Providing and Using Information Technology

The university has a responsibility to manage, secure, and protect IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​.  Effective and efficient use of these resources is integral to the teaching, scholarly research, and public service missions of the university. IT service providersIT service providerAny person that designs, builds, implements, supports, or provides an IT service to other University employees, students, or affiliates, using a University IT resource. Examples of IT service providers include: website administrators, workstation support staff, server administrators, software programmers, application developers, data network technicians, user account administrators, and computer center personnel. play critical roles in this entire process, including development of best practices to meet future needs.

The purposes of this Administrative Policy Statement are to set forth University requirements for providing and using IT resources and to establish expectations for campuses and system administration. Campuses and system administration may create and implement additional policies and guidance necessary for each unique environment consistent with the ownership and management provisions of this policy. 

1. University Ownership and Management of IT ResourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.

   1. Subject to Regent, State, and Federal laws, rules, and/or regulations, and other university policies, all IT resources acquired or created through the use of university resourcesUniversity resourcesOfficial resources of the institution, including but not limited to: university funds, facilities, personnel/labor, equipment (e.g., telephones, photocopy machines, computers – including email), work products, results, materials, records, or other information developed or produced with university goods or services.​, including grant funds from contracts between the university and external funding sources, are property of the university. Rights and ownership of intellectual property and educational materials are governed by the following policies:

      1. Ownership and disposition of intellectual property created by University employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly. and studentsStudentAny individual who applies to, is accepted for admission, and enrolls for a course at the University of Colorado. This does not include an individual who has never attended or never enrolled at the institution. is addressed in APS 1013 - Intellectual Property Policy on Discoveries and Patents for Their Protection and Commercialization.

      2. Rights, responsibilities and rewards for the University and its employees in the development and commercialization of educational materials are addressed in APS 1014 - Intellectual Property That is Educational Materials.

   2. Management responsibility for IT resources lies with the Chief Information Officer (CIO) as specified by APS 6005 - IT Security Program​.

   3. To the extent permitted by law, the university retains all rights of access to its IT resources as necessary to conduct the work of the university.

   4. Only university faculty, staff, and students and other persons who have received permission under the appropriate university authority are authorized users of IT resources.

   5. The university shall take reasonable and prudent measures to maintain the privacy, confidentiality, and integrity of communications and stored data. Specific expectations for all employees and IT Service Providers are specified in APS 6005 - IT Security Program​, System-wide Baseline Security Standards and Standards for Individuals with Privileged Access.

   6. The university provides access to IT resources in support of official university businessOfficial university businessAny activity that carries out the university's mission of instruction, research and service or that provides support to the university's instruction, research, and service activities.​ and may revoke access privileges for reasons deemed appropriate by the Chief Information Officer (CIO) as specified by APS 6005 - IT Security Program​.

   7. IT resource usersIT resource userIndividuals that are authorized to use University IT resources. Examples of users include: faculty, staff, students, researchers, vendors, volunteers, contractors, or sponsored affiliates of the University. may access IT resources for incidental and occasional personal use as long as any such personal use does not violate laws, is not substantial use of university resources, or does not create a conflict of interestConflict of interestSituations defined in the Administrative Policy Statement Conflict of Interest Policy in which financial or other personal considerations may compromise, or have the appearance of compromising, an employee's professional judgment in administration, management, instruction, research and other professional activities. This includes situations in which an employee might derive private gain due to her/his association with the University.​ or commitment1.  Decisions about whether use of these resources is "substantial" or "customary and current" shall be determined by the responsible campus chancellor or designee.

   8. Except as provided in this policy the University will take all reasonable and prudent efforts to protect an IT resource user’s personal privacy.

2. Use of External Email to Conduct University Business

   1. The university expects employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly. and designated university affiliatesAffiliateAn organization that has a contractual or other legal relationship with the University that closely aligns them operationally with the University to more effectively further both the University and the organization's missions. Affiliates are identified at https://www.cusys.edu/controller/policies/supporting%20listing.doc. Affiliates include Blended Organizations and Supporting Organizations. shall use their official university email account when conducting official university businessOfficial university businessAny activity that carries out the university's mission of instruction, research and service or that provides support to the university's instruction, research, and service activities.​. Notwithstanding any other provision, employees shall not use an external email provider for storage or transmission of highly confidential informationHighly confidential informationThis category includes data elements that require protection under laws, regulations, contracts, relevant legal agreements and/or require the institution to provide notification of unauthorized disclosure/security incidents to affected individuals, government agencies or media. This type of University Information includes personally identifiable information (a category of personal information regulated by federal law), as well as other non-public personal information that would adversely impact an individual if inappropriately used or disclosed. Examples include Social Security numbers, credit card numbers and medical records.​ (e.g., protected health information, social security numbers. etc.). 

      1. If technical limitations in an official university email account cause a barrier to an employee performing his or her university duties, the employee shall first consult with the campus IT unit to determine if it is possible to mitigate the limitation.  For example, it may be necessary for the campus IT unit to, temporarily, increase an employee’s storage quota. If the technical limitations cannot be resolved in a reasonable timeframe, and highly confidential information will not be stored or transmitted, the employee may use an external email provider.

      2. If employees or designated university affiliates attempt to forward email to an external email provider (e.g. Google, an affiliated government agency, another university), the university does not guarantee delivery to external servers.

      3. The use of an external email service for university-related business creates university records outside of the university’s official email system.  Employees and designated university affiliates who use an external email service either directly or through establishing an email forward are responsible for the following:

         1. Maintaining and preventing from deletion all emails (and associated attachments) used to conduct university-related business, in accordance with the university’s Record Retention. Because email is not easily secured and preserved, users should use other means to save information specified in the campus records retention schedule.  

         2. Upon request of the Office of University Counsel, an employee using a third-party email service for university-related business shall be expected to suspend any automated destruction process, provide requested information from his/her official university email account, and provide information related to official university business from his/her third-party account(s).  Unless otherwise required by law, the Office of University Counsel shall provide an explanation for a request before the employee is required to furnish any requested information.

         3. If an employee or designated university affiliate does not take reasonable measures to provide specifically requested university informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data. in response to the Office of University Counsel’s request, or intentionally destroys the requested information in violation of a legal hold, disciplinary sanctions, up to and including termination, may apply.

3. Colorado Open Records Act Provisions

   1. Information, no matter where it is stored, that is created, maintained or kept by the university and that relates to the performance of public functions or the receipt or expenditure of public funds may be a public record subject to public inspection under the Colorado Open Records Act, C.R.S. §24-72-201et seq., which governs disclosure of public records.

   2. In the event of an Open Records Request affecting data residing on any university IT resourceIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University., the Office of University Counsel may instruct the appropriate IT office to capture and save the relevant data. 

   3. In response to an Open Records Request, the Office of University Counsel may review collected data to determine if any of the data constitutes a public record subject to public inspection. 

4. Legal Hold Provisions

   1. Data residing on any IT resourceIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ used for university business may be subject to a legal hold, discovery request, subpoena, court order or other legal request. 

   2. In the event of a legal hold, discovery request, subpoena, court order or other legal request regarding data residing on any university IT resource, the Office of University Counsel may instruct the appropriate IT office to capture and save the data. 

   3. In response to a discovery request, subpoena, court order, legal hold or other legal request, the Office of University Counsel may review the captured data to determine if any of the data may need to be disclosed.

5. Other Access

   1. The university reserves the right to access and disclose data on IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ when the university deems a legitimate and appropriate business need. These instances shall be documented and approved by appropriate authorities determined by the Chief Information Officer (CIO).  Users shall be notified of access to the individuals account unless prohibited by law. Each Chief Information Officer (CIO) shall compose a written statement of procedure to request such approval. The procedure shall protect the personal privacy rights of individuals, take into consideration ways to minimize the time and effort required to submit and respond to requests and the need to minimize interference with university business.

6. Policies of Campuses and System Administration.

   1. Each campus and system administration have different missions and environment and may create policies and guidance regarding use of IT.  Campus policies and guidance shall be consistent with all provisions of this policy.  The attached Campus Acceptable Use Policy Guidance​ provides guidance to campuses regarding rights, responsibilities, and legal considerations.

   2. If a campus or system administration elects to adopt local policies and procedures, it shall submit copies to the President's Office, which shall review them for conformance to this policy statement and publication with this policy.

   3. Campuses and system administration shall communicate at least annually employeeEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly. responsibilities and expectations as outlined in this APS and, if applicable, in local policies. The communication shall include, but is not be limited to, awareness of processes and possible circumstances under which data on IT Resources (e.g. records of extensively browsing social media or travel websites for personal use on work computer during business hours) may be accessed and disclosed.

1. Administrative Policy Statements (APS) and Other Policies
   1. APS 2006 - Retention of University Records
   2. APS 6005 - IT Security Program
   3. System-wide Baseline Security Standards
   4. Standards for Individuals with Privileged Access
   5. APS 6002 - Electronic Communications
2. Campus Policies
   1. CU Boulder – Acceptable Use of CU Boulder’s IT Resources
   2. UCCS - Information Technology Responsible Computing
   3. CU Denver | Anschutz Medical Campus - Acceptable Use of Information Technology Resources
   4. System Administration - Use of IT resources

1. Non-substantive clean-up – May 1, 2015.  Use of the title “Chief Technology Officer (CTO)” has been terminated and references to it were removed.​
2. APS 6001 Providing and Using Information Technology was revised on April 9, 2015 and replaces Providing and Using Information Technology which was approved on 2/1/2000;
3. Providing and Using Information Technology was approved on 2/1/2000 to replace Establishment of University Management Systems Policy Committee and Campus Advisory Committees (dated 9/27/78) and University Computing Policy Formulation, Monitoring and Implementation (dated 4/15/81).

Recognizing that the campuses and system administration may also require additional standards for the use of technology, the campuses and system administration may extend the use of IT APS with policies and guidance specific to each environment.  When drafting such policies the campuses should consider the following:

1. How do employees report violations of IT policy to the campus chief information officer or chief technology officer?
2. How are sanctions for violations reviewed by campus administrative officers such as vice chancellors and deans? 
3. What additional guidance is required regarding IT resource user accountability for ethical and responsible use of IT resources.  Examples include:
   1. respect for the rights of others: respecting privacy, using only authorized access, respecting intellectual property,  not knowingly doing harm to others or denying service to others;
   2. respect for resources: using good security practices, not knowingly doing harm to data, systems or the property of others, not wasting resources;
   3. academic and professional integrity including honest representation of identity and authorship; and
   4. proper use of resources: while some personal use of IT resources is permitted, such personal use should not interfere with academic, research, or administrative needs.
4. IT resource users are responsible for knowing and complying with applicable laws, policies, and procedures.  Campus leadership and employee supervisors have responsibility for providing appropriate training regarding applicable laws, policies and procedures.  What process will the campus communicate and train employees annually regarding employee responsibilities?
5. Should it be necessary for the university administration to access university accounts without employee prior consent, for example to access for administrative and/or investigative purposes, approval must be provided by the appropriate administrative officer (such as the campus chancellor, vice chancellor, dean or vice president).  Otherwise, unless legally required employees must be notified of such access by another person.
6. Any use of university IT resources involving copyrighted materials must comply with applicable provisions of Federal copyright law and specific license agreements.