Acceptable Use of Computer Systems and Facilities Policy (ACIS Policy)

1.0 Purpose

Lehigh University makes available to its community members its Computer Systems and Facilities policy (as defined below) for University-related purposes, including direct and indirect support of the University’s education, research, and service missions; University administrative functions; student and campus life activities; and the dissemination of knowledge within the University community and between the University community and the world at large in support of the University’s missions. As such, Lehigh computing and network resources are to be used in a manner consistent with University policy and applicable state and federal laws and regulations.

This policy establishes the “acceptable use” of Lehigh University's Computer Systems and Facilities. As used in this policy, the term “Computer Systems and Facilities” is broadly defined as the computing, networking, and information facilities and systems, whether currently existing or hereafter developed, which include, but are not limited to, the computers, terminals, networks, servers, printers, electronic mail, and other peripherals, devices, information and data files, and software (including SAAS products) owned, licensed, maintained or managed by the University. This policy is intended to ensure that the use of the University’s Computer Systems and Facilities supports the University in fulfilling its missions of education, research, and service.

2.0 Audience & Scope

This policy applies to the access and use of Computer Systems and Facilities by any user whatsoever including, but not limited to, all University staff, faculty, researchers, students, alumni, visitors, guests, vendors, contractors, volunteers, and business partners. This policy applies to such use whether such use occurs on the University’s campus or off campus, or is initiated from University Computer Systems and Facilities or otherwise (including user-owned (BYOD) devices). In addition to this policy, network traffic may be subject to acceptable use policies of the third-party networks through which it flows.

By accessing and using the University’s Computer Systems and Facilities, users assume personal responsibility for their access and use and agree to comply with this policy and other applicable University policies, as well as all applicable laws, rules and regulations.

Users of Computer Systems and Facilities are required to review and understand the contents of this policy.

3.0 Policy

Access to the University's Computer Systems and Facilities is a privilege granted solely to the University’s faculty, staff, students, alumni, and authorized guest users (including visitors, guests, vendors, contractors, volunteers, and business partners) for the purpose of fulfilling the University’s missions of education, research and service. Accordingly, the University reserves the right to limit, restrict, deny or extend computing and networking privileges, access to and use of its Computer Systems and Facilities in its sole and absolute discretion. Lehigh University is a private institution and the University’s property, including its Computer Systems and Facilities, are private property, the use of which the University has the legal right to limit and control as it deems appropriate.

All use of the Computer Systems and Facilities must be in accordance with all applicable University policies, rules and regulations, and all applicable laws and regulations in effect from time to time. The Computer Systems and Facilities are to be used only to support University-related activities and in accordance with the missions of education, research and service of Lehigh University. These activities include, for example: Lehigh University courses, delivery of curriculum, research projects, departmental activities, professional and scholarly activities, and related personal communications. Nothing in this policy is meant to limit legitimate faculty-supervised academic activities. All users of the Computer Systems and Facilities must act responsibly and maintain the integrity of these resources. Use of the University’s Computer Systems and Facilities in violation of this policy is disruptive to the University’s mission and is prohibited.

All non-departmental servers (World-Wide Web, ftp, etc.) that are connected directly to any University network resource must be approved by Library and Technology Services prior to accessing the external network, and all hosts may be monitored for use and systems compliance and restricted for non-compliance or malicious, suspicious, or prohibited activity.

External computer and network IDs, for use on University Computer Systems and Facilities, must be authorized by the University.

Prohibited Uses

Examples of prohibited uses of the University’s Computer Systems and Facilities include, but are not limited to, the following:

1. Accessing or using the Computer Systems and Facilities in any way that violates or attempts to violate, or knowingly facilitates the violation of:
   1. the security or integrity of the Computer Systems and Facilities;
   2. University policies, rules and regulations, including, but not limited to, this policy, the University Code of Conduct, the Policy on Harassment and Non-Discrimination, Anti-Hazing Policy and Protection of Minors Policy;
   3. the University’s status as a tax exempt, non-profit entity, including engaging in political or campaign activities where prohibited by federal, state and/or other laws, rules or regulations or University policy;
   4. the policies, rules or regulations of external networks and resources, including but not limited to, online media forums, including social networking websites, mailing lists, chat rooms and blogs in a manner that adversely impacts the University, its mission, or operations;
   5. the terms of applicable software licensing agreements, software as a service agreements and/or any third party’s intellectual property rights, including but not limited to, making unauthorized copies of software and other creative works; or
   6. any applicable law, rule, regulation, contractual obligation (including government contracts and related compliance obligations), or subjects the University to liability without necessary University approvals.
2. Intentionally or negligently engaging in or attempting to engage in any of the following activities:
   1. Disclosing the password of a computer or network ID entrusted to you without authorization or approval or using a computer or network ID that was not assigned to you by the University to access Computer Systems and Facilities, unless the University has authorized multiple access for the ID;
   2. Obtaining unauthorized access to another user's computer or network ID;
   3. Intercepting, monitoring, reading, copying, changing, using or deleting another user's communications, files, information or data without authorization or approval, or otherwise violating the privacy of another person;
   4. Disguising the identity of the account or machine a user is using in an identified malicious activity;
   5. Impersonating any individual or entity or otherwise misrepresenting an affiliation with or endorsement by any individual or entity (including the University), including through the use of a Lehigh computer or network ID;
   6. Using the Computer Systems and Facilities to gain or attempt to gain unauthorized access to remote computers;
   7. Allowing or facilitating unauthorized access or use of the Computer Systems and Facilities;
   8. Interfering with the normal operation of the Computer Systems and Facilities. This includes, but is not limited to, tampering with components of a local area network (LAN) or the high-speed backbone network, creating excessive network traffic or otherwise blocking communication lines, or interfering with the operational readiness of a computer;
   9. Running or installing a program (or providing another person with a program to run or install) on any Computer System or Facility which could damage a file or computer system and/or reproduce itself or which is otherwise malicious or technologically harmful. Such programs include but are not limited to, computer viruses, spyware, and worms;
   10. Circumventing data protection schemes or exploiting or failing to promptly report any security loopholes, including refusing to run approved security programs or circumventing security controls;
   11. Performing any act which is wasteful to the Computer Systems and Facilities or which unfairly monopolizes the Computer Systems and Facilities to the exclusion of others or could result in a third party restricting access to their services. These acts include, but are not limited to, sending mass mailings or chain letters, creating unnecessary multiple jobs or processes, or generating unnecessary output or printed material. Printing excessive copies of any documents, including resumes, theses, and dissertations, on Library and Technology Services printers is also prohibited;
   12. Installing unauthorized wireless access points. All wireless access points on the Lehigh campus must be coordinated through Library and Technology Services and must conform to specified standards. Library and Technology Services reserves the right to block network access to any devices including wireless access point not conforming to these standards;
   13. Using the Computer Systems and Facilities for personal or financial gain unless related to a valid University function;
   14. Misusing Library resources. Electronic resources licensed by the Lehigh Libraries are governed by agreements that restrict access to the Lehigh University community and to visitors in the library buildings. Use is typically limited to individual, noncommercial purposes, without systematic downloading, distribution, or retention of substantial portions of information; or
   15. Storing sensitive information outside of approved locations and unauthorized exfiltration of Lehigh data.

The above prohibitions supplement the University Code of Conduct, which covers such acts as theft of computer services (including copyrighted materials), theft or mutilation of the University’s property such as equipment, and the unacknowledged or unauthorized appropriation of another’s computer program, or the results of that program, in whole or in part, for a computer-related exercise or assignment.

Other Conditions of Use

Individual Colleges, departments or other units within the University may define additional "conditions of use" with respect to Computer Systems and Facilities under their control. Such conditions may include additional detail, guidelines restrictions, and/or enforcement mechanisms as long as they are consistent with this policy. Such College, department or other unit is responsible for publicizing and enforcing both the conditions of use and this policy.

Privacy and Confidentiality; Access for Legal and University Processes

Lehigh values each member of our community and recognizes our obligation to protect the privacy of certain data that we are entrusted with to the extent possible and as required by applicable law and regulation. The Data Governance program has been established to ensure that we appropriately use such data and the Information Security Program is designed to protect the data. Every member of the community is responsible for the protection of this data appropriate to the level of access they have been given. If you have access to sensitive Lehigh data you must understand and follow all applicable policies and procedures designed to govern and protect this data.

However, under some circumstances the University may inspect, monitor, collect, review and disclose data or other information located on or relating to access to and use of Computer Systems and Facilities (“information records”). These activities will be conducted under the direction of the Chief Information Security Officer. Such circumstances include ensuring the proper functioning of the University and the Computer Systems and Facilities; enforcing this and other University policies; in connection with investigations, audits, lawsuits, governmental and law enforcement subpoenas, warrants, or orders, or for other reasons related to compliance or legal proceedings; to protect the safety of individuals or the University community; or in other emergency or exceptional circumstances. The University may also permit reasonable access to information records to third-party service providers in order to provide, maintain or improve services to the University.

Accordingly, users do not have a reasonable expectation of privacy when accessing or using the University's Computer Systems and Facilities.

4.0 Exceptions:

In the event that the prohibitions in this policy interfere with fulfilling the University’s missions of education, research and service, members of the University community may request a written waiver through the Chief Information Security Officer.

5.0 Reporting and Enforcement

Users must notify Information Security about actual or suspected violations of this policy and potential loopholes in the security of the Computer Systems and Facilities. Users must immediately notify Information Security or LUPD about actual or suspected unlawful activities related to the Computer Systems and Facilities. Users must cooperate with Library and Technology Services in its operation of the Computer Systems and Facilities and in the investigation of misuse or abuse of the Computer Systems and Facilities or other violation of this policy.

Any person who violates any provision of this policy may face appropriate disciplinary action and other sanctions up to and including termination of employment, expulsion and/or legal action in accordance with existing disciplinary, personnel or judicial processes. Other disciplinary action and sanctions may include termination or suspension of privileges to access and use Computer Systems and Facilities and/or information or data located on Computer Systems and Facilities, taking appropriate legal action, including referral to and cooperation with law enforcement.

6.0 Freedom of Expression:

Lehigh University upholds the principles of academic freedom and free speech as stated in University policies, including but not limited to Section 2.1.1 (Policy on Academic Freedom) of the Rules and Procedures of the Faculty of Lehigh University and the Policy on Freedom of Thought, Inquiry and Expression, and Dissent by Students (collectively, “University Policies on Expression”). This policy is not intended to prohibit the access to and use of the Computer Systems and Facilities by authorized members of the University community with respect to activities protected by the University Policies on Expression.

7.0 Reference Documents

• Records Management and Retention Policy
• Data Classification
• Policy on Harassment and Non-Discrimination
• Policy of Freedom of Thought, Inquiry and Expression
• Information Security Policy
• Principles of Our Equitable Community
• Intellectual Property Policy

8.0 Additional Contacts:

Information Security, security@lehigh.edu

Responsible University Official: Eric Zematis, Chief Information Security Officer, ciso@lehigh.edu

Responsible University Office: Information Security, 610-758-3994

Effective Date: 11/4/2021
Last Updated/Reviewed: Pending
Revision Number: 2