Use of the University's network system or any of its components renders the user subject to, and constitutes the user's agreement to abide by, this Policy.
The University's network system and all its components (including hardware, software, web access, and voicemail) exist to support the University's academic mission. Access to the network is a privilege that should be exercised responsibly, ethically and lawfully. Acceptable use is governed by the following broad principles: the enhancement of the University's academic mission, the academic freedom of users, the reasonable privacy of users, and the maintenance of the integrity of computer resources.
Acceptable Use of Computing Resources
Activities related to the University's academic mission take precedence over computing pursuits of a more personal or recreational nature. Any use that disrupts the academic mission is prohibited.
Users have the responsibility to take prudent and reasonable steps to prevent unauthorized access to University computing resources. The user-ID and password system is designed to establish responsibility for computing resources and use. (Ownership and control of University computing resources, however, remain with the University. All encryption keys employed by users must be provided to Information Technology if requested in order to perform functions required by this policy). Acceptable use respects these identification and security mechanisms. Account owners are considered to be responsible for all activity associated with their account, whether on a University-owned or a personal computer. Likewise, proceeding beyond the login screen is not acceptable use if the account is not yours.
Following the same standards of common sense, courtesy and civility that govern the use of other shared University facilities, acceptable use of information technology resources generally respects all individuals' privacy, but subject to the right of individuals to be free from intimidation, harassment, and unwarranted annoyance.
Any use of University resources for illegal, unauthorized business or commercial (this does not include on-line purchases of personal items) purposes, or for purposes which are contrary to the rules, regulations, policies and/or interests of the University, is prohibited.
Use of all network resources must respect the University's network access contracts and requirements.
Acceptable use is governed by current federal, state, and local laws covering, but not restricted to, the practices of theft and copyright infringement, as well as University rules, regulations and policies.
Abuse of networks or computers at other sites through the use of St. Lawrence University resources will be treated as an abuse of computing privileges at St. Lawrence University.
Wireless access points must be connected to the University's network with help from the IT staff. Unauthorized access points endanger network security and will be removed from the network and confiscated by IT staff immediately upon discovery.
Acceptable use respects the need for the operational integrity of the computer network. For example, the following activities and behaviors are prohibited:
- distributing computer viruses, worms, Trojan horse programs, e-mail "bombs," and chain letters;
- triggering system security features that result in the denial of service to other users;
- misconfiguring programs or equipment intentionally ;
- forging or counterfeiting e-mail messages;sending an e-mail message with a false or misleading user ID;
- altering or attempting to alter files or systems without authorization;
- scanning of networks for security vulnerabilities without authorization;
- attempting to alter any University computing or networking components (including, but not limited to, bridges, routers, and hubs) without authorization or beyond one's level of authorization;
- extending or re-transmitting any computer or network service without authorization ;
- accessing or viewing secured files or directories without authorization;
- violating the intellectual property rights of others.
University Responsibilities
The University reserves the right to protect, repair, and maintain University computing equipment and network integrity. In accomplishing this goal, University IT personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and Internet activities. Any information obtained by IT personnel about a user through routine maintenance of University computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of University computing resources.
Privacy
The University will make every reasonable effort to respect a user's privacy. However, faculty, staff and students do not acquire a right of privacy for communications transmitted or stored on University resources. In addition, in response to a judicial order or any other action required by law or permitted by official University policy or as otherwise considered reasonably necessary to protect and/or promote the legitimate interests of the University and the University community, the President (or if the President is unavailable, the Dean of Academic Affairs and Vice President the University) may authorize the Chief Information Officer(s), or an authorized agent, to access, review, monitor and/or disclose computer files associated with an individual's account. Before authorizing any action, the President (or Vice President) will first verify the authenticity of such a request. (Also see the Library section of this document for specific regulations regarding computers in Libraries.) Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or University rules, regulations or policy, or when access is considered necessary to conduct University business due to the unexpected absence of an employee or to respond to health or safety emergencies.
To the extent doing so will not impair a necessary University activity (and unless forbidden by law), a reasonable attempt will be made to contact the user to inform him or her after their computer files have been secured by IT but before IT reviews the files. If the user cannot be contacted, the Chief Information Officer(s) or an authorized agent will view the computer files related to the specific issue and, subject to the foregoing exceptions, will attempt to inform the user, in writing, indicating that the files have been reviewed.
General Privacy Issues Concerning E-mail and Network Security
Users should be aware that no computer system is entirely secure. Unauthorized individuals, working inside or outside of the University's system, may find ways to access files despite the University's best efforts to enforce security. Therefore, all users should be aware that the University cannot and does not provide any guarantee of user privacy.
Users should not expect total privacy of electronic mail (e-mail). IT staff may see the contents of e-mail due to addressing errors or as a result of maintaining the e-mail system. In those cases where IT staff view the contents of private e-mail, they are required to keep the contents confidential, subject to provisions of this policy. In addition, access is permitted as outlined in this policy. Also remember that e-mail sent off campus may be viewed by IT personnel at other institutions that may not have any considerations of privacy concerning e-mail.
Users should try to limit the storage of files containing personal information on the network because their privacy cannot be guaranteed.
Library Files and Public Access Computers
Library records for patrons of the SLU Libraries are protected by New York state law and by practices based on the Code of Ethics of the American Library Association.
New York State's CLS CPLR § 4509 states that:
"Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute."
Public Access Computers in University Libraries
Members of the St. Lawrence University community, students, faculty, and staff have first priority in the use of the library workstations.
The public workstations are for library research.
Users are asked to limit their stay at the computers during the library's busiest times.
Unacceptable use of computers in the reference area includes, but is not limited to, e-mail, any type of instant messaging, word processing, spreadsheets, games, chat rooms, and bulletin boards.
The Library reserves the right to restrict access to the workstation computers.
Intellectual Property
The University recognizes that copyright exists to "promote the progress of science and the useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries" (from Article I., Section 8, Clause 8 of the United States Constitution)
Acceptable use requires that all users recognize and honor the intellectual property rights of others, including copyright on software, music, video, text, pictures and graphics. The University may terminate network access to users who repeatedly infringe the intellectual property rights of others.
Servers
Owners and overseers of servers connected to the St. Lawrence University network must ensure that key security vulnerabilities are eliminated from these devices by obtaining, installing, and properly maintaining all appropriate service packs, security patches, and virus protection software. This policy applies to anyone in the University community who owns or oversees a server connected to the St. Lawrence University Network, including but not limited to:
- Faculty, staff, students, and other individuals who have servers connected to the St. Lawrence University network, even if those devices were acquired personally.
- In cases where vendor-owned and/or managed equipment is housed in departments/programs then the department or program chair will be presumed to be responsible for the server.
- If no one claims responsibility for a server, then the department or program chair for the department/program in which the server resides will be presumed to be responsible by default.
- Key security vulnerabilities vary depending upon the type of device. The list of examples provided below is not a comprehensive list of security vulnerabilities. Vulnerabilities will evolve over time as new threats and risks surface. Please check the IT web site for important messages concerning current vulnerabilities. Device owners and overseers are responsible for staying apprised of new vulnerabilities and acting promptly to address any new security gaps. It is important that owners and overseers of servers consult with IT concerning their specific needs at any time.
Examples of Key Security Vulnerabilities and Counter Measures:
- All device owners and users should ensure that passwords used on their devices are not easily guessable by attackers or by the password-guessing software that hackers use to break into machines. Passwords should consist of no fewer than 8 characters. They should begin and end with alpha characters, and should contain several numerals along the way. Never use a word that can be found in a dictionary, even a non-English dictionary. Including mixed cases is excellent for machines whose operating systems are case sensitive (such as Unix operating systems).
- Owners and overseers of servers should install and run antivirus software and maintain current virus definitions. Check with IT to be sure that you are running the latest version of antivirus software recommended for your machine.
- Owners and overseers of servers should apply security-related updates to the operating system running on their devices as soon as these updates become available from operating system vendors. Delays benefit only the hackers. The IT staff will apply security-related updates to machines administered by IT.
- Owners and overseers of servers should switch off unneeded Operating System services to eliminate the risk of their being exploited by hackers.
In cases where university network resources are threatened by improperly maintained, poorly configured, or misbehaving computing devices, Information Technology will act on behalf of the University to eliminate the threat by working with the relevant device owner or overseer to close security holes quickly. In circumstances where these collaborative efforts fail, if the responsible individual cannot be found, or if there is an urgent situation requiring immediate action and leaving no time for collaboration, the device will be disconnected from the network by Information Technology until the appropriate repairs are made.
Administration and Enforcement
The personnel of the IT department of St. Lawrence University will work with users to resolve issues or resolve disputes over acceptable use. When users fail to comply with requests made by the IT department to adopt the acceptable use practices described in this policy, such as concerning University policies or standards, contractual obligations, or federal or state laws, the University reserves the right to restrict the use of its informational resources and facilities and to limit access to its computers, systems, and networks.
Users are subject to disciplinary rules described in the student handbook, faculty handbook and/or rules governing employment at St. Lawrence University if they engage in activities that damage 1) IT property or the operational integrity of the St. Lawrence University network and/or 2) networks or computers at other sites through the use of St. Lawrence University IT resources, or they otherwise fail to comply with this policy.