CINXE.COM

650-18: Authorized and Acceptable Use of Institutional Information and IT Resources | Campus Administrative Policies

<!DOCTYPE html> <html lang="en" dir="ltr"> <head> <meta charset="utf-8" /> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-1557428-4"></script> <script>window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments)};gtag("js", new Date());gtag("set", "developer_id.dMDhkMT", true);gtag("config", "UA-1557428-4", {"groups":"default","anonymize_ip":true,"page_placeholder":"PLACEHOLDER_page_path"});</script> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="icon" href="/themes/custom/echo/favicon.ico" type="image/vnd.microsoft.icon" /> <link rel="canonical" href="https://policies.ucsf.edu/policy/650-18" /> <link rel="shortlink" href="https://policies.ucsf.edu/node/1316" /> <title>650-18: Authorized and Acceptable Use of Institutional Information and IT Resources | Campus Administrative Policies </title> <link rel="stylesheet" media="all" href="/sites/policies.ucsf.edu/files/css/css_Rajt4_YRQrYvR2MIxCMN_sUteacsI7yJVq5AjzfHLgQ.css?delta=0&amp;language=en&amp;theme=echo&amp;include=eJxljlEOAiEQQy9E4EhkFhoWHRgyA27W02v0Q6M_TfuaNCUzzFj7BWmKhmTmRTMUOXK16ei_H8I1VVicB-hqrogURqROfM6aLPwCZ6dNtLCRwSHt8uUazKjA3qmwbMQuiSJ00UZc73C3isPCS32TvBhukFJRGruFrGsQ-w_xq4-1Pd_vyO_ZLhkP7r9bHQ" /> <link rel="stylesheet" media="all" href="/sites/policies.ucsf.edu/files/css/css__w7sDDiRyjWCJbddL89wyQcxCsvqmisFtsmMRlMtl_0.css?delta=1&amp;language=en&amp;theme=echo&amp;include=eJxljlEOAiEQQy9E4EhkFhoWHRgyA27W02v0Q6M_TfuaNCUzzFj7BWmKhmTmRTMUOXK16ei_H8I1VVicB-hqrogURqROfM6aLPwCZ6dNtLCRwSHt8uUazKjA3qmwbMQuiSJ00UZc73C3isPCS32TvBhukFJRGruFrGsQ-w_xq4-1Pd_vyO_ZLhkP7r9bHQ" /> <link rel="stylesheet" media="all" href="/sites/policies.ucsf.edu/files/css/css_fFrhmlZnn6E9v7vV61mIYCTucHZ5S90imq_4Qhm3_zk.css?delta=2&amp;language=en&amp;theme=echo&amp;include=eJxljlEOAiEQQy9E4EhkFhoWHRgyA27W02v0Q6M_TfuaNCUzzFj7BWmKhmTmRTMUOXK16ei_H8I1VVicB-hqrogURqROfM6aLPwCZ6dNtLCRwSHt8uUazKjA3qmwbMQuiSJ00UZc73C3isPCS32TvBhukFJRGruFrGsQ-w_xq4-1Pd_vyO_ZLhkP7r9bHQ" /> </head> <body class="path-node page-node-type-knowledge-base"> <a href="#main-content" class="visually-hidden focusable skip-link"> Skip to main content </a> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="layout-container"> <header class="header" data-search-and-menu-visibility> <nav aria-label="UCSF" class="universal-header"> <a href="https://www.ucsf.edu">University of California San Francisco</a> <a href="https://giving.ucsf.edu" class="universal-header__give">Give to UCSF</a> </nav> <section class="navbar"> <div id="block-echo-branding" class="block block-system block-system-branding-block"> <a href="/" rel="home" id="logo" title="Campus Administrative Policies homepage" class="navbar__logo"> <img src="/themes/custom/echo/images/logos/policies-logo.svg" alt="Campus Administrative Policies homepage" height="53" width="189"/> </a> </div> <nav aria-label="Main" id="block-echo-main-menu" class="block block-menu menu--main"> <ul class="menu menu--level-1"> <li class="menu__item menu__item--level-1 menu__item--has-children"> <button class="menu__link menu__link--button menu__link--level-1 menu__link--has-children" aria-controls="policies-submenu-1" aria-expanded="false" aria-label="Open/Close Policies submenu" type="button">Policies</button> <ul class="menu menu--level-2" id="policies-submenu-1"> <li class="menu__item menu__item--level-2"> <a href="/policy" class="menu__link menu__link--link menu__link--level-2">Policies Home</a> </li> <li class="menu__item menu__item--level-2"> <a href="/policy/all-campus-administrative-policies" class="menu__link menu__link--link menu__link--level-2" data-drupal-link-system-path="policy/all-campus-administrative-policies">All Policies</a> </li> <li class="menu__item menu__item--level-2"> <a href="/policy/subject-areas" class="menu__link menu__link--link menu__link--level-2" data-drupal-link-system-path="policy/subject-areas">Subject Areas</a> </li> <li class="menu__item menu__item--level-2"> <a href="/search" class="menu__link menu__link--link menu__link--level-2" data-drupal-link-system-path="search">Policies Search</a> </li> </ul> </li> <li class="menu__item menu__item--level-1"> <a href="/policy-tools" class="menu__link menu__link--link menu__link--level-1" data-drupal-link-system-path="node/1451">Policy Tools</a> </li> <li class="menu__item menu__item--level-1"> <a href="/related-resources" class="menu__link menu__link--link menu__link--level-1" data-drupal-link-system-path="node/1446">Related Resources</a> </li> <li class="menu__item menu__item--level-1"> <a href="/updates" class="menu__link menu__link--link menu__link--level-1" data-drupal-link-system-path="node/1481">Updates</a> </li> <li class="menu__item menu__item--level-1"> <a href="/contact" class="menu__link menu__link--link menu__link--level-1">Contact Us</a> </li> </ul> </nav> <div id="global-search-dropdown" class="search--header"> <button class="search-icon" aria-controls="global-search-dropdown-form" aria-expanded=false> Search </button> <div class="search__dropdown"> <form id="global-search-dropdown-form" action="/search" accept-charset="utf-8" method="get" autocomplete="off" class="search"> <label for="header-search-input" class="visually-hidden">Search</label> <input id="header-search-input" type="text" name="search" value="" placeholder=Search... class="search__input"> <div class="focus-outline"> <input type="submit" value="Search" class="search__submit"> </div> </form> </div> </div> <button class="nav-toggle nav-toggle--active btn-alt-inverted" aria-controls="block-echo-main-menu" aria-expanded=false aria-label="Toggle Menu"> Menu <span class="nav-toggle__icon"></span> </button> </section> </header> <main class="l-container"> <a id="main-content" tabindex="-1"></a> <div id="block-echo-breadcrumbs" class="block block-system block-system-breadcrumb-block"> <nav class="l-container-breakout breadcrumb-wrapper" aria-label="Page location"> <ol class="breadcrumb l-container" id='top-breadcrumb'> <li class="breadcrumb-item"> <a href="/">Home</a> </li> <li class="breadcrumb-item"> <a href="/policy">Policies</a> </li> <li class="breadcrumb-item"> 650-18: Authorized and Acceptable Use of Institutional Information and IT Resources </li> </ol> </nav> </div> <div class="layout-content"> <div data-drupal-messages-fallback class="hidden"></div> <div id="block-echo-page-title" class="block block-core block-page-title-block"> <div class="node-owner-group"> <h1 class="page-title"> 650-18: Authorized and Acceptable Use of Institutional Information and IT Resources </h1> <p class="node-owner-group__info"> <span class="node-owner-group__subheading">Questions?</span> <span class="node-owner-group__link">Contact <a href="/contact">Campus Administrative Policies</a><span> </p> </div> </div> <div id="block-echo-content" class="block block-system block-system-main-block"> <article class="node node--type-knowledge-base node--view-mode-full knowledge-base"> <div class="l-basic l-container-offset "> <nav class="l-sidebar knowledge-base__sidebar" aria-label="Table of contents"> <input type="checkbox" id="check"> <label for="check" class="box-shadow knowledge-base__mobile-overview-toggle">In this article</label> <h2 class="l-sidebar knowledge-base__sidebar-title">In this article</h2> <ul class="knowledge-base__nav"> <li> <a href="#field-overview"> Overview </a> </li> <li> <a href="#paragraph-10486"> Purpose </a> </li> <li> <a href="#paragraph-8611"> Definitions </a> </li> <li> <a href="#paragraph-11161"> Policy </a> </li> <li> <a href="#paragraph-9841"> Responsibilities </a> </li> <li> <a href="#paragraph-9236"> References </a> </li> <li> <a href="#field-related-sections"> Related Information </a> </li> </ul> </nav> <div class="l-content"> <div class="box-shadow knowledge-base__content background-white"> <h2 id="field-overview">Overview</h2> <div class="node__overview"><p>Defines the scope of authorized and acceptable use of UCSF Institutional Information and IT resources.</p> </div> <div class="section-panel paragraph paragraph--type--text-block paragraph--view-mode--default" id="paragraph-10486"> <h2>Purpose</h2> <div class="clearfix text-formatted field field--name-field-section-body field--type-text-long field--label-hidden field__item"><p>The University of California (University) recognizes and encourages the use of Institutional Information and IT resources (<em>Resources</em>) in support of the University's mission of education, research, community service, and patient care and to conduct University business. This Authorized and Acceptable Use Policy formally defines the scope of authorized and acceptable use of UCSF <em>Resources</em>.</p> </div> </div> <div class="accordion accordion--alt section-panel paragraph paragraph--type--definitions paragraph--view-mode--default" id="paragraph-8611"> <h2>Definitions</h2><dl> <dt class="accordion__title"> <button class="accordion__button" aria-controls="accordion-id-901" aria-expanded="false" id="accordion-title-901">Exceptions to Policy</button> </dt> <dd class="accordion__body" id="accordion-id-901" aria-labelledby="accordion-title-901"> <p>Individuals whose devices or applications are unable to meet UCSF’s Minimum Security Standards for technical reasons must apply for a security policy exception by completing and digitally signing the online form for which instructions are linked immediately below. Upon receiving the completed form with signatures from the individual's department leadership, IT Security will contact you for a consultation. After this consultation the University’s Information Security Officer will respond to your request.</p> <p><a href="https://wiki.library.ucsf.edu/display/ITSI/IT+Security+Exception+Request+Process" target="_blank">Instruction for filling out Security Exception Request Form</a> (UCSF MyAccess login required)</p> </dd> <dt class="accordion__title"> <button class="accordion__button" aria-controls="accordion-id-1116" aria-expanded="false" id="accordion-title-1116">Institutional Information</button> </dt> <dd class="accordion__body" id="accordion-id-1116" aria-labelledby="accordion-title-1116"> <p>A term that broadly describes all data and information created, received and/or collected by UC. The <a href="https://it.ucsf.edu/policies/dataclassification" target="_blank">UCSF Data Classification Standard (Addendum F)</a> defines categories according to their unique protective requirements and provides guidance for identifying appropriate users or recipients. UCSF departments and units should determine in advance the extent to which information should be disclosed to specific users. Determinations should be made based on the nature of the content and the duties of department employees.</p> </dd> <dt class="accordion__title"> <button class="accordion__button" aria-controls="accordion-id-1121" aria-expanded="false" id="accordion-title-1121">Institutional Information Proprietor</button> </dt> <dd class="accordion__body" id="accordion-id-1121" aria-labelledby="accordion-title-1121"> <p>The individual, identified group, committee or board designated responsible for the information and the processes supporting the University function. Institutional Information Proprietors are responsible for ensuring compliance with federal or state statutory regulation or University policy regarding the release of information according to procedures established by the University, the campus, or the department as applicable to the situation. Examples of responsibilities of Institutional Information Proprietors include:</p> <ul><li>Assumes overall responsibility for establishing the Protection Level classification, access to and release of a defined set of Institutional Information.</li> <li>Classifies Institutional Information under their area of responsibility in accordance with these policies.</li> <li>Establishes and documents rules for use of, access to, approval for use of and removal of access to the Institutional Information related to their area of responsibility.</li> <li>Notifies Units, users, Service Providers and Suppliers of the Institutional Information Protection Level.</li> <li>Approves Institutional Information transfers and access related to their areas of responsibility.</li> <li>Notifies Units, Service Providers and Suppliers of any changes in requirements set by the Institutional Information Proprietor.</li> </ul> </dd> <dt class="accordion__title"> <button class="accordion__button" aria-controls="accordion-id-1186" aria-expanded="false" id="accordion-title-1186">IT Resources</button> </dt> <dd class="accordion__body" id="accordion-id-1186" aria-labelledby="accordion-title-1186"> <p>A term that broadly describes IT infrastructure, software and/or hardware with computing and networking capability. These include but are not limited to portable computing devices and systems, mobile phones, printers, network devices, industrial control systems (SCADA, etc.), access control systems, digital video monitoring systems, data storage systems, data processing systems, backup systems, electronic media, logical media, biometric and access tokens, and other devices that connect to any UC network. This includes both UCSF-owned and personally owned devices while they store Institutional Information, are connected to UCSF systems, are connected to UCSF Networks, or are used for UCSF business.</p> </dd> <dt class="accordion__title"> <button class="accordion__button" aria-controls="accordion-id-1561" aria-expanded="false" id="accordion-title-1561">Restricted Information</button> </dt> <dd class="accordion__body" id="accordion-id-1561" aria-labelledby="accordion-title-1561"> <p>Protection of data is required by federal or state law or regulation, or contractual obligation, and may be subject to data breach notification requirements. <a href="https://it.ucsf.edu/policies/ucsf-minimum-security-standards-electronic-information-resources" target="_blank">UCSF Minimum Security Standards</a> apply.</p> <p>Examples include:</p> <ul><li>Personally Identifiable Information (PII)</li> <li>Protected Health Information (PHI)</li> <li>Research Health Information (RHI)</li> <li>Payment Card Industry (PCI) Data</li> <li>Confidential Security Information</li> <li>Licensed Proprietary IP and Product Development Information</li> </ul> </dd> <dt class="accordion__title"> <button class="accordion__button" aria-controls="accordion-id-1626" aria-expanded="false" id="accordion-title-1626">Sensitive Information</button> </dt> <dd class="accordion__body" id="accordion-id-1626" aria-labelledby="accordion-title-1626"> <p>Protection of data is required by the data owner or other confidentiality agreement and may be required by federal or state law or regulation or by policy. <a href="https://it.ucsf.edu/policies/ucsf-minimum-security-standards-electronic-information-resources" target="_blank">UCSF Minimum Security Standards</a> apply.</p> <p>Examples include:</p> <ul><li>University Intellectual Property</li> <li>De-identified Health Information</li> <li>Employee Information</li> <li>Sensitive Faculty Activities</li> <li>Student Information</li> <li>Donor Information</li> <li>Current Litigation/Investigation Materials</li> <li>Contracts</li> <li>Physical Building Designs</li> <li>Financial Information</li> </ul> </dd> <dt class="accordion__title"> <button class="accordion__button" aria-controls="accordion-id-1956" aria-expanded="false" id="accordion-title-1956">Workforce Member</button> </dt> <dd class="accordion__body" id="accordion-id-1956" aria-labelledby="accordion-title-1956"> <p>Any UCSF employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.</p> </dd> </dl> </div> <div class="section-panel paragraph paragraph--type--text-block paragraph--view-mode--default" id="paragraph-11161"> <h2>Policy</h2> <div class="clearfix text-formatted field field--name-field-section-body field--type-text-long field--label-hidden field__item"><p>This Policy does not prohibit units within UCSF from having additional authorized and acceptable use policies and guidelines as necessitated by legal constraints or business requirements. Deviations from this Policy, however, cannot be less stringent than this Policy, must be properly documented and approved, and must be made available in a location accessible to affected Workforce Members.</p> <p><strong>A. Authorized Use</strong></p> <p>Usage of and access to UCSF <em>Resources</em> is limited to Workforce Members and is considered a privilege, not a right. UCSF reserves the right to revoke or curtail access privileges at any time and does not provide any guarantee for availability and reliability of <em>Resources</em>.</p> <p>Access by Workforce Members shall be limited to the minimum necessary to further the University’s mission and to conduct University business. Controls shall be used to minimize risk of abuse and/or information security incidents.</p> <p>For the purposes of this Policy, users of <em>Resources</em> meant for public use, including but not limited to Internet kiosks and publicly accessible web servers, are considered Workforce Members and fall within the scope of this policy.</p> <p><strong>B. Acceptable Use</strong></p> <p>Examples of acceptable and unacceptable uses are described below.</p> <ol> <li><strong>Copyrights and Licenses</strong>—Workforce Members shall respect all copyrights and licensing agreements. <ol> <li>Copying—Software shall not be copied except as permitted by copyright law or a license agreement.</li> <li>Number of simultaneous Workforce Members—The number and distribution of copies shall be handled so the number of simultaneous Workforce Members does not exceed the number of copies purchased, unless otherwise stipulated in the purchase contract.</li> <li>Plagiarism—Copied material shall be properly attributed. Plagiarism of electronic information is subject to the same sanctions as in any other medium.</li> </ol> </li> <li><strong>Integrity</strong>—Workforce Members shall not interfere with the normal operation of any <em>Resources</em>. <ol> <li>Modification, damage, or removal—Workforce Members shall not intentionally modify, damage, or remove <em>Resources</em> owned by the University or Workforce Members without proper authorization from UCSF or the owner of the <em>Resource</em>.</li> <li>Encroaching on others’ access and use—Workforce Members shall not intentionally encroach on others’ access and use of <em>Resources</em>. This includes but is not limited to: <ul> <li>the sending of chain-letters or excessive messages (size or volume)</li> <li>printing excessive copies </li> <li>running grossly inefficient programs when efficient alternatives are available</li> <li>unauthorized modification of <em>Institutional Information;</em> attempting to disable or prevent authorized access to Institutional Information </li> </ul> </li> <li>Unauthorized or destructive programs—Workforce Members shall not intentionally develop or use programs such as, but not limited to: viruses, backdoors, and worms which: <ul> <li>disrupt other Workforce Members</li> <li>access private or restricted portions of the system or identify security vulnerabilities</li> <li>decrypt secure data, or damage the software or hardware components of a <em>Resource</em></li> </ul> <p>Legitimate academic pursuits for research and instruction conducted under the supervision of academic personnel are authorized to the extent the pursuits do not compromise the University’s <em>Resources</em>.</p> </li> <li>Disabling, modifying, testing, or circumventing security controls—Workforce Members shall not intentionally disable, modify, test, or circumvent any <em>Resource</em> security controls without authorization. This includes but is not limited to: <ul> <li>disabling or circumventing authorization and authentication mechanisms</li> <li>intentionally disabling, modifying or removing security logs</li> <li>intentionally causing a security control to fail</li> <li>running any programs which intentionally create numerous security control false positives</li> <li>modifying networks to circumvent security monitoring or access controls</li> <li>intentionally causing or creating the perception of an information security incident</li> <li>using remote access or virtual private networking tools other than those provided by UCSF IT</li> <li>establishing persistent network connectivity to third-party networks </li> </ul> </li> </ol> </li> <li><strong>Use of Campus Network</strong>—All devices that attach to the network must meet the requirements of UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources.&nbsp;Network devices (e.g., wireless access points) attached to the network must also meet the requirements of <a href="https://policies.ucsf.edu/policy/650-14">UCSF Policy 650-14 Network Gateway Policy</a>, which requires device registration with UCSF IT</li> <li><strong>Non-UCSF Devices</strong>—Non-UCSF devices, including personally owned computing devices, are expected to meet <a href="https://it.ucsf.edu/standard-guideline/ucsf-650-16-addendum-b-ucsf-minimum-security-standards-electronic-information">UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources</a> when connected to the UCSF network. For example, a personally owned computer that accesses the UCSF network through a VPN connection is expected to meet those standards. Additionally, any non-UCSF device used to conduct UCSF business (including any storage or processing of UCSF information), must meet those requirements at all times, even when not connected to the UCSF network.</li> <li><strong>Access</strong>—Workforce Members shall not seek or enable unauthorized access. <ol> <li>Authorization—Workforce Members shall not access Institutional Information <em>Resources</em> without proper authorization, or intentionally enable others to do so.</li> <li>Authorization levels <ol> <li>Workforce Member access levels shall not be greater than required to conduct University business, i.e., a Workforce Member who does not conduct system administration on a <em>Resource</em> should not be given system administrator privileges on said <em>Resource</em>.</li> <li>Workforce Members shall not attempt to obtain a higher authorization level without need and permission.</li> </ol> </li> <li>Password and other protection <ol> <li>A Workforce Member who has been authorized to use a password-protected account shall not disclose the password or otherwise make the account available to others.</li> <li>Sharing of accounts is prohibited. Other methods, such as shared file permissions or temporary passwords should be used in cases in which data needs to be shared.</li> <li>When using multi-factor authentication (e.g., Duo), users will approve only valid logins and will not set any level of authentication to default to approved.</li> </ol> </li> </ol> </li> <li><strong>Use of Electronic Communication Records</strong>—Workforce Members may seek out, use, or disclose electronic communication records only for UCSF business in compliance with the <a href="/policy/650-19">UCSF Network Security Monitoring Policy (650-19)</a> and the <a href="https://www.ucop.edu/information-technology-services/policies/electronic-communications.html">UC Electronic Communications Policy (ECP)</a>.</li> <li><strong>Usage</strong>—Workforce Members shall comply with all applicable law and University policy. <ol> <li>Hostile working environment—Workforce Members shall not use <em>Resources</em> in a manner which creates a hostile working environment (including sexual or other forms of harassment), or which violates obscenity laws.</li> <li>Unlawful activities—Workforce Members shall not use <em>Resources</em> for unlawful activities or activities which violate University policy, including fraudulent, libelous, slanderous, harassing, threatening, or other communications.</li> <li>Mass messaging—Workforce Members shall avoid spamming, and other inappropriate mass messaging. Subscribers to an electronic mailing list will be viewed as having solicited any material delivered by the list so long as the material is consistent with the list’s purpose.</li> <li>Information belonging to other Workforce Members—Workforce Members shall not intentionally seek or provide information on, obtain copies of, or modify data files, programs, or passwords belonging to other Workforce Members without the permission of those other Workforce Members.</li> <li>False identity—Workforce Members shall not use the identity of another Workforce Member without the explicit approval of said Workforce Member or mask the identity of an account or machine.</li> </ol> </li> <li><strong>Implying University Endorsement</strong>—Workforce Members shall not imply University endorsement of products or services of a non-University entity from a <em>Resource</em> without approval. Workforce Members shall not give the impression they are representing, giving opinions, or otherwise making statements on behalf of the University unless authorized to do so. To avoid such misrepresentation or misinterpretation, the Workforce Member may use a disclaimer such as “The opinions or statements expressed herein should not be taken as a position of or endorsement by the University of California.”</li> <li><strong>Protection of Restricted/Sensitive Information</strong>—Workforce Members are responsible for maintaining the security of Institutional Information. Restricted/Sensitive Information not necessary for a Workforce Member to conduct University business shall be removed from the <em>Resource</em> or shall have authorizations set so it is inaccessible to said Workforce Member.</li> <li><strong>Political or Religious Use</strong>—UCSF is a not-for-profit, tax-exempt organization and, as such, is subject to federal, state, and local laws regarding the use of University property.<br> <p>In communications relating to religious or political activities or issues, the Workforce Member’s UCSF title may be used only for identification. If such identification might reasonably be construed as implying the support, endorsement, or opposition of UCSF respective to any religious or political activity or issue, a disclaimer shall be used, e.g. “The opinions or statements expressed herein should not be taken as a position of or endorsement by the University of California.”</p> </li> <li><strong>Incidental Personal Use</strong>—Authorized Workforce Members may use <em>Resources</em> for Incidental Personal Use purposes provided such use does not directly or indirectly interfere with the University’s operation of electronic communications resources; interfere with the Workforce Member’s employment or other obligations to UCSF; burden UCSF with noticeable incremental costs; or violate the law or UCSF policy. <ol> <li>Workforce Members are responsible for ensuring any Incidental Personal Use falls within this scope and may be held liable for any damages to UCSF associated with Incidental Personal Use.</li> <li>Any Incidental Personal Use may become University records and subject to disclosure to the University and third parties.</li> <li>Examples of Incidental Personal Use include, but are not limited to: <ul> <li>visiting non-work-related websites; sending personal emails</li> <li>using instant messaging services for personal communications</li> <li>accessing media for which the Workforce Member has access rights</li> </ul> </li> </ol> </li> <li><strong>Commercial Use</strong>—<em>Resources</em> shall not be used for non-University commercial purposes, except as permitted under University policy or with the appropriate approval.</li> <li><strong>Advertisements</strong>—<em>Resources</em> shall not be used to transmit commercial or personal advertisements, solicitations, or promotions, except as permitted under University policy and with the appropriate approval.</li> <li><strong>Non-University Sites and Resources</strong>—External non-University sites and resources accessible through UCSF <em>Resources</em> may have their own policies governing their use. Workforce Members are responsible for understanding and following UCSF policies and/or the remote resources’ policies, whichever are more restrictive.</li> </ol> <p><strong>C. Administrative and Authorization Management</strong></p> <p><em>Resources</em> shall use physical and logical authentication and authorization controls in accordance with University policy and appropriate to the risk level for said <em>Resource</em>.</p> <p>Unauthenticated access and/or authorization shall only be granted if specifically necessitated by an operational requirement or in instances in which authentication and/or authorization are not technically feasible. Examples include but are not limited to:</p> <ul> <li>public Internet kiosks</li> <li>web servers meant for public access, access to information meant for public access. Additional security controls, such as monitoring and logging, shall be deployed in such instances to reduce the risk of abuse and/or information security incidents. Refer to <a href="https://policy.ucop.edu/doc/7000543/BFB-IS-3">UC Policy BFB-IS-3: Electronic Information Security</a> for more information about appropriate controls.</li> </ul> <p>Restricted/Sensitive Information must not reside on a <em>Resource</em> allowing unauthenticated access and/or authorization.</p> <ol> <li>Account Management <ol> <li>Accounts may only be granted to Authorized Workforce Members and must be associated with an identifiable person. An example of an identifiable person is someone who is granted a UCSF ID number.</li> <li>Accounts granted to a Workforce Member who is not a UCSF faculty, staff, or student must designate a UCSF faculty or staff member as being responsible for the account. For further information refer to the guest account link in the References section below. Guest Access must be reviewed and approved by an appropriate UCSF authority, such as a Department chair or a Dean, to ensure the appropriateness of the request.</li> <li>Units responsible for granting access are responsible for ensuring timely removal of accounts and for ensuring proper access levels are maintained.</li> <li>Units are responsible for reviewing their accounts at least once a calendar year to ensure all Workforce Members are still authorized Workforce Members and have appropriate access levels, and to remove or modify access where appropriate.</li> <li>Workforce Member accounts must be deleted, disabled, have their access rights restricted or have their access rights removed from any IT Resource for which they no longer need access at the end of the Workforce Member’s employment within 24 hours, at the time of a full transition of job responsibilities or during an approved leave of absence.&nbsp; If a user transitioning to a new role requires access to resources from their previous role, they may retain them with the former manager’s approval, but upon full transition to their new role, access must be fully disabled within 24 hours.</li> <li>Application owners for non-Active Directory integrated systems are responsible for removing access of users who are leaving the university or are transitioning to another role that will not require them to have access to said system.</li> <li>Accounts which have not been accessed for 180 consecutive days must be reviewed. If not needed, they must be disabled or removed. CISOs may approve longer no-access periods for sabbaticals, leaves or other planned absences.</li> <li>Records of access approvals to Restricted/Sensitive Information should be retained consistent with the requirements of the University <a href="https://policy.ucop.edu/doc/7020454/BFB-RMP-2">Records Disposition Program and Procedures (BFB RMP-2)</a>.</li> <li>An account which is not deleted upon loss of affiliation shall be transferred to another UCSF faculty or staff person designated as being responsible for the account.</li> <li>An individual who terminates his or her UCSF affiliation, but still requires access to UCSF <em>Resources</em>, shall have access privileges modified to restrict access to only those required.</li> </ol> </li> </ol> <p>All such Workforce Members shall be associated with a UCSF faculty or staff member who can ensure their continued access requirements and must have their access and affiliation with the UCSF faculty or staff member documented. Access by such individuals must be reviewed no less than annually to ensure continued access is still required. For further information, refer to the UCSF Guest Access form.</p> <p>Example: When a researcher leaves UCSF, but there is an operational need to occasionally collaborate with UCSF colleagues, access may be granted, provided a UCSF faculty or staff person has been appointed as being responsible for this individual. Such access should be restricted to the minimum needed, reviewed on a periodic basis, and terminated when no longer required.</p> <p><strong>D. Implementation</strong></p> <p>Implementation of this Policy is the responsibility of each Department and School within UCSF and all Workforce Members. All Workforce Members are responsible for understanding this Policy and ensuring their use falls within the scope of this Policy.</p> <p>Deviations from this Policy must be documented and made available to affected Workforce Members. Temporary or minor deviations to this Policy may be handled as <em>Exceptions to Policy</em> and must be documented.</p> <p><strong>E.</strong> <strong>Violations and Sanctions</strong></p> <p>Minor or accidental violations of this Policy may be handled informally through email, education, or discussion.</p> <p>More serious or repeated Policy violations may result in temporary or permanent loss of access privileges or modification of these privileges.</p> <p>Violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion under applicable University policies and collective bargaining agreements. They may also be subject to any federal or state penalties for violations.</p> <p>Individuals who become aware of a violation or potential violation of this Policy should inform their supervisor, department head, or Internal Audit.</p> <p>In the event of a violation of this Policy involving possible unlawful action by an individual, the Locally Designated Official, the employee’s immediate supervisor, or other appropriate official should immediately be notified in accordance with the <a href="https://policy.ucop.edu/doc/1100171/Whistleblower">Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities</a> (the “Whistleblower Policy”). Notification should be made before any action is taken, unless prompt emergency action is required to prevent bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policy, or significant liability to the University or to members of the University community.</p> <p><em>Resources</em> found in violation of this Policy may be removed from the UCSF network or prohibited from connecting to the UCSF network until the violation is mitigated. Notifications of disconnects will be communicated to the Institutional Information Proprietor as quickly as possible; however, <em>Resources</em> may be disconnected prior to notification.</p> <p>UCSF may disconnect or limit access to a <em>Resource, </em>groups of<em> Resources</em>, the UCSF network, and the Internet without notice to protect <em>Resources</em>, both external and internal, under exigent circumstances.</p> </div> </div> <div class="section-panel paragraph paragraph--type--text-block paragraph--view-mode--default" id="paragraph-9841"> <h2>Responsibilities</h2> <div class="clearfix text-formatted field field--name-field-section-body field--type-text-long field--label-hidden field__item"><p>Contact Responsible Office (above) with any questions.</p> </div> </div> <div class="section-panel paragraph paragraph--type--text-block paragraph--view-mode--default" id="paragraph-9236"> <h2>References</h2> <div class="clearfix text-formatted field field--name-field-section-body field--type-text-long field--label-hidden field__item"><ul> <li><a href="https://wiki.library.ucsf.edu/display/IAM/Guest+Accounts">Guest Accounts</a></li> </ul> </div> </div> <div class="views-element-container"><div role="group" class="view view-meta-byline view-id-meta_byline view-display-id-block_1 js-view-dom-id-d10bbdca7ae848fb90e3addcd515cc25aead4569764a4bbfa817424314d11c34"> <div class="view-content"> <div class="meta-byline"><div class="meta-byline-row"><h2 class="meta-byline-title">Subject area</h2><p><a href="/taxonomy/term/2241" hreflang="en">Information Technology</a></p></div><div class="meta-byline-row"><h2 class="meta-byline-title">Policy number</h2><p>650-18</p></div><div class="meta-byline-row"><h2 class="meta-byline-title">Responsible office</h2><p><a href="/taxonomy/term/2006" hreflang="en">Financial and Administrative Services</a></p></div><div class="meta-byline-row"><h2 class="meta-byline-title">Primary content owner</h2><p><a href="/taxonomy/term/2171" hreflang="en">Information Technology</a></p></div><div class="meta-byline-row"><h2 class="meta-byline-title">Reviewed</h2><p><time datetime="2021-09-01T12:00:00Z" class="datetime">September 1, 2021</time> </p></div></div> </div> </div> </div> </div> <section class="background-gray related-text-block l-container"> <div class="related-text-block-section"> <div id="field-related-sections" class="related"> <h2 class="related__title">Related Information</h2> <ul class="related__info"> <li><a href="/policy/650-16" hreflang="en">650-16: Information Security and Confidentiality</a></li> </ul> </div> </div> </section> </div> </div> </article> </div> </div> </main> <footer class="footer"> <a href="/" rel="home" title="Campus Administrative Policies homepage" class="footer__logo"> <img src="/themes/custom/echo/images/logos/policies-logo.svg" alt="Campus Administrative Policies homepage" height="53" width="189"/> </a> <div class="footer__menus"> <nav aria-label="Footer" class="footer__columns"> </nav> </div><nav class="footer__legal" aria-label="Legal Information"> <p class="footer__copyright">© 2024 The Regents of the University of California</p> <ul class="footer__legal-nav"> <li> <a href="https://www.ucsf.edu/accessibility-resources">Accessibility</a> </li> <li> <a href="https://www.ucsf.edu/website-privacy-policy">Privacy Policy</a> </li> <li> <a href="https://websites.ucsf.edu/website-terms-use">Terms of Use</a> </li> <li> <a href="https://websites.ucsf.edu/azlist">A-Z Website List</a> </li> </ul> </nav> </footer> </div> </div> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"","currentPath":"node\/1316","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"google_analytics":{"account":"UA-1557428-4","trackOutbound":true,"trackMailto":true,"trackTel":true,"trackDownload":true,"trackDownloadExtensions":"7z|aac|arc|arj|asf|asx|avi|bin|csv|doc(x|m)?|dot(x|m)?|exe|flv|gif|gz|gzip|hqx|jar|jpe?g|js|mp(2|3|4|e?g)|mov(ie)?|msi|msp|pdf|phps|png|ppt(x|m)?|pot(x|m)?|pps(x|m)?|ppam|sld(x|m)?|thmx|qtm?|ra(m|r)?|sea|sit|tar|tgz|torrent|txt|wav|wma|wmv|wpd|xls(x|m|b)?|xlt(x|m)|xlam|xml|z|zip"},"user":{"uid":0,"permissionsHash":"8b0c82fd0976c61ca946eb928a0694c6243d71b5847c948f050a493eaa6afd99"}}</script> <script src="/sites/policies.ucsf.edu/files/js/js_Aco2iilEAxNSDcEu_WOumNU4H6LnJPwo7xmDA9q-7kI.js?scope=footer&amp;delta=0&amp;language=en&amp;theme=echo&amp;include=eJxljlEOAiEQQy9E4EhkFhoWHRgyA27W02v0Q6M_TfuaNCUzzFj7BWmKhmTmRTMUOXK16ei_H8I1VVicB-hqrogURqROfM6aLPwCZ6dNtLCRwSHt8uUazKjA3qmwbMQuiSJ00UZc73C3isPCS32TvBhukFJRGruFrGsQ-w_xq4-1Pd_vyO_ZLhkP7r9bHQ"></script> <script type="text/javascript"> /*<![CDATA[*/ (function() { var sz = document.createElement('script'); sz.type = 'text/javascript'; sz.async = true; sz.src = '//siteimproveanalytics.com/js/siteanalyze_8343.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(sz, s); })(); /*]]>*/ </script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10