Technology Acceptable Use - Students


Sponsor:	Chief Information Officer
Contact:	Information Security Officer
Category:	Information Security and Technology
Policy Number:	1000.003
Effective Date:	8/28/2025
Implementation History:	Approved: 4/14/2002, Revised: 7/9/2003, 2/2023, 8/2025
Review Date:	TBD
Keywords:	Student, Information Technology Resources, Users, Confidential Information, Account Access, Technology Access
Background Information:	This policy replaces the “Computer Use Statement Policy-Students.” This policy amends and incorporates all policy statements from the preceding policy. This policy was drafted with the assistance of a third-party cyber security firm. The University “laptop loaner program” is acknowledged in this policy.

Purpose

Empire State University promotes student use of its online academic resources, online student support services, and computing facilities located at centers and units, and seeks to improve the computer literacy of its students. Every user is expected to adhere to the statements that follow to further these goals.

The purpose of this Acceptable Use Policy is to clearly establish each member of the university's role in protecting its Information Technology Resources and communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable the University to implement a comprehensive system-wide Information Security Program.

Definitions

Information Technology Resources: Any hardware, software, system, network, data, or service used to create, process, store, secure, or transmit information within the University. Supports the operational, academic, administrative, and research functions of the University. Includes all University-owned, licensed, or managed hardware, software, email domains, licenses, access, and related services and any use of the University’s network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

Student: Student at the University, matriculated or non-matriculated, currently enrolled in a class or not, with access to the University’s Information Technology Resources.

University: Empire State University, State University of New York User – Any member of the University community who utilizes University Information Technology Resources.

Policy Statements

Scope

This policy applies to all Students with access to Information Technology Resources and facilities owned, managed, or otherwise provided by the University.

Privacy

The University will make every reasonable effort to respect a User's privacy. Monitoring is done in accordance with academic integrity policies and the Family Educational Rights and Privacy Act. However, students do not acquire a right of privacy for communications transmitted or stored on or through the University’s Information Technology Resources, including laptops loaned to Students. In response to a judicial order or any other action required by law or permitted by official University policy, or if the University has otherwise determined reasonably necessary to protect the legitimate interests of the University, the President or Chief Information Officer (CIO), may authorize a University official or other authorized agent, to access, review, monitor and/or disclose computer files associated with an individual's University account. Additionally, in response to a suspected violation of the Student Conduct Policy and/or violation of New York State Acceptable Use of Technology Information Technology Resources Policy, or this Policy, the Associate Provost for Student Success or designee may require a student return a loaned laptop to the University before the term has ended and may authorize an agent of the University to review the data and information on the laptop. Students are encouraged to review the Adherence to Family Educational Rights and Privacy Act of 1974 Policy as well as the Student Conduct Policy .

Policy

University issued equipment is for the sole use of the Student and may not be loaned to others. Any use that disrupts the University' mission is prohibited. Using any University information Technology Resources for personal profit, or other purposes other than academic or University purposes is prohibited.

Following the same University policies on Non-Discrimination-Anti-Harassment, Sexual Harassment and Bias Related Crime that protect the rights of individuals that study and interact with the University, acceptable use of Information Technology Resources generally respects all individuals' privacy, but subject to the rights of individuals to be free from intimidation, harassment, and unwarranted annoyance. All Users of the University’s Information Technology Resources must adhere to the requirements enumerated below.

The University reserves the right to monitor or restrict computing activity on University owned and operated systems, including laptops loaned to Students from the official laptop loan program. The university is not responsible for loss of data or service interference resulting from efforts to maintain the University's Information Technology Resources.

Students creating personal webpages on the university's servers must abide by the university’s Web Presence and Publishing Policy.

4.1 Fraudulent and Illegal Use

The University explicitly prohibits the use of any information system for fraudulent and/or illegal purposes. While using any of the University’s Information Technology Resources, a User must not engage in any activity that is illegal under local, state, federal, and/or international law or in violation of University policies or procedures. As a part of this policy, Users must not:

Violate the rights of any individual or company involving information protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by the University.

Use of AI tools to generate fraudulent, misleading, or plagiarized academic work is prohibited and subject to disciplinary action.

Use copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the University does not have a legal license, or an appropriate license has been purchased by the User of a loaned device.

Export software, technical information, encryption software, or technology in violation of international or regional export control laws.

Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services.

Any User that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify the IT Service Desk.

4.1.1 Use of Artificial Intelligence (AI) in Academic Work

Use of AI tools and AI-generated content is at the discretion of each faculty member for each course. Students must follow any guidelines or restrictions set by the instructor for their coursework.

AI tools may not be used to fabricate sources, research data, or falsify records. AI tools must not be used to create misleading content.

AI-generated work that processes personal or sensitive information must comply with FERPA and the University’s data protection policies.

AI tools may be used by students enrolled in AI and cybersecurity-related courses under instructor supervision for academic purposes such as simulated threat generation, risk modeling, or defensive automation. All use must occur within isolated, university-approved sandbox environments and comply with data privacy and security regulations (e.g., FERPA, GLBA).

The University reserves the right to review and restrict the use of specific AI tools that pose risks to academic integrity, cybersecurity, or data privacy.

4.2 Confidential Information

The University has both an ethical and legal responsibility for protecting confidential information in accordance with its Enterprise Data Classification Policy.

Students must not enter, store, or process any University-protected data into AI platforms that have not been explicitly approved for academic or institutional use.

4.3 Harassment

The University is committed to providing a safe and productive environment, free from harassment, for all Students. Harassment is defined and prohibited by the Student Conduct Policy .

For this reason, Users may not:

Use University Information Technology Resources to harass any other person via e-mail, telephone, or any other means, or

Actively procure or transmit material that is in violation of sexual harassment or hostile workplace laws.

If a User feels they are being harassed through the use of University Information Technology Resources, the User shall reference the University’s Discrimination Compliance Procedures.

4.4 Incident Reporting

The University is committed to responding to security incidents involving University-owned Information Technology Resources. As part of this policy:

The loss, theft, or inappropriate use of information access credentials (e.g., passwords, or security tokens), physical assets (e.g., key cards, laptop, cell phones, tablets), or other information must be reported to the IT Service Desk.

Any device loaned through the Laptop Loan program must be reported to the program administrator, including damage, loss, and/or theft.

4.5 Malicious Activity

The University strictly prohibits the use of Information Technology Resources for malicious activity against other Users, the organization’s information systems themselves, or the information assets of other parties.

4.5.1 Denial of Service

Users must not:

Perpetrate, cause, or in any way enable disruption of the University’s information systems or network communications by denial-of-service methods;

Knowingly introduce malicious programs, such as viruses, worms, and trojan horses, to any information system; or

Intentionally develop or use programs to infiltrate a computer, computing system, or network, and/or damage or alter the software components of a computer, computing system, or network.

4.5.2 Confidentiality

All encryption keys employed by Users must be provided to Information Technology Serivces (ITS) if requested, in order to perform functions required by this policy.

Users must not:

Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the User is not an intended recipient or logging into a server or account that the User is not expressly authorized to access;

Base passwords on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports teams, etc.);

Facilitate use or access by non-authorized Users, including sharing their password or other login credentials with anyone, including other Users, family members, or friends;

Use the same password for University accounts as for other non-University access (for example, personal Internet Service Provider account, social media, benefits, email, etc.);

Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another User’s password;

Make copies of another User’s files without that User’s knowledge and consent.

4.5.3 Impersonation

Users must not:

Circumvent the User authentication or security of any information system;

Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;

Create and/or use a proxy server of any kind, other than those provided by the University, or otherwise redirect network traffic outside of normal routing with authorization; or

Use any type of technology designed to mask, hide, or modify their identity or activities electronically.

4.5.4 Network Discovery

Users must not:

Use a port scanning tool targeting either the University’s network or any other external network, unless this activity is a part of the User’s normal job functions, such as a member of ITS, conducting a vulnerability scan, and faculty utilizing tools in a controlled environment;

Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the Users, unless this activity is a part of the User’s normal job functions.

It is understood that some students enrolled in cybersecurity and information security courses may engage in simulated network analysis, penetration testing, malware analysis, and other offensive/defensive cybersecurity activities within instructor-approved, isolated sandbox environments. These environments must be pre-configured to prevent interaction with any university-owned systems or networks, and activities must be restricted to academic objectives under faculty oversight.

4.6 Objectionable Content

The University strictly prohibits the use of Information Technology Resources for accessing or distributing content that may be in violation of the Student Code of Conduct. Users must not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials considered to be in violation of the Student Code of Conduct, unless explicitly assigned by a University instructor or mentor to do so as part of an academic exercise.

4.7 Hardware and Software

University owned equipment that is provided as part of the Laptop Loaner program may be used outside the University’s network and have a less restrictive device and security settings. Users of the laptops are expected to adhere to all the above sections with acceptable use.

The loaner laptops are not restricted by the University’s ITS, and Users may install software for which they have legally purchased licenses or have access through the University (Office 365, etc.). However, a User must always protect their security and use sound judgment when using unsecured networks or trusted plug and play devices outside of the University or the Student’s residence.

The University is not responsible for loss of data or service interference resulting from individual use of devices loaned through the laptop loaner program.

When using university-owned equipment not governed by the Laptop Loaner program, such as computer labs or other local devices, the University strictly prohibits the use of any hardware or software that is not purchased, installed, configured, tracked, and managed by the University.

Users of such University owned or managed computer labs or other local devices must not:

Attach, connect, or remove or disconnect, hardware of any kind, including wireless access points, storage devices, and peripherals, to any University information system without the knowledge and permission of ITS;

Download, install, disable, remove, or uninstall software of any kind, including patches of existing software, to any University Information Technology Resource without the knowledge and permission of ITS;

Use personal flash drives, or other USB-based storage media, or

Take University equipment off-site without prior authorization from ITS.

4.8 Messaging

The University provides a robust communication platform for Users to fulfill its mission.

Users must not:

Send unsolicited electronic messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);

Solicit electronic messages for any other digital identifier (e.g., e-mail address, social handle, etc.), other than that of the poster's account, with the intent to harass or to collect replies; or

Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.

4.9 Other

In addition to the other parts of this policy, Users must not:

Use the Information Technology Resources for commercial use or personal gain.

AI must not be used for deceptive purposes, including impersonating others in academic, personal, or professional communication when using the University’s Information Technology Resources.

Roles and Responsibilities

The University reserves the right to protect, repair, and maintain the University Information Technology Resources and network integrity. In accomplishing this goal, the University’s ITS personnel or their agents must do their utmost to maintain User privacy, including the content of personal files and internet activities. Any information obtained by ITS personnel about a User through routine maintenance of the University’s Information Technology Resources will remain confidential, unless the information pertains to activities that are not compliant with acceptable use of the University’s Information Technology Resources under any University policy including the Student Conduct Policy

Enforcement

Enforcement is the responsibility of the University’s President or CIO.

The President or CIO may authorize a University official or an authorized agent. Users who violate this policy may be subject to the termination of their account. The University may temporarily suspend or block access to an account when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the University or University Technology Resources or to protect the University from liability. If a laptop that has been loaned to a Student is requested to be returned to the University due to a suspected violation and it is not returned, a hold will be placed on the Student’s record which will prevent registration for future courses.