval.
- Never send or respond to chain email.
Policies and Laws
You should be aware that institutional policies, federal and state laws, and contractual obligations exist that provide further protections to certain types of information, or that may influence how you handle information. Data Managers of certain applications and information types may require you to complete additional training to familiarize you with these. Examples include:
- IT-01: Appropriate Use of IT Resources: Establishes appropriate usage requirements.
- IT-07: Privacy of Electronic Information and IT Resources: Establishes the procedures and circumstances under which an individual's electronic accounts and files may be accessed by others.
- IT-12: Security of IT Resources: Establishes appropriate security requirements.
- Family Educational Rights and Privacy Act (FERPA): Provides students rights of access to their education records and generally prohibits the disclosure of student education records without the prior written consent of the student.
- Health Insurance Portability and Accountability Act (HIPAA): Imposes various privacy and security requirements on personal health information collected or maintained by certain units of the university.
- Financial Services Modernization Act of 1999 ("Gramm Leach Bliley") and accompanying FTC Standards for Safeguarding Customer Information: Requires universities to develop and implement an information security program designed to protect nonpublic personal information gathered and maintained with respect to certain financial activities, most commonly student financial aid activities, other lending activities, and check-cashing activities.
- The Fourth Amendment to the US Constitution, and various federal and state laws concerning access by law enforcement to information: Establishes the procedures and circumstances under which law enforcement authorities may gain access to institutional data. All warrants, subpoenas, and other legal requests, demands, or orders seeking access to institutional data or systems must be forwarded immediately to the IU Office of the Vice President and General Counsel.
- State of Indiana Access to Public Records Act: With some exceptions, provides for public access to government records, including records of public universities like IU. All requests for records under the Indiana Access to Public Records Act must be forwarded immediately to the IU Office of the Vice President and General Counsel.
- Indiana Code 4-1-10: With some exceptions, makes it a crime to disclose more than the last four digits of someone's Social Security number to someone outside of the university.
- Indiana Code 4-1-11: With some exceptions, requires that the university promptly notify individuals when a breach of electronic systems security reasonably appears to have resulted in unauthorized access to individuals' unencrypted personal information, including Social Security numbers, credit and debit card numbers, driver's license numbers, and financial account numbers or access codes.
- Indiana Code 24-4-14: With some exceptions, requires that the university securely dispose of records with unencrypted personal information in them including Social Security numbers, credit card numbers, driver's license numbers, and financial account numbers or debit card numbers in combination with security or access codes or passwords.
- State invasion of privacy laws: Generally prohibit the disclosure of personal information about an individual when doing so would be highly offensive to a reasonable person.
- State libel/defamation laws: Generally prohibit false statements that harm another's reputation.
- Payment Card Industry Data Security Standards (PCI-DSS): A contractual obligation when accepting credit cards for payment (or contracting for others to do so on IU's behalf), it requires strict security safeguards be applied to protect credit card numbers and associated data from unauthorized access. At IU, the Treasury Department oversees all credit card processing activities.
Sanctions
Failure to comply with these standards will be dealt with seriously, and may result in sanctions relating to your use of information or IT resources (such as suspension or termination of access, or removal of online material); to your employment (up to and including immediate termination of employment, in accordance with applicable university policy); or to your studies within the university (such as student discipline in accordance with applicable university policy). Illegal acts involving IU information or IT may also be subject to prosecution by state or federal authorities and may result in civil or criminal liability.
Assent
To be entrusted with access to Indiana University data and information, and access to IT accounts, systems, and applications, new or continuing faculty or staff employees must accept these responsibilities and standards of acceptable use. By accepting these terms, you agree to follow these rules in all of your interactions.
If you choose not to accept these standards of behavior, you may be denied access to information and/or information technology.
I have read, understand, and agree to abide by the practices outlined in this agreement.