Policy Number: 180

Acceptable Use of University Information Resources

Subject:

Information Resources

Scope:

This policy applies to all users of university information resources.

Date Reviewed: August 2011

Responsible Office: Information Technology

Responsible Executive: Vice President and Chief Information Officer

I.     POLICY AND GENERAL STATEMENT

The University of Texas Health Science Center at Houston (“university”) relies on University Information Resources to conduct university business and achieve the university’s mission. University Information Resources must be used appropriately to ensure their availability and preserve their integrity and confidentiality so the university can meet its academic, research and clinical commitments and goals. Federal and state laws and regulations, The University of Texas System (UT System) policies and university policies also require appropriate use and adequate protection of University Information Resources.

All users are responsible for using and protecting University Information Resources appropriately and in accordance with this policy.

II.     DEFINITIONS

University Information Resources – All University Information and all software, equipment, facilities and devices that are designed, built, operated and maintained to create, collect, record, process, store, retrieve, display and transmit University Information.

Examples:

Applications, web sites, software programs, servers, personal computers, notebook computers, netbook computers, personal digital assistant (PDA), pagers, mobile phones, USB flash drives, external hard drives, CDs, DVDs, backup tape, telephones, fax machines, routers, switches, cabling, network attached data storage, printers, network attached or computer controlled medical and laboratory equipment. Examples are not limited to items purchased or leased by the university.

University Information: All information residing on University Information Resources or held in any other computer, device or other information resource on behalf of the university. This includes, but is not limited to:

User – Anyone who requires and is granted access to university information resources.

Examples:

Faculty, students, residents, staff, alumni, retirees, continuing and distance education students, researchers, principal investigators, visiting faculty, observers, volunteers, business partners, affiliate hospitals and clinics, contractors, vendors and consultants.

Confidential Information – Information that must be protected from unauthorized disclosure or public release based on state or federal law, such as the Texas Public Information Act and other constitutional, statutory, judicial, and legal agreement requirements. 

Peer-to-peer File Sharing Software – Computer software, other than computer and network operating systems, that has the capability of allowing the computer on which the software is used to designate files available for transmission to another computer using the software, to transmit files directly to another computer using the software, and to request transmission of files from another computer using the software.

Examples of peer-to-peer file sharing software include, but are not limited to:

KaZaA, BitTorrent, Gnutella, eDonkey, eMule, Direct Connect, Vuze, Ares.

Virtual Machine – A software implementation of a machine (i.e., a computer) that executes programs like a physical machine.

III.     PROCEDURE

A. Ownership and Access to University Information Resources; No Right to Privacy

All University Information Resources are the property of the university and subject to this policy and all other applicable university and UT System policies. All University Information Resources created and or retained by the User is subject to this policy, even if the University Information Resource is created, stored, processed and/or transmitted on the User’s or another’s personal computer, smart phone, e-mail account, or other personal device or other non-university owned website.

All University Information Resources are subject to access and/or monitoring by the university. All System Information Resources are subject to access and/or monitoring by UT System without notice for any purpose consistent with the duties or mission of the institution including, but not limited to responding to public information requests, court orders, subpoenas or litigation holds; and conducting University Information Resource related maintenance, as well as inventories and investigations related to the duties and missions of the university.

B. Procedure

Users of University Information Resources must comply with this policy

Users are required to formally acknowledge they will abide by this policy. All  access to University Information Resources is subject to this policy. Failure to agree to and abide by this policy will result in termination of User’s access to University Information Resources.

Users are required to complete initial and recurring information security awareness training or access to University Information Resources will be terminated.

Users must report any identified weakness in university computer security and any incident of possible misuse or violation of this policy to the Information Security department by e-mail (its@uth.tmc.edu) or phone (713-486-2227), to the Help Desk by phone (713-486-4848), or by calling the compliance hotline (888-472-9868).

Users who fail to comply with this policy are subject to disciplinary action up to and including termination of employment, professional or business relationship, or dismissal from school. In some instances of non-compliance civil remedies or criminal penalties may apply.

Users’ access may be disabled (via account or connection) at the university’s sole discretion if required security software is not installed on a User’s computer or device, or if activity indicates the computer or device may be infected with a virus, malware, be party to a cyber attack or may endanger the security of university information resources.  Access may be re-established once the computer or device is determined to be safe by the Information Security department.

Incidental Use

  1. Users must use University Information Resources for university business only and not for personal use except for appropriate incidental use (Incidental Use) in accordance with this policy.
  2. Users have no expectation of privacy with regard to personal information that they elect to store on any University Information Resource. The User’s university e-mail accounts and other University Information Resources should not be used for personal e-mail or other correspondence that is or User may consider to be confidential to User or others.
  3. Incidental Use must not interfere with normal performance of User’s duties as an employee or, in the case of non-employee Users, the purpose for which User was granted access to University Information Resources. 
  4. Access to or storage of sexually explicit materials as part of Incidental Use is prohibited at all times.
  5. Incidental Use is permitted by the User only and does not extend to family members or others.
  6. Incidental Use may never include use for the conduct a personal business or political activity.
  7. Storage of any files, e-mails, documents, text messages, voice mails or other information for Incidental Use must be nominal. 
  8. Incidental Use must never result in a direct cost to the university and must not expose the university to unnecessary risk.
  9. Users must not use their university e-mail account to send personal commercial advertising, nor may they post personal commercial advertising on university web sites.

General Practices

  1. Users must not use their university e-mail account to send e-mail that is likely to contain computer viruses, “chain letter” e-mail or “broadcast” e-mail (unsolicited e-mail to large groups).
  2. Users must not use University Information Resources to: engage in acts against the mission and purposes of the university; intimidate or harass other Users; alter, damage or degrade the performance of university or other information resources; circumvent computer information security safeguards.
  3. University Information Resources must not be used to conduct a personal business or used for the exclusive benefit of individuals or organizations that are not part of The University of Texas System.
  4. Obscene, pornographic or other offensive material or topics intentionally accessed, created, stored or transmitted using university information resources is permitted only in the course of academic research as approved by the IRB.  The researcher must provide documentation of this aspect of the research to  the Chief Information Security Officer (CISO) so it can be included with the internet logs that are regularly provided to the Triage Team for review. Offensive materials include, but are not limited to materials that might offend a reasonable person on the basis of their race, gender, age, national origin, sexual orientation, religious belief, disability or other status protected by law. 
  5. Users must comply with U.S. Copyright Law and the Software Copyright Compliance Policy. Users must not download, copy, reproduce or use any software protected by copyright, including electronic media or files (e.g. e-books, music, photos and videos) except as expressly permitted by the software license. Users may not use unauthorized copies or reproductions on University Information Resources. For information on Copyright, including fair use, creating multimedia and other topics, view UT System's Copyright Crash Course.
  6. Users must use caution and exercise due diligence when communicating information about the university to non-Users through electronic means such as e-mail, text messages, chat rooms, virtual worlds, blogs, wikis, social networks, etc.
  7. Users must not disclose confidential information or other information that would, by itself or together, put the university at risk of legal, reputation or other damages including physical or information security breaches.
  8. Users must not give the impression they are representing, giving opinions or making statements on behalf of the university unless authorized. When appropriate, users should use a disclaimer stating the opinions expressed are their own and not necessarily those of the university.

E-mail and Internet Use

  1. University provided e-mail addresses and Internet designations are the property of the university.
  2. Employees must conduct university business using university e-mail accounts, not personal or non-university e-mail accounts. Confidential information in e-mail must be encrypted.
  3. Users’ e-mail and Internet activity are subject to logging and review for purposes related to the university’s mission and duties.
  4. Users must not use their university e-mail address to subscribe to e-mail lists or e-mail services strictly for personal use.
  5. Users must not use university e-mail for purposes of political lobbying or campaigning except as permitted by The University of Texas System Regents' Rules and Regulations.
  6. Users must not read another User's university e-mail unless authorized to do so by the owner of the e-mail account, or as authorized by the Triage Team for investigation, or as necessary to maintain services.
  7. Users must not impersonate the identity of another User by sending communication from that User’s university e-mail account, except when authorized to do so by the owner of the e-mail account.
  8. Only the Office of Institutional Advancement or designated positions at each school or unit are authorized to send broadcast e-mail.

Access to University Information Resources

  1. Access to University Information Resources must be on a need to know basis and must be granted using the rule of least privilege; all Users must only have access to the resources they need to perform their job responsibilities.
  2. Users must not deprive other Users from or obtain extra access to University Information Resources beyond those assigned.
  3. Users must not disclose, modify, delete or destroy University Information unless authorized.

Passwords and Access Codes

  1. Passwords and password use must comply with the Password Policy to access University Information Resources.
  2. Users must not share passwords or similar information or devices used for identification and authorization purposes, such as digital certificates, security tokens, smart cards, etc. Each User is responsible for all activities conducted using his or her account(s) to access University Information and/or University Information Resources.
  3. Users must not circumvent entering their password through use of auto logon, application “remember password” features, embedded scripts or hard-coded passwords in client software to access University Information Resources.

Security and Protection of University Information Resources.

This section applies to all computers and other devices or systems upon which University Information Resources are maintained regardless of whether the device or system is owned by the university.

  1. Portable devices must be used in accordance with the Portable Storage Device Policy and Laptop Security Policy.
  2. Password protected screen locking must be enabled and set to activate in 15 minutes or less on all computers, laptops and portable devices, where technologically possible. Screen locks must be manually activated by the User when left unattended.
  3. Laptops, portable devices and media must be physically secured when unattended.
  4. Laptop hard drives and other portable devices and media must be encrypted in accordance with the Portable Storage Device Policy and Laptop Security Policy.
  5. Computers and laptops that connect to the university network must be protected by current, updated and functioning security software, which includes virus protection software and may include firewall, host intrusion protection or other security software as specified by the Information Technology department. Required security software must not be disabled or bypassed except as required by the installation of software or for other special circumstance or procedure that requires the temporary disabling of such software.
  6. Users must not alter the configuration of any University Information Resource without authorization from the Information Technology department. This includes, but is not limited to: adding, removing or modifying hardware, software or operating systems, including peer-to-peer file sharing software or virtual machines.
  7. Peer-to-peer file sharing software must not be used except when required to conduct university business and when specifically authorized by the Information Technology department. It must not be used inappropriately, such as in violation of U.S. Copyright Law or other applicable laws or policies. When configured incorrectly, maliciously or used inappropriately, peer-to-peer file sharing software presents a high risk for security breaches often resulting in inappropriate information disclosure and/or loss of information integrity, and can severely reduce availability of University Information Resources.
  8. Security programs or utilities that reveal or exploit weaknesses in the security of a system or that reveal information by circumventing established authorization procedures or controls must not be downloaded or used, except as authorized by the CISO. Examples of such items include password cracking programs, packet sniffers and port scanners.

Confidential Information

  1. Users must not disclose confidential information except to authorized parties as required to accomplish authorized functions in support of university business.
  2. Confidential information must be stored in Zone 100, the university’s network zone with the highest level of security. For circumstances in which university business requires that a User save confidential information to a portable device or media, it must be in accordance with the Portable Storage Device Policy and Laptop Security Policy and comply with any policy the system (information) owner may have communicated (see HOOP 175, Section III(B)). The user should consult with his or her information technology department to ensure appropriate data protection measures are taken to guard against unauthorized disclosure and loss of availability or integrity of the information.
  3. Confidential information that must be e-mailed to conduct university business must be sent using a university e-mail account and must be encrypted in accordance with the university’s Acceptable Encryption Policy.
  4. Confidential information transmitted over external networks must be encrypted in accordance with the university’s Acceptable Encryption Policy.
  5. Confidential information transmitted over wireless networks must use approved wireless transmission protocols and be done in compliance with the Wireless Network Security Standards.

IV.     CONTACTS

ContactTelephoneEmail/Web Address
IT Risk and Compliance Manager 713-486-3608

itcompliance@uth.tmc.edu