I. General Information: The University of Central Florida's computing resources and telecommunications networks provide a wide range of resources and facilities for the communication, storage, and processing of information that are of fundamental importance to the academic, research, and administrative functions of the university. The university provides its employees and its enrolled students in good standing ("users") open access to electronic communication and information. To preserve this computing and communications environment, all users must adhere to the university's standards and policies for the responsible use of computing systems, software, and telecommunications networks as described in this policy.

A. Users are generally free to utilize UCF's computing systems, software, networks, and telephone systems as necessary to perform their job responsibilities, subject to the appropriate use of these resources as described in this policy.

B. Electronic information (including images) that is accessible to the university community through the university's computing and telecommunications networks and that is stored in or processed on university computer facilities shall be treated the same as if such information was in printed format.

C. The university has the right to monitor, access, add or remove university equipment and use thereof at any time. The university does not permit the addition or use of unauthorized equipment and reserves the right to disconnect, remove, or block access to such equipment at any time.

II. Use of Computer and Telecommunications Resources: The university's users shall use the university's information resources responsibly in accordance with this policy.

A. The university's computing and telecommunications resources shall not be used to impersonate another individual or misrepresent authorization to act on behalf of other individuals or the university. All information (including images and messages) stored in or transmitted through university computers and telecommunications networks must correctly identify the sender. Users shall not modify the original attribution of electronic information or postings and shall not send anonymous messages.

B. The computing and telecommunications resources of the university shall not be used to make unauthorized or illegal use of the intellectual property of others. Users shall not transmit to others or display images, sounds, or messages that could reasonably be perceived as harassing, invasive, or otherwise unwanted.

C. University computers and telecommunications resources shall not be used to attempt to read or duplicate electronic information belonging to others, or to decrypt or translate encrypted information, unless such action has been expressly authorized in writing by the owner(s) or copyright holder(s) of the information.

D. The university does not warrant that data will be retained for any specified period of time on university computer or telecommunications systems. Users shall be responsible for making appropriate backup copies of all needed data to protect against the potential of loss. Likewise, each computer or telecommunications system administrator shall make accurate and timely backup copies of essential data to protect against information loss, or to be used to facilitate disaster recovery. Backup of central university servers is managed by Computer Services. Media containing all backup or archival recordings of information from university computer systems shall be stored in a secure and environmentally sound location separate from the system from which the information was obtained.

E. System administrators for electronic mail systems shall not retain backup or archival copies of electronic messages for a period longer than five (5) working days. Certain "transitory messages" such as e-mail messages with short-lived, or no administrative value, which do not set policy, establish guidelines or procedures, certify a transaction, or become a receipt need only be retained until obsolete, superseded or administrative value is lost. There are circumstances when e-mail messages may have a more significant administrative, fiscal or legal value, and therefore be categorized as public records documents requiring a longer retention. It is the responsibility of the user (i.e., the sender or receiver of a message) to choose one of the following options for handling messages falling into this category: messages may be printed to hard copy and filed in a traditional filing system, or messages may be retained in an appropriate electronic filing system. The sender's copy is designated as the copy of record. Electronic messages that constitute public records must be retained for four years.

F. Management of and access to university administrative data shall be in accordance with procedures described in the document Administrative Data, Information and Computer Security Guidelines, which is available from the Computer Services office and the ITR Policies Web page http://reach.ucf.edu/~itr/ITPolicies/ADICS.htm

G. Users shall not send telecommunications messages the content of which is defamatory, or which constitutes a breach of telecommunications security, or is in violation of Federal, State, or local laws or university rules or policies.

H. Telecommunications messages intended for general distribution to all campus users shall be reviewed and approved in advance by the appropriate Vice President to determine that such information is suitable for general distribution. Broadcast distribution of electronic mail messages may be limited by other university Policies.

I. The university telephone system shall be used only for official university business purposes. University employees are allowed to make incidental use of the telephone system for necessary personal calls, but must identify such calls and reimburse the university for any tolls or other charges incurred through personal use.

University employees requiring telephone credit cards for use in official university business should contact UCF Telecommunications.

Individuals applying for long distance calling plans or telephone credit cards for personal use must not use university telephone numbers (407) 823-XXXX and (407) 882-XXXX in such applications.

Students must not accept third number billing calls or collect call charges against UCF telephone numbers. UCF contracts with private long distance carriers to provide long distance service for students residing in UCF residence halls. Students can apply for this service and receive an authorizing PIN code. Students must use calling cards not associated with UCF telephone numbers from any university telephone; e.g., calling cards from parents or the Z-Line service.

J. For purposes of this document, e-mail includes point-to-point messages, postings to newsgroups and listservs, and any electronic messages involving computers and computer networks. E-mail is generally subject to the Florida Public Records Law to the same extent as would be the equivalent paper documents. University e-mail systems shall be used only for official university business purposes. University employees are allowed to make incidental use of university e-mail systems for necessary personal messaging. The following uses of e-mail by individuals or organizations are prohibited under this policy. University e-mail systems shall not be used for the initiation or re-transmission of:

1. Chain letters
2. E-mail sent repeatedly from user to user, with requests to send to others
3. Harassing or hate mail
4. Any threatening or abusive e-mail sent to individuals or organizations that violates university procedures and regulations
5. Virus hoaxes
6. Spamming or e-mail bombing attacks (intentional high volume e-mail transmissions other than officially approved campus general mailings)
7. Unsolicited e-mail that is not related to university business
8. False identification (any messages that misrepresent or fail to accurately identify the true originator.)
9. Computer viruses, worms, or other harmful software

K. Individuals submitting messages to electronic forums such as mail distribution lists or Usenet news groups shall be aware that users of these forums have expectations regarding message content and appropriate posting etiquette. University users shall be considerate of the expectations and sensitivities of others on the network when posting material for electronic distribution.

L. Utilizing electronic systems in such a manner as to deliberately degrade or disrupt the normal operation of voice or data networks or university computer systems is prohibited.

M. Official university web sites (including colleges, departments, centers, institutes, etc.) represent the university and are intended for the official business functions of the university. Each home page of an official university web site should be registered with the Coordinator of Web Services, Course Development and Web Services, who will include it as a link from the UCF main web site.

The following information must be readily identifiable on all content pages of the web site (home, welcome, or splash pages may be exempt from this requirement):

1. Accurate authorship attribution including the name of the unit or group represented by the page
2. A means of contacting the person(s) responsible for maintaining the page content
3. The date of the last revision
4. A text or graphic link to the main university web site

Personal home pages on university computers represent the individual in his or her primary role as a UCF employee. Incidental personal information on employee pages is deemed acceptable so long as it is not false or misleading and it does not interfere with the function or desired presentation of the unit, cause disruption of normal service, incur cost to the university, result in excessive use of resources, contain commercial content, or represent non-university entities. Faculty and staff who wish to publish substantial personal information not related to their university functions should use an Internet service provider rather than university web resources.

Using UCF web pages for personal financial gain or other personal benefit is prohibited. Any commercial use of UCF web resources must be pre-approved, consistent with existing university policies and procedures regarding outside employment activities. The university may require pages involving commercial content to reside on a specific domain such as ucf.com.

UCF accepts no responsibility for content on servers not maintained by the university that are linked from pages on UCF servers. However, web page authors should consider that such links, even when clearly labeled, can be misinterpreted as being associated with the University. Links on personal home pages to sites where the individual has a personal monetary interest should be avoided.

N. Any individual user or departmental office may maintain and be solely responsible for one or more registered servers on the UCF network. Servers that do not directly support the instructional, service, and research missions of the university will not be provided access to the campus network. Server access to the campus network and the Internet may be terminated by Computer Services if the operation or content of the server appears to violate applicable law, rules, or policies, or poses a risk to the integrity of the campus network, results in a degradation of network performance, makes inappropriate use of intellectual property, or contains prohibited content. Every effort will be made to provide advance notification of termination.

All servers must be registered with Computer Services using the Network Operations Center secure server registration page http://www.noc.ucf.edu/Security/secure_site.htm. The Server registration database will be audited annually.

O. The university and its employees are prohibited from using any university resources for, or implying in any way that the university is directly involved in, political campaigns or campaign fundraising. Likewise, university computing and communication resources cannot be used in support of a political campaign or for campaign fundraising, even under a reimbursement arrangement. An example of prohibited use would be for a university employee to use university e-mail, Web, or telephone resources to solicit support of any political candidate over another or to raise funds for a candidate.

III. User Responsibility: Computer users shall comply with all applicable user conduct codes and rules, laws, and regulations governing the use of computer and telecommunications resources, specifically Chapter 815, Florida Statutes, Computer Crimes Act, Title 18, United States Code, and the Electronic Communications Privacy Act of 1986.

A. Campus and network computing resources shall be used in a manner consistent with Chapter 815, Florida Statutes, Computer Crimes Act, Title 18, United States Code, and the Electronic Communications Privacy Act of 1986. Unauthorized or fraudulent use of university computing or telecommunications resources can result in felony prosecution as provided for in Florida Statutes, and Chapter 775, Florida Criminal Code.

B. The computing and telecommunications resources of the university shall be used only for purposes directly related to, or in support of, the academic, research, or administrative activities of the university. If a university employee wishes to use university facilities, students, equipment, materials or software, for personal or outside professional purposes, permission must be requested in advance using form AA22. Form AA22 is available in the Office of Academic Affairs, the Office of the Vice President for Research, and in the office of each college dean.

C. Departments operating UCF computers shall be responsible for all use made by individuals having accounts on those machines. Account owners shall prevent unauthorized use by others, and report intrusions or any other inappropriate activity to the respective system administrators. Individual password, PIN or authentication code security is the responsibility of each user. Users shall be required to change their passwords as least every sixty (60) days, using a password that contains a minimum of six (6) characters, including numerals. Passwords should not be common names or words found in the dictionary.

D. Users shall not attempt to undermine the security or the integrity of computing systems or telecommunications networks and shall not attempt to gain unauthorized access to these resources. Users shall not employ any computer program or device to intercept or decode passwords or similar access control information. If security breaches are observed or suspected, they must be immediately reported to the appropriate system administrator or department security coordinator.

E. Users shall not intentionally damage or disable computing or telecommunications equipment or software.

F. Users shall ensure that software acquisition and utilization adheres to the applicable software licenses and copyright law, and is consistent with university software policies. Users shall maintain documentation sufficient to prove that all software installed on any computer workstation assigned to them has been legally obtained and is installed in conformance with the applicable license(s). Backup copies of software shall be made only if expressly permitted by the applicable license(s). Managers and unit administrators shall ensure that the workstation of any employee who reports to them is operated in accordance with this policy and applicable university rules and other policies. In addition, managers and administrators shall provide software users reporting to them written documentation (e.g., this policy) describing responsibilities for appropriate use.

G. To maintain proper functioning of computer and networking hardware and software, system administrators and individual users shall take reasonable care to ensure their computing facilities are free of viruses or other destructive software. Information on computer viruses and virus detection, and eradication software is available from the Computer Services office.

H. Users of university computing facilities and telecommunications networks shall use these resources prudently, and avoid making excessive demands on these facilities in a manner that would knowingly impair the use of these resources by others.

IV. Access To and Disclosure of Electronic Information
Users should be aware that their uses of university computing and telecommunications resources are not completely private. The university does not routinely or without cause monitor individual use of these resources; however, the normal operation and maintenance of these resources require the backup and caching of data and communications, logging of activity, monitoring of general usage patterns, and other such activities that are required to manage these services. In addition, information stored on university computing resources, or passed through university telecommunications networks may be accessible to the public through public record laws, subpoenas, interception, or other means.

The university may also specifically monitor the activity or accounts of individual users of university computing and telecommunications resources, including individual login sessions and the content of individual communications, without advance notice when:

1. the user has voluntarily made such information accessible to the public, as by posting to a listserv or web page;
2. it reasonably appears necessary to do so to protect the integrity, security, or functionality of university or other computing resources or to protect the university from liability;
3. there is reasonable cause to believe that the user has violated or is violating this policy;
4. an account appears to be engaged in unusual or excessive activity; or
5. it is otherwise required or permitted by law.

Access to and disclosure of electronic information shall be governed by the following provisions:

A. Professional ethics dictate that any person having access to proprietary or confidential information:
1. use that access only to the extent required to discharge the assigned responsibilities of that person's position;
2. not disclose any such information except to the extent authorized or required under this policy or applicable rules or laws; and
3. not use, in any manner, such information or knowledge for personal gain.

B. A university employee may read, view, listen to, or otherwise access electronic messages or the contents of computer systems without the knowledge or consent of the user only as provided in this policy or upon express prior authorization from the Provost or designee or the General Counsel. Such prior authorization shall be given in writing, and must clearly state the purpose of granting such access.

C. It is the responsibility of each person having access to proprietary or confidential information to pursue any case of actual or suspected abuse or misuse of university computing and telecommunications resources. Proper pursuit of such cases may require that person to disclose relevant information to supervisors or designated investigators.

D. Except as provided otherwise in this policy, any person having or gaining access to proprietary or confidential information who is found guilty of violating confidentiality shall be subject to appropriate university and statutory sanctions.

E. Information accessed in such instances shall not be disclosed except as provided in this policy or with prior written authorization from the university's Provost or designee or the General Counsel. Such prior authorization to disclose shall be given only in cases involving a possible breach of system security, a violation of law, a violation of university rule or policy, or dereliction of duty or responsibility on the part of a university user.

V. Enforcement of Policies: Violations of computer and network procedures and policies shall result in disciplinary action, in accordance with the Student Handbook - The Golden Rule, the USPS Handbook, the Faculty Handbook, Rule 6C-5.950, 6C7-3.0124, 6C7-3.0191 and 6C7-5.0041, Florida Administrative Code, The Digital Millennium Copyright Act of 1998, and the disciplinary provisions of all applicable university collective bargaining agreements in place at the time such violation occurs. Violations of university policies shall be referred to the appropriate university official(s) for appropriate disciplinary actions. Suspected criminal violations of Federal, State or local laws shall be reported to the university police, appropriate law enforcement agencies, the Inspector General's office, or any other applicable authorities or agencies.

Any violation of the procedures and policies described above may result in immediate loss of network and computer access privileges, seizure of equipment, or removal of inappropriate information posted on university-owned computers or university supported internet sites or pages.

VI. Definition of Terms: For the purpose of this procedure, the following terms are described as follows:

A. Telecommunications means all communications made through or on university telephones, electronic mail, radios, facsimile machines, or any other electronic communication device.

B. University Communications means all communications that have a university business purpose.

C. Personal Communications means all communications that do not have a university business purpose.

D. Use of Telecommunications Equipment means any use of the university's telecommunications equipment by employees for university or personal business.

E. System Administrator means the person(s) responsible for managing central computer or file servers, including operating systems and application software.

F. Network Administrator means the person(s) responsible for managing telecommunications network software, hardware infrastructure, or access rights for local area networks (LANS) or wide area networks (WANS).

G. Server means a computer that supports access to electronic services or information for network users.

H. Information Technology Resources means the technology infrastructure for processing and exchange of information, including computing and telecommunications (voice, video, and data) devices and associated resources to operate, maintain, and utilize the technology infrastructure.

Specific Authority: 120.53(1)(a), 240.227(1) FS. Law Implemented: 120.53(1)(a), 240.227(1) FS. History -- New 4-26-87, Amended 9-12-96, Amended 04-04-00.