Development and Philosophy of the Internet & BIG 38 (part 2/3).

Martin Pilc marpi at psu.edu
Wed Nov 9 19:31:29 CET 1994


(I had to post it in three parts, sorry)

University Policy on Computer Use

Individuals are expected to exercise responsible, ethical
behavior when using the University's computers, information,
networks or resources.

Purpose

To establish conditions for use of, and requirements for
appropriate security to cover University computers, available
information technology, and networks.

Scope

This policy is effective at all University locations and
represents the minimum requirements that must be in place.
Individual areas that have computers and networks may have
additional controls and security, but they are in addition to
this policy.

Responsibility

The University Computing, Network, and Information Security
Officer is responsible for the development and implementation
of University-wide policies, controls and procedures to
protect the University network and information systems from
intentional or inadvertent modification, disclosure or
destruction, as well as monitoring user adherence to these
policies; arbitrating and resolving issues and problems
pertaining to ownership, accessibility and updating
responsibility for the University's data resources; and
educating the user community to the ethical use of computer
information and network facilities.

Policy

Appropriate security shall include protection of the privacy
of information, protection of information against
unauthorized modification, protection of systems against
denial of service, and protection of systems against
unauthorized access.

In order to protect the security of the computers and
networks, and the integrity of the information against
unauthorized or improper use, and to protect authorized users
from the effects of unauthorized or improper usage of the
facilities, the University reserves the rights to limit,
restrict or terminate any account holder's usage; and
inspect, copy, remove or otherwise alter any data, file, or
system resources that may undermine the authorized use of
that system, with or without prior notice to the user. The
University also reserves the right to periodically check the
systems, and to take such other actions necessary to protect
University computers, information, and networks.

Each operational computer facility at Penn State must develop
an internal security document to cover such details as the
type of access controls (minimum length of passwords, other
type of accessing, etc.) or disaster recovery plans.

The University shall not be liable for, and the user assumes
the risk of, loss of data or interference with files
resulting from the University's efforts to maintain the
privacy and security of the University's computer,
information and network facilities.

Access to and Use of Computers and Computer Networks

Individuals are expected to exercise responsible, ethical
behavior when using the University's computers, information,
networks or resources. This includes the following:

1. Access to University computer systems, accounts and
resources is limited to only those which an individual has
been authorized to use by the University. Authorization for
access to computer systems, including the purpose of the
account, issuance of passwords and designation of computer
accounts, must be approved in writing through the respective
dean or director of the administrative unit, or their
authorized representative. The unauthorized use of University
computer systems, accounts and resources, the unauthorized
use of another person's computer account, and providing false
or misleading information for the purpose of obtaining access
to computer systems, is prohibited and will be subject to
the sanctions described in this policy.

2. Each user is responsible for understanding and complying
with the security rules of University computer systems.
Authorized users shall take all reasonable precautions to
prevent use of University computer systems by unauthorized
persons.

3. Use of another person's account or access to the
University's computer systems is prohibited without
authorization. Authorization shall not be given for anyone
to use another's account(s) unless such authorization is
specifically requested in writing, and approved in writing
by the account owner and the respective dean or director
(or authorized representative) of the computer or network.
The authorized user(s) of an account is (are) responsible
for all usage on that account. Account owners shall take
all reasonable precautions, including password maintenance
and file protection measures, to prevent use of accounts by
unauthorized persons. Accounts must be used only for the
purpose for which they were authorized. For example,
non-funded research or student accounts may not be used for
funded research or private consulting.

4. Users have the responsibility to use available mechanisms
and procedures to protect their own programs, programs in
software libraries, and data, and they also are responsible
for assisting in the protection of the systems they use.

5. Programs, programs in software libraries, and data that
belong to another account shall not be accessed or copied
without prior authorization from the account holder. Files
may not be taken to other computer sites without written
permission from the holder of the account under which the
files reside.

6. Computer software protected by copyright is not to be
copied from, into or by using University computers, except
as permitted by law or by the license or contract with the
owner of the copyright. The software license or contract
will define number of copies, simultaneous users, machine
exclusivity, etc.

7. University computer systems are reserved for University
related activities only. Transmitting or making accessible
offensive, obscene or harassing materials or messages are
not University related activities and are prohibited. The
intentional deletion or alteration of information or data
of others, intentional misuse of system resources, and
permitting misuse of system resources by others are
prohibited.

8. Individuals aware of any breach of information system or
network security, or compromise of computer security
safeguards, must report such situations to the responsible
computer security officer. The appropriate computer security
officer, in conjunction with the University Computing,
Network and Information Security Officer, will contact
Auditing for assistance to determine if financial loss has
occurred and if control or procedures require modification.
When warranted by such preliminary review, Police Services,
Auditing, and other departments will be contacted as
appropriate.

Sanctions for Policy Violations

Violation of any provision of this policy may result in (i) a
limitation on a user's access to some or all University
systems, (ii) the initiation of legal action by the
University, including, but not limited to, criminal
prosecution under appropriate state and federal laws, (iii)
the requirement of the violator to provide restitution for
any improper use of service, and (iv) disciplinary sanctions,
which may include dismissal.

Course and Work Related Access to Computers and
Computer Networks

Many academic courses and work-related activities require the
use of computers, networks and systems of the University. In
the event of an imposed restriction or termination of access
to some or all University computers and systems, a user
enrolled in such courses or involved in computer related work
activities may be required to use alternative facilities, if
any, to satisfy the obligation of such courses or work
activity. However, users are advised that if such alternative
facilities are unavailable or not feasible, it may be
impossible to complete requirements for course work or work
responsibility. The University views misuse of computers as a
serious matter, and will make no exceptions to restrictions
on access to its facilities even if the user is unable to
complete course requirements or work responsibilities as a
result.

Cross References

Other policies in the University Policy Manual should also be
referenced, especially the following:

AD-11  University Policy on Confidentiality of Student Records
AD-12  Use of University Equipment, Supplies and Services
AD-23  Use of Institutional Data
AD-35  University Archives and Records Management
AD-60  Access to Personnel Files
ADG-1  Glossary of Computerized Data and System Terminology
ADG-2  Operational Computer Facility Internal Security Guideline

Sincerely

MarPi                        Martin Pilc
                             marpi at psu.edu




