These policies apply to all users of any Xavier University School of Medicine (henceforth referred to as “University”) information technology resource, including students, staff, faculty and other authorized users, whether operating on campus or from a remote location. The University’s information technology resources include, but are not limited to:
- Any network, communication system, computer equipment or media service provided by the University for educational, research, administrative, communication or related purposes;
- Information technology or data communications equipment owned, leased, or operated by the University;
- Any equipment connected to the University’s data network, regardless of ownership;
- All messages, data files and programs stored in or transmitted by any University information technology resource;
- All data and information assets created with or stored on systems operated by or for the University.
Information technology resources are provided by the University to support its educational and research mission. Use of University information technology resources is a privilege. Accordingly, all users of the University’s networks, systems and equipment are responsible for the proper use and protection of these resources, consistent with University policies and applicable law.
Computer System Access and Usage
To ensure the continued integrity of its information technology resources, facilities and controls, the University may audit, inspect and/or monitor network or resource usage, at any time, without notice. The University may limit or terminate the network access of any user who is in violation of any University or Information Technology (IT) policies.
Examples of improper use include, but are not limited to, the following:
- Unauthorized access to network or electronic data in any form;
- The use of another’s password or account without prior authorization;
- The use of University data, networks or IT resources for private, commercial, union or political purposes;
- The unauthorized alteration of electronic files, including any disruption or interference (hacking / spam / viral programs);
- Software license or intellectual property violations;
- The violation of any University policy, local, state or federal law; harassment or defamation, or activity that may damage the University's good name and reputation.
Users with access to confidential, privileged or financial data protected by law or University policy must adhere to the following security requirements:
Desktop security: All computers must be secured and non-approved software removed. Only approved software may be installed. Individual users on administrative systems may not add or remove software without Information Technology involvement.
Internet: Internet browsing will be limited by management to approved business websites. Personal webmail such as Yahoo, Google, etc. is not allowed.
Remote Access: All remote access must be authorized for business operation continuity purposes and approved by management.
Laptop security: Laptop use is not authorized for persons with access to extremely privileged information due to the risk of loss and associated threat of security breach. When laptop usage cannot be avoided, strong data encryption must be applied.
The University may also restrict unlimited electronic access. If an imposed limitation interferes with a user’s bona fide educational or research activities, the user may notify his or her supervisor. The University reserves the right to limit the use of information technology resources based on institutional priorities, technical capacity and fiscal considerations.
Article 156 of the New York State Penal Code and federal law (18 USC §§ 1030, 1302, 2252, 2501) impose criminal sanctions for certain offenses involving computers, software and computer data, including unauthorized use, fraud, computer trespass, computer tampering and unauthorized access to student records. Misuse of the University’s information technology resources is subject to disciplinary and/or legal action.
Terms of Use
Usage of the University's information technology systems and resources is a privilege granted to University students, faculty and staff, to support its educational mission. Computer accounts are assigned to individuals for University-related purposes. Passwords and account access may not be shared. Passwords are the frontline of protection for all user accounts. Persons using University information technology resources must safeguard their passwords. Select ‘secure’ passwords using letter, number and symbol combinations that cannot easily be ‘cracked’ by automated tools.
All users of the University’s computer network must maintain the integrity of the information technology systems. Any user who detects a possible security concern on any University system or network must report it immediately to the IT system administrators. The University reserves the right to audit, inspect, limit, revoke or refuse to extend IT privileges or access to its computer systems and electronic resources, at any time, in its sole discretion.
(i) Internet Content
The University does not control information available over the Internet and is not responsible for Internet content. Internet users should be aware that even sites accessed for legitimate educational or research purposes may contain offensive material. Workstations in open-access facilities, such as the University Computer Labs, shall be used in a fashion that is not offensive to the University community or violative of local, state or federal law.
(ii) Personal Use
The University is subject to laws that restrict the use of University property for matters unrelated to its Charter mission. To ensure compliance with applicable law and University policy, the use of the University’s information technology resources for political, commercial or private purposes is prohibited. Additionally, employees are prohibited from using consumable IT resources, e.g., paper, printer ink, blank media, etc., for personal, non-business needs.
(iii) Physical Security
All computers, data storage media and storage repositories that contain confidential information must be secured against loss or tampering. Portable computing devices such as laptops, hand-held equipment (PDAs) and data storage media pose a unique and significant risk for exposure of protected information and potential access to the University’s administrative systems. For these reasons, special care must be taken with these devices. The login should never be set for automated login, and all protected data stored on any portable device must be encrypted. Store all such devices in a secure location.
A University email address will be assigned by management to registered students and University employees. E-mail accounts provided by the University to employees are intended for University business. Faculty members and administrative personnel must use their University email address when communicating with students and conducting other University business.
All University email account holders are expected to check their email regularly so that University communications will be timely received and read. The owner of an email account is responsible for its use and is presumed to have sent all communications actually sent from that account. Users may not view, copy, alter or destroy another’s email without permission unless authorized or required to do so by law or policy.
The University does not guarantee the confidentiality or privacy of its email services or data stored or sent through its network systems. Although every effort is made to preserve the integrity of the University’s communication systems, users should be aware that the interception of email messages on shared networks is possible. Redirecting email from the University email address to another address (e.g., @hotmail.com, @gmail.com) is also discouraged. The University is not responsible for the integrity of email directed to other service providers.
To protect the functionality and integrity of its IT systems, and protect users against unauthorized or improper use, the University reserves the right, without notice, to limit or restrict any individual’s use, and to inspect, remove, copy or otherwise address any data, file, or the like that may adversely affect authorized users. Email may be scanned automatically for malicious content (viruses, spam, and phishing attacks) and deleted without warning. The University may also impose limitations or restrictions to address violations of University policies.
Email records resident on University-owned IT resources belong to the University and are subject to review and disclosure without notice when required by law, where a violation of law or University policy may exist, where there is a risk of spoliation, bodily harm, property loss or damage, where the University’s mission is jeopardized or during routine system administration.
Copyright
Copyright infringement is the unauthorized copying, storing, displaying, or distributing of another’s intellectual property without the express permission of the copyright owner. In the file-sharing context (peer-to-peer or P2P shareware programs), downloading or uploading another’s work product without authority constitutes an infringement, and is prohibited by the federal Copyright Act of 1976 and Digital Millennium Copyright Act of 1998.
Penalties for copyright infringement are both civil and criminal in nature. For civil violations, individuals may be ordered to pay actual damages or statutory damages of not less than $750 and not more than $30,000 per infringement. For willful infringement, awards of up to $150,000 per incident may be granted; criminal penalties include imprisonment for up to five years and fines of $250,000 per offense. Attorney’s fees and costs may also be assessed. For more information, see www.copyright.gov, and www.copyright.gov/help/faq.
Users of University IT resources may use only legally obtained licensed data or software and must comply with all applicable licenses, copyright, trademark and other intellectual property laws. Much of what appears on the internet or is distributed via electronic communication is protected by copyright law, regardless of whether the copyright is expressly noted. Users of the University computer resources should assume that material is copyrighted unless they specifically know otherwise, and may not copy, download or distribute copyrighted material without permission. Protected material may include, among other things, music, movies, text, photographs, audio, video, graphic illustrations, and computer software.
The University continues to use appropriate technology to reduce and/or eliminate the practice of illegally sharing copyrighted materials. Known vectors used to share files are blocked from the campus. In addition, students are bound by existing University policy that specifically prohibits the use of copyrighted material without the permission of the copyright holder. Violators of the policy are subject to removal of network access and referral to the appropriate disciplinary body.
A list of legal downloading sites is available here: www.educause.edu/legalcontent. The University encourages all students and staff to take advantage of these resources.
It is the responsibility of every person who uses University IT resources to download or upload data to make sure that copyrighted work is not misappropriated, and that all necessary permissions are obtained from the copyright holder.
Online Protocols
The University recognizes that the Internet provides unique opportunities to participate in interactive discussions, research and collaboration using a variety of social media and online venues, such as Facebook, Twitter, blogs, wikis, interactive websites, listservs, newsgroups and so forth. However, the use of non-University hosted sites, systems or networks can pose risks to confidential and proprietary information, the University’s reputation and brand, and compliance with applicable laws.
Be aware that data mining programs used by off-site hosts may result in the sale of participant data (name, email address, etc.) to third parties for commercial purposes. Those permissions are granted by your acceptance of the terms of the third-party host site’s license.
Users of social media must recognize that the manner in which they communicate, interact and share information online must follow the same rules and guidelines that govern activity in the University community at large.
- Protecting Confidential Information. Users must follow all applicable University confidentiality and privacy policies and related laws.
- Refraining from Inappropriate or Harassing Comments. Members of the University community who use online social media are expected to conduct themselves in a manner consistent with the same expectations of dignity and respect that govern other modes of interaction.
- Respecting and Protecting Copyrights and Other Intellectual Property. All restrictions that apply in other contexts regarding copyrights and other intellectual property protections apply to social media postings as well.
- University Name and Logos. The University’s name, logos and other marks may not be used in any context without prior written authorization from the Vice President of Operations. Individuals or groups intending to post or otherwise utilize social media officially on behalf of the University must receive prior written approval from the appropriate University official.
Network Domain
Intentionally interfering with normal operation of the network is prohibited, including the propagation of computer viruses or sustained high-volume network traffic which substantially hinders others in their use of the network. Examples include:
- Downloading movies / uploading to external server
- Downloading music / uploading to external server
- Downloading any software or electronic files
- Uploading, downloading or otherwise transmitting commercial software or copyrighted material in violation of its copyright
- IP address spoofing or IP spoofing: creation of Internet Protocol (IP) packets with a forged source IP address
- Using the Internet for gambling or illegal activities
- Using the Internet for on-line games
- Using the Intranet [LAN] for on-line games
- Video streaming / torrent usage, etc.
If you are aware of a potential inappropriate use of the network or violation of these policies, please direct the information to itsupport@xusom.com and management will diligently investigate.