Responsible Use of Information Technology and Electronic Communications
This policy governs the proper use and management of all computing and network resources of The Citadel. This policy applies to all users of college computing resources, whether affiliated with the college or not, and whether on campus or from remote locations.
The Citadel's computing resources include, but are not limited to, computers, computer systems, networks, electronic and mobile communications systems, telephone and data systems, internet connections, software, and related hardware and infrastructure that are owned, leased, acquired, developed or maintained by the college (“computing resources”). The Citadel provides these resources to support the college’s mission; instruction, academics, scholarship, research and service; administrative functions; student and campus life activities; and the free exchange of ideas among members of the college community and between the college and the wider local, national, and world communities.
The right of academic freedom applies to the use of college computing resources. So, too, however, do the responsibilities and limitations associated with that right. The use of college computing resources is a revocable privilege. The use of college computing resources, like the use of any other college resource or activity, is subject to the normal requirements of legal, ethical, authorized and appropriate behavior. Users must abide by all applicable restrictions, whether or not they are integrated into the computing resources and whether or not they can be circumvented by technical means.
Users, including college employees and students, should understand that their expectations of privacy and ownership in their use of college computing resources are limited and may be unfounded. The college, including the General Counsel and the Director of Information Technology Services (see “Security and Privacy” below), will engage in activities authorized by this policy with due and careful regard for the interests of college employees and students in academic freedom, privacy, and employee or student proprietary information.
All members of The Citadel community must use information technology and electronic communications in a responsible manner and in compliance with College Regulations and applicable state or federal laws. Information Technology Services (ITS), on behalf of the college, may restrict the use of its computers and network systems in response to complaints presenting evidence of violations of college policies or codes, or state or federal laws. Specifically, the college reserves the right to limit access to its networks through college-owned or other computers, and to remove or limit access to information contained in college-owned systems, in addition to imposing any of the penalties stated below.
Examples of behavior in violation of this policy include, but are not limited to, use of electronic communications to:
- harass, threaten, or otherwise cause harm to a specific individual(s) or classes of individuals;
- impede or interfere with the activities of others;
download or post to college computers, or transport across college networks, material that is illegal, proprietary, in violation of college contractual agreements, or otherwise is damaging to the institution;
- propagate electronic chain mail;
- send, post, view, or reply to indecent, obscene, pornographic, offensive, threatening, harassing, libelous, slanderous or fraudulent content, or content that is otherwise a violation of state or federal law.
Other examples of policy violation include:
- deliberate circumvention of network or system access control mechanisms;
- use of a username and password assigned to another individual in order to gain that person’s access rights or to masquerade as that individual;
- unauthorized exposure or careless handling of confidential, privileged or private information;
- unauthorized alteration or deletion of information stored on college computers;
- use of unlicensed or illegally obtained software.
From time to time, Information Technology Services will institute policies and procedures intended to protect the college’s network and systems from inappropriate use or disruption. Violations of these policies or failure to follow these procedures also constitute a violation of the overarching Responsible Use policy and include:
- without prior permission from Information Technology Services (ITS), uninstalling, failing to install, or otherwise disabling software required by ITS to protect its systems from the propagation of viruses, worms, malware or spyware;
- connection of communications devices such as modems, hubs, routers and switches, network monitoring tools such as sniffers and port scanners, and provision of services which may only be provided by ITS such as DNS, VPN and DHCP servers.
Depending on the seriousness of the offense, violation of the above rules may result in the temporary or permanent loss of access to The Citadel's computing and network resources; suspension, dismissal, or expulsion from the college (for students); suspension or termination of employment (for faculty and staff); and other disciplinary or legal actions.
Questions concerning policies and procedures relating directly to the use of information technology resources and requests for exceptions should be sent to the Director of Information Technology Services.
- Computer Security
- Access to Electronic Mail Services
- Appropriate Use of Mass Electronic Mail
- Information Privacy
The computing resources at The Citadel include centrally located server systems and desktop, laptop, and handheld devices. Although most of the systems centrally managed are reasonably secure, installation and monitoring of detection and protection systems is both expensive and increasingly time consuming. Individual desktops, laptops, and handheld devices are even less secure.
The college employs various measures to protect the security of its computing resources and of users’ accounts. However, the college cannot and does not guarantee the security of its computing resources, or of personal information located on any college owned or personally owned device. Therefore, The Citadel expects all users to take certain basic security steps to enable their computer to run smoothly and safely on The Citadel’s Network. These steps are not a guarantee that individual computers or the college’s computing system will not be compromised, but serve to make individual computers and the system a less inviting target to malicious persons.
Users are expected to engage in “safe computing” practices by establishing appropriate access restrictions for their accounts, guarding their passwords, and changing their passwords regularly. Also, users should ensure the installation of anti-virus software and appropriate updates for personally-owned computers connecting to the college’s network and computers.
Failure to employ these procedures may result in disconnection of the user’s computer from the Citadel network, suspension of the user’s network account and referral to the appropriate supervisor or disciplinary body.
Access to Electronic Mail Services
Information Technology Services (ITS) provides electronic mail services to the Citadel community. These services are provided for official college business.
Viruses and worms most often find their way into networks such as that provided by The Citadel through electronic mail messages that carry infected attachments or which contain links to Internet sites that will inject malicious code into the unsuspecting user’s computer. Once infected, that computer may, in turn, infect other computers through the electronic mail system and, potentially, reveal confidential information. All mail destined for electronic mail servers maintained by ITS is scanned for spam, phishing attempts, viruses and malicious code. ITS has no control over mail services provided by others.
- Inbound mail delivery to servers other than those maintained by ITS will not be permitted.
- Mail clients connected to The Citadel network are not permitted to connect directly to external mail servers for the purpose of sending mail. This policy restriction does not apply to web browser access to external mail services. (See Procedure #3, below.)
- Users connecting to outside mail services must ensure that their computer has all the necessary security patches and up-to-date anti-virus software, and take care when opening attachments or following links to external sites.
- Use of outside mail services is subject to the same policies, procedures and regulations that apply to the use of The Citadel's systems.
- Electronic mail clients (such as Outlook, Outlook Express and Mozilla Thunderbird) configured to send mail through external mail servers will be blocked at the college’s firewall.
- All mail servers located on The Citadel campus that directly send mail to, or receive mail from outside the campus network must be authorized and administered by ITS. All others will be blocked at the firewall.
- Connection via a web browser to external mail services (such as Gmail, Hotmail, Yahoo Mail) is subject to all institutional as well as departmental policies and procedures. Any "private" information obtained through such connection is subject to the same scrutiny as institutional information.
Any attempt to circumvent these policies or careless use of electronic mail systems may result in disconnection of the user’s computer from the Citadel network, suspension of the user’s network account and referral to the appropriate supervisor or disciplinary body.
Appropriate Use of Mass Electronic Mail
Excessive use of campus-wide distribution lists intended for urgent communications can sometimes overwhelm the campus mail systems and impede or interfere with the activities of others. Such use is, therefore, in violation of Citadel policy, “Responsible Use of Information Technology and Electronic Communications.”
- Mass emails to members of The Citadel community must be sent in accordance with the procedures outlined below.
- Initiation of or participation in chain emails (ones which instruct the recipient to forward the message to a large number of people, no matter how noble the cause) is not only a violation of the Responsible Use policy, but also a violation of the Terms and Conditions of most Internet Service Providers.
- Any communication intended for mass distribution to The Citadel community or one of its subsets must be sent via one of the sanctioned email distribution lists: Phoebe, Chloe, and Delilah. These messages are collected, consolidated and sent out to the appropriate list on a daily basis. Specific information on use of these distribution lists may be found on the Citadel computing home page.
- Information Technology Services (ITS) also provides distribution lists for urgent communications which warrant individual and immediate distribution. While there is no technical limitation as to who may send mail to these lists, their use for non urgent communications is a violation of Citadel policy. Examples of appropriate use of "urgent" distribution lists include communications that: deal with a life safety issue; require immediate attention on the part of the recipients and apply to a significant number of the recipients; are essential to the conducting of Citadel business and cannot wait until the next day for delivery. Examples of inappropriate use of "urgent" distribution lists include communications that: announce events that take place in the future and can wait until overnight delivery; are not of general interest to the intended recipients.
- Messages intended for mass distribution should be checked for accuracy before sending. Repeated sending of “urgent” messages to correct errors in date or time are annoying and can also disrupt delivery of other electronic mail.
Any complaints about inappropriate use of distribution lists or chain emails should be sent to the sender’s supervisor or department head.
The Citadel does not routinely monitor individual usage of its computing resources or the privately owned computing devices used to access The Citadel network beyond the back up and caching of data and communications required in the normal operation and maintenance of the College’s computing resources. When there is sufficient justification to do so (upon the occurrence of certain events for example), the College may access and / or monitor the accounts of specific individual users of college computing resources. To enhance the security of its computing resources, The Citadel has adopted the following policy.
The Citadel follows standard, widely accepted computer operation and data security procedures that include the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other similar activities. The Citadel does not consider these normal operations an invasion of individual privacy and carries out these operations routinely without notification. When there is reasonable cause to do so, the College may, without notice, access and monitor the accounts of individual users of college computing resources, including individual login sessions and communications. Furthermore, when the College “reasonably anticipates” litigation, through the receipt of notification or other information identifying the possibility of a lawsuit or upon the actual service of a summons and complaint (“notification”), the College must take actions to preserve all electronically stored information that may be relevant to the claim.
Procedures - General
- The college may, without notice, access and monitor the accounts and equipment of individual users of college computing resources, including individual login sessions and communications when there is reasonable cause to do so. Such causes include, but are not limited to the following:
- the user has voluntarily made them accessible to the public, as by posting to the College’s website or any webpage, whether affiliated with the College or not;
- it reasonably appears necessary to do so to protect the integrity, security, or operation of college or other computing resources or to protect the College from liability;
- an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns;
- it reasonably appears that the account could have a detrimental impact on the operation of the College or the safety of faculty, staff, or students;
- it reasonably appears necessary to do so as part of an audit conducted internally at the College or by outside auditors or governmental agencies; or
- it is otherwise required by law.
- Any access or monitoring of accounts and equipment, other than that specified in part 1.1 (above) or required in response to perceived emergency situations, must be authorized in advance by the Director of Information Technology Services or his designee and General Counsel, following consultation with appropriate College officials.
- The college will maintain documentation of the authorizations to access or monitor individual user activity or information stating the purposes for which authorization is given. Activities associated with accessing, monitoring, and investigating users’ activity and information shall be limited to the purposes for which such College and/or third party activity is authorized.
- When the contents of a current employee’s or student’s College owned computer or communications associated with an individual’s College computing account are accessed or monitored under this policy, the individual will be notified as soon as practicable that the access or monitoring occurred, provided the notification is permitted by law and will not interfere with any investigation by the College or other outside agency. Notification is not required when the access or monitoring was conducted under part 1.1..
- The College, in its discretion, may disclose the results of any such general or individual access or monitoring, including the contents and records of individual communications, to appropriate College personnel or law enforcement agencies and may use those results in appropriate College disciplinary processes.
- On an annual basis, General Counsel and the Director of Information Technology Services shall provide a report to the President regarding: the number of times the authorization required by this policy was requested to monitor the accounts of group or individual users of College computing resources; the number of times such authorization was given; and a general description of the purposes for requests and authorizations. The report shall be made in a manner that does not directly or indirectly identify the individual users involved or reveal any confidential or private information.
Procedures - Before and During Litigation
Pre-Litigation Data Retention: When the College “reasonably anticipates” litigation, through the receipt of notification or other information identifying the possibility of a lawsuit or upon the actual service of a summons and complaint (“notification”):
- As soon as practicable after notification, the General Counsel (GC) will notify the Director of Information Technology Services (DITS) of a new potential or actual claim and provide parameters for the information to be preserved. These parameters will be based on the known relevant parties and witnesses (i.e., those who may control or possession or potentially relevant data), the departments of the college which are involved, and the timeframe of the incident or incidents alleged.
- DITS will take immediate steps to preserve all data held by central services (mail, calendar, etc.).
- As soon as practicable, the GC and the DITS will meet to discuss the case and develop an initial course of action. Together they will:
- Identify the set of data that must be preserved;
- Discuss mechanisms, process and other circumstances that may be particular to the specific lawsuit; and
- Prepare individual and department questionnaires for use by college personnel to identify the location of electronic and paper data implicated by the threatened or potential lawsuit.
- The GC and DITS, or his designee, will meet with local representatives to discuss immediate needs, identify data unique to the local department, and create a plan to preserve all required data (and to reiterate need to preserve “paper” data as well).
- DITS will send out end user questionnaires to all affected individuals for completion and return to DITS so that DITS can identify all potential locations of data.
- DITS will work with the individual departments (involving HR as appropriate) to implement preservation
- The GC will send specific information handling instructions to all affected individuals to ensure future data are appropriately preserved and easily retrievable. These instructions may provide that:
- All future documents created that may be relevant to the case be stored in a specific directory;
- All future mail correspondence be appropriately stored in a specific mail folder; and
- All systems used for future creation of data potentially relevant to a claim be backed up on a regular schedule by DITS.
- DITS will store all collected data centrally for future potential retrieval and discovery.
- Discovery: Discovery is the formal process by which parties exchange information after a lawsuit has been filed. Upon receipt of a discovery request for information and data pertaining to a lawsuit, the College must take action to develop and produce a response to this request. The General Counsel, in consultation with the Senior Staff, the DITS, and other college officials, serves as the lead college official for The Citadel's response to discovery requests. The Citadel's response may be to supply the requested information, attempt to obtain a modification of the request as to a different set of data or search terms, or to decline to provide some or all of the requested data based upon expense or some other basis. During the discovery phase:
- The GC will meet with DITS to discuss the specific requirements of discovery requests.
- If the college has previously prevserved information, as described in Paragraph 7, above, the DITS will determine whether the set of preserved data is sufficient to meet the requirements of the discovery request. DITS will also notify the GC of any extraordinary circumstances, costs of compliance, or other concerns.
- If DITS determines that the preserved data is not sufficient to meet the requirements of the discovery request, the GC and DITS will work to retrieve additional electronic data, whether from central or local data repositories.
- DITS will perform searches on the preserved data specific to the discovery requirements.
- DITS will supply the retrieved data to the GC.
- GC will review the retrieved data to determine legal relevance, privilege or other protected status, and will handle discovery.
Failure to adhere to these procedures can result in significant civil penalties to The Citadel. Therefore, individual failure to cooperate with these policies may result in one or more of the following:
- Exposure of the individual to civil liability,
- Disconnection of the user’s computer from the Citadel network,
- Suspension of the user’s network account, and
- Referral to the appropriate supervisor or disciplinary body