Policy Name: Acceptable Use Policy (AUP)
Date Approved: June 18, 2020
Policy Category: Board of Governors - University Operation
Date Effective: August 14, 2020
Policy Number: 4.1.080
Date Last Revised:
Approval Authority: Board of Governors
Review Cycle: 5 years
Responsible Department: Office of Technology
This policy provides a framework for the acceptable use of Information Technology resources at the University of Central Missouri. These rules are in place to protect the University of Central Missouri, as well as all staff, students, and visitors, from risks due to inappropriate use of University information systems and technology resources.
Antivirus Software –
Export Controls –
Federal laws which apply to the transfer or transmission of classified or restricted technologies and information to foreign nationals, both inside and outside of the United States, or into foreign countries as it relates to foreign policy and national security.
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security procedures or this policy.
Information Technology –
Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term information technology includes computers, phones, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
The single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB) and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
Malicious Cyber Activity –
Activities, other than those authorized by or in accordance with U.S. law, that seek to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.
Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
Network Sniffing –
A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.
A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.
Port Scanning –
Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
Security Control Assessment –
The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Trojan Horse –
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Technology Transfer –
The University’s patenting of research discoveries and then making them available through licensing to businesses or other researchers who want to build upon them.
The University’s information systems and technical resources are intended to be used in support of the University mission. These resources include servers, workstations, computer laboratories, wired and wireless networks, and the use of these systems to connect to or from other resources via the internet.
The use of the University’s information systems and technology resources including, but not limited to, Internet resources, individual computer workstations, University-issued equipment, e-mail communications, telephone wire systems, or networks, is a privilege and not a right. Users of the University’s information systems and technical resources are accountable for their own actions.
All data created in support of the University mission is a strategic asset and remains the sole property of the University of Central Missouri. University data shall be managed in compliance with legislative mandates, regulatory requirements, and University policy.
Users may access, use, or share protected information only to the extent it is authorized and reasonably necessary to fulfill assigned job duties or otherwise within their and the University’s legal rights. Users must ensure through legal or technical means that University data is protected in accordance with UCM Office of Technology (“OT”) standards.
The University issues to each user of computer and network resources a unique user account and password. Account holders have a responsibility to protect their account from unauthorized use.
Passwords shall be sufficiently complex and changed in accordance with OT’s User Account Password Standards. Account holders may not share their credentials or use their credentials on information systems not managed by the University.
The University respects and protects personally identifiable information stored on the University’s information systems in accordance with legislative mandates, regulatory requirements, and University policy.
The University of Central Missouri reserves the right to monitor and filter the use of its information assets. All users of information systems or network resources are advised not to assume any degree of privacy or restricted access to information they create or store on University information systems or technology resources. Users have no personal privacy expectations when using University technology systems. The University of Central Missouri is a public institution and information stored on the University’s information systems may be subject to disclosure according to federal or state law (Chapter 610 RSMo, Missouri Sunshine Law) or other legal mandates, including without limitation audits or subpoenas. Disclosure of personal information shall be conducted in accordance with applicable laws and advice of General Counsel.
All computing devices, mobile and stationary, connected to the University network are advised to implement security controls that conform to vendor or security best practices. Any device identified to be a threat to the confidentiality, integrity, or availability of University information systems may be disconnected from the University network, without notice, until the risk has been mitigated.
Device owners are strongly encouraged to implement, at minimum, the following controls:
All computing devices must be secured with a screensaver that requires authentication with an automated activation feature set to 15 minutes or less. All users must lock their screen or log off when the device is unattended.
Owners of information technology systems in support of the University mission shall implement security controls in accordance with standards established by the Office of Technology.
The University of Central Missouri reserves the right to conduct security audits and assessments of all networks, systems, and devices connected to the University network on a periodic basis to ensure compliance with University policies and information security standards.
Under no circumstances is an employee or student of the University of Central Missouri authorized to engage in any activity that is illegal under applicable law while utilizing University-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities that fall into the category of unacceptable use and are strictly prohibited.
1. System and Network Activities
2. Personally Owned Devices and Software
The use of personally owned devices or software to store confidential information is prohibited. This restriction includes all information systems and technology resources not owned or operated by the University.
3. Email and Communication Activities
All users of University information systems and technology resources have a responsibility to promptly report violations of this policy or the theft, loss or unauthorized disclosure of protected information to the Technology Support Center (TSC) via email firstname.lastname@example.org or phone (660) 543-4357.
The Office of Technology will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner, as authorized and documented by the Associate Vice President of Technology or his/her designee.
Any exception to this policy must be approved by the Associate Vice President for Information Systems/CIO or appointed designee.
Any user found to have violated this policy may be subject to discipline, including loss of network access privileges and referral to law enforcement.
Any device found in violation of this policy may be disconnected from the University network until the device is brought into compliance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
A student found to have violated this policy may be subject to disciplinary sanctions, which may include suspension or expulsion from the University.