
Draft vs. 1.0
The City University of New York
Policy on Acceptable Use of Computer Resources

Introduction

CUNY’s computer resources are dedicated to the support of the university’s mission of education, research and public service. In furtherance of this mission, CUNY respects, upholds and endeavors to safeguard the principles of academic freedom and freedom of expression for all its faculty, adjuncts, researchers and students.

CUNY recognizes that there is a concern among the university community that because information created, used, transmitted or stored in electronic form is by its nature susceptible to disclosure, invasion, loss, and similar risks, electronic communications and transactions will be particularly vulnerable to infringements of academic freedom. CUNY’s commitment to the principles of academic freedom and freedom of expression includes electronic information. Therefore, whenever possible, CUNY will resolve doubts about the need to access CUNY computer resources in favor of a user's privacy interest.

However, the use of CUNY computer resources, including for electronic transactions and communications, like the use of other university-provided resources and activities, is subject to the requirements of legal and ethical behavior. This policy is intended to support the free exchange of ideas among members of the CUNY community and between the CUNY community and other communities, while recognizing the responsibilities and limitations associated with such exchange.

Applicability

This policy applies to all users of CUNY computer resources, whether affiliated with CUNY or not, and whether accessing those resources on a CUNY campus or remotely.

This policy supersedes the CUNY policy titled “CUNY Computer User Responsibilities” and any college policies that are inconsistent with this policy.

Definitions

“CUNY Computer resources” refers to all computer and information technology hardware, software, data, access and other resources owned, operated, or contracted by CUNY. This includes, but is not limited to, personal computers, handheld devices, workstations, mainframes, minicomputers, servers, network facilities, databases, memory, and associated peripherals and software, and the applications they support, such as e-mail, virtual communities supported through course management systems (e.g., BlackBoard), chat rooms, list-serves or blogs, and access to the internet.

“E-mail” includes point-to-point messages, postings to newsgroups and listservs, and any electronic messages involving computers and computer networks.

Rules for Use of CUNY Computer Resources

1. Authorization. Users may not access a CUNY computer resource without authorization or use it for purposes beyond the scope of authorization. This includes attempting to circumvent CUNY computer resource system protection facilities by hacking, cracking or similar activities, accessing or using another person’s computer account, and allowing another person to access or use the user’s account. This provision shall not prevent a user from authorizing a colleague or clerical assistant to access information under the user’s account on the user’s behalf while away from a CUNY campus or because of a disability. CUNY computer resources may not be used to gain unauthorized access to another computer system within or outside of CUNY. Users are responsible for all actions performed from their computer account.

2. Purpose. Use of CUNY computer resources is limited to activities consistent with CUNY’s mission. Use of CUNY computer resources for private commercial purposes, unauthorized not-for-profit business activities, private advertising of products or services, or any activity meant to foster personal gain is prohibited. CUNY computer resources may not be used to engage in partisan political activity.

Incidental personal use of computer resources is permitted so long as such use does not interfere with CUNY operations, does not compromise the functioning of CUNY computer resources, does not interfere with the user’s employment or other obligations to CUNY, and is otherwise in compliance with this policy.

3. Compliance with Law. CUNY computer resources may not be used for any purpose or in any manner that violates CUNY rules, regulations or policies, or federal, state or local law. Users who engage in electronic communications with persons in other states or countries or on other systems or networks may also be subject to the laws of those other states and countries, and the rules and policies of those other systems and networks. Users are responsible for ascertaining, understanding, and complying with the laws, rules, policies, contracts, and licenses applicable to their particular use.

Examples of applicable federal and state laws include the laws of libel, obscenity and child pornography, as well as the following [add links]:

Family Educational Rights and Privacy Act
Electronic Communications Privacy Act
Computer Fraud and Abuse Act
New York State Freedom of Information Law


Examples of applicable CUNY rules and policies include the following [add links]:

Sexual Harassment Policy
Policy on Maintenance of Public Order
Web Site Privacy Policy
Gramm-Leach-Bliley Information Security Program
College policies on academic integrity

4. Licenses and Intellectual Property. Users of CUNY computer resources may use only legally obtained, licensed data or software and must comply with applicable licenses or other contracts, as well as copyright, trademark and other intellectual property laws.

Much of what appears on the internet and/or is distributed via electronic communication is protected by copyright law, regardless of whether the copyright is expressly noted. Users of CUNY computer resources should generally assume that material is copyrighted unless they know otherwise, and not copy, download or distribute copyrighted material without permission unless the use does not exceed fair use as defined by the federal Copyright Act of 1976. Protected material may include, among other things, text, photographs, audio, video, graphic illustrations, and computer software.

5. False Identity and Harassment. Users of CUNY computer resources may not employ a false identity, mask the identity of an account or computer, or use computer resources to engage in abuse of others, such as sending harassing, obscene, threatening, abusive, deceptive, anonymous messages within or outside CUNY.

6. Confidentiality. Users of CUNY computer resources may not invade the privacy of others by, among other things, viewing, copying, modifying or destroying data or programs belonging to or containing personal or confidential information about others, without explicit permission to do so. CUNY employees must take precautions to protect the confidentiality of personal or confidential information encountered in the performance of their duties or otherwise.

7. Integrity of Computer Resources. Users may not install, use or develop programs intended to infiltrate, damage or alter a computer resource, or which could reasonably be expected to cause, or does cause, directly or indirectly, excessive strain on any computing facility. This includes, but is not limited to programs known as computer viruses, Trojan horses, and worms.

8. Disruptive Activities. CUNY computer resources must not be used in a manner that could reasonably be expected to cause or does cause, directly or indirectly, unwarranted or unsolicited interference with the activity of other users. This provision explicitly prohibits chain letters, virus hoaxes or other intentional e-mail transmissions that disrupt normal e-mail service. Also prohibited are spamming, junk mail or other unsolicited mail that is not related to CUNY business and is sent without a reasonable expectation that the recipient would welcome receiving it, as well as the inclusion on e-mail lists of individuals who have not requested membership on the lists, other than the inclusion of CUNY faculty, staff and students on lists related to CUNY business. CUNY has the right to require users of CUNY computer resources to limit or refrain from other specific uses if, in the opinion of the IT director at the user’s college, such use interferes with efficient operations of the system.

9. CUNY Names and Trademarks. CUNY names, trademarks and logos belong to the university and are protected by law. Users of CUNY computer resources may not state or imply that they speak on behalf of CUNY or use a CUNY name, trademark or logo without authorization to do so. Affiliation with CUNY does not, by itself, imply authorization to speak on behalf of CUNY.

10. Security. CUNY employs various measures to protect the security of its computer resources and of users’ accounts. However, CUNY cannot guarantee such security. Users are responsible for engaging in safe computing practices by guarding their passwords and changing them regularly, logging out of shared systems at the end of use, and taking reasonable precautions to secure access to CUNY computer resources. Access and other security violations must be reported to the IT director at the affected user’s college.

11. Filtering. CUNY reserves the right to install spam, virus and spyware filters and similar devices including network traffic monitors, packet-shapers and bandwidth regulation devices, if necessary in the judgment of CUNY’s Office of Information Technology or a college IT director to protect the security and integrity of CUNY computer resources. Notwithstanding the foregoing, CUNY will not install filters that restrict faculty or student access to e-mail or websites based solely on content.

12. Confidential Research Information. Principal investigators and others who use CUNY computer resources to store or transmit research information that is required by law or regulation to be held confidential or for which a promise of confidentiality has been given, are responsible for taking steps to protect confidential research information from unauthorized access or modification. In general, this means storing the information on a computer that provides strong access controls (passwords) and encrypting files, documents, and messages for protection against inadvertent or unauthorized disclosure while in storage or in transit over data networks. Robust encryption is strongly recommended for information stored electronically on all computers, especially portable devices such as notebook computers, Personal Digital Assistants (PDAs), and portable data storage (e.g., Memory Stick™, removable flash memory devices) that are vulnerable to theft or loss, as well as for information transmitted over public networks. Software and protocols used should be endorsed by CUNY’s Office of Information Technology and provide the capability for properly designated CUNY personnel to decrypt the information, when required and authorized under this policy.

13. CUNY Access to Computer Resources.

CUNY does not routinely monitor, inspect, or disclose individual usage of its computer resources without the user’s consent. In most instances, if the university needs information located in a CUNY computer resource, it will simply request it from the author or custodian. However, CUNY IT professionals and staff do regularly monitor general usage patterns as part of normal system operations and maintenance and might, in connection with these duties, observe the contents of web sites, e-mail or other electronic communications. Except as provided in this policy or by law, these individuals are not permitted to seek out contents or transactional information, or disclose or otherwise use what they have observed. Nevertheless, because of the inherent vulnerability of computer technology to unauthorized intrusions, users have no guarantee of privacy during any use of CUNY computer resources or in any data in them, whether or not a password or other entry identification or encryption is used. Users may expect that the privacy of their electronic communications and of any materials contained in computer storage in any CUNY electronic device dedicated to their use will not be intruded upon by CUNY except as outlined in this policy.

CUNY may specifically monitor or inspect the activity and accounts of individual users of CUNY computer resources, including individual login sessions, e-mail and other communications, without notice, in the following circumstances:

  1. when the user has voluntarily made them accessible to the public, as by posting to Usenet or a web page;
  2. when it is reasonably necessary to do so to protect the integrity, security, or functionality of CUNY or other computer resources, as determined by the college chief information officer or his or her designee, after consultation with CUNY’s chief information officer or his or her designee;
  3. to diagnose and resolve technical problems involving system hardware, software, or communications, as determined by the college chief information officer or his or her designee, after consultation with CUNY’s chief information officer or his or her designee;
  4. when it is necessary to protect CUNY from liability, or when failure to act might result in significant bodily harm, significant property loss or damage, or loss of significant evidence, as determined by the college president or a vice president designated by the president, after consultation with the Office of General Counsel and the Chair of the University Faculty Senate or Vice Chair if the Chair is unavailable;
  5. when there is a reasonable basis to believe that CUNY policy or federal, state or local law has been or is being violated, as determined by the college president or a vice president designated by the president, after consultation with the Office of General Counsel and the Chair of the University Faculty Senate or Vice Chair if the Chair is unavailable;
  6. when an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns, as determined by the college president or a vice president designated by the president college and the chief information officer or his or her designee, after consultation with CUNY’s chief information officer or his or her designee, the Office of General Counsel, and the Chair of the University Faculty Senate or Vice Chair if the Chair is unavailable; or
  7. as otherwise required by law.

Except where specifically forbidden by law, in those situations in which the Chair of the University Faculty Senate is to be consulted prior to monitoring or inspecting an account, the college president shall report the completion of the monitoring or inspection to the Chair and the CUNY employee affected, who shall also be told the reason for the monitoring or inspection.

CUNY, in its discretion, may disclose the results of any general or individual monitoring or inspection to appropriate CUNY personnel or agents, or law enforcement or other agencies. The results may be used in college disciplinary proceedings, discovery proceedings in legal actions, or otherwise as is necessary to protect the interests of the University.

In addition, users should be aware that CUNY may be required to disclose to the public under the New York State Freedom of Information Law communications made by means of CUNY computer resources in conjunction with University business.

Any disclosures of activity of accounts of individual users to persons or entities outside of CUNY, whether discretionary or required by law, shall be approved by the General Counsel and shall be conducted in accordance with any applicable law. Except where specifically forbidden by law, CUNY employees subject to such disclosures shall be informed promptly after the disclosure of the actions taken and the reasons for them.

The Office of General Counsel shall issue an annual statement of the instances of account monitoring or inspection that fall within categories d through g above. The statement shall indicate the number of such instances and the cause and result of each. No personally identifiable data shall be included in this statement.

See CUNY’s Web Site Privacy Policy [add link] for additional information regarding data collected by CUNY from visitors to the CUNY website at cuny.edu.

14. Enforcement. Violation of this policy may result in suspension or termination of an individual’s right of access to CUNY computer resources, disciplinary action by appropriate CUNY authorities, referral to law enforcement authorities for criminal prosecution, or other legal action, including action to recover civil damages and penalties.

Violations will normally be handled through the university disciplinary procedures applicable to the relevant user. For example, alleged violations by students will normally be investigated, and any penalties or other discipline will normally be imposed, by the Office of Student Affairs.

CUNY has the right to temporarily suspend computer use privileges and to remove from CUNY computer resources material it believes violates this policy, pending the outcome of an investigation of misuse or finding of violation.

15. Additional Rules. Additional rules, policies, guidelines and/or restrictions may be in effect for specific computers, systems, or networks, or at specific computer facilities at the discretion of the directors of those facilities. Any such rules which potentially limit the privacy or confidentiality of electronic communications or information contained in electronic or other media dedicated to CUNY faculty, student or staff use will be subject to the substantive and procedural safeguards provided by this policy.

16. Disclaimer. CUNY shall not be responsible for any damages, costs or other liabilities of any nature whatsoever with regard to the use of CUNY computer resources. This includes, but is not limited to, damages caused by unauthorized access to CUNY computer resources, data loss, or other damages resulting from delays, non-deliveries, or service interruptions, whether or not resulting from circumstances under CUNY’s control.

Users receive and use information obtained through CUNY computer resources at their own risk. CUNY makes no warranties (expressed or implied) with respect to the use of CUNY computer resources. CUNY accepts no responsibility for the content of web pages or graphics that are linked from CUNY web pages, for any advice or information received by a user through use of CUNY computer resources, or for any costs or charges incurred by a user as a result of seeking or accepting such advice or information.

CUNY reserves the right to change this policy and other related policies at any time. CUNY reserves any rights and remedies that it may have under any applicable law, rule or regulation. Nothing contained in this policy will in any way act as a waiver of such rights and remedies.

Security Policies and Advisories

Private Information Advisory

Protecting the personal private information of our students, faculty and staff is of utmost importance to the University. Exercising due diligence to prevent unauthorized disclosure of private information is the continuous responsibility of all constituents who maintain, use, distribute or share such information – regardless of the form in which the information is stored – electronic or paper. Not only does it make sense to protect the private information belonging to others, such practices are mandated by Federal and State Laws.

Unauthorized disclosure of private information can have a severe adverse impact on the financial profile of our constituents and could lead to significant embarrassment to the University and to those directly responsible for the disclosure. New State Law requires individual notification of those affected and there are other internal University and external reporting requirements.

When private information is disclosed to the Internet and made easily accessible through Internet search engines, it is extremely difficult to remove the private information in an expedited manner and there can be no assurance that this information is no longer accessible through lesser known or privately engineered Internet search engines in far offshore locations. In addition, once the information is published to the Internet it could have been saved to local computers intended to be used for less than ethical reasons. Similar risks can be illustrated if information is stolen or hacked from presumably secure computers.

The CUNY Information Security Management Office has published direct links of major Internet search engines to request the removal of information from their index and cache. Additional resources provide instructions on how to prevent the search engines from collecting your information. Please refer to security.cuny.edu under Security Resources.

Please be aware that this does not prevent the possible theft of information through unethical hacking or poorly implemented access controls. Only prudent security configuration, control over who has access, and maintaining current software patch levels can minimize these risks.

In the event of an unauthorized disclosure (or suspected disclosure) of private information the Breach of Private Information procedure must be followed. This procedure is available at security.cuny.edu under Security Policies.

Examples of private information include, but are not limited to, social security numbers, driver's license or non-driver identification card numbers, credit, debit, or other financial account numbers in combination with access codes permitting access to an individual's accounts. The disclosure of private information in combination with personal identifiers such as an individual's name must be protected.

Please exercise the following security measures:

  1. When files contain private information do not allow the files to be searchable and publishable to the Internet search engines.
  2. When files include private information and are to be stored on any type of portable device (including a desktop computer) or transmitted, the files must be encrypted and password protected.
  3. Do not include social security numbers on displays, reports or spreadsheets unless absolutely necessary. When unique identification is desirable mask the social security number to include only the last four numbers or mask the entire entry if social security number is used as a data entry field for authentication.
  4. Delete files and cross-shred documents when no longer needed.
  5. Do not leave your computer unattended and accessible to others. Either logout or use the screen lock features of your computer.
  6. Do not share your password with anyone, do not write it down, and change it regularly.
  7. Computer operating systems and other programs should be maintained to current software security patch levels.
  8. Keep access to information aligned with individual job responsibilities.
Identity theft is unfortunately very common, very costly and can be damaging to our constituents. Please protect the private information of others as if it were your own.


E-mail/Password Usage Advisory

Whether information of a sensitive nature is transported via e-mail as text or as an attachment, we remind our constituents to adhere to the following practices.
  1. Passwords, PIN or any type of security or access code should not be transmitted as part of an e-mail message (either as in-line text or attachment) without the data being encrypted. The decryption key must be transmitted separately from the encrypted data.

  2. The communication of passwords, PIN, or other type of security or access code should be communicated over a land-based telephone line or secured wireless telephone equipment.

  3. Transmission of other private or sensitive information should be handled similarly to passwords, PIN, or any type of security or access code.

  4. Private or sensitive information would be data elements or collection of data elements that could be used to attribute directly to an individual. Examples would include, but are not limited to, social security number, drivers’ license number, credit/debit card numbers, salary, and medical information.

  5. In some cases, electronic mail messages created from CUNY electronic mail systems are automatically forwarded to non-CUNY electronic mail systems. This practice potentially exposes private or sensitive information to the public Internet or to misuse or diversion on non-CUNY provided computers. Disabling automatic forwarding is recommended if sensitive information could be a part of e-mail messages and/or attachments.

  6. Sometimes individuals are asked to disclose their passwords because of absences (planned or otherwise) from the office. The practice of sharing passwords is not allowed and computer access should only be allowed through a user ID belonging to a specific individual.
Carl Cammarata
CUNY Information Security Officer


CUNY Phishing Advisory

The following advisory is being distributed to the CUNY community to raise the awareness of specific computer security risks and issues. Please distribute as appropriate throughout your organization.

Increasingly, CUNY students, faculty and staff receive e-mails appearing to be from legitimate sources which are actually fraudulent and clever methods to trick you into disclosing personal information for criminal intent. These techniques are commonly referred to as Phishing. Frequently these e-mails come from familiar sounding names of banks and financial institutions. To minimize the risk of you becoming a victim of identity theft follow these basic practices when using the Internet:
  1. Avoid clicking on any web links from within an email. These embedded links may direct your Internet browser session to illegitimate web sites asking for personal information and could also download malicious code, such as viruses, onto your machine. Instead, start a new Internet browser session and enter the legitimate web site address into the address bar of the browser.

  2. The content of many phishing e-mails can be very threatening (e.g., account closure, account verification, account updates, account is limited) and can be convincing to entice the user to follow through with the provided instructions. By far, most institutions will use non-Internet methods, such as the U.S. Postal Service, to send these types of notices and then will only send them to your official address of record. If in doubt about the legitimacy of these threatening e-mails, call the institution using the phone number on your last statement or on the back of your credit card.


  3. Similarly, financial institutions generally require some form of an initial setup to be completed prior to allowing electronic banking services. An online relationship is usually not established automatically or through exchange of e-mails. Become familiar with your financial institution’s online registration process. If in doubt, call the institution using the phone number on your last statement or on the back of your credit card.


  4. Update your computer’s operating and Internet browser software on a regular basis. These updates routinely include security enhancements.


  5. Maintain anti-virus programs to the current level of protection.


  6. Select and maintain passwords that are difficult to guess and change them regularly.
Carl Cammarata
CUNY Information Security Officer


Last Updated 1/22/2008 10:39:23 AM
@Copyright 2007 - LaGuardia Community College