Body
| |
|
| Policy Number |
To be assigned by Legal Counsel |
| Effective Date |
To be determined |
| Responsible Office |
UM Information Security Office |
| |
|
IN PLAIN LANGUAGE
The University of Montana provides access to technology resources to support its missions of teaching, research, outreach, service, and campus life. This policy describes the rights and responsibilities that come with that access. Using UM technology resources is a privilege — everyone who uses them is expected to follow applicable laws and University policies, maintain the security of devices and data, and avoid activities that constitute misuse. Violations of this policy may result in suspension or termination of access, institutional disciplinary action, or civil and criminal penalties.
1. Purpose
The University of Montana (UM) provides access to technology resources and assets to support its missions in all areas, including instruction, research, outreach, service, administrative functions, and student and campus life activities. This Acceptable Use Policy sets forth the rights and responsibilities of users of UM technology resources. It also defines measures that may be taken by the University to ensure the integrity of those resources and compliance with applicable law and policy.
This policy is issued under and should be read in conjunction with the UM Information Security Policy, which establishes the broader governance framework and information security program of the University.
2. Scope
This policy applies to:
- All members of the University community, including faculty, staff, students, student employees, affiliates, contractors, vendors, and other third parties with access to UM Information Technology Resources
- All University-owned, managed, or operated information systems, technology resources, and networks
- All users accessing UM technology resources, whether accessing them on a UM campus or from other locations
- All campuses within the University of Montana System, including UM Missoula, Montana Tech, UM Western, and Helena College
Note: Access to and use of UM technology resources is a privilege and requires compliance with all applicable laws and University and Montana University System Board of Regents policies. Users accessing UM technology resources have no expectation of privacy with respect to the use of those resources.
3. Definitions
For purposes of this policy, the following key terms apply:
Information Technology Resources — Hardware, software, networks, systems, and services owned, managed, or operated by the University of Montana, used to collect, process, store, or transmit University Data or support University activities
University Data (Institutional Data) — Information for which the University has legal, contractual, or operational responsibility
CISO — Chief Information Security Officer
Information Security Office (ISO) — The University function responsible for administering the Information Security Program under the direction of the CISO
4. Policy
4.1 Authorized Use
The University of Montana provides access to and use of its Information Technology Resources to students, staff, faculty, and others as part of its operational practices in support of its mission. All use of UM technology resources must be consistent with the University's mission and comply with this policy, applicable laws, and all University and Montana University System Board of Regents policies.
Incidental personal use of UM technology resources is permitted when it does not interfere with an individual's employment responsibilities, does not give rise to a cost to the University, and does not involve commercial activity or partisan political activity as described in Section 4.3.
4.2 User Responsibilities
All users of UM technology resources must:
- Follow all applicable UM policies, procedures, and Information Technology standards
- Actively maintain the security of all devices used to access UM technology resources or to store, access, or process University Data
- Protect the security and privacy of University Data and UM-maintained third-party data, and store or process such data only in authorized locations, consistent with UM policies and standards
- Complete required information security awareness training as directed by the University
- Report privacy, security, or technology policy violations to the UM Information Security Office via the IT Solutions Center support portal or at infosec@umontana.edu
4.3 Prohibited Uses
The following actions constitute misuse of UM Information Technology Resources and are prohibited:
- Utilizing any identity, account, or credentials not specifically assigned to the user by the University
- Hindering, monitoring, or intercepting another user's network traffic, except as expressly authorized by exception to this policy
- Attempting to access, disclose, destroy, use, or modify University systems or data without authorization from appropriate data owners or stewards
- Using technology resources to create or transmit materials that place any person's personal safety at risk
- Using technology resources to gain unauthorized access to any system or network
- Using technology resources for unlawful communications or activity, including threats of violence, unlawful obscenity, child pornography, defamation, cyberstalking, or activity in violation of other University policies, including the Student Conduct Code and policies governing discrimination, harassment, and retaliation
- Engaging in the unauthorized copying, distribution, or transmission of copyrighted materials, including software, music, or other media
- Using traffic anonymizers, proxy services, or third-party VPN services that disguise country of location while accessing UM technology resources, except as expressly authorized by exception to this policy
- Using technology resources or applications to provide an unauthorized gateway or access point into or out of any UM network
- Accessing or using technology resources from unauthorized non-U.S. locations, including those subject to Export Control restrictions, trade sanctions, or other applicable laws, regulations, or University policy
- Using technology resources for partisan political or campaign activities, including participating or intervening in a campaign for public office or making technology resources available to a candidate, campaign, political party, or political action committee
- Using technology resources for commercial purposes, including personal financial gain, except as allowed by exception to this policy
4.4 Exceptions
Exceptions to this policy must be documented and approved through the established exception process administered by the UM Information Security Office. Requests for exceptions should be submitted to the CISO and must include a description of the proposed exception, business justification, duration, and any compensating controls.
5. Roles and Responsibilities
The CISO is responsible for:
- Overseeing the implementation and enforcement of this policy as part of the University's Information Security Program
- Developing and maintaining information security policies, standards, and procedures that support this policy
- Granting or denying exceptions to policy requirements
- Escalating material compliance issues to executive leadership and appropriate disciplinary authorities
UM IT, UM System IT, and Distributed IT are responsible for:
- Implementing technical controls to support compliance with this policy
- Supporting monitoring, incident response, and remediation activities related to misuse of technology resources
- Providing users with guidance and resources for secure and compliant use of University technology
5.3 All Users
All users of UM technology resources are responsible for:
- Understanding and complying with this policy and all applicable University policies and information security standards
- Protecting University Data and systems from unauthorized access, misuse, or disclosure
- Completing required security awareness training
- Promptly reporting suspected policy violations or security incidents to the UM Information Security Office
6. Compliance and Enforcement
The University may take actions it deems necessary to protect and manage the security and integrity of its technology resources, including monitoring, investigation, and suspension or restriction of access. Noncompliance with this policy may result, depending on the nature and severity of the violation, in one or more of the following:
- Temporary or permanent suspension or termination of access to UM technology resources
- Requirement to implement remedial measures prior to reinstatement of access
- Referral to the appropriate University disciplinary body for institutional sanctions
- Civil or criminal penalties under applicable law
The CISO is authorized to monitor compliance through assessments, audits, and investigations and to escalate non-compliance to appropriate University officials. Exceptions to this policy must be documented and approved through the established exception process.
This policy is issued under and should be read in conjunction with the following:
Institutional Policies
- UM Information Security Policy
- UM Data Governance Policy
Information Security Standards
- User Security Awareness & Responsibilities Standard
- IT Data Security Standard
- Account Security Standard
- Endpoint Management & Configuration Standard
- Electronic Communications Standard
- Network Security Standard
- Cloud Computing Security Standard
- Incident Response Standard
8. External References
- Montana University System Board of Regents IT Policy 1300.1
- Montana University System Board of Regents IT Policy 1303.1
- Montana University System Board of Regents IT Policy 1304.1
- Montana University System Board of Regents IT Policy 1305.1
- Applicable federal and state laws and regulations, including FERPA, GLBA, HIPAA (as applicable), and Export Control regulations