Acceptable Use of Data and Technology Resources Policy
Policy Number: IT.1.1
Category: Acceptable Use
Effective: March 27, 2017
Revision History: Originally effective August 13, 2016
Review Date: March 26, 2020
PURPOSE AND SCOPE
- Purpose . The purpose of this policy is to establish the acceptable use of West Virginia University (WVU) technology and data resources, which are provided to faculty, staff, students and third-parties to advance the mission of academics, research and community outreach.
- Scope . This policy applies to all University staff, faculty, and students as well as any third-parties who store, use, transfer, transport, produce or dispose of technology and data resources owned or managed by WVU.
. Conducting activities on WVU data and technology resources by authorized
individuals for the purpose for which access was granted and does not disrupt
operations and is not otherwise prohibited or considered unacceptable use
under this policy is considered acceptable use.
- Users of WVU data and technology resources must adhere to all applicable WVU policies, standards, procedures, contracts and licenses, as well as applicable federal, state and local laws and regulations.
- WVU data and technology resources shall only be used by authorized individuals for the purpose for which access was granted. Access to WVU data and technology resources must be based on least privilege or on a need-to-know basis depending on the individual’s job responsibilities.
- Incidental personal use of technology resources, not including data resources,
is permitted; however, users of WVU technology resources are advised
that they should have no expectation of privacy or confidentiality in
connection with the personal use of these resources. Personal use is
only permissible if the use does not:
- Consume more than a trivial amount of resources that could be otherwise used for business purposes.
- Interfere with worker productivity.
- Preempt any business activity.
- Promote or result in a hostile work or academic environment.
- The University reserves the right to monitor technology resources and the use of technology resources for operational needs and to ensure compliance with applicable laws and WVU policies and standards. To that end, users should have no expectation of privacy in anything they create, store, send or receive on WVU data and technology resources.
- When the University receives a Freedom of Information Act request, subpoena, litigation or other similar request for information or documents, it will take necessary measures to access WVU data and technology resources in order to comply with its legal obligations.
Unacceptable Use. Any unauthorized use of WVU data and technology
resources or any use that disrupts or endangers WVU data and technology.
The following constitutes unacceptable use:
- Exposing University data and technology resources to unauthorized access
through means that include, but are not limited to, the following:
- Leaving the means of authentication in a location where it can be readily obtained by another individual (e.g., writing one’s password on a note affixed to one’s monitor or keyboard).
- Stepping away from a computer without securing it in some fashion (e.g., locking it with a screen saver or logging out).
- Sharing a personal password or other means of authentication with another individual.
- Providing another person access to University technology and data resources under your authentication.
- Failing to secure files containing Social Security numbers or credit card information as outlined in the Sensitive Data Protection Policy.
- Failing to secure files containing confidential or limited access data resources. Such files might include, but are not limited to, personally identifiable information (PII); credit card holder data; and any information associated with a federal, state or third party mandate such as FERPA, HIPAA or PCI-DSS.
- Failing to secure media containing confidential or limited access data resources when it is no longer needed (e.g., shredding printouts or erasing magnetic media).
- Unauthorized access to or use of data or technology resources through means
that include, but are not limited to, the following:
- Using another person’s credentials to gain access to University technology or data resources.
- Using University technology and data resources to gain unauthorized access to resources of other institutions, organizations or individuals. This includes the unauthorized downloading of copyrighted materials as outlined in the Digital Millennium Copyright Act (PDF).
- Accessing confidential or limited access data resources for reasons unrelated to one’s job.
- Using false or misleading information to acquire access to University technology or data resources.
- Bypassing, subverting or otherwise rendering ineffective, the security or access control measures for any University technology or data resource.
- Unauthorized destruction, damage, disruption or impairment of University
technology or data resources through means that include, but are not
limited to, the following:
- Intentionally, recklessly or negligently damaging any technology or data resource by any means (e.g., introducing malicious software into a computer system).
- Altering, moving or removing software, system logs, configuration files or other files needed for the proper operation of a computer system without prior authorization.
- Using any technology or data resource in a manner that adversely affects the work of others.
- Unauthorized commercial activities, including, but not limited to, the
- Using University technology or data resources for one’s own commercial gain or for other commercial purposes not expressly approved by the University.
- Using University technology or data resources to operate or support a personal or other non-University- related business.
- Use of University resources in a manner inconsistent with the University’s contractual obligations to suppliers of those resources or with any published University policy.
- Unauthorized activity by WVU employees (administrators, faculty and staff), includes, but is not limited to, inappropriate use of WVU-owned or operated technology systems to transmit, retrieve, access, print or store any communication or content of a defamatory, discriminatory, harassing, obscene or sexually explicit nature. Enforcement of this unauthorized activity must be followed in conjunction with other WVU policies, procedures or guidelines that govern appropriate workplace conduct and behavior.
- All users of WVU data and technology resources are expected to use good
judgment and exercise decency and common sense. This includes, but is
not limited to, the following:
- Using WVU data and technology resources in a lawful and appropriate manner.
- Respecting the rights and privacy of others.
- Maintaining WVU data and technology resources in an appropriate manner (e.g., using anti-virus software, patching operating systems and applications and using authentication for all technology resources).
- Using the University’s marks (e.g., trademarks, logo) only as authorized and not representing personal comments as being those of the University.
- Exposing University data and technology resources to unauthorized access through means that include, but are not limited to, the following:
- Acceptable Use . Conducting activities on WVU data and technology resources by authorized individuals for the purpose for which access was granted and does not disrupt operations and is not otherwise prohibited or considered unacceptable use under this policy is considered acceptable use.
- Authorized individuals: Faculty, staff, students and third-parties who have assigned WVU Login credentials which provide access to WVU data and technology resources.
- Credit card information: In addition to the credit card number, this data can also include the card holder’s name, address, Social Security number (SSN) or any other PII stored on the credit card.
- FERPA: The Family Educational Rights and Privacy act of 1974 is the federal law that governs access to educational information records.
- HIPAA: The Health Insurance Portability and Accountability Act of 1996, under Title 2, requires the establishment of policies and guidelines for maintaining the privacy and security of individually identifiable health information.
- PCI-DSS: Payment Card Industry Data Security Standards are the standards developed by the major credit card issuers (Visa, Mastercard, American Express, Discover and JCB) on merchant responsibilities for processing credit card transactions.
- Personally identifiable information (PII): Data that identifies the individual including, but not limited to, Social Security numbers, driver’s license numbers, credit card numbers, bank account information, employee performance or salary information, student grades, disciplinary information or account passwords.
- WVU third-party: An individual or an entity that has an affiliation with WVU (e.g., retirees, consultants, presenters, camp attendees, vendors).
- WVU’s Chief Information Officer, supported by the Chief Information Security and Privacy Officer, will coordinate with appropriate University entities on the implementation and enforcement of this policy.
- Violation or non‐compliance of this policy will be addressed in accordance with established WVU disciplinary policies and procedures, as issued and enforced by the appropriate authorities. Failure to comply with this or other related standards may result in disciplinary action up to and including termination of employment or studies.
- All other University policies are also applicable to the electronic environment.
Relevant institutional policies include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- WVU FERPA Policies
- Sensitive Data Policy
- Digital Millennium Copyright Act (DMCA)
- Health Information Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI-DSS)
- Faculty Handbook
- Code of Student Rights and Responsibilities (Code of Conduct)
- WVU Talent and Culture Policies
- WV Higher Education Policy Commission Rules and Policies
- All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to:
Valid WVU credentials are required in order to view internal procedures.