Handbook of Operating Procedures
Chapter 8 - Facilities and University Services
Publication Date: May 10, 2016
Responsible Executive: VP for Academic Affairs


8.15 Acceptable Use Policy


I. POLICY STATEMENT


The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its mission. The UTSA Office of Information Security (OIS) and the Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure university computing environment. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the Data and Information Resources used to carry out UTSA business.

This policy is in place to protect these resources in accordance with state law, The University of Texas System (UT System) Regents’ Rules, and UT System policies, and to ensure UTSA can fulfill its duties and mission.

II. RATIONALE


UTSA has a responsibility to provide computing resources to the UTSA community and to ensure these resources are protected in accordance with state law and UT System Regents’ Rules and Regulations.

This policy ensures that all personnel seeking to access UTSA computing resources are aware of the duties and responsibilities in place to protect UTSA Information Resources.


III. SCOPE


All individuals granted access to or use of UTSA Information Resources must be aware of and agree to abide by the acceptable use requirements set out in this policy.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter8/8-15.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


UTSA or UT System Policies or the Board of Regents' Rules & Regulations

  1. UT System Policy UTS165, UT System Information Resources Use and Security Policy
  2. UT System Policy INT124, Information Resources Acceptable Use and Security Policy
  3. UT System Policy UTS178, Required Reporting of Significant Events 

Other Policies & Standards

  1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C

VI. CONTACTS


If you have any questions about HOP policy 8.15, Acceptable Use Policy, contact one of the following offices: 

Office of Information Security
210-458-4555
informationsecurity@utsa.edu

Office of Information Technology
210-458-4555
oitconnect@utsa.edu


VII. DEFINITIONS


A full list of definitions related to Information Resources Acceptable Use can be found in UT System Policy UTS 165, Information Resources Use and Security Policy.

Backup: Copy of files and applications made to avoid loss of Data and facilitate recovery in the event of a system failure.

Confidential Data: Data that is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state and federal laws. See also “Category I” data in the definition of Data Classification.

Data: Information which is recorded, regardless of form or media, that is used to support the business of the university, whether in an administrative or research capacity. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images) or other format.

Data Classification: At UTSA, Data is classified as Category I (confidential), Category II (controlled) or Category III (published/public data), with each category subject to its own protection requirements and processes.  More information, including definitions, protection requirements and examples of Data can be found in the Standard for Data Classification.

Data Custodian: An employee who is responsible for day-to-day maintenance of UTSA Information Resources. In some instances, this responsibility is assigned to a third-party vendor or OIT.  

Data Owner: The manager or agent responsible for the business function supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program using the Information Resources. 

Information Resources (IR): The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.

Information Security Officer (ISO): Staff member responsible for providing and administering the overall information security program for all centrally maintained and all distributed systems and computer equipment.

Information System: An interconnected set of Information Resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, information, Data, applications, communications and people.

Local Computer Administrator Account: A User account where the User has special access privileges to their or other staff’s university-owned computers. Generally this type of access allows the User to install software on that machine without having to contact OIT.

Mission-critical Information Resource: An information resource defined by an entity to be essential to that entity's function and that, if made unavailable, will inflict substantial harm to the entity and the entity's ability to meet its instructional, research, patient care or public service missions.  More information, including a list of systems identified as "mission-critical" can be found in the Standard for Data Owners.

Personally Identifiable Information (PII): Any information that uniquely identifies a person. For IT purposes, this most often refers to demographic Data, User IDs, passphrases and other credentials.

Server: A computer system that provides shared resources on the network (for example, web server, print server, file server).

User: An individual who is authorized by the Data or Information Owner to access the Information Resource, in accordance with the Data Owner's procedures and rules. The User is any person who has been authorized by the Data Owner to read, enter, or update that information whether done individually or through facilitation or responsibility for an automated application or process. The User is the single most effective control for providing adequate security.


VIII. RESPONSIBILITIES


  1. Information Security Officer (ISO)
    1. Reviews the Acceptable Use Policy annually to ensure consistency with all applicable rules, regulations, and federal/state/local laws.
    2. Reviews and approves the contents of compliance training related to Acceptable Use Policy.
  2. Office of Institutional Compliance and Risk Services
    1. Ensures the materials and acknowledgements are included and recorded during the course of the compliance training.
  3. Data Owner
    1. Establishes controls to provide security and authorizes access to the Information Resource.
    2. In the event that the Data Owner is also the User, then the Data Owner is also responsible for compliance with User responsibilities as specified below.
  4. User
    1. Reviews and acknowledges their understanding and acceptance of the Acceptable Use Policy during the compliance training process.
    2. Complies with all applicable procedures as specified in this policy.
    3. Uses the Information Resource only for the purpose specified by the Data Owner.
    4. Complies with controls established by the Data Owner.
    5. Prevents any prohibited disclosure of Category I or Category II data. This Data may be disclosed pursuant to a court order or other legal finding.

IX. PROCEDURES


All Users seeking to access UTSA computing resources must be aware of the duties and responsibilities that are in place to protect the University’s Information Resources.

UTSA’s Acceptable Use Policy is derived directly from UT System’s Acceptable Use Policy found in policy INT124.

  1. Acknowledgement of Acceptable Use Policy
    1. Each User, during the normal compliance training process, reviews and acknowledges their understanding and acceptance of the Acceptable Use Policy.
  2. General
    1. UTSA Information Resources are provided for the purpose of conducting the business of UTSA. However, Users are permitted to use UTSA Information Resources for use that is incidental to the User’s official duties to UTSA (Incidental Use) as permitted by this policy.
    2. Users have no expectation of privacy regarding any UTSA Data residing on University owned computers, servers, or other information resources owned by, or held on behalf of, the University. UTSA may access and monitor its Information Resources for any purpose consistent with the University’s duties and/or mission without notice.
    3. Users have no expectation of privacy regarding any UTSA Data residing on personally owned devices, regardless of why the Data was placed on the personal device.
    4. All Users must comply with applicable UTSA and UT System Information Resources Use and Security policies at all times.
    5. Users shall never use UTSA Information Resources to deprive access to individuals otherwise entitled to access University Information; to circumvent University computer security measures; or in any way that is contrary to the University’s mission(s) or applicable law.
    6. Use of UTSA Information Resources to intentionally access, create, store, or transmit sexually explicit materials is prohibited unless such use is required as part of the User’s official duties as an employee of UTSA and is approved in writing by the president or a specific designee. Viewing, access to, or storage or transmission of sexually explicit materials as Incidental Use is prohibited.
    7. Users must clearly convey that the contents of any email messages or social media posts that are the result of Incidental Use are not provided on behalf of UTSA and do not express the opinion or position of the University. An example of an adequate disclaimer is: "The opinions expressed are my own, and not necessarily those of my employer, The University of Texas at San Antonio."
    8. Users should report misuse of UTSA Information Resources or violations of this policy to their supervisors.
  3. Confidentiality & Security of Data
    1. Users shall access UTSA Data only to conduct University business and only as permitted by applicable confidentiality and privacy laws. Users must not attempt to access Data on systems they are not expressly authorized to access. Users shall maintain all records containing UTSA Data in accordance with the University’s Records Retention Policy and Records Management Guidelines.
    2. Users shall not disclose Confidential Data except as permitted or required by law and only as part of their official UTSA duties.
    3. Whenever feasible, Users shall store Confidential Information or other information essential to the mission of UTSA on a centrally managed Server, rather than a local hard drive or portable device.
    4. In cases when a User must create or store Confidential or essential University Data on a local hard drive or a portable device such as a laptop computer, tablet computer, or smart phone, the User must ensure the data is encrypted in accordance with UTSA’s, UT System’s and any other applicable requirements.
    5. The following UTSA Data must be encrypted during transmission over an unsecured network: Social Security Numbers; personally identifiable Medical and Medical Payment information; Driver’s License Numbers and other government issued identification numbers; Education Records subject to the Family Educational Rights & Privacy Act (FERPA); credit card or debit card numbers, plus any required code or PIN that would permit access to an individual’s financial accounts; bank routing numbers; and other UTSA Data about an individual likely to expose the individual to identity theft. Email sent to and received from UTSA and UT System institutions using University and/or UT System provided email accounts is automatically encrypted. The Office of Information Technology will provide tools and processes for Users to send encrypted data over unsecured networks to and from other locations. 
    6. Users who store UTSA Data using commercial cloud services must use services provided or sanctioned by the University, rather than personally obtained cloud services. 
    7. Users must not use security programs or utilities except as such programs are required to perform their official duties on behalf of UTSA.
    8. All computers connecting to a UTSA network must run security software prescribed by the Information Security Officer as necessary to properly secure University Resources. 
    9. Devices determined by UTSA to lack required security software or to otherwise pose a threat to UTSA Information Resources may be immediately disconnected by the University from a University network without notice.
  4. Email
    1. Emails sent or received by Users in the course of conducting UTSA business are University Data that are subject to state records retention and security requirements.
    2. Users are to use UTSA provided email accounts, rather than personal email accounts, for conducting University business.
    3. The following email activities are prohibited when using a UTSA provided email account:
      1. Sending an email under another individual's name or email address, except when authorized to do so by the owner of the email account for a work related purpose.
      2. Accessing the content of another User's email account except:
        1. As part of an authorized investigation;
        2. As part of an approved monitoring process; or
        3. For other purposes specifically associated with the User's official duties on behalf of UTSA.
      3. Sending or forwarding any email that is suspected by the User to contain computer viruses.
      4. Any Incidental Use prohibited by this policy.
      5. Any use prohibited by applicable UTSA policy.
  5. Incidental Use of Information Resources
    1. Incidental Use of UTSA Information Resources must not interfere with a User’s performance of official University business, result in direct costs to the University, expose the University to unnecessary risks, or violate applicable laws or other UTSA or UT System policy.
    2. Users must understand that they have no expectation of privacy in any personal information stored by a User on a UTSA Information Resource, including University email accounts.
    3. A User's incidental personal use of Information Resources does not extend to the User’s family members or others regardless of where the Information Resource is physically located.
    4. Incidental Use to conduct or promote the User’s outside employment, including self-employment, is prohibited.
    5. Incidental Use for purposes of political lobbying or campaigning is prohibited.
    6. Storage of any email messages, voice messages, files, or documents created as Incidental Use by a User must be nominal (less than 5% of a User's allocated mailbox space).
    7. Files not related to UTSA business may not be stored on network file servers.
  6. Additional Requirements for Portable and Remote Computing
    1. All electronic devices including personal computers, smart phones or other devices used to access, create or store UTSA Information Resources, including email, must be password protected in accordance with UTSA requirements, and passwords must be changed whenever there is suspicion that the password has been compromised.
    2. UTSA Data created or stored on a User’s personal computers, smart phones or other devices, or in data bases that are not part of UTSA’s Information Resources are subject to Public Information Requests, subpoenas, court orders, litigation holds, discovery requests and other requirements applicable to UTSA Information Resources.
    3. UTSA issued mobile computing devices must be encrypted.
    4. Any personally owned computing devices on which Confidential UTSA Data is stored or created must be encrypted.
    5. UTSA Data created and/or stored on personal computers, other devices and/or non-University data bases should be transferred to UTSA Information Resources as soon as feasible. 
    6. Unattended portable computers, smart phones and other computing devices must be physically secured.
    7. All remote access to networks owned or managed by UTSA or UT System must be accomplished using a remote access method approved by UTSA or UT System, as applicable.
  7. Password Management
    1. UTSA issued or required passwords, including digital certificate passwords, Personal Identification Numbers (PIN), Digital Certificates, Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes shall be maintained securely and shall not be shared or disclosed to anyone.
    2. Each User is responsible for all activities conducted using the User’s password or other credentials. 

    Additional information is available in the Standard for Acceptable Use.


X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


Classifying your Data: Data Classification Examples


XII. APPENDIX


None