These procedures define acceptable and appropriate use of services and resources provided by the University. As stated in the Acceptable Use Policy, these services are intended for the benefit of the University. While the University recognizes and accepts the appropriateness of incidental personal use of some resources to a limited degree, the interest of the University is paramount in determining appropriate usage. Determination of appropriate use is made on this basis.
STANDARDS FOR UNIVERSITY COMPUTERS
DESKTOP & LAPTOP COMPUTERS:
GU-owned computers must use the UIS standard image without alteration, including:
Authorized operating system and version
Encryption appropriate to device
University provided antivirus, set to auto update
Local firewall enabled
Centralized patch management
Authorized VPN installed
Backup managed by University CrashPlan system
No local administrator accounts
Only University-issued, secure computers and laptops may be used to access Restricted Information.
Devices used to conduct University business may be assessed for compliance at the discretion of the University.
As described in the Computer Systems Acceptable Use Policy, while respecting confidentiality and privacy, the University reserves the right to examine all university owned and operated computer systems and electronic/digital resources, or any such devices used to conduct university business or making use of the university’s network and technology resources. The University will take whatever measures are required in addressing actual or potential compromise or threat to the University’s information security.
EMPLOYMENT & ACCESS TO UNIVERSITY RESOURCES
EMAIL and COLLABORATIVE APPLICATIONS
The University provides email and related collaboration tools to facilitate the work of each employee for the benefit of the University. Incidental personal use is permitted; however, the interest of the University is paramount. It is the expectation and requirement of all data users to use the secure University-provided and University-approved technology resources for the transmission, storage, and processing of data and information related to and managed by Georgetown. While respecting confidentiality and privacy, the University reserves the right to assign, review, access, and withdraw access to these tools and services, or to alter or modify access, based on employment roles and the interests of the University.
Employees with other affiliations
1. Faculty, AAP, and Staff are assigned Georgetown Gmail accounts when hired, tied to the individual’s NetID.
2. Alumni and former students who have a pre-employment Georgetown Gmail account will not automatically be assigned a new account. However, effective on the date of first employment, the account becomes a University business account. The decision to assign a new account and NetID is at the sole discretion of the University.
3. Beginning with the first day of employment, the account shall be used for University business; personal email should be directed to a non-Georgetown University account if the employee wishes to retain access to it after the employee separates from the department or the University. Any mail, contacts, associated attachments or documents used in the operation of University business are to remain under the domain and control of the Unversity upon employee separation.
4. Upon an employee departing employment, at the sole discretion of the University, the email account may be closed. In such cases, alumni and former students may be offered a new NetID and associated email account for personal and academic use.
5. Individuals who matriculate as active students during the period of employment may, upon request or at the discretion of the University, be assigned a separate NetID and associated account to be used for academic and personal purposes.
The above does not apply to students in Student Employment positions.
Some individuals, by virtue of their role or position in the university, have unusually broad access to Restricted or sensitive information, manage systems and services on behalf of the University, or otherwise have elevated privileges in some area of University business. Such individuals, upon leaving the position resulting in elevated privilege, will be assigned a new NetID with the privileges and services appropriate to the new role, and the original ID will be closed. This is done not as a punitive measure but as a protection for both the individual and the University. The decision to assign a new NetID is at the sole discretion of the University
CHANGES OF ROLE OR POSITION
Individuals frequently change roles within a department or in moving between departments. Such changes may not immediately be reflected in the employee’s access to files and systems. When such a transition occurs, and the employee finds that access from the prior role persists, the employee shall promptly notify both the current and previous supervisor. Until the appropriate changes have been made, the employee shall make use only of that access appropriate to the current role.
Supervisors are required to ensure that employees transitioning between roles are assigned only appropriate access.
University resources are provided for the benefit of the University. When an individual leaves the University’s employ, voluntarily or otherwise, access to such resources will be curtailed. It is incumbent on the departing employee to appropriately transfer access to any resources not already available to the department, and to ensure that supervisors have the necessary authorization to ensure business continuity. This includes email, Google Drive documents, Calendar appointments, GU Box, and locally stored documents.
Normally a departing employee’s NetID access is terminated in 24 hours or less after the effective termination date in GMS. This removes the ability to access Google Apps, GU Box, VPN, and all other NetID enabled services. Delayed termination in GMS will result in unintended continued access for the departing employee.
Where an employee has additional affiliations to the University (student, alum, Sponsored Associate), departure from employment will have different impact depending on the role. Alumni and students who are not employees ordinarily retain ongoing use of their NetIDs and Google Apps indefinitely.
When an alum becomes an employee, those accounts become University business accounts. At the sole discretion of the University, the employee’s NetID and Google account, including email, Google Drive, calendar, and other Google apps, may be closed. In such cases, alumni and former students may be offered a new NetID and associated email account for personal and academic use.
When an employee who is also currently an active student departs, the University retains the right to close the employee’s NetID and services at their discretion. Active students will be given a new NetID, and assisted in connecting that NetID to the appropriate academic resources.
NON-EMERGENCY REQUESTS FOR ACCESS TO ANOTHER INDIVIDUAL'S FILES
Non-routine, non-emergency situations may occur where it is necessary to examine a user's files without being able to obtain his/her specific permission or authorization; however, there will be no threat to the operations or security of the computer or network system. The intent of these procedures is to separate the authority to read user files or messages from the technical ability to do so. This separation is intended to protect the user, the department, and the SNA.
An administrator with substantial cause to gain access to user files or messages not already belonging to the department must send a written request to the Office of General Counsel and to the Office of the Vice President for Information Services and Chief Information Officer (CIO). The reason(s) for the request and the exact scope of the request must be clearly stated. The most common such situation is that of a former employee who, through error or neglect, failed to make available to the department important business documents. Upon approval by the designated authorities, the requester may be granted access to the requested files. Access will be provided exactly as approved. A record of the approved request will be retained by UIS.
Accounts of deceased individuals are considered business accounts only, and will be treated as such. Such accounts are closed by the University.
INCIDENTAL PERSONAL USE OF TECHNOLOGY RESOURCES
While University resources are intended for use that benefits the University, the University recognizes that its employees may occasionally need to make personal use of University technology resources and does not wish to prohibit such use altogether. The overriding principle that should govern personal use of these resources is that reasonable and incidental unofficial use of University technology resources is authorized only so long as (i) the University incurs no additional cost from that use, other than the minimal cost incurred from ordinary wear and tear and the use of minimal amounts of ink, toner, or paper; and (ii) the use does not inappropriately interfere with official business.
Employees shall use University-provided technology resources and services primarily for official business, but may make and receive personal communications that are necessary and in the interest of the University. Incidental personal use of technology resources must not adversely affect the performance of employee's official duties or the organization's work performance, must not be disruptive of co-workers, and must be of limited duration and frequency. Use for commercial purposes, in support of "for-profit" activities, or in support of other outside employment or business activity, as well as political use that is inconsistent with current Internal Revenue Service (IRS) rulings, are violations of the Acceptable Use Policy.
To the extent an employee must make personal use of University owned devices, such use should be incidental and immaterial. Appropriate reimbursement for any additional costs incurred by the University because of incidental use should be paid on a pro rata basis.
Responsibility for compliance with these restrictions is shared by the employee and the supervisor.
NETWORK EXTENSION DEVICES
You may not connect any type of device designed to "extend" network access connect to the Georgetown network. A good rule of thumb is, if you can plug another device into it, you can't plug it into the network.
There are several reasons for restricting the use of devices that extend the network. It allows unauthorized access to the Georgetown network by non-Georgetown-related machines. It can also cause outages affecting entire groups of students, floors, or buildings. Further, such devices make tracking down infected machines harder.
Examples of banned network extension devices include:
· Wireless Access Points
· Ethernet splitters
· Any layer 2 device that allows more than one Ethernet device to use any given port at the same time
Examples of permitted "end devices" include:
· Video game consoles
· TiVo’s or other digital video recorders (DVRs) with network access
· Printers with Ethernet interfaces
Should you need additional network ports, you may follow a university procedure to submit a request. The University Information Security Office periodically inspects switches on the university network and disables ports where multiple devices are connected simultaneously. There is typically no notice made before the port where the device is connected is disabled, although a ticket is generated afterwards.
ADMINISTRATIVE ACCESS BY SYSTEM OR NETWORK ADMINISTRATORS
These procedures balance five issues: (1) protecting users' privacy; (2) protecting the System or Network Administrator (SNA) in the performance of his or her job; (3) allowing routine administrative actions that might affect users' files; (4) providing a mechanism to authorize non-routine, non-emergency access to users' files when it can be justified; and (5) providing guidelines when there is a need to take emergency action. The ability of an SNA to access or read a user's files does not imply that he or she may do so without obtaining the approval required by these procedures. While respecting confidentiality and privacy, the University reserves the right to examine all University-owned and University-operated computer systems and electronic/digital resources.
During routine administration SNAs may need to archive or delete user files or messages from the system. In this situation, it is not necessary for an SNA to read or view user files; all work is done using system utilities, machine to machine. Given that these situations are foreseeable, each Technology Service Provider must define how and when these actions will take place on systems for which they are responsible. Reasonable efforts must then be made to ensure that system users understand the policy.
Situations will occur that pose immediate threats to the operations or security of computer or network systems. Because of the urgency, the SNA will need to intervene without obtaining the prior written permission usually required before taking actions that may affect user files, messages or system access privileges. The intent of these procedures is to allow SNAs to take appropriate, timely action when protecting University computer systems, while ensuring that the user and appropriate University officials will be made aware of the situation as soon as possible.
If a SNA determines that user files or messages pose a significant threat to the operation or security of a University computer or network system, he or she will take appropriate action to correct the problem. Additionally, the SNA may restrict the user's access to that computer or network system. The SNA will not perform any action on user files or messages that are not relevant to the current problem and will not take any technical action, at this point, that would permanently deprive the user of access to the computer or network system.
If possible, the SNA should consult with his/her supervisor prior to taking action. As soon as possible after action is taken, but no later than the next business day, the SNA will make a written report to his or her immediate supervisor outlining the nature of the situation, including, but not limited to: the nature of the threat; protective actions taken; the user(s) involved; the user files or messages that were affected.
After appropriate review, the SNA's supervisor will forward the report, along with any recommendations, to the AVP/CIO, who will evaluate the situation and make a determination as to whether a temporary restriction on the user's access is appropriate.
In any incident that may be a violation of the Computer Systems Acceptable Use Policy, the role of the SNA and other technology staff is to serve as investigators. At the discretion of the VP & CIO, Incidents that are deemed unintended are documented and no disciplinary action taken. As determined by the VP and CIO, single intentional actions or repeat offenses are considered to be policy violations and will be handled in accordance with the enforcement actions described below.
Pursuant to the Georgetown University Human Resources Confidential Information Policy, employees who violate the University’s Computer Systems Acceptable Use Policy and its associated procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution.
Students who violate the University’s Computer Systems Acceptable Use Policy and its associated procedures are subject to the Code of Student Conduct and may be referred to the student conduct adjudication process for their campus notwithstanding any actions that may be taken independently by other offices within Georgetown University when such student is acting as an employee.
Consistent with the Computer Systems Acceptable Use Policy, the University may suspend, block or restrict a user’s access to information and systems when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of University resources or to protect the University from liability.
The University may routinely monitor network traffic to assure the continued integrity and security of University resources in accordance with applicable University policies and laws. The University may also refer suspected violations of applicable law to appropriate law enforcement agencies.
Approved June 4, 1996
Modified: November 14, 1996
Approved with modifications by the Academic Senate: June 23, 1997
Updated: March 2019