Acceptable Use Policy
Approved by: Information Security Steering Committee (ISSC)
Prior Review: 5/2/22
Revised Date: 3/15/23
Purpose
In the interests of learning and research, and to support its academic, research, and administrative functions, Touro University (TU) provides students, faculty, and staff with access to computer and network resources. TU seeks to promote and facilitate the proper use of Information Technology. However, while the tradition of academic freedom will be fully respected, so too will the requirement of responsible and legal use of the technologies and IT facilities that are made available to faculty and staff. This Acceptable Use Policy (AUP) is intended to provide a framework for the use of TU's IT resources and should be interpreted to have the widest application. This AUP addresses the entire TU Community.
Institutional technology resources, facilities, and/or equipment include all technology-based resources, facilities, and/or equipment that are owned and/or operated by TU as part of its mission. The basic rules for use of the institutional technology resources, facilities, and/or equipment are to act responsibly, to abide by the TU's policies as specified in the TU Handbooks, and to respect the rights and privileges of other users. Each user of TU technology resources is responsible for adhering to all legal and ethical requirements in accordance with the policies of TU and applicable law.
TU technology resources, facilities, and/or equipment may only be used by TU community members as per Touro Employee and Student Policies unless otherwise authorized by the President, Provost or their designated alternates (VP, Dean, or above). Members of the TU community may not allow other person(s) to utilize TU's technology resources, facilities, and/or equipment.
All users of TU IT resources (hereafter referred to as "users") must acknowledge, upon initial employment or promotion, or other appropriate time, the AUP upon signing in to the TouroOne system. A copy of the Policy is also available online. In acknowledging the AUP, each individual will be certifying that he/she has read and will comply with the AUP. This Policy contains elements that intersect with other policies at TU. Should there be questions as to which policy applies, requests for clarifications should be addressed, in writing, to the CISO at CISO@Touro.edu.
Scope
This policy applies to all users (students, faculty, staff, consultants, vendors, volunteers, temps, etc.) of IT resources in all departments of TU.
Definitions
Term | Definition |
---|---|
TU | Touro University includes all New York campus locations, including NYMC and all California, Nevada, Illinois and all foreign locations. |
Touro systems | Computer systems owned and operated by Touro as well as Touro licensed cloud-based systems used by Touro employees and students in the course of their employment or studies. |
IMPORTANT DISCLAIMER
This policy does not form a contract. Touro University (TU) reserves the right to amend, revoke this policy, in whole or in part, at any time, with or without notice in its sole discretion. The policy is neither written nor meant to confer any rights or privileges on an individual or equity or bypass any obligations on TU other than its obligations under the law. As with all TU policies, this policy is written for informational purposes only, may contain errors and may not be applicable to every situation or circumstance. Any dispute, claim or controversy arising out of, or related to this policy, which is not resolved through TU's internal procedures (hereafter, "Disputes") shall be resolved exclusively through final and binding expedited arbitration conducted solely by the with a neutral arbitrator affiliated with an established and reputable organization engaged in alternative dispute resolution (“ADR Organization”) in accordance with the Rules then in effect. The location of the arbitration shall be at a convenient office on a Touro campus where the student is (or was last) affiliated.
Policy and Implementation
TU IT resources are provided primarily for academic (including support of research, and laboratory-related activities) and communication purposes to facilitate a person's academic or administrative role (Faculty, Staff, Student) within the TU Community. Other uses, such as personal electronic mail or recreational use of the Internet are not rights but privileges, which may be withdrawn. Any such use must not interfere with the user's duties or studies or any other person's use of computer resources and must not, in any way, damage TU's reputation.
TU-provided email addresses must be used for all official TU business to facilitate official TU communication, auditability and institutional record keeping. All individuals in the TU community ("members") are obligated to read their TU-supplied email, which is considered the official means of communication for TU.
Authorization
To use the computing resources of TU, a person must be a member of the TU community. Members will be issued a username, password and email address (nonmember guests will not be issued a TU email address). Authorization for other services may be requested by application based on need. Use of TU technology resources implies, and is conditional upon, acceptance, via electronic signature, of this Acceptable Use Policy.
All individually allocated usernames, passwords and email addresses are for the exclusive use of the individuals to whom they are allocated. The user is personally responsible and accountable for all activities carried out under his/her username. The password associated with a particular username must not be divulged to any other person, and any attempts to access or use any username or email address, which are not authorized to the user, are prohibited. All users must correctly identify themselves at all times. A user must not masquerade as another, withhold his/her identity, or tamper with audit trails. A user must take all reasonable precautions to protect his/her resources. In particular, passwords used must adhere to current password policy and practice.
Privacy
TU sees privacy, not regulated by law (such as Family Educational Rights and Privacy Act (FERPA) or Health Insurance Portability and Accountability Act (HIPAA)), as a privilege and not an absolute right. Therefore, members should not hold or pass information that they would not wish to be seen by staff responsible for their administrative or academic-related work.
After a member of the TU community leaves TU, files left behind on any computer system owned by TU, including servers, cloud based services and electronic mail files, will be kept for a period consistent with record retention policies of TU and then destroyed. Records maintained on TU's systems, including cloud based systems, are the sole and exclusive property of TU and no privacy right attaches to such records and those records may be viewed by authorized personnel with a need to know within the Institution even if they are otherwise privileged.
Acceptable Use
Use of Technology resources is expected for academic (teaching, research including laboratory), administrative, and communication purposes. Acceptable use of TU IT resources may be summarized as follows:
- Users are required to abide by all intellectual property, copyright or similar laws or regulations. Plagiarism, in any form, is unacceptable at TU.
- Conventional norms of behavior apply to IT-based media, just as they would apply to more traditional media. Within TU, this would mean that the tradition of academic freedom will always be respected. TU, as expressed in relevant handbooks, is committed to maintaining an educational and working environment that provides equality of opportunity, and freedom from discrimination on the grounds of race, religion, sex, sexual orientation, national origin, age, disability or special need.
- All users of TU technology services must not disable anti-virus or automated mechanisms that update virus signatures or prevent security patches on workstations from being applied; all workstations must be adequately protected against viruses and malware, through the use of up-to-date anti-virus software with the latest tested security patches installed. Reasonable care should also be taken to ensure that resource use does not result in a denial of service to others.
- Users of services external to TU are expected to abide by any policies, rules, terms of service or use, and codes of conduct applying to such services. Any breach of such policies, rules, terms of service or use, and codes of conduct that are reported to TU may be regarded as a breach of this Acceptable Use Policy and be dealt with accordingly. The use of TU credentials to gain unauthorized access to the facilities of any other organization is similarly prohibited.
- TU information stored on electronic and computing devices whether owned or leased by TU, the employee or a third party, remains the sole property of TU. You must ensure through legal or technical means that proprietary information is protected in accordance with TU Policies.
- You have a responsibility to properly dispose of technology used to store TU data in accordance with TU disposal policies, promptly report the theft, loss, or unauthorized disclosure of TU devices and proprietary information.
- For security and network maintenance purposes, authorized individuals within TU may monitor equipment, systems and network traffic at any time.
- Multi-Factor Authentication must be enabled wherever possible for all work-related accounts, and should be enabled for all personal accounts, wherever possible.
Unacceptable Use
Use of Technology resources to interfere with the business of TU is unacceptable. Wrongful disclosure of private health information in areas that are required to abide by the Health Insurance Portability and Accountability Act (HIPAA) will lead to immediate review that could result in termination of employment, expulsion from the program, or breach sanctions enabled associated with business associate agreements for any contractors.
If an employee or student working with HIPAA regulated data wrongfully discloses private health information inadvertently, a warning will be issued. These measures are consistent with what is contained within our HIPAA confidentiality agreement and employee and student handbooks.
Any user logging into our system is monitored by our system logging capabilities. Any contractors working on our behalf are beholden to the bylaws contained within HIPAA as a “business associate”. Unacceptable use of TU IT resources includes, but is not limited to, the following actions:
- Distributing materials which are offensive, obscene, defamatory or abusive. Such material may be illegal and violate TU policies on abuse. Users of TU computer systems must be familiar with, and comply with, TU abuse policies.
- Interfering or attempting to interfere in any way with information belonging to or material prepared by another user. Similarly, no user shall make unauthorized copies of information belonging to another user.
- Intellectual property rights infringement, including copyright, trademark, patent, and piracy is unacceptable. It is unacceptable to download, distribute, or store music, video, or other material for which you do not hold a valid license or other valid permission from the copyright holder.
- Use of TU email to solicit anyone for donations to a charitable cause or to purchase goods or services of any kind, not connected to TU or the job duties of the employee, or to participate in any activity not sponsored by TU, including without limitation, any activity which is political, charitable, social, entertainment, educational, or advocacy, in nature.
- Unsolicited advertising (often referred to as "spam email"), sending emails that purport to come from an individual other than the person actually sending the message (using a forged address), or sending emails that solicit another person's account and password. Note: users who receive unsolicited "spam email" should forward the message to Information.Security@touro.edu for follow up, wherever practical.
- Attempting to break into, gain access to, or damage computer systems or data of TU computers or any other computers for which the individual is not authorized, or attempting to facilitate actions to accomplish same.
- Connecting an unauthorized device to TU's network, such as one that has not been configured to comply with this policy or with any other relevant regulations and guidelines relating to security, IT purchasing policy, and acceptable use.
- Circumvention of network access controls, monitoring or interception of network traffic, without permission; probing for the security weaknesses of systems by methods such as port scanning, without permission; associating any device to network Access Points, including wireless, for which you are not authorized.
- Providing any services to others via remote access. The installed machine on each network segment must be a workstation only and not provide any server-based services, including, but not limited to, Web, File Transfer, Streaming Media server, peer-to-peer facilities, or email services.
- Using TU systems or networks in a manner that violates TU policies or federal, state or local law.
- Use of TU systems or networks for commercial purposes unrelated to TU.
- Reconfiguring or otherwise adjusting any settings on any TU shared computer, device, technology resource, software and/or hardware without explicit permission from the VP for Technology at TU or designated staff.
- Elevating a user's access permissions beyond their job responsibilities. TU community users are assigned the minimum access rights required to perform job-related duties and responsibilities. For faculty and staff, standard computer user rights allow use of applications and tools needed to complete work tasks in a timely fashion. Computer "administrative rights" are reserved for TU IT technology staff as defined by job responsibilities.
- Removing any equipment from TU without explicit permission of TU Administrative Management.
- Sending student (FERPA-governed) or patient (HIPAA-governed) data via email or storing this type of confidential data on any portable device or virtual space outside of TU's administrative control in an unencrypted state.
With Respect to Restricted and Confidential TU Data, access is allowed solely to members of the TU community to perform their job responsibilities. Members of the TU community should not:
- seek personal benefit or permit others to benefit personally from any Restricted or confidential data that has come to them throughout their work assignments.
- make or permit unauthorized use of any restricted or confidential data in any of the TU's computer systems or other records.
- enter, change, delete or add data to any computer system or files outside of the scope of their job responsibilities.
- include or cause to be included in any record or report, a false, inaccurate or misleading entry known to the user as such.
- alter or delete or cause to be altered or deleted from any records, report or information system, a true and correct entry.
- release restricted or confidential data other than what is required in completion of job responsibilities which is consistent with this Policy.
- exhibit or divulge the contents of any record, file or information system to any person unless it is necessary for the completion of their job responsibilities.
Members are strongly encouraged to report any suspected violation of this policy or any other action, which violates confidentiality of data according to the security and incident reporting instructions defined under the security breach section of this policy.
Security Breaches
A suspected computer breach or security incident represents the attempted or successful unauthorized access, use, modification, or destruction of information systems or data. If unauthorized access occurs, computer systems could potentially fail, and restricted and/or confidential information could be compromised. Thus, it is TU's policy that all suspicious activity be immediately reported, especially if the individual has violated this Policy. Additionally, given the potential harm that TU may suffer with the release of any restricted or confidential data, all employees are strongly encouraged to report any suspected violation of this policy or any other action, which violates confidentiality of data. Reporting can be done as follows:
- Faculty should report the incident to their local campus Dean or Department Chairperson or their local IT Director in writing. A copy should be sent to the Chief Information Security Officer at CISO@Touro.edu.
- Non-Faculty should report the incident in writing to their local Manager and their local IT Director. A copy should be sent to the Chief Information Security Officer (CISO) at CISO@Touro.edu.
- All TU technology users are required to inform their campus IT Director and the CISO at CISO@Touro.edu of any security vulnerabilities (loopholes) discovered, and to cooperate in implementing any security measures and procedures needed to close these vulnerabilities.
- TU technology resource users should not execute any form of network scanning (e.g., port, security) without the express written permission of the CISO who will bring these requests for approval to the Information Security Steering Committee (ISSC).
The CISO will coordinate with TU Counsel and Senior Management in reporting computer breaches to law enforcement authorities.
Enforcement
All users are required to abide by the policy.
TU reserves the right to have access to email, files, history and other utilization and audit trail data or information so as to enable TU to monitor equipment, systems and network traffic at any time or to ensure compliance with this Policy and applicable laws.
Any member of the TU community found to have violated this Policy may be subject to disciplinary action, according to the applicable TU handbook.
No exceptions to this Policy will be granted. Individual requests for modifications from this Policy must be made in writing to the Chief Information Security Officer (CISO) who will consult with appropriate Senior Management, and, if granted, will be acknowledged in writing.
Responsibilities
VP for Technology/Chief Information Officer
Chief Information Security Officer
Media Permission
User grants the right and permission, without reservation, to Touro University, and those authorized by Touro University, to photograph and/or videotape user and further to display, use and/or otherwise utilize, in original or modified form, user’s face, likeness, name, information, voice, and appearance forever and throughout the world, in all media, whether now known or hereafter devised, throughout the universe in perpetuity (including, without limitation, in online webcasts, television, motion pictures, films, newspapers, publications or use by third parties) and in all forms including, without limitation, digitized images, whether for advertising, publicity, or promotional purposes, including, without limitation, for the promotion, public education, and/or fundraising activities of Touro University, without compensation, reservation or limitation. Touro University is, however, under no obligation to exercise any rights granted herein. User releases Touro University, its officers, directors, agents, employees, independent contractors, licensees and assignees from all claims that user now has or in the future may have, relating, thereto. User agrees that Touro University, or its grantees or assignees, will be the sole owner of all tangible and intangible rights in the abovementioned photographs and recordings, with full power of disposition. If potential users or user wishes to opt out of this media permission only please send an electronic mail to barbara.franklin@touro.edu. You cannot opt out of the remainder of this Policy and emailing Touro University will not relieve you of your obligations hereunder.
References to HIPAA Laws
Information Access Management | |
---|---|
Isolating Healthcare Clearinghouse Functions | 68 Federal Register 8377 45 CFR 164.308 (a)(4)(ii) |
Access Authorization | |
Information access management | 68 Federal Register 8377 45 CFR 164.308 (a)(4)(ii)(B) |
Establish and Modify Access | |
Information access management | 68 Federal Register 8377 45 CFR 164.308 (a)(4)(ii)(C) |
Protection from Malicious Software | |
Security awareness and training | 68 Federal Register 8377 45 CFR 164.308 (a)(5)(ii)(B) |
Login Monitoring | |
Security awareness and training | 68 Federal Register 8377 45 CFR 164.308 (a)(5)(ii)(C) |
Password Management | |
Security awareness and training | 68 Federal Register 8377 45 CFR 164.308 (a)(5)(ii)(D) |
Security Incident Reporting | |
Security awareness and training | 68 Federal Register 8377 45 CFR 164.308 (a)(6)(ii) |
Workstation Use | |
Workstation use | 68 Federal Register 8378 45 CFR 164.310(b)(2) |
Workstation Security | |
Workstation security | 68 Federal Register 8378 45 CFR 164.310(c) |