Rivier University Information Technology

Network Access and Information Systems Appropriate Use Policy

1.0 Purpose
2.0 Scope
3.0 Rights and Responsibilities
4.0 Access Policies
5.0  Connection Policies
6.0 Appropriate Connection Methods
7.0 Network Registration
8.0 Responsibility for Security
9.0 Security Standards
10.0 Centrally-Provided Network-Based Services
11.0 Protection of the Network
12.0 Fair Share of Resources
13.0 Adherence with Federal, State and Local Laws
14.0 Other Inappropriate Activities
15.0 Privacy and Personal Rights
16.0 Privacy in Email
17.0 User Compliance

 

1.0 Purpose

The computing resources at Rivier University support the educational, instructional, research, and administrative activities of the University. The use of these resources and associated facilities is a privilege that is extended to members of the Rivier community. Users of these services and facilities have access to valuable University resources, to sensitive data, and to internal and external networks. Therefore, it is important for all users to behave in a responsible, ethical, and legal manner.
Rivier University must also provide a secure network for our educational, research, instructional and administrative needs and services. An unsecured computer on the network allows denial of service attacks, viruses, Trojans, and other compromises to enter the University campus network, thereby affecting many computers, as well as the network’s integrity. Damages from these exploits could include the loss of sensitive and confidential data, interruption of network services, and damage to critical Rivier University internal systems. Colleges and universities that have experienced severe compromises have also experienced damage to their public image. Therefore, individuals who connect computers, servers, and other devices to the Rivier network must follow specific standards and take specific actions.

This policy is designed to protect the campus network and the ability of members of the Rivier community to use it. The purpose of this policy is to define the standards for connecting computers, servers, or other devices to Rivier’s network. The standards are designed to minimize the potential exposure to Rivier University and our community from damages (including financial, loss of work, and loss of data) that could result from computers and servers that are not configured or maintained properly and to ensure that devices on the network are not taking actions that could adversely affect network performance and access.

Acceptable use means respecting the rights of other computer users, the integrity of the physical facilities, and all pertinent license and contractual agreements. If an individual is found to be in violation of the Acceptable Use Policy, the University may take disciplinary action ranging from restriction of privileges to dismissal from the University (suspension or termination) and/or removal from campus.
Individuals in the Rivier Community are also subject to federal, state and local laws governing many interactions that occur on the Internet (for example, Fair Use, Copyright, Privacy). This policy is subject to change in conjunction with the evolution of these laws.
This document establishes specific requirements for the use of all computing and network resources at Rivier University.

2.0 Scope

This policy applies to all users of computing resources owned or managed by Rivier University. Individuals covered by the policy include (but are not limited to) Rivier faculty and visiting faculty, staff, students, alumni, guests or agents of the administration, and external individuals and organizations accessing network services via Rivier’s computing facilities.

Computing resources include all University owned, licensed, or managed hardware and software and services (for example but not limited to: printers, laptops, tablets, phones, voicemail, texting services), and use of the University network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

These policies apply to technology administered in individual departments, the resources administered by OIT, personally owned computers and devices connected by wire or wireless to the campus network, and to off-campus computers that connect remotely to the University’s network services.

3.0 Rights and Responsibilities

As a member of the Rivier University community, the University provides users access to academic and/or work-related tools, including access to certain computer systems, servers, services, software and databases (including Library subscription-based databases), to the campus telephone and voicemail systems, and to the Internet. All users have a reasonable expectation of unobstructed use of these tools, of certain degrees of privacy (which may vary depending on a user’s role at the University), and of protection from abuse and intrusion by others sharing these resources. Users can expect the right to access information and to express opinions to be protected in the same manner as for paper and other forms of non-electronic communication.

All users are responsible for knowing the regulations and policies of the University that apply to appropriate use of the University’s technologies and resources. Users are responsible for exercising good judgment in the use of the University’s technological and information resources. Technological and information resources are to be used in an effective, ethical, and lawful manner. Actions being technically possible do not necessarily make them appropriate.

As a representative of the Rivier University community, users are expected to respect the University’s reputation through all electronic dealings with the outside world.

4.0 Access Policies

• Users may only access the computers, computer accounts, and computer files for which explicit authorization has been provided.
• Users may not access another individual’s account or attempt to capture or guess other users’ passwords.
• Users are individually responsible for appropriate use of all assigned resources, including the computer, the network address or port, software, and hardware. Therefore, users are accountable to the University for all use of such resources. Authorized Rivier University users may not enable unauthorized users to access the University’s computer-based resources.
• The University is bound by its contractual and license agreements respecting certain third party resources; users are expected to comply with all such agreements.
• Users must make a reasonable effort to protect their passwords and to secure resources against unauthorized use or access. Users must configure hardware and software in a way that reasonably prevents unauthorized users from accessing Rivier’s network and computing resources.
• Users must not attempt to access restricted portions of the network, operating systems, security software, or other administrative applications without appropriate authorization by the Chief Information Officer or designee. Users must comply with the policies and guidelines for any specific set of resources to which access has been granted. When other policies are more restrictive than this policy, the more restrictive policy takes precedence. Principal of Least Privilege (PoLP) is a basic security guideline stating that “every program and every user of the system should operate using the least set of privileges necessary to complete the job.”
• Users must not use Rivier computing and/or network resources in conjunction with the execution of programs, software, processes, or automated transaction-based commands that are intended to disrupt (or that could reasonably be expected to disrupt) other computers or network users, or damage or degrade performance, software, or hardware components of a system.
• Users may not use tools while on the Rivier University network and/or computing systems that may assess security or attack computer systems or networks (e.g., password ‘crackers,’ vulnerability scanners, network sniffers, etc.) unless specific authorization has been provided by the Chief Information Officer or designee.

5.0 Connection Policies

6.0 Appropriate Connection Methods

You may connect devices to the campus network at appropriate connectivity points including voice/data jacks, through an approved and Rivier University provided wireless network access point.
Modifications or extensions to the network through the introduction of personal or departmental devices can frequently cause detrimental impacts, including loss of connectivity. These effects are not always immediate, nor are they always located at the site of modifications. As a result, extending or modifying the Rivier University network is not permitted without the express involvement and written agreement of OIT designees.

7.0 Network Registration

Users of the University network may be required to authenticate when connecting a device to it. Users may also need to install an agent on their computers before they are allowed on the network. The role of such an agent would be to audit the computer for compliance with security standards as defined below.
OIT maintains a database of unique machine identification, network address and owner for the purposes of contacting the owner of a computer when it is necessary.

8.0 Responsibility for Security

Every computer or other device connected to the network, including a desktop computer has an associated owner (e.g. a student who has a personal computer) or caretaker (e.g. a staff member who has a computer in their office). For the sake of this policy, owners and caretakers are both referred to as owners. Owners are responsible for ensuring that their machines meet the relevant security standards and for managing the security of the equipment and the services that run on it.

9.0 Security Standards

These security standards apply to all devices that connect to the Rivier University network through standard university ports, through wireless services, and through home and off campus connections.
Owners must ensure that all computers and other devices capable of running anti-virus/anti-malware software have Rivier-licensed anti-virus software (or other appropriate virus protection products) installed and running. Updates to this software should be run no less than on a daily basis.
Computer owners must install the most recent security patches on the system as soon as practical but in no case longer than one week after release. Where machines cannot be patched, other actions may need to be taken to secure the machine appropriately and it is the responsibility of the device owner to contact OIT to receive assistance in securing the device.

10.0 Centrally-Provided Network Services

OIT is responsible for providing reliable network services for the entire campus. As such, individuals or departments may not run any service which disrupts or interferes with these services. These services include, but are not limited to, email, DNS, DHCP, password resets, file storage and Domain Registration.

11.0 Protection of the Network

OIT uses multiple methods to protect the Rivier University network:
• monitoring for external intruders
• scanning hosts on the network for suspicious anomalies
• blocking harmful traffic
All network traffic passing in or out of Rivier’s network is monitored by an intrusion detection system for signs of compromises. By connecting a computer or device to the network, you are acknowledging that the network traffic to and from your computer may be scanned.
Information Technology routinely scans the Rivier network looking for vulnerabilities. At times, more extensive testing may be necessary to detect and confirm the existence of vulnerabilities. By connecting to the network, you agree to have your computer or device scanned for possible vulnerabilities.
Information Technology reserves the right to take necessary steps to contain security exposures to the University and/or improper network traffic. Information Technology will take action to contain devices that exhibit the behaviors indicated below and allow normal traffic and central services to resume.
• imposing an exceptional load on a campus service
• exhibiting a pattern of network traffic that disrupts centrally provided services
• exhibiting a pattern of malicious network traffic associated with scanning or attacking others
• exhibiting behavior consistent with host compromise

Information Technology reserves the right to restrict certain types of traffic coming into and across the Rivier network. Information Technology restricts traffic that is known to cause damage to the network or hosts on it, such as NETBIOS. Information Technology also may control other types of traffic that consume too much network capacity, such as file-sharing traffic.
By connecting to the network, you acknowledge that a computer or device that exhibits any of the behaviors listed above is in violation of this policy and will be removed from the network until it meets compliancy standards.

12.0 Fair Share of Resources

OIT as well as other University departments which operate and maintain computing devices, network systems and servers, and access to services, are expected to maintain an acceptable level of performance and must ensure that excessive or inappropriate use of resources by one person or a few people does not limit or degrade performance for others.

The campus network, computer labs, servers, software, and services are shared widely and are limited, requiring that resources be utilized with consideration for others. The use of any automated processes to gain technical advantage over others in the Rivier community is explicitly forbidden.
The University may elect to set limits on individual use of resources through quotas, time limits and other mechanisms to ensure that resources can be used by those who need them.

13.0 Adherence with Federal, State and Local Laws

Users of Rivier’s computing and network resources must:
• Abide by all federal, state, and local laws.
• Abide by all applicable copyright laws and licenses.
• Observe the copyright law as it applies to music, videos, games, images, texts, and other media in both personal use and in production of electronic information. The ease of use of the Internet makes electronic materials very vulnerable to unauthorized access, invasion of privacy, and copyright infringement.
• Not use, copy, or distribute copyrighted works (film clips, trademarks, graphics, etc.) unless you have a legal right to use, copy, distribute or otherwise exploit the copyrighted work (e.g. as defined by the terms of Fair Use). Engaging in these activities may be the basis for disciplinary action, civil litigation, and criminal prosecution.

14.0 Other Inappropriate Activities

Rivier University’s computing facilities and services may be used for those activities that are consistent with the educational, research and public service mission of the University. Other prohibited activities include:
• Activities that would jeopardize the University’s tax-exempt status.
• Use of Rivier’s computing services and facilities for political purposes.
• Use of Rivier’s computing services and facilities for personal economic gain.

15.0 Privacy and Personal Rights

• Users of the University’s network and computing resources are expected to respect the privacy and personal rights of others.
• Users may not access or copy another user’s email, data, programs, or other files without the written permission of the Chief Information Officer, who is bound to the procedures outlined at Emergency Access to Accounts and Information.
• Users are expected to be professional and respectful when using computing systems to communicate with others; the use of computing resources to libel, slander, or harass any other person is not allowed and could lead to University discipline as well as legal action by those who are the recipient of these actions.
• While the University does not generally monitor or limit content of information transmitted on the campus network, it reserves the right to access and review such information under certain conditions and in compliance with state law. These include: investigating performance deviations and system problems (with reasonable cause), determining if an individual is in violation of this policy, or, as may be necessary, to ensure that Rivier University is not subject to claims of institutional misconduct.
• Access to files on University-owned equipment or information will only be approved by specific personnel when there is a valid reason to access those files. Authority to access user files can only come from the Chief Information Officer in conjunction with requests and/or approvals from senior members of the University, as found in the document Emergency Access to Accounts and Information.
• External law enforcement agencies and Rivier University Campus Safety may request access to files through valid subpoenas and other legally binding requests. All such requests must be approved by the General Counsel. Information obtained in this manner can be admissible in legal proceedings or in a University hearing.

16.0 Privacy in Email

While every effort is made to ensure the privacy of Rivier University email users, this may not always be possible. In addition, since employees are granted use of electronic information systems and network services to conduct University business, there may be instances when the University, based on approval from authorized officers, reserves and retains the right to access and inspect stored information without the consent of the user.

17.0 User Compliance

By using Rivier University computing and information services, users inherently agree to comply with this and all other computing related policies. Users have the responsibility to keep up-to-date on changes in the computing environment, as published using the University’s electronic and print publication mechanisms, and to adapt to those changes, as necessary.