Acceptable Use Policy
PURPOSE
The purpose of this document is to provide Unit-specific guidelines called for by the UF Acceptable Use Policy (UF AUP) for the University of Florida Health Science Center (UF HSC) Information Security Administrators, Information Security Managers and Information Technology (IT) Staff when a possible violation of the UF AUP is encountered, other than an HSC-SPICE security or privacy incident.
BACKGROUND
The University of Florida (UF) acquires, develops, and maintains computers, computer systems and networks to facilitate direct and indirect support of UF's academic, research and service missions. The UF AUP, combined with Unit-specific policies and guidelines, provides a framework describing acceptable and required behaviors involving Information Technology resources (IT-Resources).
Occasional personal use of UF IT-Resources is permitted when it is not for personal gain, when it is not excessive or disruptive, when it does not consume a significant amount of computing resources, when it does not interfere with the performance of the user's job or other UF responsibilities, and when it is otherwise in compliance with the UF AUP. Further limits may be imposed upon personal use in accordance with normal supervisory procedures concerning the use of UF equipment.
Although there is no single limit applicable to all types and uses of UF IT-Resources, most IT-Resources are actively managed and utilization is actively monitored. UF may require users to limit or refrain from specific uses if such use interferes with the system’s operational efficiency.
UF employs various measures to protect the security of its computing resources and its users' accounts. Users should be aware, however, that UF cannot guarantee security and confidentiality when UF IT-Resources are used. Nor is there any implied assurance of privacy offered by the University.
Users who violate the UF AUP may be denied access to UF computing resources and may be subject to other penalties and disciplinary action, up to and including termination of employment. Alleged violations will be handled through UF disciplinary procedures applicable to the user. UF may suspend, block or restrict access to an account, independent of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of UF or other computing resources or to protect UF from legal liability. UF may also refer suspected violations of applicable law to appropriate law enforcement agencies.
Note: An IT-Resource is defined as any equipment that has the primary purpose to store, process, display, and/or transmit digital information in support of the missions of the University.
Personal Use Limits
Where pertinent, acceptable limits for personal use of UF HSC IT-Resources are defined as outlined in Table 1, based on assessment of threat, resource utilization, and potential impact on reputation. The UF HSC has also specified an Administrative Unit Policy (See Table 2). Units may specify more stringent policies for their Unit or, alternatively, adapt the UF HSC Administrative Unit Policy.
NOTE: Where prohibited by law, the discussion of acceptable limits and threats is not warranted.
Acceptable limits for personal use of UF HSC IT-Resources
| Personal Use of IT-Resources for | Malware threat | Network bandwidth | Storage use | Reputation | Legal | Personal Use Limits |
|---|---|---|---|---|---|---|
| Sending SPAM mail, junk mail | High | High | High | High | Medium | Prohibited by UF AUP |
| Viruses, Hoax, DOS, Phishing, False Identification | Prohibited by State/Federal Law | | | | | |
| Child pornography | Prohibited by State/Federal Law | | | | | |
| Adult pornography | High | High | High | Medium | Unknown | Administrative Unit Policy (See table 2) |
| Unlicensed material (music, videos, games, software) | Prohibited by State/Federal Law | | | | | |
| On-line gambling | Prohibited by State/Federal Law | | | | | |
| Dating services | Yes; level unknown | Low | Low | Low | None | Administrative Unit Policy (See table 2) |
| Music sites | Yes; level unknown | Medium | High | Low | None | Administrative Unit Policy (See table 2) |
| Game sites | Yes; level unknown | Medium | Medium | Low | None | Administrative Unit Policy (See table 2) |
| Instant messaging | High w/file attachment use | Low | Low | Low | Unknown | HSC Spice Policy; no file or URL transfers |
| Personal picture and video files | Yes; level unknown | High | High | Low | None | Administrative Unit Policy (See table 2) |
| Download and storage of legally licensed picture, video and music files for personal use | Low | High | High | Low | None | Administrative Unit Policy (See table 2) |
| Fund raising | Low | Unknown | Unknown | Medium | Medium | Prohibited by UF AUP |
| Use of UF equipment for personal gain or personal business; or to provide non-University related services to others | Low | Unknown | Unknown | High | High | Prohibited by UF AUP |
Table 1
UF HSC Administrative Unit Policy pertaining to acceptable limits for personal use
| Personal Use of | Unit Limits |
|---|---|
| Music | Play at minimum volume levels. |
| On-line dating services | Access only during non-working hours. |
| Games | Access only during non-working hours. |
| Adult pornography | Storage not allowed on any IT-Resource without written approval of the SVP. |
| Personal picture and video files | Local PC drive(s) storage or removable media only; Remove from mailbox and all mail folders due to current space limitations. Storage not allowed on shared IT-Resources; no backup or recovery services. |
| Download and storage of legally licensed picture, video and music files for personal use | Local PC drive(s) storage or removable media only; no server storage; no backup or recovery services. |
Table 2
Operational Guidelines For IT Staff
While users have no expectation of privacy in their use of UF IT-Resources, IT staff may not use special privileges in an abusive manner. IT staff must abide by these guidelines in all daily operations:
- IT staff only accesses files or computer activity logs when there is a legitimate business reason to do so:
  - When engaged in activities involved with routine system administration. Examples of such activities include but are not limited to security management, problem resolution, system auditing, system performance evaluations and maintenance.
- IT staff ensures that a user is present to help direct and to provide consent (verbal is fine) when review of content (email, images, videos, text or music) is necessary to perform a support operation or to resolve a problem.
- IT staff never asks a user for their password. If user access is necessary to troubleshoot a problem, the user should log in or the IT staff member should reset the password and provide the user with the new password.
- IT staff does not retrieve, audit or allow access to user email or user activity logs unless:
  - There is a reasonable suspicion that an individual is violating a law or a UF or Unit policy, regulation, or other requirement,
  - As permitted by legal requirement, applicable policy or law,

  AND with documented authorization and proper oversight of an entity such as Human Resources (HR), Office of the General Counsel, Office of the Senior Vice President, HSC Security Office, or the UF Privacy Office.
Objectionable Material
IT staff engaged in supporting and managing information technology resources may encounter images, videos, text or music which is legal but personally objectionable. IT staff can take measures to minimize exposure to this material, including clearing the user’s browser cache and history before working with a user’s Web browser, and only accessing user files with the user’s consent and guidance of which files to look at or test. If, however, IT staff encounters personally objectionable material, IT staff should bring these objectionable situations to the attention of their supervisor or manager. Unit leadership will work with the IT supervisor or manager to determine a course of action that will limit the IT staff member’s exposure to the objectionable material.
Enforcement Roles & Responsibilities
Acceptable use violations are education or conduct issues that need to be handled by the user’s supervisor. IT staff, IT staff supervisors, Unit ISAs and Unit ISMs are not required to or expected to police user behavior for acceptable use policy violations. Acceptable use violations will be encountered through the normal course of IT work such as troubleshooting a problematic workstation, monitoring server storage capacity, receiving a security incident report, or examining network traffic for security or performance issues. Enforcement will require a joint effort on the part of Unit leadership (staff managers and supervisors, ISAs) and the IT community (IT staff, IT management, and ISMs):
Prevention
- Managers and supervisors of users must ensure all users have been provided communication regarding acceptable use, including Unit limits on personal use of computing resources. IT Directors and managers must ensure that managers and supervisors have appropriate acceptable use communication materials for their employees.
- Where practical, technical controls that prevent users from exceeding personal use limits (i.e. quotas, filters on file types, etc.) should be determined collaboratively by the Unit ISA, ISM and system administrator and approved by the Unit leadership. Technical controls that limit both the personal uses listed above and legitimate UF business must be analyzed to determine if there are less restrictive alternatives. The risk of damage as a result of not implementing the controls must be weighed against the risk of impeding operations.
- Upon approval, IT staff may implement technical controls to prevent users from exceeding personal use limits. Implementation must be preceded by adequate communication to the user community.
Reactive Enforcement
- IT staff supervisors, Unit ISAs and Unit ISMs who encounter or are notified of an acceptable use violation should take the following actions:
  - Notify the supervisor or manager of the user. If at any time child pornography is suspected, notification must be immediate and must include Office of General Counsel and Unit leadership to determine course of action. The notification to the user’s supervisor or manager should contain pertinent and helpful information to help him/her clearly see the AUP violation, and suggested steps the user or manager should take to bring the use into compliance.
  - Obtain agreement from the user’s supervisor that the user will execute the steps to bring their personal use into compliance, and a timeframe for doing so.
  - Determine technical steps, if any, which can be taken to bring the use into compliance.
  - Execute the technical steps, if any, at a mutually agreed upon time.
- The user’s supervisor or manager should take the following actions upon being notified that one of their employees is violating acceptable use or exceeding personal use limits:
  - If at any time child pornography is suspected, notify Office of General Counsel and Unit Leadership immediately to determine course of action.
  - Re-educate the user on the Unit’s limits on personal use of computing resources if applicable.
  - In conjunction with HR, take appropriate disciplinary actions.
  - Follow up with the user to ensure they have taken the required steps to bring their personal use into compliance.
Escalation
It is generally understood that if acceptable use issues go unaddressed, it puts IT resources at risk. Since IT staff is responsible for keeping IT resources running, they are often in a quandary about IT resources when user behavior issues go unaddressed. If a user is repeatedly in violation of the acceptable use policy, Unit IT management may take this escalation path:
- Notification – Ensure the user and the user’s supervisor were provided appropriate notification during a prior occurrence and the notification contained pertinent and helpful information to help the supervisor clearly see the acceptable use violation, and steps for the user to come into compliance.
- Warning – Upon repeated violation by the same user after an appropriate ‘Notification’ communication, the Unit IT management may issue a ‘Warning’ communication to the user and user’s supervisor. A ‘Warning’ communication should explain that an acceptable use violation has occurred again and by policy, the system administrator is obligated to suspend the computer account of the user on the next occurrence. Refer them to the UF HSC CIO or the UF HSC Chief, Information Security for questions. It is expected that the supervisor will require the user to re-read the UF HSC acceptable use materials and the behavior will stop.
- Temporary suspension of account – Upon repeated violation by the same user after a ‘Warning’ communication, the Unit IT management can seek concurrence from the UF HSC CIO or the UF HSC Chief, Information Security to temporarily suspend the user account. The HSC CIO or the HSC Chief, Information Security will notify the user and the user’s supervisor of the account suspension, and will engage the appropriate UF authorities to determine when the user’s computer account can be re-activated.
References
- The University of Florida (UF)’s Acceptable Use Policy
- HSC Spice policies
- UF Privacy Policies
- Computer Fraud and Abuse Act (US Code title 18, 1030)
- Electronic Communications and Privacy Act (US Code title 18, 2701)