Procedures in Support of Fairfield University's Computer Systems Acceptable Use Policy
These procedures have been designated to complement rather than supercede existing University procedures, guidelines, and policies relating to computer use by faculty, staff and students. For this reason, final authority for the resolution of complaints, including any penalties rests with the appropriate chief administrator.
For the purposes of this policy, "appropriate chief administrator" shall be defined as the senior administrator who has jurisdiction over the alleged offender of the Fairfield University Computer Systems Acceptable Use Policy (hereafter cited as the "Acceptable Use Policy"). The "appropriate Chief administrator" for faculty is the Academic Vice President. The "appropriate chief administrator" for students will either be the Academic Vice President if the offense is related to academics, or the Vice President for Student Affairs in non-academic affairs. In circumstances where the jurisdictional lines are not clearly demarcated, authority will rest with both Vice Presidents, disputes being resolved by the President. In the case of non-faculty staff, the Associate Vice President of Human Resources is the chief administrator.
These procedures were designed to balance seven interests:
- respecting the rights and responsibilities of academic freedom as defined in applicable policies forfaculty, and students engaged in academic work;
- protecting the rights of the university;
- protecting users' privacy;
- protecting the System or network Administrator (SNA) in the performance of his or her job;
- allowing routine administrative actions that might affect users' files;
- providing a mechanism to allow non-routine, non-emergency access to users' files when it can be justified;
- providing guidelines for the occasional need to take immediate action. The ability of an SNA to read a user's files does not imply that he or she may do so without obtaining the approval required by these procedures.
"Incidental personal use" of computing systems is an accepted and appropriate benefit of being associated with Fairfield University. However, "incidental personal use" must still adhere to all university policies, and must never have an adverse impact on the use of technology and information resources in support of the University's mission. Examples of "adverse impact" are described in the section entitled "Responsibilities" in the Acceptable Use Policy. The respective chief administrator of the Academic Division, Student Services, and Human Resources share the responsibility to interpret the Acceptable Use Policy along with existing university policies relating to personal use of computers and to establish procedures to assist them in the investigation and enforcement of these procedures. For example, in accordance with existing university procedures an employee's supervisor may also decide that personal activities are affecting the abilities of the employee or colleagues to perform job functions and it is their right to ask the employee to cease those activities. Ultimately, the Office of Human Resources will arbitrate disagreements concerning the interpretation of the Acceptable Use Policy relating to non-faculty staff.
This policy defines "private" either as physically or technically not accessible to the general public or accessible only through non-obvious password protection or other security schemes designed to limit access to known or identified individuals. Network system logs which may record an individual's network activity shall be considered private.
During routine administration SNAs may need to archive or delete privacy user files or messages from the system; for example, this usually is due to physical data storage limits or an individual's departure from the University. In this situation, it is not necessary for an SNA to read or view user files; all work is done using system utilities, machine to machine. Given that these situations are foreseeable, each organization responsible for a computer or network system on which these actions will take place must define how and when they will occur. Reasonable efforts must then be made to ensure that system users understand the policy.
Violations, Investigations and Due Process
Non-routine situations may occur where it is necessary to examine a user's private files without being able to obtain his/her specific permission or authorization. Such situations may include the investigation of violations of this policy or other University policies. The intent of these procedures is to separate the authority to read private user files or messages from the technical ability to do so. This separation attempts to protect both the user and the SNA.
- The procedures outlined in this section shall apply to the investigation of University policy violations, including violations of the Acceptable Use Policy, which involve University computing resources or which require access to the private computer activities or files of students or faculty.
- Reporting of complaints
Any member of the University community may bring a complaint of unacceptable use of computing resources. It is also conceivable that individuals or agencies outside the University may bring such complaints. Complaints shall be brought to the Director of Computing & Network Services or his/her designee who will be responsible for coordinating the presentation of complaints to the "appropriate chief administrator" as follows:
- A. The Director of Computing & Network Services is charged with making judgments of whether a given activity, use, or publication involving Fairfield University computing resources (including but not limited to the use of the campus network and internet gateway, use of servers-e-mail, web, file, mainframes, etc.-desktop computers, public terminals, etc.) requires further investigation and/or referral to the appropriate chief administrator.
- B. For alleged violations of the AUP by faculty members or by students engaged in academic work, complaints that merit investigation will be referred to the Academic Vice President. Before any action is taken the Academic Vice President will refer the matter to an Acceptable Use Policy Committee (AUPC) composed of two tenured faculty appointed by the Educational Technologies Committee and one tenured faculty appointed by the Academic Vice President to investigate and make a recommendation.
- C. Students whose conduct is alleged to violate the AUP may appeal to the Academic Vice President on the grounds that their activity is course related and within the scope of academic freedom. The Academic Vice President will refer the matter to AUPC. Student activities that are related to course work and found in violation of the AUP may be sanctioned by the Academic Vice President and the matter referred back to the Vice President of Student Affairs.
- D. For Non-Academic Violations the Director of Computing & Network Services may make recommendations regarding suspension of computer privileges or other punitive or remedial action to the respective chief administrator.
- For the disposition of computing privileges, the due process procedures outlined in this document shall be sufficient, on the authority of the appropriate chief administrator, to revoke or limit computing privileges of an individual found in violation of acceptable use. However, this policy does not limit any further disciplinary action the appropriate chief administrator may seek to bring according to established disciplinary procedures for faculty, staff and students.
Authorization for Investigative Action
This policy makes a distinction between electronic files and activities that take place on common University computing equipment (file and e-mail servers, the network and internet gateway) and files and activities that take place on a personal computer belonging to or assigned to an individual. Private electronic files that reside on, or activities that take place on, common University computing equipment (file servers, etc.) and private computing activities that take place over the University network and internet gateway are covered by this policy and may be searched according to the procedures set out in Sections 3a and 3b below. Electronic files residing on personal computers belonging or assigned to individuals may only be searched according to the procedures set forth in Section 3b below. Electronic files that have been made publicly available (that is, not protected through the use of non-obvious passwords or other security measures), either on common University file server equipment or through the use of "sharing" or other forms of file server programs on equipment owned by or assigned to a user are not considered private according to this policy. Computing equipment that resides off campus is not covered under this policy, though all activity of such equipment by authorized Fairfield users that takes place through the University network and computing systems is covered by this policy.
- a. Searching private computer files or monitoring electronic activities that do not violate the Acceptable Use Policy. Situations may arise in which the conduct of a computer user is under investigation for violations of other University policies. In such cases, authorization to access private electronic files or monitor electronic activity must be made in writing by the appropriate chief administrator to the Director of Computing & Network Services, who in turn must authorize the System or Network Administrator (SNA) in writing to perform the requested search. Any attempt to access private electronic files or other private electronic activities must conform to all applicable operating procedures of the University.
- b. Searching faculty offices and student dorm room. Different policies govern the privacy of student dorm rooms and faculty office space:
- i) Student Dorm Rooms and Personal Computers Owned by Students. Under the authority of the Room Entry and Room Search sections of the Student Handbook, the Vice President of Student Affairs may authorize that a search be conducted on a personal computer. Entry to the student room shall be conducted in accordance with the Room Entry and Room Search clauses in the Student Handbook. The SNA may be authorized to assist the staff of student services by accompanying them and conducting the search of student computer in accordance with Section 4a of this policy.
- ii) Faculty Desktop Computers. This policy recognizes that files stored on a desktop computer are part of the faculty office, unless made publicly available (i.e., not password protected) through networking programs such as file sharing, web, or other such server software. Entry to a faculty desktop computer shall occur only when authorized by the Academic Vice President, in accordance with existing policies.
All users of computing resources at the University should be aware that this policy does not limit any applicable State and Federal search and seizure procedures.
Emergency Situations. Situations will occur that pose immediate threats to the operations or security of computer or network systems. Because of the immediacy, the SNA will need to intervene without obtaining the written permission usually required before taking actions that may affect user files, messages or system access privileges. The intent of these procedures is to allow SNAs to take appropriate, timely action when protecting University computer systems while ensuring that the user and appropriate University officials will be made aware of the situation as soon as possible.
- a. If an SNA determines that user files or messages pose a significant threat to the operation or security of a University computer or network system, he or she will take appropriate action to correct the problem only upon the authorization of the Vice President for Information Services. If the Director of Computing & Network Services is not available, the SNA may take such action as is necessary to resolve the emergency. Such action may include, but is not limited to disabling user privileges, deleting or disabling a user file, or disconnecting a network connection. SNAs are not authorized to enter a private office or dorm room on an emergency basis, but may temporarily disable network connections until proper authorization is obtained to inspect computing equipment in these areas. The SNA will not perform any action on user files or messages that are not relevant to the current problem and will not take any technical action, a this point, that would permanently deprive the user of access to the computer or network system.
- b. As soon as possible after action is taken, but no later than the next business day, the SNA will make a written report to the Director of Computing & Network Services and the appropriate chief administrator outlining the nature of the threat; protective actions taken; the user(s) involved; and the user file or messages that were affected.
Sanctions. For nonacademic violations the appropriate chief administrator will review the recommendations of the Director of Computing & Network Services and make the final decision concerning any penalty or sanctions to be imposed on the offending party. Under this policy, those sanctions or penalties may consist of limitation or suspension of any or all computing privileges. Imposition of such penalties does not preclude further disciplinary action according to established policies for faculty, students and staff.
Guidelines for Systems and Network Administrators
Computer systems and network administrators (SNAs), by the nature of their work, have privileges and responsibilities that other users of technology generally do not have. Without system privileges, SNAs would not be able to do their jobs. The use of these privileges must be wise and thoughtful. These guidelines were developed to articulate responsibilities SNAs have in addition to those outlined in Fairfield University's Acceptable Use Policy.
- SNAs are bound by the Acceptable Use Policy and the procedures set forth in Sections I and II of this policy. Further, SNAs have a responsibility to educate users about all applicable computing policies.
- All SNAs have an additional responsibility to assure the operation, security and integrity of Fairfield University's computers, networks, and data.
- Consistent with the other obligations imposed on them under the Acceptable Use Policy, other applicable University policies, and the law, SNAs will treat as confidential any private and/or confidential information obtained during system administration.
- SNAs must not disclose privileged and confidential information about Fairfield University's systems or any other information that could prove detrimental to operations or compromise system security.
- It is against University policy for an SNA to read a user's files. However, SNAs in the course of routine system administration, may need to delete or archive user files or messages. In order to do this, SNAs must first promulgate a clear policy to the users describing how and when delete or archive actions will be taken. These policies may vary by department. This section does not, however, grant SNAs authority to read user files or messages during routine system administration. Procedures for obtaining authorization to read user files or messages in routine, non-emergency and emergency situations are provided in Section II of this policy.
- When reacting to or preventing actions by users that may violate the Acceptable Use Policy or other actions by users that may have significantly detrimental effects on system or network operation, SNAs may need to read, modify or delete user files or messages. These actions will take place in accordance with the procedures outlined in this policy and the SNA will document any access to user files or messages.
- SNAs will take all practical measures to ensure that all hardware and software license agreements are faithfully executed on all systems, network, servers, and computers for which he or she has responsibility.
Violations of these Guidelines for SNAs will be handled following the administrative and disciplinary processes outlined in the applicable operating pollicies and procedures of the University.