Acceptable Use Policy
Introduction
This policy will provide guidance to all users on the proper and acceptable use of Keuka College’s electronic resources. The technology resources at Keuka College include, but are not limited to, all IT equipment, software and applications, networking equipment and services, internet access, email, telephone equipment and services, and voicemail. These services are provided to support the activities of the organization and should be used for those purposes.
• Use should always be legal, ethical, and consistent with Keuka College's general standards for community behavior.
• Use of Keuka College’s technology resources or data for personal business, political campaigning, or for commercial use is prohibited, except as authorized by Keuka College.
Scope
This policy applies to all Keuka College employees, contractors, temporary staff, students, other authorized users who have access to or are responsible for an account on any system or network owned by Keuka College. It is the user’s responsibility to read and understand this policy and related policies to conduct their activities in accordance with its terms.
Policy
Except for any privilege or confidentiality recognized by law, individuals have no legitimate expectation of privacy during any use of Keuka College’s technology resources or in any data on those resources. Any use may be monitored, intercepted, recorded, read, copied, accessed, or captured in any manner including in real-time, and used or disclosed in any manner, by authorized personnel without additional prior notice to individuals. Periodic monitoring will be conducted of systems used, including but not limited to: all computer files; and all forms of electronic communication (including email, text messaging, instant messaging, telephones, computer systems, and other electronic records). In addition to the notice provided in this policy, users may also be notified with a warning banner text at system entry points where users initially sign on about being monitored and may be reminded that unauthorized use of Keuka College’s technology resources is not permissible.
Keuka College may impose restrictions on the use of a particular IT resource. For example, Keuka College may block access to certain websites or services not serving legitimate business purposes or may restrict user ability to attach devices to Keuka College’s technology resources (e.g., personal USB drives, external storage devices).
Employees accessing Keuka College’s applications and technology resources through personal devices must only do so with prior approval or authorization from the organization.
Acceptable Use
All uses of information and information technology resources must comply with organizational policies, standards, procedures, and guidelines, as well as any applicable license agreements and laws including Federal, State, local and intellectual property laws.
The acceptable use of information and technology resources includes the following responsibilities:
- Understanding the baseline information security controls necessary to protect the confidentiality, integrity, and availability of information;
- Protecting organizational information and resources from unauthorized use or disclosure;
- Protecting personal, private, sensitive, or confidential information from unauthorized use or disclosure;
- Observing authorized levels of access and utilizing only approved IT technology devices or services; and
- Immediately reporting suspected information security incidents or weaknesses to the appropriate manager and the Associate Vice President of Technical Solutions or designated security representative.
Unacceptable Use
The following list is not intended to be exhaustive but is an attempt to provide a framework for activities that constitute unacceptable use. Any exemptions to this policy will be provided in writing to the individual by the Associate Vice President of Technical Solutions. Unacceptable use includes, but is not limited to, the following:
• unauthorized use or disclosure of any personal, private, restricted, sensitive, and/or confidential information;
• storing personal, private, restricted, sensitive, and/or confidential information that belongs to the College on an unauthorized service, application, or device;
• storing personal, private, restricted, sensitive, and/or confidential information that is not affiliated with the College or not relevant to the user's job duties on a College-owned service, application, or device;
• unauthorized use or disclosure of business information and/or resources;
• distributing, transmitting, posting, or storing any electronic communications, material or correspondence that is threatening, obscene, harassing, pornographic, offensive, defamatory, discriminatory, inflammatory, illegal, or intentionally false or inaccurate;
• attempting to represent the organization in matters unrelated to official authorized job duties or responsibilities;
• connecting unapproved devices to the Keuka College network or any IT resource;
• connecting organizational technology resources to unauthorized networks;
• installing, downloading, or running software that has not been approved following appropriate security, legal, and/or IT review in accordance with organizational policies;
• connecting to commercial email systems (e.g., Gmail or other email providers for personal use) without prior management approval (Keuka College recognizes the inherent risk in using commercial email services as email is often used to distribute malware);
• using a Keuka College technology resource to circulate unauthorized solicitations or advertisements for non-organizational purposes including religious, political, or not-for-profit entities;
• disclosing your account password and/or providing unauthorized third parties, including family and friends, access to your account or the the organization’s IT information, resources, or facilities;
• using College IT information or resources for commercial or personal purposes, in support of "for-profit" activities or in support of other outside employment or business activity (e.g., consulting for pay, business transactions);
• propagating chain letters, fraudulent mass mailings, spam, or other types of undesirable and unwanted email content using organizational technology resources; and
• modifying, tampering, disengaging, or otherwise circumventing organizational or third-party IT security controls, network, and systems.
Occasional and Incidental Personal Use
Keuka College allows users the occasional, incidental, and necessary personal use of technology resources, provided such use is:
• consistent with the spirit of this policy;
• does not conflict with any other security policy or protocol;
• is limited in amount and duration;
• does not impede the ability of the individual or other users to fulfill the organization’s responsibilities and duties, including but not limited to, extensive bandwidth, resource, or storage utilization.
Exercising good judgment regarding occasional and incidental personal use is important. Keuka College may revoke or limit this privilege at any time.
Individual Accountability
Individual accountability is required when accessing all technology resources and organization information. Everyone is responsible for protecting against unauthorized activities performed under their account. This includes locking your computer screen when you walk away from your system and protecting your credentials (e.g., passwords, OTP hardware, or similar technology) from unauthorized disclosure. Credentials must be treated as confidential information and must not be disclosed or shared with anyone.
Restrictions on Off-Site Transmission and Storage of Information
Users should not transmit personal, confidential, sensitive, or restricted information over email if it can be avoided. Users must not transmit non-public, personal, confidential, sensitive, or restricted information to or from personal email accounts (e.g., Gmail, Hotmail, Yahoo) or use or use a non-Keuka College email account to conduct Keuka College business unless explicitly authorized. Users must not store sensitive information, restricted organizational, non-public, personal, confidential, sensitive, or restricted information on a non-organizational issued device, or with a third-party file storage service that has not been approved for such storage by the College.
While off-site, devices that contain sensitive information must be attended at all times or physically secured and must not be checked in transportation carrier luggage systems. Any device containing sensitive information, that leaves the Keuka College campus requires additional safeguards. Users should practice good judgement when travelling with IT equipment. If the user is not expected to work or be on call while they are travelling, they should not travel with it. Users who are travelling internationally with College-issued devices must contact the IT Department at least a week in advance to be informed proper security protocols.
User Responsibility for IT Equipment
Users are routinely assigned or given access to IT equipment in connection with their official duties. Equipment is selected by the IT Department to ensure compatibility with the current technical infrastructure of the College. This equipment belongs to Keuka College and must be immediately returned upon request or at the time an employee is separated from the College. Users are financially responsible for the value of equipment assigned to their care if it is damaged, lost, or not returned to the College. Should IT equipment be lost or stolen, users must notify IT immediately. Should IT equipment be lost, stolen or destroyed, users are required to provide a written report of the circumstances surrounding the incident. Users who are found responsible for violating this policy or mishandling equipment may be subject to disciplinary action which may include repayment of the replacement value of the equipment. The College has the discretion to not issue or re-issue IT devices and equipment to users who repeatedly lose or damage IT equipment.
Use of Social Media
All users are prohibited from publicly posting any personal, confidential, sensitive, or restricted information, unauthorized pictures or information regarding Keuka College or Keuka College employees/students. Even accidental posting of personal, confidential, sensitive, or restricted information may result in criminal penalties.
Unless specifically authorized, employees are prohibited from using organizational email addresses on public social media sites. In instances where users access social media sites on their own time utilizing personal resources, they must remain sensitive to expectations that they will conduct themselves in a responsible, professional, and secure manner with regard to references to the organization and staff. These expectations are outlined below:
a. Use of Social Media within the Scope of Official Duties
Keuka College's designated Public Information Officer (PIO) is the Associate Vice President of Marketing and Communications. The PIO, or designee, must review and approve the content of any posting of public information, such as blog comments, tweets, video files, or streams, to social media sites on behalf of Keuka College. However, PIO approval is not required for postings to public forums for technical support, if participation in such forums is within the scope of the user’s official duties, has been previously approved by his or her supervisor, and does not include the posting of any sensitive information, including specifics of the IT infrastructure. In addition, PIO approval is not required for postings to private, organization approved social media collaboration sites. Blanket approvals may be granted, as appropriate.
Accounts used to manage Keuka College’s social media presence are privileged accounts and must be treated as such. These accounts are for official use only and must not be used for personal use. Passwords of privileged accounts must follow information security standards, be unique on each site, and must not be the same as passwords used to access other technology resources.
b. Guidelines for Personal Use of Social Media
Employees must be sensitive to the fact that information posted on social media sites clearly reflects on the individual and may also reflect on the individual’s professional life. Consequently, employees must use discretion when posting information on these sites and be conscious of the potential perceptions of and responses to the information.
Users must respect the privacy of Keuka College' constituents by not posting any identifying information of any employees or students without permission (including, but not limited to, names, addresses, photos, videos, email addresses, and phone numbers). Users will be held accountable for comments posted on social media sites.
If a personal email, posting, or other electronic message could be construed to be an official communication, a disclaimer is strongly recommended. A disclaimer might be: “The views and opinions expressed are those of the author and do not necessarily reflect those of the organization.”
Users must not use their personal social media accounts for official business unless specifically authorized by the organization. Users must not use the same passwords in their personal use of social media sites as those used on organizational devices and technology resources, to prevent unauthorized access to resources if the password is compromised.
Use of AI
Users are encouraged to use the approved AI tools and functions that have been provided to them by the College. This section outlines acceptable practices for utilizing generative AI tools while safeguarding institutional, personal, and proprietary information. In all cases, use should be consistent with the Acceptable Use Policy.
a. Authorized AI Use
All users are provided with access to Copilot through Keuka College's Microsoft 365 tenant which is authorized for public and private data injection and AI use. Copilot is configured with security controls to ensure data remains isolated and is not used to train models. Still, users should continue to exercise caution when injecting private or protected information into approved AI tools, even if it is allowed. Non-managed, open AI tools, are only appropriate to use when the data that is being injected is considered to be publicly available.
b. Unauthorized AI Use
AI tools that lack the appropriate data-sharing controls are not approved for use with private, non-public, confidential, or otherwise protected information. This includes free or non-managed versions of AI tools like ChatGPT, Claude, and any other AI tools outside of what has been provided to users explicitly through licensing. Examples of data that should not be injected into non-authorized AI tools include: Student records subject to FERPA, health information, proprietary information, and any other data classified as non-public or confidential.
Additionally, AI tools should not be used to generate non-public outputs, such as proprietary or unpublished research, legal analysis or advice, recruitment or personnel decisions, academic work not permitted by instructors, or any other work that cannot be considered original. AI tools must not be used for activities that are illegal, fraudulent, or violate any state, federal, international laws, or Keuka College policies.
Compliance
Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time. If compliance with this standard is not feasible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the IT department's exception process.
Exceptions
Exceptions to the policy may be granted by the Vice President overseeing the IT Department.