The University provides information technology(IT) and networks with the intent of making information available in an academic setting. Users should understand that this openness brings with it some inherent risks based on the nature of Internet threat sources. Where sensitive information is processed in an official capacity, the IT policies of the university are intended to provide reasonable and appropriate protections to ensure the confidentiality and integrity of such data, while still making that information available to authorized persons.
Yes, the policy applies when you are connected to:
- any CWRU network (wired or wireless, or via remote access technologies such as Virtual Private Networking/VPN) and using the connectivity and bandwidth that CWRU provides to the community.
- all information technology resources used to conduct University business, and/or to manage sensitive University information.
- any vendor-provided IT resources which are contractually managed by CWRU.
The practice of individual user account sharing is prohibited.
CWRU systems have been designed to be self-help by nature. If you share your CWRU ID and password, you are reminded that your credentials provide access to your payroll, human resources, and benefits functions, as well as email. That means the person you have shared your credentials with can gather your sensitive information and perpetrate Identity Theft crimes against you.
To avoid the negative impact of account theft, you should change your password immediately and be watchful for signs that someone else is using your account. You should also enroll in the CWRU Multi-factor authentication systems, and use it where available, to protect your CWRU online access from password theft.
AUP violations should be reported to your manager, department chair, or dean (as applicable) who will then have the option to notify CWRU Information Technology Policy(policy[at]case[dot]edu). Depending upon the severity of the violation (e.g. illegal activity, threats of violence, etc.), actions are taken that may include network triage. If an initial investigation produces evidence which indicates an AUP violation has taken place, CWRU UTech will work through the appropriate supervisory channels. Sanctions for violations are clearly delineated in the AUP document.
If you feel threatened or in personal danger by any online behavior from a CWRU user via CWRU IT systems, please call CWRU Police at 216.368.3333.
The University may temporarily suspend or block access to an account prior to the initiation or completion of a disciplinary process when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of university or other computing resources or to protect the university from liability.
The sharing of email and similar information is permitted, it is just the sharing of your user credentials that is prohibited. The optimal approach to solve this issue is to set email delegation (search for 'Gmail Delegation' in the CWRU Help Desk site) to the department assistant, or using a mailing list or personal alias to share specific incoming mail messages. The UTech Help Desk can also assist users with account delegation.
When the user agreement says that there is routine monitoring, does this mean that my department chair can access my email or hard drive whenever he/she wishes to do so? Don't I have the right to privacy?
Your department chair cannot (and is not permitted to) access your CWRU email, network backups, or local hard drive (without your cooperation) under the existing policies without first working through the recognized administrative processes for approval. For faculty, this would mean working through the dean of the pertinent school, then Chief Information Officer (CIO). For staff, Human Resources needs to be involved first and then the CIO is contacted. For graduate and professional school students, either the appropriate college dean or Dean of Graduate Studies would be required to request CIO approval. For undergraduate students, the Dean for Student Affairs would have to approve it before requesting assistance from the CIO.
Any direct active monitoring of individuals by departmental staff without approval is considered to be a violation of the AUP as well.
Routine monitoring means that network usage is noted, unusual connections (indicative of malicious outside users hijacking the current systems) may be investigated, and under those circumstances, email, voice mail, voice connections may be seen by authorized CWRU employees. The auditing of network and system logs is another example of routine monitoring. In the event law enforcement needs access to university information, the university may cooperate with law enforcement authorities in consultation with the University office of General Counsel. There should be no expectation of an inherent right to privacy--such rights cannot be guaranteed within the myriad IT uses at CWRU.
The only staff authorized to conduct direct active monitoring activities are in the Information Security Office, and then only with the focus of investigating a security issue, an internal administrative action, or network use/misuse.
The University may also specifically monitor the activity and accounts of individual users of university computing resources, including individual login sessions and communications, without notice, when
(a) the user has given permission or has voluntarily made them accessible to the public, for example by posting to a publicly-accessible web page or providing publicly-accessible network services;
(b) it reasonably appears necessary to do so to protect the integrity, security, or functionality of the university or other computing resources or to protect the university from liability;
(c) there is reasonable cause to believe that the user has violated, or is violating, this policy;
(d) an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns; or
(e) it is otherwise required or permitted by law. Any such individual monitoring, other than that specified in "(a)", required by law, or necessary to respond to perceived emergency situations, must be authorized in advance by the Chief Information Security Officer or their designees. For example, under circumstances where business or legal need so requires, the University may copy, save, and review users' email messages and other evidence of electronic activities.
P2P systems can use less bandwidth, enable faster file transfers, reduce redundancy, and enable peers to connect directly with one another without going through a central authority. The software for P2P systems do not have central file repositories neither do they have central authorities to verify the quality and legality of files within their systems. This shifts the burden of responsibility to users who must personally ensure that they only share and download safe and legal materials.
Sharing and downloading copyrighted material, without permission of the owner is illegal and thus a violation of the AUP. Most people know that; but when movies, songs, games and other files are discovered via P2P networks it can sometimes be difficult to tell whether they were shared legally or not. When in doubt users should do further research to find out if the copyright holder authorized the distribution.
Provisions of the Higher Educational Opportunity Act (HEOA) of 2008 require universities to "effectively combat" illegal P2P file sharing. In light of the HEOA provisions, the Recording Industry Association of America (RIAA) has recently halted the process of litigation of students for illegally sharing copyrighted materials, but they will continue to monitor file sharing networks for copyright violations. They will notify network service providers, such as CWRU, who are still obligated to take appropriate actions on copyright violation notifications.
Although a limited amount of the use of your work e-mail may be used for personal matters, employees, staff, and faculty are encouraged to use an alternate personal e-mail account for clearly non-university business such as commerce, personal correspondence, and political messages.
May I use my personal computer or other equipment to conduct University business? Yes you may, however you have to comply with the university's policies for protection of any sensitive information. Individual departments may proscribe more stringent controls which may make the use of personally owned equipment impractical. Ensure you seek approval of your manager or system owner before using personal property in your work IT environment.