Technology Use Policy

The University of Portland (UP) provides technology resources, including computers, virtual machines, server resources, storage, and access to the Internet to the entire UP community (faculty, staff, students, and visitors to the campus). This is only possible because members of our community are mindful of the shared nature of these resources and the risks that could arise from misuse. This policy outlines the responsibilities and rights that come with access to technology resources.

This policy applies to all users of technology resources provided by the University of Portland, including students, faculty, staff, third-party contractors/vendors, and visitors to campus. In this document this full population will be referred to as "users".

Rights and Responsibilities

Computers and networks can provide access to resources on and off campus and communicate with other users worldwide. UP strives to make this access as open and unfettered as possible, but this requires that individual users act responsibly. Users must respect the rights of other users, respect the integrity of the systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations.

Personal UP login credentials are only to be used by the person they are issued to and should not be shared with coworkers, family members, or Information Services staff. Information Services will never ask you for your password. The Help Desk (help@up.edu) can assist users in sharing online resources when appropriate so they can be accessed by others using their own login credentials.

The University and its Information Services department make every effort to keep data secure and for all technology resources to be available as much as possible. Individual user data, including personal information in the information systems, files in personal online storage such as OneDrive, and email, will not be accessed by Information Services staff except for when required by legal action or necessitated in response to cybersecurity incidents.

All existing laws (federal and state) and UP regulations and policies apply, including not only those laws and regulations that are specific to computers and networks, but also those that may apply generally to personal conduct.

Misuse of Technology

Broadly speaking, activities are considered misuse when they represent attempts to compromise security or privacy protections, cause damage to others or to the University's systems, leverage University resources for personal gain, or to perform illegal activity.

Examples of misuse include, but are not limited to, the following activities:

• Using a computer account that you are not authorized to use.
• Stealing or fraudulently obtaining another user's login credentials for any reason.
• Using UP technology resources to gain unauthorized access to a computer system.
• Intentionally disrupting the normal operation of computers, terminals, peripherals, or networks.
• Knowingly running or installing on any computer system or network, or causing another user to run or install, a program intended to spy on other users, damage or compromise systems, or place excessive load on a computer system or network.
• Attempting to circumvent data protection schemes or uncover security loopholes.
• Violating terms of licensing agreements or copyright laws. This includes using the intellectual property of others in the prompting or training of artificial intelligence or machine learning systems when prohibited by license agreement.
• Excessive or wasteful use of UP resources in a way that impacts or excludes other users from their resources, or for individual gain at the expense of the University (for example, cryptocurrency mining).
• Leveraging one's access to UP data and information to "snoop"; into other users'; private personal information, such as home address or academic history, without a valid UP business purpose.
• Unauthorized commercial activity, such as mass email solicitations, from a UP account.

Specific activities that would normally be considered misuse can be granted an exception if they have a legitimate reason to be conducted. This exception must be approved by a Vice President-level official at UP and communicated to the Chief Information Officer.

Privacy and Security

Network access provided by UP connects our community to a worldwide community and allows employees and students to connect with UP resources remotely. This broad access is only possible when users take responsibility for protecting themselves and UP from security risks. Details about privacy and security levels for different categories of data are available in the Data Risk Classification Guidelines and the Information Security Plan (available on the Information Services Policy page). Key guidance included in those policies includes:

• Personal devices used on the UP network or used to access UP resources remotely should be regularly updated with the latest security patches and have malware protection software installed. Devices, including laptop and desktop computers, tablets, and phones, should be configured to require a password/PIN or biometric login (such as a fingerprint or face scan) to access them.
• All users are expected to exercise their best judgment in protecting devices from theft or damage. Do not leave equipment unattended in an insecure or vulnerable location. Report any stolen or lost UP equipment to Information Services and Campus Safety as soon as possible.
• Employees should avoid saving sensitive UP data on their local machine and instead save to University-managed locations such as network drives, OneDrive, or Microsoft Teams. UP Data may be accessed from personal machines, but users should use a secure connection such as the Virtual Private Network (VPN) if connecting remotely. Sensitive UP data should never be saved locally on a personal machine or in cloud storage services that are not managed by UP.
• All employees are expected to comply with the Federal Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and other statutes regarding protecting private information.
• Users are required to use Multi-Factor Authentication to protect their account and should be careful not to approve authentication requests that they did not originate.
• Sensitive University data should not be made accessible to an artificial intelligence or machine learning system unless it has been approved by both Information Services and the appropriate data stewards. For more information on what data is considered sensitive and a list of data stewards, consult the Data Risk Classification Guidelines.
• Proper procedures and precautions should be maintained when managing or disposing of sensitive data. For instance, hard drives that potentially include sensitive data should be properly and securely wiped or destroyed before being recycled, disposed of, or transferred to another owner.

Enforcement of this Policy

Minor or accidental violations of this policy may be dealt with through direct or email communication to inform users of the issue and request remediation. In more serious cases, or when there is a perceived risk to the University or others, accounts and network access may be administratively suspended by the Information Services team with or without notice pending investigation and remediation.

Serious or repeated violation of this policy by a student may lead to disciplinary charges under the appropriate student disciplinary policy. Likewise, faculty and staff violations will be addressed by their respective disciplinary policies and procedures.

Users who violate Federal, state, or local laws may also face criminal or civil liability for their actions. Reproduction or distribution of copyrighted works, including, but not limited to, images, text, or software, without permission of the owner is an infringement of U.S. Copyright Law and is subject to civil damages and criminal penalties including fines and imprisonment.

General Information and Reporting

Users with questions about this policy can contact the UP help desk at help@up.edu. Helpful information about how to access UP resources can be found at the Information Services web site at https://up.edu/is

To report possible spam or other email abuse, please forward the suspected message to the UP email abuse hotline: abuse@up.edu.

Last Revised: July 2024