Acceptable Use Policy
December 18th, 2023
Purpose
The purpose of this Acceptable Use Policy is to establish minimum criteria for acceptable use of the Information Systems of St. George’s University, Medforth Global, HESS, and University Support Services, and their subsidiaries and affiliates (collectively the Enterprise). This policy also strives to support the Office of Information Technology (IT) in maintaining a safe and welcoming Enterprise environment by defining acceptable forms of Enterprise electronic communications.
Scope
This policy applies to all users across the Enterprise’s technological environment and represents the minimum requirements for acceptable Information System use. Individual facilities and business units may require additional security controls, as needed. Users of Enterprise Information Systems include any individual or system with access to Enterprise resources.
Additionally, the Enterprise recognizes that secure and acceptable use of its communication resources is an integral part of its security program. Regulating the use of electronic communications, such as internet, email, social media, and telephones, is necessary to provide a safe environment for students, faculty, and staff as well as to protect the Enterprise from reputational loss.
Definitions
- Authorization: Access privileges granted to a user, program, or process, or the act of granting those privileges
- Electronic Communications: Resources owned or managed by the Enterprise, including Enterprise-issued email addresses or Enterprise-maintained mailing lists. This also applies to any publicly accessible electronic communications involving Enterprise students, faculty, or staff
- Information System: A set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
- Information System Abuse: Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources
- Network: Any information system implemented with a collection of interconnected components
- Non-Public Information (or Enterprise Data): Information whose loss, misuse, unauthorized access, or unauthorized modification could adversely affect the interest or conduct of Enterprise business, or the privacy to which individuals are entitled
- Password: A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization
Roles and Responsibilities
- Office of Information Technology (IT): The Office of Information Technology is responsible for maintaining this Acceptable Use Policy and implementing controls to prevent and detect abuse of Enterprise systems and resources.
- Chief Information Officer: The Chief Information Officer is responsible for setting overall policy regarding Enterprise computers, networks, and information systems use and protection.
- IT Security: The IT Security division is responsible for approving exceptions to the policy and advising IT on what controls and technologies must be used to monitor and detect unacceptable system use, and for performing monitoring and detection of system misuse.
- IT Leadership: IT Leadership is responsible for periodically reviewing this policy and for educating the user community about ethical and secure use of Enterprise information systems.
- Directors, Supervisors, and Department Heads: Management must ensure that all system users within their area of accountability are aware of the responsibilities defined in this policy and must demonstrate a commitment to secure and acceptable system use.
Policy Statement
Acceptable Use
- Any connection between the Enterprise’s network and/or devices and the Internet presents an opportunity for outside adversaries to access Enterprise systems and non-public information. With this in mind, all users must interact with the Internet safely and in compliance with this policy.
- All use of Internet communication methods, including but not limited to E-Mail, social media, and messaging apps, must comply with this policy as well as the Social Media Policy outlined in the Employee Handbook.
- Regarding protection of intellectual property, all individuals will abide by the laws and Enterprise policies to be enforced as defined by the Federal Copyright Act of 1976.
- Mass E-Mail
  - Sending e-mails to large groups of recipients at once must be reserved for those situations where another method of contact is not practical
  - For administrators, all general announcements to students, faculty, and staff must be made through Enterprise Communications
  - All bulk e-mail messages from students must be directed through the Dean of Students Office.
  - Any user with approved access to E-Mail mailing lists may access those mailing lists, provided such access is for business or educational purposes.
Unacceptable Use of Enterprise Resources
The following actions are considered unacceptable use of the Enterprise’s Information Systems and/or Electronic Communications. All Enterprise Users must not:
- Store non-public information on personal devices that are not managed by the Enterprise’s mobile device manager or mobile application manager
- Store or send non-public information outside of Enterprise Systems unless one of the following is true:
  - Have permission from the data owner
  - The Enterprise has a legal agreement with the 3rd party
  - Approval from IT Security
- Intentionally or irresponsibly perform any act that may impair the operation of Enterprise Information Systems.
- Use personal email to conduct Enterprise business
- Make unauthorized alterations of the security or network configuration of any Enterprise Information System.
- Share passwords, PINs, tokens, MFA devices, or other authentication information with anyone, including but not limited to coworkers or administrative staff.
- Solicit passwords, PINs, tokens, or other authentication information from anyone, including but not limited to coworkers or administrative staff.
- Utilize Enterprise systems to gain unauthorized access to remote systems or attempt to circumvent any security protections or authentication systems.
- Employ a false identity when using Enterprise Information Systems.
- Run or install, whether intentionally or unintentionally, any piece of non-approved software or hardware on any Information System that:
  - Bypasses security controls
  - Anonymizes, hides, proxies, or tunnels network traffic, including but not limited to Tor, VPN software, and usage of proxy servers
  - Allows remote control or remote access to a system. This point does not restrict temporary screen sharing via meeting software where more than one person is present
- Misrepresent your availability during work hours to the Enterprise
- Backup data to non-enterprise systems
- Use Enterprise Information Systems or Electronic Communications systems for personal financial gain, including but not limited to crypto mining and conducting non-enterprise business.
- Deliberately perform acts that are wasteful of computing resources.
- Use Enterprise Information Systems in a manner that would constitute harassment, invasion of privacy, threat, defamation, or intimidation.
- Initiate or participate in malicious activity with the intent to cause harm to the Enterprise.
- When communicating via E-Mail, forward chain letters, send non-public information such as PII by E-Mail, or use “auto-forward” rules to send E-Mail to non-Enterprise accounts.
- Provide false or misleading information for the purpose of obtaining additional access rights or manipulating access rights in any way that violates the Enterprise Access Management Policy.
- Place any of the following types of information or software on any Enterprise information systems:
  - Material which infringes upon the rights of another person or organization including but not limited to copyrights, trademarks, or intellectual property infringement
  - Abusive, profane, or sexually offensive material
  - Pirated software, destructive software, pornographic materials, libelous statements, or any material which may be injurious to another
  - Advertisements for commercial purposes
  - Threatening, libelous, or offensive messages
- Play any game using Enterprise Information Systems, unless that game is instructional, and has been specifically approved by IT
- Use peer-to-peer file sharing services
- Connect to websites that promote illegal behavior related to drugs, sex, criminal activity, gambling, and copyrighted material.
- Remove any software installed by the Enterprise, without prior authorization from IT.
- Modify system configurations that bypass security controls or prevent Enterprise Management software from functioning, without prior authorization from IT.
Breach of Policy
- Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
Policy Disclaimers
- Enterprise Information systems and data stored therein are the property of the Enterprise. The Enterprise reserves the right to limit, restrict, or terminate any user’s account and inspect, copy, remove, or otherwise alter any software, data, or file on any Enterprise Information System. The Enterprise also reserves, and will exercise, the right to review, audit, intercept, access, and disclose all communications or data on Enterprise Information Systems at any time.
- All users of the Enterprise should be aware of the limitations to their privacy when using Enterprise Information Systems
- The Enterprise will not be liable for any personal data loss resulting from efforts to maintain the privacy and security of Enterprise Information Systems
- The Enterprise views the misuse of information systems as a serious matter and will make no ad-hoc exceptions to this policy. Exceptions to this Acceptable Use Policy must be formally requested and approved by IT Security.
- Personal Use: The Enterprise is not responsible for any loss or damage incurred by an individual as a result of the individual’s personal use of Enterprise electronic communication resources. Individual utilization of Enterprise electronic communications for personal purposes is acceptable, provided the individual’s actions do not interfere with their obligations to the Enterprise or incur undue costs to the Enterprise in the form of monetary or reputational loss.
Ignorance of this policy does not excuse violations.
Referenced Documents