College Network Security Policy

This policy applies to the use of all College computing facilities, equipment and networks. College computing facilities, equipment and networks are to be used only by authorized persons, i.e., faculty, students, staff and other persons with affiliate status at the College. Once such status lapses for any individual, use is no longer permitted.

Information technology supports and sustains the College's teaching, learning, research and business practices. For the institution and the individuals who are a part of it, safe computing practices are in each user's and the institution's best interest. Computers and networks offer us access to resources on and off-campus; they enable us to communicate with other users throughout the world. This open access is a privilege the College extends to the members of its community, founded on the assumption that each user will act responsibly and with the interests of the community at heart. All users are responsible for familiarizing themselves with this policy and guidelines. Users are expected to respect the rights of other users, to respect the integrity of the systems and related physical facilities, and to observe all relevant laws, regulations and contractual obligations.

Misuse of the network in unauthorized ways is detrimental to all our interests and may result in the loss of computing privileges. Serious misuse can be prosecuted under applicable state and federal statutes. Users are accountable for their conduct under College policies and procedures.

Members of the community--students, faculty and staff--may have rights of access to information about themselves contained in computer files, as specified in federal and state laws. Members of the community should be aware that files may be subject to search under court order and that system administrators may access user files as required to protect the integrity of the computing system. For example, system administrators will examine files or accounts that are suspected of unauthorized use or misuse, or that have been corrupted or damaged, when authorized to do so either by the individual user or a senior official of the College.

All users of Bryn Mawr College's computing resources are expected to follow the guidelines set forth below. Respect for these reasonable measures should ensure a safe and productive information technology environment at Bryn Mawr College. In addition, students are advised to consult the policy on the use of information technology in dormitories.

This policy was drafted by representatives from the Committee on Academic Computing (CoAC), the Library, Computing Services and the College Counsel. It was reviewed and amended by the members of CoAC and further reviewed and amended by the Senior Advisory Group on Information Technology (SAGIT) and the College Counsel. Policies and guidelines in use at other institutions, including Bucknell University and the University of California-Berkeley, helped inform the process.

Guidelines

Public Access Computers and Computing Labs
The College has a variety of venues for computing: public labs in Guild; departmental labs; the Language Learning Center; computers in labs, rooms, and at-large throughout the College's Libraries, etc. Users are asked to respect the procedures in each of these facilities.

Anyone possessing a valid ID card from Bryn Mawr, Haverford, or Swarthmore College may use the College's public computing labs. Some of these labs require the presentation of a valid ID card.

Some computing labs (e.g., in the sciences) may, by College policy, have restricted access.

Public labs--as in Guild or in the Language Learning Center--usually have a manager and contact information in the event of a problem. Labs should each have a posted set of guidelines or rules for users.

The Libraries have computers which are available to the public. Library personnel oversee these computers and have installed on them appropriate security software. Access to these computers is available to all library users and visitors.

Some of the College's computing labs restrict the user from installing software or altering the configuration of the workstations in any way without the permission of the lab managers. Users are expected to respect these restrictions.

Other College labs and public access facilities, such as the Libraries, permit users to download software in the course of their work from sites throughout the world in order to view and use the information they are seeking. Although deliberate changes in settings would violate College policy, temporary changes prompted through the use of CDs and information downloaded from the web are permitted.

Workstation Hard- and Software

College-owned equipment
The College supplies users in offices (i.e., members of the faculty or staff) who have a College-related need for computer access with hardware and software, that is, a workstation. As part of the computer's standard software, Computing Services will install virus protection software and connect the computer to the campus network.

Users should not use another employee's workstation without the express permission of their supervisor, or the individual to whom the workstation has been assigned.

Users are responsible for the security and integrity of institutional data stored on workstations. Users are responsible for backing up their work, either on disks or servers (see below); controlling physical and network access to their equipment; and using virus protection software.

College-owned computing equipment should not be moved from an office without the notification and approval of Computing Services. Changing network jacks within an office might result in the loss of connectivity. Users should call the Help Desk for assistance.

Departments which need to move equipment from time to time because of instructional needs should notify User Services.

Personally-owned equipment
Personally-owned computers which are brought to campus by users--for dorm use or office use--must be registered with Computing Services before being connected to the network. Registration is performed electronically. A registration form will appear automatically when a web browser is launched on an unregistered computer which has been connected to the College network. The computer will have full network access once the user completes the registration process.

Safe Practices

Users are required to keep their passwords secret. Passwords should not be posted on or near a computer, for that could lead to unauthorized use of the user's or the College's computing resources. See below for more information on passwords.

Users are advised to back up their own work periodically. "Periodically" will mean different things to different users, but a rule of thumb is to determine how much one can afford to lose or redo.

Users may not run or otherwise configure soft- or hardware so that access by unauthorized users is possible.

To guard against viruses, users are advised to be sure that virus-checking software is installed, configured and running up-to-date virus definitions on their machines, and that it runs daily, or weekly, at a minimum. Further information about viruses and protection against them is available electronically.

When a user leaves the office, she or he is advised to log off network accounts or to lock the office. Users who share office space should log off network servers when they expect to be away from their desks for some time. These measures are to prevent unauthorized persons from reading sensitive information on a computer screen or accessible through the computer itself.

Users in private offices and shared work areas are advised to take precautions to prevent unauthorized persons from reading sensitive information on their computer screens.

Users who find or suspect a possible security lapse in an institutional system should report it to abuse@brynmawr.edu and to their dean, the Provost, department head, or supervisor.

The Network, Network Accounts, Access and Passwords

The campus network is provided primarily for uses and functions related to the academic mission of the College and the work--in offices, labs and elsewhere--which supports that mission. It supplies access to e-mail, to the Internet, to institutional databases (AIMS, PeopleSoft), to a calendar system and to other LANs (local area networks). The following practices secure the network for all users:

Users need to establish accounts in order to use many of these network services. Information on obtaining server accounts is available at Computing Services' website. That website sets forth the types of network accounts (e-mail, AIMS, PeopleSoft, MeetingMaker, LAN) and the guidelines for opening and maintaining them.

The minimum level of security required by the College for servers outside of the core service area and attached to the College network requires that user accounts on these servers may not be given to individuals outside of the College community without prior permission. Information about applying for affiliate status, which would allow persons outside the community to acquire accounts on College machines, is described in the next item. This security level also prohibits the activation of certain services on these machines, including, but not limited to, sendmail. Additional security measures, such as system logging and installation of available security patches, may also be required. See below for more on servers residing outside Computing Services.

Individuals who are not current students at or employees of the College may seek to obtain affiliate status which will enable them to use the network. Guidelines for affiliate status are posted on the Provost's website.

Passwords--or user "login names"--provide security to the College's information infrastructure. They are therefore required for a user who wishes to have an account on the College network. Without such an account, a user cannot use e-mail or access administrative systems (e.g., PeopleSoft and AIMS).

Users should choose and keep secret all their passwords for their accounts. Passwords should not be posted in easily accessible places or shared. Guidelines for choosing strong passwords are available here.

In order to protect the integrity of the network, the College follows the practice of asking users to change their passwords at regular intervals. Three- to six-month intervals are industry standards. Computing Services may implement a mechanism to assure that this happens and alert users as the expiration date for their password approaches. Some central system software maintains a history of previous passwords and prevents their reuse until after a given period of time has elapsed. All this is in the interests of maintaining network security. Instructions on changing passwords are available here.

Users are advised that:

  • Computing Services will notify a user who has not accessed one of her/his accounts in a year that the account may be closed or removed.
  • Computing Services is notified by the Registrar when a student leaves the College and by Human Resources when an employee leaves. Access to the network is then removed, in accordance with the network server account policy.
  • Users should not interfere with others' legitimate use of the network, either intentionally or inadvertently. Examples of interference include: knowingly performing an act which will interfere with the normal operation of computers, terminals, peripherals, or networks; deliberately wasting computing resources, e.g., excessive printing, sending chain mail.
  • Activities that fall outside of work-related use of the network may be limited or prohibited.

Violations in the use of "login" names and passwords include intercepting (or monitoring) transmitted information without prior authorization.

To maintain network security and protect the College's computing resources, and only in those instances in which there is a suspected violation of this policy or a law, Computing Services will act on its authority to lock accounts and to examine files, passwords and account information on core servers.

Security of Core Hardware

The following guidelines refer, for the most part, to core equipment in Guild and to data closets throughout the campus, and not to desktop computers in offices, labs and other public spaces.

Access to Such Equipment
Only authorized persons may use College equipment. Authorized employees are responsible for taking reasonable precautions to ensure that unauthorized individuals do not have access to equipment. In no case may the means of access (keys, access cards, or combinations) be lent or given to others.

Data Closet and Room Access
In general, only Computing Services staff members are allowed in the College's Computing Services machine rooms or distributed data closets. Unless they are under the close and immediate supervision of a Computing Services staff member, no one else is authorized to enter these areas.

Protection of College Infrastructure
The College will take action to provide reasonable protection against environmental threats such as flooding, lightning, extreme temperatures, loss or fluctuation of electrical power, and unauthorized use or access for purposes of harm, and will provide adequate disaster recovery plans and procedures for critical systems data.

Security of Files Stored on Servers

The College provides reasonable security against intrusion and damage to files stored on the central computing facilities. The College cannot, however, be held accountable for unauthorized access by other users, nor can it guarantee protection against media failure, fires, floods, etc. The security measures the College undertakes and each user should undertake include:

Routine Back-ups
Computing Services will perform routine system and data backups of central servers. Backup tapes will be kept in a secure location and archived for a period of time appropriate to the system. Files lost due to system failures or user error will be restored upon request, when possible. Computing Services does not guarantee the availability of backups to restore files.

A User's Responsibility
It is the responsibility of the user to back up files stored on her or his workstation. Users taking advantage of server storage are advised to keep a list of their folders and files in order to facilitate and expedite their retrieval in the case of loss.

Individual File Security
Users may choose to use available system commands to reset permission levels on their own files from those assigned in order, for example, to share files with a colleague. Those choosing to use these commands take responsibility for correctly setting or resetting permission levels. Any user discovering material accidentally left unprotected is expected to follow ethical standards respecting the privacy of the file owner.

User Access Limitations
Users may access only the workstations, "login" accounts, and computer files for which they are authorized. Users are individually responsible for all use of resources assigned them.

Any attempts to secure a higher level of privilege than has been approved and extended to the user on networked systems are prohibited. Users may not develop programs, use mechanisms, or employ means by which the College's computing resources may be used anonymously or by means of a forged "login" identity.

Use of the College systems and/or network to gain unauthorized access to other systems or networks (i.e., hacking) is prohibited.

Servers Residing outside Computing Services
The users responsible for these systems are responsible for the security and backup of information stored on them. To the extent possible, the security of these systems should conform to the same standards as core resources. If a department or other unit of the College which has responsibility for such server systems is unable to provide sufficient security, Computing Services may be able to provide assistance or administer the server. Only servers meeting the requirements for supported systems will be connected to the campus network.

Servers should not routinely be used as a workstation without the permission of the system owner or administrator.

Ideally, servers should be located in physically secure areas such as a locked closet. When servers are located in labs (as in the sciences) so that students may have access to them, reasonable measures should be taken to lock the lab's doors when the rooms are not in use.

Cables to servers and their connections should be in a secure location, if possible.

Data Integrity during Repair
Computing Services will follow written procedures to maintain data integrity during hardware repair, will set up a schedule of preventive maintenance for the computer systems, and will maintain a log of administrative tasks performed on the server. Any hardware or system malfunctions will be documented and reported.

Security Lapses
Any user who finds a possible security lapse on an institutional system is obligated to report it to the system administrator.

Security Loopholes
Loopholes in system security or knowledge of a special password are not to be used to damage systems or obtain unauthorized services.

Dial In/Modem
Dial-in access must be restricted due to the limitations on available equipment and technical support. Users with a College-related need may request access through the account request form.

Administrative Data Systems

Access to Administrative Data Systems
Access to administrative data systems is granted to those individuals who need to use specific data because of the nature of their employment at the College. Users may access only those data and transactions required to conduct their officially assigned duties. Improper access to or unauthorized disclosure of confidential information is a violation of this policy, and may be a violation of federal law.

Handling Administrative Data and Reports
Printed output containing confidential or sensitive information should be treated with the same care as confidential data files. Floppy disks, zip disks and printouts should be stored in a locked file cabinet or desk. Disks or printouts with sensitive information should be locked in a cabinet.

Dissemination of Administrative Data
Dissemination of information by phone, fax or printed materials should be limited to those authorized to receive the data. Printouts and disks should be discarded in a way that prevents unauthorized access. Disks should be re-initialized or erased and paper shredded.

Responsible Parties
Department heads are responsible for ensuring that procedures are in place for maintaining the security of the systems and data and periodically reminding their staff and/or colleagues about the need for secure practices.

Violations

College computing resources are not to be used for personal financial gain or commercial purposes.

Any user aware of a policy violation is obligated to report it to her or his dean, the Provost, department head or supervisor and to abuse@brynmawr.edu. Once a violation has been reported, knowledge or suspicion of policy violations will be treated confidentially within the College, but in case of possible criminal activity, evidence of such violations may be provided to law enforcement officials.

Removal, misappropriation, forwarding or copying of confidential files, records and reports (or of copies thereof) from the office where they are kept is a violation of College policy, unless necessary in the performance of job responsibilities.

Exploiting loopholes in system security or using special passwords to damage systems or obtain unauthorized services are violations of College policy and practices.

Further examples of misuse include, but are not limited to:

  • Interception or decryption of system or user passwords or access control information.
  • Using a computer account that you are not authorized to use.
  • Using the campus network to gain unauthorized access to any computer systems.
  • Knowingly performing an act which will interfere with the normal operation of computers, terminals, peripherals, or networks.
  • Violating terms of applicable software licensing agreements or copyright laws.
  • Deliberately wasting computing resources.
  • Using electronic mail to harass others.
  • Masking the identity of an account or machine.
  • Attempting to monitor or tamper with another user's electronic communications, or reading, copying, changing, or deleting another user's files or software without the explicit agreement of the owner.

If a violation is determined to have occurred, the College will determine disciplinary action. The College may temporarily suspend access to an account prior to the initiation of disciplinary proceedings in order to protect the College's computing resources or to protect the College from liability. Possible disciplinary actions include warnings, loss of access, and administrative action, up to and including separation from the institution. Violations may also be reported to outside law enforcement authorities, if deemed appropriate.