III. AASU Policy on IT Accountability

3.0 Purpose

The purpose of this policy is to outline the accountability guidelines for use of computer equipment and network access at Armstrong Atlantic State University.  These responsibilities are in place to protect the employee and Armstrong Atlantic State University.  Unaccountability promotes a “get away with what you can” attitude which can introduce unacceptable risks and legal liability to the employee and to Armstrong Atlantic State University.  

3.1 Scope

This policy covers all computer and communications equipment owned or operated by Armstrong Atlantic State University including all equipment attached to or using AASUNet resources. Explicit in the above statement is that this policy also includes ANYONE using AASU computer and/or communications equipment and/or ANYONE accessing and/or using AASUNet resources.

3.2 User Responsibilities

3.2.1   Courtesy and respect for rights of others.

The AASU campus community has the responsibility to foster a positive and secure campus community by respecting and valuing the right to privacy and the diversity of the population and opinion in the community.  In addition, all are responsible for complying with University policy and all laws and contracts regarding the use of information.

3.2.2    Use of resources.

Users are responsible for knowing what information resources are available, including those shared by the campus community.  Users should refrain from all acts that waste or prevent others from using these resources.

Users have a responsibility to ensure the security and integrity of the computer and network resources and services they use or access.  Responsibilities include performing regular data backups, controlling physical access to information and computer equipment, and using virus protection software and keeping the keeping the virus definition file (DAT file) up to date. Responsibilites may also include updating Windows Critical Updates as requested by Computer and Information Services.

3.2.3    Information integrity.

Users are responsible, to the utmost of their ability, for the accuracy, completeness, trustworthiness, timeliness, and relevance of the data they enter into and extract from AASU information systems. Users should not unconditionally depend on information or communications to be correct when they suspect otherwise and should investigate and verify when possible. It is important to ensure the integrity of the data entered into AASU information systems because information contained on AASU information systems may be used for reporting at a future date. Such reports could influence future decisions made by the state concerning student funding , employment opportunities, capital projects, policy design, and other data related issues.

3.2.4    User Privacy

No one without specific authorization shall read, modify or delete any other person’s computer files or email.  This rule applies regardless of whether the operating system of the computer allows these acts or whether the technical staff has access to perform these acts.

All files, including programs, stored on AASU computer are subject to the Georgia Open Records Act (http://www.sos.state.ga.us/archives/rms/ora.htm ).  However, you are prohibited from looking at, copying, modifying or deleting anyone else’s files.  This includes trying to guess passwords.  The ability to access someone else’s files or information does not imply permission.

3.2.5 Notification of Security Breaches

Users are responsible for notifying the director of CIS of any known security breaches involving AASU network and computer resources.
Examples:

  • Unauthorized access to protected services (e.g. Banner, Peoplesoft, WebCT, and AASUMAIL)
  • Intentional distribution of confidential/sensitive information to unauthorized users.
  • Intentional dissemination of a virus or viruses
  • Known account or password sharing

3.2.6 Notification of Employment Status

All individuals who supervise faculty, staff, and/or student employees are responsible for notifying CIS of employee termination, retirement, and/or departmental transfer.

3.3 Rules

3.3.1   Individual Users

3.3.1.1    Users shall not place confidential information on the computer’s local hard drive without protecting the information appropriately.

Student academic records are required by law, Family Educational Rights and Privacy Act (FERPA - http://www.ed.gov/offices/OII/fpco/ferpa/) , to be kept confidential.  If you store confidential or sensitive information on your computer, you are required to take all precautionary steps to safeguard the information.

3.3.1.2    Users shall not share their password or obtain any other person's password by any means.  Or shall an authorized user allow anyone to gain access to AASU computer and network resources through their account authentication.

Users are responsible for ensuring that others do not use their system privileges. Users should protect their password according to the AASU password policy.

3.3.1.3   Users are responsible for all messages they transmit through AASU's network services and resources.

No one shall use AASU’s network services and resources with intent to transmit fraudulent, defamatory, harassing, obscene or threatening messages, or any communications prohibited by Federal or State law.

3.3.2 System administrators

3.3.2.1    System administrators are accountable for the use of their systems.  This includes unauthorized use of their systems by system users. 

3.3.2.2    It is imperative that system administrators maintain an up-to-date patch level.

3.3.2.3    System administrators are responsible for creating an access policy for their systems, and presenting that policy to all users of their systems.

3.3.2.4    System administrators are responsible to their users.  This responsibility includes but is not limited to:

  • Reading, altering, or deleting any user's files or electronic mail unless the action is part of normal maintenance or related to audit actions preformed by InfoSec.
  • System administrators shall perform their duties fairly, in cooperation with the user community, the appropriate higher-level administrators, AASU policies and funding sources.  System administrators shall respect the privacy of users as far as possible and shall refer all disciplinary matters to the appropriate authorities.
  • System administrators shall give notice to system users before restrictions of denying services presently available unless the services outage is scheduled to occur during the normal maintenance interval or disruption is due to emergency security or maintenance procedures.

3.4 Enforcement

These policies and procedures are designed to ensure the integrity, security, and proper effective functioning of campus IT services. All policy and procedure violations will be subject to investigation and appropriate disciplinary action through established channels that may include, for serious violations, letters of reprimand and/or termination of employment.