University Policies
Policy Contact
Office of Information Technology, Information Security Group Email 401-863-7266
For loss or theft of computing device: Department of Public Safety 401-863-3103

Acceptable Use of Information Technology Resources Policy

Policy No. Issue Date Effective Date
09.00.03

1.0 Policy Purpose

This Acceptable Use of Information Technology Resources Policy (Policy) establishes requirements for the use and management of Brown University’s Information Technology Resources to ensure that their Confidentiality, Integrity, and Availability support Brown’s educational, research, outreach, and administrative objectives.

2.0 To Whom the Policy Applies

This Policy applies to individuals who directly, or through any agent acting on their behalf, interact with Brown University Information Technology Resources, regardless of affiliation.

3.0 Policy Statement

Use of Information Technology Resources:

  • Must adhere to the Brown University Code of Conduct and the Code of Student Conduct;
  • Must be consistent with the educational mission, research goals, outreach, and administrative objectives of Brown University;
  • Must adhere to applicable laws, regulations, Brown University policies, contractual agreements, and licensing agreements;
  • Must not risk Brown University’s 501(c)(3) non-profit status;
  • Must avoid actions that jeopardize the Confidentiality, Availability, and Integrity of the resources;
  • Must respect the rights of all users; and
  • Must be consistent with the user’s role or relationship to Brown University and used only in a manner and to the extent authorized by Brown University.

Users of Information Technology Resources are responsible for the content of their individual communications and may be subject to personal liability resulting from that use. Brown University accepts no responsibility or liability for any individual or unauthorized use of Information Technology Resources by users.

Access to Information Technology Resources is a privilege and continued access is contingent upon compliance with this and other Brown University policies.

3.1 Unacceptable Use

Users of Information Technology Resources must NOT:

  • Violate any Brown University policies or rules;
  • Use Information Technology Resources for unethical, illegal, or criminal purposes;
  • Use Information Technology Resources for commercial purposes, except when explicitly approved by an authorized Brown University official;
  • Use Information Technology Resources for personal economic gain;
  • Use Information Technology Resources in violation of the Political Activity Policy;
  • Violate the rights of any person or entity protected by copyright, trade secret, patent or other intellectual property, or similar laws and regulations;
  • Copy, distribute, or transmit unauthorized copyrighted materials;
  • Use Information Technology Resources in a libelous, slanderous, or harassing manner;
  • Violate the privacy of co-workers, students, research subjects, alumni(ae), or donors;
  • Consume excessive Information Technology Resources;
  • Engage in any unauthorized circumvention or attempted circumvention of, or assist another in circumventing, security controls protecting Information Technology Resources;
  • Engage in any unauthorized activity that intentionally impacts the Integrity of Information Technology Resources or any resources external to Brown University that could result in a disruption, destruction, or corruption of Information Technology Resources;
  • Use credentials for which they are not explicitly authorized, attempt to capture or guess credentials, or in any way attempt to gain access to an unauthorized account;
  • Share personal password(s) with others or enable unauthorized users to access Information Technology Resources, or otherwise violate the Network Connection Policy;
  • Create any program, web form, or other mechanism that authenticates with Brown University credentials, unless the Authentication Method is authorized by the Office of Information Technology.

4.0 Definitions

For the purpose of this Policy, the terms below have the following definitions:

Availability (of Information Technology Resources):

Ensuring timely and reliable access to and use of information.

Authentication Method:

Hardware- or software-based mechanisms that force users to prove their identity before accessing data on a device. Examples in use at Brown University include Active Directory (centralized Windows Directory Service for authentication of user, computer, and group objects), Duo (leverages a second factor when authenticating), and Shibboleth (protects web resources and exercises fine-grained control of access to those resources for members of the Brown University community as well as other institutions).

Confidentiality (of Information Technology Resources):

Ensuring Electronic Information and Information Technology Resources are protected from unauthorized access.

Desktop, Laptop, Mobile, or Other Endpoint Device:

Any device, regardless of ownership, that has been used to store, access, or transmit Electronic Information, not classified as a Server. These devices are intended to be accessed directly by individuals and include, but are not limited to, desktops, laptops, mobile phones, and tablets.

Electronic Information:

Often referred to as Electronically Stored Information (ESI). Any documents or information stored, in electronic form, on or sourced from Information Technology Resources. Common examples include: documents, spreadsheets, digital photographs, videos, communications (emails and their attachments, instant messages), voicemails, logs, data stored in Brown-funded or contracted cloud services, and data stored on Brown-owned devices, including, but not limited to: laptops, desktops, cell phones, and Servers.

Information Technology Resources:

Brown-owned facilities, technologies, and information resources used for Brown University processing, transfer, storage, and communications. Included, without limitations, in this definition are computer labs, classroom technologies, computing and electronic devices and services, email, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive but rather reflects examples of equipment, supplies and services. This also includes services that are Brown-owned, leased, operated or provided by Brown or otherwise connected to Brown resources, such as cloud and Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or any other connected/hosted service.

Integrity (of Information Technology Resources):

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Server:

A computer program or device that provides dedicated functionality to clients. These are normally managed by professional information technology practitioners.

Two-Step Authentication:

A method to protect an account or system that requires more than one means to access it, such as providing a password as well as a response to a verification code sent to a physical device.

5.0 Responsibilities

All individuals to whom this Policy applies are responsible for becoming familiar with and following this Policy. Brown University supervisors are responsible for promoting the understanding of this Policy and for taking appropriate steps to help ensure compliance with it.

Users:

  • Review, understand, and comply with policies, laws, and contractual obligations related to access, acceptable use, and security of Information Technology Resources, particularly the related policies in section 7.1 below;
  • Consult with the Office of Information Technology (OIT) Information Security Group (ISG) on acceptable use issues not specifically addressed in this Policy;
  • Protect personal information and personal assets used to access Electronic Information;
  • Use only authorized Information Technology Resources and only in the manner and to the extent authorized;
  • Follow the user-specific security controls in Minimum Security Standards for Desktop, Laptop, Mobile, and Other Endpoint Devices on personal assets, including, but not limited to, encryption, installing updates, virus protection, and Two-Step Authentication;
  • Report the loss or theft of any Desktop, Laptop, Mobile, or Other Endpoint Device containing Electronic Information to the Department of Public Safety (401-863-3103) and ISG ([email protected]);
  • Report any breach or suspected breach of a Desktop, Laptop, Mobile, or Other Endpoint Device containing Electronic Information to ISG ([email protected]); and
  • Report suspected violations of this Policy to ISG ([email protected]).

Administrators:

  • Work with ISG to investigate alleged violations of this Policy; and
  • Report suspected violations of this Policy to ISG ([email protected]).

Information Technology Professionals:

  • Follow specific security controls in Minimum Security Standards for Servers and Minimum Security Standards for Desktop, Laptop, Mobile, and Other Endpoint Devices on Brown University managed resources;
  • Respond to questions from users related to appropriate use of Information Technology Resources;
  • Work with ISG to investigate alleged violations of this Policy;
  • Report the loss or theft of any Server containing Electronic Information to the Department of Public Safety (401-863-3103) and ISG ([email protected]);
  • Report any breach or suspected breach of a Server containing Electronic Information to ISG ([email protected]); and
  • Report suspected violations of this Policy to ISG ([email protected]).

Chief Information Security Officer:

  • Delegate authority and responsibility for investigating alleged violations of this Policy;
  • Designate individuals who have the responsibility and authority to refer violations to appropriate Brown University offices or law enforcement agencies for resolution or disciplinary action; and
  • Designate individuals who have the responsibility and authority to employ security measures and ensure that appropriate and timely action is taken on acceptable use violations.

Chief Digital Information Officer:

  • Designate individuals who have the responsibility and authority for Information Technology Resources;
  • Designate individuals who have the responsibility and authority for establishing policies for access to and acceptable use of Information Technology Resources;
  • Designate individuals who have the responsibility and authority for monitoring and managing system resource usage; and
  • Designate individuals who have the responsibility and authority for investigating alleged violations of this Policy.

Office of Information Technology Information Security Group (ISG):

  • Investigate suspected violations of this Policy;
  • Refer alleged violations to appropriate Brown University offices and law enforcement agencies for resolution or disciplinary action;
  • Ensure that appropriate and timely action is taken on alleged violations; and
  • Coordinate with appropriate Internet Service Providers and law enforcement agencies on violations of this Policy.

Department of Public Safety:

  • Respond to alleged violations of criminal law; and
  • Coordinate all activities between Brown University and outside law enforcement agencies.

6.0 Consequences for Violating this Policy

Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with Brown University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures, or for non-employees, may result in the suspension or revocation of the third party’s relationship with Brown University.

Individuals are also subject to federal, state, and local laws governing many interactions that occur on the Internet. These policies and laws are subject to change as state and federal laws develop and change.

7.0 Related Information

Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).

The following information complements and supplements this document. The information is intended to help explain this Policy and is not an all-inclusive list of policies, procedures, laws, and requirements.

7.3 Related Forms:

  • N/A

7.4 Frequently Asked Questions (FAQs):

  • N/A

Policy Owner and Contact(s)

Policy Owner: Chief Digital and Information Officer

Policy Approved by: President

Contact Information:

Office of Information Technology, Information Security Group Email 401-863-7266
For loss or theft of computing device: Department of Public Safety 401-863-3103

Policy History

Policy Issue Date:

Policy Effective Date:

Policy Update/Review Summary:

N/A

 

Webpage reviewed September 16, 2021