Technology Acceptable Use Policy
1.0 Purpose
Wheaton College’s technology infrastructure exists to support the organization and activities needed to fulfill the organization’s mission. Access to these resources is a privilege that should be exercised responsibly, ethically, and lawfully.
The purpose of this Technology Acceptable Use Policy is to clearly establish the College’s position relating to the acceptable use of its technology and the role each member of the organization has in protecting its information resources.
2.0 Scope
This policy applies to all users of technology resources owned, managed or otherwise provided by the organization. Individuals covered by this policy include, but are not limited to, all employees and service providers, students, guests and anyone else with access to the organization's technology and information resources and/or facilities. Technology and information resources include all Wheaton College-owned, licensed, or managed hardware and software, email domains, and related services and any use of the organization’s network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
3.0 Privacy and Property
Wheaton College will make every reasonable effort to respect a user's privacy. However, employees and other users as identified above have no expectation of privacy for communications, documents, or other data transmitted or stored on the organization’s resources. In addition, in response to a judicial order or any other action required by law or permitted by official Wheaton College policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the organization, the College reserves the right to access, review, intercept, monitor, and/or disclose all data created, transmitted, accessed, and/or stored on the College’s network and/or technology. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the organization’s rules, regulations, or policy, or when access is considered necessary to conduct Wheaton College business due to the unexpected absence of an employee or to respond to health or safety emergencies.
The campus network is maintained and provided to assist in the pursuit of the mission of Wheaton College and to conduct the College's day-to-day operational activities. The network is College property; thus all data composed and created by employees and transmitted and/or stored on the network is and will remain College property, not the private property of any individual. Exceptions to the data ownership clause described include: student works developed as a part of their academic or co-curricular pursuits; and scholarly work by faculty such as articles, books, music composition, research data, and the like.
Data residing on personally-owned workstations that are connected to the campus network is not considered to be College property, but any data created, transmitted, accessed, and/or stored on the campus network by users of these individually-owned computers is subject to the same policies, procedures, guidelines and constraints as data created, transmitted, accessed, and/or stored through the use of College-owned computers.
4.0 Policy
Activities related to Wheaton College’s mission take precedence over computing pursuits of a more personal or recreational nature. Personal, non-job-related use of the College’s technology, except for use by students enrolled at the College, should be incidental and kept to a minimum. Any use that materially disrupts the organization’s mission or its day-to-day operational activities is prohibited.
The same standards of common sense, courtesy, civility, and the College’s Statement of Faith and Community Covenant, that govern the use of other shared facilities, must be adhered to in regard to the use of information technology resources. This includes the individual’s right to privacy and to be free from intimidation, harassment, and unwarranted annoyance. All users of Wheaton College’s technology resources, whether use is via personally-owned and/or College-owned devices, must adhere to the requirements enumerated below.
4.1 Fraudulent and Illegal Use
Wheaton College explicitly prohibits the use of any information system for fraudulent and/or illegal purposes. While using any of the organization’s information systems, a user must not engage in any activity that is illegal under local, state, federal, and/or international law. As a part of this policy, users must not:
- Violate the rights of any individual or company involving information protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by Wheaton College or the individual user.
- Use copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software, in any way that violates copyright law.
Wheaton College is a non-profit organization, and as such use of the College’s information systems for commercial purposes is prohibited.
Any user that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify the Chief Information Officer immediately via cio@wheaton.edu.
4.2 Confidentiality
Wheaton College has both an ethical and legal responsibility to protect confidential information in accordance with its Data Classification Policy. Confidential data is defined as data that has been classified as “Restricted” or “Private” by the Data Classification Policy. To promote confidentiality users must not:
- Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access;
- Facilitate use or access by unauthorized users, including sharing their password or other login credentials with anyone, including other users, family members, or friends;
- Use the same password for Wheaton College accounts as for other non-Wheaton College access (for example, personal home internet, social media, bank accounts);
- Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another user’s password; or
- Make or distribute unauthorized copies of another user’s files or Wheaton College's confidential information.
All encryption keys employed by users must be provided to the Chief Information Officer if requested, in order to perform functions required by this policy.
4.3 Harassment
See details and provisions of the College’s Discrimination, Harassment and Sexual Misconduct Policy.
4.4 Malicious Activity
Wheaton College strictly prohibits the use of its information systems for malicious activity against other users, the organization’s information systems themselves, or the information assets of other parties. Users must not:
- Perpetrate, cause, or in any way enable disruption of Wheaton College’s or any other information systems or network communications by denial-of-service, the introduction of malicious programs (e.g. viruses, worms, Trojan horses) or other methods;
- Circumvent or attempt to circumvent the user authentication or security of any information system;
- Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
- Create and/or use a proxy server of any kind, other than those provided by Wheaton College, or otherwise redirect network traffic outside of normal routing; or use any type of technology designed to mask, hide, or modify their identity for nefarious activities electronically; or
- Use a port scanning or network monitoring tool targeting either Wheaton College’s network or any other external network, unless this activity is a part of the user’s normal job functions, such as a member of the Academic & Institutional Technology (AIT) Department conducting a vulnerability scan, or for bona fide scholarship within a controlled environment, with CIO approval.
4.5 Objectionable content
Wheaton College strictly prohibits the use of organizational information systems for accessing or distributing content that other users may find objectionable. Users must not post, upload, download, or display inappropriate messages, photos, images, sound files, text files, video files, newsletters, or related materials, including but not limited to those that are discriminating; harassing; sexually explicit; violent or promoting violence; and/or anything that would not uphold the values expressed in our Community Covenant.
4.6 Hardware and software
Wheaton College provides technology resources to employees and other personnel for the purpose of ensuring they have a safe and reliable computing environment from which to work. Thus, those who are working with or accessing institutional resources need to be sure that they are operating within the secure platforms that have been vetted and reasonably secured. As such:
- Wheaton College prohibits the use of any hardware or software on institutionally-owned computers that is not purchased by the College; or licensed for College use; and installed, configured, tracked, and/or managed by an authorized employee.
- All employees and service providers must use approved workstations, services, or devices to access the College’s data, systems, or networks. This includes the storing of institutional data in cloud-services that have been approved by Wheaton College through AIT.
- Personally owned workstations or devices that store, process, or transmit institutional confidential information must be secured with a minimum of the following:
  - a complex password,
  - up-to-date security patches,
  - working, up-to-date anti-malware protection,
  - an up-to-date web browser to access online services through https protocols,
  - and the Wheaton College virtual private network (VPN) software.
- Users must not download, install, disable, remove, or uninstall software designed to provide a secure computing environment, including patches of existing software, to any institutional information system without approval of AIT.
- All devices must be physically secured at all times. This includes locking a workstation when not in use and not leaving an unlocked device unattended for any length of time.
- Users must not install, connect, or disconnect unauthorized network devices on the campus network. Examples of prohibited devices include a router, network switch, wireless access point, or wireless printer with WiFi Direct enabled.
- Users must take appropriate security precautions with institutionally-owned devices, up to and including the utilization of a loaner device from AIT when traveling abroad.
4.7 Messaging
The organization provides a robust communication platform for users to fulfill its mission.
- Employees and students are expected to read their campus email, and must use their campus email accounts in official communication with campus offices and campus community members, to ensure proper identification.
- Employees must not forward wheaton.edu email accounts, or other private or restricted institutional communications, to other email service providers.
- Students are responsible for reading and responding to official information that is sent to their College email account.
- Users must not send unsolicited e-mail messages, including “junk mail” or other advertising material to individuals who did not specifically request such material for commercial ventures, solicitations, religious or political causes, outside organizations, or other non-job-related endeavors.
5.0 Enforcement
Users who violate this policy may be denied access to organizational resources and may be subject to penalties and disciplinary action both within and outside of Wheaton College. The organization may temporarily suspend or block access to an account or information systems prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the organization or other technology resources or to protect Wheaton College from liability.
If any user creates any liability on behalf of Wheaton College due to use in a way that the user reasonably knew to be in violation of this policy, the user agrees to be fully responsible, and to be held accountable should it be necessary for Wheaton College to defend itself against the activities or actions of the user.
Users are subject to disciplinary rules described in the Student, Employee, or Faculty Handbooks and any other applicable policies and procedures.
6.0 Exceptions
Exceptions to the policy may be granted by the Chief Information Officer, or his or her designee. All exceptions must be reviewed annually.
Departments may create and enforce more restrictive security policy and processes to meet the business needs of the organization.
To request exceptions or authorizations contact the AIT Service Desk.
7.0 Effective date
Effective: October 1, 2017
Last updated: September 28, 2017
8.0 Revision History
| Version | Date | Author | Revision |
|---|---|---|---|
| 1.00 | March 30, 2017 | GreyCastle Security | Original |
| 1.01 | September 29, 2017 | Wheaton & GCS | General Revision |
Responsible SAC Member: Vice President for Finance and Operations
Policy Owner: Chief Information Officer in partnership with Technology @ Wheaton Governance
Policy Contact: Dr. Alan Wolff, Chief Information Officer