CODES OF ETHICS
IntroductionIowa State University's Code of Computer Ethics and Acceptable Use policy provides for access to information technology (IT) resources and communications networks within a culture of openness, trust, and integrity. In addition, Iowa State University is committed to protecting itself and its students, faculty, and staff from unethical, illegal, or damaging actions by individuals using these systems.
PurposeThe purpose of this policy is to outline the ethical and acceptable use of information systems at Iowa State University. These rules are in place to protect students, faculty, and staff, i.e., to ensure that members of the Iowa State University community have access to reliable, robust IT resources that are safe from unauthorized or malicious use.
Insecure practices and malicious acts expose Iowa State University and individual students, faculty, and staff to risks including virus attacks, compromise of network systems and services, and loss of data or confidential information. Security breaches could result in legal action for individuals or the university. In addition, security breaches damage the university's reputation and could result in loss of services. Other misuses, such as excessive use by an individual, can substantially diminish resources available for other users.
ScopeThe Code of Computer Ethics and Acceptable Use policy is an integral part of the IT Security policy and applies to faculty, staff, and students as well as any other individuals or entities who use information and information technology at Iowa State University. This policy applies to all equipment owned or leased by Iowa State University and to any privately owned equipment connected to the campus network and includes, but is not limited to, computer equipment, software, operating systems, storage media, the campus network, and the Internet.
Securing and protecting these significant and costly resources from misuse or malicious activity is the responsibility of those who manage systems as well as those who use them. Effective security is a team effort involving the participation and support of every member of the Iowa State University community who accesses and uses information technology.
Therefore, every user of university IT resources is required to know the policies and to conduct their activities within the scope of the ISU Code of Computer Ethics and Acceptable Use policy, the ISU Information Technology Security Policy, and the Policies, Standards, and Guidelines for Best Practices for IT security. Failure to comply with this policy may result in loss of computing privileges and/or disciplinary action.
Iowa State University desires to provide the highest level of privacy possible for users of its information technology systems and to assure their rights of free speech and intellectual freedom are protected and uninhibited. At the same time Iowa State University is required by federal and state laws to keep certain information confidential. To the extent permitted by law and university policy, Iowa State University maintains and protects both the privacy of individuals and the confidentiality of official information stored on its information technology systems. Privacy and confidentiality must be balanced with the need for the university to manage and maintain networks and systems against improper use and misconduct.
- State and Federal Law
All information including the personal, academic, or research data and files residing on university systems is subject to state and federal laws and regulations requiring its disclosure.
- Access Accounts to Conduct Business or Research
Faculty and staff may need access to accounts of other faculty and staff when that individual is not available but access is needed to conduct university business or further research. Approval to access the account should be given either by prior proxy access by the individual's account or by written recommendation and justification by the individual's department chair or Director and approval by the individual's Dean or Vice President.
Iowa State University may access or monitor accounts and equipment during the course of an investigation of misconduct, violations of law, or violations of university policy by students or employees. Access must be approved in writing by the Vice President for Business and Finance, Vice President for Academic Affairs or other designee acting on the basis of university policy and law. In accessing the account or equipment university officials are expected to avoid accessing information that is personal and irrelevant to the investigation.
- Official University Business
As part of their assigned responsibilities, Iowa State University faculty and staff may have access to confidential information and are restricted to using it only for purposes associated with the requirements of their position.
- Internal Administrative Disclosure
Disclosure or use of any personal or confidential information for extraordinary circumstances must be approved in writing by the Vice President for Business and Finance, Vice President for Academic Affairs or other designee acting on the basis of university policy and law.
- Maintenance of ISU Network and Systems
Iowa State University reserves the right to maintain its information systems; to audit networks and systems on a periodic basis to ensure compliance with security policies; and to locate, and to resolve security breaches or other situations that potentially impact the reliability, robustness, or security of the campus network and systems infrastructure. Individuals performing these functions or others may have access to personal and confidential information and are restricted to using it only for purposes associated with their position.
- Legal Process
Iowa State University may disclose confidential or personal information in response to a lawfully issued subpoena, court order or other compulsory legal process. In order to comply with court rules and compulsory process, attorneys in the Office of University Counsel may require or conduct targeted searches of electronic files to find material relevant to a subpoena or litigation involving the University. In accessing the files attorneys shall work with IT staff to limit access to material that is relevant to the subpoena or litigation.
- Health and Safety Emergency
In the event of a health or safety emergency, Iowa State University may disclose confidential or personal information necessary and relevant to addressing the emergency situation.
Iowa State University may access or disclose confidential or personal information relating to an individual student or employee upon the written authorization of the individual student or employee.
- Confidential information is defined by federal and/or state law and university policy and includes information such as student educational records, personnel information; financial information, and health and insurance records. All faculty, staff, and students are responsible for knowing and complying with university policies that apply to confidential information. See Notification of Rights Under FERPA and policies on Health Information Privacy and Security (HIPAA), Student Records, Employee Records, and Social Security Number Protection.
- Business information includes all other information created and maintained for the purpose of operating the university. All faculty and staff are responsible for knowing and complying with university policies that apply to business information, including the policies on Records Management and Information Disclosures.
- Colleges, departments and units are responsible for securing confidential and business information maintained on the systems under their authority as required by federal and/or state law and university security policy. In addition, they are responsible for developing appropriate security practices for their internal business information.
- Students, faculty and staff are responsible for accessing only that confidential or business information for which they are authorized and using that information only for the purposes for which it is intended. The Office of the Registrar maintains helpful information regarding confidentiality.
- Students, faculty and staff are required to comply with security practices established by the university or their college, department or administrative units to protect confidential or business information.
Individual information should be protected based on the level of risk associated with its loss or misuse. Colleges, departments, central information technology providers and other units may assist individuals by offering services including secure storage of files with systematic copying of data and/or archiving. Nonetheless, individual students, faculty and staff are ultimately responsible for securing their own information and should take action to assure their individual data is protected to the level they deem adequate.
- Engaging in or effecting security breaches or malicious use of network communication including, but not limited to
- obtaining configuration information about a network or system for which the user does not have administrative responsibility.
- engaging in activities intended to hide the user's identity, to purposefully increase network traffic, or other activities that purposefully endanger or create nuisance traffic for the network or systems attached to the network.
- Circumventing user authentication or accessing data, accounts, or systems that the user is not expressly authorized to access.
- Interfering with or denying service to another user on the campus network or using university facilities or networks to interfere with or deny service to persons outside the university.
- Except as provided by fair use principles, engaging in unauthorized copying, distribution, display or publishing of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources; copyrighted music or video; and the installation of any copyrighted software without an appropriate license.
- Using, displaying or publishing licensed trademarks, including Iowa State University's trademarks, without license or authorization or using them in a manner inconsistent with terms of authorization.
- Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws.
- Breaching confidentiality agreements or disclosing trade secrets or pre-publication research.
- Using computing facilities and networks to engage in academic dishonesty prohibited by university policy (such as unauthorized sharing of academic work, plagiarism).
- Setting up file sharing in which protected intellectual property is illegally shared.
- Intentionally introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Inappropriate use or sharing of university-authorized IT privileges or resources.
- Changing another user's password, access, or authorizations.
- Using an Iowa State University computing asset to actively engage in displaying, procuring or transmitting material that is in violation of sexual harassment policy or laws, hostile workplace laws, or other illegal activity.
- Using an Iowa State computing asset for any private purpose or for personal gain. Refer to the policy on Personal Use and Misuse of University Property.
- Sending unsolicited e-mail messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material, except as approved under the policy on Mass E-Mail and Effective Electronic Communication.
- Engaging in harassment via e-mail, telephone, or paging, whether through language, frequency, or size of messages.
- Masquerading as someone else by using their e-mail or internet address or electronic signature.
- Soliciting e-mail from any other e-mail address, other than that of the poster's account, with the intent to harass or to collect replies.
- Creating or forwarding "chain letters" or solicitations for business schemes.
- Using e-mail originating from within Iowa State's networks for commercial purposes or personal gain.
- Sending the same or similar non-business-related messages to large numbers of e-mail recipients or newsgroups.
- is a claim under the Digital Millennium Copyright Act (DMCA);
- is a violation of criminal law;
- has the potential to cause significant damage to or interference with university facilities or services;
- may cause significant damage to another person; or
- may result in liability to the university.
- After hearing the user's explanation of the alleged violation, a central IT provider has made a determination that the user has engaged in a violation of this code or,
- A student or employee disciplinary body has determined that the user has engaged in a violation of the code.