Standard 2: Acceptable Use of Information Resources

1. Computing, networking, telecommunications, and all other information technology resources of the University of North Florida are available and intended to advance the education, research, administrative and public service missions of the University. Accordingly, the University encourages and promotes the use of these resources by the University community, within institutional priorities and financial capabilities. Access to and use of these resources and services are privileges which must be accepted in strict compliance with all applicable laws and regulations and with the highest standards of ethical behavior.
2. This standard applies to all persons accessing and using computing, networking, telecommunications, and other information technology resources through any facility of the University. Such resources include mobile devices, computer and network systems, hardware, software, databases, support personnel and services, physical facilities and data communications systems and services.
3. University information resources are provided for the purpose of conducting the business of the University. Users are permitted to use University information resources for use that is incidental to the user's official University duties (incidental use) as permitted by this policy.
4. All users must comply with applicable University and system information resources use and security policies at all times.
5. Users shall never use University information resources to deprive access to individuals otherwise entitled to access University Information; to circumvent University computer security measures; or, in any way that is contrary to the University's missions or applicable law.
6. Users must not interfere with the activities of others or use a disproportionate share of information resources. Examples of inappropriate use of resources are shown below. These actions frequently result in complaints and subsequent disciplinary action.
   1. Sending an unsolicited message(s) to a large number of recipients (known as "spamming the network").
   2. Consuming an unauthorized disproportionate share of networking resources.
   3. Deliberately causing any denial of service, including flooding, ICMP attacks, or the unauthorized automated use of a service intended solely for human interaction.
7. Use of University information resources to intentionally access, create, store, or transmit sexually explicit materials is prohibited unless such use is required as part of the user's official duties as an employee of the University and is approved in writing by the President or their designee. Viewing, accessing, storing, and/or transmitting sexually explicit materials as incidental use is prohibited.
8. Users should report misuse of University information resources or violations of this policy. How an incident is reported depends upon the nature of the incident:

If users believe that their personal safety is threatened, they should call UNF UPD, (904) 620-2800.

For other incidents, users should contact IT Security at ITSecurity@unf.edu.

Confidentiality and Security of Data

1. Users shall access University data only to conduct University business and only as permitted by applicable confidentiality and privacy laws.
2. Users must not attempt to access data on systems they are not expressly authorized to access.
3. Users shall maintain all records containing University data in accordance with the University's records management documents.
4. Users shall not disclose confidential data except as permitted or required by law and only as part of their official University duties.
5. Whenever feasible, users shall store confidential data or other information essential to the mission of University on a centrally managed server, rather than on a local hard drive or portable device.
6. In cases when a user must create or store confidential or essential University data on a local hard drive or a portable device such as a laptop computer, tablet computer, or smart phone, the user must ensure the data is encrypted in accordance with the University's and any other applicable requirements.
7. All University confidential data must be encrypted during transmission over an unsecured network. Examples include Social Security Numbers (SSN), credit card numbers and information, and education records subject to the Family Educational Rights & Privacy Act (FERPA). confidential data sent from a University provided email account is automatically encrypted. To send encrypted data over unsecured networks to and from other locations, contact IT Security.
8. Users who store University data using commercial cloud services must use services provided or sanctioned by the University, rather than personally obtained cloud services.
9. Users must not use security programs or utilities except as such programs are required to perform their official duties on behalf of University.
10. All computers connecting to the University's network must run security software (such as Anti-Virus applications) prescribed by IT Security as necessary to properly secure University resources.
11. Devices determined by the University to lack required security software or to otherwise pose a threat to University information resources may be immediately disconnected from the University network without notice.

Email

1. Emails sent or received by users in the course of conducting University business are University data that are subject to state records retention and security requirements.
2. Users are to use University provided email accounts, rather than personal email accounts, for conducting University business.
3. The following email activities are prohibited when using a University provided email account:
   1. Sending an email under another individual's name or email address, except when authorized to do so by the owner of the email account for a work-related purpose.
   2. Accessing the content of another user's email account except:
      1. As part of an authorized investigation;
      2. As part of an approved monitoring process; or
      3. For other purposes specifically associated with the user's official duties on behalf of the University.
   3. Sending or forwarding any email that is suspected by the user to contain computer malware.

Incidental Use

1. Incidental use of University information resources must not interfere with the user's performance of official University business, result in direct costs to the University, expose the University to unnecessary risks, or violate applicable laws or other University policy.
2. Users must understand that they have no expectation of privacy for any personal information stored by a user on a University information resource, including University email accounts.
3. A user's incidental personal use of information resources does not extend to the user's family members or others regardless of where the information resource is physically located.
4. Incidental use to conduct or promote the user's outside employment, including self-employment, is prohibited.
5. Incidental use for purposes of political lobbying or campaigning is prohibited.
6. Storage of any email messages, voice messages, files, or documents created as incidental use by a user must be nominal (less than 5% of a user's allocated mailbox space).
7. Files not related to University business may not be stored on network file servers.

Portable and Remote Computing

1. All electronic devices including personal computers, smart phones or other devices used to access, create or store University information resources, including email, must be password protected in accordance with University requirements, and passwords must be changed whenever there is suspicion that the password has been compromised.
2. University data created or stored on a user's personal computers, smart phones or other devices, or in databases that are not part of the University's information resources are subject to public information requests, subpoenas, court orders, litigation holds, discovery requests and other requirements applicable to University information resources.
3. University issued mobile computing devices must be encrypted.
4. Any personally owned computing devices on which confidential University data is stored or created must be encrypted.
5. University data created and/or stored on personal computers, other devices and/or non-University data bases should be transferred to University information resources as soon as feasible.
6. Unattended portable computers, smart phones and other computing devices must be physically secured. Examples include locking the screen or keeping devices in a locked office or drawer.
7. All remote access to networks owned or managed by the University must be accomplished using a remote access method approved by the University.

Password Management

1. Computer accounts, passwords, access codes, and other authorizations are assigned to individual users. It is a violation of this policy to use another's account, password, access code, or other such authorization, to permit access by unauthorized users, or to otherwise misrepresent one's identity in accessing or using any information technology resource of the University.
2. Each user is responsible for all activities conducted using the user's password or other credentials.

Comply with all applicable federal, state, and local laws and regulations, including, but not limited to copyright, trademark and licensing laws, the Florida Computer Crimes Act (Chapter 815, F.S.), state obscenity laws (Chapter 847, F.S.), and all Florida Board of Governors and University rules, policies, and procedures. Existing University policies applicable to standards of behavior (such as code of conduct, ethics, sexual harassment, disruptive behavior, academic integrity, use of facilities, etc.) are incorporated in this policy by reference.

Comply with applicable U.S. export control and sanctions regulations, including but not limited to those governing the export and re-export of hardware, software and technical data. In addition, travel with any University equipment to a U.S. embargoed country is prohibited unless otherwise authorized by applicable regulations and written approval is obtained. (View the U.S. Treasury embargoed country list.)

Failure to comply with the appropriate use of computing and information technology resources threatens the atmosphere for the sharing of information, the free exchange of ideas and the secure environment for creating and maintaining information property and subjects users to disciplinary action. Any member of the University community found using computing and information technology resources in violation of this policy is subject to disciplinary procedures including, without limitation, suspension of system privileges, expulsion from school, termination of employment and/or legal action as may be appropriate.