This policy covers the appropriate use of all information resources including computers, networks, and the information contained therein.

Authority:

Approved by the Director of the Department of Global Ecology, the Director of the Department of Plant Biology, and the Information Systems Manager at the departments of Plant Biology and Global Ecology

Applicability:

Applies to all Carnegie employees, fellows, affiliates, guests, and all others using computer and communication technologies, including Carnegie's network, whether personally or Carnegie owned, which access or utilize Carnegie network and computing resources located at and managed by Carnegie’s departments of Plant Biology and Global Ecology.

Policy Statement:

Use of Carnegie's network and computer resources should support the basic missions of Carnegie research and education. Users of Carnegie's network and computer resources ("users") are responsible to properly use and protect information resources and to respect the rights of others. This policy provides guidelines for the appropriate use of information resources.

  1. Definitions
    As used in this policy:
    1. "Information resources" are all computer and communication devices and other technologies which access, store or transmit Carnegie information.
    2. "Information" includes both Carnegie and personal information.
    3. "Personally owned resources" are information resources that are under the control of Carnegie employees or agents and are not wholly owned by Carnegie.
       
  2. Policies
    1. General Policy
      Users of information resources must protect their online identity from use by another individual, the integrity of information resources, and the privacy of electronic information. In addition, users must refrain from seeking to gain unauthorized access, honor all copyrights and licenses and respect the rights of other users of information resources.
       
    2. Access
      Users must refrain from seeking to gain unauthorized access to information resources or enabling unauthorized access. Attempts to gain unauthorized access to a system or to another person's information are a violation of Carnegie policy and may also violate applicable law, potentially subjecting the user to both civil and criminal liability. However, authorized system administrators may access information resources, but only for a legitimate operational purpose and only the minimum access required to accomplish this legitimate operational purpose.
       
      1. Prohibition against Sharing Identities
        Sharing an online identity (user ID and password or other authenticator such as a token or certificate) violates Carnegie policy.
      2. Information Belonging to Others
        Users must not intentionally seek or provide information on, obtain copies of, or modify data files, programs, passwords or other digital materials belonging to other users, without the specific permission of those other users.
      3. Abuse of Computing Privileges
        Users of information resources must not access computers, computer software, computer data or information, or networks without proper authorization, or intentionally enable others to do so, regardless of whether the computer, software, data, information, or network in question is owned by Carnegie. For example, abuse of the networks to which Carnegie belongs or the computers at other sites connected to those networks will be treated as an abuse of Carnegie computing privileges.
         
    3. Usage
      Carnegie is a non-profit organization and, as such, is subject to specific federal, state and local laws regarding sources of income, political activities, use of property and similar matters. It also is a contractor with other entities and thus must assure proper use of property under its control and allocation of overhead and similar costs. Use of Carnegie's information resources must comply with Carnegie policies and legal obligations (including licenses and contracts), and all federal and state laws.
       
      1. Prohibited Use
        Users must not send, view or download fraudulent, harassing, obscene (i.e., pornographic), threatening, or other messages or material that are a violation of applicable law or Carnegie policy. In particular, contributing to the creation of a hostile academic or work environment is prohibited.
      2. Copyrights and Licenses
        Users must not violate copyright law and must respect licenses to copyrighted materials. For the avoidance of doubt, unlawful file-sharing using Carnegie's information resources is a violation of this policy.
      3. Social Media
        Users must respect the purpose of and abide by the terms of use of online media forums, including social networking websites, mailing lists, chat rooms and blogs.
      4. Political Use
        Carnegie information resources must not be used for partisan political activities where prohibited by federal, state or other applicable laws, and may be used for other political activities only when in compliance with federal, state and other laws and in compliance with applicable Carnegie policies.
      5. Personal Use
        Carnegie information resources should not be used for activities unrelated to appropriate Carnegie functions, except in a purely incidental manner.
      6. Commercial Use
        Carnegie information resources should not be used for commercial purposes, including advertisements, solicitations, promotions or other commercial messages, except as permitted under Carnegie policy.  Any such permitted commercial use should be properly related to Carnegie activities, take into account proper cost allocations, and provide for appropriate reimbursement to Carnegie for costs Carnegie may incur by reason of the commercial use.  Carnegie's Chief Operations Officer will determine permitted commercial uses.
         
    4. Personally Owned Resources
      Carnegie does not require personnel to use their personally owned resources to conduct Carnegie business. Individuals within Carnegie may choose to use their own resources accordingly. Any personally owned resources used for Carnegie business are subject to this policy and must comply with all Carnegie requirements pertaining to that type of resource and to the type of data involved. The resources must also comply with any additional requirements (including security controls for encryption, patching and backup) specific to the particular Carnegie functions for which they are used.
       
    5. Integrity of Information Resources
      Users must respect the integrity of information and information resources.
       
      1. Modification or Removal of Information or Information Resources
        Unless they have proper authorization, users must not attempt to modify or remove information or information resources that are owned or used by others.
      2. Other Prohibited Activities
        Users must not encroach, disrupt or otherwise interfere with access or use of Carnegie's information or information resources. For the avoidance of doubt, without express permission, users must not give away Carnegie information or send bulk unsolicited email. In addition, users must not engage in other activities that damage, vandalize or otherwise compromise the integrity of Carnegie information or information resources.
      3. Academic Pursuits
        Carnegie recognizes the value of legitimate research projects undertaken by faculty and staff.  Carnegie may restrict such activities in order to protect Carnegie and individual information and information resources, but in doing so will take into account legitimate academic pursuits.
         
    6. Locally Defined and External Conditions of Use
      Individual units within Carnegie may define "conditions of use" for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines restrictions, and/or enforcement mechanisms. Where such conditions of use exist, the individual units are responsible for publicizing and enforcing both the conditions of use and this policy. Where use of external networks is involved, policies governing such use also are applicable and must be followed.
       
    7. Access for Legal and Carnegie Processes
      Under some circumstances, as a result of investigations, subpoenas or lawsuits, Carnegie may be required by law to provide electronic or other records, or information related to those records or relating to use of information resources, ("information records") to third parties. Additionally, Carnegie may in its reasonable discretion review information records, e.g., for the proper functioning of Carnegie, in connection with investigations or audits, or to protect the safety of individuals or Carnegie community. Carnegie may also permit reasonable access to data to third-party service providers in order to provide, maintain or improve services to Carnegie. Accordingly, users of Carnegie information resources do not have a reasonable expectation of privacy when using Carnegie's information resources.
       
  3. Oversight of Information Resources
    Responsibility for, and management and operation of, information resources for a Carnegie department is delegated to the department’s Information Systems Manager. The Information Systems Manager will be responsible for compliance with all Carnegie policies relating to the use of information resources owned, used or otherwise residing in their department.  The Information Systems Manager may designate another person to manage and operate the system, but responsibility for information resources remains with the Information Systems Manager. This designate is the "system administrator.”  The system administrator is responsible for managing and operating information resources under their oversight in compliance with Carnegie and department policies, including accessing information resources necessary to maintain operation of the systems under the care of the system administrator.
     
    1. Responsibilities
      The system administrator should:
      1. Take all appropriate actions to protect the security of information and information resources.
      2. Take precautions against theft of or damage to information resources.
      3. Faithfully execute all licensing agreements applicable to information resources.
      4. Communicate this policy, and other applicable information use, security and privacy policies and procedures to their information resource users.
      5. Cooperate with the Information Systems Manager, Directors, and Associate Director of IT to find and correct problems caused by the use of the system under their control.
         
    2. Suspension of Privileges
      System administrators may temporarily suspend access to information resources if they believe it is necessary or appropriate to maintain the integrity of the information resources under their oversight.
       
  4. Reporting or Investigating Violations or Carnegie Concerns
     
    1. Reporting Violations
      System users will report violations of this policy to the Information Systems Manager, and will immediately report defects in system accounting, concerns with system security, or suspected unlawful or improper system activities to the Information Systems Manager.
       
    2. Incident Response
      Response to incidents will be managed by the Information Systems Manager.  The nature of the response will be based the impact or threat to the operation and/or integrity of Carnegie and its information resources.  All security related incidents will be also reported to Carnegie’s Associate Director of IT.
       
    3. Accessing Information & Systems
      Inspecting and monitoring information and information resources may be required for the purposes of enforcing this policy, conducting Carnegie investigations or audits, ensuring the safety of an individual or the Carnegie community, complying with law or ensuring proper operation of information resources.
       
    4. Cooperation Expected
      Information resource users are expected to cooperate with any investigation of policy abuse. Failure to cooperate may be grounds for cancellation of access privileges, or other disciplinary actions.
       
  5. Consequences of Misuse of Information Resources
    A user found to have violated this policy will be subject to appropriate disciplinary action up to and including dismissal and/or legal action.
     
  6. Cognizant Office
    The Information Systems Manager, or other person designated by the Directors, shall be the primary contact for the interpretation, monitoring and enforcement of this policy.