University of Maryland Baltimore (UMB)
Information Technology Acceptable Use Policy

Effective Date: 04/01/03

Purposes

The purposes of this policy are to state what constitutes the acceptable use, and what constitutes the misuse, of information technology resources at UMB and UMB Affiliates. This policy also states responsibilities and procedures for administering and enforcing this policy, reporting violations of this policy, and initiating disciplinary actions against those alleged to violate this policy.

Definitions

"Affiliate": an organization located at the UMB campus which has IT Resources connected to UMB IT Resources, or which has IT Resources used by Personnel; also an organization located elsewhere which provides IT Resources used by Personnel in the course of UMB employment or educational activities.

"Affiliate IT Resources": IT Resources that are owned by, or under the direction or control of, an Affiliate of UMB.

"CIO": the Vice President and Chief Information Officer of UMB.

"Information technology resources or IT Resources": information technology resources including, but not limited to, computerized information, computing facilities, systems and devices, network systems, resources and devices, software, e-mail systems, and web pages.

"IT Administrator": the administrator or academic officer of a UMB unit or school who, as determined by the applicable vice president or dean, is responsible for management and oversight of the UMB IT Resources and Affiliate IT Resources located in, or used by Personnel of, that unit or school.

"Personnel": all students, faculty, staff, visitors, and guests who use UMB IT Resources, on-campus or off-campus, or who use Affiliate IT Resources in the course of UMB employment or educational activities; also, employees of Affiliates who use UMB IT Resources to fulfill employment responsibilities.

"UMB": University of Maryland Baltimore.

"UMB IT Resources": IT Resources that are owned by, or under the direction or control of, UMB, as well as IT Resources for which UMB otherwise is responsible.

"USM": University System of Maryland.

Scope

This policy applies to Personnel who use UMB IT Resources, and to Personnel who use Affiliate IT Resources in connection with UMB employment responsibilities or educational activities.

Acceptable Use

In general, acceptable use of UMB or Affiliate IT Resources is use in support of the research, education, service, and administrative activities of UMB and its Affiliates. Personnel should always use IT Resources in accordance with UMB and USM policies and procedures, software licenses, and applicable laws. UMB depends upon a spirit of mutual respect and cooperation to create and maintain an open community of responsible users of IT Resources. Use of IT Resources must be responsible, professional, and in a manner consistent with the law and the opportunities of others to use the IT Resources. Academic freedom of faculty and students and constitutional rights of free speech are not limited by this policy.

Personnel are responsible for safeguarding their own identification (ID) codes and passwords, and for using them for their intended purposes only. Personnel are responsible for all transactions made under the authorization of their ID, and for activity involving IT Resources which originates from computing devices owned by or assigned to them.

Personnel are solely responsible for their personal use of IT Resources. Personnel may not represent or imply that personal communications reflect the views or policies of UMB.

Use of the UMB IT Resources and Affiliate IT Resources within the scope of this policy is a privilege granted to Personnel by UMB subject to compliance with UMB and USM policies, Affiliate policies as applicable, and applicable laws.

Misuse

Misuse includes, but is not limited to, use of UMB IT Resources or Affiliate IT Resources in the following ways: A.   Securing unauthorized access to or unauthorized use of IT Resources, or facilitating such use or access by another person.
 
B.   Without authority, accessing or attempting to access IT Resources on or off the UMB campus. This is also referred to as hacking.
 
C.   Any deliberate or reckless act that denies or interferes with the access and use of IT Resources by others.
 
D.   In a manner that violates the law, the policies of UMB, USM, or an Affiliate, or the policies of any UMB school or unit. Examples of such prohibited use include violations of a school's anti-discrimination or harassment policies, or academic honor code.
 
E.   Violations of copyright law.
 
F.   Personal communication that interferes with UMB employment or academic responsibilities.
 
G.   Software theft or piracy, data theft, or any other action that violates the intellectual property rights of others.
 
H.   Inappropriate access to, or use of data on, academic or administrative systems (e.g., social security numbers, birth dates, and addresses used for identity theft; illegal or unauthorized sale or transfer of such information).
 
I.   Altering system software or hardware configurations without authorization.
 
J.   Intercepting or monitoring communications, user dialog, or password input intended for another recipient, except when this is done as part of responsibility for IT resource management, other reasons authorized by the CIO, or legally mandated action.
 
K.   Collecting or storing information about users of IT Resources without their authorization, except as necessary for UMB activities and functions.
 
L.   Illegal activity.
 
M.   Commercial purposes other than an Affiliate's business activities.
 
N.   Access to or use of electronic distribution lists created by UMB, a school or unit of UMB, or an Affiliate, for purposes not authorized by UMB, the school, or the unit; permitting others access to such distribution lists for unauthorized purposes.
 
O.   Transmitting threatening, obscene or harassing messages, messages that personally attack another individual or group of individuals, or messages that violate the policies of UMB, any school or unit of UMB, or any Affiliate of UMB.
 
P.   Anomalous (unusual or unexpected) computing activity that is illegal or wasteful of IT Resources.
 
Security

The maintenance, operation, and security of IT Resources require UMB and Affiliates to monitor and access IT Resources. UMB monitors IT Resources as part of normal operations and maintenance. Normal monitoring includes, but is not limited to, logging activity and monitoring usage patterns.

To the extent feasible, as determined by UMB, and taking into account the electronic environment and the public agency status of UMB, confidentiality of information stored in and transmitted through the IT Resources will be protected. However, there is no assurance of confidentiality or privacy. The Maryland Access to Public Records law applies to electronic data, including archived electronic messages. Other state and federal laws, and the needs of UMB to meet its administrative, business, and legal obligations, require UMB to review the use of IT Resources and to access stored data.

UMB seeks to maintain the security of IT Resources, but cannot guarantee security. Personnel have no expectation of privacy as to information stored or transmitted using IT Resources, and generally should not maintain or transmit sensitive personal information about themselves or others using IT Resources. However, IT Resources protected by appropriate security measures can be used for personal information of clients, research subjects, and patients. Related security policies apply to certain categories of personal information.

UMB may monitor the activity and accounts of Personnel without notice, in situations when it is necessary or appropriate in the judgment of the CIO or an IT Administrator, e.g.:

• The user has voluntarily made the activity or account information available to the public, as by posting to an electronic list or web page.
  
• Monitoring is necessary to preserve the security, integrity, or functionality of IT Resources.
  
• UMB has reason to suspect Personnel may be violating this policy.
  
• A user of IT Resources, or an account, is demonstrating anomalous activity based on usage patterns.
  
• There is reason to believe a person using IT Resources is doing so without authorization.
  
• Otherwise necessary, as permitted by law or required by lawful directive to UMB.

Electronic Mail (E-Mail)

Copyright laws, license agreements, all applicable USM and UMB policies, and state and federal laws also apply to e-mail. E-mail sent with the intent of disrupting communication or other system services is not allowed. The proliferation of unsolicited commercial e-mail (also known as UCE or "spam"), virus warnings, urban legends and other electronic chain letters are not acceptable uses of IT Resources.

Broadcast e-mail, i.e., e-mail messages sent to a list of users in all schools and units of UMB, is forbidden unless approved by the President or his designee. Broadcast e-mail to users in a particular school or unit is prohibited unless approved by the head of the school or unit.

The primary purpose, and primary use, of e-mail is UMB-related activities. Occasional use of e-mail for personal communications during the business day is acceptable. Personnel should not rely on a UMB e-mail account as a primary personal e-mail account.

Web Pages

The Office of External Affairs (OEA) has established visual guidelines for UMB web pages. Refer to the OEA web page at: http://www.oea.umaryland.edu/web/ for information regarding these guidelines.

Originators of all web pages using IT Resources of UMB shall comply with UMB policies, including the OEA guidelines, and are responsible for complying with all federal and state laws and regulations, including copyright laws, obscenity laws, laws relating to libel, slander and defamation, and laws relating to piracy of software.

The persons creating web pages are responsible for the integrity of the information contained on those pages.

Personal web pages and commercial web pages may not be posted using UMB IT Resources. However, personal web pages for students or faculty are permitted if allowed by their school. Web pages that are not in good taste are not allowed. Anyone who wants a web page primarily or exclusively for personal or commercial purposes, rather than academic purposes, should not use IT Resources to create or host the web page.

Administration and Enforcement of Policy

The CIO is responsible for the administration of this policy. Each school and unit of UMB, and the IT Administrator of the school or unit, may provide additional guidelines for appropriate use of the IT Resources found in that school or unit or used by its Personnel, wherever they are located. Such guidelines shall be consistent with this policy and do not supplant this policy.

The enforcement of this policy is delegated to the heads of the UMB schools or units, i.e., deans and vice presidents, with respect to Personnel associated with their respective schools or units. In all other cases, enforcement of this policy is the responsibility of the President or his designee.

Violations

All suspected violations of this policy shall be reported to the UMB CIO and the IT Administrator of any school or unit involved, as well as the IT Administrator of any Affiliate involved. Within a school or unit, the IT Administrator will report the suspected violation to those responsible for supervision of the Personnel involved and those responsible for administration of disciplinary policies applicable to the Personnel involved.

Personnel who are accused of violating this policy and who have a student or employment relationship with UMB will be subject to disciplinary actions and/or other proceedings consistent with an accusation of misconduct. At the discretion of the CIO, use of IT Resources may be suspended or limited pending conclusion of such proceedings. Accused personnel may explain the circumstances of the alleged violation and seek relief from the suspension by a petition to the CIO within 48 hours after the suspension is effective.

The CIO and/or IT Administrator shall investigate the issues thoroughly, provide a complete report to the School or employing unit, and cooperate in disciplinary proceedings.

Allegations of violations by Personnel other than students and employees will be resolved by the CIO, who may suspend or limit privileges upon learning of an allegation, and may terminate the privilege of using IT Resources after investigating the allegation and providing the accused an opportunity to explain the circumstances relating to the allegation.

Personnel who commit serious or repeated violations of this policy are subject to additional sanctions imposed by the relevant unit head. Such additional sanctions may include permanent suspension of access to IT Resources, use restrictions, or special monitoring of activities involving IT Resources.

The CIO or any IT Administrator shall refer suspected violations of law to the University Police.

Immediate action may be directed by the CIO or an IT Administrator in response to potential or ongoing threats to: IT Resources security at UMB or an Affiliate; health or safety of persons at UMB or an Affiliate; privacy rights of UMB students; privacy rights of employees, patients, research subjects or clients of UMB or Affiliates; compliance with laws by UMB or an Affiliate; or confidentiality of proprietary information in UMB's possession. This action may include suspending an accused user's access to some or all IT Resources until an investigation is completed and, if required by UMB policy, a hearing has been held to determine the validity of the allegations involved.

Violations of this policy may result in actions under Human Resource policies, faculty policies, or student policies, in addition to actions under this policy. Termination of enrollment or employment may follow from violations of this policy.

School and Unit Responsibilities

A. Schools and units may require their Personnel to follow additional guidelines for appropriate use of school and unit IT Resources. Such guidelines shall be consistent with this policy and do not supplant this policy.

B. Schools and units will institute procedures to ensure that unauthorized persons are denied access to the IT Resources of the school and units. Unauthorized persons include employees who have resigned or been terminated, former students, and those who have committed serious or repeated violations of this policy or school or unit guidelines.

C. When Personnel change status, e.g., terminate employment, graduate, retire, or change positions, roles or responsibilities within UMB, the school or unit responsible for initiating a change in status must coordinate with central support units, (e.g., Center for Information Technology Services, Human Resource Services, Payroll) to discontinue or change access and authorization to any and all UMB and Affiliate IT Resources used by the Personnel before the change of status.