• Faculty Handbook
• AP Faculty Handbook
• Classified Employee Handbook
• Wage Employee Handbook
• Student Handbook
• VA Department of Human Resource Management Policies
• Financial Procedures Manual

Policy #1207
Appropriate Use of Information Technology Resources

Date of Current Revision: April 2012
Responsible Office: Assistant Vice President Information Technology

1. PURPOSE

The purpose of this policy is to provide direction to members of the university community regarding safe and responsible use of technology resources and the responsibilities they have for protecting and efficiently using such resources at JMU.

2. AUTHORITY

The Board of Visitors has been authorized by the Commonwealth of Virginia to govern James Madison University. See Code of Virginia section 23-164.6; 23-9.2:3. The Board has delegated the authority to manage the university to the president.

STATE OR FEDERAL STATUTE AND/OR REGULATION

Consistent with the University’s Memorandum of Understanding granting Level II delegation from the Commonwealth under the Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 and in keeping with the other university technology policies, JMU exercises independent authority for issuing policy and establishing requirements related to technology management for the institution.

3. Definitions

Intellectual Property:
Anything developed by anyone covered by the university's intellectual property policy that fits one or more of the following categories:

• A potentially patentable machine, article of manufacture, composition of matter, process, or improvement in any of these; or
• An issued patent or trademark; or
• A legal right that inheres in a patent; or
• Anything that is copyrightable (in legal terms, this means anything that is an original work of authorship, fixed in a tangible medium or expression)

System Security Mechanism:
A procedure, program, or device used with a computer to implement or enforce access controls, auditing, authentication, confidentiality, authorization, policy settings or other security measures.

UserID:
The name you use to identify oneself when logging onto a computer system or online service. Both a username (user ID) and a password are required. In an Internet e-mail address, the username is the left part before the @ sign. The primary username assigned to members of the JMU community is also called an eID.

Domain name:

A human readable name used to describe a computer or network (e.g. www.jmu.edu) whose registration is coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN). Each name corresponds to an IP address (e.g. 134.126.XX.XX) used for Internet addressing and routing.

4. APPLICABILITY

This policy is applicable to all individuals, including but not limited, to faculty, students, administrators, staff and affiliates, who have been given or obtained access to computer equipment, systems, networks, or other information technology owned or operated by James Madison University. The policy further includes any and all methods or means of access, whether initiated from on or off-campus. The policy applies to all university information technology resources and all privately owned resources that are connected to university systems or networks.

5. POLICY

Access to data, computer equipment, systems, and networks owned or operated by James Madison University is a privilege granted by the university and governed by certain regulations and restrictions. These include university policies, procedures and standards, as well as all applicable local, state, and federal laws.

The university provides authorized users the widest and most reliable system and network access possible. In return, the user agrees to abide by the regulations set forth in this and other university policies. This means that the user agrees to behave ethically, appropriately, and responsibly while using university systems and network resources. In particular, the university expects all users to:

• Respect intellectual property
• Respect the ownership and confidentiality of computer-based data, services, and system security mechanisms
• Respect individuals' rights to privacy and to freedom from intimidation or harassment
• Use and operate computing resources in a manner that minimizes the risk to privacy, data, services, and network operations
• Responsibly use shared resources in a way that does not adversely affect their availability to others
• Upon notification of activity or behavior that violates this policy, to discontinue such activity immediately
• Report inappropriate use
• Use resources and systems for their intended purposes and
• Respect the integrity of data.

At university management's discretion, files, data, or communications may be reviewed as necessary with cause; therefore, individuals are not entitled to any expectation of privacy with regard to their files, data, or communication.

Any person who has a question about this policy, or is concerned about a potential violation of their own or by another person, must contact the university's Information Security Officer or report the incident immediately to abuse@jmu.edu.

6. PROCEDURES

By using the university's information technology resources, each user accepts responsibility for his/her behavior, the operation of their computer, and all activities performed using their userID. S/he also agrees to conduct him/herself appropriately, especially as follows:

6.1 Respect Intellectual Property

Individuals shall:

• Not make or use illegal copies of copyrighted software, store such copies on university systems, or transmit such copies over university networks
• Follow all vendor licensing requirements
• Not otherwise infringe upon the copyrights of others
• Ensure that all use of copyrighted material accords with the fair-use provision
• Protect from unauthorized use any copyrighted material to which s/he has authorized access.

6.2 Respect the ownership and confidentiality of computer-based data, services, and system security mechanisms

Individuals shall:

• Access only files, data, and services that he/she owns
• Access only files, data, and services to which he/she has been given authorized access by the owner or official designee
• Not attempt or assist in attempts to gain unauthorized access to:
  • Passwords
  • Access control information
  • Data, services, computing resources, or network resources
  • Computing facilities
• Not use another person's password
• Not divulge passwords and other access control information to others
• Not conduct unauthorized scanning of computer network connected devices or systems.

6.3 Respect individuals' rights to privacy and to freedom from intimidation and harassment

Individuals shall:

• Not use computing resources, including the university network and email system, with the intention to harass, intimidate, threaten, or otherwise harm another person, whether directly or indirectly
• Not use unauthorized electronic means to eavesdrop, collect, or disclose information about others.

6.4 Use and operate computing resources in a manner that minimizes the risk to privacy, data, services and network operations

Due to the openness of JMU's network, virtually all systems connected to the network can access, be accessed, and provide information services remotely. Improper operation of any such system can result in the compromise or operational disruption of the JMU network and attached services and data. Thus, there are special requirements related specifically to network-connected computers. These requirements apply to all computers connected to or accessing the JMU network.

Though proper operation varies with environment and the technology being used, individuals shall ensure:

• available protection mechanisms, such as anti-virus software, are used on all computers connected to or accessing the JMU network
• software on computers connected to or accessing the JMU network is regularly updated to preclude exploits of known defects.
• software on computers connected to or accessing the JMU network is not configured in such a way that it allows the compromise of the computer; and that
• operators of computing resources connected to or accessing the JMU network use and operate those resources in ways that are appropriate to current levels of risk.

More specific requirements are communicated through the university’s STARTSAFE and RUNSAFE programs, security awareness training and in information technology-related Policies and Standards.

6.5 Responsibly use shared resources in a way that does not adversely affect their availability to others

Many JMU computing and network resources are shared. In order that these resources are available to the entire community, individuals must show cooperation and respect in their use. Individuals shall:

• Refrain from monopolizing system or network resources
• Respond to official requests to desist from activity that monopolizes resources by ceasing the activity causing the problem
• Not waste computer time, connection time, disk space, printer paper, manuals, or other resources.
• Not attempt or assist in attempts to adversely affect shared resources

6.6 Upon notification of activity or behavior that violates this policy, to discontinue such activity immediately and to report any inappropriate use of which they become aware.

• Send an e-mail to the abuse@jmu.edu or contact the Information Security Officer.

6.7 Use resources and systems for their intended purposes

Individuals shall:

• Not use computing resources for illegal or fraudulent activities
• Not use another person's password
• Not divulge passwords or other access control information to others
• Not use the university's systems or network for personal gain, for example:
  • By selling access to his/her userID or password, to university computing or to network resources
  • By performing work for profit or by another commercial action, using such resources in a manner not authorized by the university
• Not conduct political activity in a manner not authorized by the university
• Abide by:
  • All rules, regulations, policies and procedures adopted by the university
  • All rules and regulations posted in computing facilities, labs and printer areas
• Not use university resources or computers attached to the university network to falsify identity, for example by:
  • Providing "pass through" service
  • Sending electronic mail under forged headers
• Not engage in any activity that alters wired or wireless network connections, access points, topology, or physical wiring of university-owned resources
• Register network-connected computers as current rules, regulations, policies, and procedures specify
• Not register other domain names within JMU IP-address space without official university approval
• And, as university employees,
  • Not install or operate computer games on university-owned machines for purposes other than academic instruction
  • Not violate any statute or regulation applicable to university employees including but not limited to Commonwealth of Virginia DHRM Policy 1.75 (Use of Internet and Electronic Communication Systems) and Code of Virginia sections prohibiting employees from accessing sexually explicit materials.
  • Follow university development and maintenance guidelines while implementing or modifying systems.

7. RESPONSIBILITIES

Because of their leadership positions and control over resources, AVP’s, deans, academic/administrative unit heads and principal investigators (PIs) can play a critical role in the protection of JMU information resources. Specifically, their influence should be used to:

• Ensure that security is given appropriate consideration, along with functionality, performance, ease-of-use, cost, and availability, in the planning and implementation of new projects and services
• Make computer security a staffing, funding, and training priority. Additionally, PIs can specify the cost associated with security as a direct cost in grant proposals
• Encourage responsible attitudes and behaviors within the units they lead by communicating the importance of addressing security issues and by requiring all staff members to be accountable for the security of their network-connected devices
• Ensure units acknowledge that administering servers takes specialized skills and that they will have only qualified people do this work, and
• Ensure device owners and unit managers take swift action should a security breach occur and that they contact IT immediately.

By using the university's information technology resources, each and every user accepts responsibility for his/her behavior, the operation of their computer, and all activities performed using their userID.

8. SANCTIONS

8.1 Regarding employees, sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment.

8.2 Regarding students, sanctions will be commensurate with the severity and/or frequency of the offense and may include suspension or expulsion.

8.3 In addition, responses for violation of this policy may include, but are not necessarily limited to, the following:

• Notification:  alerting a user to what appears to be an inadvertent violation of this policy in order to educate the user to avoid subsequent violations.
• Warning: alerting a user to the violation, with the understanding that any additional violation will result in a greater penalty.
• Loss of computer and/or network privileges:  limitation or removal of computer and/or network privileges, either permanently or for a specified period of time.
• Restitution for damages:  requiring reimbursement for the costs of repair or replacement of computer-related material, equipment, hardware, software, data and/or facilities. In addition, such reimbursement shall include, but not necessarily be limited to, the cost of additional time spent by university employees due to the violation.

Finally the violator may be subject to criminal or civil penalties as they apply.

8.4 The university considers any violation to be a serious offense in its efforts to preserve the privacy, data, and services of individuals and the university. In the case an investigation is begun related to policy and/or legal violations, the university's officials reserve the right to access, examine, intercept, monitor, and copy the files, network transmissions, and/or on-line sessions of any user. The university may choose to suspend a user's access to its resources in connection with investigation of (but not limited to) any of the following:

• Violations or suspected violations of security and/or policies
• Activities which may be contributing to poor computer performance
• Computer malfunctions.

8.5 In connection with such investigations, users whose files, network transmissions, or computer sessions are affected are deemed to have acknowledged that:

• They are not entitled to any expectation of privacy with regard to their files, data or communications, which may be shared with the appropriate investigating officials. In general, the university will exercise discretion as far as is appropriate given the case
• The university's Office of Audit and Management Services (as well as appropriate JMU or external law enforcement agencies) may be notified of the violation and provided with information and materials relating to the investigation and/or violation.

9. EXCLUSIONS

None.

10. INTERPRETATION

Authority to interpret this policy rests with the President, and is generally delegated to the Assistant Vice President for Information Technology.

Previous Version: September 2010
Approved by the President: April 2002

Index Terms

Intellectual property
Information security
Abuse of technology
Use of technology