Modified Tue Oct 18 2022 16:09:37 GMT-0400 (Eastern Daylight Time)
University of Louisville
User Accounts and Acceptable Use
July 23, 2007
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
REASON FOR POLICY
University user accounts and computing facilities are provided for persons who legitimately need access to university computing resources. This includes university faculty, staff and students. Other persons may qualify for a user account and access to computing facilities on a case by case basis. Accounts and facilities must be utilized in accordance with law and University policy.
Persons using university resources (users) are responsible for lawful and appropriate use of computing facilities, accounts, and devices. All users must abide by the University's Information Security Policies and Standards. University business must be conducted utilizing university-authorized systems.
Computing resources are for all users. Users must respect the usage rights of others that use UofL resources.
Computing accounts and facilities must not be used in any manner which could be disruptive, degrade the performance of or cause damage to university computing infrastructure, resources, or data and/or other users. Personal use should be kept to a minimum and in no case should a university account be used for non-university business purposes.
Confidentiality of Data
- Sensitive Information must not be accessed, copied, or disseminated except to the extent necessary to fulfill assigned responsibilities, and then only to the extent that the individual is authorized.
- The confidentiality, security and integrity of the university data and computing infrastructure must be maintained at all times by university personnel. This obligation continues beyond the termination of the individual's relationship with the university.
- Adherence to all federal copyright laws, regulations and university policy on intellectual property is required. This includes but is not limited to laws, regulations and policy on text, graphics, art, photographs, music, software, movies, and games.
- Users must respect the property rights and associated restrictions of others and refrain from actions or access which would violate the terms of licensing and nondisclosure agreements.
- See the Intellectual Property policy and standards for more information.
Safeguarding and Misuse of Computing Accounts or Computing Infrastructure
- Users are required to safeguard access codes and passwords against unauthorized use and to notify Information Technology Services of suspected unauthorized use.
- Unauthorized use of the accounts and knowingly allowing use of the accounts for unauthorized purposes is not permitted.
- Misuse of university computing accounts or computing infrastructure is not tolerated. Generally, behavior considered unacceptable if done without a computer is also unacceptable if done using a computer. Examples of misuse include, but should not be construed as being limited to: harassment, unauthorized hacking of computing systems, denial of service attacks, spoofing of identity, chain letter distribution, solicitation of non-university business and obscene language.
Expectation of Privacy and Disclosure
- Privacy of computing activities while using university resources is neither guaranteed nor should it be expected:
- User access, security, audit and other logs are maintained to facilitate compliance with laws and regulations as well as to facilitate activity reviews when necessary.
- Access may be given to persons outside of the university community on a case-by-case basis or under certain conditions when warranted. Disclosure of this information may not be given to the individual(s) involved.
- The University of Louisville does not guarantee the confidentiality or privacy of electronic data or voice mail messages. This should be kept in mind when using these services.
- Third party vendors are involved with both internet and voice mail data. All users of electronic data and voice mail should familiarize themselves with policies set forth by these vendors.
Electronic mail and messages:
- University email accounts are to be used by faculty, staff and administrators in the performance of their job duties and by students to aid them in their education.
- Faculty, staff, administrators and students should regularly check their university email accounts for correspondence.
- The University of Louisville does not allow anyone to send email to large numbers of employees and/or students in the University without prior approval. To send a mass email (greater than 100 recipients), your message must be approved by the Department of Communications and Marketing (see Information Technology Services' mass email guidelines).
- Employees should not use email in a manner that degrades or interferes with job performance or duties.
- Sensitive information requires special precautions when emailing. If sensitive information is being emailed outside the university network, it must be sent using the university's secure email system. Emails containing sensitive information must not be automatically forwarded.
- Mail forwarded from a user's account to any other account or email address is the responsibility of the user.
- Complaints regarding misuse or misconduct will be investigated. Note: The intent of the communication along with the perspective of the recipient is considered during investigations.
- Electronic mail use is monitored for resource consumption and storage management.
- "Email for life" users and other email users must not use their UofL email address to misrepresent their affiliation with the university.
- Requests for user accounts must be submitted in writing and approved by authorized personnel.
- Access to additional required resources not provided upon account creation can be requested by completing the appropriate ITS account request form.
- Access to a university business application or data may be denied if the appropriately completed authorization does not accompany the request.
- Access to information is granted based on owner authorization, position requirements, job duties and the principle of least privilege and need-to-know.
- Account creation and granting of access privileges can only be done by explicitly authorized personnel.
- Accounts should conform to the university's standard naming convention, be unique to each user and not reused for a period of 12 months.
- All account holders must agree to comply with the User Account and other university information security policies and procedures.
- Upon termination or reassignment, management must notify appropriate parties such as HR, Facilities, and ITS to ensure that all access to information or to restricted areas is revoked or removed including the deactivation or changing of known passwords or passcodes.
- Accounts that are dormant or inactive should be disabled after no more than 180 days. Disabled accounts are deleted after 30 days of inactivity.
Student Account Requests
- Students must be registered for classes to request and retain a computer user account.
- Student user accounts will automatically be renewed each Fall and Spring semester, if registration is continuous (students registered in the Spring will be able to retain their account over the Summer semester).
- After 2 years of non-registration, the student's user account will be placed on hold for a period of nine months. After 9 months, the account will be deleted.
- Student email accounts will remain open during enrollment and thereafter for 2 years beginning the first semester not enrolled.
- Upon graduation, students may request an email for life account which will remain open.
Employee Account Requests
- Accounts will be closed immediately upon termination of employment and all contents from the account deleted after one month.
- Retirees may request to keep their email accounts after retirement. Decisions on whether an account can be retained are based on the sensitivity of the retiree's previous role and access to information. If the account has not been accessed in 6 months the account will be closed and the mail will be deleted in 30 days.
Sponsored Account Requests
- Sponsored accounts may be granted to individuals external to the University of Louisville under the following conditions:
- A specific relationship exists with a university unit or individual in support of a university mission, function, project, or business.
- A university unit or individual is willing to sponsor (be responsible for) the individual's computer account.
- Sponsored accounts will be reviewed annually as a group to determine whether renewal is necessary.
- Sponsored accounts can only be requested by full-time faculty, staff, or administrators.
- Sponsored accounts must be restricted to have access to only the information and facilities required for the specified purpose and as authorized by the appropriate university designee.
Service Account Requests
- Service accounts are granted to University of Louisville units and departments under the following conditions:
- The purpose is directly related to university mission, function, project or business;
- A need exists to share access to an account;
- A need exists to centrally manage and store electronic communications or data;
- All individuals who will use the service account must have their own individual computer account.
- Service account requests must be approved and accounts inventoried with documented owner, authorized personnel and business reason.
- Service accounts that are shared must be assigned to a single owner who is responsible for requesting changes, managing entitlement, disclosing and changing the password.
- A service account is the only exception to the computer account naming standard. A service account can have any descriptive name, indicating its purpose, within eight characters. For example, the Security and Account Management (SAM) team in Information Technology Services has a service account available for the university community to send questions, comments and problems called askSAMIT@louisville.edu.
Privileged Account Requests
Privileged accounts are granted to individuals, systems, applications, etc. under the following conditions:
- The purpose is directly related and restricted to university specific information assets, processes, and systems.
- All individuals who will use a privileged account must also have their own individual computer account.
- May be granted to authorized development personnel for production emergency situations.
- Privileged account requests must be approved and accounts inventoried with documented owner, authorized personnel, and business reason.
- Privileged accounts must be restricted on a least-privilege basis to those individuals and/or services that are required per business need.
Termination of an Account
Termination of computer accounts will occur under the following circumstances:
- The account holder does not agree to the Computer Account Usage Agreement.
- The account holder requests the computer account be closed.
- The account holder is no longer affiliated with the university.
- The account holder misuses computing facilities or resources.
- The department or sponsor requests that the computer account be closed.
Once a computer account has been closed, access to the account or the data contained within it may be granted to University of Louisville individuals to facilitate the transfer of responsibilities or the retrieval of data.
Individuals with administrative responsibility University wide or for University organizational units. See the University Redbook (http://louisville.edu/provost/redbook/chap2.html#SEC2.3.1) for more information.
- Individuals employed by the University as faculty or other employees who teach courses or are engaged in academic research activities for the University.
- Visiting faculty who are conducting academic research or teaching courses on a time-limited basis from another institution for the University.
- An individual, who is teaching courses or conducting academic research activities for the University without salary and is under the control/supervision of the University. See also the University Redbook at http://louisville.edu/provost/redbook/chap3.html.
Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, grant reviews, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. (see Information Management and Classification Standard).
The staff of the University of Louisville shall consist of all employees of the University who do not hold faculty appointments, are not full-time students enrolled in the University, are not graduate assistants at the University, or are not administrators as defined in Section 2.3.1 of the University Redbook (see http://louisville.edu/provost/redbook/contents.html/chap5.html).
- An individual taking a course at the University, whether for credit or non-credit, who is enrolled for the course.
- An individual who was enrolled at the University for a specific term (e.g., fall, spring, summer semester), who has not graduated, and who is not yet enrolled for the immediately subsequent term, provided such enrollment is still permitted, and provided further, that where the individual was enrolled at the University for the spring term, the immediate subsequent term shall be the University's succeeding fall term (e.g., (1) a student enrolled in the spring term, who does not graduate at the end of the spring term, may not enroll for the summer term, but will still be a student unless the individual fails to enroll for the succeeding Fall semester, and (2) a student who has completed all other degree requirements but is completing a dissertation/thesis).
- An individual who is admitted to the University or an academic program of the University but has not yet commenced the program of study. An admitted student will be included in the definition of student for a period of one-year following the date of admission to the University or an academic program of the University. See the University Redbook at http://louisville.edu/provost/redbook/chap6.html for more information.
Includes students, faculty, staff, administrators and other employees of the University of Louisville and its affiliated entities and any other individual having a computer account, email address or utilizing the computer, network or other information technology services of the University of Louisville.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology Services, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
Vice President for Risk, Audit, and Compliance
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Information Security Compliance Office
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
1.0 / July 23, 2007 / Original Publication
1.1 / May 5, 2008 / Revised URL for account usage agreement link
1.2 / June 9, 2010 / Revised to include user account usage agreement and mass email language
1.3 / February 10, 2012 / Revised secure email language for sensitive information
1.4 / January 29, 2013 / Content Update
1.5 / January 28, 2014 / Revised employee accounts - retiree accounts limited and 'grandfathered'
1.6 / May 1, 2014 / Revised student accounts - email account addition, user account clarification
1.7 / September 26, 2014 / Revised policy regarding retiree account closures
2.0 / March 8, 2016 / Reviewed/updated content and update to template format
2.1 / April 5, 2022 / Removed reference to obsolete computer agreement and replaced with reference to information security policies and procedures. Updated retiree options to request email account
2.1 / June 23, 2022 / Minor edit
Reviewed Date(s): March 8, 2016; June 12, 2017; April 5, 2022; June 23, 2022
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.