Sponsor:

Chief Information Officer (CIO)

Contact:

Information Security Officer (ISO)

Category:

Information Security and Technology

Number:

1000.002

Effective Date:

04/01/1995

Implementation History:

Approved: 4/1/1995, Revised 3/1/2003, Corrected 4/1/2003, Revised 4/18/2023; Last Revised 8/2025

Keywords:

Information security, technology use, computer use, AI use, Artificial Intelligence use, email, mobile device, confidential information

Background Information:

Prior versions of this policy have been approved for the University since 1995. The policy name was changed from Computer Use Statement Policy-Faculty and Staff to the current title in January of 2023. This policy was created or revised for compliance with SUNY Policy 6608, Information Security Guidelines: Campus Programs & Preserving Confidentiality.

Purpose

The University’s technology infrastructure supports the University’s institutional and administrative activities needed to fulfill the University’s mission. Access to these resources is a privilege that should be exercised responsibly, ethically, and lawfully.

The purposes of this Acceptable Use Policy are to establish acceptable use standards, clearly identify the role each employee has in protecting the institution’s information assets, and to communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables the University to implement a comprehensive system-wide Information Security Program, as defined by the Information Security Policy.

This policy applies to all Members of the University Community using computing resources and systems owned, managed, or otherwise provided by the University. Individuals covered by this policy include but are not limited to the University employees, emeritus faculty, volunteers, contractors, guests, visitors, and service providers with access to the University’s computing resources and/or facilities. Computing resources include all University-owned, licensed, or managed hardware and software, email domains, and related services. This also includes any use of the University’s network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

Privacy Information

The University will make every reasonable effort to respect a user’s privacy, subject to applicable laws. However, Members of the University Community do not acquire a right of privacy for communications transmitted or stored on the University’s resources. In response to a judicial or lawfully issued administrative order, Freedom of Information Law request, E-Discovery request, or any other action required by law, a University official or an authorized agent may access, review, monitor, and/or disclose computer files associated with an individual's account. Additionally, in response to a violation of a University policy, to prevent the disruption of regular business, or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the University, the President or their designee may authorize a University official or an authorized agent to access, review, monitor and/or disclose computer files associated with an individual's account, subject to applicable law.

Definitions

  • University Employee – Employee of the University or its affiliated corporations.
  • Information Security Officer – Reporting to the Chief Information Officer, the Information Security Officer (ISO) oversees the University’s ITS Security environment.
  • Information Technology Resources – Any hardware, software, system, network, data, or service used to create, process, store, secure, or transmit information within the University. IT resources support the operational, academic, administrative, and research functions of the University.
  • Member of the University Community – Any person who is a University employee, University official, Emeritus, or any other person employed by or contracted with the University.
  • Mobile Devices – Portable computing devices, e.g., laptops, cell phones, or tablets.
  • Secure Areas – Any physical University location where sensitive information or assets are maintained, that require security measures to be in place to prevent unauthorized access.
  • University – Empire State University, State University of New York
  • University Username – An individually assigned, unique computer identifier. Also known as User code or User-id. The standard format for the University Username is FirstName.LastName.
  • University User Account – Any account assigned to an individual to provide access to university IT resources. Using the University User Account, the individual may access University resources, including but not limited to computers, email accounts, Banner, webservices accounts, and Brightspace accounts. The standard format for the University User Account for employees is FirstName.LastName@sunyempire.edu, and for Emeritus individuals is FirstName.LastName@emeritus.sunyempire.edu.
  • User – Any member of the University community who has access to and/or utilizes University Information Technology Resources.

Policy Statements

  • Roles and Responsibilities
    • The University accepts the responsibility to protect, repair, and maintain the University’s computing equipment and network integrity. In accomplishing this goal, University ITS personnel or their agents must take reasonable care to maintain User privacy, including the content of personal files and Internet activities. Any information obtained by ITS personnel about a User through routine maintenance of the University’s computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of the University’s computing resources.
    • Activities related to the University’s mission take precedence over computing pursuits of a more personal nature. The New York State Commission on Ethics in Government clearly states that any private use of a state resource is prohibited. Additionally, any use of Information Technology Resources that disrupts the University’s mission is prohibited.
    • Acceptable use of information technology resources aligns with all university policies, including Bullying and Civility Standards in the Workplace, Non-Discrimination, Anti-Harassment, Sexual Harassment, and Bias-Related Crime, which protect the rights of everyone working with or interacting with the University.
  • Fraudulent, Unapproved, and Illegal Use
    • The University explicitly prohibits the use of any information system for fraudulent and/or illegal purposes. While using any of the University’s information systems, a User must not engage in any activity that is illegal under local, state, federal, and/or international laws as applicable. As a part of this policy, Users must not:
      • Violate the rights of any individual or company involving information protected by copyright, trade secret, patent, or other intellectual property.
      • Violate laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not licensed or approved for use by the University.
      • Use in any way copyrighted material including, but not limited to, photographs, books, music, video, or other copyrighted sources, and any software for which the University does not have a legal license.
      • Export software, technical information, encryption software, or technology in violation of international or regional export control laws.
      • University-issued user accounts shall not be linked to or used to access, authenticate, or integrate with any personal or private external service, system, or resource not explicitly authorized by University Information Technology Services.
      • Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services.
    • Any user who suspects or becomes aware of any activity described in this section, or any other activity that may be fraudulent or illegal, must immediately notify their manager.
  • Confidential Information
    The University has both an ethical and legal responsibility for protecting confidential information in accordance with its Enterprise Data Classification, use of Text Messaging Service, General Data Protection Regulations Privacy, Payment Card Industry-Data Security Standard Policy, Adherence to the Family Educational Rights and Privacy Act (FERPA) of 1974, Adherence to the Gramm-Leach-Bliley Act (GLBA) of 1999, adherence to the Health Insurance Portability and Accountability Act (HIPAA) and Limiting the Use of Student Social Security Numbers Procedure policies, as well as other applicable federal, state and local laws. As such:
    • Any files or other electronic transmission of protected personally identifiable information (PII) such as social security numbers and credit card numbers must be encrypted or sent through approved, secured channels.
    • Transmission of PII by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.) is prohibited.
    • Mobile Devices that access confidential information must have physical controls to secure the device when not in use, minimizing the risk of unauthorized access.
    • University Employees will use approved workstations or devices to access the University’s data and information systems.
    • All of the University’s portable workstations will be securely maintained, including mandatory hard drive encryption when in the possession of University employees. Such workstations will be handled as carry-on (hand) baggage on public transport. Devices will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.
    • Photographic, video, audio, or other recording equipment must not be used in secure areas where PII or other sensitive data is present, unless there is a documented business need and prior authorization is provided by the ISO.
    • All confidential information files stored on workstations and mobile devices must be encrypted in addition to the hard drive being encrypted.
    • All Members of the University Community who use organization-owned workstations will take all reasonable precautions to protect the confidentiality, integrity, and availability of information contained on the workstation.
    • University Employees who move electronic media or information systems containing confidential information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized use.
    • University Employees will activate their workstation locking software whenever they leave their workstation unattended or will log off from or lock their workstation when their shift is complete.
  • Incident Reporting
    The University is committed to responding to security incidents involving personnel, University-owned information, or University-owned information assets. As part of this policy:
    • The loss, theft, or inappropriate use of information access credentials (e.g., passwords or security tokens), assets (e.g., key cards, laptops, cell phones, tablets), or other information must be immediately reported to the University’s ITS Service Desk.
    • All incidents regarding physical assets shall be reported to the Office of Safety and Security by the University ITS Service Desk.
    • All incidents regarding inappropriate use, theft, or loss of access credentials and information shall be reported to the University's Information Security Officer.
    • A Member of the University Community shall not prevent another Member of the University Community from reporting a security incident.
  • Malicious Activity
    The University strictly prohibits the use of information systems for malicious activity against other Users, outside parties, the University’s information systems themselves, or the information assets of other parties.
  • Denial of Service
    Users must not:
    • Perpetrate, cause, or in any way enable disruption of the University’s information systems or network communications by denial-of-service methods
    • Knowingly introduce malicious programs, such as viruses, worms, and trojan horses, to any information system
    • Intentionally develop or use programs to infiltrate a computer, computing system, or network, and/or damage or alter the software components of a computer, computing system, or network
  • Confidentiality
    All encryption keys employed by Users must be provided to Information Technology if requested to perform functions required by this policy.
    Users must not:
    • Attempt to gain access to files and resources to which they have not been granted permission
    • Perpetrate, cause, or in any way enable data exposures, including but not limited to, accessing data of which the User is not an intended recipient or logging into a server or account that the User is not expressly authorized to access
    • Facilitate use or access by non-authorized Users, including sharing their password or other login credentials with anyone, including other Users, family members, or friends
    • Use the same password for University accounts as for other non-University access (for example, personal Internet Service Provider account, social media, benefits, email, etc.); whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another User's password
    • Make copies of another User's files without that User's knowledge and consent, unless written authorization is provided to the CIO or delegate by a Cabinet member subject to federal, state, and applicable laws.
    • Create a secure password based on something that can be easily guessed using personal information (e.g., family names, favorite sports team, subject taught, etc.);
    • Input, upload, or share confidential, personally identifiable, or restricted University data (including but not limited to student records, personnel data, financial information, and proprietary research) into AI tools that lack explicit approval from the University. This ensures compliance with FERPA, GLBA, and University data protection policies.
  • Impersonation
    Users must not:
    • Circumvent the User authentication or security of any information system
    • Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information
    • Create and/or use a proxy server of any kind, other than those provided by the University, or otherwise redirect network traffic outside of normal routing with authorization
    • Use any type of technology designed to mask, hide, or modify their identity or activities electronically outside of the approved use of a Virtual Private Network
  • Network Discovery
    Users must not:
    • Use a port scanning tool targeting either the University’s network or any other external network unless this activity is a required part of the User's normal job functions or the tool is being used in a controlled environment for academic purposes
    • Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the User unless this activity is a part of the User's normal job functions
  • Objectionable Content
    • The University strictly prohibits the use of organizational information systems for accessing or distributing content that other Users may find objectionable. Users may not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials that promote sex, hate, alcohol, firearms, tobacco or are in violation of any University policy.
    • This is not intended to hinder individual freedom, academic curricula, research, or intellectual discourse. This list is not an all-inclusive list of when objectionable content may be used at the University. If unsure, individuals should contact the University’s Information Security Officer for clarification.
  • Hardware and Software
    The University strictly prohibits the use of any hardware or software that is not purchased, installed, configured, tracked, or managed by the University.
    Users must not:
    • Install, attach, connect, remove, or disconnect hardware of any kind, including wireless access points, storage devices, and peripherals, to any institutional information system without the knowledge and permission of ITS
    • Download, install, disable, remove, or uninstall software of any kind, including patches of existing software, to any institutional information system without the knowledge and permission of ITS
    • Use personal flash drives, or other USB-based storage media, without prior approval from their supervisor
    • Take University equipment off-site without prior authorization from their supervisor and equipment management
  • Messaging
    The University provides a robust communication platform for Users to fulfill its mission.
    Users must not:
    • Automatically forward electronic messages sent to University equipment or University accounts of any kind by using client message handling rules or any other mechanism
    • Send unsolicited electronic messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam). University marketing messages sent to prospects or current students are exempt
    • Solicit electronic messages for any other digital identifier (e.g., email address, social handle, etc.), other than that of the poster's account, with the intent to harass or to collect replies
    • Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type
  • Remote Working
    When working remotely, the User must:
    • Safeguard and protect any University-owned or managed computing asset (e.g., laptops and cell phones) to minimize loss or theft
    • Take reasonable precautions to prevent unauthorized parties from utilizing computing assets or viewing University information processed, stored, or transmitted on University-owned assets
    • Not create or store confidential or private information on local machines unless a current backup copy is available elsewhere
    • Not access or process confidential information in public places where the screen could be easily viewed or over public, insecure networks
    • Only use University-approved methods for connecting to the organization (e.g., VPN)
  • Artificial Intelligence (AI) Usage
    • SUNY Empire understands that AI tools can be used to assist productivity. However, AI is a complex tool that introduces security challenges:
      • University employees may use AI tools for administrative, instructional, and research purposes, provided such use aligns with SUNY Empire’s policies on data security, academic integrity, and professional ethics. AI should serve as a support tool and not replace human judgment in academic, research, or operational decision-making.
      • AI-generated content must be clearly disclosed and may not be used as a substitute for original academic work unless explicitly permitted by faculty. Misuse of AI to fabricate, misrepresent, or plagiarize content is considered a violation of academic integrity policies.
      • University employees must not input, upload, or share confidential, personally identifiable, or restricted University data (including but not limited to student records, personnel data, financial information, and proprietary research) into AI tools that lack explicit approval from the University. AI tools must comply with FERPA, GLBA, and University data protection policies*.
      • Any AI-driven processes must be transparent, ethical, and free from bias.
      • AI-powered decision-making systems must undergo regular review and audits to ensure fairness and accuracy.
      • AI-generated or AI-assisted content must be stored in compliance with data retention policies. AI tools must not retain, reuse, or transmit University data beyond the scope of their authorized use.
    • Faculty members are responsible for defining AI usage policies in their courses and providing clear guidance to students regarding proper and improper AI use. AI-generated content should be disclosed and cited when used for instructional material or research. AI must not compromise academic integrity, originality, and student learning.
    • AI must not be used to automate employment, grading, admissions, or other University decision-making processes without human oversight. University Employees must ensure AI-driven recommendations are transparent, ethical, and free from bias.
    • University Employees may only use AI tools on University-owned equipment that has been approved by ITS. Integrating AI into University operations must align with data security, privacy regulations, and ethical AI guidelines.
  • Other
    In addition to the other parts of this policy, Users must not:
    • Stream video, music, or other multimedia content using University bandwidth unless this content is required to perform the User's normal business functions
    • Use the University’s information systems for commercial use
    • Use the University’s information systems to play games for entertainment; this excludes usage for the University-related business such as e-sports
  • Enforcement
    • Enforcement is the responsibility of the University’s President or Chief Information Officer (CIO). The President or CIO may authorize a University official or an authorized agent to act on their behalf.
    • Violations of this policy may result in disciplinary action, including but not limited to restriction of access, corrective action, or termination, in accordance with University policies and collective bargaining agreements, if applicable. The University may temporarily suspend an account when it reasonably appears necessary to do so to protect the integrity, security, or functionality of the University or other computing resources or to protect the University from liability. The Chief Information Officer or their designee reserves the right to approve exceptions to this policy, subject to a regular review.

 

Applicable Legislation and Regulations

The Gramm-Leach-Bliley Act (GLBA)

Family Educational Rights and Privacy Act (FERPA)

General Data Protection Regulation (GDPR)

New York State Information Security Breach and Notification Act

NIST SP 800-171 Rev. 2

FIPS-199

Related References, Policies, Procedures, Forms and Appendices

Information Security Policy

Non-Discrimination/Anti-Harassment Policy

Sexual Harassment Policy

Sexual Violence Prevention and Response Policy

Title IX Grievance Policy

Enterprise Data Classification Policy