Acceptable Use of IT Resources and Information Assets (VII.A.4)

Volume VII: Information Technology
Chapter A: Acceptable Use
Responsible Executive: Vice President for Information Technology and Chief Information Officer
Responsible Office:  Office of the Vice President for Information Technology
Date Issued: October 16, 2017
Date Last Revised: December 12, 2024

Table of Contents

Contacts
Statement of Policy
Reason for This Policy
Individuals and Entities Affected
Exclusions
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
Website Address for This Policy
History and Updates
Appendix 

Contacts

Policy Clarification

Purdue Systems Security (PSS)
765-494-4000 | itpolicyanswers@purdue.edu

Data Classification

Data Stewards
List of data stewards

Campus Specific Questions

Security Officers
List of security officers

Statement of Policy

Information Assets and a trusted and effective information technology (IT) environment are vital to the University’s ongoing mission of discovery, learning and engagement. In furtherance of this mission, the University makes Information Assets and IT Resources available (1) to support scholarship, research and instructional activities of University faculty, (2) to facilitate the operations of the University, (3) to provide access to University services and (4) to support student and campus life activities. 

Appropriate Use

Any use of Information Assets and IT Resources must be limited to the University-related purposes described above. Incidental and non-recurring personal use of IT Resources is tolerated as part of the daily learning and work of all members of the University community, provided that such use does not violate any other applicable law, University policy, procedure or regulation. The University accepts no responsibility to maintain or secure information related to personal use that a community member chooses to store on the University’s IT Resources. The user accepts all risks associated with personal use, as outlined below under No Warranties or Assurances. 

As a condition to being granted use of or access to Information Assets and IT Resources, each user (1) consents to the provisions of this policy and (2) agrees to comply with all of the terms and conditions detailed within this policy.

The following uses of IT Resources are prohibited:

1. Circumvention of any security measure of Purdue University or another entity.
2. Intentional use, distribution or creation of viruses, worms, malicious software or keylogging techniques.
3. Distributed denial of service practices or any other device, program or practice of malicious motive.
4. Unauthorized use, copying or distribution of licensed software or copyrighted material.
5. Accessing Information Assets or other Data that is not publicly available, does not belong to the user and for which the user does not have explicit permission to access.
6. Accessing Information Assets or IT Resources in a manner designed to circumvent access limitations on Restricted or Sensitive Data (e.g., replicating a database by automated queries) without permission.
7. Use of IT Resources for organized political activity that is inconsistent with the University’s tax-exempt status.
8. Use of IT Resources that disables other IT Resources, consumes disproportionate IT Resources so that other users are denied reasonable access to those resources or materially increases the costs of IT Resources.
9. Use of IT Resources that violates any local, state or federal law or regulation or any University policy, procedure or regulation, including without limitation Information Security and Privacy (VII.B.8) and its related program and standards, Anti-Harassment (III.C.1) and Violent Behavior (IV.A.3).
10. Use of Information Assets or IT Resources for any purpose that could lead directly or indirectly to Financial Conflicts of Interest, unless such use has been approved in advance in accordance with University policies on Individual Financial Conflicts of Interest (III.B.2) and Conflicts of Commitment and Reportable Outside Activities (III.B.1). Any approval of the use of IT Resources under such policies is at the sole discretion of the University and must:
    1. Comply with all University software licenses and other intellectual property agreements;
    2. Comply with all University policies, standards and procedures;
    3. Comply with federal and state laws and regulations;
    4. Not generate additional costs to the University; and
    5. Not interfere with University work or use of IT Resources.

Use of IT Resources is a privilege and not a right. All users who have been assigned an IT Resource account by the University are responsible for the actions performed on their accounts.  Violations of this policy or any other University policy or regulation may result in revoked or limited IT Resource privileges, as well as other disciplinary action up to and including expulsion, termination or referral to appropriate external authorities.

Privacy, Operations and Monitoring

Purdue University seeks to maintain its IT environment and manage its Information Assets and IT Resources in a manner that respects individual privacy and promotes user trust. However, the use of the University’s IT Resources is not completely private, and users should have no expectation of privacy in connection with the use of IT Resources.

The normal operation and maintenance of the University’s IT Resources require back up and caching of Data and communications, the logging of activity, monitoring of general usage patterns and other such activities. The University may, with or without further notice to users, take any other action it deems necessary to preserve, protect and promote the Interests of the University. Such actions include, but are not limited to, those listed below and may occur at the institutional or local unit level pursuant to procedures promulgated from time to time under the Information Security and Privacy Program.

1. Intercept, access, scan, inspect, monitor, record, copy, store, use, disclose or sanitize the contents of any electronically stored Data employing IT Resources or any communications or transmissions to or from IT Resources, whether via computer accounts, Devices or other means; and
2. Block unauthorized access to, and unauthorized uses of, the IT Resources and Information Assets. 

University personnel do not routinely monitor the content of communications or transmissions using IT Resources. A dean, vice president or chancellor; their designee(s); or University legal counsel may authorize, through written request to the Office of the Vice President of Information Technology, University technicians or administrators to take any of the actions described above. Deans, vice presidents and chancellors who delegate authority to a designee must do so in writing and, upon request, provide a copy to the Office of the Vice President for Information Technology. The decision to direct action to be taken must be based on one or more of the following:

1. A reasonable belief that a process active in the account or Device is causing or may cause significant damage to University IT Resources or could cause loss/damage to user, University or third-party Data;
2. A need to comply with a written request from federal, state or local law enforcement agencies and compliance with applicable University policies relating to the handling of such a request;
3. A reasonable belief that an individual has violated or is violating University policies, standards, regulations or procedures using the accounts or Devices in question;
4. A determination that a staff member, faculty member or student is deceased, has been terminated or is otherwise unavailable for the purposes of retrieving information that is critical to the operation of the unit in question;
5. Receipt of a written request from the Office of the Dean of Students on behalf of the parents, guardian or personal representative of the estate of a deceased student;
6. Receipt of a written Internal Audit request;
7. Authorization by an appropriate order of a court of competent jurisdiction and compliance with applicable University policies related to the handling of such orders;
8. Receipt of a written authorization from an authorized representative of the Institutional Review Board (IRB) after concluding that access is needed in support of an institutionally-approved research project and such access complies with applicable laws and University policies, including rules governing protection of human research subjects;
9. A requirement to take action to comply with applicable law; and/or
10. A determination that access is necessary to preserve, protect or promote University Interests.

Without limiting its right to take action, the University may, in its sole discretion, disclose the results of any general or individual monitoring or access permitted by this policy, including the contents and records of individual communications, to appropriate University personnel or law enforcement agencies or use those results in appropriate University disciplinary proceedings. Where applicable and warranted, the account or equipment user will be notified of the access or monitoring and the corrective actions taken. In addition and without violating federal, state or local laws, the University may use Business Administrative Data or Institutional Academic Data in the collection, analysis and reporting of metrics designed to fulfill the University’s mission of discovery, learning and engagement; to advance its strategic objectives; and to preserve, protect and promote its Interests.

Scope

As a general matter, the following types of Data are created or transmitted by, maintained on or accessed via IT Resources, and this policy applies to all such Data at all University campuses:

1. Information Assets stored in IT Resources, including computer accounts on University-owned systems or other University-owned Devices.
2. Information Assets stored in computer accounts or other Devices managed by the University on behalf of an associated organization, including but not limited to Purdue Research Foundation, the Ross-Ade Foundation and Purdue International, Inc.
3. Information Assets stored in computer accounts or other Devices managed or hosted by trusted partners or third parties on behalf of the University, including but not limited to Cloud Computing Services or Hosting Services.
4. Voice and Data telecommunications traffic to, from or between University IT Resources and any Device listed above, and traffic on personally-owned Devices while using or accessing University IT Resources.

No Warranties or Assurances

The University makes no warranties of any kind, whether expressed or implied, with respect to the IT Resources it provides. The University will not be responsible for damages resulting from the use of IT Resources, including but not limited to loss of Data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a University employee, or by any user’s error or omission. The University specifically denies any responsibility for the accuracy or quality of information obtained through IT Resources, except material that is presented as an official University record.

Reason for This Policy

The University’s Information Assets and IT Resources are provided for University-related purposes. Access to and usage of them entails certain expectations and responsibilities for both users and managers of the University’s IT environment. This policy sets forth those expectations and responsibilities.

The University recognizes that the right to privacy is a deeply held conviction, especially within intellectual and academic communities. Privacy is critical to the intellectual freedom that forms the foundation of higher education.  However, a user’s right to individual privacy in the context of the availability and use of IT Resources must be balanced with the University’s legal obligations, the larger needs of the community and the University’s own Interests.

Individuals and Entities Affected

This policy applies to students, faculty and staff of the University and to all other persons accessing Purdue Information Technology (IT) Resources or Information Assets stored on or accessible via those resources, regardless of whether such resources or assets are accessed from on-campus or off-campus locations or via Devices (generally referred to in this policy as “users”). 

Exclusions

While the University reserves the right to (1) maintain and implement controls on a user’s ability to access Information Assets and IT Resources via a personal Device and (2) regulate the transmission of these types of Data between a personal Device and University IT Resources, this policy does not grant the University access to an individual’s personal Device.

This policy does not apply to cyber-security research activities that, by their very nature, explore limits on the ability to protect the privacy of Data, when the research:

1. Is carried out in a manner that employs sufficient and appropriate safeguards to contain the research to pre-defined and intended University IT Resources;
2. Is safeguarded from conception to termination of the research; and
3. Does not interfere with or compromise the operation or security of other University IT Resources.

Faculty, staff and students conducting cyber-security research must consult with their campus or departmental IT staff to ensure that appropriate safeguards are in place for that research.

Nothing in this policy changes or supersedes individuals’ or the University’s rights or obligations to comply with applicable federal and state laws or regulations governing the use and privacy of information, including:

1. Fair and Accurate Credit Transactions Act of 2003 (FACTA),
2. Family Educational Rights and Privacy Act (FERPA),
3. Gramm-Leach- Bliley Act (GLBA),
4. Health Insurance Portability and Accountability Act of 1996 (HIPAA), and
5. Payment Card Industry Data Security Standard (PCI-DSS).

Responsibilities

University Faculty, Staff and Students, and Other Parties with Access to University Information Assets and IT Resources

• Use IT Resources in compliance with all applicable laws and University policies, standards, regulations and procedures.
• Be familiar with and consult security standards and technical reference materials as applicable to the user’s particular use of Information Assets and IT Resources.
• Physically secure and safeguard IT Resources within the user’s possession and control.
• Understand and comply with the guidance provided by this policy, as well as applicable compliance programs, including but not limited to those relating to FACTA, FERPA, GLBA, HIPAA and PCI-DSS.
• Report promptly to abuse@purdue.edu any suspected violation of this policy, any suspected IT Incident, as defined in the University’s policy on Incident Response (VII.B.3), and any incident involving a suspected compromise of a user’s University-provided account or Device.

Chief Information Security Officer (CISO)

• Administer this policy.
• As official designee of the Vice President for Information Technology, ensure request to access or disclose information per policy is reasonably required in order to protect University interests, is properly authorized and specify the scope and conditions of permitted access.
• Provide authorization and direction to technicians and administrators in accordance with this policy.

University-Authorized Technicians or Administrators

• With appropriate authorization, take directed action in accordance with this policy to preserve, protect and promote the Interests of the University.
• Ensure all associated procedures are followed when taking any actions outlined in this policy.

Definitions

All defined terms are capitalized throughout the document. Additional defined terms may be found in the central Policy Glossary.

Business Administrative Data
Information Assets that are created, collected, maintained, used or transmitted by the University in connection with conducting its business operations, including but not limited to human resources, finance, accounting, facilities and general administrative activities.

Cloud Computing Services or Hosting Services
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) or other similar services by which providers deliver software applications or platforms for development to business clients via the Web or host and/or manage hardware that commonly supports data center operations.

Data
Discrete, objective facts, statistics or other information collected or captured for reference, analysis, calculation, measurement or some other use. 

Device(s)
Any mechanism used to store, retrieve, manipulate or transfer Data, including but not limited to a desktop or laptop computer, CD, USB flash drive, external USB hard drive, tablet, smart phone or cellular phone.

Information Asset
A body of contextualized or definable Data, regardless of format, that has a recognizable and manageable value, risk, content and lifecycle and that is generally defined, classified and managed by the University so that it can be understood, shared, protected and used effectively. In the ordinary course of its activities, the University regularly creates, collects, maintains, uses and transmits Information Assets.

Information Owner
The unit administrative head who is the decision-maker with respect to Information Assets owned by that unit in conducting University business. Except in cases where unit-level control would impede the general usage of information in the University’s mission of discovery, learning and engagement, an Information Owner has decision-making authority over the Information Assets used, managed or regularly accessed in the unit’s administrative functions, as well as over any forms, files, information and records, regardless of format, that relate to such Information Assets.

Institutional Academic Data
Information Assets that are created, collected, maintained, used or transmitted by the University in connection with its mission of discovery and learning, including but not limited to general Data regarding student diversity, enrollment, academic performance, retention, majors and instructional activity; faculty and staff headcount and funding Data; research Data; and peer benchmarking Data.

Interests
As used in this policy, the Interests of the University include, without limitation, those in:

1. Maintaining the stability, security and operational effectiveness of IT Resources and the services provided through them;
2. Safeguarding the availability, integrity and confidentiality of Information Assets maintained on IT Resources;
3. Protecting University assets and resources, including but not limited to IT Resources;
4. Monitoring the progress of institutional effectiveness and identifying improvements to services or delivery of programs;
5. Ensuring compliance by others with University policies, standards, procedures or regulations;
6. Preserving and promoting the integrity and reputation of the University;
7. Safeguarding the property, rights and Data of third parties;
8. Complying with the University’s own legal responsibilities;
9. Promoting and protecting public safety; and
10. Preserving the University’s legal rights.

Interests also include those identified within the definition of “legitimate educational interests” of the University as set forth in its FERPA Annual Notification of Student Rights.

IT Resources (or Information Technology Resources)
All tangible and intangible computing and network assets provided by the University or by authorized third-parties, regardless of whether those resources or assets are accessed from on-campus or off-campus locations or via Devices. Examples of such assets include, but are not limited to, hardware, software, wired and wireless network and voice telecommunications assets and related bandwidth (including electronic mail), mobile Devices, electronic and hardcopy information resources, and printers.

Restricted Data
Information to which access is restricted under applicable legal, regulatory or policy requirements or for which the Information Owner has exercised a right to restrict access by others.

Sensitive Data           
Information whose access must be guarded due to proprietary, ethical or privacy considerations, even if such considerations are not mandated by an applicable legal, regulatory or policy requirement.

Related Documents, Forms and Tools

Related training:

Family Educational Rights and Privacy Act (FERPA) Training

Health Insurance Portability and Accountability Act (HIPAA) Training

Gramm-Leach-Bliley Act (GLBA) Training

Related policies, standards and procedures:

• Access to Student Education Records (VIII.A.4)
• Anti-Harassment (III.C.1)
• Biometric Technologies (S-14)
• Classified Computing (S-9)
• Compliance with HIPAA Privacy and Security Regulations (S-10)
• Electronic Mail (S-7)
• Individual Financial Conflicts of Interest (III.B.2)
• Information Security and Privacy (VII.B.8)
• Payment Card Acceptance, Security and Governance (S-1)
• Political Activities (III.B.4)
• Procedures for Public Records Requests
• Social Security Numbers (S-18)
• Violent Behavior (IV.A.3)

Laws that influence and affect this standard include but are not limited to:

• COPPA
• DMCA
• ECPA
• FERPA
• GLBA
• HIPAA
• USA Patriot Act

FERPA Annual Notification of Student Rights

Website Address for This Policy

www.purdue.edu/vpec/policies/information-technology/viia4

History and Updates

December 12, 2024: Document reviewed; minor administrative updates made to titles, offices and links.

March 1, 2019: Updated Appropriate Use section to reference No Warranties or Assurances section.

October 16, 2017: Consolidates and supersedes policies for Privacy for Electronic Information (VII.B.2) and IT Resource Acceptable Use (VII.A.2). Added clarification regarding University’s use of data to support mission and goals; updated to reflect current technologies and capabilities; updated links in Related Documents, Forms and Tools section.

November 18, 2011: Policy number changed to VII.B.2 (formerly V.1.3). Links to policies in Related Documents section updated as well.

Appendix

There are no appendices to this policy.