102.2 Guidelines in Support of the Acceptable Use Policy
In support of GU Computer Systems Acceptable Use Policy
These procedures define acceptable and appropriate use of services and resources provided by the University. As stated in the Acceptable Use Policy, these services are intended for the benefit of the University. While the University recognizes and accepts the appropriateness of incidental personal use of some resources to a limited degree, the interest of the University is paramount in determining appropriate usage. Determination of appropriate use is made on this basis.
Acceptable Use Guidelines
Standards for University Computers
GU-owned computers must use the UIS standard image without alteration*, including:
- Authorized operating system and version
- Encryption appropriate to device and data classification
- University provided antivirus, managed by policy
- Local firewall enabled
- Centralized patch management
- Authorized VPN client and settings
- Backup managed by enterprise data management and restoration
- No unauthorized local administrator accounts
*Alterations to the image, alternate computer configurations, and other exceptions to the standard must be reviewed and authorized by the Chief Information Security Officer.
Only University-issued, secure computers and laptops may be used to access Restricted/High-Risk data.
Devices used to conduct University business may be assessed for compliance at the discretion of the University.
As described in the Computer Systems Acceptable Use Policy, while respecting confidentiality and privacy, the University reserves the right to examine all university owned and operated computer systems and electronic/digital resources, or any such devices used to conduct university business or making use of the university’s network and technology resources. The University will take whatever measures are required in addressing actual or potential compromise or threat to the University’s information security.
Employment & Access to University Resources and Data
Email and Collaborative Applications
The University provides email and related collaboration tools to facilitate the work of each employee for the benefit of the University. Incidental personal use is permitted; however, the interest of the University is paramount. It is the expectation and requirement of all data users to use the secure University-provided and University-approved technology resources for the transmission, storage, and processing of data and information related to and managed by Georgetown. While respecting confidentiality and privacy, the University reserves the right to assign, review, access, and withdraw access to these tools and services, or to alter or modify access, based on employment roles and the interests of the University.
Examples of inappropriate uses of University electronic resources may include but are not limited to:
- Any personal use that could cause congestion, delay, or disruption of service to any University unit. For example, electronic greeting cards, video, sound or other large file attachments to electronic communications can degrade the performance of the entire computer network, as can some uses of “push” technology, such as audio and video streaming from the Internet.
- Use for commercial purposes, in support of “for-profit” activities or in support of other outside employment or business activity (e.g., commercial consulting for pay, sales or administration of business transactions, sale of goods or services). The definition of “commercial purposes” in this example is consistent with the Faculty Handbook and the Code of Conduct for Officers and Senior Administrators (#1007).
- Political use that is inconsistent with current Internal Revenue Service (IRS) rulings.
- The creation, copying, transmission, or retransmission of chain letters or other unauthorized mass mailings, regardless of the subject matter, noting that the Computer Systems Acceptable Use Policy and the Solicitation and Distribution Policy take precedence over these Guidelines.
- Any excessive use for personal or other non-official purposes.
Employees with other affiliations
- Faculty, AAP, and Staff are assigned Georgetown email accounts when hired, attached to the individual’s NetID.
- Alumni and former students who have been provided a Georgetown email account prior to employee onboarding might not automatically be assigned a new account. However, on the date of University employment, the primary affiliation is changed and the account is then considered a business account. The decision to assign a new account and NetID is at the sole discretion of the University.
- Beginning on the first day of employment, the account shall be used for University business; personal email should be directed to a non-Georgetown University account if the employee wishes to retain access to that email upon separation from the department or the University. Any mail, contacts, associated attachments or documents used in the operation of University business are to remain under the domain and control of the University upon employee separation.
- Upon an employee departing employment, at the sole discretion of the University, the email account may be closed. In such cases, alumni and former students may be offered a new NetID and associated email account for personal and academic use.
- Individuals who matriculate as active students during the period of employment may, upon request or at the discretion of the University, be assigned a separate NetID and associated account to be used for academic and personal purposes.
Some individuals, by virtue of their role or position in the university, have broad access to high-risk, sensitive information, protected systems and services. Such individuals, upon leaving a position which carries elevated privileges, may be assigned a new NetID with modified privileges appropriate to the new role, and the original NetID may be closed. This is done not as a punitive measure but as a protection for both the individual and the University. The decision to assign a new NetID is at the sole discretion of the University.
Changes of Role or Position
Individuals frequently change roles within a department or in moving between departments. Such changes may not immediately be reflected in the employee’s access to files and systems. When such a transition occurs, and the employee finds that access from the prior role persists, the employee shall promptly notify both the current and previous manager. Until the appropriate changes have been made, the employee shall make use only of that access appropriate to the current role.
Managers are required to ensure that employees transitioning between roles are provisioned with access to data and resources appropriate for their positions.
University business resources are provided for the benefit and operation of the University faculty, staff and student employees. When an individual leaves the University’s employ, voluntarily or otherwise, access to such resources will be terminated or modified as appropriate. It is incumbent on the managing department and the separating staff to appropriately transfer access to any resources not already available to the department, and to ensure that managers have the necessary authorization to ensure business continuity. This includes email, Google Drive documents, Calendar appointments, GU Box, and locally stored documents.
A departing employee’s NetID access is generally terminated within 24 hours after the effective termination date in GMS. This removes the ability to access Google Apps, GU Box, VPN, and all other NetID enabled services. Delayed termination in GMS will result in unintended continued access for the departing employee.
Where an employee has additional affiliations in the University (faculty, student, alum, associate), departure from employment will have different impact depending on the role. Alumni, Emeriti and students may retain ongoing use of their Georgetown email account and some University resources. Former staff who are non-matriculated undergraduate or graduate students and staff who have retired do not retain access to resources when they separate.
When an alum becomes an employee, those accounts become University business accounts. At the sole discretion of the University, the employee’s NetID and Google account, including email, Google Drive, calendar, and other Google apps, may be closed. In such cases, alumni and former students may be offered a new NetID and associated email account for personal and academic use.
When an employee who is also currently an active student departs, the University retains the right to close the employee’s NetID and services at their discretion. Active students will be given a new NetID, and assisted in connecting that NetID to the appropriate academic resources.
Requests for Access to Another Individual’s Files
Upon authorization by designated parties, a requester may be granted access to the data and files of a departed staff member. Access will be provided in the manner authorized by the justification for business continuity or by legal authority. A record of the approved request will be retained by UIS.
Accounts of deceased staff are considered business accounts only, and will be treated as such. Such accounts are closed by the University and are not accessible to surviving family members for personal use.
Incidental Personal Use of Technology Resources
While University resources are intended for use that benefits the University, the University recognizes that its employees may occasionally need to make personal use of University technology resources and does not wish to prohibit such use altogether. The overriding principle that should govern personal use of these resources is that reasonable and incidental unofficial use of University technology resources is authorized only so long as (i) the University incurs no additional cost from that use, other than the minimal cost incurred from ordinary wear and tear and the use of minimal amounts of ink, toner, or paper; and (ii) the use does not inappropriately interfere with official business.
Employees shall use University-provided technology resources and services primarily for official business, but may make and receive personal communications that are necessary and in the interest of the University. Incidental personal use of technology resources must not adversely affect the performance of the employee’s official duties or the organization’s work performance, must not be disruptive of co-workers, and must be of limited duration and frequency. Use for commercial purposes, in support of “for-profit” activities, or in support of other outside employment or business activity, as well as political use that is inconsistent with current Internal Revenue Service (IRS) rulings, are violations of the Acceptable Use Policy.
To the extent an employee must make personal use of University owned devices, such use should be incidental and immaterial. Appropriate reimbursement for any additional costs incurred by the University because of incidental use should be paid on a pro rata basis.
Responsibility for compliance with these restrictions is shared by the employee and the manager.
Network Extension Devices
You may not connect any type of device designed to “extend” network access to the Georgetown network. A good rule of thumb is, if you can plug another device into it, you can’t plug it into the network.
There are several reasons for restricting the use of devices that extend the network. Such devices allow unauthorized access to the Georgetown network by non-Georgetown-related machines. They can also cause outages affecting entire groups, floors, or buildings.
Examples of prohibited network extension devices include:
- Personal Wireless Access Points
- Ethernet splitters
- Any layer 2 device that allows more than one Ethernet device to use any given port at the same time.
Examples of permitted “end devices” include:
- Video game consoles
- DVRs with network access
- Printers with Ethernet interfaces
Should you need additional network ports, you may submit a request to UIS via the help desk. UIS periodically inspects switches on the university network and may disable ports where unauthorized or unknown devices are connected.
Administrative Access by System or Network Administrators
These procedures balance five issues: (1) protecting users’ privacy; (2) protecting the System or Network Administrator (SNA) in the performance of his or her job; (3) allowing routine administrative actions that might affect users’ files; (4) providing a mechanism to authorize non-routine, non-emergency access to users’ files when it can be justified; and (5) providing guidelines when there is a need to take emergency action. The ability of an SNA to access or read a user’s files does not imply that he or she may do so without obtaining the approval required by these procedures. While respecting confidentiality and privacy, the University reserves the right to examine all University-owned and University-operated computer systems and electronic/digital resources.
During routine administration, SNAs may need to archive or delete user files or messages from the system. In this situation, it is not necessary for an SNA to read or view user files; all work is done using system utilities, machine to machine. Given that these situations are foreseeable, each Technology Service Provider must define how and when these actions will take place on systems for which they are responsible. Reasonable efforts must then be made to ensure that system users understand the policy.
Situations will occur that pose immediate threats to the operations or security of computer or network systems. Because of the urgency, the SNA will need to intervene without obtaining the prior written permission usually required before taking actions that may affect user files, messages or system access privileges. The intent of these procedures is to allow SNAs to take appropriate, timely action when protecting University computer systems, while ensuring that the user and appropriate University officials will be made aware of the situation as soon as possible.
If an SNA determines that user files or messages pose a significant threat to the operation or security of a University computer or network system, he or she will take appropriate action to correct the problem. Additionally, the SNA may restrict the user’s access to that computer or network system. The SNA will not perform any action on user files or messages that are not relevant to the current problem and will not take any technical action, at this point, that would permanently deprive the user of access to the computer or network system.
If possible, the SNA should consult with his/her manager prior to taking action. As soon as possible after action is taken, but no later than the next business day, the SNA will make a written report to his or her immediate manager outlining the nature of the situation, including, but not limited to: the nature of the threat; protective actions taken; the user(s) involved; the user files or messages that were affected.
After appropriate review, the SNA’s manager will forward the report, along with any recommendations, to the AVP/CIO, who will evaluate the situation and make a determination as to whether a temporary restriction on the user’s access is appropriate.
Non-Compliance with Guidelines
In any incident that may be a violation of the Computer Systems Acceptable Use Policy, the role of the SNA and other technology staff is to serve as investigators. At the discretion of the VP & CIO, incidents that are deemed unintended are documented and no disciplinary action is taken. As determined by the VP and CIO, single intentional actions or repeat offenses are considered to be policy violations and will be handled in accordance with the enforcement actions described below.
Pursuant to the Georgetown University Human Resources Confidential Information Policy, employees who violate the University’s Computer Systems Acceptable Use Policy and its associated procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution.
Students who violate the University’s Computer Systems Acceptable Use Policy and its associated procedures are subject to the Code of Student Conduct and may be referred to the student conduct adjudication process for their campus notwithstanding any actions that may be taken independently by other offices within Georgetown University when such student is acting as an employee.
Consistent with the Computer Systems Acceptable Use Policy, the University may suspend, block or restrict a user’s access to information and systems when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of University resources or to protect the University from liability. The University may routinely monitor network traffic to assure the continued integrity and security of University resources in accordance with applicable University policies and laws. Individuals who continuously or egregiously violate University technology policies may be referred to appropriate leadership as risks to the secure managed environment.
Last Reviewed and Approved: March 2019