ITS Facilities are the computers, terminals,printers, networks, modem banks, and related equipment, as well as data files or documents managed or maintained by ITS residing on disk, tape, or other media. ITS facilities also include computer rooms, laboratories, offices and furnishings operated or maintained by Yale Information Technology Services.
An ITS User (or user) is any person, whether
authorized or not, who makes any use of an ITS facility from any
location. For example, this definition includes persons who access ITS
facilities via an electronic network or who are present in an ITS
computer cluster, as well as those who use an ITS electronic network
to connect a personal machine to any other system or service.
The basic purpose of ITS systems is to further the research,
education, and administrative functions of Yale University.
Free Inquiry & Expression.
ITS users have the right to free inquiry and expression consonant with
the purposes of the University.
Users have the right to keep certain data reasonably confidential, such as
electronic mail correspondence. Users have the right to be informed of
what the limits of confidentiality are in an ITS system. See "Privacy
Users have the right to due process in cases of discipline resulting from
rules violations. See "Enforcement Procedures" below.
Users have the right to representation in the formulation of ITS policies
and regulations affecting them.
All use of ITS facilities is subject to Federal, State, and local law and
University regulations. Consult Yale College Undergraduate Regulations,
the Faculty Manual, the Office Procedures Manual, and various policies of
the graduate and professional schools for applicable University policies
Users must observe intellectual property rights, in particular the
software copyright law.
All use of ITS computers and networks must be consistent with all contractual
obligations of the University, including limitations defined in software
and other licensing agreements.
Users must not conceal their identity when using ITS facilities, except
when anonymous access is explicitly provided.
Unauthorized Data Access.
Users must not make or attempt any deliberate, unauthorized access to or
changes in data on an ITS facility, for example to read personal
communications of other users or to access confidential University files.
Users must not defeat or attempt to defeat ITS security systems, such as
"cracking" or guessing user identifications or passwords, compromising
room locks or alarm systems.
Users must not intercept or attempt to intercept data communications not
intended for that user's access, for example, by "promiscuous" bus
monitoring or wiretapping.
Denial of Service.
Users must not deny or interfere with or attempt to deny or interfere with
service to other users, e.g., by means of "resource hogging," distribution
of computer worms or viruses, etc.
Users are responsible for the security of their ITS accounts and
passwords. Any user changes of password must follow published guidelines
for good passwords. Accounts and passwords are normally assigned to
single users and are not to be shared with any other person without ITS
authorization. Users are expected to report any observations of
attempted security violations.
Users must have authorization to use any ITS facility. Except in cases
of explicitly authorized external access, such as for incoming electronic
mail, anonymous ftp or similar services, or specially authorized external
users, ITS facilities are limited to members of the Yale community. Users
must not permit or assist any unauthorized person to access ITS facilities.
External Data Networks.
Users must observe all applicable policies of external data networks when
using such networks.
Users of ITS microcomputers, workstations, printers, or other public
facilities must show University identification upon request.
Access to Data.
Users must allow ITS personnel access to data files kept on ITS systems
for the purpose of systems backups or diagnosing systems problems,
including rules violations.
Without specific authorization, all activities using ITS facilities for
personal profit or for the direct financial benefit of any non-Yale
organization are prohibited. However, this is not meant to restrict
normal communications and exchange of electronic data, consistent
with the University's education and research roles, that may have an incidental financial or
other benefit for an external organization. For example, it is appropriate
to discuss products or services with companies doing business with Yale or
to contribute to Usenet bulletin boards discussing issues relating to
Threats and Harassment.
ITS facilities must not be used to threaten or harass any person. A user
must cease sending messages or interfering in any way with another user's
normal use of ITS facilities if the aggrieved user makes a reasonable
request for such cessation, in the opinion of the director of the facility
Chain Letters and Other Inappropriate Electronic Communications
Knowing or reckless distribution of unwanted mail or other messages is
prohibited. Specifically, chain letters and other schemes that may cause
excessive network traffic or computing load are prohibited.
Modification of Data or Equipment.
Without specific authorization, users of ITS computing or network
facilities must not cause, permit, or attempt any destruction or
modification of data or computing or communications equipment, including
but not limited to alteration of data, reconfiguration of control switches
or parameters, or changes in firmware. This rule seeks to protect "data,
computing, and communications equipment" owned by ITS, Yale University, or any
other person or entity. "Specific authorization" refers to permission by
the owner or designated administrator of the equipment or data to be
destroyed or modified.
Removal of Equipment or Documents.
Without specific authorization by the owner or designated administrator,
users must not remove any ITS-owned or -administered equipment or
documents from an ITS facility.
Without specific authorization, users must not physically or electrically
attach any foreign device (such as an external disk, printer, or video
system) to ITS equipment.
Responsibility for Account.
Users are presumed to be responsible for any activity carried out under
their ITS accounts.
Reports of Violations.
Users must report any evidence of violation of these rules to appropriate
ITS personnel and other University authorities. Users must not conceal
or help to conceal or "cover up" violations by any party.
The policies described herein are those that ITS intends to use in normal
operation of its facilities. This is not a formal statement of University
policy, however. This document does not waive any claim that Yale
University may have to ownership or control of any
hardware, software, or data created on, stored on, or transmitted through
APPENDIX A. PRIVACY CONSIDERATIONS
ITS policy is to ensure the greatest degree of confidentiality in
treating user data on ITS systems and networks consistent with available
technology and the need for system backups, troubleshooting, etc. The
situation will vary somewhat depending on what system or network is being
used. Users should be aware of the following considerations.
(Examples are stated for ITS Unix systems, but similar principles apply
to other systems.)
Example: A bug in a utility program might allow one user to read another's files, or a user might tap a data network wire to view data that is flowing to another user's machine.
Example: The Unix commands w, top, and netstat allow users to monitor certain aspects of system operation.
Example: The current default protection for files (other than mail) on the Minerva Unix system is "600", for directories it is "700". This means that any other Minerva user may not browse through, read or write to any of a user's directories. Another user also cannot read or write to any file in a user's home directory. The Unix command "chmod" allows a Unix user to modify the protection of a file or directory. Default protection level may be changed with the "umask" command, which may be placed in a shell initiation script (.cshrc).
Example: On Minerva Unix logs of mail messages sent or received (not including text) and logs of user sessions (time on, time off and network address of connection) are maintained. In rare cases, detailed logs of each command invocation may be kept.
Example: The Unix "crypt" command is available on some systems.
This list indicates a number of limitations of user privacy and
confidentiality. Notwithstanding these limitations, ITS will make all
reasonable efforts to maintain confidentiality of user data. ITS staff
are forbidden to "browse" user files without specific purpose and
authorization. If, by mistake or other cause, an ITS staff member
reads protected user information, they will not divulge this information
except as authorized by the director of the facility concerned or by
appropriate legal authorities.
APPENDIX B. ENFORCEMENT PROCEDURES
Any actual or suspected violation of the rules listed above should be
brought to the director of the ITS facility most directly involved. In
case of doubt, the report should be made to the ITS Director of Academic
ITS is authorized by University regulations to apply certain penalties to enforce its policies and regulations. Such penalties may include temporary or permanent reduction or elimination of access privileges, which may apply to computing accounts, networks, ITS-administered computing rooms, and other services or facilities.
When ITS believes it necessary to preserve the integrity of facilities, user services, or data, ITS may suspend any account, whether or not the account owner (the user) is suspected of any violation. ITS will attempt to notify the user of any such action.
A person accused of a violation will be notified of the charge and have an opportunity to respond before a final determination of an ITS penalty. The Director of Academic Computing Services must approve any penalty, after considering all available evidence, extenuating factors and any explanations offered by the accused. If an ITS penalty is made, the accused violator may appeal to the University Director of ITS.
If, in the opinion of ITS, the violation warrants action beyond an ITS penalty, the case may be referred to other authorities, such as to the University disciplinary body appropriate to the violator's status, to an employee's supervisor or to a police authority.
(technical revision to Appendix A, 1/96)
(revised 8/21/96, change of name from C&IS; to ITS)
-End of ITS Policy Statement-