Policy Number: IT.22.214.171.124
Category: Information Technology
Responsible Unit: Information Technology Services
Effective: December 31, 2019
Last Revised Date: April 14, 2021
Revision History: Originally effective August 13, 2016; major revision March 27, 2017; major revision December 31, 2019; minor revision April 14, 2021
Review Date: December 30, 2022
Purpose and Scope
- The purpose of this Policy is to establish the rules that govern the use of the devices and information systems at West Virginia University, West Virginia Institute of Technology, and Potomac State College of West Virginia University (“University Technology Resources”) to ensure both the protection of University Data and compliance with University policies and applicable laws and regulations.
- This Policy applies to all individuals granted access to University Data and/or University Technology Resources (“Authorized Individuals”), including systems and services provided by third-parties, personally-owned, and publicly provided devices that connect to the Campus Network.
University Data And University Technology Resources
- University Data must be maintained pursuant to the Record Retention Policy and Schedule.
- Pursuant to the Sensitive Data Policy, information the University considers Sensitive Data must only be retained within an approved University Technology Resource and must never be accessed or downloaded to a personal device.
- Electronic University Data that does not require retention (“Incidental Records”) must only be retained for as long is necessary to complete the action or resolve the issue that is the subject of the record.
- The University will provide the use of University Technology Resources to Authorized Individuals as the primary means to create, store, send, or receive University Data.
- Employees may not use University Technology Resources for political purposes in violation of the University and its affiliates’ tax-exempt statuses; for their own private gain in violation of any state or federal ethics law; or to libel, slander, or harass another person.
- Access to University Technology Resources and University Data will be based on Least Privilege or on a need-to-know basis depending on the individual’s job responsibilities.
- Use of another person’s WVU Login credentials to access University Technology Resources and/or University Data is strictly prohibited.
- The University will monitor University Technology Resources and their use when necessary for operational needs and to ensure compliance with applicable laws and University policies and standards.
- When the University receives a Freedom of Information Act request, subpoena, litigation, or other similar request for information or documents, it will take necessary measures to access University Technology Resources in order to obtain the requested University Data and comply with its legal obligations.
De minimis personal use of University Technology Resources is permitted
provided the use does not:
- Consume more than a trivial amount of resources that could be otherwise used for University academic, administrative, research, or outreach purposes;
- Interfere with worker productivity;
- Preempt any University activity; or,
- Promote or result in a hostile work or academic environment.
- Authorized Individuals who use University Technology Resources are advised that they should have no expectation of privacy or confidentiality in connection with anything they create, store, send, or receive on University Technology Resources, including de minimis personal use of these resources.
- De minimis use of personally owned devices to create, store, send, or receive University Data is permitted pursuant to the requirements within the Bring Your Own Device Standard.
- The University is bound by the contractual and licensing agreements it has entered; therefore, all members of the University utilizing such resources (e.g., software) are also expected to comply.
- The University community must respect the rights of ownership of intellectual property and adhere to United States copyright laws.
- The University Technology Resources provided by the University are shared widely and are limited. Any use of automated processes to gain technical advantage over others at the University is prohibited.
- Frivolous, excessive, or inappropriate use of University Technology Resources by one person or a group of people that adversely affects the Campus Network and/or the ability of others to legitimately utilize such resources is strictly prohibited.
- The University will limit use of resources through quotas, time limits, and other mechanisms should an individual and/or group of people exhibit a continued pattern of adversely affecting University Technology Resources.
Responsibilities Of Authorized Individuals
- Individuals authorized to use University Technology Resources and/or access
University Data are responsible for:
- Adhering to, and maintain all University Technology Resources according to, established University policies, standards, and procedures;
- Adhering to all applicable international, federal, state, and local laws
and regulations, including, but not limited to, those that pertain to
the use, copy, and distribution of:
- Protected health information;
- Educational records;
- Covered financial information; and,
- Music, videos, games, images, texts, sound files, film clips, trademarks, logos, and other media.
- Adhering to the contractual and licensing agreements to which the University has entered related to use of third-party resources (e.g., software) and require each individual using the resource to comply;
- Only using University Technology Resources and/or accessing University Data for the purpose for which access has been granted;
- Securing WVU Login credentials to prevent unauthorized access;
- Being held accountable for all activities conducted under their Authentication;
- Securing University Technology Resources and University Data appropriately;
- Using good judgement and common sense, exercising decency, and being professional and respectful;
- Respecting the rights and privacy of others;
- Acknowledging the finite capabilities of University Technology Resources and limiting use to only consume the reasonable amount required to carry out activities;
- Using the University’s marks (e.g., trademark, logo) only as authorized; and,
- Never representing personal comments as being those of the University.
- Individuals authorized to use University Technology Resources and/or access University Data are responsible for:
Unacceptable Use Of Technology Resources And Data At The University
- University Data and Technology Resources must never be subject to Unacceptable
Use, which means the following:
- Activities that may permit unauthorized access to University Technology Resources and University Data, including leaving Devices unsecured or sharing WVU Login credentials;
- Storing University Data in an unsecure location;
- Failing to destroy University Data when it is no longer needed (e.g., shredding printouts, erasing magnetic media);
- Disrupting or endangering University Technology Resources and University Data by bypassing, subverting, or otherwise rendering ineffective the security controls implemented;
- Altering, moving, or removing software, system logs, configuration files, or other files needed for the operation of a University Technology Resource;
- Unauthorized downloading or distribution of copyrighted materials;
- Intentionally, recklessly, or negligently causing damage by any means to University Technology Resources and/or University Data;
- Deliberate unauthorized altering, moving, or destruction of University Data or University Technology Resources;
- Sending unsolicited, disruptive messages (e.g., spam, junk mail, chain letters);
- Intercepting another individual’s transmissions;
- Conducting unauthorized commercial or personal business activities including sending personal email that may be construed by the recipient to be from the University, operating a personal business, political lobbying, or endorsement of political candidates; and,
- Intentionally transmitting, receiving, accessing, printing, or storing any communication or content of a defamatory, discriminatory, harassing, obscene, or sexually explicit nature in violation of federal or state laws and regulations or Board of Governors Rule 1.6.
- Additional examples of Unacceptable Use can be found within Exhibit A of this Policy.
- University Data and Technology Resources must never be subject to Unacceptable Use, which means the following:
- “Authorized Individuals” means faculty, staff, students, and others who have assigned WVU Login credentials which provides them access to University Data and Technology Resources such as retirees, consultants, presenters, camp attendees, or vendors.
- “Least Privilege” means granting the minimum system resources and authorizations needed to perform its function or restricting access privileges of Authorized Individuals to the minimum functions necessary to perform their job.
- “University Technology Resources” means the Campus Network, University-owned
hardware, software, and communications equipment, technology facilities,
and other relevant hardware and software items, as well as personnel tasked
with the planning, implementation, and support of technology. University
Technology Resources can be broken into the following categories:
- Campus Network means the wired and wireless components and University Technology Resources connected to the network managed by the University. Excludes residence halls, University public/private partnerships, and other relationships the University may establish with institutions, including the City of Morgantown and WVU Medicine, through which the University provides IP addresses but does not manage the network.
- Device means a server, computer, laptop, tablet, or mobile device used to enter or access University Data from a University Information System.
- University Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the University, whether operated and managed by the University or a third-party vendor.
- “University Data” means anything that contains information regarding the University made or received in connection with its operations, regardless of whether it is a hard copy or electronic, and includes, but is not limited to, written and printed matter, books, drawings, maps, plans, photographs, microforms, motion picture films, sound and video recordings, e-mails, computerized or other electronic data on hard drives or network drives, or copies of these items. See Record Retention Policy and Schedule.
Enforcement And Interpretation
- Any employee who violates this Policy will be subject to appropriate disciplinary action.
- Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
- Any individual affiliated with the University who violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
- The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
- Responsibility for interpretation of this Policy rests with the Chief Information Officer.
Authority and References
- BOG Rule 1.11 – Information Technology Resources and Governance
- All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to: