Effective Date | July 1, 2024 | Policy Owner | Information Technology Services (ITS) |
---|---|---|---|
Last Reviewed Date | July 1, 2024 | Approved By | President's Council |
Review Cycle | Annual | Policy Contact | Information Security & Compliance Analyst |
Purpose
New York Tech's technology resources and Data are made available to its faculty, staff, students, affiliates, contractors, and other Users for university-related purposes; all other uses are secondary. Access to and the use of these Computer Resources and Data come with specific expectations and User responsibilities. This policy sets forth the rules for acceptable use of these resources at New York Tech.
Scope
This policy applies to all members of the university community, including faculty, students, staff, contractors, and affiliates, and to authorized visitors, guests, and others for whom technology resources and network access are made available by the university. As a condition to being granted use of, or access to, New York Tech Computing Resources, each User is responsible for the following:
- Reviewing, understanding, and complying with policies, laws, and contractual obligations related to access, acceptable use, and security of Computing Resources and Data.
- Consulting with policy owners on acceptable use issues not specifically addressed in this policy.
- Promptly reporting potential information security incidents to the Information Security Office (infosec@nyit.edu).
Use of New York Tech's Computing Resources, even when carried out on a privately-owned device that is not managed or maintained by New York Tech, including personal devices that connect remotely to New York Tech Computing Resources, is also governed by this policy.
Definitions
Computing Resources: Computing Resources include all university-owned, licensed, or managed hardware and software, Data, information, information assets, university-assigned User accounts, and use of the university network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network. These policies apply to technology whether administered in individual departments and divisions or by central administrative departments. They apply to personally owned computers and devices connected by wire or wireless to the university network; to off-site computers that connect remotely to the university's network services; and to all websites bearing university credentials.
Data: Any information, regardless of electronic or printed form or location, that is created, acquired, processed, transmitted, or stored on behalf of New York Tech. This includes Data processed or stored by New York Tech in hosted environments in which New York Tech does not own or operate the technology infrastructure.
User/Users: Any person who uses Computing Resources and Data.
Policy Statement
Institutional Use
Use of all university Computing Resources should be for purposes that are consistent with the non-profit educational mission and the policies and legal requirements of the university (including license agreements and terms of service), and not for commercial purposes.
Personal Use
Incidental personal use of New York Tech's Computing Resources is allowed, provided such use does not:
- Unreasonably interfere with the use of Computing Resources by other Users, or with New York Tech's operation of Computing Resources.
- Interfere with the User's employment or other obligations to New York Tech.
- Circumvent or compromise any security measures put into place by New York Tech.
- Violate any applicable laws or regulations.
- Violate this or other applicable New York Tech policies, standards, procedures, or guidelines.
Access, Privacy and Monitoring
Except where stipulated in relevant collective bargaining contracts, the university has the absolute and unconditional right to access, preserve, monitor, review and disclose all information stored on, or transmitted through, its electronic services, equipment, systems and networks. While the university respects the privacy of electronic communications and makes every attempt to keep electronic information secure, privacy is not guaranteed. The university endeavors to afford reasonable privacy for individual Users, and does not access information created, stored or transmitted by individual Users on its Computing Resources except when it determines that it has a legitimate operational need to do so.
Protection of University Resources
Users of university Computing Resources are responsible for protecting university Data, including its confidentiality, integrity, access, retention and disposal, in accordance with the university's Data Security and Access Management Policy and Record Retention and Destruction Policy, as well as other applicable university policies. Users with electronic access and administrative or custodial responsibility over any university resources should take reasonable measures to protect these accounts and resources. Shared university technological resources should be used for educational purposes and to carry out the legitimate business of the university, and should not be used in a way that disrupts or otherwise interferes with any university activities or systems, or that is inconsistent with the university's policies or mission.
Prohibited Activities
Use of New York Tech's Computing Resources should not violate applicable federal, state, and local law, including U.S. copyright law, or applicable university policies. If New York Tech work is conducted outside the United States, the laws of the relevant nation or state must also be followed. From any location, university resources may not be used to transmit malicious, harassing, or defamatory content.
The following list describes prohibited conduct. The list is not comprehensive but serves to illustrate and help interpret this policy.
- Revealing passwords or otherwise permitting the use by others (by intent or negligence) of personal accounts for computer, software and network access.
- Using or accessing restricted university Computing Resources or Data beyond one's level of authorization.
- Using unapproved remote access clients, third-party email or cloud storage solutions (Gmail, Hotmail, Dropbox, Box, etc.) to conduct official New York Tech business.
- Attempting to access, or accessing, another User's accounts, private files, or email; or inspecting/intercepting network communication without permission, except as appropriate to your job duties and in accordance with legitimate university purposes.
- Knowingly running or installing on any computer system or network, or giving to another User, a program intended to disrupt, damage, or place excessive load on a computer system, service or network (e.g., the propagation of computer malware, the sending of electronic chain mail, etc.).
- Installing, copying, distributing, or using electronic content (including software, music, text, images, and video) without the consent of the publisher, author, or copyright holder, or without a proper license agreement.
- Modifying the physical network connections of any workstation, telephone, or network device without prior authorization from ITS; and installing unauthorized wireless access points.
- Knowingly performing an act which will interfere with the normal operation of Computing Resources.
- Engaging in conduct that interferes with others' use of shared Computing Resources.
- Attempting to circumvent or subvert system or network security controls.
- Exploiting or failing to promptly report any security loopholes, including refusing to run approved security programs.
- Misrepresenting oneself as another individual or otherwise misrepresenting an affiliation with, or endorsement by, any individual or entity (including the university).
- Recording conversations, phone calls, and/or meetings with any recording device, software application, cell phone, etc. without the consent of all parties.
- Storing Confidential or Restricted Data outside of approved locations, and exfiltrating New York Tech Data without authorization.
- Transmitting or transporting Confidential or Restricted Data in an unauthorized manner.
- Using Computing Resources in any manner that risks New York Tech's 501(c)(3) non-profit status.
Warranties and Assurances
New York Tech makes no warranties of any kind, whether express or implied, with respect to the Computing Resources it provides. The university is not responsible for any damage resulting from use of Computing Resources, including service interruptions, loss of Data or damage to hardware or software on your personal systems at home, in the residence halls or public access computer labs on campus.
Related Internal Policies
- Administrative Rights Policy
- Clean Desk and Clear Screen Policy
- Data Security and Access Management Policy
- Mobile Device Policy
- Password Management Policy
- Record Retention and Destruction Policy
- Copyright Policy
Regulatory References
The following are references to related federal and state laws, policies, guidelines, and resources on cybersecurity.
- Federal NIST National Institute of Standards and Technology, U.S. Department of Commerce, Information Technology Laboratory, Computer Security Division, Computer Security Resource Center.
  - NIST 800-53
    - NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, Joint Task Force Transformation Initiative, April 2013.
    - Summary of NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, NIST Computer Security Division, February 19, 2014.
- Federal legislation
  - HIPAA (Health Insurance Portability and Accountability Act)
  - FRCP (Federal Rules of Civil Procedure – a.k.a. eDiscovery)
  - USA Patriot Act
  - FERPA (Family Educational Rights and Privacy Act)
  - GLBA (Gramm-Leach-Bliley Act)
  - FISMA (Federal Information Security Modernization Act)
- State Regulations
  - SHIELD Act (New York's Stop Hacks and Improve Electronic Data Security Act) and other state security regulations
- Associations
  - PCI DSS (Payment Card Industry Data Security Standard)
- International
  - GDPR (European Union's General Data Protection Regulation)
  - PIPEDA (Canadian Personal Information Protection and Electronic Documents Act)
  - PIPA (British Columbia's Personal Information Protection Act)
Violations
Violations of the policy may result in disciplinary action, including dismissal from employment, expulsion from further study, and termination or suspension of IT and network privileges. In addition, if a User's conduct violates federal or state laws, the User may be subject to prosecution under such laws. The university reserves the right to investigate suspected violations using all means available.