Skip to Search Skip to Global Navigation Skip to Local Navigation Skip to Content
Handbook of Operating Procedures
Chapter 11 - Information Technology
Previous Publication Date: May 10, 2016
Publication Date: August 2, 2022
Policy Reviewed Date: November 21, 2023
Policy Owner: VP for Information Technology


11.03 Acceptable Use


I. POLICY STATEMENT


Every effort must be made to maintain the security and integrity of the Data and Information Technology Resources used to carry out the missions of The University of Texas at San Antonio (UTSA).  UTSA community members who use UTSA Information Technology Resources must use them responsibly, with respect to other community members and in compliance with international, state and federal laws, The University of Texas System (UTS) Regents’ Rules, the UTSA Handbook of Operating Procedures, and UT System policies.


II. RATIONALE


UTSA has a responsibility to provide Information Technology Resources to the UTSA community and to ensure these resources are protected.  UTSA community members who use UTSA Information Technology Resources must be aware of the duties and responsibilities in place to protect Information Technology Resources.

III. SCOPE


All individuals and/or entities granted access to or use of UTSA Information Technology Resources.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter11/11.03.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


  1. University of Texas System Policies or the Board of Regents' Rules & Regulation
    1. UT System Policy UTS 165, UT System Information Technology Resources Use, and Security Policy.
    2. UT System HOP 4.1.1 Information Technology Resources Acceptable Use and Security Policy.
    3. UT System Policy UTS 178, Required Reporting of Significant Events.
  2. Other Policies and Standards
    1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C.

VI. CONTACTS


If you have any questions about Handbook of Operating Procedures policy 11.03, Acceptable Use, contact one of the following offices:

  1. Office of Information Security
    210-458-7974
    informationsecurity@utsa.edu
  2. UTSA Tech Solutions
    210-458-4555
    TechCafe@utsa.edu  

VII. DEFINITIONS


  1. Confidential Data: Data that is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state and federal laws. See also “Category I” data in the definition of Data Classification.
  2. Data: Information that is recorded - regardless of form or media – that is used to support the mission of UTSA, whether in an administrative or research capacity. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other formats.
  3. Data Classification: At UTSA, Data is classified as Category I (confidential), Category II (controlled), or Category III (published/public data), with each category subject to its own protection requirements and processes.  More information, including definitions, protection requirements, and examples of Data can be found in the Standard for Data Classification.
  4. Data Owner: The Department or College manager or agent responsible for the business functions supported by the Information Technology Resources or the individual upon whom responsibility rests for carrying out the program using the Information Technology Resources.
  5. Data User:  With authorization from the Data Owner, the Data User is any person who accesses, reads, enters, or updates information and/or Information Technology Resources whether done individually, through facilitation, or responsibility for an automated application or process.
  6. Information Technology Resources: The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.
  7. Chief Information Security Officer (CISO): The lead UTSA employee responsible for providing and administering the overall security program for UTSA Information Technology Resources for all centrally maintained and distributed systems and computer equipment.  The CISO assesses Information Technology Resources security risks and engages in a transparent discussion of risks with internal stakeholders.  The CISO is also responsible for the continuous development of this Policy and related.  The CISO tests for compliance and promotes compliance through training, awareness programs, and risk assessments. The CISO responds to the misuse of Information Technology Resources and any unauthorized access of Information Technology Resources by external or internal parties.

VIII. RESPONSIBILITIES


  1. Chief Information Security Officer
    1. Reviews the Acceptable Use Policy annually to ensure consistency with all applicable rules, regulations, and international/federal/state laws.
    2. Reviews and approves the contents of compliance training related to the Acceptable Use Policy.
  2. Office of Institutional Compliance and Risk Services
    1. Ensure the materials and acknowledgments are included and recorded during the course of the compliance training
  3. Data Owner
    1. Establishes controls to provide security and authorizes access to the Information Technology Resource.
    2. In the event that the Data Owner is also the Data User, then the Data Owner is also responsible for compliance with Data User responsibilities as specified below.
  4. Data User
    1. Reviews and acknowledges their understanding and acceptance of the Acceptable Use Policy during the compliance training process.
    2. Complies with all applicable procedures as specified in this policy.
    3. Uses the Information Technology Resource only for the purpose specified by the Data Owner.
    4. Complies with controls established by the Data Owner.
    5. Prevents any prohibited disclosure of Category I or Category II data. This Data may be disclosed pursuant to a court order or other legal process.

IX. PROCEDURES


  1. Acknowledgment of Acceptable Use Policy
    1. Each Data User, during the normal compliance training process, reviews and acknowledges their understanding and acceptance of the Acceptable Use Policy.
  2. General
    1. Information Technology Resources are provided for the purpose of conducting the business of UTSA. However, Data Users are permitted to use Information Technology Resources for use that is incidental to the Data User’s official duties to UTSA (Incidental Use) as permitted by this policy.
    2. Data Users who are employees, including student employees, or who are otherwise serving as an agent or are working on behalf of UTSA have no expectation of privacy regarding any Data they create, send, receive, or store on Information Technology Resources owned by, or held on behalf, of UTSA. UTSA may access and monitor its Information Technology Resources for any purpose consistent with UTSA’s duties and/or mission without notice.
    3. Data Users have no expectation of privacy regarding any Data residing on personally owned devices, regardless of why the Data was placed on the personal device.
    4. All Data Users must comply with applicable UTSA and UT System Information Resources Use and Security policies at all times.
    5. Data Users shall never use Information Technology Resources to deprive access to individuals otherwise entitled to access UTSA Information, to circumvent UTSA computer security measures; or, in any way that is contrary to UTSA’s mission(s) or applicable law.
    6. Use of Information Technology Resources to intentionally access, create, store, or transmit sexually explicit materials is prohibited unless such use is required as part of the Data User’s official duties as an employee of UTSA and is approved in writing by the president or a specific designee. The viewing, access to, storage, or transmission of sexually explicit materials as Incidental Use is prohibited.
    7. Data Users must clearly convey that the contents of any email messages or social media posts that are the result of Incidental Use are not provided on behalf of UTSA and do not express the opinion or position of UTSA. An example of an adequate disclaimer is: "The opinions expressed are my own, and not necessarily those of The University of Texas at San Antonio."
    8. Data Users should report misuse of UTSA Information Technology Resources or violations of this policy to their supervisors.
  3. Confidentiality & Security Data
    1. Data Users shall access Data only to conduct UTSA business and only as permitted by applicable confidentiality and privacy laws. Data Users must not attempt to access Data on systems they are not expressly authorized to access. Data Users shall maintain all records containing Data in accordance with the UTSA’s Records Retention Policy and Records Management Guidelines.
    2. Data Users shall not disclose Confidential Data except as permitted or required by law and only as part of their official UTSA duties.
    3. Whenever feasible, Data Users shall store Confidential Information or other information essential to the mission of UTSA on any managed servers, rather than a local server, hard drive, or portable device.
    4. In cases when a Data User must create or store Confidential or essential Data on a local hard drive or a portable device such as a laptop computer, tablet computer, or, smartphone, the Data User must ensure the data is password-protected and/or encrypted in accordance with UTSA, UT Systems, and any other applicable requirements.
    5. The following Data must be encrypted during transmission over an unsecured network: Social Security Numbers; personally health information; Driver’s License Numbers; other government-issued identification numbers; Education Records subject to the Family Educational Rights & Privacy Act (FERPA); credit card or debit card numbers, plus any required code or Personal Identification Numbers (PIN) that would permit access to an individual’s financial accounts; bank routing numbers; and other Data about an individual likely to expose the individual to identity theft. Emails sent to and received from UTSA and UT System institutions using UTSA and/or UT System provided email accounts are automatically encrypted. The UTSA Tech Solutions will provide tools and processes for Data Users to send encrypted data over unsecured networks to and from other locations.
    6. Data Users who store Data using third-party cloud services must use providers approved by UTSA through official procurement processes, rather than personally obtained cloud services.
    7. Data Users must not use security programs or utilities except as such programs are required to perform their official duties on behalf of UTSA.
    8. All computers connecting to a UTSA network must run security software approved by UTSA as necessary to properly secure Information Technology Resources.
    9. Devices determined by UTSA to lack required security software or to otherwise pose a threat to Information Technology Resources may be immediately denied access and/or disconnected without notice.
  4. Email
    1. Emails sent or received by Data Users in the course of conducting UTSA business are records that are subject to State Records Retention and Security Requirements.
    2. Data Users must use UTSA email accounts, rather than personal email accounts, for conducting UTSA business.
    3. The following email activities are prohibited when using a UTSA provided email account:
      3.1 Sending an email under another individual's name or email address, except when authorized to do so by the owner of the email account for a work-related purpose.
      3.2 Accessing the content of another Data User's email account except:
      3.2.1 As part of an authorized investigation.
      3.2.2 As part of an approved monitoring process.
      3.2.3 For other purposes specifically associated with the Data User's official duties on behalf of UTSA.                                                                                  
      3.2.4 Sending or forwarding any email that is suspected by the Data User to contain computer viruses.
      3.2.5 Any Incidental Use prohibited by this policy.
      3.2.6  Any use prohibited by international/federal/state laws, UT System policies, or UTSA policies
  5. Incidental Use of Information Technology Resources
    1. Incidental Use of Information Technology Resources must not interfere with a Data User’s performance of official UTSA business, result in direct costs to UTSA, expose UTSA to unnecessary risks, or violate applicable laws or other UTSA or UT System policy.
    2. Data Users must understand that they have no expectation of privacy in any personal information stored by a Data User on a UTSA Information Technology Resource, including University email accounts.
    3. A Data User's incidental personal use of Information Technology Resources does not extend to the Data User’s family members or others regardless of where the Information Technology Resource is physically located.
    4. Incidental Use to conduct or promote the Data User’s outside employment, including self-employment, is prohibited.
    5. Incidental Use for purposes of political lobbying or campaigning is prohibited.
    6. Storage of any email messages, voice messages, files, or documents created as Incidental Use by a Data User must be nominal (less than 5% of a Data User's allocated mailbox space).
    7. Files not related to UTSA business may not be stored on network file servers.
  6. Additional Requirements for Portable and Remote Computing
    1. All electronic devices including personal computers, smartphones, or other devices used to access, create or store UTSA Information Technology Resources, including email, must be password-protected in accordance with UTSA requirements, and passwords must be changed whenever there is suspicion that the password has been compromised.
    2. Data created or stored on Information Technology Resources and also a Data User’s personal computers, smartphones, database, or other devices are subject to production pursuant to the Texas Public Information Act, subpoenas, court orders, litigation holds, and discovery requests.
    3. UTSA-issued mobile computing devices must be password-protected and Data must be encrypted during rest and transmission.
    4. Any personally owned computing devices on which Confidential Data is stored or created must be password-protected and data must be encrypted during rest and transmission.
    5. Data created and/or stored on personal computers, other devices, and/or non-UTSA databases should be transferred to UTSA Information Technology Resources as soon as feasible and deleted from personal devices thereafter.
    6. Unattended portable computers, smartphones, and other computing devices must be physically secured.
    7. All remote access to networks owned or managed by UTSA or UT System must be accomplished using a remote access method approved by UTSA or UT System, as applicable.
  7. Password Management
    1. UTSA-issued or required passwords, including digital certificate passwords, PIN, Digital Certificates, Security Tokens (i.e., Smartcard), or similar information or devices used for identification and authorization purposes shall be maintained securely and shall not be shared or disclosed to anyone.
    2. Each Data User is responsible for all activities conducted using the Data User’s password or other credentials.
    3. Additional information is available in the Standard for Acceptable Use.

X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


Classifying your data: Data Classification Standard.


XII. APPENDIX


None


XIII. Dates Approved/Amended


08-02-2022
05-10-2016