University Information and Policy
The information of any organization is one of its most valuable assets. As an employee of the University of
Delaware, you have a responsibility for securing these assets. Information Security
Policy (No. 1-15) establishes employee responsibility for protecting University information from unauthorized access, modification, destruction or
disclosure. The Policy for Responsible Computing (No. 1-14) requires University students, faculty and staff to
make responsible use of computing and information resources and to guard against abuse. Together these policies form the cornerstone of responsible
computing at the University of Delaware. This manual, along with other related University
information policies, provides implementation guidelines for complying with these
requirements. If you haven't already, you need to become familiar with these policies and indicate your
understanding and compliance with them at Understanding of Employee Computing
Responsibilities and Notice of Monitoring.
Read and understand these policies and take time to see how they apply to your work
responsibilities. Ask questions if you are unsure of what is expected of you. Ask your supervisor or send
e-mail to the Help
Center.
Remember that these policies apply to you just as they apply to all other employees.
Individual Responsibilities
When you power up the PC on your desktop each morning, or log in to work from home, you have opened a window to University information. Responsibility for the security of that information is not delegated to a few select departments and administrators. If you have access to University information, you are also responsible for securing it. You could be a weak link in the security chain, potentially exposing the University's information systems to those who would misuse them.
At the end of the day, when you log off from the network and shut down your PC, you close the window. But much of the information you worked with is still in your care. It may reside on your home or office PC, on USB flash drives or CDs, or on an office file server.
Use the following guidelines to set specific practices for your department or office, or for working from home. They are not exhaustive, but are intended to serve as a guide.
Protect Personal Information
Disclosing personally identifiable, non-public academic, financial or health information without permission is prohibited by the University's Information Security Policy (No. 1-15), Personal Non-Public Information Policy (No. 1-22), and Federal laws including the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Safeguarding personal non-public information (PNPI), especially Social Security numbers (SSNs), is also critically important because these data pose a high risk of identity theft or financial loss to the individual if improperly disclosed.
According to the Social Security Administration, the SSN is confidential and a key piece of personal information for perpetrators of identity theft. Identity theft was the most-reported complaint to the Federal Trade Commission in 2006, accounting for 36% of the 675,000 complaints filed. Credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud, and employment fraud.
A spreadsheet, web site or other posting with grades, financial or medical information linked to
social security numbers or any other personally identifiable information
would violate one or more of the aforementioned laws and University
policy. The Department of Education has even ruled that using the last four digits of SSN for grade
postings violates FERPA, so no portion of the SSN can be used as an
identifier. Contact the University Registrar for more information on secure ways to post grades.
Unless required by law, or needed to perform core departmental activities that cannot readily be accomplished by other means, SSNs and other high-risk personal non-public information must not be collected or stored. Personal non-public information should not be stored on systems in your unit; wherever possible, use centrally administered systems to retrieve, process or store it. University departments must re-evaluate their acquisition, use and safeguarding of personal non-public information for conformance to these guidelines at least annually.
If you have personal non-public information on your system or on portable storage media, it must be encrypted, and you must safeguard it from unauthorized disclosure, alteration and destruction as outlined in the system management section below. If your system is compromised while unencrypted high-risk personal non-public information is stored on it, you are required to notify all persons whose information may have been disclosed. Social engineering is the use of subterfuge to gain access to confidential data: be wary of, and verify, all requests for personal non-public information from unfamiliar persons, and never send or confirm personal non-public information over the phone or by e-mail, even if the requesting party already supplies it.
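The annual re-evaluation called for above starts with knowing where SSNs and card numbers actually sit. The following script is an added example, not part of the University's manual or its tooling: it walks a directory of text files looking for Social Security numbers and payment card numbers, using the Social Security Administration's structural rules and the Luhn check to discard most random digit runs. The sample roster embedded in it is constructed, and the list of file suffixes it scans is an assumption to adapt. Findings are reported by file, line and kind only, with no digits, because the page notes that even a partial SSN is an identifier and the report must not become a fresh copy of the data.

```python
"""Discovery scan for personal non-public information (PNPI) in text files.

Added example, not code from the University of Delaware page. It looks for
Social Security numbers and payment card numbers so a department can find
where such data sits before deciding to encrypt, move or destroy it.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Candidate SSN: 3-2-4 digits, optionally separated by '-' or ' '.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Candidate card number: 13 to 19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# File types scanned by scan_tree(); an assumption, extend to suit your department.
TEXT_SUFFIXES = (".txt", ".csv", ".log", ".md")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the Social Security Administration's structural rules.

    Area 000, 666 and 900-999 are never issued, nor are group 00 or
    serial 0000. This rejects most random nine-digit numbers.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, kind) for each plausible SSN or card number.

    The digits themselves are deliberately not returned: the report must
    not become a new copy of the PNPI it is looking for.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append((lineno, "ssn"))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, "card"))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings by kind, e.g. {'ssn': 2, 'card': 1}."""
    counts: dict[str, int] = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def scan_tree(root) -> dict[str, list[tuple[int, str]]]:
    """Scan every text file under root; map path -> findings (non-empty only)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            try:
                hits = scan_text(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample roster; the names and numbers do not belong to real people.
SAMPLE = """\
Grade roster (constructed sample data, not real people)
Alice Example, 219-09-9999, A
Bob Example, SSN 078-05-1120, B
Order 4111 1111 1111 1111 approved
Reference number 000-12-3456 is a form number, not an SSN
Phone 302-831-6000 is the Help Desk
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, summarize(hits))
    else:
        for lineno, kind in scan_text(SAMPLE):
            print(f"sample line {lineno}: {kind}")
```

Run it with a directory argument to scan a departmental share, or with no argument to see it classify the constructed sample: the two roster lines and the card line are reported, while the 000-prefixed form number and the Help Desk phone number are not. Treat the output as a worklist for encryption, relocation to a central system, or destruction, not as proof that nothing else is present; binary formats such as spreadsheets and PDFs need a converter in front of scan_text().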
Managing Systems in Your Care
Unless your department has designated someone else to manage your personal computer or workstation, you are its system administrator. As a system administrator, you are responsible for safeguarding your computer's stored information and for keeping it safe from unauthorized users and processes (e.g., worms, bots and viruses). You may also be responsible for a departmental server, computing site or subnet. System administrator responsibilities can range from a single laptop or office PC to a multi-processor server.
Each system you administer is most likely connected directly to the Internet via the University's network. To support the freest possible exchange of scholarly information, the University does not selectively monitor, filter or block traffic passing over its network. With that freedom comes the responsibility to protect confidential University information against the inherent risks of being connected to a high-speed, open network.
Security Management Basics
- Learn how to properly secure your system and its stored data (on permanently attached and removable media) from unauthorized modification, destruction or disclosure. An insecure system is vulnerable to being compromised and then used remotely to attack other machines. By keeping your system free of intruders, you also protect yourself and the University from being blamed for attacks launched from it.
- Keep your operating system up to date
by configuring your system to automatically download and install patches.
As the administrator of your personal computer or server, you are
responsible for protecting it by keeping it up to date. Vendors,
including Microsoft, routinely release security and other critical
patches free of charge when vulnerabilities are discovered. Microsoft
NEVER sends patches by e-mail. Beware of e-mail claiming to be from
Microsoft with attached Windows patches (See
How
to Tell if a Microsoft Security-Related Message is Genuine).
Microsoft does provide an e-mail
alert service informing subscribers when security update
announcements are released.
- Use current anti-virus
software at all times, especially to scan e-mail attachments.
Information Technologies requires McAfee anti-virus software for
PCs and Macintoshes. The University has a site license for McAfee anti-virus
software that can be downloaded free of charge.
- Use a
firewall to protect your computer from unwanted, malicious probes by
other systems. It’s
like locking your doors at night to keep someone from just walking into
your home. A new,
unprotected computer can be infected within seconds of being connected
to the internet, but turning on a firewall first can protect it while
updates and current virus protection are obtained over the
internet. Windows XP has a
built-in firewall that is easily activated.
- Electronic communications (e.g., POP or IMAP e-mail, web files, login sessions and wireless) are not routinely encrypted over the University network or when working from home. The University's recommended web mail service is encrypted automatically. Although the probability of any one Internet communication being intercepted and falling into the wrong hands is small, sensitive communications and documents, e.g., those containing personal non-public information such as Social Security numbers, credit card numbers or academic records, and especially your passwords, should never be sent over the Internet without being encrypted. Recommended encryption protocols are described in more detail in Security 101. Contact the Help Desk at 831-6000 for more information about using encrypted protocols to secure electronic communications.
- Encrypt files
containing personal non-public information. If
the computer or removable media is compromised or stolen, the
encrypted information will be unusable
in the perpetrator’s hands. Contact the IT Help Center at x6000 for more
information on encryption software.
- The risk to sensitive information stored on a computer increases with its exposure: the number of people and other computers that can reach it, and the range of duties assigned to it. The number of users, both inside and outside the University, the connections it makes to other computers (including web browsing), and the types of applications it runs (e.g., databases and web browsers) all must be considered when assessing whether a system is configured to adequately safeguard the information it contains. Be cautious of freeware and shareware, as these programs can introduce processes that compromise your system's security. Peer-to-peer applications can be especially dangerous if personal or confidential information resides on the system: they can inadvertently share sensitive, personal or confidential information residing on the host with anyone who finds it via a simple query. Peer-to-peer applications must not be installed on any system containing PNPI.
- Choose passwords that are not easily guessed for all of your computer accounts, including the administrator accounts on your PC. Sound passwords are combinations of letters, numbers and special characters; the longer the better. Commit them to memory and never write them down or tell them to anyone. If you tell someone your password or PIN, you are potentially giving that person access to information that was entrusted specifically to you. You run the same risk if you write down your password or PIN, choose one that is easy to guess, or transmit it in clear text when you log on from the office or from home. To encrypt your password or PIN, and all other information sent to or received from University systems, use an SSH terminal client. Contact the Help Desk at 831-6000 for more information about using SSH to encrypt your computing sessions.
- E-mail messages may be
stored as files on centrally administered storage. The e-mail messages
you send become the possession of the receiver and can easily be
re-distributed or seen by others. In this sense, they are not private.
They are unlike face-to-face or unrecorded telephone conversations in
this regard. When the confidentiality of a message is of the utmost
importance, only a person-to-person conversation may be sufficiently
secure.
- Log off your computer when
you leave your desk, or set it up to require a password after a pre-set
amount of inactivity. Keep information displayed on your screen
confidential, just as you would keep confidential printed material on
your desk or in your files away from wandering glances.
Other Best Practices
- Destroy sensitive, confidential or non-public information before disposing of the media on which it is stored. Otherwise, you expose the information on hard drives, USB flash drives, CDs, paper forms and reports, etc., to unauthorized disclosure. Shred paper reports and forms that contain confidential or sensitive information, and render CDs you no longer need unreadable before disposing of them. Also be sure to zero-fill or scrub the internal disk drive(s) of obsolete computers before you send them to surplus. Simply deleting the files does not completely remove them from the hard drive; deleted files can be easily recovered with common utilities. Advanced users can use the DBAN disk wipe utility. Call the IT Help Center at x6000 for assistance if you are unsure how to completely remove data from your hard drive before you surplus your computer.
The Disposal
Rule of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
requires businesses and individuals to take appropriate measures to
dispose of sensitive information derived from consumer reports to protect
against "unauthorized access to or use of the information." For example,
if consumer information about students or their parents is used as part of the financial aid
process, the rule would apply. It would also apply to consumer information used in the
applicant hiring process. Similarly, if your department uses consumer information to
establish accounts for any service, this rule would apply. There are many
other instances where this information may be obtained and used on our campus, and it is
important for each department to be aware of these rules and to be in compliance.
- As an aid to better understanding responsible computing
practices,
all departments that own or lease computing equipment are encouraged to
develop "Conditions of Use" or "Guidelines for Responsible Computing"
documentation for all systems that they operate and to make these
documents available to users. These documents should be consistent with
the Policy for
Responsible Computing at the University of Delaware and should be
approved by the department's administrative officer or other individual
designated by that administrative officer.
- Back up your data regularly and know how to restore it. Several generations of backups are recommended. Backups must be available when needed, so store them where authorized colleagues know where they are and can reach them. University Archives can offer assistance.
- Lock copies of your data on
removable media or printed reports in your desk or a fire-resistant
cabinet. Portable USB flash drives and other compact storage
technologies have enough capacity to back up enormous amounts of
institutional data. Highly sensitive or confidential institutional data
stored on removable media must be encrypted.
- Your electronic data files
are subject to the same records retention requirements as paper records.
Consult with University
Archives to make certain your electronic records are included in
your Records Retention program.
- Routinely delete e-mail
messages that do not need to be saved.
- Ensure that all software
license agreements are in place.
- Grant access to users on a need-to-know
basis, and remove access and user profiles when they are no longer
needed.
For additional assistance with
managing your system, contact your department's CITA or call the IT-Help Center at 831-6000.
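The disposal practice above rests on one fact: deleting a file removes its name, not its contents. The following Python helper is an added example, not a University tool, showing the per-file counterpart of zero-filling a drive: it overwrites the file's bytes in place, forces them to disk with fsync, verifies the overwrite, and only then unlinks the name. The file it wipes in its demo is constructed in a temporary directory. Caveat: on SSDs, copy-on-write or journaling filesystems, and folders mirrored to backups or cloud sync, earlier copies of the blocks can survive an in-place overwrite, so this supplements rather than replaces zero-filling the whole drive (DBAN, as above) or keeping PNPI encrypted from the start.

```python
"""Overwrite-then-delete for a single file holding sensitive data.

Added example, not code from the University of Delaware page. os.remove()
alone only unlinks the name and leaves the data blocks recoverable; this
helper overwrites the blocks first and checks its work before deleting.
"""
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # write buffer; small enough that the demo file spans several chunks


def overwrite_file(path, passes: int = 1, fill: bytes = b"\x00") -> int:
    """Overwrite every byte of the file in place `passes` times; return the file size.

    fill must be a single byte (zero-fill by default, matching the page's advice).
    Each pass is flushed and fsync'ed so the overwrite reaches the disk, not
    just the operating system's page cache.
    """
    if len(fill) != 1:
        raise ValueError("fill must be exactly one byte")
    p = Path(path)
    size = p.stat().st_size
    block = fill * CHUNK
    with open(p, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(block[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def verify_overwritten(path, fill: bytes = b"\x00") -> bool:
    """True if every byte in the file now equals fill."""
    block = fill * CHUNK
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk != block[: len(chunk)]:
                return False


def secure_delete(path, passes: int = 1) -> int:
    """Overwrite, verify, then unlink. Returns the number of bytes wiped.

    Raises RuntimeError rather than deleting if verification fails, so a
    failed wipe is never silently turned into an ordinary delete.
    """
    size = overwrite_file(path, passes=passes)
    if not verify_overwritten(path):
        raise RuntimeError(f"overwrite of {path} did not verify; file left in place")
    os.remove(path)
    return size


def demo() -> dict:
    """Create a constructed PNPI file in a temp directory, wipe it, report the outcome."""
    fd, name = tempfile.mkstemp(suffix=".csv")
    record = b"Alice Example,219-09-9999\n"  # constructed, not a real person
    with os.fdopen(fd, "wb") as fh:
        fh.write(record * 5000)  # 130,000 bytes: spans several CHUNKs
    wiped = secure_delete(name)
    return {"bytes_wiped": wiped, "still_exists": os.path.exists(name)}


if __name__ == "__main__":
    print(demo())
```

Call secure_delete() on the real file once you have confirmed its path; the verification read is what distinguishes this from a plain delete, and the RuntimeError path is deliberate so that an overwrite that did not land (a read-only mount, a full disk) leaves the file where you can still see it rather than quietly unlinking it.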
Computing Resources Acceptable Use Guidelines
Employees are expected
to be responsible in their use of computing resources in accordance with the University of Delaware mission and in compliance with
its policies and all applicable laws and regulations. This principle is the
basis for the following general acceptable use guidelines:
- Be considerate of other
users. Do not run processes or engage in network activity which denies
others the use of shared resources.
- Respect the integrity of
the University network. Improperly configured or inappropriate processes
running on your system can have a destabilizing effect on the network.
The University reserves the right to constrain and remove applications,
services or improperly configured systems which may be negatively
impacting network performance.
- Respect the intellectual
property rights of others. See Copyright: Your Rights and
Responsibilities for more information.
- Abide by the principles of
decency, fairness and respect for the rights of others – e.g., the
right to privacy and confidentiality.
University policies
prohibit certain activities:
- Using University computing resources for non-University commercial activities, fund-raising, partisan political purposes, or on behalf of organizations not affiliated with the University. The State-created University Charter prohibits the University's management from benefiting any party, sect or denomination. Employees may choose to participate in any of the above activities, but cannot use University resources to support these personal activities.
- Using any University
computer, facility, equipment, software, network or other resource
including e-mail without authorization or for any activity other than
that for which access or use was assigned or authorized.
- Sending chain letters, pyramid
scheme messages, spam or engaging in any behavior which wastes resources
or is disruptive to the network.
- Sending sexually explicit,
offensive, demeaning, insulting or intimidating e-communications, ethnic
or racial slurs or anything that harasses or disparages others. Sending
such messages is grounds for disciplinary actions, including
termination.
- Violating copyright, trademark, or
other laws or regulations in sending e-communications, publishing web
pages or posting to newsgroups and discussion lists.
- Using University of Delaware institutional mail lists
without appropriate authorization.
- Intentional, unauthorized access to or
interception of information or e-communications. The ability to access
information or intercept e-communications does not inherently include
authorization to do so.
- Altering, destroying or forging
e-communications or intentionally compromising the integrity of the
network.
The University's Policy for
Employees' Use of Electronic Communications (No.1-19) establishes the applicability
of existing University policies and federal, state and local law to
electronic communications, including requirements for good electronic
citizenship and expectations for privacy. Generally, the University will not
make any efforts to monitor e-communications except when required by law or
to investigate any policy infraction. If you haven't already, you need to
become familiar with these current policies and indicate your understanding
and compliance with them at Understanding
of Employee Computing Responsibilities and Notice of
Monitoring.
Electronic Communications
At the University of Delaware, electronic mail (e-mail) and
the University's web sites offer efficient, cost-effective communication
between members of the University community. In fact, e-mail is
- An official communication
channel for University departments and employees;
- An official communication
channel between the University (departments, faculty, and staff) and its
students.
As a result, every
employee must
- Have an account on the University's central mail server (udel.edu);
- Be responsible for receiving
and reading any official communication sent to his or her
"udel.edu" account.
Therefore, every
employee must do the following:
- Read your e-mail in a
timely fashion.
- If you choose to use software to sort your incoming e-mail into folders or to filter out unsolicited advertising e-mail (spam), you are responsible for making sure that your filter rules do not accidentally delete official University correspondence.
- If you choose to forward your e-mail from udel.edu to another e-mail server, either a departmental server or an off-campus ISP's server, you are responsible for making sure that your e-mail forwarding is working so that you can continue to receive and read your University e-mail in a timely fashion.
Commercial E-mail
If your department
sends e-mail that might be construed as commercial - i.e., a commercial
advertisement or promotion of a commercial product or service, you might be
subject to the 2003
CAN-SPAM Act. Any commercial e-mail must include the following
information:
- Identification of the e-mail as an
advertisement from your University department or group. Make it clear
that it is coming from a sub-part of the University and not the
University as a whole;
- A valid postal address for
your department;
- Accurate identification of
the sender in the "From" line of the e-mail;
- A subject line that is
consistent with the e-mail's message;
- Instructions to opt-out of future
e-mails from your University department or group.
This information can appear
anywhere in the e-mail. An easy way to meet these requirements without
re-writing your communication is to attach a standard signature block at the
bottom of the e-mail.
Additionally, opt-out requests must be handled as follows:
- The opt-out mechanism may be a return e-mail address or a web site;
- It must be able to process opt-outs for at least 30 days after the commercial e-mail was transmitted;
- Requests must be honored within 10 business days of receipt and remain effective indefinitely;
- Recipients' e-mail addresses may not be disclosed to a third party.
For more information
see the FTC
web site.
Commercial Facsimiles
The Federal Communications Commission (FCC) is responsible for enforcing the Junk Fax Prevention Act, which was signed into law July 9, 2005 (S. 714). The FCC's implementing rules, effective August 1, 2006, bar unsolicited fax advertisements, subject to certain exemptions. Facsimiles that advertise the availability or quality of any property, goods or services cannot legally be sent without the prior express invitation or permission of the recipient, or an established business relationship (EBR) between the sender and recipient. A customer with an EBR may be sent facsimile advertisements only if one or more conditions are met, e.g., if the customer provided the fax number on an application or other form, or if it is published in a directory without a note that unsolicited facsimiles are not accepted.
Also, the FCC's rules require that facsimile advertisements include contact information that allows recipients to opt out of future faxes from the sender. Valid opt-out requests must be honored within the shortest reasonable time from receipt, not to exceed 30 days.
These commercial communication rules may apply to activities in your department.
Consider the types of communications you send outside the University and determine if they are governed by these two laws.
Examples include
- Alumni or student membership renewals,
- Ticket sales for athletic or performing arts events,
- Solicitations for printed advertising space,
- Advertisements for courses, seminars and conferences.
For more information see the FCC web
site.
Copyright: Your Rights and Responsibilities
From the 1987 EDUCOM
Code for Software and Intellectual Rights:
Respect for
intellectual labor and creativity is vital to academic discourse and
enterprise. This principle applies to works of all authors and publishers in
all media. It encompasses respect for the right to acknowledgment, right to
privacy and right to determine the form, manner and terms of publication and
distribution.
Because electronic
information is volatile and easily reproduced, respect for the work and
personal expression of others is especially critical in computer
environments. Violations of authorial integrity, including plagiarism,
invasion of privacy, unauthorized access, and trade secret and copyright
violations, may be grounds for sanctions against members of the academic
community.
These principles still
hold true. However, in today’s rapidly changing technological
environment, higher education institutions increasingly find themselves at
the center of the ongoing digital copyright debate which seeks to balance the
rights of copyright holders with users of creative works. Copyright law
sets the rules for who can make copies of creative works (versus facts and
ideas), and how they can be used. Examples of intellectual property include
books, movies, manuscripts, audio recordings, pictures and software.
It is essential that
all members of the University community understand their rights and
responsibilities regarding copyright laws. University policy and copyright
laws prohibit the unauthorized use, transmission, copying and storing of copyrighted
works. However, the University encourages the use of electronically
transmitted information within the "Fair Use" guidelines of the
copyright law or with the permission of the author.
The 1998 Digital Millennium Copyright Act (DMCA) amended Title 17 of the United States Code to implement the World Intellectual Property Organization (WIPO) Copyright Treaty. The DMCA set forth legal provisions for fair use in a digital environment, the circumvention of technical protection measures, and other copyright issues pertinent to digital environments. The 2002 Technology, Education, and Copyright Harmonization (TEACH) Act extended digital fair-use provisions by allowing accredited non-profit educational institutions to provide copyrighted materials via the Internet, under limited circumstances and without obtaining permission from copyright holders, to students enrolled in "mediated instructional activities", e.g., distance education. The rights embodied in the TEACH Act are contingent upon "reasonable" technological protection measures (e.g., restriction to the enrolled class roster via passwords, availability for a limited duration, notice to students that the materials are subject to copyright restrictions, etc.) to prevent the unauthorized re-distribution and/or retention of copyrighted materials, and on other requirements.
Resources for learning
more about copyright law and how it affects you can be found at the following
locations:
The University of Delaware Library
Copyright Subject Guide contains an extensive
list of copyright resources.
How to use MyCourses
to incorporate copyrighted materials into coursework. Also, in order to take UD
Online courses students are required to agree to a copyright
license agreement. This agreement outlines the obligations of the student
(user) and the limitations of liability.
The Center for Teaching Effectiveness can
assist with navigating digital copyright issues in curriculum.
For More Information
Faculty Handbook
Computer Security at UD
University Policy Manual
Related Policies
The following
University policies define your role in, and responsibilities for protecting
University information.
- The Information Security
Policy (No. 1-15) establishes employee responsibility for protecting
University information from unauthorized access, modification,
destruction or disclosure. This includes all University information and
media types, from printed reports to e-mail saved on your PC to
published web pages.
The policy states that all employees are responsible for protecting University
information and that each department is required to make protection of this
information a part of its overall business plan.
The Policy for
Responsible Computing (No. 1-14) requires University students,
faculty and staff to make responsible use of computing and information
resources and to guard against abuse.
The Electronic Record
Keeping Policy (No. 1-13) makes it the responsibility of each
department to establish standards for electronic file organization,
measures for protecting sensitive information stored electronically and
procedures for file backup.
This
policy extends to electronic records the requirements of the University Archives and
Records Management Program (No. 1-10), which governs records retention,
vital records protection and filing practices and techniques as they pertain
to paper files.
The Policy for
Employees' Use of Computing Resources for Web Pages (No. 1-16)
governs the use of University computing resources by employees for home
pages. This policy applies to all University full-time, part-time and miscellaneous
wage employees.
The Policy for
Electronic Mail Management and Retention (No. 1-18) advises
University employees and departmental managers of their responsibilities
regarding the creation of e-mail messages, the routine deletion of
e-mail and the retention of e-mail messages that are official University of Delaware records.
The Policy for
Employees' Use of Electronic Communications (No. 1-19) establishes
the applicability of existing University policies and federal, state and
local law to electronic communications (e-communications), including
expectations for privacy and requirements for good electronic community
citizenship.
The Policy for Wireless
Computing at the University of Delaware (No. 1-20) regulates campus
wireless airspace to ensure its fair and efficient allocation and to
prevent collision, interference, and failure.
The Policy for Use of
University Owned Mailing Lists (No. 1-21) regulates the use of
University owned mailing lists for those purposes determined to be in
the best interest of the University.
The Personal Non-Public Information Policy (No. 1-22) expands on the Information Security Policy (No. 1-15) to establish requirements for protecting personal, non-public information and for notifying individuals whose personal, non-public information may have been disclosed by computer security breaches.
The Credit Card Policy (No. 3-26) defines the minimum technical criteria that must be met for University departments to receive credit card information over the web.
The Family Educational Rights and Privacy Act (No. 4-20), or FERPA, requires that the University protect the confidentiality of student educational records. These include academic, financial, disciplinary, medical and counseling office records.
To be in compliance, the University must obtain the written consent of a student before disclosing information from these records. A student's right to see his or her records does not extend to parents or guardians.
The
University may not release directories, rosters, lists
or address labels of students to parties not affiliated with the University. University policy prohibits posting grades and test scores
publicly using any personally identifiable information, including the last 4
digits of the social security number.
The Policy for
Copyrightable Material (No. 6-07) defines the general principles and
administrative responsibilities and procedures for establishing and
safeguarding intellectual property developed by University faculty and
staff.