ADMIN INFO
- Approval Authority: Vice Chancellor for Finance, Information Technology
- Responsible Administrator: Chief Information Officer (CIO)
- Responsible Office: Office of Cybersecurity
- Policy Contact: Chief Information Security Officer (CISO)
- Approval Date: September 2021
- Effective Date: September 2021
- Last Revision Date: April 2023
OVERVIEW
The mission of Vanderbilt University is to be a center of scholarly research, informed and creative teaching, and service to the community and society at large. The university upholds the highest standards and is a leader in the quest for new knowledge through scholarship, dissemination of knowledge through teaching and outreach, and creative experimentation of ideas and concepts. In pursuit of these goals, Vanderbilt highly values intellectual freedom that supports open inquiry, and equality, compassion, and excellence in all endeavors.
To achieve its mission, the university applies substantial financial and personnel assets toward operating a reliable, available, and secure network computing infrastructure. The mass adoption of digital technologies by members of our community requires that Vanderbilt establish clear policies that guide how Vanderbilt Community Members may use the university’s information technology (IT) assets. This Appropriate Use of Technology Assets Policy communicates the respective policies associated with our role in the Vanderbilt community as students, faculty, staff, postdoctoral trainees, or other authorized users.
REASON FOR POLICY
The guiding purpose of the Appropriate Use of Technology Assets Policy is to ensure that the university’s IT assets are used to promote the core mission of Vanderbilt in education, research and scholarship, and service, either directly or through the various administrative entities and services that enable Vanderbilt’s core mission. To that end, the policy has the following goals:
- that computer and communication devices or other IT assets which access, store, or transmit university data and/or student information are used for their intended purposes;
- that the use of IT assets is consistent with the principles and values that govern use of other university facilities and services; and
- that the confidentiality, integrity, and availability of IT assets are protected.
The Office of Cybersecurity will review this policy annually with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.
SCOPE
This policy applies to the entire Vanderbilt University (VU) community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called “VU Community Members”) as well as campus visitors. All IT assets used to collect, transmit, process, store, or host institutional data are in-scope for this policy.
POLICY
1. GENERAL USE AND OWNERSHIP
- Vanderbilt University data stored on electronic and computing devices, whether owned or leased by Vanderbilt, faculty, staff, or a third party, remains the sole property of Vanderbilt. You must ensure through contractual or technical means that university data is protected in accordance with the Data Classification Policy.
- VU Community Members have the responsibility to promptly report suspected security and privacy incidents, including the theft, loss, or unauthorized disclosure of university data.
- VU Community Members may access, use, or share Vanderbilt University data only to the extent it is authorized and necessary to fulfill assigned job duties.
- For security and network maintenance purposes, authorized individuals within Vanderbilt University Information Technology (VUIT) or the Office of Cybersecurity may monitor equipment, systems, and network traffic at any time.
- Vanderbilt University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
2. UNLAWFUL AND INAPPROPRIATE USE
- Under no circumstances are Vanderbilt Community Members authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing university-owned resources.
- Tennessee and federal laws provide for civil and criminal penalties for violations related to misuse of information technology assets. Examples of unlawful actions include, but are not limited to, defamatory remarks, destruction of Vanderbilt University data or equipment, unauthorized copying of copyrighted material, sexual exploitation or solicitation of a minor via electronic means, and the transportation of obscene materials across state lines. Any use of Vanderbilt network computing assets by anyone in the organization that violates state, federal, or local laws is prohibited.
- Details of inappropriate activities may be found in the Inappropriate Use of Technology Assets Standard.
- Details of appropriate and inappropriate use of personally owned devices may be found in the Bring Your Own Device (BYOD) Standard.
3. PRIVACY
The privacy of all users and the integrity and operational security of university data must be respected by all Vanderbilt Community Members. Access to a user’s electronic information should only occur for a legitimate business purpose or with that user’s consent. Furthermore, access to a user’s electronic information should be limited to the minimum electronic information necessary to accomplish the legitimate business purpose. Vanderbilt’s IT assets must not be used by anyone to gain or attempt to gain unauthorized access to private information, even if that information is not securely protected or is otherwise available. The fact that an individual account and its data may be unprotected does not confer either an ethical or legal right to access it.
- Investigations of misuse, unauthorized use, or illegal activity, compliance with federal, state, or local laws or regulations, as well as routine or emergency maintenance of the IT asset, may require observation of electronic information by appropriate and authorized university officials, employees, or their authorized agents. Such activities are not in violation of this principle so long as these activities are conducted by authorized individuals on behalf of Vanderbilt University and are governed by professional IT forensic protocols. Vanderbilt uses automated systems to monitor data transmissions entering and leaving the Vanderbilt networks to detect the presence of viruses, malicious software, or privileged information.
- With the availability of smartphones and consumer electronics, it is possible for someone to acquire voice, video, still images, multimedia, or text in non-public situations without the knowledge or consent of all parties. Vanderbilt IT assets must not be used by anyone in the organization to publish or distribute this type of material without the express consent of all involved parties.
- Vanderbilt University is committed to protecting the privacy of faculty, students, staff, and other users of its IT assets, and their electronic communications. However, because Vanderbilt operates subject to compliance with various federal and state laws and regulations and must be able to enforce its own policies, Vanderbilt must occasionally inspect, preserve, and produce records to fulfill legal obligations and to carry out internal investigations. Vanderbilt University reserves the right to obtain, copy, and convey to outside persons any records or electronic transactions completed using Vanderbilt University IT assets in the event it is required by law or institutional policy to do so. Vanderbilt University may also, in its reasonable discretion and when circumstances require, obtain and review any records relevant to an internal investigation concerning compliance with Vanderbilt University rules or policies applicable to students, faculty, staff, postdoctoral trainees, or to all others granted use of Vanderbilt’s IT assets. Users therefore should not expect that records created, stored, or communicated with Vanderbilt IT assets or in the conduct of Vanderbilt’s business will necessarily be private. Vanderbilt University reserves its right to any work product generated in the conduct of its business.
4. INTELLECTUAL PROPERTY
At the heart of any academic or research endeavor resides the concept of intellectual property. All copyrighted information (text, images, icons, programs, video, audio, etc.) retrieved from computer or network resources must be used in compliance with applicable copyright and other law. All Vanderbilt Community Members are obligated to respect licenses to copyrighted material. Copied material must be properly attributed. Plagiarism of digital information is subject to the same sanctions as apply to plagiarism in any other media. Acquiring or sharing copyrighted materials without obtaining the appropriate licenses or permissions may be unlawful.
5. POLICY COMPLIANCE
- Any use of Vanderbilt information technology assets that violates applicable institutional policies is prohibited.
- Unauthorized access to private information constitutes a violation of this policy and may result in disciplinary actions under the Faculty Manual, Student Handbook, Human Resources Policies, or other applicable policy statements. Violation of this principle may also constitute a violation of state or federal law.
- Vanderbilt University maintains high standards for its students, and various codes and policies govern and inform a student’s day-to-day life in the conduct of his or her Vanderbilt experience. Students are prohibited from using the Vanderbilt information assets for activities that violate the conduct code, the honor code, or other policies and regulations delineated by The Student Handbook.
6. FIDUCIARY RESPONSIBILITIES
- VANDERBILT COMMUNITY MEMBERS
  - Members of the Vanderbilt community possess a great personal responsibility to themselves and to other Community Members to utilize technology while maintaining their fiduciary responsibilities. These responsibilities include, but are not limited to:
    - Being responsible for the security of one’s personal information;
    - Protecting personal and private information of others; and
    - Taking care to minimize risks of various undesirable events, such as disclosure of sensitive personal information, identity theft, and even threats to personal safety when using Vanderbilt IT assets.
- VANDERBILT COMMUNITY MEMBERS WITH ELEVATED ACCESS
  - VU Community Members (e.g. VUIT Personnel) may be granted elevated or privileged access to Vanderbilt University’s IT assets for legitimate business needs. This privileged access places these members in a higher level of trust. To maintain this level of trust, Vanderbilt users with administrative or elevated access must develop, maintain, and continually enhance their skills and abilities to safeguard university data. These VU Community Members must strive to be trusted and highly skilled custodians through:
    - Preserving confidentiality;
    - Protecting data and information integrity;
    - Establishing and maintaining availability of IT assets;
    - Educating those around them about IT and social risks related to IT assets;
    - Enhancing and maintaining technical skills; and
    - Demonstrating an understanding of the areas they support.
7. GUEST NETWORK ACCESS
Any individual or device that connects to the Vanderbilt University guest wireless network(s), regardless of the individual’s affiliation with the institution or the device ownership, shall use the institution’s resources in an authorized, ethical, and lawful manner. Under no circumstances is an individual authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing the guest wireless network, and Vanderbilt University reserves the right to disconnect any individual at any time for any reason.
Vanderbilt University makes no guarantees regarding the availability or assurance of its guest wireless network, and usage is provisioned as is. While an individual or device is connected to the guest wireless network, Vanderbilt University assumes no liability for:
- any personal equipment that is lost or damaged,
- any information or data that is lost or compromised,
- any content or material uploaded, shared, disseminated, or downloaded.
8. LOCALLY SPECIFIC POLICIES
Individual units (e.g., VC areas or schools) within the university may create additional policies for IT assets under their control. These policies may include additional detail, guidelines and further restrictions but must be consistent with principles stated in this policy document. Individual units adopting more specific policies are responsible for establishing, publicizing, and enforcing such policies, as well as any rules governing the authorized and appropriate use of equipment for which those units are responsible.
EXCEPTIONS
On rare occasions, a security policy exception may be considered depending on the impact to the university mission and security risk(s) introduced. Exception requests must be submitted to the VU Chief Information Security Officer for evaluation and risk assessment. The CISO, or a delegate, will grant or deny the request based on the level of risk.
ENFORCEMENT
Any VU Community Member who violates this policy may be subject to disciplinary action up to and including termination. The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law, and individuals shall be accountable as applicable.
FREQUENTLY ASKED QUESTIONS
RELATED DOCUMENTS/POLICIES
ADDITIONAL CONTACTS
Contact | Email |
Office of Cybersecurity | cybersecurity@vanderbilt.edu |
HISTORY
Review Date | Summary of Changes |
April 2023 | Updated boilerplate language and terms |