Repealed as of October 5, 2017
UW System Administrative Policy 1034

Information Security: Acceptable Use

This policy was repealed as of October 5, 2017.

Original Issuance Date: September 14, 2016
Last Revision Date: September 14, 2016

1. Policy Purpose

The purpose of this policy is to establish parameters for the acceptable use of information technology resources owned or under the control of the University of Wisconsin System. This policy establishes the behaviors for acting in a responsible, ethical, and legal manner that respects the rights of community members who access or rely upon the information technology resources of the UW System, or who may have personal, confidential, private, proprietary, or copyrighted data and information stored within the UW System’s information technology resources.

2. Responsible UW System Officer

UW System Chief Information Officer (CIO)

3. Scope

This policy covers all those who access information technology resources under the control of UW System institutions. These information technology resources include:

  • Information technology assets and systems administered by UW System institutions
  • Authorized and unauthorized information technology resources operated by others residing on UW System networks, off-site networks, or within cloud-based services
  • Personally owned computers and devices used to access UW System information technology resources
  • All devices that connect by wired or wireless connections to UW System networks.

4. Background

The President of the University of Wisconsin System is empowered to establish information security policies, under Regent Policy Document 25-5. The UW System is committed to a secure information technology environment in support of its mission. The UW System aims to afford broad access to information resources for university students, faculty, and staff for use in fulfilling the University’s missions and for appropriate university-related activities. Information technology resources support the research and instructional missions, as well as the administrative operations of the UW System. The access and use of these resources is a privilege granted to authorized individuals. These persons have access to valuable UW System resources that might include moderate or high risk data, as well as access to internal and external networks, systems, and data connected through the UW System’s computing infrastructure.

5. Definitions

Low Risk Data: Data assets classified as low risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.

Moderate Risk Data: Data assets classified as moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.

High Risk Data: Data assets classified as high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.

Institutions: All four year campuses of the UW System, UW Colleges, the University of Wisconsin- Extension, and UW System Administration.

6. Policy Statement

All individuals granted access to University of Wisconsin System information technology resources must agree to and accept responsibility for:

  1. Using only the information technology resources for which they are authorized.
  2. Utilizing appropriate authentication mechanisms to access information technology resources.
  3. Not attempting to access information technology resources for which their authorization may be erroneous or inadvertent.
  4. Only using accounts, passwords, and/or authentication credentials that they have been authorized to use consistent with their role at the UW System institution.
  5. Protecting and not sharing their account, password, and/or authentication credentials.
  6. Only sharing data with others as defined by applicable policies and procedures.
  7. Not using UW System information technology resources to represent the interests of any non-University group or organization unless authorized by an appropriate University department or office.
  8. Not using any hardware or software which is designed to assess or weaken security strength unless authorized by the institutional CIO or their designee(s).
  9. Not engaging in disruptive “spamming” (i.e., sending unsolicited electronic communication to groups of recipients at the same time).
  10. Not forging identities or sending anonymous messages unless the recipient has agreed to receive anonymous messages.
  11. Only acting in a way that will not harm, damage, corrupt, or impede authorized access to information resources, systems, networks, equipment, and/or data.
  12. Not using UW System information technology resources to alter, disrupt, or damage information technology resources of another person or entity.
  13. Not using UW System information technology resources to upload, download or distribute copyrighted or illegal material which results in violation of law.
  14. Complying with all licenses and contracts relative to information technology systems which are owned, leased, or subscribed to by the UW System.
  15. Not using UW System information technology resources to sell or solicit sales for any goods, services, or contributions for commercial, political or non-university activities unless such use conforms to UW System policies governing the use of University resources.
  16. Complying with applicable local, state or federal laws, and institutional policies, rules, and guidelines as they relate to information technology resources.

Employees will only access UW System information for purposes consistent with their status as employees. Employees may not use these resources to support the nomination of any person for political office or to influence a vote in any election or referendum.

In the interest of making the use of information technology resources a natural part of the day-to-day learning and work of all members of the University community, incidental personal use is permitted. However, people should use non-University sources of email, internet access, and other information technology services for activities of an extensive nature that are not related to University purposes.

If an individual or group is determined to have violated this Acceptable Use Policy, the UW System institutions may elect to take action, which includes:

  • The restriction and possible loss of information technology resource access privileges
  • Appropriate disciplinary action including, but not limited to, termination from employment with the UW System.

7. Related Documents

Regent Policy Document 25-5, Information Security
Regent Policy Document 25-3, Policy on Use of University Information Technology Resources
UW System Administrative Policy 1031, Information Security: Data Classification
UW System Administrative Procedure 1031.A, Information Security: Data Classification

8. Policy History

First approved: September 14, 2016

9. Scheduled Review

March 2017