Acceptable Use of Computing and Information Technology Resources Policy

Originally Issued:

December 2013

Contacts:

Download Policy Document (PDF)

Policy:

1. Each person may use only those computing and information technology resources for which he or she has authorization.

See examples

Examples of violations include, but are not limited to:

  1. asking another person for individual account passwords or attempting to obtain such passwords by any means
  2. using resources without authorization
  3. sharing university accounts with other persons without authorization
  4. accessing files, databases, dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. or processes without authorization
  5. using former system and access privileges without authorization after association with the university has ended.

2. Computing and information technology resources must be used in a manner that respects the privacy and rights of others.

See examples

Examples of violations include, but are not limited to:

  1. accessing, attempting to access, or copying someone else’s electronic mail, dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy., programs, or other files without authorization
  2. divulging sensitive, personal informationAny information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)] Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed. without a valid business or academic reason
  3. developing or using programs that may cause problems or disrupt services for other users
  4. misrepresenting another user’s identity in any electronic communication (e.g., forging an e-mail address)
  5. using electronic resources for deceiving, harassing or stalking other individuals
  6. sending threats, “hoax” messages, chain letters, or phishing
  7. intercepting, monitoring, or retrieving any networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices. communication without authorization.

3. The access to and integrity of computing and information technology resources must be protected.

See examples

Examples of violations include, but are not limited to:

  1. sharing passwords
  2. purposefully propagating computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. malware such as computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. viruses, worms or Trojan Horses, except under secure conditions for research or teaching purposes
  3. preventing others from accessing an authorized service
  4. degrading or attempting to degrade performance or deny service
  5. corrupting information
  6. altering or destroying information without authorization
  7. making university systemsDevices and applications accessed via the network. and resources available to those not affiliated with the university
  8. installing hacking or vulnerability tools in university systemsDevices and applications accessed via the network. without authorization
  9. circumventing or attempting to circumvent security mechanisms without authorization.

4. Applicable laws and university policies must be followed.

See examples

Examples of violations include, but are not limited to:

  1. uploading, downloading, distributing or possessing material deemed illegal under US and state laws, such as child pornography or classified information
  2. using university computing or networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices. resources for advertising, partisan political activities or commercial purposes (see the exception for “UNLV Student elections, which are governed by CSUN policy” in Section II.1. “Partisan Political Activity” and the definition of political activity from the NAC 284.770, both referenced in the Related Documents section)
  3. making unauthorized copies of licensed software 
  4. downloading, using or distributing illegally obtained media (e.g., software, music, movies) using the campus networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices., whether on a UNLV-issued computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. or not
  5. accessing, storing or transmitting sensitive, personal informationAny information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)] Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed. without a valid business or academic reason, or outside the parameters of limited personal use
  6. transmitting sensitive, personal informationAny information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)] Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed. without using appropriate security protocols (NRS 603A).

5. Limited personal or non-university use of UNLV computing and information technology resources is allowable only if ALL of the following conditions are met:

  1. the use does not interfere with an employee’s duties
  2. the cost and value related to use is nominal
  3. the use does not create the appearance of impropriety or UNLV endorsement
  4. the use is otherwise consistent with this policy.

Policy Context

UNLV’s computing and information technology resources are dedicated to the support of the university’s mission and its core themes to promote student learning and success, advance and support research scholarship, and creative activity, and foster inclusion and community engagement. While advancing the mission and core themes, UNLV respects, upholds, and endeavors to safeguard the principles of academic freedom, freedom of expression, and freedom of inquiry. UNLV’s commitment to the principles of academic freedom and freedom of expression includes electronic information.

The use of computing and information technology resources in a manner consistent with the mission and ideals of the university and with the Nevada System of Higher Education (NSHE) Computing Resources Policy requires adherence to legal statutes, approved policies, and responsible behavior, including:

  • using only assigned account(s) or account information
  • respecting the privacy and rights of other computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. users
  • protecting the integrity of the physical environments in which information technology equipment resides
  • complying with all pertinent software license and contractual agreements, and
  • obeying all UNLV and NSHE regulations, state and federal laws.

UNLV seeks to create an atmosphere of privacy with respect to information and UNLV information technology resources. UNLV acknowledges its responsibilities to respect and advance free academic inquiry, free expression, reasonable expectations of privacy, due process, equal protection of the law, and legitimate claims of ownership of intellectual property. Such responsibilities are balanced with the acknowledgement that users should be aware that they should have no expectation of privacy in connection with the use of UNLV resources beyond the explicit provisions of university policy and applicable federal and state law (e.g., NRS Chapter 239, Public Records). UNLV is a public institution, and because the university must be able to respond to lawful requests and ensure the integrity and continuity of its operations, use of the university's information resources cannot be completely private.

Information on university computersAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. and equipment may be subject to legal discovery and disclosed:

  • In response to lawfully executed court ordered warrants or subpoenas
  • As a result of the Nevada Public Records Act (i.e. public records request)
  • In response to federal “Freedom of Information Act” requests
  • In litigation involving the university and/or university employeesFor purposes of this policy, university employees are defined as all individuals with an employment contract with the university of 90 days or more.
  • In criminal investigations or investigations of student or employee misconduct
  • In university investigations in accordance with NSHE or university policy.

When warranted, university staff are asked to assist in investigations and discovery and have direct responsibility for investigating and responding to some alleged offenses and incidents involving computing resources.

 


Statement of Purpose:

The purpose of this policy is to:

  • Ensure that use of computing and information technology resources is consistent with the principles and values of the university including academic freedom, privacy, and security.
  • Ensure that computing and information technology resources are used for the intended purposes and meet compliance requirements.
  • Ensure the confidentiality, integrity, availability, reliability, and proper performance of computing and information technology resources.

Entities Affected By Policy:

Entities affected by this policy include UNLV students and employees and anyone who accesses UNLV computing and/or information technology resources.


Who Should Read This Policy:

UNLV students and employees and anyone who accesses UNLV computing and information technology resources should read this policy. 


Exceptions:

To request an exception, please complete the OIT Policy Exception Form.

Exception requests will be processed within 10 business days of receipt of the request.  If an exception is created, the exception will be audited on an annual basis. The owner of the system or a listed designee must respond to the annual audit and verify that the exception is still required.

Changes to the exception may only be requested by the system ownerA full-time UNLV employee who is responsible for the system, knows the function(s) of the system, authorizes access, knows who the data owners are, and understands what data the system stores, processes, or transmits. or a documented designee appointed by the owner.


Frequently Asked Questions:

Is it okay to keep my password on a sticky note and keep it near my computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. as long as I do not share the note with anyone else?

If your password is in clear sight or can be readily found by someone else, you are in violation of the clause in the Acceptable Use of Computing and Information Technology Resources Policy that says “Each person may use only those computing and information technology resources for which he or she has authorization” and the statement “The access to and integrity of computing and information technology resources must be protected.” Even if it not your intention to share the password, leaving the password where it can be seen by an another person is providing unauthorized access to a computing resource.

Should I provide my username and password if asked to do so by someone from OIT?

No. OIT staff will never ask for your password. It is a violation of university policy for an OIT staff member to ask you to disclose your password. If logging in under your username and password is required to make a change or troubleshoot a problem an OIT staff member will avert their eyes as you log in then assist you.

Impersonating an IT staff person is a common ploy used by identity thieves to gain access to password-protected informationInformation provided at the direction of UNLV or to which access was indirectly obtained in the course of contractor's performance of services, that: is an education record, protected health information, or personally identifiable information; identifies any individual (by name, signature, address, telephone number, email address, or other unique identifier); can be used to authenticate any individual (including, but not limited to, any employee identification number, Social Security number, driver's license number or other government-issued identification number, passwords or PINs, biometric or health data, answers to security questions, or other personal identifiers); or, includes credit card, debit card, or other financial information. UNLV business contact information is not, by itself, protected information. . If an OIT staff member or someone claiming to work for OIT asks for your password, please decline to provide the information and call the IT Help Desk at ext. 5-0777 or email ithelp [at] unlv [dot] edu to report the incident.

What happens if I violate the policy?

The normal processes:

For students - It is a violation of the UNLV Student Conduct Code to engage in actions that are contrary to university policy. Violations of provisions in the Acceptable Use Policy would be considered a Student Conduct Code violation and would be handled in accordance with the procedures outlined in the Student Conduct Code and overseen by the Office of Student Conduct. More details about those procedures are available at: http://studentconduct.unlv.edu/students/

For academic and administrative faculty - It is a violation of the Standards of Conduct contained in Title 2, Chapter 6, Section 2.2 of the Nevada System of Higher Education (NSHE) Code to engage in actions that are contrary to university policy. Violations of provisions in the Acceptable Use Policy would be considered a violation of the Standards of Conduct and would be handled in accordance with the procedures outlined in Chapter 6 of the NSHE Code and overseen by the Office of General Counsel. More details about those procedures are available at: http://www.unlv.edu/sites/default/files/24/HR-PDF- Chapter6Title2NSHECode.pdf

For classified staff - It is a violation of the Prohibitions contained in the UNLV/ NSHE Prohibitions and Penalties: A Guide for Classified Staff document to engage in actions that are contrary to university policy. Violations of provisions in the Acceptable Use Policy would be considered prohibited activity and would be handled in accordance with procedures outlined in the Prohibitions and Penalties document and overseen the Office of Human Resources. More details about those procedures are available at: http://www.unlv.edu/hr/policies/disciplinary-action

What if I deleted or corrupted information by mistake (unintentionally)

In the event that information was deleted by mistake every effort should be made to retrieve the deleted information from available backup systemsDevices and applications accessed via the network.. In the event that information contained on a university system assigned to you was found to be corrupt an effort would be made to determine how the corruption occurred. If you were directly responsible for the corruption, you would be in violation of the policy. If the corruption was the result of malicious activity by someone not authorized to access the system (e.g., malware, computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. virus), the system will be cleaned and protections put in place to prevent further incidents.

If information that should not be deleted continues to be deleted or files continue to be corrupted, you will be provided instructions on how to prevent future occurrences. If the issues continue, your supervisor will be notified and asked to assist with prevention efforts.

Can I allow someone who isn't a student at UNLV to use my ACE account to access a computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. lab?

No. You are not permitted to share either your UNLV identification card to assist another individual in gaining physical access the computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. lab nor your ACE account login information to gain access to lab resources. UNLV computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. labs are solely intended to support the academic computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. needs of UNLV students. Use of UNLV computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. labs is restricted to UNLV students with a valid UNLV identification card and ACE accounts are only to be used by the person to whom they are issued. Each student signing up for an ACE account accepted a formal agreement stating that they will not share their account with anyone else.

My wife is not a student. Can I share my password with her so that she can look for a job while I'm in class?

No. Only you are authorized to use your account with UNLV computing resources. Additionally, sharing your login information violates the university’s Password Policy, which states that passwords must not be shared. https://oit.unlv.edu/about-oit/policies/password-policy

In my networking class, we've been talking a lot about WireShark. Can I use it to "snoop" dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. on the school networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices.?

No. The use of networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices. packet analyzers to intercept, monitor or retrieve any university networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices. communications without authorization is not permitted. (Policy Sec 2.g)

Can I copy any of the applications on Macs so I can use them on my MacBook from home?

No. Software should not be copied or transferred from a university computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such.. Please check the OIT Website for the list of free and discounted software and for instructions on how to obtain them. (Policy Sec 4.c)

Isn't it my own personal right if I choose to share and/or participate in music and movie sharing from on-campus, since I pay a fee to use the networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices. resources.

By using a resource, you are accepting the terms and conditions of using that resource, including any applicable policies. This instance not only potentially violates the Acceptable Use Policy, but it also the university Digital Media and CopyrightAs defined by U.S. Copyright Office - Circular 1 entitled "Copyright Basics" - "Copyright is a form of protection provided by the laws ofthe United States (title 17, U. S. Code) to the authors of 'original works of authorship,' including literary, dramatic, musical, artistic, and certain other intellectual works. This protection is available to both published and unpublished works." Compliance Policy and federal law. Students, employees or other networkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices. users are responsible for knowing their legal rights for sharing files, including music, videos, pictures, books, etc., as both potential creators and/or distributors of such works.

Why can't I give out my password to my coworkers because OIT is coming to work on my computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. and I won't be in when they are here?

Sharing passwords is a violation of the policy. Via the OIT Service Account and Active Directory installed on many computersAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such., OIT technicians are able to work on a computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. in the user’s absence. If the user has disabled those accounts or the computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. does not have the accounts, the user must be present for the computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such. to be repaired. Once the user is available and is able to log into the machine, OIT technicians will be able to work on the computerAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such..

I have a laptop with everyone's personally identifiable dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. on it that I use to work from home. Can I still have that dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. on my laptop?

Sensitive, personal informationAny information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)] Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed. (e.g., education, financial transactions, medical history, information that can be used to distinguish or trace the individual’s identity) should be stored on and accessed only from a secure server. When not on campus, users should use the Virtual Private NetworkAn underlying infrastructure of cabling, equipment, and management software that electronically transmits and directs the flow of information among devices. (VPN) to log into the server: https://oit.unlv.edu/vpn

A classmate has access to an application and I don't. Who do I contact to gain access to the application in question?

If the resource is specific to a class the best person to ask first is the instructor for the class. If they are unable to assist you, contact the IT Help Desk and submit a help request. The IT Help Desk will assign a specialist to your case and that individual will work with you directly to figure out what needs to be done to complete your request.

If I use RebelMail, which is a Google resource, are my emails subject to inspection by UNLV technology staff?

First, UNLV staff will not inspect your email without a written request and authorization from the University President, the vice president or cabinet-level official (e.g., Athletic Director) in your reporting structure, the Director of Human Resources, General Counsel, or, in the case of students, the Director of the Office of Student Conduct. Authorization may be based on a criminal subpoena, civil litigation discovery, allegation of professional misconduct, or even a Freedom of Information Act request.

It is important to understand that you have no “reasonable expectation of privacy” with respect to your University email. In the UNLV mail (unlv.edu) domain, UNLV will subscribe to Google Vault in order to support the above requests.

Google Vault will store all incoming and outgoing mail even if immediately deleted and will provide a search engine to facilitate the discovery of relevant messages. Google Vault will not be purchased for Rebelmail. While the current contents of your Rebelmail account can be accessed by the University under the conditions listed above, accessing mail that has been deleted will require that Google honor a subpoena.

I sometimes download copies of Freeware and Shareware. Is this allowed, as I have not really been authorized by anyone?

As long you comply with OIT's Software Licensing Policy and abide by the software manufacturer's End User License Agreement (EULA), you are allowed to install freeware and/or shareware licensed software on UNLV owned computersAny university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such..

Can I store my work files in Google Drive or other Google Apps?

As a customer of Google’s “Apps for Education”, UNLV has entered into agreements with Google regarding the way they protect our dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy.. These agreements ensure compliance with federal regulations such as FERPA and HIPAA when the dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. is used in conjunction with what Google defines as the “core apps”.

For HIPAA protected dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy., the core apps that allow storage of Protected Health InformationHas the meaning set forth in the Health Insurance Portability and Accountability Act of 1996 and any subsequent amendments (HIPAA, codified at 42 U.S.C. 1320(d); Protected data definition at 45 C.F.R. § 160.103). (PHI) are: Gmail, Google Drive (including Docs, Sheets, Slides, and Forms), Google Calendar, Google Sites, and Google Apps Vault.

For FERPA protected dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy., the core apps that are compliant are: Gmail, Google Drive (including Docs, Sheets, Slides, and Forms), Google Calendar, Google Sites, Google Classroom, Google Contacts, Google Groups, Google Talk/Hangouts and Google Vault.

Users should be aware that although they may have access to other Google services outside these core apps (e.g. YouTube, Google+, Picassa, etc.), these “non-core” apps are not approved for the storage or transmission of dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. protected by state or federal regulations. Also, federal Export Control Act prohibits the storage of some kinds of information, including some research findings, outside the borders of the United States. Google cannot guarantee where any file will be stored. Therefore, this type of dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. should not be stored in any Google App.

Can I put my work files in other cloud storage providers, such as Dropbox, Box, or any of the other ones?

A number of federal statutes govern the transmission and storage of dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy., including HIPAA, for healthcare dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy., FERPA for academic records, and the GLB act for financial dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. associated with student loans. Unless your department/unit has entered into a formal agreement covering protected dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. with any of these cloud storage providers, there is no guarantee that they will treat compliance protected dataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. in a way that satisfies state or federal regulations. In addition, the federal Export Control Act prohibits the storage of some kinds of information, including some research findings, outside the borders of the United States. The majority of these services will not guarantee where any file will be stored. DataThe observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy. protected by any of the above legislation should not be stored in “cloud services” such as Dropbox. OIT will work with you to provide file storage solutions that meet compliance requirements. If you have a need for this type of storage contact the IT Help Desk.