Information Security
CSU Channel Islands is committed to protecting the confidentiality, integrity and availability of campus information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. The Board of Trustees of the CSU has overall responsibility for the protection of information assets, and has established an Information Security Policy (ICSUAM 8000.0). It is the policy and practice of Channel Islands to abide by the letter and spirit of the CSU policy.
For a full description, view the CSU Information Security webpage: http://www.calstate.edu/icsuam/sections/8000/.
Responsible Use of Information Technology Resources
Accountability
The campus Chief Information Officer (CIO) is responsible for ensuring that a Responsible Use Policy is in place and enforced.
Applicability
This policy applies to all users (e.g., executives, managers, faculty, staff, students, guests, business partners, and others) of CSU data, computer networks, equipment, or computing resources. It is the collective responsibility of all users to ensure the confidentiality, integrity, and availability of information assets owned, leased, or entrusted to the CSU and to use CSU assets in an effective, efficient, ethical, and legal manner.
Text
General Principles
- Use of CSU resources shall be consistent with the education, research, and public service mission of the University, federal and state laws, applicable regulations, and CSU and campus policies.
- The Responsible Use Policy shall apply to all users of resources owned, leased, or entrusted to the CSU.
- It is the policy of the CSU to make academic and information technology resources and services accessible to all CSU students, faculty, staff, and the general public regardless of disability. Information regarding the Accessible Technology Initiative may be found at: http://www.calstate.edu/accessibility.
- The University shall respect individuals’ rights to use CSU resources free from intimidation and harassment.
- The University respects freedom of expression in electronic communications on its computing and networking systems. Although this electronic speech has broad protections, the information technology facilities considerately with the understanding that the electronic dissemination of information, particularly on the computing and networking systems, must be available to a broad and diverse audience.
- Other than publicly designated official University sites, the CSU does not generally monitor or restrict content residing on campus systems or transported across its networks.
- If there is reasonable cause to believe that a user has violated CSU or campus policy, federal/state laws, applicable regulations, or contractual obligations, the University reserves the right to take any of the following actions:
  - To have appropriate staff (e.g., T&C staff) access the computing systems and networks, including individuals’ login sessions.
  - Limit an individual’s access to its networks.
  - Remove or limit access to University computers and/or materials posted on University computers.
- “Reasonable cause” exists when facts and/or circumstances sufficiently convince a reasonable person to conclude:
  - A violation of CSU or campus policy, state/federal law, applicable regulation, or contractual obligations has occurred.
  - A member or group within the campus community has been detrimentally affected by some action.
- All investigations of CSU or campus policy violations, non-compliance with federal/state laws and applicable regulations or contractual agreements will be conducted in a fair and equitable manner following established CSU and campus procedures.
- In the normal course of system maintenance, both preventive and troubleshooting, system administrators and service providers may be required to view files and monitor content on the CSU and campus networks, equipment, or computing resources. These individuals shall maintain the confidentiality and privacy of information unless otherwise required by law or CSU/campus policy.
- All users (e.g., faculty, staff, students, business partners, etc.) are required to help maintain a safe computing environment by notifying appropriate campus officials of vulnerabilities, risks, and breaches involving campus technology.
User Responsibilities
- Unless otherwise authorized, the owner of an account on a campus information system or network resource is responsible for all activity initiated by the user and performed under his/her account. A user cannot be held responsible for activities that may occur without his/her knowledge (e.g., hacking). When such an event occurs, the user will be required to assist in the investigation of the incident.
- Account owners must appropriately protect their account and authentication credentials.
- Users who have been authorized to use a password-protected account must follow established procedures for setting, maintaining, and changing passwords and may not disclose the password or otherwise make the account available to others without explicit authorization per established procedures.
- With the exception of publicly accessible campus academic and information technology resources, users must not transfer or extend access to University academic and information technology resources to outside individuals or groups without prior approval of authorized University personnel. Such access must be limited in nature and fall within the scope of the educational mission of the University.
Responsible Use
- Users must not use campus information systems, data, or network resources for purposes that are inconsistent or incompatible with, violate, or are in conflict with the University’s mission, federal/state law, applicable regulations, contractual agreements, or University regulations and policies.
- Users must not use a University owned/leased computer system without permission or authorization.
- Users must not add, delete, alter, or destroy data or software without authorization.
- Users may not make software available for copying on a computer without authorization or make unauthorized copies of computer data or documentation.
- Harassment of others via University information systems or network resources is prohibited under California State Penal Code Section 653m, other applicable laws, and University policies. It is a violation of this policy to use electronic means to harass, threaten, defame, or otherwise cause harm to a specific individual or threaten groups of individuals, whether by direct or indirect reference, or by creating a hostile environment. Campus information systems or network resources must not be used to print, send, or store fraudulent or harassing messages and/or materials. No e-mail, messages (voice or electronic), or web pages may be created or sent that may constitute intimidating, hostile, or offensive materials based on gender, race, color, religion, national origin, sexual orientation, or disability.
- University information systems or network resources must not be used to store, distribute, or transmit obscene or offensive material. These restrictions may not prohibit such access or retention if such materials are being used for a specific academic purpose. Access, storage, and transmission of child pornography using CSU or campus resources are strictly prohibited at all times.
- Certain University facilities that provide information technology (e.g., computer labs, laboratories, offices, and libraries) do not provide a private environment for accessing electronic communications or other data. Therefore, users are advised to be aware of their responsibilities for appropriate behavior in public places. Some materials, which may be appropriate for scholarly inquiry in various disciplines, may have a strong possibility of creating an uncomfortable environment for other users. When an uncomfortable environment has been created, parties are encouraged to contact appropriate campus officials to seek assistance in resolving the conflict.
- Users must promptly report the loss or theft of any device which grants physical access to a University facility (e.g., keys, access cards or tokens).
- Users of campus information systems, data, or network resources must not purposefully misrepresent their identity, either directly or by implication, while communicating electronically. This provision is not intended to limit anonymity, where appropriate, but rather to address purposeful and deliberate use of false identities.
- Campus information systems, data, or network resources must not be used to imply University endorsement, including the support or opposition of the University with regard to any religious or political activity or issue. While using University information systems or network resources, users must not imply University endorsement of products or services of a non-University entity, without appropriate approval. Users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of the University unless authorized to do so.
- Effective information security is a team effort involving the participation and support of every user. A user who has knowledge (or reasonable suspicion) of a violation of this policy must follow the applicable procedures for reporting the violation to the appropriate personnel at his or her campus. A user must not prevent or obstruct another user from reporting a security incident or policy violation.
Network and Systems Integrity
- Individuals must not use University-owned/leased or privately-owned/leased technology resources in a manner that purposefully causes damage to or impairs campus information systems, data, or network resources. Such behaviors (e.g., disrupting services, or causing a denial of service to a computer system or network without authorization) are prohibited on both University-owned/leased and privately-owned/leased equipment operated on or through campus resources.
- In accordance with California State Penal Code Section 502 and other policies and laws, activities and behaviors that threaten the confidentiality, availability, and integrity of campus data, networks or information systems are prohibited on both University-owned/leased and privately-owned/leased equipment operated on or through University resources. These activities and behaviors include but are not limited to:
  - Failure to comply with authorized requests from University personnel to discontinue activities that threaten the operation or integrity of information systems, data, or network resources.
  - Providing unauthorized services or accounts on University information systems. University-authorized business and other activities directly related to the academic mission of the University are allowed; however, any information systems running services that may negatively impact management, reliability, or integrity of the University network or other University resources may be disconnected from the network.
- Users must appropriately protect their devices and credentials that provide access to University protected data against loss, theft, or unauthorized access. Users must take reasonable precautions to ensure that their devices (e.g., computers, PDAs, smart phones, etc.) are secure before connecting remotely to the CSU information systems, data, or network resources. Users must close connections (including remote connections) to University information systems, data, and network resources once they have completed University-related activities.
Incidental Use
University information systems and network resources are owned and operated by the University and are to be used for University-related activities and may be used for occasional incidental use. Such resources are provided to facilitate a person’s essential work as an employee, student, or other role within the University. Individuals may use campus information resources for occasional incidental personal purposes of a private nature provided such use does not:
- Violate international, federal, or state laws.
- Interfere with the University’s operation of its information systems and network resources.
- Burden the University with significant costs.
- Interfere with a person’s employment or other obligations to the University.
- Constitute or result in financial gain for someone or something other than the University.
- Create a security risk to the confidentiality, integrity or availability of University resources, data or services.
When significant costs for personal use are incurred, users may be held responsible for reimbursing some or all of the costs to the University.
Note: The California State University is in the process of developing a university-wide policy for the responsible use of technology and communication resources. Pending the adoption of the final policy, CI has adopted, on an interim basis, the initial draft of the CSU policy. The above is only a portion of the University’s Interim Policy on Responsible Use of Technology and Communication Resources. The complete policy can be found on the CI website at http://policy.csuci.edu/IT/03/IT.03.001.htm.
(IT.03.001)