Appropriate Use of Information and Technology Resources (Draft)

Original policy can be found at – https://cam.illinois.edu/policies/fo-07/

Purpose

This Appropriate Use Policy (“AUP”):

    • Defines policy, controls, requirements, expectations, and limits when establishing, accessing, using, or otherwise interacting with University Information and/or University Digital Technology Resources (“I&T Resources”).
    • Ensures I&T Resources are protected, available, and used to benefit, support, and further the University’s mission.
    • Ensures those who use I&T Resources do so:
      • Within the scope of the intended purpose(s) of any such I&T Resources; and
      • In a manner that:
        • Mitigates risk and adverse outcomes to the University;
        • Maintains the required integrity, availability, and/or confidentiality of I&T Resources;
        • Meets University policy requirements, including, but not limited to, University System policies, University of Illinois System Privacy Statement, and Campus Administrative Manual policies;
        • Meets regulatory and legal requirements, including, but not limited to, all legal, license, and contractual obligations; and
        • Is respectful of others.

Scope

This AUP applies to all persons and entities accessing, using, or otherwise interacting with I&T Resources.

Underlying Principles

Related Policies

Authority

This Policy is issued under the authority of the Chancellor with concurrence of the Chief Information Officer (CIO), who is charged with establishing and maturing policy, standards, and practices which support and maintain the integrity and availability of I&T Resources.

Policy

  1. Authorization: The CIO and Office of the CIO (OCIO) designee(s) are authorized to suspend use, terminate access, initiate administrative actions, notify authorities, or enact mitigations if any discovered I&T Resources use or activity violates applicable law, this AUP, or otherwise presents unacceptable risk to the University or its mission.
  2. Confidentiality: All persons are responsible for protecting and maintaining the confidentiality of Access Credentials they possess, know, or use.
    1. University User Account access or Access Credentials must not be disclosed or shared.
    2. Persons having personal access to I&T Resources must not share or transfer their personal access.
      1. Delegation of authority is allowed if the delegation mechanism establishes an audit mechanism that logs all actions with timestamps and the identity of the designee.
    3. Persons possessing User Account Access Credentials must take reasonable care to protect them from disclosure or misuse.
    4. Persons having access or Access Credentials to Privileged-Access Accounts must not share or transfer such access to any entity or person without official authorization.
    5. Failure to comply with the requirements listed above may result in:
      1. Removal of access to I&T Resources;
      2. Recovery or restoration actions;
      3. Investigation of root cause, impact, and severity of the event;
      4. Notification to other university units; or
      5. Actions or sanctions pursuant to this policy and other university policies.
  3. Use of I&T Resources: Persons using devices or other technologies to access, use, or consume I&T Resources have a responsibility of due care to protect I&T Resources by maintaining control, proper use, security, and integrity of the devices and technologies they use.
    1. Persons using or managing devices used to access, process, or interact with I&T Resources must take care to protect such devices and I&T Resources from compromise and misuse.
    2. Detection of compromised devices or technologies will result in immediate removal of access to I&T Resources, and possible further actions to determine impact and severity of compromise.
      1. Compromised account or device owner may be required to take certain action before account or network access is restored by the University.
    3. Detection of unsupported technology, critical vulnerability, or other configurations which present unacceptable risk to I&T Resources may result in reduced functionality, removal of access, or other mitigations.
      1. In the case of unsupported or end-of-life software or technologies, restoration of access or functionality may not be possible without acceptance of presented risks by unit executive and other risk-area stakeholders.
  4. Persons may not use I&T Resources for any Commercial, Adverse, or Illegal Purpose:
    1. I&T Resources may not be used or accessed for commercial or profit-making purposes, or other purposes that interfere with the mission of the University.
    2. Persons may not use I&T Resources in contravention of any University policy, controls, processes, or this Policy.
    3. Use of I&T Resources by any person may not:
      1. Degrade service or otherwise unduly impact the University or others; or
      2. Present unacceptable risk of adverse impact to the university.
    4. I&T Resources may not be used or accessed for any illegal purpose or via any illegal method.
    5. I&T Resources may not be used in contravention of any state or federal laws, including, but not limited to, the State Officials and Employees Ethics Act (5 ILCS 430).
  5. Commingling of private, personal technologies and data with I&T Resources by Staff:
    1. Private or personal data stored, combined, and/or sent with I&T Resources are subject to the same laws and policies that govern I&T Resources.
    2. Using personal technologies, devices, or data for official University business subjects them to all university standards, policies, controls, management capabilities, and legal requirements.
      1. Any such uses could give rise to a situation compelling the university to access, search, archive, or disclose any such information or data in response to a lawful request. Applicable laws include, but are not limited to, the Illinois Freedom of Information Act (FOIA).
  6. Use of I&T Resources by Students: Use of I&T Resources by students is governed by this AUP and the Student Code.
    1. This AUP as it applies to Staff shall also apply to Students when students are acting as university employees.
  7. Use of I&T Resources by Non-University Users: Non-University individuals and organizations may not use I&T Resources, except as approved by OCIO or by a Unit with a written University contract or MOU authorizing such use.
    1. Limited to University-related activities: Non-University users may use their University-provided accounts and Internet access only in conjunction with authorized University-related activities.
    2. Responsibilities of contracting units: Contracting units providing access to, extending utility, or establishing functionality upon I&T Resources for non-university users are responsible for ensuring that such actions are limited to legitimate and official uses consistent with University policies, standards, and contractual obligations. Designated officials of contracting units may not exercise or supersede the authority of the CIO.
  8. I&T Resources Use and Data Access are Limited to Authorized Users at the University of Illinois Urbana-Champaign: Except for public-facing facilities, data classified as “public data” (See https://cybersecurity.uillinois.edu/data_classification), or otherwise public as designated or indicated in policy, I&T Resources access or use must not be transferred or provided to any person or organization not officially identified by or through the OCIO as a University of Illinois at Urbana-Champaign authorized user or agent.
  9. University Access to I&T Resources: Access to and disclosure of Standalone Resources
    1. Standalone Resources are subject to the following policies:
      1. University I&T Resources remain property of the University regardless of access status;
      2. Access to and disclosure of Standalone Resources shall only be granted:
        1. With approval by a formal OCIO designee to university executive petitioners with a legitimate University purpose, pursuant to established OCIO disclosure process; or
        2. In response to legal process request in consultation with University Counsel.
      3. Contents or metadata contained in Standalone Resources may be disclosed as required by applicable local, state, and federal laws, including but not limited to:
        1. Illinois State Records Act (See [5 ILCS 160/]) applies to all state records, regardless of access status.
        2. Illinois Freedom of Information Act (See [5 ILCS 140/]) applies regardless of resource ownership or status.
        3. Subpoenas, warrants or other legal requirements.
  10. Inspection related to official duties: Contents or metadata may be opened, processed, or inspected by University employees in the course of official duties related to their roles.
    1. Inspection must be reasonable or necessary for official university purposes.
    2. Inspection may include automated processes.
    3. All work, events, or activities falling under this provision shall be documented.
    4. No data may be transferred to or inspected by any party who has no official need to possess, see, or know such data.
    5. Specific content accesses and justifications for content access may be reviewed by a delegated OCIO privacy official.

Definitions

University Information and/or Digital University Technology Resources (“I&T Resources”)

I&T Resources refers to digital assets, services, or solutions employed for University use; and any University data transmitted via, processed by, or stored on them.

Examples of I&T Resources include, but aren’t limited to: computers, University data and files, software applications, networks, cloud assets, University email, personally-owned “BYOD” devices when used for University business, vended digital solutions, “flash drives” and other mobile storage, “serverless” cloud computing, mobile devices, digital appliances, “IoT” devices, metadata, online services used for University business, and digital automation products.

User Account

A named, unique digital identity created to authenticate, identify, designate, recognize, and authorize access, role(s), privileges, or permissions assigned to a single person within the University.

An account designated with one’s NetID as its username is an example of a common User Account at the University.

Privileged-Access Account

A digital identity used to authenticate, identify, designate, recognize, or authorize extended, elevated, or impactful abilities; access, utility, or privilege to persons, groups, and/or roles requiring such ability, access, utility, and/or privilege.

Common examples of Privileged-Access Accounts include, but are not limited to, “Admin(istrator)”, database “sa”, “root”, “system”, sudo-privileged, and “superuser” accounts.

Access Credentials

Access codes, identifiers, factors, or devices which can validate access to User Accounts or Privileged-Access Accounts and authorize levels of access to and privilege upon I&T Resources. Access Credentials may include an account name or number plus one or more authentication factors.

Examples of Access Credentials include, but are not limited to: passwords, biometric authentication factors, keys, certificates, secrets, tokens, hardware devices, or codes.

Standalone Resources

I&T Resources controlled by a single user such that the University does not have direct access to that I&T Resource without the controlling user’s assistance or administrative overriding actions.

Examples of common Standalone I&T Resources may include, but are not limited to: email, electronic messages, file shares, personally owned “BYOD” devices when used for University business, storage media, laptops, mobile devices, computers, and other facilities.

Process/Procedures/Guidelines

(None)

Exceptions

(None)

Contact

Office of the CIO
Chief Information Security Officer
Tech Services Identity, Privacy, & Cybersecurity
securitysupport@illinois.edu