- Information resources are provided to support the essential mission of UT Austin.
- UT Austin policies, UT System rules, state and federal law govern your use of information resources.
- You are expected to use information resources with courtesy, respect, and integrity.
- The information resources infrastructure is provided for the entire campus. This infrastructure is finite and requires millions of dollars to maintain, and all users are expected to use it responsibly.
- Simply because an action is easy to do technically does not mean it is legal or even appropriate.
- University: The University of Texas at Austin.
- System: The University of Texas System.
- University Information Resources: All computer and telecommunications equipment, software, data, and media, owned or controlled by University or maintained on its behalf.
- University Data: All data or information held on behalf of University, created as result and/or in support of University business, or residing on University Information Resources, including paper records.
- Confidential Data or Confidential Information: All University Data that is required to be maintained as private or confidential by applicable law.
- User: Any individual granted access to University Information Resources.
All individuals granted access to or use of System Information Resources must be aware of and agree to abide by the following acceptable use requirements:
3. Privacy Expectations
Users who are University employees are to use University provided e-mail accounts, rather than personal e-mail accounts, for conducting University business.
5.1 You are the only person who can use an information resource (such as an electronic identifier or an electronic mail account) that the university has provided for your exclusive use.
5.2 NEVER GIVE YOUR PASSWORD TO ANYONE ELSE, even people you trust, such as your friends or relatives or someone who has offered to help you fix a problem. If you suspect someone may have discovered or guessed your password, change it immediately.
University issued or required passwords, including digital certificate passwords, Personal Identification Numbers (PIN), Digital Certificates, Identification Cards, Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes shall be maintained securely and shall not be shared or disclosed to anyone.
Users must not give others access to University Information Resources unless they are authorized and authenticated for such access. Users may not extend access to university information resources to others without permission (e.g., proxy services, accounts for non-university personnel, etc).
Each User will be held responsible for all activities conducted using the User’s password or other credentials.
5.3 Do not give others access to university information resources unless they are authorized and authenticated to do so. You may not extend access to university information resources to others without permission (e.g., proxy services, accounts for non-university personnel, etc).
5.4 Incidental Use of University Information Resources is permitted, but must not interfere with User’s performance of official University business, result in direct costs to the University, expose the University to unnecessary risks, or violate applicable laws or other University or System policy.
Users must understand that they have no expectation of privacy in any personal information stored by a User on a System Information Resource, including University e-mail accounts.
A User’s incidental personal use of Information Resources does not extend to the User’s family members or others regardless of where the Information Resource is physically located.
Incidental Use to conduct or promote the User’s outside employment, including self-employment, is prohibited.
Users may not be paid, or otherwise profit, from the use of any university-provided information resource or from any output produced using it. Users may not promote any commercial activity using university information resources. Examples include, attempting to sell football tickets or used text books via the UT course management service or advertising a "Make Money Fast" scheme via a newsgroup. Such promotions are considered unsolicited commercial spam and may be illegal as well.
Incidental Use for purposes of political lobbying or campaigning is prohibited.
Storage of any e-mail messages, voice messages, files, or documents created as Incidental Use by a User must be nominal.
5.5 Never use any university-provided information resource to do something illegal, threatening, or deliberately destructive—not even as a joke. The Information Security Office will investigate all complaints. The Office of the Dean of Students handles complaints about students; the Office of the Executive Vice President and Provost handles complaints about UT Austin faculty and staff. Violations can result in disciplinary action, criminal charges, or both. Law enforcement agencies will investigate violations of state or federal law.
- Ignorance is no excuse. Read the Computer Crimes Law.
- Never deliberately install any unauthorized or malicious software on any system.
- You cannot be exempt from the law because you are "just a student," "you were conducting research," or you were "just playing around."
- If you are a student with a part-time job at the university, you may be disciplined both as an employee and as a student, resulting in both professional and educational consequences.
- If someone asks you to stop communicating with him or her, you should. If you fail to do so, the person can file a complaint and you can be disciplined.
- If you ever feel that you are being harassed, university staff members will assist you in filing a complaint. Please report the problem to Student Judicial Services at 471-2841, or contact the Information Security Office at firstname.lastname@example.org. If you are concerned for your safety or feel that you are in danger, call the UT police department at 471-4441, or call the Austin police if you are off-campus.
5.7 Use resources appropriately. Do not interfere with the activities of others or use a disproportionate share of information resources. Examples of inappropriate use of resources are shown below. These actions frequently result in complaints and subsequent disciplinary action.
- Sending an unsolicited message(s) to a large number of recipients (known as "spamming the network").
- Consuming an unauthorized disproportionate share of networking resources (e.g., misuse of peer-to-peer applications).
- Deliberately causing any denial of service, including flooding, ICMP attacks, or the unauthorized automated use of a service intended solely for human interaction.
5.8 Never falsify your identity or enable others to falsify identity using university information resources. This type of forgery can result in serious criminal penalties and disciplinary action by the Office of the Dean of Students or the Office of the Executive Vice President and Provost.
- All electronic correspondence must correctly identify the sender.
- All electronic correspondence belongs to someone and should be treated as private communications unless the author has explicitly made them available to others.
- The following email activities are prohibited when using a University provided email account:
- Sending an email under another individual’s name or email address, except when authorized to do so by the owner of the email account for a work related purpose.
- Accessing the content of another User's email account except: 1) as part of an authorized investigation; 2) as part of an approved monitoring process; or 3) for other purposes specifically associated with the User’s official duties on behalf of University.
- Sending or forwarding any email that is suspected by the User to contain computer viruses.
- Any Incidental Use prohibited by this policy.
- Any use prohibited by applicable University or System policy.
5.9 Never infringe upon someone else's copyright. It is a violation of university policy and federal law to participate in copyright infringement. The university complies with all legal requests (e.g., subpoenas) for information and will not hesitate to report your use in response to a lawful request. Copyrighted materials include, but are not limited to, computer software, audio and video recordings, photographs, electronic books, and written material. If you share movies or music that you did not create, you may be infringing on another's copyright. Consequences of copyright infringement can include disciplinary actions by the university. In addition, copyright owners or their representatives may sue persons who infringe on another's copyright in federal courts. Such lawsuits average $750 per allegedly violated song in penalties or fines, for example. See the Keep it Legal: Finding Legal Online Music, Movies, and Other Content and the Fair Use of Copyrighted Materials for more information.
5.10 Never try to circumvent login procedures on any computer system or otherwise attempt to gain access where you are not allowed. Never deliberately scan or probe any information resource without prior authorization. Such activities are not acceptable under any circumstances and can result in serious consequences, including disciplinary action by the Office of the Dean of Students or the Office of the Executive Vice President and Provost.
- All electronic devices including personal computers, smart phones or other devices used to access, create or store University Information Resources, including e-mail, must be password protected in accordance with university requirements, and passwords must be changed whenever there is suspicion that the password has been compromised.
- University Data created or stored on a User’s personal computers, smart phones or other devices, or in databases that are not part of University’s Information Resources are subject to Public Information Requests, subpoenas, court orders, litigation holds, discovery requests and other requirements applicable to University Information Resources.
- University issued mobile computing devices must be encrypted.
- Any personally owned computing devices on which Confidential University Data is stored or created must be encrypted.
- University Data created and/or stored on personal computers, other devices and/or non-University databases should be transferred to University Information Resources as soon as feasible.
- Unattended portable computers, smart phones and other computing devices must be physically secured.
- All remote access to networks owned or managed by University or System must be accomplished using a remote access method approved by the University or System, as applicable.
5.12 Never use or disclose Confidential data, or data that is otherwise confidential or restricted, without appropriate authorization. Examples of groups that can provide appropriate authorization include, but are not limited to, Office of Admissions, Human Resource Services, Office of the VP for Institutional Relations and Legal Affairs, Information Security Office, and the university's Public Information Officer.
- Make sure any individual with whom you share Confidential data is authorized to receive the information.
- Do not share Confidential data with friends or family members.
- Do not share university business data that may be classified as Confidential data, such as the status of negotiations, terms of contracts, and new research or products or relationships under development.
- Comply with the university's agreements to protect vendor information such as software code, proprietary methodologies, and contract pricing.
- If your office routinely receives requests for Confidential data, work with an appropriate group within the university to develop formal processes for documenting, reviewing, and responding to these requests.
- If you receive a non-routine request for Confidential data from a third party outside of the university, check with an appropriate group within the university to make sure the release of the data is permitted.
- Whenever feasible, Users shall store Confidential Information or other information essential to the mission of University on centrally managed services, rather than local hard drives or portable devices.
- Confidential or essential University Data stored on a local hard drive or a portable device such as a laptop computer, tablet computer, or smart phone must be encrypted in accordance with University, System’s, and any other applicable requirements.
- All Confidential University Data must be encrypted during transmission over a network.
- Users who store University Data using commercial cloud services must use services provided or sanctioned by the University, rather than personally obtained cloud services.
- Users must not try to circumvent login procedures on any University Information Resource or otherwise attempt to gain access where they are not allowed. Users may not deliberately scan or probe any University Information Resource without prior authorization. Such activities are not acceptable under any circumstances and can result in serious consequences.
- All computers connecting to a University network must run security software prescribed by the Information Security Officer as necessary to properly secure University Information Resources.
- Devices determined by University to lack required security software or to otherwise pose a threat to University Information Resources may be immediately disconnected by the University from a University network without notice.
- Report violations of university policies regarding use and/or disclosure of confidential or restricted information to the Information Security Office (email@example.com, 512-475-9242).
6. Annual Acknowledgement
As required by UT System, all actively appointed faculty and staff members are required to complete the Acceptable Use Policy acknowledgement form annually.
The Information Security Office will automatically notify faculty and staff of any outstanding acknowledgement forms and will report summaries of completed forms to supervisors, Human Resources representatives, and IT Owners.
Faculty and staff who have not completed the Acceptable Use Policy acknowledgement form may be subjected to disciplinary actions.
7. Disciplinary Actions
- If you believe that your personal safety is threatened, call UT Police, 471-4441.
- For other incidents, contact the Information Security Office at firstname.lastname@example.org or the UT Austin compliance hotline (via email@example.com or 1-877-507-7321). You will receive an acknowledgment, and the incident will be handled by staff at the appropriate university office, such as Student Judicial Services or the Office of the Provost. Alternatively, you may also use the following form to report matters to University Compliance Services (https://www.reportlineweb.com/utaustin).
- For reporting problems with "spam" or unsolicited mail, you may want to notify the Internet service provider (ISP) from which the mail was sent. Send a simple, polite note to the ISP, including a complete, unaltered copy of the spam (including the e-mail headers) for them to analyze. Don't expect a personal reply, because the ISP will probably be awash in complaints just like yours.
8. Authoritative Source
9. Revision History
|8/24/2015||Aligned with AUP changes to IRUSP|
|06/24/2013||Reviewed and fixed broken links.|
|5/28/2013||Converted back to HTML||No change|
|2/24/2011||Created PDF of web version||No change|
|2/23/2009||Updated example in Section V.4 to read, "Examples include, attempting to sell football tickets or used text books via the UT course management service or advertising a "Make Money Fast" scheme via a newsgroup. Such promotions are considered unsolicited commercial spam and may be illegal as well."||For example, you cannot advertise a "Make Money Fast" scheme. Such promotions are called "chain letters" and are explicitly illegal.|
During the annual review of this document, a number of wording changes were made to align the language with the expectations outlined in the Information Resources Use and Security Policy. In addition, the following changes were made:
1. Policy moved from Information Technology Services site to Vice President for Information Technology site.
2. Formatted document to conform to other policy documents. Added section II. Audience.
3. From "What can I expect?":
4. Updated Privacy Expectations (Sec III) to make mention of the U. T. Austin Network Monitoring Standards (http://security.utexas.edu/policies/monitoring.html).
5. Updated Requirements (Sec V) to more directly cover copyright violations associated with peer-to-peer misuse (Rule #7, Rule #9)
Section II, change requested by Compliance Office and Legal Affairs:
"Furthermore, the university will comply with the lawful orders of courts, such as subpoenas and search warrants. This compliance has included providing, when required, copies of discussions on university operated mailing list servers, discussion threads on university operated news servers, e-mail content stored on university IT resources, or other information ordered by the court."
"Furthermore, the university will comply with the lawful orders of courts, such as subpoenas and search warrants. This compliance has included providing, when required, copies of discussions on university operated mailing list servers, discussion threads on university news servers, or other information ordered by the court."
|4/9/2007||Removed language about Brightmail and IronPort technologies from section VI, "Spam" #3. Replaced with "ITS uses robust hardware and software to control spam on all e-mail services provided by ITS. Specific questions about spam can be addressed to the ITS Help Desk."||"ITS uses a combination of Ironport appliances and Brightmail software to control spam on all e-mail services provided by ITS. Specific questions about spam can be addressed to the ITS Help Desk." |
|Chief Information Security Officer||Approval||Cam Beasley||September 24, 2015|