Acceptable Use of E-Resources Policy
Policy #: | LFC.ITS.1 |
Date: | 10/23/2023 |
Author: | LFC ITS |
Version: | 2.5 |
Status: | Approved |
Table of Content:
1. SCOPE:
This policy applies to:- All persons who access or use 91¿´Æ¬Íø’s electronic resources. This includes but is not limited to faculty, staff, students, alumni, authorized guests of 91¿´Æ¬Íø, and others granted permission by Information Technology Services (ITS), who shall henceforth be referred to as “Users”;
- All Information Technology and related Electronic Resources (henceforth “e-resources”), which include but are not limited to:
- Technology equipment owned by the College, including but not limited to desktop and mobile computing devices and peripherals, communication and networking equipment, servers, and storage systems;
- Access to or use of licensed software purchases, subscriptions, or “____ as a Service” platforms regardless of whether they are hosted “in the cloud” or on College premises;
- Wired and wireless network services maintained by Information Technology Services (hereafter “ITS”) for storing, processing, or transmitting data including audio, video, or other related signals conveying information;
- Access to or use of any College data, systems, or applications from devices not controlled or maintained by the College;
- The creation, processing, communication, distribution, storage, and disposal of all information under the College's control.
- All third-party electronic resources which users may access through their association with the College. Please note that use of these resources is governed by this policy and any applicable policies held by the third-party provider.
2. PURPOSE:
The purpose of this Acceptable Use Policy is to provide the 91¿´Æ¬Íø community with guidelines regarding the responsible and respectful use of e-resources, which are provided to support the educational, administrative, and campus life activities of the College. Because e-resources are both finite and critical to the academic and administrative work of the College, supporting these core functions must take priority over other activities. Because e-resources are shared, each member of the College’s community must do their part to use e-resources appropriately and protect them from unauthorized access or misuse. This policy communicates what the College considers authorized and unauthorized uses of its e-resources, while sharing expectations, oversight methods, and consequences for policy violations. As a condition of access to and use of College e-resources, all users: 1. consent to all provisions of College policies, and 2. agree to abide by all of the terms and conditions contained therein.3. AUTHORIZED USES:
3.1 Respect for laws, policies, and codes of conduct: All 91¿´Æ¬Íø users are expected to conduct themselves in a responsible, ethical, and legal manner consistent with the college’s Mission Statement, its Academic Values, and this Acceptable Use Policy. All use of College e-resources must also comply with:- Other College policies, procedures, and codes of conduct, including those found in student and faculty/staff handbooks;
- All federal, state, or local laws and regulations applicable to the user and/or the College; and,
- All relevant licenses and other contractual commitments of the College, which may be updated periodically and without notice.
3.3 Fair Share: College e-resources – especially storage space, CPU cycles, and network bandwidth – are finite in nature. Users must respect the limited capacity of e-resources and limit consumption to avoid negatively impacting other users. The College reserves the right to set limits on and/or throttle access to e-resources for users who do not refrain from excessive or unreasonable use of them. “Reasonable use” will be assessed within the context of all relevant circumstances, but any use which interferes with others’ ability to use e-resources or the business or educational functions of the College will be considered unacceptable.
3.4 Limited Personal Use: Personal use of limited College e-resources – such as network bandwidth and CPU cycles on shared systems – by employees must be incidental in nature. Incidental use shall be defined as occasional use which has a negligible effect on the availability of e-resources to others, does not interfere with a user’s work or responsibilities, does not incur additional costs for the College, and is not of a commercial or profit-making nature. However, the College recognizes that faculty may participate in external academic and professional activities aligned with their institutional roles and which may involve nominal compensation. Examples might include professional associations and/or academic societies, preparing scholarly publications, participating in other institutions’ tenure or departmental reviews, etc. Use of College e-resources in connection with these activities is generally acceptable presuming it is not excessive and otherwise aligns with the College mission and other policies.
4. UNAUTHORIZED USES:
The following categories of e-resource use are inappropriate and prohibited:4.1 Violations of law: Users must obey all federal, state, and local statutes and regulations while using College e-resources. Users must also avoid violating the rights of any other person or entity protected by copyright, trade secret, patent or other intellectual property, privacy, or similar laws or regulations using same. Users shall not engage in illegal file-sharing, nor use or share pirated software. For further information, consult the Copyright and Fair Use Policy. The College is obligated to inform appropriate legal authorities upon becoming aware of violations of law committed on or with its e-resources. Examples include making bomb threats, infringing copyright, or trafficking in Child Sexual Abuse Materials (CSAM.)
4.2 Commercial Activities: Any use that is inconsistent with the of the College. As a tax-exempt organization, the College is subject to federal, state, and local laws regarding sources of income, political activities, use of property, and more. As a result, commercial use of e-resources for non-91¿´Æ¬Íø purposes is prohibited, except when specifically authorized and permitted under conflict-of-interest, outside employment, and/or other policies of the College. Prohibited commercial use does not include communications and exchange of data that furthers the College's educational, administrative, research, and other goals, regardless of incidental benefits to an external organization.
4.3 Political Activities: Use of e-resources that suggests College endorsement of any political candidate, party, or ballot initiative is prohibited. Users are prohibited from using e-resources for lobbying activities which connotes College involvement or endorsement, unless specifically authorized by the administration of the College.
4.4 Attempts to circumvent security measures: Any attempt (whether successful or not) to circumvent, avoid, or defeat any security measures protecting College e-resources, or to assist someone else with those activities, is prohibited. This includes attempts to gain unauthorized access, intercept, tamper with, modify, or delete College data without permission, deny or interfere with the functioning of e-resources for others or otherwise compromise the cybersecurity posture of the College, including activities such as password cracking, privilege escalation, or exploiting security vulnerabilities. Use of anonymizing and/or evasion tools such as TOR networks is also prohibited. For further information, consult the 91¿´Æ¬Íø Information Security Policy.
4.5 Sharing Access or Credentials: It is expressly forbidden for students and employees to share account usernames/user IDs, passwords, or other access credentials with others, or to otherwise provide unauthorized users with access to College e-resources. Contractors may, under certain circumstances, receive specific instructions from the CIO or their designee regarding shared use of a single business account to complete work for the College.
4.6 Disguise, Impersonation, or Forgery: Users are prohibited from attempting to conceal their identity, use a false identity, or otherwise misrepresent themselves except where anonymous access, participation, or use is expressly authorized. Users shall not use any login credentials other than their own except on specific systems (example: loaner or podium/display systems) where logins may not be required.
4.7 Inappropriate Data Exposure: Protecting the privacy and integrity of confidential data, especially Personally Identifiable Information (or “PII”), is of paramount importance to 91¿´Æ¬Íø. As such, engaging in activities that expose, mishandle, or misuse such data is strictly prohibited. This includes, but is not limited to:
- Inappropriate Access: Accessing, intercepting, or distributing data without appropriate authorization, including reading, copying, or modifying another user's data, emails, files, or other resources without explicit permission.
- Distribution of Confidential Information: It is strictly prohibited to disclose, distribute, or use College information, including personal or confidential data, without the necessary authorization.
- Unauthorized Distribution of PII: Deliberately or negligently sharing, transmitting, or exposing another user's personally identifiable information without proper consent. PII can include names, addresses, social security numbers, financial data, or any other information that can be used to identify an individual.
- Failure to Report Data Exposure: If you become aware of a data leak, inappropriate data exposure, or any event where sensitive data might be compromised, it is your responsibility to immediately report it to infosec@lakeforest.edu. Quick reporting can help mitigate potential damages and further exposure.
- Unauthorized Data Storage: Storing sensitive or protected data on non-secure devices, personal cloud storage, or any other unauthorized platforms that do not meet the College's data protection standards.
- Bypassing Data Controls: Attempting to circumvent, disable, or tamper with any data protection mechanisms, encryption protocols, or other security measures in place to protect sensitive data.
4.8 Harassment, threatening, or harmful behavior: At the College, policies regarding discrimination and harassment apply equally to electronic systems, displays, and communications as they apply to traditional oral or written communications. Prohibited forms of communication include defamatory, abusive, or sexually, racially, or ethnically offensive materials, harassment, invasions of privacy, intimidation, threats, or other harmful behavior, such as:
-
- Anonymous or repeated unwelcome electronic contact with another user is also prohibited, regardless of whether the recipient’s objection is due to language, frequency, or the size of messages.
- Discrimination based on race, sex, national origin, disability, age, religion, sexual orientation, or other protected status;
- Advocacy directed to incite, facilitate, or produce lawless action.
-
- Engaging in malicious activities that undermine the integrity, functionality, and security of College's e-resources is forbidden. This includes, but is not limited to:
-
- Introduction of Malicious Software: Uploading, downloading, or deliberately propagating viruses, worms, Trojans, ransomware, or any other form of malicious software;
- Resource Overload: Initiating or participating in any activity intended to degrade, disrupt, or overwhelm the normal functionality of a network, server, service, or application. This encompasses activities like Distributed Denial of Service (DDoS) attacks or other form of resource flooding, such as email “chain letters” or unwanted solicitations or information (“spam”);
- Sabotage: Deliberately altering, defacing, corrupting, destroying, or otherwise damaging data, software, or hardware belonging to the College or other users, whether through physical or electronic means.
-
4.11 Unauthorized Activities:
-
-
- Engaging in activities that jeopardize the integrity, functionality, or performance of the College's systems or network is strictly prohibited. This includes, but is not limited to:
-
- Scanning and Probing: Conducting any form of network scanning or probing, be it to discover system vulnerabilities, open ports, or other network attributes without prior authorization from the CIO or ISM. These activities should only be performed by ITS and/or their designated vendors.
- Misusing Resources: Excessive consumption of network bandwidth, such as large-scale streaming, downloading, or uploading, especially for non-academic or non-official college purposes, is strictly forbidden.
- Denial of Service Attacks: Deliberately engaging in activities that degrade or deny service to users, either by overwhelming network resources or exploiting system vulnerabilities.
- Capturing Credentials: Creating any program, web form, or other mechanism that captures and/or retransmits 91¿´Æ¬Íø credentials, unless the authentication method and process is explicitly authorized by Information Technology Services.
- Traffic Sniffing: Intercepting, monitoring, or collecting data packets traveling across the network without explicit permission. Unauthorized data gathering, surveillance, or intelligence collection are also prohibited.
- System Modifications: With regard to shared lab computers, users shall not make any significant modifications to the condition or status of any computer equipment – including the alteration of critical system files, network, or peripheral connections. Installation of personal software or hardware on shared lab computers is prohibited. With regard to College-owned personal office, departmental, research, and teaching computers, users who make any significant modifications to the condition or status of any computer equipment, including the installation of hardware or software, the alteration of critical system files, network, or peripheral connections, are not entitled to, but may receive, technical support from ITS User Services for these changes. Modifications such as formatting the internal storage device, reinstalling the operating system, or removing required software such as MDM or security software shall be considered a violation of the Minimum Access Requirements section of the Information Security Policy.
- Unsanctioned Server Hosting: Setting up personal servers or services can compromise network and information security and consume substantial bandwidth, which is prohibited without prior authorization from ITS. Authorization for such activities will only be granted when the system in question can be appropriately secured (the owner commits to following IT best practices, including access following the principle of least privilege, applying regular software updates, and patching or otherwise remediating vulnerabilities as they are discovered.) Failure to do so in a timely fashion will result in loss of authorization and removal of network access for the unsanctioned system.
- Peer-to-Peer (P2P) and Torrenting: Unauthorized file sharing, especially of copyrighted material, through peer-to-peer networks or torrents, is prohibited.
- VPN and Tunneling: Setting up or using unauthorized VPNs or tunneling protocols to bypass network restrictions or hide user activity.
- MAC Spoofing: Changing the Media Access Control (MAC) address of devices to impersonate other devices or bypass network access controls.
-
-
-
- Users should not state or imply that they speak on behalf of the College or use College trademarks or logos without authorization to do so. Authorization to use College trademarks or logos is granted solely by the Office of Communications and Marketing.
5. USER RESPONSIBILITIES:
5.1 Respect for Others: Users shall respect and honor the rights of other individuals regarding copyright and intellectual property, personal privacy, freedom from harassment, intellectual freedom and the pursuit of academic inquiry, and others’ use of College e-resources. Actions that make the campus intimidating, threatening, demeaning, or otherwise hostile for another person are considered serious offenses by the College, even if those communications do not take place on e-resources belonging to the College.5.2 Safeguard Credentials and Data: Users are expected to safeguard college credentials, data, and access to e-resources by:
- Accessing e-resources from secure environments and by locking or logging out of sessions before leaving computers unattended;
- Employing an encrypted Virtual Private Network (VPN) session when accessing College data from insecure networks, such as open Wi-Fi networks in public spaces;
- Using only systems and accessing only the data to which you are authorized, and only to the extent necessary for your work, study, or research;
- Refraining from sending or asking to receive sensitive or confidential data via insecure communication channels such as email, instant message platforms, or SMS texts;
- Keeping technology assets within the care of the assigned individual. Technology assets are not to be loaned or given to non-College persons or entities without prior authorization from ITS;
- Frequently applying available software updates to patch known vulnerabilities in software which may otherwise compromise College e-resources;
- Using anti-virus/anti-malware/endpoint protection software and keeping it up to date with current definitions/subscriptions;
- Creating regular backups of any work stored on local media to ensure against loss;
- Changing passwords or taking other actions required by ITS promptly when informed that their account or credentials have been compromised;
- Complying with requests from ITS staff or other authorized personnel to cease using e-resources that pose an identifiable threat to other College e-resources or expose the College to unnecessary risk;
- Choosing strong passwords which cannot be easily guessed or “cracked” by threat actors and not re-using passwords across multiple systems, services, or applications. Consult the Password Policy for more detail.
- Employing strong encryption to protect the data stored on laptops, mobile devices (phones, tablets, etc.), or other devices which are more susceptible to loss or theft is strongly encouraged.
5.3 Report losses, breaches, and security issues: Users are expected to report any of the following to ITS immediately:
- Any loss of College hardware assets, especially if the device might contain PII or other sensitive or confidential data;
- Any unauthorized access to systems or data;
- Any breaches or suspected breaches of College systems or security;
- Any gaps in security which the user encounters or discovers;
- Any suspected violations of this or other College/ITS policies.
5.5 Honor College Contracts and Licenses: All use of e-resources must be consistent with contractual obligations held by the College, including limitations defined in software and other licensing agreements. Proprietary software made available by the College may not be duplicated or redistributed by users. Users shall not alter software installed by ITS on College-owned computing devices in any manner.
5.6 Cooperation with Investigations: Users are expected to promptly respond, forthrightly answer questions, and otherwise cooperate with College administration in any investigations into misuse of College e-resources. Failure to cooperate may be grounds for cancellation of access privileges, or other disciplinary actions.
5.7 When Questions Arise: Users should consult with Information Technology Services (ITS) to obtain answers to any acceptable use questions not addressed in this Policy.
6. OTHER EXPECTATIONS:
6.1 Committing Resources: 91¿´Æ¬Íø e-resources may not be used, committed, or made available to others without prior authorization of the Chief Information Officer and the responsible Vice President(s) for:- any ongoing business or other commercial activity not administered by the College;
- the benefit of persons or organizations other than the College; or
- political or lobbying activities.
6.3 Responsibility for Content: Official College information may be published in a variety of electronic forms. Deans, directors, and department chairs under whose auspices the information is published are considered the certifying authority for such official information and are responsible for the content of published documents they certify. While other users may also be able to publish information on or over College e-resources, the College or the appropriate ITS staff cannot screen such privately published material, ensure its accuracy, nor assume responsibility for its content. The College considers any electronic publication provided on or over College e-resources that lacks a certifying authority as the private speech of an individual user.
6.4 Social Media Accounts: Employees who manage accounts on social media such as Facebook, Instagram, or X (previously known as Twitter) on behalf of 91¿´Æ¬Íø are expected to always observe this policy, regardless of whether they do so from College or personally owned e-resources. Guidelines on using social media have been developed by the Office of Marketing and Communications.
6.5 Regulatory Obligations: Nothing in this policy changes or supersedes individuals’ or the College’s rights or obligations to comply with applicable federal and state laws or regulations governing the use and privacy of information, including, but not limited to:
- (FACTA, or the “Red Flags Rule”)
- (FERPA),
- (GLBA),
- (HIPAA),
- (PCI-DSS), or
- (PIPA)
7. EXPECTATIONS OF PRIVACY AND OVERSIGHT METHODS:
7.1 Expectations of Privacy: The College places a high value on privacy, understanding its critical importance in an academic setting. As such, the College does not routinely monitor the individual use of e-resources and ITS staff responsible for managing those e-resources will perform their tasks in a manner that is respectful of individual privacy and promotes user trust. That said, the College is obligated by federal regulations to secure its e-resources – including servers, networks, hosted applications, and other systems – and that cannot be accomplished without extensive logging of access, activities, and connections and then subsequently performing User and Entity Behavior Analytics (UEBA) on that data to identify anomalous behavior. As such, users have no reasonable expectation of privacy, particularly with respect to any electronic communication and content created, viewed, or saved while using College-owned technology and systems.7.2 Access without Consent: The College may determine that other considerations outweigh the value of an individual user's expectation of privacy and warrant College access to relevant e-resources without the consent of the user. Under federal and state law authorizing such activities, the College may access, monitor, and/or disclose all aspects of e-resources, including a user’s communications or other data without the knowledge or consent of the user, under the following Authorized Conditions:
- To maintain the integrity of its systems, network, or data;
- When required by federal, state, or local law, court order, or other legal authority;
- To preserve the health and safety of individuals or the 91¿´Æ¬Íø community;
- When there are reasonable grounds to believe that a violation of law or a significant breach of College policy may have taken place and access, inspection or monitoring may produce evidence related to the possible misconduct; or
- To address a legitimate business need, such as continued function of a work unit after a user’s termination of employment.
7.3 Oversight Methods: For absolute clarity, ITS staff who are charged with the daily administration, oversight, and security of College systems, servers, networks, or applications and may preserve the confidentiality, availability, and/or integrity of those-resources. To do so, authorized ITS employees may at any time:
- Limit, throttle, or block any user's access to e-resources without advance notice;
- Reject or destroy email messages, email attachments, or other files suspected of being spam or containing malicious code;
- Exercise administrative authority over networks, systems, or applications to manage services, grant users access to e-resources, to establish and maintain protective security controls, or to investigate claims that rights or policies have been violated;
- Employ automated system logging and security monitoring tools to identify unauthorized access, misuse of e-resources, or security risks associated with personally owned devices connected to the College network;
- Personally inspect, analyze, and/or disclose such logs to ITS-contracted third-party vendors for the purposes of maintenance or security;
- With the approval of the Chief Information Officer, temporarily shut off the College's Internet connection, servers, or services, without prior notice, to protect College systems, data, and users or to protect other important interests of the College; and/or
- Suspend or terminate users' access to e-resources to investigate or remedy any threat to e-resources, a violation of this policy, or to protect the College from liability. ITS staff will attempt to notify the user of any such action.
8. POLICY VIOLATIONS:
The College may issue a warning, deny access to computing resources, refer for prosecution, or administer other penalties, depending upon the nature of the infraction. Violations will be handled according to normal disciplinary review procedures for students, faculty, or staff as applicable and may result in disciplinary action, up to and including suspension without pay, termination of employment, expulsion from further study, or for third parties, the suspension or revocation of the third party’s relationship with 91¿´Æ¬Íø. Specific processes are provided for:8.1 Complaints: Users who believe themselves to have been harmed by an alleged violation of this policy may file a complaint in accordance with established College procedures. The individual is also encouraged to report the alleged violation to the Chief Information Officer, who must investigate the allegation and, when appropriate, refer the matter to the appropriate College officials and/or law enforcement authorities.
8.2 Reporting Violations: If a member of the College community has observed or otherwise is aware of a violation of this policy, but has not been harmed by the alleged violation, they may report any evidence to the Chief Information Officer, who must investigate the allegation and, when appropriate, refer the matter to the appropriate College officials and/or law enforcement authorities.
8.3 Investigations: 91¿´Æ¬Íø is authorized to investigate alleged or apparent violations of college policy or applicable law using whatever means appropriate. The College reserves the right to monitor, inspect, and/or download information stored on College e-resources in the course of such an investigation. ITS staff may be authorized by the relevant disciplinary authority to investigate policy violations involving e-resources and apply reduction or elimination of access privileges to any College e-resources while the matter is under review.
8.4 Disciplinary Procedures: Alleged violations of this policy will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff, and students, as outlined in the relevant student or faculty/staff handbook. A user accused of a violation will be notified of the charge and will have an opportunity to respond to the appropriate College disciplinary authority. That authority may also deem it appropriate for ITS staff to participate in disciplinary proceedings.
8.5 Penalties: Individuals found to have violated this policy may be subject to penalties provided for in other College policies dealing with the underlying conduct. Violators may also face IT-specific penalties, including temporary or permanent reduction or elimination of some or all IT privileges. The applicable disciplinary authority in consultation with the Chief Information Officer shall determine the appropriate penalties.
8.6 Legal Liability: In addition to College discipline, users may be subject to criminal prosecution, civil liability, or both for unlawful use of any College e-resources. The College reserves the right to seek restitution for any damages or costs related to these incidents.
8.7 Appeals: Users found in violation of this policy may appeal or request reconsideration of any imposed disciplinary action in accordance with the appeals provisions of the relevant disciplinary procedures. Appeals should be directed to the appropriate Dean or Vice President.
RELATED POLICIES:
- Copyright and Fair Use Policy
- Governance & Compliance Policy
- Information Security Policy
- Password Policy
- Privacy Policy
- Network Policy
- Student, Faculty, and Staff Handbooks
RELEVANT ILLINOIS LAWS:
-
- Illinois Statutes Chapter 720. Criminal Offenses § 5/16-1
- Illinois Statutes Chapter 720. Criminal Offenses § 5/17-50
Document Control:
Entry#: | Date | Version | Notes |
1 | 09/27/2012 | 1.0 | Original policy, approved by LITS Advisory Committee |
2 | 01/19/2023 | 2.0 | Revised Policy, reviewed by LITS Advisory Committee |
3 | 10/23/2023 | 2.3 | Revised policy, reviewed by LITS Advisory Committee |
4 | 12/07/2023 | 2.5 | Revised policy, reviewed and approved by LITS Advisory Committee |
5 | 01/03/2024 | 2.5 | Reviewed and approved by the Senior Leadership Team |
Information Technology Services
- Password
- Service Desk
- Students
- Faculty and Staff
- Guests and Visitors
-
Policies
- Acceptable Use of E-Resources Policy
- Change Management Policy
- Computing Device Lifecycle Policy
- Copyright, File Sharing, and DMCA Policy
- Eligibility for Accounts Policy
- Email and Mass Communication Policy
- GLBA Compliance Policy
- Information Security Policy
- Password Policy
- Technology Procurement and Vendor Management Policy
- Printing Services
- Meet Our Staff