Revised Fall, 2004

Introduction

Faculty, students, and staff at Millikin University routinely use University-owned computers, software, networks, and computerized information. This technology is used to further University-related research and educational activities. In addition, some individuals may have special administrative or technical responsibility for a computer, network, or database.

This policy document is an introduction to the issues of legitimate use, information security, and privacy that arise in the use of computers, software, and electronic information. These policies strive to balance the individual's ability to benefit fully from these resources and the University's responsibility to maintain a secure and reasonably allocated computing, information technology, and networked environment.

The University's Responsibilities

The University owns most of the computers and all of the internal computer networks used on campus. The University also has various rights to the software and information contained on, developed on, or licensed for these computers and networks. The University has the responsibility to administer, protect, and monitor this aggregation of computers, software, and networks.

Specifically, the purposes of the University's information technology management are to:

1. Establish and support reasonable standards of security for electronic information that community members produce, use, or distribute, and protect the privacy and accuracy of administrative information that the University maintains.

2. Protect University computers, networks and information from destruction, tampering, and unauthorized inspection and use.

3. Ensure that information technology resources are used to support activities connected with instruction, research, and administration.

4. Delineate the limits of privacy that can be expected in the use of networked computer resources and preserve freedom of expression over this medium without countenancing abusive or unlawful activities.

5. Ensure that University computer systems do not lose important information because of hardware, software, or administrative failures or breakdowns. To achieve this objective, authorized systems or technical managers may occasionally need to examine the contents of particular files to diagnose or solve problems.

6. Communicate University policies and individuals' responsibilities systematically and regularly in a variety of formats to all parts of the University community.

7. Monitor policies and propose changes in policy as events or technology warrant.

8. Manage computing resources so that members of the University community benefit equitably from their use. To achieve this, authorized staff may occasionally need to restrict inequitable computer use, including shared systems or the network. For example, the University reserves the right to restrict users from using any program that is unduly resource-intensive.

9. Enforce policies by restricting access in case of serious violations. For example, in appropriate circumstances, authorized systems administrators may find it necessary to lock a user's account. In such circumstances, if there is not a resolution within 24 hours, the systems administrator or the user should refer the matter to the appropriate official for follow-up and resolution. (See section on Sanctions for more details.)

10. Conduct routine audits of software on University owned computers to check for licensing compliance.

The Individual's Responsibilities

Millikin University supports networked information resources to further its mission of research and instruction and to foster a community of shared inquiry. All members of the University community must be cognizant of the rules and conventions that make these resources secure and efficient. It is the responsibility of each member of the University community to:

1. Respect the right of others to be free from harassment or intimidation to the same extent that this right is recognized in the use of other media or communications.

2. Respect copyright and other intellectual-property rights. Unauthorized copying of files or passwords belonging to others or to the University may constitute plagiarism or theft. Modifying files without authorization (including altering information, introducing computer viruses or Trojan horses, or damaging files) is unethical, may be illegal, and may lead to sanctions.

3. Maintain secure passwords. Users should establish appropriate passwords in the first instance, change them occasionally, and not share them with others.

4. Use resources efficiently. Accept limitations or restrictions on computing resources -- such as storage space, time limits, or amount of resources consumed -- when asked to do so by systems administrators.

5. Recognize the limitations to privacy afforded by electronic services. Users have a right to expect that what they create, store, and send will be seen only by those to whom permission is given. Users must know, however, that the security of electronic files on shared systems and networks is not inviolable--most people respect the security and privacy protocols, but a determined person can breach them. Users must also note that, as part of their responsibilities, systems or technical managers may occasionally need to diagnose or solve problems by examining the contents of particular files.

6. Learn to use software and information files correctly. Users should maintain and archive backup copies of important work. Users are responsible for backing up their own files. They should not assume that files on shared machines are backed up. If users choose to participate in a backup service, they should become familiar with the schedules and procedures of that service. They also should learn to use properly the features for securing or sharing access to their files.

7. Abide by security restrictions on all systems and information to which access is permitted. Users should not attempt to evade, disable, or "crack" passwords or other security provisions; these activities threaten the work of others and are grounds for immediate suspension or termination of privileges and possible additional sanctions.

8. Student owned computers, which are connected to the network, are required to have an updated anti-virus program installed. If any student owned computer becomes a security or virus threat to the network, IT reserves the right to restrict its access to the network, this includes file sharing or student operated servers in residences.

Millikin University extends these principles and guidelines to systems outside the University that are accessed via the University's facilities (e.g., electronic mail or remote logins using the University's Internet connections). Network or computing providers outside Millikin University may also impose their own conditions of appropriate use, for which users at this University are responsible for following.

Sanctions

Individuals or groups who act in a manner contrary to existing policy and accepted standards for computer use are subject to the sanctions and disciplinary measures normally applied to misconduct or lawbreaking. Computing policy violations are handled by established University channels.

In the first instance, such matters will be addressed by the appropriate computing administrators. Whenever it becomes necessary to enforce University rules or policies, an authorized administrator may prohibit network connections by certain computers (even departmental and personal ones); require adequate identification of computers and users on the network; undertake audits of software or information on shared systems where policy violations are suspected; take steps to secure compromised computers that are connected to the network; or deny access to computers, the network, and institutional software and databases. Users are expected to cooperate with investigations either of technical problems or of possible unauthorized or irresponsible use as defined in these guidelines; failure to do so may be grounds for suspension or termination of access privileges.

If the infringement is not settled in discussion with the computing administrator, a matter involving students will be referred to the appropriate dean of students; a matter involving faculty will be referred to the department chair or dean; and a matter involving staff will be referred to the immediate supervisor, the manager of the unit, or an official in Human Resources. In addition, certain kinds of abuse may entail civil or criminal action as well.

Examples of Misuse

The following list, while not exhaustive, characterizes unacceptable behavior which may be subject to disciplinary action:

Use of any University facility in a manner that violates copyrights, patent protections, or license agreements.
Attempts to gain unauthorized access to any information facility, whether successful or not. This includes running programs that attempt to calculate or guess passwords, or that are designed and crafted to trick other users into disclosing their passwords. It also includes electronic eavesdropping on communications facilities.
Any violation of state or federal law
Any action that invades the privacy of individuals or entities that are the creators, authors, users, or subjects of information resources.
Using electronic mail, talk or other programs as pranks or in a threatening, obscene, or harassing manner.
Masking the identity of an account or machine or in any manner misrepresenting your identity in an email or other electronic communication.
Sending chain letters or sending advertisements, solicitations, or mass mailings to individuals who have not agreed to be contacted in this manner.
Posting on electronic bulletin boards materials that violate existing laws or the University's codes of conduct.
Using the campus network to gain unauthorized access to any computer systems.
Knowingly performing an act which will interfere with the normal operation of computers, terminals, peripherals, or networks.
Knowingly running or installing on any computer system or network, or giving to another user, a program intended to damage or to place excessive load on a computer system or network. This includes but is not limited to programs known as computer viruses, Trojan horses, and worms.
Attempting to circumvent data protection schemes or uncover security loop holes.
Attempting to monitor or tamper with another user's electronic communications, or reading, copying, changing, or deleting another user's files or software without the explicit agreement of the owner.
Usage of network resources (computers, software, networks, printers, plotters, scanners, etc.) or your account for commercial purposes.
Reselling access to the institution's network to anyone.
Using the announcements listserv for discussions or personal opinions.
Activities will not be considered misuse when authorized by appropriate University officials for security or performance testing.

Conclusion

To obtain more information about individual responsibilities, users should contact their local computer administrator or refer to the Student Information Handbook. Additional questions relating to computer security policy should be directed to either Pat Pettit, Information Technology Department (at 217-362-6488 or ppettit@mail.millikin.edu).

*Based on the University of Chicago and the University of California - Los Angeles Acceptable Use policies in place as of December, 1996.