Acceptable Use and Policies - Guidance
Below is guidance for acceptable use at NDSU.
Guidelines for Incidental Personal Use
Incidental personal use of University owned ECDs or personal use on University time is acceptable when the use:
- Does not interfere with the person's work performance
- Is of nominal cost or value
- Does not create the appearance of impropriety
- Is not for a political or personal commercial purpose
- Is reasonable in time, duration, and frequency
- Makes minimal use of hardware, software and network resources
Some uses, however, are never acceptable. These include:
- Use for harassment or similar inappropriate behavior
- Use for accessing or distributing sexually explicit, offensive or erotic material
- Violation of copyright laws
- Use for probing or hacking
- Use of non-business streaming technologies that consume significant amounts of bandwidth
- Use of pirated software or data
- Knowingly distributing viruses or bypassing established security
Inappropriate use may range widely in seriousness and impact on the other users. Often misuse can be addressed by the supervisor or administrator in the unit where it occurs. On some occasions, however, the misuse may represent a major violation of acceptable use. The University has established procedural guidelines for investigating an alleged major violation of acceptable use.
Summary of Procedural Guidelines
Initial discovery of a potential AUP violation can result from a number of triggering events which include but are not limited to:
- Bandwidth and network monitoring
- Complaint by a supervisor, other employee or person
- Inadvertent discovery during routine service or maintenance
- Legal copyright complaint (includes copyrighted materials such as music, movies, software, etc.)
- Creation or distribution of SPAM or other network abuse
- Law enforcement query or subpoena; open records request
The NDSU Chief IT Security Officer will be notified if they are not already aware of the problem. The appropriate Dean(s) or Director(s) will be notified as soon as possible so that there can be an initial decision or meeting established with the Appropriate Use Review Committee* (AURC) to assess the situation and agree on an appropriate course of action. The alleged violator will not be notified until this discussion has taken place and a decision when to notify the alleged violator has been made. A course of action is determined that can include monitoring and/or seizure and examination of equipment and related IT items (for example: computers, communication devices, hardware, software, media).
Occasionally, emergency action might be necessary so that the NDSU Chief IT Security Officer may not be able to contact all the above officials before an action is taken. If criminal violations are suspected, appropriate law enforcement will be notified. Outcomes of the investigation could include the following determinations: no violation, violation of law or policy, and/or possible criminal violations. Sanctions, if a violation is found, could include, but are not limited to: verbal caution; letter of warning; loss of computer and/or network access; referral to the Employee Assistance Program; referral for training and education; letter of reprimand; suspension with or without pay; and termination of employment. Any criminal process is separate but can also be considered when deciding on appropriate sanctions. The employee may use the normal employment appeals processes for any sanctions imposed.
*Members of the AURC include the NDSU Chief of Staff, the North Dakota Assistant Attorney General, the NDSU Vice President of Information Technology, and the Chief Information Security Officer or their designees.
Policies and Laws