Responsible computing: staff
Table of Contents
- University information and policy
- Individual responsibilities
- Protect personal information
- Managing systems in your care
- Computing resources acceptable use guidelines
- Electronic communications
- Copyright: Your rights and responsibilities
The information of any organization is one of its most valuable assets. As an employee of the University of Delaware, you have a responsibility for securing these assets. Information Security Policy (No. 1-15) establishes employee responsibility for protecting University information from unauthorized access, modification, destruction, or disclosure. The Policy for Responsible Computing (No. 1-14) requires University students, faculty, and staff to make responsible use of computing and information resources and to guard against abuse. Together these policies form the cornerstone of responsible computing at the University of Delaware. This Web page, along with other related University information policies, provides implementation guidelines for complying with these requirements. If you haven't already, you need to become familiar with these policies and indicate your understanding and compliance with them at Understanding of Employee Computing Responsibilities and Notice of Monitoring.
Read and understand these policies and take time to see how they apply to your work responsibilities. Ask questions if you are unsure of what is expected of you. Ask your supervisor or send email to the IT Support Center.
When you power up the PC on your desktop each morning, or log in to work from home, you have opened a window to University information. Responsibility for the security of that information is not delegated to a few select departments and administrators. If you have access to University information, you are also responsible for securing it. You could be a weak link in the security chain, potentially exposing the University's information system to those who would misuse it.
At the end of the day, when you log off from the network and then shut down your PC, you close the window. But, a lot of the information you worked with is still in your care. It may reside on your home or office PC, USB flash drives, CDs, or on an office file server. You should use the following guidelines to set specific practices for your department, office, or when working from home; they are not exhaustive, but are intended to serve as a guide.
Disclosing personally identifiable, non-public academic, financial, or health information without permission is prohibited by the University's Information Security Policy (No. 1-15), Personal Non-Public Information Policy (No. 1-22), and Federal laws including the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Safeguarding personal non-public information, especially Social Security numbers (SSNs), is also critically important because these data pose a high risk of identity theft or financial loss to the individual if improperly disclosed. According to the Social Security Administration, the SSN is confidential and a key piece of personal information for perpetrators of identity theft.
A spreadsheet, Web site, or other posting with grades, financial, or medical information linked to Social Security numbers or any other personally identifiable information would violate one or more of the aforementioned laws and University policy. The Department of Education has even ruled that using the last four digits of SSNs for grade postings violates FERPA, so no portion of the SSN can be used as an identifier. Contact the University Registrar for more information on secure ways to post grades.
Unless required by law, or needed to perform core departmental activities that cannot be immediately facilitated by other means, SSNs or other high risk personal non-public information must not be collected or stored. Personal non-public information should not be stored on systems in your unit or on personally owned computers. Whenever possible, centrally administered systems must be used to retrieve, process, or store personal non-public information. University departments must re-evaluate their acquisition, use, and safeguarding of personal, non-public information for conformance to these guidelines at least annually.
If you have personal non-public information on a system in your unit, a personally owned system, or portable storage media, it must be encrypted, and you must safeguard it from unauthorized disclosure, alteration, and destruction as outlined in the system management section below. You are required to notify all persons whose information may be disclosed if your system is compromised and you have unencrypted high-risk personal non-public information stored on it. Verify all requests for personal non-public information from unfamiliar persons. Social engineering is the use of subterfuge to gain access to confidential data. Never send or confirm personal non-public information over the phone or by email, even if the requesting party provides it.
Unless your department has designated someone else to manage your personal computer/workstation, you are its system administrator. As a system administrator, you are responsible for safeguarding your computer’s stored information and for keeping it safe from unauthorized users and processes (e.g., worms, bots, viruses, etc.). You may also be responsible for a departmental server, computing site, or subnet. System administrator responsibilities can range from a single laptop or office PC to a multi-processor server.
Each system you administer is most likely connected directly to the Internet via the University’s network. The University does not selectively monitor, filter, or block information passing over its network to maintain the highest support for free and unimpeded exchange of scholarly information. With that freedom comes the responsibility to protect confidential University information against the inherent risks of being connected to a high-speed, open network.
Security management basics
- Learn how to properly secure your system and its stored data (permanently attached and removable media) from unauthorized modification, destruction, or disclosure. An insecure system is vulnerable to being compromised, and then used remotely to attack other machines. By keeping your system free from hackers, you are also preventing possible accusations against yourself and the University.
- Keep your operating system up to date by configuring your system to automatically download and install patches. As the administrator of your personal computer or server, you are responsible for protecting it by keeping it up to date. Vendors, including Microsoft, routinely release security and other critical patches free of charge when vulnerabilities are discovered. Microsoft NEVER sends patches by email. Beware of email claiming to be from Microsoft with attached Windows patches (See How to Tell if a Microsoft Security-Related Message is Genuine). Microsoft does provide an email alert service informing subscribers when security update announcements are released.
- Use current anti-virus software at all times, especially to scan email attachments. Information Technologies requires McAfee anti-virus software for PCs and Macintoshes. The University has a site license for McAfee anti-virus software that can be downloaded free of charge.
- Use a firewall to protect your computer from unwanted, malicious probes by other systems. It’s like locking your doors at night to keep someone from just walking into your home. A new, unprotected computer can be infected within seconds of being connected to the Internet, but turning on a firewall first can protect it while updates and current virus protection are obtained over the Internet.
- Electronic communications (e.g., POP or IMAP email, Web files, login sessions, and wireless) are not routinely encrypted over the University network or when working from home. The University's recommended Webmail service is encrypted automatically. Although the probability of an Internet e-communication being intercepted (and falling into the wrong hands) is small, sensitive communications and documents (e.g., those containing personal non-public information such as Social Security numbers, credit card numbers, academic records, and especially your passwords) should not be sent over the Internet without being encrypted. Recommended encryption protocols are described in more detail in Security 101. Contact the IT Support Center at (302) 831-6000 for more information about using encrypted protocols to secure electronic communications.
- Encrypt files containing personal non-public information. If the computer or removable media is compromised or stolen, the encrypted information will be unusable in the perpetrator’s hands. Contact the IT Support Center at (302) 831-6000 for more information on encryption software.
- The risk to sensitive information stored on a computer increases as its exposure to people, other computers, and the range of duties assigned to it increases. The number of users, both inside and outside the University, connections to other computers including Web surfing, and the types of applications running (e.g., databases and Web browsers) all must be considered when assessing whether a system is configured to adequately safeguard the information it contains. Be cautious of freeware and shareware, as these programs can introduce processes that compromise your system's security. Peer-to-peer applications can be especially dangerous if personal or confidential information resides on the system. These applications can inadvertently disclose sensitive, personal, or confidential information residing on the host system to anyone who finds it via a simple query. Peer-to-peer applications should not be installed on any system containing personal non-public information (PNPI).
- Choose passwords that are not easily guessed for your computer accounts, including the administrator accounts on your PC. Secure passwords are combinations of letters and numbers or special characters; the longer the better. Commit them to memory and never write them down or tell them to anyone. If you tell someone your password or PIN, you are potentially giving that person access to information that was entrusted specifically to you. If you write down your password or PIN, choose a password that is easy to guess, or transmit it in clear text when you log on from the office or from home, you run the same risk. To encrypt your password or PIN and all other information sent to, or received from, University systems, you should use an SSH terminal client. Contact the IT Support Center at (302) 831-6000 for more information about using SSH to encrypt your computing sessions.
- Email messages may be stored as files on centrally administered storage. The email messages you send become the possession of the receiver and can easily be re-distributed or seen by others. In this sense, they are not private. They are unlike face-to-face or unrecorded telephone conversations in this regard. When the confidentiality of a message is of the utmost importance, only a person-to-person conversation may be sufficiently secure.
- Log off your computer when you leave your desk, or set it up to require a password after a pre-set amount of inactivity. Keep information displayed on your screen confidential, just as you would keep confidential printed material on your desk or in your files away from wandering glances.
Other best practices
- Destroy sensitive, confidential, or non-public information before disposing of the media on which it is stored. Otherwise, you subject the information on hard drives, USB flash drives, CDs, paper forms, reports, etc., to unauthorized disclosure. Shred paper reports and forms that contain confidential or sensitive information, and render CDs you no longer need unreadable before disposing of them. Also be sure to scrub the internal disk drive(s) of obsolete computers before you send them to surplus. Simply deleting the files does not completely remove them from the hard drive; deleted files can be easily recovered with common utilities. For advanced users, the DBAN Disk Wipe Utility can be used. Call the IT Support Center at (302) 831-6000 for assistance if you are unsure of how to completely remove data from your hard drive before you surplus your computer.
- The Disposal Rule of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports to protect against "unauthorized access to or use of the information." For example, if consumer information about students or their parents is used as part of the financial aid process, the rule would apply. It would also apply to consumer information used in the applicant hiring process. Similarly, if your department uses consumer information to establish accounts for any service, this rule would apply. There are many other instances where this information may be obtained and used on our campus, and it is important for each department to be aware of these rules and to be in compliance.
- As an aid to better understanding responsible computing practices, all departments that own or lease computing equipment are encouraged to develop "Conditions of Use" or "Guidelines for Responsible Computing" documentation for all systems that they operate and to make these documents available to users. These documents should be consistent with the Policy for Responsible Computing at the University of Delaware and should be approved by the department's administrative officer or other individual designated by that administrative officer.
- Back up your data regularly and know how to restore it. Several generations of backups are recommended. Backups must be available, so store them where others know where they are and can access them. University Archives can offer assistance.
- Lock copies of your data on removable media or printed reports in your desk or a fire-resistant cabinet. Portable USB flash drives and other compact storage technologies have enough capacity to back up enormous amounts of institutional data. Highly sensitive or confidential institutional data stored on removable media must be encrypted.
- Your electronic data files are subject to the same records retention requirements as paper records. Consult with University Archives to make certain your electronic records are included in your Records Retention program.
- Routinely delete email messages that do not need to be saved.
- Ensure that all software license agreements are in place.
- Grant access to users on a need-to-know basis, and remove access and user profiles when they are no longer needed.
For additional assistance with managing your system, contact your department's CITA or call the IT Support Center at (302) 831-6000.
Employees are expected to be responsible in their use of computing resources in accordance with the University of Delaware mission and in compliance with its policies and all applicable laws and regulations. This principle is the basis for the following general acceptable use guidelines:
- Be considerate of other users. Do not run processes or engage in network activity that denies others the use of shared resources.
- Respect the integrity of the University network. Improperly configured or inappropriate processes running on your system can have a destabilizing effect on the network. The University reserves the right to constrain and remove applications, services or improperly configured systems which may be negatively impacting network performance.
- Respect the intellectual property rights of others. See Copyright: Your Rights and Responsibilities for more information.
- Abide by the principles of decency, fairness, and respect for the rights of others—e.g., the right to privacy and confidentiality.
University policies prohibit certain activities:
- Using University computing resources for non-University commercial activities, fund-raising, partisan political purposes, or on behalf of organizations not affiliated with the University. The State-created University Charter prohibits the Management of the University from acting to benefit any party, sect, or denomination. Employees may choose to participate in any of the above activities but cannot use University resources to support their personal activities.
- Using any University computer, facility, equipment, software, network or other resource including email without authorization or for any activity other than that for which access or use was assigned or authorized.
- Sending chain letters, pyramid scheme messages, spam, or engaging in any behavior that wastes resources or is disruptive to the network.
- Sending sexually explicit, offensive, demeaning, insulting, or intimidating e-communications, ethnic or racial slurs or anything that harasses or disparages others. Sending such messages is grounds for disciplinary actions, including termination.
- Violating copyright, trademark, or other laws or regulations in sending e-communications, publishing Web pages, or posting to newsgroups and discussion lists.
- Using University of Delaware institutional mail lists without appropriate authorization.
- Intentional, unauthorized access to or interception of information or e-communications. The ability to access information or intercept e-communications does not inherently include authorization to do so.
- Altering, destroying, or forging e-communications or intentionally compromising the integrity of the network.
The University's Policy for Employees' Use of Electronic Communications (No. 1-19) establishes the applicability of existing University policies and federal, state, and local law to electronic communications, including requirements for good electronic citizenship and expectations for privacy. Generally, the University will not make any efforts to monitor e-communications except when required by law or to investigate a policy infraction. If you haven't already, you need to become familiar with these current policies and indicate your understanding and compliance with them at Understanding of Employee Computing Responsibilities and Notice of Monitoring.
At the University of Delaware, electronic mail (email) and the University's Web sites offer efficient, cost-effective communication between members of the University community. In fact, email is
- An official communication channel for University departments and employees;
- An official communication channel between the University (departments, faculty, and staff) and its students.
As a result, every employee must
- Have an account on the University's central mail server (udel.edu);
- Be responsible for receiving and reading any official communication sent to his or her "udel.edu" account.
Therefore, every employee must do the following:
- Read your email in a timely fashion.
- If you choose to use software to sort your incoming email into folders or to filter out unsolicited advertising email (spam), you are responsible for making sure that your filter rules do not accidentally delete official University correspondence.
- If you choose to forward your email from udel.edu to another email server—either to a departmental server or to an off-campus ISP's server—you are responsible for making sure that your email forwarding is working so that you can continue to receive and read your University email in a timely fashion.
If your department sends email that might be construed as commercial (i.e., a commercial advertisement or promotion of a commercial product or service) you might be subject to the 2003 CAN-SPAM Act. Any commercial email must include the following information:
- Identification of the email as an advertisement from your University department or group. Make it clear that it is coming from a sub-part of the University and not the University as a whole;
- A valid postal address for your department;
- Accurate identification of the sender in the "From" line of the email;
- A subject line that is consistent with the email's message;
- Instructions to opt-out of future emails from your University department or group.
This information can appear anywhere in the email. An easy way to meet these requirements without re-writing your communication is to attach a standard signature block at the bottom of the email.
Additionally, the opt-out mechanism and opt-out requests must meet the following requirements:
- The opt-out mechanism can be a return email address or a Web site;
- It must be able to process opt-outs for 30 days after the commercial email was transmitted;
- Opt-out requests must be honored within 10 days after receipt and are effective indefinitely;
- Recipients' email addresses cannot be disclosed to a third party.
For more information see the FTC Web site.
The Federal Communications Commission (FCC) is responsible for enforcing the Junk Fax Prevention Act, which was signed into law July 9, 2005 (S. 714). The FCC's rules barring unsolicited facsimile advertisements, subject to certain exemptions, took effect August 1, 2006. Facsimiles that advertise the availability or quality of any property, goods, or services cannot be legally sent unless the recipient has given prior express invitation or permission, or there is an established business relationship (EBR) between the sender and recipient. An EBR customer can receive facsimile advertisements if one or more conditions are met (e.g., if the customer provides the fax number on an application or other form, or if it is published in a directory without noting that unsolicited facsimiles are not accepted).
Also, the FCC's rules require that facsimile advertisements include contact information that allows recipients to opt out of future faxes from the sender. Valid opt-out requests must be honored within the shortest reasonable time from receipt, not to exceed 30 days.
These commercial communication rules may apply to activities in your department. Consider the types of communications you send outside the University and determine whether they are governed by these two laws, for example:
- Alumni or student membership renewals,
- Ticket sales for athletic or performing arts events,
- Solicitations for printed advertising space, and
- Advertisements for courses, seminars, and conferences.
For more information see the FCC Web site.
From the 1987 EDUCOM Code for Software and Intellectual Rights:
Respect for intellectual labor and creativity is vital to academic discourse and enterprise. This principle applies to works of all authors and publishers in all media. It encompasses respect for the right to acknowledgment, right to privacy and right to determine the form, manner and terms of publication and distribution.
Because electronic information is volatile and easily reproduced, respect for the work and personal expression of others is especially critical in computer environments. Violations of authorial integrity, including plagiarism, invasion of privacy, unauthorized access, and trade secret and copyright violations, may be grounds for sanctions against members of the academic community.
These principles still hold true. However, in today’s rapidly changing technological environment, higher education institutions increasingly find themselves at the center of the ongoing digital copyright debate which seeks to balance the rights of copyright holders with users of creative works. Copyright law sets the rules for who can make copies of creative works (versus facts and ideas), and how they can be used. Examples of intellectual property include books, movies, manuscripts, audio recordings, pictures, and software.
It is essential that all members of the University community understand their rights and responsibilities regarding copyright laws. University policy and copyright laws prohibit the unauthorized use, transmission, copying and storing of copyrighted works. However, the University encourages the use of electronically transmitted information within the "Fair Use" guidelines of the copyright law or with the permission of the author.
The 1998 Digital Millennium Copyright Act (DMCA) amended Title 17 of the United States Code in anticipation of the World Intellectual Property Organization (WIPO) Copyright Treaty. The DMCA set forth legal provisions for fair use in a digital environment, circumvention of technical protection measures, and other copyright issues pertinent to digital environments. The 2001 Technology, Education, and Copyright Harmonization (TEACH) Act extended digital fair use provisions by allowing accredited non-profit educational institutions to provide copyrighted materials to students enrolled in "mediated instructional activities" (e.g., distance education) under limited circumstances via the Internet without obtaining permission from copyright holders. The rights embodied in the TEACH Act are contingent upon "reasonable" technological protection measures (e.g., restricting access to the enrolled class roster via passwords, making materials available for a limited duration, notifying students that the materials are subject to copyright restrictions, etc.) to prevent the unauthorized re-distribution and/or retention of copyrighted materials, and other requirements.
Resources for learning more about copyright law and how it affects you can be found at the following locations:
- The University of Delaware Library Copyright Subject Guide contains an extensive list of copyright resources.
- The Center for Teaching and Learning can assist with navigating digital copyright issues in curriculum.