Acceptable Usage of Information Resources Policy
This Policy establishes the accountability of all Users (as defined in the Columbia University Information Security Charter (the “Charter”)) of Columbia University’s Information Resources. It addresses the confidentiality, integrity and availability of such Resources in support of the University’s missions, codifies appropriate usage and establishes the need for Users to respect the rights of others and to be in compliance with other University policies, policies of external networks and resources, and all applicable federal, state and local laws and regulations.
The University’s Information Resources are provided to support the teaching, learning, clinical and research missions of the University and their supporting administrative functions.
Inappropriate use of these Information Resources threatens the atmosphere for the sharing of information, the free exchange of ideas and the security of an environment for creating and maintaining Information Resources.
This Policy applies to the access and use of the University’s Information Resources, whether originating from University or non-University Information Resources, including personal computers, as well as the access and use of Information Resources provided by research sponsors to, or leased or hired by, University Users.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:
- Acceptable Use of IT Resources (Network and Computing) Policy, dated July 1, 2007
- Electronic Information Resources Security Policy, dated March 1, 2007
- Social Security Number (SSN) and Unique Person Number Usage (UPN) Policy, dated September 10, 2007
and (B) the following CUIMC Policies:
- Information Security, Backup, Device and Media Controls Policy, dated November 2012
- Workstation Use and Security Policy, dated November 2012
III. Policy Text
A. Privacy Expectations
The University respects the privacy of individuals and maintains User files and emails on central University Systems as private as possible. However, to protect the integrity of its Information Resources and the rights of all Users, the University reserves the right to monitor access to Information Resources, communications on the University Network and use of Systems and University Data, as described in more detail in Section III(C) of the Charter.
For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the University’s Office of the General Counsel may authorize the reading, blocking or deleting of University Data. In particular, in the context of a litigation or an investigation, it may be necessary to access University Data with potentially relevant information. Any such action taken must be immediately reported to the Office of the General Counsel and the applicable Information Security Office.
B. Prohibited Actions
No User of Information Resources may take any of the following actions:
- Use Information Resources in violation of the Information Security Policies;
- Violate any institutional policies or procedures or use Information Resources for unethical, illegal or criminal purposes;
- Violate the privacy of co-workers, students, patients, research subjects, alumni(ae) or donors;
- Violate the rights of any person protected by copyright, trade secret, patent or other intellectual property or similar laws and regulations (i.e., installing or distributing pirated or other inappropriately licensed software);
- Copy, distribute or transmit copyrighted materials unless authorized;
- Obstruct University work by consuming excessive amounts of Network bandwidth and other System resources or by deliberately degrading performance of a computer;
- Create any program, web form or other mechanism that asks for a Columbia user identity and password other than user authentication mechanisms authorized by the applicable Information Security Office;
- Intimidate, harass, threaten or otherwise do harm to other Users or internal or external Information Resources;
- Transmit materials in violation of the University’s sexual harassment, hostile workplace or protection of minors policies;
- Make offers of products, items or services that are fraudulent;
- Intentionally cause a security incident (e.g., log into an account or access University Data that the User is not authorized to access, etc.);
- Intercept or monitor University Data not intended for the User unless specifically authorized by the applicable Information Security Office;
- Attempt to avoid the User authentication or security of Systems or Endpoints;
- Allow any unauthorized person to use institutional computers for personal use;
- Violate the policies of external networks and resources while using such external resources;
- Create or intentionally release computer viruses or worms or otherwise compromise a computer;
- Engage in frivolous, disruptive or inconsiderate conduct in computer labs or terminal areas;
- Use a University Network to gain unauthorized access to a System or University Data or to escalate privileges on a System; or
- Use Information Resources for commercial purposes, except when explicitly approved by the applicable Executive Manager. Prohibited uses include, but are not limited to, development of programs, data processing or computations for commercial use, preparation and presentation of advertising material and the running of a Server connected to the University Network.
C. Required Actions
Each User of Information Resources must take the following actions:
- Ensure that his/her account or password is properly used and is not transferred to or used by another individual;
- Log off from a System or Endpoint after completing access at any location where such System or Endpoint may potentially have multiple Users;
- Ensure that Sensitive Data is protected with a password and encrypted while in transit or storage;
- Report the loss or theft of any Endpoint or System containing Sensitive Data in accordance with the Columbia University Electronic Data Security Breach Reporting and Response Policy;
- Use University Email Systems only in compliance with the Columbia University Email Usage Policy; and
- Take responsibility for any traffic that appears on the University Network that originates from a network jack assigned to such User or from his/her wireless device(s) and/or network(s).
In addition, it is recommended, but not required, that Confidential Data be protected with a password while in transit or storage.
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy are listed in Appendix A hereto.