The Office of Information Technology - UTSA

Copyright (c) 2007. The University of Texas at San Antonio. All rights reserved.

Information Security Office

Office of Information Technology

Welcome to UTSA's Information Security web site. This site has been designed to provide students, faculty, staff, and computer professionals with the information and awareness needed to secure their systems and data.


The University of Texas at San Antonio

Information Resources Acceptable Use Policy

Computing and information technology resources at the University of Texas at San Antonio (UTSA), like all University resources, are dedicated to the support of the common mission of teaching, research, learning and community service. Shared use of and access to these resources requires legal and ethical behavior from all users. Just as a student is not permitted to play loud music or recite answers during a final exam, some activities on the UTSA network that are technically possible may nevertheless be prohibited. Protecting the integrity of UTSA’s shared information resources and preserving access to them is a community effort that requires each member to act responsibly and to guard against abuse. Both the University community as a whole and each individual user have an obligation to abide by the standards and best practices of the information security program, as outlined in this Policy and in the published standards, State and Federal laws and University of Texas Regents’ Rules.

This policy applies to all users of University computing and information technology resources, whether accessing those resources on campus or via remote connection. Additional policies may apply to specific computers, systems or networks.

General

Data Protection

Virus Protection

Confidential or Protected Information

Security

Decentralized Technical Resources

Passwords

Incidental Use of Information Resources

Internet Use

Portable and Remote Computing

Email

 

General

  • UTSA endeavors to provide a robust, technically current and secure computing environment for use by the University community, and will protect the valuable data within its academic, research and administrative computing facilities to the fullest extent.
  • Since UTSA information resources are financed by student tuition, tax dollars and research funds, they must not be used to conduct a personal business or be used for the exclusive benefit of individuals or organizations that are not part of the University of Texas System.  Any exceptions must be in support of University missions and will require the prior written approval of a University executive officer.
  • UTSA is committed to academic freedom, regardless of the medium of expression. However, obscene materials must not be intentionally accessed, created, stored or transmitted other than in the course of academic research where this aspect of the research has the explicit written approval of a University executive officer.

Data Protection

  • In order to protect the integrity of data created and used by faculty, students and staff, access to that data will be on a “need to know” basis.  Users of information systems must not attempt to access data or programs contained on systems for which they do not have proper authorization.
  • Critical UTSA data that is stored on computing devices, including office computers and portable devices, must be copied or backed up to a central network server.

Virus Protection

  • In order to protect data and computer equipment, all computers that connect to the UTSA network must be currently running virus prevention software (provided and updated at no cost through a University-wide site license).  Virus protection software must not be disabled or bypassed, except as required temporarily to install software or for other special circumstances. Computers found to be infected with a virus or other malicious code may be disconnected from the UTSA network until the malware is removed and the system can be safely returned to service.

Email

  • Members of the University community are encouraged to use e-mail for University-related activities and to facilitate the efficient exchange of useful information.  Access to e-mail is a privilege and certain responsibilities accompany that privilege. Users of e-mail are expected to be ethical and responsible in their actions.
  • Sensitive information, including but not limited to Social Security Numbers (SSNs), health information and credit card numbers may not be sent via e-mail.
  • Members of the UTSA community may engage in political lobbying, campaigning and other activities, but not during work hours (for employees) or with the use of State resources, including e-mail, except as permitted by the Regents' Rules and Regulations.
  • Users may not pose as anyone else or read another’s e-mail, except when properly authorized to do so.
  • E-mail users are expected to make efficient use of technology resources, especially avoiding wasteful and disruptive activities such as sending chain letters, very large files, broadcast messages or other unwanted material(s).
  • UTSA computer and technology resources must be protected from viruses, worms and other infections transmitted via e-mail. E-mail users may not send messages or use e-mail software that poses high security risks, including sending or forwarding e-mail that is likely to contain computer viruses or downloading Web-based e-mail from external e-mail systems that bypass UTSA e-mail filters.

Confidential or Protected Information

  • In accordance with federal laws (HIPAA and FERPA) all confidential or protected health or student academic information must be encrypted before being saved on system servers or transmitted over external networks, including commercial ISPs or wireless networks.  Confidential/protected information cannot be transmitted via e-mail.

Incidental Use of Information Resources

  • UTSA provides information technology resources to faculty, students and staff with which to conduct their University-related duties only. However, incidental personal use is permitted but is restricted to UTSA employees and does not extend to family members or other acquaintances. Any incidental personal use must not interfere with normal performance of duties and must not result in any direct costs to UTSA.
  • Storage of any non-work-related e-mail messages, voice messages, files and documents within the UTSA e-mail system must be negligible (less than 5% of a user's allocated mailbox space).
  • Non-work-related files may not be stored on network file servers.
  • As a public institution, UTSA is subject to the Texas Public Information Act, commonly referred to as the Open Records Act. Although there are some exceptions, in general all messages, files and documents - including personal messages, files and documents - stored on UTSA information technology equipment are owned in accordance with the Regents' Rules and Regulations, and may be subject to public information requests and may be accessed in accordance with this policy.

Internet Use

  • Network connections and software for accessing the Internet are provided to authorized UTSA students, staff and faculty members only for appropriate academic, research and business purposes.
  • Individual user activities and use of UTSA information technology resources may be monitored to ensure compliance with applicable laws and policies or to monitor network performance and maintenance activities.
  • To keep the University community focused on the core missions of education, research and service, commercial activities such as advertising are prohibited.

Portable and Remote Computing

  • To provide adequate safeguards and to prevent unauthorized access, all computers and portable computing devices accessing UTSA data or other information resources must be password protected. Passwords must use the “strong” password standards and must be changed annually or immediately if the password is suspected of having been compromised.
  • Employees accessing the UTSA network from a remote computer must adhere to all policies that apply to use from within UTSA facilities, including the use of current virus scanning software. All data transferred between the UTSA network and a remote computer must be encrypted. Use of SSL and VPN software is strongly recommended.
  • To prevent theft, unattended laptop computers and other portable computing devices must be kept physically secure at all times.
  • To protect UTSA data and technology resources, user accounts and access via remote computers may be disabled if that computer poses a potential threat due to a virus, cyber attack or other means. Once the computer has been restored to a safe condition, access will be reestablished.
  • To protect data against disaster or theft and to provide for recovery, critical UTSA data stored on portable computing devices must be backed up to a UTSA network server.

Decentralized Technical Resources

  • To provide specialized capabilities and services quickly and conveniently, some technical resources at UTSA may be operated and maintained by individual colleges or departments.
  • Decentralized technical resources may be connected to the University network if they are administered by qualified technical staff and if they adhere to established policies.
  • Faculty, students or staff who are designated administrators of decentralized technical resources are responsible for maintaining the appropriate security environment on their systems, including current virus scanning software and operating system security updates.
  • To protect UTSA data and technical resources, decentralized computers or servers will be disconnected from the University network if a threat is posed from that system by a virus, cyber attack or other means. The offending system may be reconnected once it has been restored to a safe condition.

Passwords

  • To protect UTSA’s technology resources and the work of its faculty, students and staff from unauthorized access, individual login identification user IDs and passwords are assigned. All users are required to use only their own personal ID and password and may not use group ID and password combinations or any other person’s ID and password. UTSA maintains records of system use based on login IDs and passwords, as required by Texas law and in accordance with industry best practices.
  • Individual users must reduce their risk and liability and not share with anyone (including family members) their UTSA account(s), passwords, Personal Identification Numbers (PINs), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes.
  • To maintain the integrity of UTSA systems, users must not circumvent password entry through use of auto logon, application “remember password” features, embedded scripts or hard-coded passwords in client software. Exceptions may be made for specific applications (like automated backup) with the approval of the UTSA Information Security Officer.

Security

  • Maintaining the integrity and security of the technology environment at UTSA is a community effort and serves to create a secure structure in which all may work with confidence. Users must report any incidents of possible misuse or violation of these policies to their supervisor, department head or the UTSA Information Security Officer (ISO). Any observed weakness in UTSA computer security should also be promptly reported.
  • UTSA provides legally purchased and licensed software for use by faculty, students and staff in carrying out their University-related endeavors. UTSA technology users must not copy or reproduce any licensed software except for backup purposes or as expressly permitted by the software license.  Additionally, users may not use unauthorized copies of software on University-owned computers or intentionally use software known to cause problems.
  • To protect University systems, data and the work of faculty, students and staff, unauthorized access should be prevented through the use of password-protected screensavers wherever possible on all computers, laptops, PDAs and workstations.
  • Because of their potential to breach security and privacy, special software designed to be used to monitor and enter computer systems and networks should only be used by appropriate technology security staff. This includes security programs or utilities such as password cracking programs, packet sniffers or port scanners that reveal or exploit weaknesses in the security of a system or that reveal data by circumventing established authorization procedures and systems.

©The University of Texas at San Antonio One UTSA Circle San Antonio TX 78249
Revised: 02/01/2008
Refer Comments to: oit@utsa.edu