Acceptable Use Policy

University of New Haven Policy No.: 7001, Revision 3. Effective Date: July 1, 2024.

PURPOSE

University of New Haven’s technology infrastructure exists to support the University and administrative activities needed to fulfill the University’s mission. Access to these resources is a privilege that should be exercised responsibly, ethically, and lawfully.

The purpose of this Acceptable Use Policy is to assist in protecting against unauthorized, illegal or damaging actions, committed either knowingly or unknowingly, by clearly establishing each member of the University’s role in protecting University information assets and communicating expectations for meeting these requirements. Fulfilling these objectives will enable University of New Haven to implement a comprehensive system-wide Information Security Program.

SCOPE

This policy applies to all students and staff of the University of New Haven when using any Information Technology Resources owned, managed, or otherwise provided by the University. For the purposes of this policy: (i) “Information Technology Resources” means any and all University of New Haven owned, licensed, or managed hardware, software, email domains, and related services, including without limitation the University’s physical, wired, or wireless network(s), regardless of the ownership of the computer or device connected to such network; and (ii) “staff” includes faculty, employees, contractors, consultants, temporary and other workers of the University of New Haven. Throughout this policy students and staff may be referred to collectively as “users,” and individually as a “user.”

This policy may reference other University policies or address similar subject matter. This policy does not supersede any other University policies, rather, it is supplemental to such policies. Students and staff are expected to be familiar with and comply with all University of New Haven policies relating to Information Technology Resources.

PRIVACY

University of New Haven protects the privacy of personally identifiable information as required by applicable law. Notwithstanding the foregoing, users of Information Technology Resources have no expectation of privacy with respect to any information or communications transmitted or stored via the University’s Information Technology Resources. When required by law, for example - in response to a judicial order or subpoena, or when otherwise legally permissible and reasonably necessary to protect or promote the legitimate interests of the University, the President, Board, HR, CFO or CIO may authorize a University of New Haven employee or authorized agent, to access, review, monitor and/or disclose data files and related information associated with an individual's account. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the University’s rules, regulations, or policy, or when access is considered necessary to conduct University of New Haven business due to the unexpected absence of two work days -- or sooner if determined by your vice president or dean--of a user or in response to health or safety emergencies.

POLICY

All students and staff are responsible for exercising good judgment regarding the appropriate use of Information Technology Resources in accordance with all University policies and standards, and applicable law and regulations. Use of Information Technology Resources for purposes related to University of New Haven’s mission take precedence over use of a more personal or recreational nature. Any use of Information Technology Resources that disrupts the University’s mission is prohibited.

Following the same standards of common sense, courtesy and civility that govern the use of other shared facilities, acceptable use of Information Technology Resources generally respects all individuals' right to be free from intimidation, harassment, and unwarranted annoyance. All users of University of New Haven’s Information Technology Resources must adhere to the requirements set forth below.

GENERAL USE OF INFORMATION TECHNOLOGY RESOURCES

Only authorized individuals are permitted to access the Information Technology Resources, and no individual acquires any ownership or privacy rights by virtue of using the Information Technology Resources.
Staff and students are responsible to promptly report any theft, loss, suspected malware or system intrusion, or unauthorized use or disclosure involving Information Technology Resources as described in the “Incident Reporting” section of this policy below.
Only software owned or licensed by University of New Haven may be installed on or used with hardware or devices owned by the University.
It is the responsibility of users to safeguard any hardware, devices, or equipment issued to them by the University against loss, theft, or damage. Users must not modify or alter any Information Technology Resources without the permission of the Associate Vice President & CIO.
All users are required to safeguard their individual network access credentials. Users must not facilitate use or access by non-authorized users by (among other actions) sharing their password or other login credentials with anyone, including other users, family members, or friends.
All users are required to comply with any password specifications imposed by the University including, without limitation, complexity requirements, character requirements, or time-limitations (i.e., password change requirements). Users must not base their passwords on something that can be easily guessed or obtained using publicly available information (e.g., names, favorite sports teams, etc.), or use the same password for non- University of New Haven access (for example, personal ISP account, social media, benefits, email, etc.) to access Information Technology Resources.
Staff must engage the lockout feature of any Information Technology Resources, such as devices, hardware or equipment, when they step away from the device or it is idle for an extended period of time to prevent unsupervised viewing or access to information. Devices, hardware, or equipment should never be left in an unattended area or vehicle.
When accessing the Internet, students and staff should assume all connections and sites visited, and that any communications, images, or files created, sent, received or stored via Information Technology Resources may be monitored and recorded by the University.
University of New Haven reserves the right to audit utilization of Information Technology Resources to ensure compliance with this policy and may terminate or restrict access to the Information Technology Services on an individual or group basis at any time, in its sole discretion.
Information Technology Resources are intended for University purposes. Users must not use Information Technology Resources for individual commercial use or personal gain.

PROHIBITED USE OF INFORMATION TECHNOLOGY RESOURCES

1. Fraudulent or Illegal Purposes.

The use of Information Technology Resources for fraudulent and/or illegal purposes is strictly prohibited. While using any of the University’s Information Technology Resources, a user must not engage in any activity that is illegal under local, state, federal, and/or international law. Users must not:

Violate the rights of any individual or the University involving information protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by University of New Haven;
Use in any way copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the user or the University does not have a legal license;
Copy or distribute another user’s files or personal information without their knowledge and consent;
Export software, technical information, encryption software, or technology in violation of international or regional export control laws; or
Make any fraudulent statements or misrepresentations with respect to or on behalf of the University for the purposes of inducing another party into a commercial or other transaction.

Any user who suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, should notify Office of Information Technology along with his/her manager or the Dean of Students if a student, immediately and/or report it as described below in this policy.

2. Harassment.

University of New Haven is committed to providing a safe and productive environment, free from harassment, for all users. For this reason, users must not:

Use Information Technology Resources to harass any other person via e-mail, telephone, or any other means; or
Actively procure or transmit material that is in violation of sexual harassment or hostile workplace laws or University policy.

If a user feels he/she is being harassed through the use of Information Technology Resources, the user should make a report to his/her supervisor or any department head. For students, report to the office of the Dean of Students.

3. Malicious Activity.

University of New Haven strictly prohibits the use of Information Technology Resources for malicious activity against other users, the Information Technology Resources themselves, or the information assets of other parties.

4. Objectionable Content.

University of New Haven prohibits the use of Information Technology Resources for accessing or distributing content that other users may find objectionable. Users must not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials considered to be:

Racist
Sexually explicit
Violent or promoting violence

5. Unauthorized Hardware or Software.

University of New Haven strictly prohibits the use of any hardware or software by staff that is not purchased, installed, configured, tracked, and managed by the University. Staff users must not:

Use personal flash drives, or other USB based storage media, without prior approval from their Associate Vice President & CIO; or
Take Information Technology Resources off-site without prior authorization. Devices such as Laptops and Mobile Devices are pre-authorized to be transported off-site.

In addition, all users must not:

Install, attach, connect or remove or disconnect, hardware of any kind, including wireless access points, storage devices, and peripherals, to any Information Technology Resources without the knowledge and permission of Information Technology Department; or
Download, install, disable, remove or uninstall software of any kind, including patches of existing software, to any Information Technology Resources without the knowledge and permission of the OIT Helpdesk.

6. Network & System Disruption.

The use of Information Technology Resources to cause disruption to the Information Technology Resource themselves, or to the hardware, software, devices and networks of any other person or entity is strictly prohibited. Users must not:

Perpetrate, cause, or in any way enable disruption of University of New Haven’s information systems or network communications by denial-of-service methods;
Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system;
Intentionally develop or use programs to infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system or network;
Circumvent user authentication or security of any host, network, or account;
Use a port scanning tool targeting either University of New Haven’s network or any other external network, or introducing honeypots, honeynets, or other similar technology to the Information Technology Resources, unless this activity is a part of the user’s normal job functions, such as a member of the Office of Information Technology, conducting a vulnerability scan, and faculty utilizing tools in a controller environment;
Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the user’s unless this activity is a part of the user’s normal job functions; or
Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access

7. Impersonation.

Users must not:

Circumvent the user authentication or security of any Information Technology Resources;
Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
Create and/or use a proxy server of any kind, other than those provided by University of New Haven, or otherwise redirect network traffic outside of normal routing with authorization;
Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another user’s password; or
Use any type of technology designed to mask, hide, or modify their identity or activities electronically.

8. Staff User Prohibitions.

In addition to the foregoing, staff users must not:

Use Information Technology Resources to stream video, music, or other multimedia content unless this content is required to perform the user’s normal business functions;
Utilize encryption devices or software without providing, upon request, the encryption keys to the Information Technology Department in order to perform functions required by this policy.
Use Information Technology Resources to play games or provide similar entertainment.

SPECIFIC USE CASES

CONFIDENTIAL INFORMATION

University of New Haven has both an ethical and legal responsibility for protecting confidential information in accordance with its Data Classification program. Users responsible for accessing confidential information of the University or another party must also be familiar and comply with the Data Classification program. The following rules, in conjunction with the Data Classification and other University policies regarding the confidentiality and data security, apply to the use and access of confidential information:

Transmission of confidential information (as defined in the Data Classification program) by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.) is prohibited, unless the transmission is encrypted and the user is explicitly authorized to send confidential/encrypted information.
Writing or storage of confidential information on mobile devices (phones, tablets, USB drives) and removable media is prohibited. Mobile devices that access confidential information will be physically secured when not in use and located to minimize the risk of unauthorized access.
All staff users must use approved workstations or devices to access the Information Technology Resources. Staff users are prohibited from using workstations or devices that are not owned by the University to store, process, transmit, or access confidential information. Accessing, storage, or processing confidential information on home computers or personal devices by staff users is prohibited.
Staff users must securely maintain all University-owned portable workstations or devices in their possession. Such equipment will be handled as carry-on (hand) baggage on public transport and must be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) and not in use.
Staff users are prohibited from accessing confidential information over public wi-fi or other unsecure networks.
Photographic, video, audio, or other recording equipment may not be utilized in secure areas—such as network closets and server rooms–without permission from the Associate Vice President & CIO.
All confidential information stored on University-owned workstations and mobile devices must be encrypted.
All users who use University-owned workstations must take all reasonable precautions to protect the confidentiality, integrity and availability of information contained on the workstation.
All users who move electronic media or information systems containing confidential information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft and unauthorized use.

MESSAGING AND ELECTRONIC COMMUNICATIONS

The University provides a robust communication platform for users to fulfill its mission. Users must not:

Harass any other person (see above);
Automatically forward electronic messages of any kind by faculty and staff, by using client message handling rules or any other mechanism;
Send unsolicited electronic messages in bulk, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);
Solicit electronic messages for any other digital identifier (e.g., e-mail address, social handle, etc.), other than that of the poster's account, with the intent to harass or to collect replies;
Forge email header information or use email header information in an unauthorized manner; or
Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.

REMOTE WORKING

When working remotely, in addition to complying with all other applicable University policies, staff users must:

Safeguard and protect any Information Technology Resources (e.g., laptops and cell phones) to prevent loss or theft;
Not utilize personally-owned computing devices for University of New Haven work, including transferring University of New Haven information to personally owned devices;
Take reasonable precautions to prevent unauthorized parties from utilizing Information Technology Resources or viewing University of New Haven information processed, stored, or transmitted with Information Technology Resources;
Not create or store confidential or private information on local machines unless a current backup copy is available elsewhere; and
Only use approved methods for connecting to the university (e.g., VPN).

The use of social media platforms by students and staff is governed by the University’s Social Media Policy, which is incorporated by reference into this Acceptable Use Policy.

ROLES AND RESPONSIBILITIES

University of New Haven reserves the right to protect, repair, and maintain the Information Technology Resources and network integrity. In accomplishing this goal, University of New Haven IT personnel or their agents who have access to users’ account information and stored data are obligated to maintain the confidentiality of such information, unless they are required to report a policy violation. Any information obtained by IT personnel about a user through routine maintenance of the university’s computing equipment or network is generally kept confidential, unless the information pertains to activities that are not compliant with this policy or other University policies.

INCIDENT REPORTING

University of New Haven is committed to responding to policy violations or security incidents involving Information Technology Resources. All users should report suspected violations of this policy or security incidents, including without limitation the loss, theft or inappropriate use of access credentials (e.g., passwords, key cards or security tokens), assets (e.g., laptop, cell phones), or other information, to the IT Service Desk and Public Safety. No user may prevent any individual from reporting a security incident or violation of this policy.

ENFORCEMENT

Enforcement is the responsibility of the university’s President or designee. Users who violate this policy may be denied access to information Technology Resources and may be subject to penalties and disciplinary action both within and outside of University of New Haven. The University may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the University or other Information Technology Resources or to protect University of New Haven from liability.

Staff users are subject to disciplinary rules described in the Employee Handbook, and other policies and procedures governing acceptable workplace behavior. Student users are subject to disciplinary rules described in the Student Handbook and Code of Conduct.

In addition to the foregoing, University of New Haven reserves the right to report certain violations of this policy to law enforcement authorities or to independently pursue legal action against users who violate this policy or expose the University to liability or other legal action.

EXCEPTIONS

Exceptions to the policy must be made in writing and may be granted by the Associate Vice President & CIO, or by his or her designee. All exceptions must be reviewed annually.

REFERENCES

The Gramm - Leach Bliley Act (GLBA)
Family Educational Rights and Privacy Act (FERPA)
New York State Information Security Breach and Notification Act
NIST 800-171
FIPS-199
PCI DSS 3.1
New York Civil Practice Law and Rules § 4509
Code of Ethics of the American Library Association

OWNERSHIP AND REVIEW

This document is owned by the Associate Vice President & CIO.

This document shall be reviewed on an annual basis.

Admissions Visit Opportunities