Policies For Use of Information Technology Services Facilities

DEFINITIONS

ITS is Yale University's Information Technology Services, whose responsibility includes central academic and administrative computing and networking.

ITS Facilities are the computers, terminals, printers, networks, modem banks, and related equipment, as well as data files or documents managed or maintained by ITS residing on disk, tape, or other media. ITS facilities also include computer rooms, laboratories, offices and furnishings operated or maintained by Yale Information Technology Services.

An ITS User (or user) is any person, whether authorized or not, who makes any use of an ITS facility from any location. For example, this definition includes persons who access ITS facilities via an electronic network or who are present in an ITS computer cluster, as well as those who use an ITS electronic network to connect a personal machine to any other system or service.

PURPOSE

The basic purpose of ITS systems is to further the research, education, and administrative functions of Yale University.

RIGHTS

Free Inquiry & Expression.

ITS users have the right to free inquiry and expression consonant with the purposes of the University.

Reasonable Confidentiality.

Users have the right to keep certain data reasonably confidential, such as electronic mail correspondence. Users have the right to be informed of what the limits of confidentiality are in an ITS system. See "Privacy Considerations" below.

Due Process.

Users have the right to due process in cases of discipline resulting from rules violations. See "Enforcement Procedures" below.

Participation.

Users have the right to representation in the formulation of ITS policies and regulations affecting them.

LEGAL RESPONSIBILITIES

Lawful Use.

All use of ITS facilities is subject to Federal, State, and local law and University regulations. Consult Yale College Undergraduate Regulations, the Faculty Manual, the Office Procedures Manual, and various policies of the graduate and professional schools for applicable University policies and procedures.

Copyrights.

Users must observe intellectual property rights, in particular the software copyright law.

Contracts.

All use of ITS computers and networks must be consistent with all contractual obligations of the University, including limitations defined in software and other licensing agreements.

SECURITY

Concealed Identity.

Users must not conceal their identity when using ITS facilities, except when anonymous access is explicitly provided.

Unauthorized Data Access.

Users must not make or attempt any deliberate, unauthorized access to or changes in data on an ITS facility, for example to read personal communications of other users or to access confidential University files.

Security Compromise.

Users must not defeat or attempt to defeat ITS security systems, such as "cracking" or guessing user identifications or passwords, compromising room locks or alarm systems.

Data Interception.

Users must not intercept or attempt to intercept data communications not intended for that user's access, for example, by "promiscuous" bus monitoring or wiretapping.

Denial of Service.

Users must not deny or interfere with or attempt to deny or interfere with service to other users, e.g., by means of "resource hogging," distribution of computer worms or viruses, etc.

Personal Responsibility.

Users are responsible for the security of their ITS accounts and passwords. Any user changes of password must follow published guidelines for good passwords. Accounts and passwords are normally assigned to single users and are not to be shared with any other person without ITS authorization. Users are expected to report any observations of attempted security violations.

GENERAL RESPONSIBILITIES

Proper Authorization.

Users must have authorization to use any ITS facility. Except in cases of explicitly authorized external access, such as for incoming electronic mail, anonymous ftp or similar services, or specially authorized external users, ITS facilities are limited to members of the Yale community. Users must not permit or assist any unauthorized person to access ITS facilities.

External Data Networks.

Users must observe all applicable policies of external data networks when using such networks.

Personal Identification.

Users of ITS microcomputers, workstations, printers, or other public facilities must show University identification upon request.

Access to Data.

Users must allow ITS personnel access to data files kept on ITS systems for the purpose of systems backups or diagnosing systems problems, including rules violations.

For-profit Use.

Without specific authorization, all activities using ITS facilities for personal profit or for the direct financial benefit of any non-Yale organization are prohibited. However, this is not meant to restrict normal communications and exchange of electronic data, consistent with the University's education and research roles, that may have an incidental financial or other benefit for an external organization. For example, it is appropriate to discuss products or services with companies doing business with Yale or to contribute to Usenet bulletin boards discussing issues relating to commercial products.

Threats and Harassment.

ITS facilities must not be used to threaten or harass any person. A user must cease sending messages or interfering in any way with another user's normal use of ITS facilities if the aggrieved user makes a reasonable request for such cessation, in the opinion of the director of the facility involved.

Chain Letters and Other Inappropriate Electronic Communications.

Knowing or reckless distribution of unwanted mail or other messages is prohibited. Specifically, chain letters and other schemes that may cause excessive network traffic or computing load are prohibited.

Modification of Data or Equipment.

Without specific authorization, users of ITS computing or network facilities must not cause, permit, or attempt any destruction or modification of data or computing or communications equipment, including but not limited to alteration of data, reconfiguration of control switches or parameters, or changes in firmware. This rule seeks to protect "data, computing, and communications equipment" owned by ITS, Yale University, or any other person or entity. "Specific authorization" refers to permission by the owner or designated administrator of the equipment or data to be destroyed or modified.

Removal of Equipment or Documents.

Without specific authorization by the owner or designated administrator, users must not remove any ITS-owned or -administered equipment or documents from an ITS facility.

Foreign Devices.

Without specific authorization, users must not physically or electrically attach any foreign device (such as an external disk, printer, or video system) to ITS equipment.

Responsibility for Account.

Users are presumed to be responsible for any activity carried out under their ITS accounts.

Reports of Violations.

Users must report any evidence of violation of these rules to appropriate ITS personnel and other University authorities. Users must not conceal or help to conceal or "cover up" violations by any party.

The policies described herein are those that ITS intends to use in normal operation of its facilities. This is not a formal statement of University policy, however. This document does not waive any claim that Yale University may have to ownership or control of any hardware, software, or data created on, stored on, or transmitted through ITS facilities.

APPENDIX A. PRIVACY CONSIDERATIONS

ITS policy is to ensure the greatest degree of confidentiality in treating user data on ITS systems and networks consistent with available technology and the need for system backups, troubleshooting, etc. The situation will vary somewhat depending on what system or network is being used. Users should be aware of the following considerations. (Examples are stated for ITS Unix systems, but similar principles apply to other systems.)

This list indicates a number of limitations of user privacy and confidentiality. Notwithstanding these limitations, ITS will make all reasonable efforts to maintain confidentiality of user data. ITS staff are forbidden to "browse" user files without specific purpose and authorization. If, by mistake or other cause, an ITS staff member reads protected user information, they will not divulge this information except as authorized by the director of the facility concerned or by appropriate legal authorities.

APPENDIX B. ENFORCEMENT PROCEDURES

Any actual or suspected violation of the rules listed above should be brought to the director of the ITS facility most directly involved. In case of doubt, the report should be made to the ITS Director of Academic Computing Services.

ITS is authorized by University regulations to apply certain penalties to enforce its policies and regulations. Such penalties may include temporary or permanent reduction or elimination of access privileges, which may apply to computing accounts, networks, ITS-administered computing rooms, and other services or facilities.

When ITS believes it necessary to preserve the integrity of facilities, user services, or data, ITS may suspend any account, whether or not the account owner (the user) is suspected of any violation. ITS will attempt to notify the user of any such action.

A person accused of a violation will be notified of the charge and have an opportunity to respond before a final determination of an ITS penalty. The Director of Academic Computing Services must approve any penalty, after considering all available evidence, extenuating factors and any explanations offered by the accused. If an ITS penalty is made, the accused violator may appeal to the University Director of ITS.

If, in the opinion of ITS, the violation warrants action beyond an ITS penalty, the case may be referred to other authorities, such as to the University disciplinary body appropriate to the violator's status, to an employee's supervisor or to a police authority.

(revised 1/11/94)
(technical revision to Appendix A, 1/96)
(revised 8/21/96, change of name from C&IS to ITS)

-End of ITS Policy Statement-