Policies For Responsible Computing at Walla Walla University

Implemented: March 2, 2000

1 - Introduction

Scope, Audience, and Authority

This document describes policies for use of university computer systems by faculty, staff, and students. The creation of these policies involved broad input from the computer users of Walla Walla University. The policies have been adopted by these campus groups: Information Technology, the Computer Users’ Committee, the Student Senate, the Faculty Senate, and the President's Cabinet.

Readers are also referred to several other documents concerning policies and procedures for campus computer resources -- including the Computer Center System Backup Policy, the Computer Center Basic Services Guide, the section in the Governance Handbook regarding the Computer Users’ Committee, the section on Software in the University Copyright Policy, the Computer Primer, the Academic Computing Handbook, and the Internet Primer.

Philosophy

Walla Walla University maintains computers, computer software, computerized data, computer networks, and connections to external networks, collectively referred to as computer facilities, for the purpose of fostering the instruction, research, and the administrative functions of the university.

Computing facilities are provided for use by WWU students, faculty, and staff in support of the activities of the university. All students, faculty and staff are responsible for seeing that these computing facilities are used in an effective, efficient, ethical, and lawful manner.

These policies establish rights, responsibilities, and restrictions regarding the access and use of university-owned computer facilities. These policies apply to centrally administered computer systems, departmental computer systems, and university-owned personal computers. They include all means of accessing these, as well as all computerized institutional data regardless of the office in which it resides or the format in which it is used.

All computer users have two basic rights -- a reasonable expectation of privacy and a fair share of the resources. Consequently, computer users have the responsibility to help ensure that others also experience those rights. The following policies are intended to ensure these rights.

2 - General Policies

2.1 Ownership of Resources

Computer facilities and data owned by the university are to be used solely for university-related activities. All access to centralized computer systems shall be approved through the Computer Center. Access to departmental computer systems shall be approved by the department chairman or authorized representative.

Computerized Institutional Data

All computerized institutional data is considered to be an asset of the university and shall be protected from loss, corruption, misuse, and inappropriate disclosure. Certain computerized institutional data, by law or by university policy, is confidential and may not be released without permission. Users of university computer resources are responsible for the privacy and protection of data over which they have control.

2.2 Authorized Users

Computer facilities are provided to support the instructional, research, and administrative functions of the university. Students, staff members, and faculty members (including emeritus faculty and members of the Board of Trustees) are permitted, upon proper validation, to use the academic portion of these facilities without charge. The facilities available will be determined by the intended use of the facilities and the resources available at the time. Because of limited resources the university does not provide computer facilities for use by relatives or friends who do not otherwise qualify as users.

2.3 General Policies

Policy:

Computer users may log in only to their own computer accounts

Rationale:

System managers are more able to make systems run smoothly when they know who is using the system. Users are less likely to interfere with each other if they each have their own account. Unauthorized users can then be identified more readily. On systems that charge for computer resources, one user may be paying for the computer usage of another. Some systems limit the number of simultaneous users of a single account. Private information is available to the legitimate owner of an account.

Exceptions:

>Some systems have generic accounts (e.g., guest) that almost anyone is authorized to use.

Policy:

Computer users must ensure that their work does not interfere with others

Rationale:

Students, faculty, and staff depend on reliable and efficient computer systems to do work and schoolwork. Disrupting computer systems causes lost productivity and frustration.

Exceptions:

Nearly everyone, from time to time, unknowingly does something on the computer that has an adverse effect on the network, the hard drive space, or some other shared resource. This is usually quite innocent and unintentional. Users are responsible for educating themselves regarding their computer work, so as to have a minimum of impact on other users. The Computer Center will help with that educational process by making users aware of resource-consuming activities when they are discovered.

Examples:

Exceeding assigned disk quotas

Attaching incompatible equipment to the campus network

Releasing a virus program

Sending harassing messages

Policy: 

Computer users may not examine, copy, modify, or delete files belonging to other users without their consent.

Rationale:

Computer users have a reasonable expectation of privacy for their data stored on campus computer systems. Most systems have security protections in place to make it difficult for users to look where they have no permission to look. This policy applies to System Managers as well as regular computer users.

Examples:

Attempting to discover other users' or system passwords.

Attempting to read or modify other users’ files without their permission.

Attempting to circumvent data protection schemes or uncover security loopholes.

Attempting to read or modify another’s E-mail.

Attempting to modify system software or configuration files.

Users who encounter or observe a gap in system security should report it to the Computer Center.

Exceptions:

It is generally considered acceptable for work supervisors to access the work related files in the accounts of their employees when necessary. This is one reason why student employees are encouraged to keep their work files separate from their personal files. Of course, guidelines for these practices will vary between departments.

Policy:

Computer users must not waste computer resources

Rationale:

Wasting computer resources that could be used by others hurts everyone. Good computer citizens will not use more than their fair share of the computer resources.

Examples:

Generating unnecessary printer output.

Using unwarranted or excessive amounts of disk storage.

Creating unnecessary processes on multi-user systems.

Propagating electronic chain letters.

Sending frivolous E-mail to large groups.

Creating or posting inappropriate messages to news or list groups.

Posting messages to multitudinous news groups, creating unnecessary network traffic.

Policy:

Computer users must not use WWU computer facilities to gain unauthorized access to remote networks or systems or violate the use policies of any remote system.

Rationale:

System managers on the Internet depend on each others cooperation to enforce policies and keep general order. If a Walla Walla University computer user were to use our facilities to disrupt the operation of remote systems, the only recourse for the remote system manager might be to terminate all access from WWU computers. This could cause the disruption of many Internet facilities upon which our users depend. In addition, if government systems were involved, the user might be in violation of United States and/or Washington State Law (refer to the Washington State Criminal Code).

2.4 Use and Storage of Potentially Dangerous Programs

The introduction of worm or virus programs into the computer systems can be particularly disruptive. Because of this, the existence of such software as well as other software intended to break security is regulated.

Possession of computer software used to discover passwords or otherwise scan for security loopholes may be allowed for legitimate academic purposes, but must be registered with and approved by the Computer Center before it is stored on a university-owned computer system or system connected to a campus network. To protect the integrity of the network, unregistered copies of such software discovered on campus systems will be promptly removed.

2.5 Privacy Issues

Security

The University makes every reasonable effort to ensure the integrity of its various systems. All computer systems available to users offer some form of data protection which can be modified by an authorized user as needed. However, due to a number of technical, legal, and economic reasons, no system will offer absolute security. Thus, users should never place highly sensitive or confidential information on any computer, especially a networked one, without understanding the risks involved. Steps can be taken by users to improve the security of their data through publicly available cryptographic technologies. Users are encouraged to use these techniques when appropriate.

Privacy and Confidentiality of User Data

The following policies are intended to create a balance between users' rights to privacy and the right to a smoothly-functioning computer system, free of disruption. 

Programs and files stored in users' private directories are considered private unless their owners have explicitly made them available. However, in the case of system problems, violation of federal, state, or local law, or violation of university policy, system managers (as authorized below) may examine user files and system logs in order to gather sufficient information to diagnose and correct system problems or to investigate potential violation of law or university policy. Any examination of this sort must be reported promptly to the Director of Computing.

Personal user files -- whether stored on disk or backup tape -- are considered private and will not be scanned or read by computer center staff except as specifically authorized below. If system managers discover private information as an incidental result of performing their duties, they are obligated to keep this information confidential. However, such information, if evidence of legal or policy violations, may be used in legal or disciplinary proceedings.

System Operation

System managers are authorized to examine user files or processes only as far as necessary to ensure reliable and secure system operation. If reliable system operation is in jeopardy, system operators are also authorized to kill or suspend user processes, move user files to alternate storage media or delete files that can be easily recovered (for instance, from off the Internet). The users affected will be promptly notified of the actions taken and the reasons why. System Managers will make every reasonable attempt to assist users in recovering work files that were destroyed in the process of attempting to keep the system running properly.

Violation of Law

System managers are authorized to take action as required by federal, state, or local law or court order. System managers are authorized to investigate alleged violations of federal or state law and to take action as required to comply with the law.

Violation of University Policy

System managers are authorized to examine user files to collect evidence of specific university policy violations only when authorized by the president or an appropriate vice president, provided that reasonable cause exists for such a search. Reasonable efforts must be made to conduct searches in a manner that protects individual privacy.

Note that not all data created by users is considered personal. In particular, logs of user activity created automatically by system programs (such as login) are not considered personal or private.

Some systems run programs which periodically scan disk volumes looking for problem files such as viruses and large graphical images. The system program will report these potential problems to the System Manager. Private disk volumes not mounted on the network are never scanned.

Being Logged In is Considered Public Information

Most systems have publicly available software that can be used to list the user names of currently logged-in users, and on some systems the last command executed by each user. On some systems, this information is available even from off-campus computers. In short, being logged into a system is considered public information.

Disclaimer for Loss of Data

The University disclaims liability for the loss of data or interference with files resulting from its efforts to maintain the operation, privacy, and security of the computer facilities. For additional information regarding procedures in place to protect system and user data, refer to Information Services Backup Policy.

2.6 Copyright Policies

Illegally copying or storing of copyrighted images, music, or other materials on university computer facilities is expressly prohibited by copyright statute and by the university computer policy. The university reserves the right to search files when it suspects copyright violation, to remove illegally copied material, and in appropriate circumstances to terminate the accounts of users who are repeat offenders. The university will not interfere with standard technical measures used by copyright owners to identify protected copyrighted works.

Many copyrighted programs are made available on campus systems under license agreements with the publishers. These license agreements generally do not allow campus computer users to make copies of these programs. Unless otherwise specified, users are not allowed to make personal copies of software stored on central systems. For additional information refer to the WWU Copyright Policy  p. 101.

2.7 Non-Commercial Use Policy

University computer accounts are to be used for the university-related activities for which they are assigned. University computing resources are not to be used for commercial activities without written authorization from the university administration. In these cases, the university will require payment of appropriate fees.

2.8 Electronic Mail Policies

Electronic mail, once received, belongs to the recipient. A user's mailbox is treated in the same manner as any other file belonging to that user and is subject to the same privacy protections as regular files. (See Section 2.5)

The university will not attempt to regulate the content of electronic mail except for cases involving violations of law or other university policies. The university accepts no liability for the content of users’ electronic mail. The university has policies against racism, sexism, and sexual harassment; if necessary, individuals may direct their concerns to the appropriate administrator.

E-mail in departmental accounts (such as alumni@orkexpo.net) has no expectation of privacy and may be accessed by supervisors or other department employees.

The university does not guarantee the delivery of e-mail, nor can confidentiality be guaranteed during transmission.

All authorized computer users (as defined in Section 2.2) may have campus e-mail accounts. In addition, e-mail accounts may be opened for prospective students.

Accounts may be terminated on the following conditions:

 

  • Repeated or flagrant violation of e-mail policy
  • Termination of employment at WWU
  • Graduation or termination of enrollment at WWU
  • Non-enrolled students planning to return to WWU may request that e-mail accounts remain open until their return.

E-mail sent to terminated accounts will be forwarded for a period of 6 months from the date of termination when a forwarding address is provided to the Information Services department. WWU assumes no responsibility for guaranteeing the delivery of e-mail forwarded from terminated accounts.

E-mail is not archived. Short-term backups are performed to ensure system function, but e-mail backups are kept no longer than 48 hours. Requests to retrieve e-mail messages cannot be honored.

 

3 - Policies Specific to Computer Labs

Several clusters of public-access computers are available on campus and are commonly referred to as computer labs. While primarily intended for students to use for course work, faculty and staff are also welcome to use the facilities on an equal basis with students.

Faculty May Reserve the Computer Labs

Faculty wishing to reserve a computer lab for a class or seminar must contact the office of the Director of Academic Computing at least one week before the event. Such requests are generally granted on a first-come first-served basis. Generally the labs should not be reserved during evening hours nor all at the same time.

Unattended Workstations

Any workstation left unattended for more than fifteen minutes may be appropriated by another user.

Computer Games

Playing recreational games in a computer lab is prohibited. Any exceptions to this policy must be approved in writing by the Computer Users’ Committee.

Other Non-Academic Computer Use

Computer lab facilities are intended for educational and research purposes, and these have higher priority than other types of use (for example, composing personal electronic messages or reading electronic news). A user engaging in non-academic activities while other users are waiting to use a terminal, is expected to yield the terminal. As a matter of courtesy, users should give up the terminal voluntarily without having to be asked.

Experimenting with graphics (non-course work), reading news, and writing personal correspondence are considered to have educational value; however, they should not be performed during peak lab hours.

Manuals

Manuals for most common software are available in the labs. Under no circumstances should users remove these manuals or other computer supplies without authorization.

4 - Penalties and Due Process

Available Penalties

Depending on the nature and severity of the policy violation, the University may take one or more of the following disciplinary actions:

 

  • Send a verbal, written, or electronic mail warning
  • Allow only restricted computer privileges
  • Temporarily suspend the computer account (typically 1 to 10 weeks)
  • Revoke all computer privileges

Warnings and temporary suspension of accounts may be issued by the appropriate System Manager. Restricting or revoking computer privileges for more than three days requires the approval of the Director of Computing. Termination of computer privileges permanently or indefinitely requires action by the university administration.

Supervisors have authority over their workers' accounts -- to activate or terminate as necessary. Supervisors on administrative systems also determine what specific data access rights their workers are granted. When someone ceases to be an employee of the University, the supervisor or department head should promptly notify the Computer Center so that the account can be disabled.

In cases where the integrity or functionality of the network or a multi-user system is in jeopardy, the system administrator is authorized to take immediate steps to prevent further damage -- up to and including disabling user accounts and disconnecting a user's workstation from the campus network. In the event that the user's account is being used by someone other than the true owner, this policy may prevent damage to the legitimate owner's data. The system administrator will promptly notify the account owner of the action taken.

When an account cannot be accessed, the user should immediately contact Computer Support for an explanation of the situation. Quite often, temporary revocation is the result of a minor or unintentional violation of the policies; it is customary to restore the account after the staff has discussed the situation with the user.

Procedures for Students

Students who are for any reason dissatisfied by the application of this policy have a right to appeal under the procedures specified in the Student Handbook. For severe infractions the matter will be remanded to the Vice President for Student Life for disciplinary procedures under the Student Handbook.

If the Vice President for Student Life initiates disciplinary action, the Computer Center may be able to provide computing access on a restricted basis during disciplinary proceedings. This restricted access will depend upon the severity of the infraction and the technical feasibility of providing such access. The level of access will be determined by the university administration.

If the Vice President for Student Life chooses not to bring disciplinary action, or if the judicial proceedings are resolved in the defendant's favor, computer access will be restored immediately.

Procedures for Employees

Employees who are for any reason dissatisfied by the application of this policy have a right to appeal under the procedures specified in the Governance Handbook. For severe infractions, the matter will be remanded to the vice president of the department. The vice president in consultation with the Director of Computing will decide what temporary computer access is appropriate during the disciplinary proceedings.

Statutory Provisions

The Washington State Criminal Code defines Computer Trespass in the first degree as a class C felony, punishable by fines of up to $10,000 and imprisonment for up to 5 years. Title 18 of the United States Code as amended in 1994 also includes fines and imprisonment for “Computer Abuse.” Copies of the relevant sections of the code are available in the Appendix K.2  p. 114.

5 - Acknowledgments

Parts of this document were adapted and ideas taken from the computer policies of the following institutions:

Columbia University; California State University, Fresno; University of Hawaii, Manoa; Iowa State University; University of Kentucky; Louisiana Tech University; Princeton University; Rice University, University of Delaware.

6 - Approvals:

President’s Cabinet: October 20,1999

Computer Users’ Committee: October 21, 1999

Lawyer Review: January 17, 2000

Computer Users’ Committee: January 20, 2000

Faculty Senate (Conditionally): March 2, 2000

 

Document Identification

File name:...\policies\cccpol7.wpd

First Draft: July 22, 1993

Revised: May 12, 1994

Revised: November, 1994

Revised: March 30, 1995

Printed: September 8, 2003 11:27 am

Appendix K.1  E-mail Etiquette Guidelines

E-mail Etiquette Guidelines

 

  • Do review messages before you send them out to make sure they say what you mean to say. Be careful with sarcasm and humor that could be misunderstood.
  • Do assume that anyone could read your e-mail. Treat e-mail the same as a postcard. If you don’t want to read it in the newspaper, don’t write it. Legal precedent has established that courts and employers have legal rights to access stored electronic communication.
  • Do remember that deleting an e-mail message does not necessarily mean that the message is gone. For example, copies may still exist in your e-mail trash can or in other users’ files.
  • Do keep messages short and to the point.
  • Do be sure the subject line reflects the subject of your message.
  • Do include your name at the end of the message.
  • Do check your e-mail regularly. Delete unwanted messages immediately. Keep messages remaining in your mailbox to a minimum. Files you wish to keep should be stored on your personal computer’s hard drive or on diskette.
  • Don’t send or reply to e-mail messages when you are angry. Avoid SHOUTING by capitalizing a word; it’s considered rude.
  • Don’t reply to “all recipients” unless they all need to see your reply.
  • Don’t send personal e-mail messages to the entire campus; this is “spam” and wastes campus resources and time.
  • Don’t send harassing or excessive e-mail to another e-mail user; don’t send e-mail to a user who has specifically requested you to stop sending it.
  • Don’t send chain letters or messages recruiting participants in make-money-fast schemes; doing so not only violates campus policy, but may also violate federal law.
  • Don’t copy an entire large message in your response just to add a line or two of comment.
  • Don’t forward an e-mail not intended for further dissemination without permission from the originator.
  • Don’t attach documents to your e-mail whenever possible. Every mail browser can read text in the main body of the message, but some browsers may not access attachments as well. If you are uncertain what type of browser the recipient uses, send them an e-mail ahead of time.

 

Appendix K.2  Revised Code of Washington Computer Statutes

Revised Code of Washington

Computer Statutes

 9A.52.110 Computer trespass in the first degree.

(1) A person is guilty of computer trespass in the first degree if the person, without authorization, intentionally gains access to a computer system or electronic data base of another; and

(a) The access is made with the intent to commit another crime; or

(b) The violation involves a computer or data base maintained by a government agency.

(2)  Computer trespass in the first degree is a class C felony. [1984 c 273 § 1.]

A class C felony is punishable by fines of up to $10,000 and imprisonment for up to 5 years.

 9A.52.120 Computer trespass in the second degree.

(1) A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic data base of another under circumstances not constituting the offense in the first degree.

(2) Computer trespass in the second degree is a gross misdemeanor. [1984 c 273 § 2.]

A gross misdemeanor is punishable by fines of up to $5,000 and imprisonment for up to one year.

Summary of The Computer Fraud and Abuse Statute

Title 18 of the United States Criminal Code

18 USC Chapter 47 Sec 1030 Fraud and related activity in connection with computers.

As amended by the 1994 Omnibus Crime Bill

Whoever knowingly and without authorization causes loss or damage to a computer, network, information, data, or program used in interstate commerce or communications (including loss of use of the system by the rightful users), of value aggregating $1,000 or more during any 1-year period shall be punished by fines and imprisonment of not more than five years (ten years for repeat offenders).