Responsible Computing at UVa
A Handbook for Faculty and Staff
In support of its mission of teaching, research, and public service, the University of Virginia provides faculty, staff and students with access to computing and information resources. Responsible behavior is the price of admission to the University's digital community, with its attendant conveniences and benefits. Irresponsible behavior can jeopardize your computing privileges and can put you at risk for other serious consequences. The Department of Information Technology Services (ITS), which provides many computing and communication services for the University, has prepared this handbook to help you understand the nature of responsible computing in our digital community.
I. You, the University, and the Electronic Community
On nearly all office desktops at the University of Virginia, you will find a computer. Most faculty and staff use computers at least as often as telephones for communication, as well as to help them do their work in many other ways.
The University makes information technologies available to you in many and varied forms:
- Everyone at the University has access to information servers for electronic mail (email) and other Internet services. There are data network connections in nearly all offices to connect your office computer to the Internet.
- The University's World Wide Web home page (http://www.virginia.edu) provides not only important information about UVa's academic and administrative departments but provides a starting point as you navigate to other websites that may interest you or be applicable to your area of work or research.
- You can acquire computers through the Desktop Computing Initiative (DCI) program at Cavalier Computers, a division of the UVa Bookstore.
- The Integrated Systems Project, the Integrated Student Information System, and the Student System Project provide easy access to University data from your desktop.
- Everyone at the University has access to a voicemail system, which makes it easy and convenient to communicate with colleagues.
II. Who Owns What?
We often use the possessive word “your” but this does not always mean “ownership.” In some cases, it means “exclusive use.” We also assign ownership of computers or files or data to the University when in reality some of these items may be officially the property of the Commonwealth of Virginia, a research sponsor, or some other entity. If in doubt over the ownership of a particular item, ask your manager or department head, or contact the UVa Help Desk.
Your unit or department often owns the personal computers or workstations at your workplace. The unit or department should provide guidance about what is appropriate use of computing equipment and services for that specific workplace, and it should communicate clearly to you any special conditions of use beyond those described in this handbook, in similar widely-available sources or in the University's policy resources. If you do not clearly understand the nature of appropriate use of computing equipment or services in your particular workplace, ask those in charge of your department or unit.
The department or unit may also own software licenses—for example, word processing or spreadsheet software—that were purchased from a software vendor. The licenses usually allow you to possess ONE copy of this software per workstation. It is a violation of your software license agreement to make copies of the software without permission. You should read and abide by the software license agreement. You also may NOT make a copy of software someone else has purchased. The general rule is ONE purchase, ONE copy.
The University owns or otherwise makes available the central computers, computer labs, the microcomputing sites, the computers it places on its employees' desks, the printers and other devices it has attached to them, and all the software it has installed on them. The University determines who may use these resources and provides guidance about their intended use.
The University owns the University network—all the wires, cables and routers that connect the central computers, computer labs, microcomputer sites and that perhaps connects your personal computer to each other and, beyond the Grounds, to the Internet. The University determines who is authorized to use its network.
The University's ownership of these resources intended for shared use imposes on it a special responsibility to ensure equitable availability. The University expects you not to overuse such resources when doing so denies effective access to other users. If you do, we will ask you to discontinue your use or reduce it to a more appropriate level.
III. University Information: Protecting a Valuable Asset
The information of any organization is one of its most valuable assets. Now that University of Virginia business is conducted extensively on computers and the information is available more readily and to greater numbers of persons, you have an important responsibility to safeguard it. Meeting that responsibility may be as simple as making good practices part of your regular routine. They include:
- Choose a good password for your computer account — one that is not “guessable.” Make it a combination of 8 or more letters and numbers or special characters. For help choosing a good password, see http://its.virginia.edu/accounts/passwords.html. Commit it to memory. Never write it down and never tell it to anyone. On some systems you will be required to change your password on a regular basis.
- Log off your computer when you leave your desk. Keep information displayed on your screen confidential, just as you would keep confidential printed material on your desk or in your files away from wandering glances.
- Back up your data regularly making several generations of backups. Store the backup diskettes where they would be available in the event of a disaster, and know how to restore the backed-up data.
- Log off your computer when you leave your desk and use a password-protected screen saver. Keep information displayed on your screen confidential, just as you would keep confidential printed material on your desk or in your files away from wandering glances.
- Reformat used storage media and use them again. Destroy diskettes, CDs, and other electronic media when they are no longer reusable. Do not recycle any that contain sensitive data or University-licensed software.
- Lock your CDs and other electronic media in your desk or in a locked, fire-resistant cabinet.
- Follow University-approved procedures when surplusing electronic devices (such as desktop computers, laptops, and PDAs), returning them to a leasing company, or transferring them from one University employee to another employee having different software and data access privileges.
- It is not advisable to use email for confidential information or when there would be concern if all or part of the email were forwarded to other parties.
- Apply the security safeguards discussed in this training not just to on-site devices and data, but also to protect devices and data taken off University premises. Special precautions are necessary for small portable devices (such as laptops and PDAs), which can be easily lost or stolen. Home computers used for University business should be secured.
- If you become aware that sensitive University data may have been inappropriately exposed, contact the Information Security, Policy, and Records Office (ISPRO) at firstname.lastname@example.org.
- Your electronic data files are extensions of printed files in your care. It is your responsibility to ensure that both electronic and paper files in your care be safeguarded, especially if they contain sensitive information such as data about individual students, employees, patients, clinical trial participants, donors, and others. If you are unsure what is expected of you, ask questions.
University policies require you to protect University information. If you aren't already, you need to become familiar with these current policies.
- The Disclosure of University Records policy (UVa Financial and Administrative Policies Manual, Policy XV.C.1, http://www.virginia.edu/~polproc/pol/xvc1.html) establishes employee responsibility for the security of its information. This includes reports, memos, messages and accounting, student and personnel data. You may just see or hear the information or you may be asked to manipulate the information, record it or simply file it. The information may be on paper, on computer disk or tape or on audio- or videotape.
The policy states that all employees are responsible for protecting University records and that each department is required to make protection of this information a part of its overall business plan.
- Retention, protection and filing practices and techniques for all files and records is governed by the state records management program (Code of Virginia, Chapter 7, Public Records Act, http://leg1.state.va.us). Where necessary the University will develop specific regulations and procedures for electronic media within departments needing
- standards for electronic file organization,
- measures for protecting sensitive information stored electronically, and
- procedures for file backup and restoration.
- The Family Educational Rights and Privacy Act, or FERPA,
requires the University to protect the confidentiality of student
educational records (see the
Office of the
University Registrar's related information). These include academic records, financial records, disciplinary records, medical records and placement office records.
To be in compliance, the University must obtain the written consent of a student before disclosing information. The rights of a student to see his or her records does not extend to parents or guardians.
The University may not release directories, rosters, lists or address labels of students to parties not affiliated with the University when a student has requested that this information be withheld. And, the University may not post grades and test scores publicly using any personally identifiable information, without the written consent of the students involved.
- The Gramm-Leach-Bliley Act requires that personally identifiable financial data, such as bank and credit card account numbers, be safeguarded against unauthorized access or use.
- The Health Insurance Portability and Accountability Act requires that protected health information be safeguarded against unauthorized access or use.
- Read and understand these policies and take time to see how they apply to your work responsibilities.
- Ask questions if you are unsure of what is expected of you.
- Be aware that student, employee, patient, clinical trial participant, donor and other personally identifiable information is the most sensitive information with which you may come in contact and should be treated accordingly. The University forbids the use of any data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity. Do not view or access data that are not required for the performance of your job.
IV. Email: Rules, Responsibilities, and Privacy
You can expect that, except in specific circumstances, the content of the email files associated with your account will be treated as confidential by the University because it does not routinely examine or monitor such content, except when you have been notified in advance that such examination or monitoring is an expectation in your specific workplace. You should be aware, however, that email messages can sometimes be records that are subject to review with sufficient justification. They may be subject to Virginia Freedom of Information Act if they were produced, collected, received or retained in pursuance of law or in connection with the transaction of public business. They may lose whatever confidentiality they have if their release is compelled by orders issued through courts of law. Also, officials overseeing the University's disciplinary processes may rule that email or other files are evidence that may be reviewed as part of investigations. Under these circumstances, the privacy of your email is not guaranteed. To understand how ITS system administrators deal with requests for individual-account log or content information by persons other than the account holder, see http://www.virginia.edu/abuse/info.html.
Although you might have downloaded and/or deleted your email messages, ITS's delivery systems work in such a way that messages may be preserved for a time as computer files on centrally-administered disks and at system back-up locations, so your capacity to control if and where copies exist is not absolute. The array of storage locations is another factor making the confidentiality of your email conditional. And, although some email programs allow for use of encrypted email, most still produce messages in plain text; they are like postcards in that others might view the messages in transit or those left in plain view.
Sometimes messages are so badly misaddressed that they cannot be delivered and will end up in the hands of computing staff for redirection. People often make mistakes in addressing their mail that puts private messages in the mailbox of someone other than the intended recipient. If you are the recipient of such a message, common courtesy dictates that you either return the message to the sender with a brief note explaining its misdirection or that you delete the message.
University procedures allow ITS's system administrators to view and modify any files, including email messages, in the course of diagnosing or resolving system problems and maintaining information integrity. ITS system administrators, as part of their jobs, are expected to treat any such information on the systems as confidential. However, if an administrator comes across information that indicates illegal activity, he or she is required to report the discovery to appropriate authorities. For example, electronic mail messages that carry threats to persons or their immediate families may be prosecuted and punished as felonies under Virginia law. If an ITS system administrator inadvertently encounters an email message containing a threat or other illegal content, it will be turned over to law enforcement officials.
University policies prohibit certain other kinds of email messages. For example, email, University computers, and the University network cannot be used by individuals for commercial purposes or for personal gain. Such policies pertain to email just as they do to any other University resource and are enforced when brought to the attention of appropriate University officials.
Large-scale mailings (to more than 1,000 addresses) impose loads on the University's electronic mail services. They should be used judiciously and often require approval from the president, executive vice president, other vice presidents or deans. You will be wise to coordinate any large-scale mailing with the University's email postmaster (email@example.com). For guidance, see the mass email procedure.
Email accounts are vulnerable to malicious use when others know the owner's computing ID and password; carefully protect your electronic identity from use by anyone other than you. Your email account is also subject to misuse when you leave open a computing session that you have begun in a University computing lab (or other shared-computer locations) or when you fail to logout from the University Web Mail service before you close your browser. It is prudent to reboot the computer you use in any shared-computer setting when you finish your work there or when you leave any workstation, even if you plan to return to it soon. You are held accountable for any misuse of your email account.
Other important tips related to email:
- Remember, the email messages you send become the possession of the receiver. They can easily be redistributed by recipients, and rules of disclosure by their systems apply to mail they received from you. When in doubt, double-check the addresses of your intended recipients.
- Do think before you send email—once sent, it is almost impossible to keep email messages from reaching their destinations.
- Realize that University policy and secure passwords provide good but not complete assurance of the privacy of your email messages. When the confidentiality of a message is of the utmost importance, only a person-to-person conversation may be sufficiently secure.
- Delete messages that should not be preserved.
- Never send or forward chain mail, whether it promises fame and fortune, or even supposed donations for a sick child. In virtually every known case, the claims made by such messages are untrue. A message that has been forwarded ten or more times is by definition in our policy a chain letter. This policy violation is a waste of computing resources and a nuisance and often offends recipients.
- Don't pass on unconfirmed rumors—especially about viruses—because they often only cause needless panic. The Suspicious Email Alerts page provides a useful list of malicious email messages known to be circulating at UVa (please bookmark this page!).
- Don't open or execute attachments about which you have any question, even if they appear to be coming from a friend. Attachments have become an increasingly popular way of automatically distributing viruses, and your friend may not even know that his or her email account is being used for that purpose.
- Configure your email program so that attachments are only opened when you choose to open them.
- If you are sending attachments, include personalized text and specific references to the attachment (i.e., "Attached, in Word format, is my paper on...") to help the recipient know that the message and attachment are indeed from you.
- University policy prohibits use of University resources, computing or otherwise, for commercial purposes.
V. About Web Pages and Individual Websites
The University's Web server and software tools provide the opportunity for you to develop and publish an individual website, if you are permitted to do so under the rules of your particular workplace. ITS's Training Services group and the University Library provide courses designed to help you create a website. Remember that you are expected to act responsibly when publishing Web pages, just as you are in all use of computing resources at the University.
All users of University computing systems must comply with the requirements of responsible computing in the University environment, as outlined here and in the full array of University computing policies (see http://its.virginia.edu/policy/). Individual users assume full legal responsibility for the content of their Web pages, and they must abide by all applicable local, state, and federal laws, including laws of copyright. Copyright law pertains to many types of materials, including cartoons, pictures, graphics, text, song lyrics, and sounds (including most MP3 and other files shared via so-called peer-to-peer procedures). See Section VI for additional important information about copyright.
The University is not responsible for the content of Web pages other than those defined as its "official" Web pages (the official Web pages of University schools, departments, divisions, and other units). As a neutral provider of computing services and access to the Internet, ITS does not review in advance or monitor the content of any materials transmitted, received, published or stored on or otherwise available through its systems. If ITS receives complaints regarding the content of such materials, it will refer the complaint to the appropriate disciplinary system within the University, and it will cooperate with any resulting investigation in accord with the policies, procedures, and principles described or cited in this handbook. You are also responsible for the way you handle information you gather using your Web pages (to review the University's practices for its own Web pages, see http://www.virginia.edu/copyright.html#3).
Assumptions about audiences who will see information you publish
You will be wise to remember the very public nature of information you disseminate on the Internet through the World Wide Web. Information in a Web page is often available to everyone who can get to the Web. You must not assume that your information is restricted to only a close circle of colleagues, or even to the University of Virginia community.
Fundraising and Advertising
You may not use Web pages for fundraising or advertising for commercial or non-commercial organizations, except for University-related organizations and University-related events and in accord with policies governing these activities.
Use of the University Name, Logo, Seal, or Photographs
You may not use the University name in your Web pages in any way that implies University endorsement of other organizations, products, or services. You may not use University logos and trademarks, including the crossed sabers and "V," the Cavalier mascot, the University seal or photographs copyrighted by the University. Photos from the University's home page and secondary pages are copyrighted by the photographers, including the Lawn panoramic photo on the home page, and cannot be used or reproduced in any form. Requests for permission to use the University logos or seal in Web or print publications should be directed to the Office of Web Communications (email firstname.lastname@example.org or phone (434) 924-4524. The Director of Licensing in Sports Marketing must approve the use of trademarks and logos for any other purpose. Call (434) 982-5600 for assistance.
VI. Copyrights: Ethical and Legal Use
As noted above, unauthorized use of copyright-protected or licensed materials (including, but not limited to, graphic images, movies, music or audio files, and written word) is a serious matter and is a violation of federal law. Any individual who reproduces and/or distributes digitized copyrighted material without permission and in excess of "fair use" has violated federal digital copyright law, has put him or herself at real personal risk for a lawsuit brought by the copyright owner, has violated University policy and the Employee Standards of Conduct. An introduction to copyright law and University copyright policy is at http://www2.lib.virginia.edu/policies/copyright/. See also http://its.virginia.edu/policy/copyright.html.
Individuals who use software, such as KaZaa, iMesh and Gnutella, to listen to or view files over the network often unknowingly allow their computers to be used by the software to share these files and all the individuals' personal files with everyone on the Internet. Be aware that the penalties cited above apply in these cases. The University will not protect individuals who use or share (knowingly or not) copyrighted materials without an appropriate license to do so.
Copyright laws and policies also apply to software. Most software available for use on computers at the University of Virginia is protected by federal copyright laws. The software provided through the University for use by faculty, staff, and students may be used only on computing equipment as specified in the various software licenses. Licenses sometimes specify that you may use the software only while you are a member of the UVa community.
It is the policy of the University to respect the copyright protections given to software owners by federal law. It is against University policy for faculty, staff, or students to copy or reproduce any licensed software on University computing equipment, except as expressly permitted by the software license. Of course, faculty, staff, and students may not use unauthorized copies of software on University-owned computers.
It is worth repeating that at the University of Virginia, unauthorized use of copyrighted material of all types is a serious matter. Any such use is without the consent of the University and is subject to University disciplinary action and possible prosecution through the federal court system.
VII. Good Citizenship in the Internet Community
As more than one writer has observed, the Internet isn't a thing; it is neither an entity nor an organization; it isn't owned or run by anyone. It is a world of millions of publishers with some of the characteristics of a frontier. The only code of behavior on that frontier is one that demands individual responsibility and accountability and that rewards those attributes with rational self-government, albeit quite limited in scope. The University provides Internet access to faculty, staff, and students with the expectation that they be good, responsible, and accountable Internet citizens. But, what does that mean in practical terms? How can you be a good Internet citizen?:
VIII. Threats to Your Online Safety and Security
The Internet community is under regular attack—at varying levels of seriousness—from "outlaws." Such outlaws (both within our community and outside it):
- steal other people's computing IDs and passwords;
- disrupt computer systems and networks;
- flood electronic mail systems with unwanted messages (spam);
- send forged electronic messages from celebrities, politicians, the University president, a faculty member or, maybe, YOU;
- post messages that threaten other people;
- spread viruses;
- subscribe others to mailing lists, or unsubscribe them, without their permission;
- or invade the privacy of others.
Faculty, staff, and students who do these things at the University of Virginia may lose computing privileges and suffer other severe consequences from the disciplinary entities at the University. They might also be subject to prosecution under state and federal laws.
- Cracking Passwords
- Your password may be guessed or "cracked" if you choose a common word, or a friend's or a pet's name, or your nickname, or the name of your favorite team or the name of a celebrity. Choose a password that combines letters, numbers, and special characters (for example, $, *, !). Whether you use your UVa computing ID and password or not, it is your responsibility to keep them secure. Do not let anyone talk you into "sharing." Don't keep your password and computing ID together. If you can remember your password without writing it down, that is best. Don't tell your friends—or anyone, even someone assisting you with problem solving—what your password is. Change your password regularly. For help choosing a good password, see http://its.virginia.edu/accounts/passwords.html.
- Crashing and Disrupting the System
- Malicious computer users make the system stop working or perform poorly. It's like speeding, shop-lifting, spray-painting cars or slashing tires. These users find out, from a variety of sources—sometimes each other—about things they can do to disrupt the systems. In almost every instance, such behavior violates the law, and, in every instance, it violates University policy. Consequences are severe.
- Forging Email
- It is not hard to forge electronic messages. It also is usually against the law in its own right, and, in connection with the sending of unsolicited bulk email, may violate other state or federal laws.
- Spam is essentially the same message emailed over and over and broadcast to recipients who did not request it. Just because a message is annoying, off-topic or stupid doesn't make it spam; the defining characteristic of spam is the volume with which it is sent. Most common forms of spam violate Virginia law. Spamming is an international problem, however, unfortunately no one as yet has found an effective way to eliminate it. See http://www.virginia.edu/abuse/spamemail.html to understand what you can and can't do about spam. In many cases, simply deleting the unwanted message is the best action you can take.
- Controlling Access to Your Computing Files
- The University's computing environment is designed to be an open environment. Many faculty, staff, and students want or need others to view and use their computer information—their files. An instructor may want students to find a class assignment on the network. A student may want to share some information with friends. Computer systems are designed to let this happen.
But many faculty, staff and students do not want others seeing their messages, work or research. On computers, you can control who can see your files by protection settings. Use these settings as you would locks to keep your files private. However, malicious users realize that many people don't know how to use the settings. If you need help in using the settings, introductory computing documents are available on ITSWeb (i.e., at http://its.virginia.edu/security/) and by contacting the UVa Help Desk.
Because some people don't know how to limit access to their files, sometimes information is left unintentionally unprotected. When people are good citizens of the Internet community, unprotected files are not a problem. Good Internet citizens respect one another's privacy. Persons who gain access to resources either by directly breaking into them or because they are just poorly protected violate the Ethics in Computing Usage policy, among an array of other University policies. If you have any doubt about whether any resources or materials were intended to be public, ask the owner before you look. If you happen across resources or materials that you suspect weren't intended to be public, let the owner know. That owner may have no idea that he or she has left something open to worldwide viewing.
IX. What You Should Do if You are a Victim of Computing Abuse or Irresponsible Behavior
Unfortunately computer abuse, malicious behavior, and unauthorized account access do happen. Should any of these things happen to you, report them to ITS, your system administrator or other appropriate University authority. Computing resource abuse should be reported to the electronic mail address email@example.com. This step will alert a number of ITS and University staff to your situation. Abuse cases are handled individually and confidentially. For more information, see the website at http://www.virginia.edu/abuse.
X. Security and Connecting Your Equipment to the University Network
If you connect your personal computer equipment or that of a vendor or a research sponsor to the University network, you are responsible for the security of your resources—not only for risks to the resources themselves but also for the possibility that your unsecured resources can be used by anyone on the Internet as remote locations to mount attacks on other computing systems.
Any misuse of your equipment through your neglect in providing safeguards may be reason to deny access for your equipment to our network. "Neglect" in this instance may take many forms—here are a few:
- Failure to:
- use a strong password
- limit access to your equipment
- keep files from unknown sources off your equipment
- back up your files
- use up-to-date antivirus software
- use great caution in opening email attachments
- keep your operating system up-to-date
- keep application software updated
- turn off or delete unneeded software features
For more details on the security-related responsibilities of connecting equipment to the University network, see http://its.virginia.edu/policy/netdevices/. Also, ITS's Security website posted at http://its.virginia.edu/security provides helpful guidance for keeping you computer secure.
XI. Disciplinary Action for Abuse of Computing Privileges
Faculty and staff at the University have both rights and responsibilities. Faculty Rights and Responsibilities are listed in the Faculty Handbook available online through the World Wide Web at http://www.virginia.edu/provost/policies.html. Staff will find similar information listed in the Human Resources Policies and Procedures Manual available at http://www.hrs.virginia.edu/policies.html.
Prohibited conduct related to computer access and use for which faculty and staff may be subject to disciplinary action are defined in their respective "standards of conduct." Included are:
- The use of obscene or abusive language (a Group I offense for staff, resulting in written notice; three "active" Group I offenses result in suspension without pay);
- Unauthorized use or misuse of state property or records which includes electronic data (a Group II offense for staff, resulting in written notice and/or suspension without pay);
- Willfully or negligently damaging or defacing state records, state property or other persons' property (a Group III offense for staff, resulting in written notice and removal or notice and suspension of up to 30 workdays without pay);
- Falsification of records; and
- Theft or unauthorized removal of state records, state property or other persons' property.
Of course, violations of law that occur in the context of computing activities also have serious consequences in each disciplinary system at the University.
Sanctions involving central University computing and communications resources for violation of policy or for law are set by the various disciplinary entities, then communicated to and carried out by ITS. In instances of immediate threat to the computing and communications systems, ITS takes direct and immediate action to safeguard the resources it is charged to protect.
XII. How ITS Handles Computer Violations
You will find more details about how ITS handles allegations of faculty, staff or student abuse of computing resources in the firstname.lastname@example.org website (http://www.virginia.edu/abuse/). Briefly, for faculty and staff:
- When ITS is notified (usually through email@example.com) that a faculty or staff member appears to be abusing computing resources, all of his or her computing privileges may be suspended immediately when such an action is warranted to protect the computing resources and to assure reliable service to the rest of the community.
- Often, ITS staff will notify the faculty or staff member through phone contact, electronic or U.S. mail of the apparent violation. Frequently, the matter is resolved at that step by explanation from the faculty or staff member, and, in the case of minor issues, assurance from the faculty or staff member that the behavior will not continue. If computing access has been suspended, it is usually restored at successful conclusion of this step.
- If the matter cannot be resolved at Step 2, ITS may refer the matter through University offices responsible for disciplinary processes, the choice of which depends on the role of the person alleged to have committed the misdeed (i.e., the person's supervisor, the Office of the Provost, the Office of Human Resources), or through law enforcement officials if the matter involves an apparent violation of law. Computing access may remain suspended during these processes. Sometimes, individuals in the University community who are complaining about the behavior take the matter directly to those University disciplinary entities or to law enforcement.
XIII. UVa Computing Policy Digest
It is your responsibility as a user of the University of Virginia's computers and networks to be familiar with the policies that govern their use. By using your computing ID at UVa, you automatically agree to abide by all of the policies, terms, and conditions, including but not limited to the information in this publication and the policies posted at http://its.virginia.edu/policy.
Have further questions? Please contact the UVa Help Desk.