|Policy Title:||Providing and Using Information Technology|
|Effective:||February 1, 2000|
|Approved by:||David A. Groth|
|Responsible University Officer:|
|Responsible Office:||Associate Vice President for Technology|
|Supersedes:||Establishment of University Management Systems Policy Committee and Campus Advisory Committees dated 9/27/78, and University Computing Policy Formulation, Monitoring and Implementation dated 4/15/81|
|Last Reviewed/Updated:||February 1, 2000|
|Applies to:||All campuses|
Brief Description: Sets forth University-wide policies applicable to each environment and requires that campuses and system administration create and implement policies that govern the provision and use of the University's IT resources.
Information technology (IT) resources that the University owns, leases, licenses, or has authority to use are valuable assets that the University has responsibility to manage, secure, protect, and control. IT resources have become integral to teaching, research, and public service at the University and must be provided and used efficiently and effectively to support those missions. University of Colorado providers, responsible for management of facilities, services, and data, enable users from the academic community, administration, management, and other constituencies to access the institution's resources. Providers may also be given authority to develop standards and best practices which users must agree to in order to access IT resources.
The University must set expectations for both the providers and users of institutional IT resources. The purposes of this Administrative Policy Statement are to set forth University-wide policies applicable to each environment and to require that campuses and system administration create and implement policies that govern the provision and use of the University's IT resources.
- "IT resources" are hardware, software, and data used to create, store, process, and communicate information electronically. Examples of IT resources include but are not limited to fax machines, telephones, computers, data communication lines, and video systems (hardware); operating systems, voice mail systems, email systems, and transaction processing applications (software); database contents, voice messages, and video images (data).
- "University of Colorado providers" of IT resources are University departments or other administrative units to whom a campus or system administration has delegated responsibility to manage IT resources that the University owns, leases, licenses, or has authority to use.
III. Statement of Policy
- The following policies shall apply throughout the University to the provision and use of IT resources.
- Subject to Regent, State, and Federal laws, rules, and/or regulations, and University policy on intellectual property, all IT resources acquired or created through the use of University funds, including grant funds from contracts between the University and external funding sources, are the property of the University. All IT resources owned by the University as well as those leased, licensed, or authorized for use are covered by this policy.
- Management responsibility for IT resources lies with the President and the Chancellors.
- To the extent permitted by law, the University retains all rights of access to its resources as may be necessary to conduct the work of the University.
- Only University faculty, staff, and students and other persons who have received permission under the appropriate University authority are authorized users of the University's IT resources.
- The University shall take reasonable and prudent measures to maintain the privacy, confidentiality, and integrity of communications and stored data. Users are expected to follow good security practices as part of those measures.
- This policy does not establish a relationship between the University and users of IT resources. As such, there are no guarantees that the use of IT resources, which is a privilege and not a right, will result in an expected and desired level of performance.
- The provision and use of IT that the University owns, leases, licenses, or has authority to use also is governed by other policies, rules, regulations, bylaws, and guidelines of the University such as the Conflict of Interest Policy and student codes of conduct. A list of the most directly applicable policies and rules as of the date of issuance of this policy is provided in Attachment A.
- Any use of University IT resources must comply with applicable provisions of Colorado law. Documents and data stored on University IT resources may be subject to disclosure under the Colorado Public Records Act.
- Any use of University IT resources involving copyrighted materials must comply with applicable provisions of Federal copyright law and specific license agreements.
- The Chancellor of each campus shall be responsible for the development and implementation of policies that cover IT resources managed by the campus. The policies shall, at a minimum, address the following:
- Campus rights and responsibilities with regard to IT resources:
- Management of IT resources for which the campus and its sub-units are responsible, including protection of resources;
- Creation and enforcement of policy regarding provision and use of IT resources;
- Procedures for ensuring comprehensive dissemination of all applicable University and campus IT policies and procedures. A sample list of Frequently Asked Questions and Answers (Attachment B) about this policy is provided as a possible approach to this requirement;
- Procedures for reporting violations of University or campus IT policies and procedures;
- Administrative processes and possible sanctions to be applied by the campus in the event of violation of campus or University policies.
- Campus expectations for users of IT resources:
- User rights and privileges (including access privileges, information about policies, and information about administrative processes and sanctions).
- User accountability for ethical and responsible use of University IT resources:
- respect for the rights of others: respecting privacy, using only authorized access, respecting intellectual property, respecting sensibilities of others, not knowingly doing harm to others or denying service to others;
- respect for resources: using good security practices, not knowingly doing harm to data, systems or the property of others, not wasting resources;
- academic and personal integrity including honest representation of identity and authorship; and
- proper use of resources: only for University-related work; only for use that is not a conflict of interest or commitment.
- User responsibility for knowing and complying with all applicable laws, policies, and procedures.
- The Vice President for Budget and Finance shall develop and implement policies for the IT resources managed by administrative units within the system administration. Those policies shall, at a minimum, address the topics listed in Section B above.
- The campuses and system administration shall submit copies of their policies to the President's Office, which will review them for conformance to this policy statement and will work to facilitate general consistency among the policies.
Current and proposed Administrative Policy Statements that impact IT resources
- Misconduct in Research and Authorship 
- Conflicts of Interest and Commitment Policy 
- Reporting Fiscal Misconduct
- Use of Electronic Mail 
- University Policy on Sexual Harassment 
- Intellectual Property Policy on Discoveries & Patents for Their Protection & Commercialization 
- Intellectual Property That is Educational Materials 
Frequently Asked Questions and Answers
- Why does the IT policy apply to my telephone? My fax machine?
Both your telephone and your fax machine are electronic communication resources and fall under the definition of IT resources. A single policy was written for all IT resources in order to address related policy issues and to make it easier for users to be informed of policy requirements.
- Does the IT policy apply to the computer I purchased for my home, using my own money?
No, since you paid for your computer from your own funds, the policy doesn't apply to it. However, if you use your computer to connect to a University IT resource, such as the data communications network, the policy applies to any action you take via your computer on that University resource.
- If I use the University's network to connect to an IT resource that belongs to someone else, whose policy applies to my actions?
Suppose you use the University's network to connect to a database belonging to another institution. Both the CU IT policy and any policies of the other institution apply to your actions. If you connect from a workstation that belongs to a CU campus, that campus' IT policy will apply. Depending on what you do while connected to that database, Federal or state laws could also be applicable. It's very hard to find, read, and understand everything that may apply. If you adhere to high standards of ethical and responsible behavior you're unlikely to commit a serious infraction of any of the policies, rules, or laws.
- Does the hardware and software purchased by my department from grant funds belong to the University?
Yes, it does. The grant funds are almost certainly money provided under a contract between the Regents of the University and the grant source. As such, they are monies of the University and anything purchased or leased or created through the use of that money belongs to the University. So this policy applies, and the University has the right to access that hardware and software as may be necessary for the work of the University.
- Who is and who is not a user of the University's IT resources?
- Any University student or employee who uses the University's data communication network to access data at another institution is a user of University IT.
- A student who stores data files for a course on the University's network is a user.
- Anyone who uses a campus computer kiosk or a computer in a lab is a user of University IT.
- A University employee who uses a home computer they purchased themselves to access the web through a commercial Internet Service Provider is not a user of University IT resources at that time.
- Does the University have the right to look at my accounts, files, and electronic communications?
Yes, University officials have a right to look at any user's electronic accounts, files, or communications within the limits established by law. Employees need to understand that there is no absolute right to personal privacy when the employee is using the employer's equipment, including IT resources. The University does not routinely monitor the content of files or communications, but may view contents whenever it has a business or legal need to do so.
You should also be aware that the files you maintain on University IT resources may be considered public records and the University may be required to make them available for inspection under the Colorado Public Records Act. In addition, the Act defines "public records" to include electronic mail messages which means that your email messages also may be subject to public inspection.
- What about my right to privacy? Does the University protect the confidentiality of data about me?
The current state of IT is such that there can be no absolute assurance of privacy or confidentiality of electronic data and systems. The University takes reasonable and prudent precautions to protect privacy, but users should understand there is always some risk that data can be accessed by unauthorized people.
- Does the University have the right to delete my data or block my communications?
University IT administrators are charged with maintaining and operating the resources for the benefit of all members of the University community. If someone's data consumes so much storage that others are denied storage or if someone's web page attracts so much network traffic that others are denied network access, the administrator of those resources has the right to remove the material. Whenever possible, users are given an opportunity to back up data to other media before it is removed.
- Can I trust the University to take care of the files I store on its IT resources?
University IT administrators take reasonable and prudent steps to protect the integrity of data and systems stored on the resources they administer, but there is always some risk that files may be lost or damaged. Users are urged to make backup copies of files that would be difficult or costly to replace.