POLICY NO.: FI0805	SUBJECT:  INFORMATION TECHNOLOGY RESOURCES
EFFECTIVE: 03/20/2003	REVISION (4):	03/20/2003

OBJECTIVE:

To provide policies and guidelines on the responsible and acceptable use of the university's information technology resources and on software license agreements.

Overview

1. The use of university information technology (IT) resources is a privilege extended in good faith to authorized students, employees, alumni, and affiliates for purposes relating to education, research, service, and administration. Responsible and acceptable use preserves the security, integrity, and availability of information technology resources and assures the authentication and accountability of each user.
   
   The university, including its computing and networking facilities, is a forum for the exchange of ideas. UT cannot protect users from the presence of material they may find offensive. The presence of such material, however, must not be represented or construed as an endorsement or approval by the university.

General Policies

2. The use of university information technology resources is governed by all applicable university policies and the laws of the state of Tennessee and the United States. The university will address the violation of these policies appropriately. Violators will be subject to disciplinary action, including the loss of IT privileges or termination of employment. Illegal activities involving university IT resources may also be subject to prosecution by state or federal authorities.



3. University IT resources are provided for use in conducting authorized university business. Using these resources for personal gain or illegal or obscene activities is prohibited. Although not an inclusive list, examples of such use include theft, fraud, gambling, copyright infringement, sound or video recording piracy, and either viewing or distributing child pornography.
   
   Note:The prohibition against using university IT resources for personal gain does not apply to scholarly activities, including the writing of textbooks or preparation of other teaching materials by faculty members, as recognized in the Statement of Policy on Patents, Copyrights, and Licensing. Consulting and other activities that relate to the faculty member's professional development are also not included in the prohibition of using IT resources for personal gain (except where prohibited by the software license agreement-see 17-18 below). For approved consulting and other activities, see policies on compensated outside services in campus/unit faculty handbooks.



4. Tennessee's Little Hatch Act prohibits the use of university resources on behalf of any party, committee, agency, or candidate for political office (Tennessee Code Annotated 2-19-206). Therefore, employees should not use university computers, printers, letterhead, e-mail and surface mail systems, facilities, or other resources to endorse specific political candidates.



5. The chief information officer, or individual designated by the chancellor or vice president of each campus and unit, has the authority and responsibility for the development of technology standards and guidelines to ensure the effective implementation of this policy. (The university's Office of Information Technology has developed policies and guidelines for the entities under their jurisdiction. These policies address responsibilities for system and network administrators and users, among other areas. The policies can be found at http://oit.utk.edu/itp/)



6. The university encourages the use of e-commerce and online business processes as a way to improve services to the university community, but commercial links must be presented in a way that preserves the image and reputation of the university and conforms to policies. It is essential that e-commerce systems maintain adequate security and that departments hosting such services safeguard the integrity of data related to these transactions. To ensure compliance with policy and ensure that security is addressed, users should follow fiscal policy on Internet sales (see FISCAL POLICY 310,) 27-28.



7. The university will take reasonable steps to ensure that its IT resources are free of deliberately destructive software, such as viruses. Users must, however, share this responsibility and should ensure the integrity of any electronic media they introduce. Users should also maintain up-to-date virus protection software to be considered a responsible user of IT resources. A free copy of anti-virus software is available for the Knoxville campus at https://antivirus.utk.edu/. Other campuses should contact their computer support personnel for similar software.



8. "Hacking" into university computers or networks is strictly prohibited and may be subject to prosecution by state or federal authorities. Examples of prohibited activities include, but are not limited to:



1. Attempts to make any unauthorized connection to the UT network



2. Attempts to use the university's IT resources without authorization



3. Attempts to read, copy, or destroy files belonging to others unless those files have deliberately been made accessible by the owner or the owner has authorized such access



4. A denial of service attack launched against users or UT networks



5. Intentional damage to or disabling of computers, networks, or software



6. Deliberate attempts to circumvent data protection or other security measures, including running password cracking programs



Note: The examples of prohibited activities above apply to all UT network systems, including student systems, alumni and development, and the university's accounting system (IRIS).


9. The university employs various measures to protect the security of its computing resources and its users' accounts. Users must, however, share in this responsibility and should engage in safe computing practices, which include guarding passwords, routinely changing passwords, not sharing passwords with other users, and not using others' passwords.

Privacy

10. While the university recognizes the role of privacy in an institution of higher learning and every attempt will be made to honor that ideal, there should be no expectation of privacy of information stored on or sent through university-owned information systems and communications infrastructure.
    
    The normal operation and maintenance of the university's IT resources results in the backup and caching of data and communications (see 14 below). Furthermore, information regarding Web sites visited, deleted files, and other communications may be retrievable. This information may be created automatically by the computer without the user's knowledge and may include communication through third-party Internet servers such as AOL, Yahoo!, Hotmail, etc.



11. Employees who receive requests under the Tennessee Public Records Act should not release documents. Certain records relating to students; research; proprietary, trade secret, or patentable material; or certain medical records may not be considered public records. Therefore, all requests should be forwarded to the public information officer, who will review the request, contact the general counsel if needed, and oversee any disclosures.



12. The university also reserves the right to preserve or inspect any information transmitted through or stored in its computers, including e-mail communications and individual login sessions, without notice when:



1. There is reasonable cause to believe the user has violated or is violating this policy, any campus guidelines or procedures established to implement this policy, or any other university policies;



2. An account appears to be engaged in unusual or unusually excessive activity;



3. The user has voluntarily made information accessible to the public such as a Web page;



4. It is necessary to do so to protect the integrity, security, or functionality of the university's IT resources or to protect the university from liability; or



5. It is otherwise permitted or required by law, such as subpoena or court order.

Electronic Mail (E-Mail)

13. For purposes of this policy, e-mail includes point-to-point messages, postings to newsgroups and listservs, and any electronic messaging involving computers and computer networks. Organizational e-mail accounts, including those used by student organizations, are held to the same standards as those for individual use by members of the university community. Also see 12 above.



14. Users are responsible for saving or archiving their e-mail. The university retains e-mail only for system recovery and backup purposes. This length of time varies according to the system administrator. Recommended retention time is 14 to 30 days.

15. While not an exhaustive list, the following uses of e-mail by individuals or organizations are considered inappropriate and unacceptable by the university. In general, e-mail may not be used for the initiation or re-transmission of:



1. Chain mail—e-mail sent repeatedly from user to user, with requests to send to others.



2. Harassing or hate mail—any threatening or abusive e-mail sent to individuals or organizations which violates university policies or rules.



3. Viruses—malicious computer codes that include, but are not limited to, computer virus, Trojan Horse, worm, and hoax.



4. Spam or e-mail bombing attacks—intentional e-mail transmissions that disrupt normal e-mail service.



5. Junk mail—unsolicited e-mail that is not related to university business and is sent without a reasonable expectation that the recipient would welcome receiving it.



6. False identification—any actions that defraud another or misrepresent or fail to accurately identify the sender.

Personal Use

16. Just as minimal personal telephone use is allowed and is sometimes necessary, employees should use the same discretion concerning the university's IT resources. Therefore, minimal personal use of these resources is permitted by this policy, except when such use:



1. Is excessive or interferes with the performance of the user's university responsibilities.



2. Results in additional incremental cost or burden to the university's IT resources.



3. Is otherwise in violation of this policy.


Further restrictions may be imposed upon personal use by a user's supervisor or in accordance with normal supervisory procedures concerning the use of university equipment.

Software License Agreements

17. Each software package includes a license agreement that details restrictions on the use of the software. The university expects software users to follow the provisions in these license agreements regarding copying, improvements, number of concurrent users, and similar provisions, even though the university has not signed the license agreements and does not agree to be bound by certain other provisions of the agreements.
    
    License agreements differ among software publishers. It is important that users read and understand the license agreement for each software package.



18. Because of the unique nature of computer software, the federal copyright law recognizes two limited exceptions to the usual prohibitions against copying or altering copyrighted work. If the copy or adaptation does not meet one of the following exceptions, it is a violation of federal law. The licensee or purchaser of software may:



1. Make one backup copy for use in the event that the original disk is damaged or destroyed beyond use. The backup copy must be destroyed if the license for the underlying computer program is discontinued.



2. Make a copy or adaptation if the new copy or adaptation is an essential step in utilizing the program on the licensee's or purchaser's computers. Any additional copy or adaptation must be an essential step in utilizing the program, and not merely for convenience.



Questions about computer software use not addressed by this policy or questions about specific license agreements should be directed to campus or unit computer support personnel.