Question

1. Search the Web for examples of issue-specific security policies. What types of policies can you find? Using the format provided in this chapter, draft a simple issue-specific policy that outlines fair and responsible use of computers at your college, based on the rules and regulations of your institution.

     Consider the following Policies at university of Sharjah:

• Policy Statement
• User Responsibility
• General Computer Usage
• Internet Use
• Electronic Mail
• Authorized Access and Usage of Equipment
• Systems Management
• Violations of Policy
• Limitations of Liability

Answer 1

Policies on the Use of Computers

1.0 Overview

The University is committed to free and open inquiry and discussion, fair allocation of University resources, and the provision of a working environment free of needless disruption. To advance these goals, the University has adopted policies on computer usage. Most of these policies follow from existing regulations, agreements, laws, and/or policies.

2.0 Objective / Purpose

This document has two purposes: to prohibit certain unacceptable uses of the University's computers and network facilities, and to educate users about their individual responsibilities.

3.0 Scope

This policy covers all computers owned or administered by any part of The University or connected to the University's communication facilities, including departmental computers and personally owned computers, and also the University's computer network facilities accessed by anyone from anywhere.

4.0 Policy

4.1 No one shall use any University computer or network facility without proper authorization. No one shall assist in, encourage, or conceal from authorities any unauthorized use, or attempt at unauthorized use, of any of the University's computers or network facilities.

4.2 No one shall knowingly endanger the security of any University computer or network facility, nor willfully interfere with others' authorized computer usage.

4.3 No one shall use the University's communication facilities to attempt unauthorized use, nor to interfere with others' legitimate use, of any computer or network facility anywhere.

4.4 No one shall connect any computer to any of the University's networks unless it meets technical and security standards set by the University administration.

4.5 All users shall share computing resources in accordance with policies set for the computers involved, giving priority to more important work and cooperating fully with the other users of the same equipment.

4.6 No one without specific authorization shall use any University computer or network facility for non-University business.

4.7 No one shall give any password for any University computer or network facility to any unauthorized person, nor obtain any other person's password by any unauthorized means whatsoever. No one except the system administrator in charge of a computer is authorized to issue passwords for that computer.

4.8 No one shall misrepresent his or her identity or relationship to the University when obtaining or using University computer or network privileges.

4.9 No one without specific authorization shall read, alter, or delete any other person's computer files or electronic mail. This rule applies regardless of whether the operating system of the computer permits these acts.

4.10 No one shall copy, install, or use any software or data files in violation of applicable copyrights or license agreements, including but not limited to downloading and/or distribution of music, movies, or any other electronic media.

4.11 No one shall create, install, or knowingly distribute a computer virus, "Trojan horse," or other surreptitiously destructive program on any University computer or network facility, regardless of whether any demonstrable harm results.

4.12 No one without proper authorization shall modify or reconfigure any University computer or network facility.

4.13 No one shall store confidential information in computers or transmit confidential information over University networks without protecting the information appropriately.

4.14 Users shall take full responsibility for data that they store in University computers and transmit through network facilities. No one shall use University computers or network facilities to store or transmit data in ways that are prohibited by law or University policy. Users shall not transmit any communications that are harassing or discriminatory as outlined in the University's Non-Discrimination and Anti-Harassment Policy.

4.15 Those who publish web pages or similar information resources on University computers shall take full responsibility for what they publish; shall respect the acceptable use conditions for the computer on which the material resides; shall obey all applicable laws; and shall not publish commercial advertisements without prior authorization. References and links to commercial sites are permitted, but advertisements, and especially paid advertisements, are not. Users shall not accept payments, discounts, free merchandise or services, or any other remuneration in return for placing anything on their web pages or similar information resources.

4.16 Users of University computers shall comply with the regulations and policies of mailing lists, social media sites, and other public forums through which they disseminate messages.

4.17 System administrators shall perform their duties fairly, in cooperation with the user community, the appropriate University administration, University policies, and funding sources. System administrators shall respect the privacy of users as far as possible and shall refer all disciplinary matters and legal matters to appropriate authorities.

4.18 Email and other electronic messaging technologies are intended for communication between individuals and clearly identified groups of interested individuals. No one without prior authorization shall use University facilities to knowingly create or disseminate spam -- unwanted and unsolicited emails or materials, in such a large volume that it may disrupt the proper functioning of the University’s information technology resources or individuals’ ability to use such resources. The University reserves the right to discard incoming mass mailings and spam without notifying the sender or intended recipient.

4.19 For its own protection, the University reserves the right to block communications from sites or systems that are involved in extensive spamming or other disruptive practices, even though this may leave University computer users unable to communicate with those sites or systems.

5.0 Enforcement and Implementation

5.1 Roles and Responsibilities

Each University department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with the UGA Policies on the Use of Computers.

The Office of Chief Information Officer is responsible for enforcing this policy, and is authorized to create technical and security standards for University computing and network facilities and protection standards for information stored or transmitted by University computing and network facilities.

5.2 Consequences and Sanctions

Violations of these policies may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation. In some cases, violations of this policy may also be violations of state and federal laws, and consequences may include criminal prosecution.

Systems and accounts that are found to be in violation of this policy may be removed from the UGA network, disabled, etc. as appropriate until the systems or accounts can comply with this policy.

6.0 Definitions

University computers and network facilities - all computers owned or administered by any part of The University or connected to the University's communication facilities, including departmental computers, and also all of the University's computer network facilities--not limited to the Athens campus--accessed by anyone from anywhere.

Authorization - permission granted by the appropriate part of the University's governance and/or management structure, depending on the particular computers and/or network facilities involved and the way they are administered.