Appropriate Use Procedures and Standards
In compliance with the Appropriate Use Policy, Information Technology presents the following procedures and standards, which elaborate and explain how each statement in the AUP applies to various Computing, Network and Information Resources. Each statement from the Policy is presented separately below, followed by specific requirements, recommendations and prohibitions that apply to one or more Resources. A violation of one of these procedures/standards is an indication of violation of the policy.
"USU Computing, Networking and Information Resources are provided as
a service for use by faculty, staff, students and visitors in a
responsible manner that is within the capacity of the Resource and
consistent with the mission of the University."
- Users must respect academic freedom and free speech rights.
- Users must respect the rights and privacy of others, including intellectual property and personal property rights.
- Incidental Personal Use - Resources may be used for incidental personal purposes provided that such use does not interfere with the operation or availability of those Resources; does not generate noticeable incremental costs to the University; and does not violate the law or other University policy. This is consistent with the Use and Security of University Property policy (#344).
- Computational work which makes heavy demands on shared resources should be run at off-hours or at low priority.
- Resources are provided primarily for activities that support the mission of the university. Other activities are considered secondary. During busy times, users engaged in secondary activities may be asked to give up their access for others needing the services.
- Performing any act, intentionally or otherwise, that will interfere with the normal operation of computers, peripherals, or networks.
- Saturating network or computer resources to the exclusion of another's use, for example, overloading the network with traffic from emails or from legitimate (file backup or archive) or malicious (denial of service attack) activities.
- Engaging in any activity that might be purposefully harmful to systems or to any information stored thereon, such as creating or propagating viruses, disrupting services, damaging files or making unauthorized modifications to university data.
- Exposing sensitive or confidential information or disclosing any electronic information that one does not have the authority to disclose.
- Disruptive behavior in shared-use facilities will result in immediate removal from the facilities.
- Failure to comply with requests from appropriate officials to discontinue activities that threaten the operation or integrity of computers, systems or networks, or otherwise violate this policy is prohibited.
"Authentication credentials are assigned as an access privilege for
restricted Resources that may be relevant to the role of the user as
faculty, staff, student or visitor.
Users must maintain a "strong"
password. Credentials must be protected from use by anyone other than
the assigned individuals.
Credentials may be revoked to protect the
- Users must be truthful and accurate in personal and computer identification.
- Use only your own authentication credentials to access any Resource, except as appropriate to your job duties and in accordance with legitimate university purposes.
- Use a strong passcode/PIN that cannot be guessed by friends, family, neighbors, and associates.
- Use a long passcode/PIN that cannot be cracked readily by hackers or guessed by dictionary attacks.
- Use a passcode/PIN of at least 8 characters, mixing letters and digits, not composed of:
  - dictionary words (in any language)
  - names (e.g. family, friends, literary figures, objects)
  - numeric strings (e.g. 123456, 007, 90210, birthdates, phone numbers, SSN, credit card, bank account, drivers license)
  - keyboard patterns (e.g. qwerty, ewqdsacxz, 1qw23er4)
  - any of the above with a leading or following digit or sequence of consecutive digits
  - not matching or including your username/ID
- Administrative (root, sysadmin) users should use a passcode that meets higher standards of strength, appropriate to the requirements and constraints of the system, typically at least 12 characters, mixing letters, capitalization, digits and punctuation and avoiding the guessable categories listed above.
- All users are required to cooperate when authorized personnel are investigating the source of anonymous messages.
Recommended - strategies for creating strong passwords:
- Use the initial letter from each word of a "shocking nonsense" phrase. "I love to ski in fresh cow manure" becomes "iltsnfcm". If you have a requirement for digits, change the little "connector" words to their character count: "1l2s2fcm"
- Use a "Simple Rule for Strong Passwords" such as:
  - Pick a favorite name or word, a favorite string of numbers, and a favorite letter.
  - Split the word in the middle and insert the numbers.
  - Split the numbers in the middle and insert the favorite letter.
  - For example: "Broccoli", "7734" and "Q" becomes the password "Broc77Q34coli"
- Use a random password generator, write the password down and store it in a safe place, like your wallet next to your credit cards.
- Sharing passwords with others. The decision to extend access rights to others belongs only to Resource managers and not to end users who might choose to share their passwords with other individuals, including family members or friends. Extending administrative rights to subordinates must be coordinated with the Resource manager and must be consistent with University business practices.
- Changing the authentication credentials of another individual, except when authorized by the Resource manager and positive identification is provided.
- Exploiting any available means to intercept or decode the credentials of another individual.
- Circumventing the authentication process for any Resource.
- Attempting to access or accessing another's accounts, private files, e-mail messages, or intercepting network communication without the owner's permission except as appropriate to your job duties and in accordance with legitimate university purposes.
- Unauthorized anonymous and pseudonymous communication.
- Users must maintain the security of accounts and are advised to protect and regularly change their account passwords. Individuals responsible for system administration are required to regularly change passwords to protect information and maintain security.
"Users of Resources must obey relevant federal, state and local laws, with
special attention to intellectual property laws (copyright), communications
laws (libel, harassment, obscenity, child pornography, privacy, etc) and government
property laws (non-commercial use, etc.). The University will cooperate with law
enforcement agencies when allegations of violation are made."
Uses of the Resource that may be prohibited by some law or regulation include:
- Unauthorized access.
- Creating a hostile working or learning environment for others. This includes the display of offensive material in a public or shared-use location.
- Distributing or viewing obscene material or child pornography.
- Harassing via communication content, frequency or volume.
- Threats of harm.
- Libel or defamation.
- Infringement of copyright, including documents, software and entertainment media.
- Infringement of university wordmark, trademark or identity.
- Identity theft.
- Hoaxes, scams and pyramid schemes.
- Plagiarism - copying the intellectual property of others and claiming it as your own.
- Forgery of identity, of official documents or of communications of others.
- Propagating electronic chain letters.
- Resale of the Resource for non-University purposes.
Some prohibitions apply because the Resource belongs to the University. You may see others using public or commercial ISP services to legally engage in the following activities which are prohibited here:
- Commercial, entrepreneurial or profit-making activities.
- Doing the work of commercial, political or religious organizations. Such work should be done using commercially available resources. This is not a restriction on expressing personal views of a political or religious nature. Relevant professional, public service, charitable and civic organizations may be excepted with administrative approval.
- Sending unsolicited e-mail messages, including "junk mail" or "spam", to individuals who did not specifically request such material, except as approved under the Bulk Email Policy.
Copyright compliance is a big and varied issue:
- Installing unlicensed copies of commercial software is prohibited.
- Audio files (songs), video files (movies) and programs (games) created by others are automatically protected by copyright. You should not acquire or distribute these works without complying with the owner's licensing terms (usually this means PAYING for access to the files). You may not operate on the campus network any service that provides any files for which you do not have authorization. For more details, see the Digital Millennium Copyright Act. This means no BitTorrent, LimeWire, eDonkey or other peer-to-peer file sharing for this purpose. Don't do it! They will catch you. They will complain to USU. We will disable your access and charge a $50 fee to re-enable your access. Repeat infringements have escalating penalties, defined by the Student Discipline Officer in Student Services.
- Except as provided by established fair use principles, engaging in unauthorized copying, distribution, display or publishing of copyrighted material from hardcopy or digital sources is prohibited. "I want it, but can't afford to pay for it" is not an established fair use principle. "Educational Use" is not always "Fair Use" either.
- Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws is prohibited.
- Attempting to alter any Resource (including, but not limited to, bridges, routers, hubs, wireless access points) without approval is prohibited.
- Attempting to create unauthorized network connections, or any wireless extension or retransmission of any computer or network services, unless approved by an authorized network administrator, is prohibited.
- Interception or attempted interception of communications by parties not authorized or intended to receive them is prohibited. (This includes man-in-the-middle attacks, installing keystroke loggers, etc.)
Protect Integrity of Resource
"Users of Resources must protect the integrity of the Resource
and the confidentiality of stored and transmitted data by
following directions specific to the Resource being used and
the data being accessed.
Those directions will be provided by
IT or other administrators of the Resource or data.
requirement guards against "social engineering" attempts by
outsiders to mislead users in ways that allow the outsider to
gain access to the Resource or data. (e.g. viruses, phishing,
hidden malware, etc.)
- Users are required to be aware of and employ security practices established by the university to prevent unauthorized access to their computers. Security breaches can often be linked to the actions individuals take or fail to take when using information technology resources (e.g., leaving their computers logged into applications while away from their desks, storing written copies of passwords in obvious places, using insecure methods for transferring authentication credentials and other information).
- Users should be on guard against "social engineering" ploys to mislead the user into taking actions that allow the malware (literally, "bad software") to bypass the technical security protections on the computer. These social engineering strategies include:
  - Viruses - unexpected email messages with attachments that claim to contain important information about your computer account, or your enrollment or employment status, or your bank account. The attachment really contains a program that gives control of your computer to some outsider. USU IT will never send information about your account in an email attachment.
  - Phishing - unexpected email messages that direct you to a website that is a forged copy of your bank. When you log in to the website, the outsiders have obtained your login credentials for their own use.
  - Neat, cool software or online services that are free. Free software and online services must generate their revenue in some other way. It might be by providing a venue for advertising or it might be by including some undisclosed service that you don't need or want (a trojan or rootkit). That undisclosed service might include the interception of your computer activity or access to your computer processor or stored files for other purposes.
  - Money Making Scams - these often offer you a chunk of the money in exchange for help moving a large sum of money out of another country. Up-front costs eventually deplete the victim's funds. This scam doesn't often put the University's Resources at risk but can ruin the gullible greedy individual.
- Client computers, peripherals and other devices that do not provide continuous network services should be powered off when not needed, especially overnight and on weekends, holidays and breaks. A cold computer is a secure computer, and saves power costs as well. Computers brought into service after extended outages should be patched and updated immediately (See the Computer Management Policy).
User Owned Equipment
"User-owned equipment connected to the University network must
be properly registered and managed in compliance with the
separate Computer Management Policy to protect against technical
vulnerabilities which will allow outsiders to gain access to the
Resource or data.
- Protection of the Resource - All users of Computing, Network and Information Resources are charged with the responsibility to protect the Resource from compromise by outsiders. Some sources of compromise can be thwarted by technical means, if those means have been employed. Technical means include:
  - Keeping operating systems and application programs patched and updated.
  - Keeping virus and spyware protection updated.
  - Disabling or blocking unused system services.
  - Using only trusted applications (free downloads from the internet may contain hidden malware).
- Destroying, altering, compromising the integrity or security, or making inaccessible Resources, when such uses are not authorized;
University Owned Equipment
"University-owned equipment must comply with the separate Computer
Management Policy, however users of that equipment should be alert
to any indications of deficiencies in compliance that may result
in compromise to the security of the Resource or data."
- Technical security measures can be overcome by carefully crafted "social engineering" that attempts to fool you into opening an infected document ("virus"), visiting a hostile website ("drive-by browsing"), downloading an application with hidden functionality ("malware"), or responding to a misleading request ("phishing"). Be an Internet Skeptic.
- The university-owned equipment in your care must be protected from physical losses including theft, unauthorized access and damage. Offices should be secured when not occupied. Portable equipment (laptops, etc) should be under your direct physical control when travelling.
- Intentionally or recklessly compromising the privacy or security of electronic Resources.
- Unauthorized scanning of networks for security vulnerabilities.
Resources Subject to Failure
"Users are expected to recognize that the Resources being provided
are subject to compromise and other failure at any time in spite
of professional efforts in compliance with industry best practices.
- Keep backup copies on personal storage devices of important data and documents (such as research data and thesis drafts). Don't let a system failure cause personal tragedy.
Protect Own Privacy
"Users should take extra precautions to protect their own privacy,
to insure the confidentiality of their own personal identifying
information, and to guard against the loss or destruction of their
own intellectual property as a result of any compromise or failure.
- Be sure to log out of authorized services to prevent subsequent users from using your access.
- Be sure that application windows are closed, temporary file caches are deleted and stored cookies and passwords are erased before leaving a public workstation or kiosk.
- Do not allow shared computers to "remember" your passcode/PIN.
- Do not send private, confidential, or authentication information in email messages.
"While the University respects the user's
stored on or transmitted through the Resource is subject to
exposure by technical, legal and extra-legal means beyond the
control of the University.
- Do not share in an electronic medium any information that must be kept private. Technical security is incomplete, especially when that information is transmitted over the uncontrolled internet. Data can be intercepted in various ways by "man-in-the-middle" attacks, spoofed IP addresses, subpoenas or freedom of information act requests.
- Conducting personal activities unrelated to any University purpose unless otherwise allowed by this policy;
- Compromising the privacy of users of Resources;