Responsible Use of Computing
University Policy 1301: Responsible Use of Computing applies to all faculty, staff, students, visitors and contractors in all academic and operational departments and offices at George Mason University.
University Policy Number 1301
Subject: Responsible Use of Computing
Responsible Parties: Vice President for Information Technology and Services
Procedures: Not Applicable
Related University Policies: Data Stewardship Policy 1114, Reporting Electronic Security Incidents 1305
Policy Number 1301, Responsible Use of Computing (RUC), applies to all academic and operational departments and offices at all George Mason University (Mason) locations owned and leased. The policies and procedures provided herein apply to all Mason faculty, staff, students, visitors, and contractors.
Mason provides and maintains general computing services including web and Internet resources, as well as telecommunication technology, to support the education, research, and work of its faculty, staff, and students. At the same time, Mason wishes to protect all users’ rights to an open exchange of ideas and information. This policy sets forth the responsibilities of each member of the Mason community in preserving the security, confidentiality, availability, and integrity of Mason computing resources. To accomplish these ends, this policy supports investigations of complaints involving Mason computing abuse, including sexual harassment, honor code, federal, state, applicable industry, and local law violations.
Mason faculty and staff, as state employees, are subject to the Freedom of Information Act, §2.2-3700, et seq., of the Code of Virginia, and all applicable state and federal rules and regulations. While this policy endeavors to maintain user confidentiality, it cannot create, nor should faculty or staff members presume, any expectation of privacy.
Violations of this policy may result in revocation of access, suspension of accounts, disciplinary action, or prosecution. Evidence of illegal activity will be turned over to the appropriate authorities. It is the responsibility of all users of Mason computing resources to read and follow this policy and all applicable laws and procedures (user sign-on agreement).
Mason Computing Resources. All computers, systems, workstations, networks, networking equipment, peripheral devices, servers, and any other university property attached to Mason’s website or Internet network. These resources include all software, files, documents, and databases stored in Mason computing systems. The Mason website includes all webpages that reside on servers owned by Mason. The Mason website does not include servers or other resources owned by Internet Service Providers or personal resources owned by members of the Mason community who may use the resources to access Mason computing resources.
System Administrator (SA). Anyone who has the responsibility to maintain, configure, operate, or repair Mason’s computing resources. System Administrators have special privileges and special responsibilities under this policy.
Information Technology Unit (ITU). The organizational entity that is responsible for IT equipment and services within the Mason campus system. The ITU is headed by the Vice President for Information Technology (VPIT), who is administratively responsible for this policy.
Technology Council. A group of Mason faculty and staff that provides advice and recommendations to the VPIT regarding the selection and architecture of technologies used to provide IT services.
System Administrator. The SAs have extraordinary powers to override or alter access controls, configurations, and passwords. This power should be exercised with great care and integrity. SAs’ actions are constrained by this policy and by the policies of local administrative units.
Data Stewards of Mason units who employ SAs are responsible for ensuring that the SAs comply with and enforce the requirements of this policy in the systems for which they are responsible. SAs who violate this policy or who misuse their powers are subject to disciplinary action.
If an SA observes someone engaging in activities that would seriously compromise the confidentiality, availability, or integrity of a Mason system, network, or electronic Mason data, the SA may take immediate action to stop the threat or minimize the damage or contact the ITU Support Center to activate the Computer Security Incident Response Team (CSIRT). SAs who observe suspected violations of law should immediately alert the Mason Police.
Security Review Panel (SRP). This policy establishes an SRP that is responsible for reviewing SAs’ decisions, responding to complaints, providing security advice, and periodically reviewing this policy. The SRP consists of the Director, IT Security, three faculty members, two members of Mason’s Technology Council, one representative from the Faculty Senate, one graduate student, one undergraduate student, one ITU staff member, and one non-ITU system administrator. The VPIT appoints the SRP members. The SRP chair will be one of the faculty members and will be appointed by the VPIT.
The SRP is responsible for periodically reviewing the RUC Policy and recommending improvements and clarifications as needed. All modifications to the policy will be made after full public disclosure and a reasonable period for public comment.
The SRP will establish a dispatching procedure for routing StopIt complaints to the appropriate official or staff member for action.
Users. Access to Mason’s computing resources is a privilege granted on a presumption that every member of the Mason community will exercise that privilege responsibly. Because it is impossible to anticipate all the ways in which individuals can damage, interrupt, or misuse Mason’s computing resources, this policy focuses on a few simple rules. These rules describe actions that users should avoid and the principles behind them. Each rule is followed by a non-exhaustive list of examples of actions that would violate the rule.
RULE 1: Use Mason Computing Resources consistently with the following intended purposes:
Educational, research and administrative purposes of Mason.
Uses indirectly related to Mason purposes that have an educational or research benefit, such as news reading, web browsing, chat sessions, and personal communications.
Employees and contractors of the Commonwealth of Virginia may not use Mason’s computing resources for recreation or entertainment.
RULE 2: Do not use computer accounts for illegitimate purposes.
Account usernames identify individuals to the entire international Internet user community. Users may be held responsible for actions in the account. If that person violates any policies, his or her actions will be traced back to the username and the account holder may be held responsible.
- Selling access to Mason’s computing resources;
- Engaging in commercial activity not sanctioned by Mason;
- Intentionally denying or interfering with any network resources;
- Using or accessing any Mason computing resource, or reading or modifying files, without proper authorization;
- Using the technology to in any way misrepresent or impersonate someone else;
- Sending chain letters;
- Violating copyright laws and licenses;
- Violating federal or state law, or university policy.
RULE 3: Honor the privacy of other users.
Mason respects the desire for privacy, and voluntarily chooses to refrain from inspecting users’ files, except as described below in Section V. System administrators who carry out standard administrative practices, such as backing up files, cleaning up trash or temporary files, or searching for rogue programs, do not violate privacy. Some examples of privacy violations are:
- Accessing the contents of files of another user without explicit authorization from that user.
- Intercepting or monitoring any network communications meant for another person.
- Transmitting or distributing personal or private information about individuals without explicit authorization from the individuals affected.
- Creating or using programs (e.g., keyloggers) that secretly collect information about users. Note that most systems keep audit trails and usage logs; these are not secret and are considered normal parts of system administration.
RULE 4: Do not use any account except the one you have been authorized to use.
If a user has a legitimate reason to give someone else access, it should be strictly temporary. The account holder should change the password after another user finishes using the account.
RULE 5: Do not use Mason’s computing resources to violate other policies or laws.
The list below is not comprehensive. In case of doubt, ask the Security Review Panel (SRP), or e-mail firstname.lastname@example.org.
- Using Mason’s computing resources to violate harassment laws or policies. Various types of harassment, including sexual or racial, are proscribed by Mason policies.
- Using Mason’s computing resources to violate the Honor Code.
- Extending the Mason network without explicit permission from ITU Network Engineering. The unauthorized use of routers, switches, modems and other devices can impact the security and stability of the network.
- Running vulnerability scans on systems is considered hostile. If required for academic reasons, written permission from the system owner is required.
- Using Mason’s computing resources to transmit, store, display, download, print or intentionally receive obscene material, or to distribute pornographic material. All users of Mason computing resources are subject to all federal and state obscenity laws. State employees should also be aware of state laws prohibiting the use of state equipment to access, store, print or download sexually explicit material.
Personal e-mail, electronic files maintained on Mason equipment, and personal websites are part of a unique electronic information environment. This environment creates unique privacy issues that involve federal and state laws as well as Mason policies.
Mason reserves the right to inspect user files and communications for all lawful purposes, to include investigating allegations of illegal activity, violations of Mason policies, or to protect the integrity and security of network systems.
Mason will investigate all complaints involving personal websites and will remove or block material or links to material that violate federal or state law or university policy.
THE STOPIT PROCESS. The process described here, called “StopIt,” uses a graduated approach to handle violations of this policy. This policy distinguishes between incidents that pose no immediate dangers to persons or to system integrity, and incidents that do. The three-step StopIt process described below is for cases in which there are no immediate dangers.
Incidents posing immediate dangers to persons or systems require immediate action. These include active system break-ins or intrusions, denials of service, and incidents or criminal activity conducted using Mason computing resources. In these cases, the responsible SA may take reasonable actions to deal with the threat, such as temporarily disconnecting the system from the network, temporarily suspending accounts, and calling law enforcement officers. The SA taking such actions will notify his or her supervisor and the ITU Support Center as soon as practicable.
The StopIt process rests on two foundations:
- Wide Distribution of Policy Information: Notices describing the essence of the RUC policy will be displayed in academic computing labs on Mason premises; the same information will be provided to the community at least annually. By logging on to the Mason network, users are agreeing to the conditions of the RUC policy (user sign-on agreement).
- Standard Reporting Mechanism: The StopIt e-mail address is monitored regularly by individual(s) appointed by the SRP. Harmful or disruptive behavior should be reported to the StopIt e-mail or to the Mason Police. The individual who responds to a complaint will normally forward it to the SA of the system on which the infraction apparently occurred. That SA will investigate the complaint, determine its validity, and take appropriate actions (see below).
The steps of the process are:
STOPIT 1: FIRST WARNING
The SRP member handling a case (or SA, if the case is delegated) will send a warning letter or email to the alleged perpetrators of improper use of Mason computing resources, harassment, or other uncivil behavior. The letter will have this form:
“Someone using your account did [description of offense].” This is followed by an explanation of why this behavior violates which policy. “Account holders are responsible for the use of their accounts. If you were unaware that your account was being used in this way, it may have been compromised. Your system administrator can help you change your password and secure your account. If you are aware, then please make sure that this does not happen again.”
This warning ensures that the alleged perpetrators are aware that a policy violation may have occurred and that there was a complaint. It offers them an opportunity to desist without having to admit guilt and to secure their account against unauthorized use.
STOPIT 2: SECOND WARNING
If there is a second offense from an account that received a first-warning letter, the SRP member will issue a second warning and may require that the account holder come to a mandatory interview. The SRP chair can authorize the temporary suspension of access to the user’s account if the individual fails to arrange for a mandatory interview. The user can request a hearing before the full SRP.
STOPIT 3: DISCIPLINARY PROCEDURES
If the previous StopIt stages do not convince the perpetrators to desist, the matter will be turned over to the appropriate Mason authority designated for that type of offense. The SRP will make available all information and evidence it has on the case to that authority.
If it appears from the evidence that any federal or state laws may have been violated, the SRP may recommend suspension of the account pending the outcome of the Mason or law enforcement authorities’ investigation.
All amendments to the Responsible Use of Computing Policy Number 1301 are to be reviewed and approved by the Office of the Provost and the Office of the Senior Vice President.
The policies herein are effective October 20, 1997, and were revised December 17, 2007. This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of Mason’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: 10/07/02
Revisions approved: 1/08/08