1.0 Policy Purpose
Brown University Information Technology Resources and Data are made available to University faculty, staff, students, contractors, and other individuals for University-related purposes. Access to and the use of these resources come with specific expectations and User responsibilities. This policy sets forth the rules for acceptable use of Information Technology Resources at Brown University.
2.0 To Whom the Policy Applies
This policy applies to all Brown faculty, staff, students, contractors, and any other individual using Brown Information Technology Resources or Data.
3.0 Policy Statement
The use of Information Technology Resources at Brown University is a privilege and not a right. Users of Information Technology Resources and Data are expected to be good stewards of such resources and use them in a manner that is safe, responsible, ethical, and legal. The use of Brown Information Technology Resources and Data must be consistent with the educational mission, research goals, outreach, and administrative objectives of Brown University.
3.1 Behavior Standards
Use of Brown Information Technology Resources and Data is contingent upon Users of such resources abiding by the following standards of behavior:
- Users must adhere to the Brown University Code of Conduct and the Code of Student Conduct, as well as all Brown University policies, standards, procedures, and guidelines.
- Users must adhere to applicable federal and state laws and regulations, Brown University contractual agreements, licensing agreements, third-party copyrights, patents, trademarks, and software license agreements.
- Users may only use those Information Technology Resources and Data that they have been authorized to use and may use them only to the extent authorized and in a manner that is consistent with the mission and values of Brown University.
- Users may not circumvent, bypass, or impede security measures, requirements, or any standard protocols in place to ensure the confidentiality, integrity, and availability of Brown University Information Technology Resources and Data.
- Users must respect the rights and privacy of all Brown University Information Technology Resource Users.
- Users may not use Information Technology Resources in any manner that risks Brown University’s 501(c)(3) non-profit status.
- Users may not use Information Technology Resources for personal commercial purposes of personal financial or other gain.
- Users must refrain from disproportionate uses of Information Technology Resources that have the likelihood of consuming an unreasonable amount of resources, disrupting the intended use of these resources, or impinging the access of others.
Users of Information Technology Resources are responsible for the content of their individual communications and may be subject to personal liability resulting from that use. Brown University accepts no responsibility or liability for any individual or unauthorized use of Information Technology Resources by Users.
3.2 Incidental Personal Use
Incidental personal use of Brown University Information Technology Resources is allowed, provided such use does not:
- Unreasonably interfere with the use of Information Technology Resources by other Users, or with Brown University’s operation of Information Technology Resources.
- Interfere with the User’s employment or other obligations to Brown University.
- Circumvent or compromise any measures put into place by the Brown University Information Security Program.
- Violate any applicable laws or regulations.
- Violate this or other applicable Brown University policies, standards, procedures, or guidelines.
3.3 Use of Personally Owned Devices
Users are responsible for following this policy and the standards of behavior listed in this policy when using personally owned devices for accessing Brown University Information Technology Resources and Data. Users must also comply with all other Brown University policies, standards, procedures, and guidelines governing the type of device and the type of Data involved. In addition, Users must implement the Brown University Minimum Security Standards for Desktop, Laptop, Mobile, and Other Endpoint Devices on any personally owned devices used to access Brown University Information Technology Resources and Data.
In addition, Users have no expectation of privacy regarding any Brown Data residing on personally owned devices, regardless of the reasons Brown Data was placed on the personal device. In some cases, such as to comply with applicable federal and state laws and regulations, Brown policies, or Brown contractual agreements, or to gather information related to investigations or pending or potential litigation, the University may be required to request that a User turn over or provide appropriate access to Brown Data on the User's personally owned device. In such instances, and for the University to carry out its obligations, authorized personnel may access the entirety of the device, search it using specialized software configured with appropriately tailored criteria, review the information found by the search, and disclose relevant portions to University officials who are duly authorized to receive it.
3.4 Information Technology Resource Privacy
Brown University Information Technology Resources and Brown Data are the private property of Brown University. The normal operation and maintenance of Brown’s Information Technology Resources require Data integration between systems, backup and caching of Data, the logging of activity, automated monitoring of general usage patterns, the use of Data protection technologies, and the use of other technologies to ensure the proper operation, preservation, and protection of Brown Information Technology Resources and Data. Brown University has the right, without prior notice, to monitor, access, preserve, disclose, and secure the custody of its Information Technology Resources and any data created as a result of the operation and use of Brown Information Technology Resources or otherwise transmitted through Brown Information Technology Resources. For these reasons, Users have no presumption of privacy concerning Data stored on or processed by Brown Information Technology Resources.
Nonetheless, Brown University respects the reasonable privacy expectations of its students, faculty, and staff in their use of Brown University Information Technology Resources in the interest of promoting intellectual and academic freedom and an open, collegial atmosphere. Brown University staff members responsible for the operation of Information Technology Resources do not routinely monitor the content of user Data stored or communicated using Information Technology Resources as part of these operational duties. Access and disclosure of such data is only permitted in accordance with Brown University Electronic Information Policy.
3.5 Additional Information
Brown University makes no warranties of any kind, whether expressed or implied, concerning the Information Technology Resources that it provides. Brown University is not responsible for damages resulting from the use of Information Technology Resources, including but not limited to loss of Data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a Brown University employee, or by any User’s error or omission. Brown University specifically denies any responsibility for the accuracy or quality of information obtained through Information Technology Resources, except material that is presented as an official record of Brown University.
4.0 Definitions
For the purpose of this policy, the terms below have the following definitions:
- Data: Any information, regardless of electronic or printed form or location, that is created, acquired, processed, transmitted, or stored on behalf of Brown University. This includes Data processed or stored by Brown University in hosted environments in which Brown University does not own or operate the technology infrastructure.
- Information Technology Resources: Brown University-owned facilities, technologies, and information resources used for Brown University processing, transfer, storage, and communications. Included, without limitations, in this definition are computer labs, classroom technologies, computing and electronic devices and services, email, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive but rather reflects examples of equipment, supplies, and services. This also includes services that are Brown University-owned, leased, operated, or provided by Brown University or otherwise connected to Brown resources, such as cloud and Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or any other connected/hosted service.
- Information Security Program: A set of coordinated services and activities designed to protect Information Technology Resources and Data, and manage the risks associated with the use of such resources. The program includes the policies, standard operating procedures, guidance, assessments, protocols, controls, and training needed to protect Information Technology Resources and Data.
- User/Users: Any person who uses Information Technology Resources and Data.
5.0 Responsibilities
All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors and employees with student oversight duties are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure and enforce compliance with it.
Users of Information Technology Resources: All Users of Brown University Information Technology Resources are responsible for:
- Reviewing, understanding, and complying with policies, laws, and contractual obligations related to access, acceptable use, and security of Information Technology Resources.
- Consulting with policy owners on acceptable use issues not specifically addressed in this policy.
- Promptly reporting potential information security incidents to the OIT Service Center.
Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers: All Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers are responsible for ensuring that units, staff, and Users receive appropriate information security training.
Vice President for Information Technology and Chief Information Officer (CIO): The Vice President for Information Technology and CIO is responsible for providing guidance to Brown University leadership concerning the appropriate use of Information Technology Resources.
Chief Information Security Officer (CISO): The CISO is responsible for:
- If needed, consulting with the Brown University Vice President and General Counsel regarding the appropriate use of Information Technology Resources and Data.
- Providing advice and guidance to the Vice President for Information Technology and CIO concerning the appropriate use of Information Technology Resources and Data.
- Providing advice and guidance to Brown OIT staff regarding handling requests received under this policy.
6.0 Consequences for Violating this Policy
Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures.
7.0 Related Information
Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).
The following information complements and supplements this document. The information is intended to help explain this Policy and is not an all-inclusive list of policies, procedures, laws, and requirements.
7.1 Related Policies:
7.2 Related Procedures:
7.3 Related Forms:
- N/A
7.4 Frequently Asked Questions (FAQs):
- N/A
Policy Owner and Contact(s)
Policy Owner: Vice President for Information Technology and Chief Information Officer
Policy Approved by: President
Contact Information:
Policy History
Policy Issue Date:
Policy Effective Date:
Policy Update/Review Summary:
Policy updated to include the use of personally owned devices and clarify the responsibilities of users and key authorities.
Previous policy version(s) superseded by this policy:
- Acceptable Use of Information Technology Resources Policy, Effective Date: July 18, 2021