Ohio Admin. Code 3341-6-07 - Acceptable uses of BGSU information technology

(A) Policy Statement and Purpose

Bowling Green state university provides information technology resources to support the academic, administrative, educational, research, and service missions of its appropriately affiliated members within the margins of institutional priorities and financial capabilities. The information technology resources provide for the university a conduit for a free and open forum for the expression of ideas mindful of the university core values. In order to protect the confidentiality, integrity, and availability of information technology resources for intended purposes, the following policy has been developed.

(B) Policy scope

The scope of this policy is to encompass all information technology devices owned by the university, any device connected to the university network, and all university data on these devices.

(C) Policy

(1) Applicable laws and policies

All usage of information technology resources is to be consistent with all other relevant policies at BGSU.

Users must be aware of and comply with all federal, state, local, and other applicable laws, regulations, contracts, and licenses, which include the following:

(a) Digital Millennium Copyright Act (DMCA)

(b) Electronic Communications Privacy Act (ECPA)

(c) Computer Fraud and Abuse Act (CFAA)

(d) Family Educational Rights and Privacy Act (FERPA)

(e) HIPAA :Hybrid Entity Designation of Health Care Components and Administrative Responsibilities"

(f) Gramm-Leach-Bliley Act (GLBA)

(g) House Bill 104 of the 126th General Assembly (sections1347.12 and 1349.19 to 1349.192 of the Revised Code).

(2) Acceptable uses of information technology

Use of information technology to access resources other than those supporting the academic, administrative, educational, research, and service missions of the university or for more than limited social purposes is prohibited.

(a) Information technology is provided to access resources supporting the academic, administrative, education, research, and service missions of the university. Use of the provided information technology resources is to be mindful of the university core values. Use of information technology for experimental use or limited social purposes is permitted, as long as it does not violate other policies or interfere with operations of the university.

(b) The legitimate use of information technology resources does not extend to whatever is technically possible. Although some limitations are built into computer operating systems and networks, those limitations are not the sole restrictions on what is permissible. Users must abide by all applicable restrictions, whether or not they are built into the operating system or network and whether or not they can be circumvented by technical means.

(c) Network applications and protocols that are not essential to carrying out the mission of the university or to conduct university business are neither specifically permitted nor specifically prohibited. Should such a subsidiary application or protocol become a risk to the security of the university's information technology infrastructure, its use will be restricted or blocked as deemed appropriate or necessary, without prior notice.

(d) All users must only access or attempt to access information technology resources that they are authorized to use and then only in a manner and to the extent authorized.

(e) Ability to access information technology resources does not, by itself, imply authorization to do so. Prior to accessing a resource, users are responsible for ascertaining and properly obtaining necessary authorization. Accounts, passwords, and other authentication mechanisms may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the university.

(f) Users are required to protect the confidentiality, integrity, and availability of information technology. This responsibility includes practicing safe computing at all times when deploying or using BGSU information technology resources. Users are to care for the integrity of technology-based information sources they are authorized to access and to ensure that information is shared only with other appropriately authorized users.

(3) Unacceptable uses of information technology

(a) Attempting to circumvent information technology security systems is prohibited.

BGSU employs various technologies and procedures in the interest of protecting the confidentiality, availability, and integrity of information technology. Some examples of these technologies and procedures include, but are not limited to, physical methods, firewalls, anti-virus software, encryption, and passwords. Circumvention or attempted circumvention of a security system creates a threat to the university and is not permitted.

(b) Disruption of university-authorized activities is prohibited.

All members of the BGSU community share the information technology resources provided by BGSU. Those causing disruption to the use of information technology resources for other community members will be in violation of this policy. Some examples include, but are not limited to, configuration of devices that disrupt network services, launching denial of service attacks, and disturbing public access resources.

(c) Use of information technology to conduct reconnaissance, vulnerability assessments, or similar activity by unauthorized personnel is prohibited. In an effort to protect the confidentiality, availability, and integrity of information technology resources, BGSU officials will investigate any discovered unauthorized network reconnaissance, vulnerability scanning, or service enumerations. While it is recognized that there are some valid purposes for this activity, BGSU officials are unable to determine intent and must react in a manner that will best protect information technology resources by assuming that the source of scans are malicious. Additionally, many vulnerability scanning tools utilize techniques that may be disruptive if not properly used. Please contact the ITS information security office for authorization to conduct vulnerability or service assessments using BGSU information technology resources.

(d) Anonymous use, impersonation, or use of pseudonyms on an information technology resource to escape accountability is prohibited.

Examples of this include, but are not limited to, forging email or using any Internet service not affiliated with the university that can prevent accountability for its usage.

(e) The use of any unlicensed spectrum space is prohibited on any BGSU-owned or BGSU-occupied property, unless it is part of the wireless services being deployed by the university.

Information technology services (ITS) has implemented wireless local area network (LAN) services on the BGSU main campus and the Firelands campus. While this service allows mobility and easier access to the BGSU network, it means that the air space on campus now serves as a medium for network connectivity. The use of open air space poses a number of potentially difficult situations for both users and network administrators. Users who may need to make use of wireless equipment for special purposes such as research or other unique applications must contact ITS to coordinate this use of wireless air space so that its use does not negatively impact regular operations.

(D) Responsibilities

(1) University responsibilities

(a) Provide and coordinate information technology resources to allow completion of duties as assigned in support of the academic, administrative, educational, research, and service missions, within the margins of institutional priorities and financial capabilities.

(b) Communicate, review, update, and enforce policies to protect information technology resources.

(c) Take reasonable measures to mitigate security threats.

(2) User Responsibilities

(a) Read, agree to, and abide by all university policies and policy updates.

(b) Practice safe computing when using information technology resources.

(c) Notify university officials upon discovery that an assigned information technology resource has been accessed, attempted to be accessed, or is vulnerable to access by unauthorized users.

(d) Users are responsible for activity resulting from their assigned information technology resources.

(E) Security and privacy statement

BGSU respects the privacy of all information technology users. While the university does not routinely monitor content, it reserves the right to access and review all aspects of its information technology infrastructure, without notice, to investigate performance or system problems; search for harmful programs; investigate potential risks to health or safety; or determine if a user is violating a university policy or state or federal law. Such information may also be used in appropriate university disciplinary proceedings. BGSU monitors, keeps, and audits detailed records of information technology usage; traces may be recorded routinely for trouble shooting, performance monitoring, security purposes, auditing, recovery from system failure, etc.; or in response to a complaint, in order to protect the university's and others' equipment, software, and data from unauthorized use or tampering. Extraordinary record keeping, traces and special techniques may be used in response to technical problems or complaints, or for violation of law, university policy or regulations, but only on approval by university administrators specifically authorized to give such approval. In addition to the privacy of individuals being respected under normal circumstances, the privacy of those involved in a complaint will be respected and the university will limit special record keeping in order to do so, where practicable. Information will be released in the university's discretion, to appropriate university personnel, law enforcement agencies, and/or in accordance with applicable law, including information subject to disclosure under Ohio's public records laws. Users should be aware that while the university implements various security controls to protect information technology resources, protection of data from unauthorized individuals cannot be guaranteed.

(F) Enforcement and sanctions

Individuals or entities in violation of the BGSU information technology policy will be referred to the appropriate disciplinary authority for review. Access privileges may be suspended without prior notice if it is determined that a policy violation is causing a current or imminent threat to the confidentiality, integrity, or availability of information technology resources.

A violation of this policy may result in disciplinary action, up to and including termination of employment.

(G) Implementation of policy

This policy is authorized by the office of the chief information officer (CIO) and has been approved by the appropriate university committee(s). This policy may be supplemented with additional published guidelines by campus units that are authorized to operate/control their own information technology resources provided such guidelines are consistent with and supplemental to this policy and do not alter its intent.

(H) Related policies

(1) 3341-6-6 BGSU e-mail Account

(2) 3341-6-18 Data use and protection

(3) 3341-6-21 Faculty and staff email

(4) 3341-6-29 ITS computer lab utilization

(5) 3341-6-33 My VPN

(6) 3341-6-39 Sensitive data privacy

(7) 3341-6-41 Social networking media policy

(8) 3341-6-43 Student email

(9) 3341-6-49 BGSU web privacy policy

(10) 3341-3-84 HIPAA hybrid entity designation of health care components and administrative responsibilities

Replaces: 3341-6-07

Notes

Ohio Admin. Code 3341-6-07

Effective: 3/13/2025
Promulgated Under: 111.15
Statutory Authority: 3341.
Rule Amplifies: 3341.
Prior Effective Dates: 03/17/2015, 03/31/2016, 12/22/2017, 04/15/2024