ISO PS007 User Accounts and Acceptable Use
Policy Name: User Accounts and Acceptable Use
Policy Number: IS PS007
Effective Date: July 23, 2007
Review Date: January 29, 2013
Last Revision Date: January 29, 2013
Last Revision By: Kim Adams
Contact Name: Matthew H. Witten
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
University computer user accounts and computing facilities are provided for persons who legitimately need access to university computing resources. This includes university faculty, staff and students. Other persons may qualify for a computer user account and access to computing facilities on a case by case basis.
Persons using university resources (users) are responsible for lawful and appropriate use of computing facilities and devices.
All users must abide by the University's Information Security Policies and Standards.
Computing resources are for all users. Users must respect the usage rights of others that use UofL resources.
Computing accounts and facilities must not be used in any manner which could be disruptive, degrade the performance of or cause damage to university computing infrastructure, resources or data and/or other users. Personal use should be kept to a minimum and in no case should a university account be used for non-university business purposes.
Confidentiality of Data
- Sensitive Information must not be accessed, copied or disseminated except to the extent necessary to fulfill assigned responsibilities, and then only to the extent that the individual is authorized.
- The confidentiality, security and integrity of the university data and computing infrastructure must be maintained at all times by university personnel. This obligation continues beyond the termination of the individual's relationship with the university.
- Adherence to all federal copyright laws, regulations and university policy on intellectual policy is required. This includes but is not limited to laws, regulations and policy on text, graphics, art, photographs, music, software, movies and games.
- Users must respect the property rights and associated restrictions of others and refrain from actions or access which would violate the terms of licensing and nondisclosure agreements.
- See the Intellectual Property policy and standards for more information.
Safeguarding and Misuse of Computing Accounts or Computing Infrastructure
- Safeguarding of access codes and passwords to protect against unauthorized use and notification of Information Technology of suspected unauthorized use is required.
- Unauthorized use of the accounts and knowingly allowing use of the accounts for unauthorized purposes is not permitted.
- Misuse of university computing accounts or computing infrastructure is not tolerated. Generally, behavior considered unacceptable if done without a computer is also unacceptable if done using a computer. Examples of misuse include, but should not be construed as being limited to: harassment, unauthorized hacking of computing systems, denial of service attacks, spoofing of identity, chain letter distribution, solicitation of non-university business and obscene language.
Expectation of Privacy and Disclosure
Privacy of computing activities while using university resources is neither
guaranteed nor should it be expected:
- User access, security, audit and other logs are maintained to facilitate compliance with laws and regulations as well as to facilitate activity reviews when necessary.
- Access may be given to persons outside of the university community on a case-by-case basis or under certain conditions when warranted. Disclosure of this information may not be given to the individual(s) involved.
- The University of Louisville does not guarantee the confidentiality or privacy of electronic data or voice mail messages. This should be kept in mind when using these services.
- Third party vendors are involved with both internet and voice mail data. All users of electronic data and voice mail should familiarize themselves with policies set forth by these vendors.
Electronic mail and messages:
- University email accounts are to be used by faculty, staff and administrators in the performance of their job duties and by students to aid them in their education.
- Faculty, staff, administrators and students should regularly check their university email accounts for correspondence.
- The University of Louisville does not allow anyone to send email to large numbers of employees and/or students in the University without prior approval. To send a mass email (greater than 100 recipients), your message must be approved by the Department of Communications and Marketing (see Information Technology's mass email guidelines).
- Employees should not use email in a manner that degrades or interferes with job performance or duties.
- Sensitive information requires special precautions when emailing. If sensitive information is being emailed outside the university network, it must be sent using the university's secure email system. Emails containing sensitive information must not be automatically forwarded.
- Mail forwarded from a user's account to any other account or email address is the responsibility of the user.
- Complaints regarding misuse or misconduct will be investigated. Note: The intent of the communication along with the perspective of the recipient is considered during investigations.
- Electronic mail use is monitored for resource consumption and storage management.
- "Email for life" users and other email users must not use their UofL email address to misrepresent their affiliation with the university.
- Requests for user accounts must be submitted in writing and approved by authorized personnel.
- Access to additional required resources not provided upon account creation can be requested by completing the appropriate form (see http://louisville.edu/it/departments/enterprise-security/manage-accounts/request-accounts).
Access to a university business application or data may be denied if the
appropriately completed authorization does not accompany the request.
- Access to information is granted based on owner authorization, position requirements, job duties and the principle of least privilege and need-to-know.
- Account creation and granting of access privileges can only be done by explicitly authorized personnel.
- Accounts should conform to the university's standard naming convention, be unique to each user and not reused for a period of 12 months.
All account holders must agree to comply with the
computer account usage agreement. (See https://louisville.edu/it/policies/computer-account-usage-agreement)
- Upon termination or reassignment, management must notify appropriate parties such as HR, Facilities and IT to ensure that all access to information or to restricted areas is revoked or removed including the deactivation or changing of known passwords or passcodes.
- Accounts that are dormant or inactive should be disabled after no more than 180 days. Disabled accounts are deleted after 30 days of inactivity.
Student Account Requests
- Students must be registered for classes to request and retain the computer account.
- Student accounts will automatically be renewed each Fall and Spring semester, if registration is continuous (students registered in the Spring will be able to retain their account over the Summer semester).
- When no longer registered, the student's account will be put on hold for a period of nine months. If the account has not been reactivated by the end of this period, the account will be deleted.
Employee Account Requests
- Accounts will be closed immediately upon termination of employment and all contents from the account deleted after one month.
- A limited number of Retirees were 'grandfathered' and allowed to retained their email accounts, however if at any time no activity has occurred for one month the account will be closed, and its contents deleted one month later.
Sponsored Account Requests
Sponsored accounts may be granted to individuals external to the University
of Louisville under the following conditions:
- A specific relationship exists with a university unit or individual in support of a university mission, function, project or business.
- A university unit or individual is willing to sponsor the individual's computer account.
- Sponsored accounts will be reviewed annually as a group to determine whether renewal is necessary.
- Sponsored accounts can only be requested by full-time faculty, staff or administrators.
- Sponsored accounts must be restricted to have access to only the information and facilities required for the specified purpose and as authorized by the appropriate university designee.
Service Account Requests
Service accounts are granted to University of Louisville units and departments
under the following conditions:
- The purpose is directly related to university mission, function, project or business;
- A need exists to share access to an account;
- A need exists to centrally manage and store electronic communications or data;
- All individuals who will use the service account must have their own individual computer account.
- Service account requests must be approved and accounts inventoried with documented owner, authorized personnel and business reason.
- Service accounts that are shared must be assigned to a single owner who is responsible for requesting changes, managing entitlement, disclosing and changing the password.
- A service account is the only exception to the computer account naming standard. A service account can have any descriptive name, indicating its purpose, within eight characters. For example, the Security and Account Management (SAM) team in Information Technology has a service account available for the university community to send questions, comments and problems called askSAMIT@louisville.edu.
Privileged Account Requests
Privileged accounts are granted to individuals, systems, applications, etc. under the following conditions:
- The purpose is directly related and restricted to university specific information assets, processes and systems
- All individuals who will use a privileged account must also have their own individual computer account
- May be granted to authorized development personnel for production emergency situations
- Privileged account requests must be approved and accounts inventoried with documented owner, authorized personnel and business reason.
- Privileged accounts must be restricted on a least privileged basis to those individuals and/or services that are required per business need.
Termination of an Account
Termination of computer accounts will occur under the following circumstances:
- The account holder does not agree to the Computer Account Usage Agreement.
- The account holder requests the computer account be closed.
- The account holder is no longer affiliated with the university.
- The account holder misuses computing facilities or resources.
- The department or sponsor requests that the computer account be closed.
Once a computer account has been closed, access to the account or the data contained with in it may be granted to University of Louisville individuals to facilitate the transfer of responsibilities or the retrieval of data.
SCOPE / APPLICABILITY:
All persons while conducting/performing work, teaching, research or study activity or otherwise using university resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the university or affiliates.
POLICY AUTHORITY / ENFORCEMENT:
The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with university leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
This policy will be reviewed annually to determine if the policy addresses university risk exposure and is in compliance with the applicable security regulations and university direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the policy management process.
Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
Version / Revision / Date Description
1.0 / July 23, 2007 / Original Publication
1.1 / May 5, 2008 / Revised url for account usage agreement link
1.2 / June 9, 2010 / Revised to include user account usage agreement and mass email language
1.3 / February 10, 2012 / Revised secure email language for sensitive information
1.4 / January 29, 2013 / Content Update
1.5/January 28, 2014/ Revised employee accounts - retiree accounts limited and 'grandfathered'
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council