HOP 4.1.1 Information Resources Acceptable Use and Security Policy

Sec. 1 Purpose 

The subsections of this document comprise The University of Texas System Administration Information Resources Acceptable Use, Security, and Privacy Policy. This policy is established to achieve the following:

a) to establish prudent and acceptable practices regarding the use and safeguarding of Information Resources;

b) to establish an understanding of the confidential nature of certain records created, stored, and maintained by U.T. System Administration;

c) to ensure compliance with applicable statutes, regulations, and mandates regarding the management of Information Resources and Privacy requirements; and

d) to gain a signed annual acknowledgement of this policy from every individual granted access to U. T. System Administration Information Resources.

Note: Two companion documents to this policy, the U. T. System Administration Information Resources Standards of Operation Manual, details security practices and requirements relating to each policy topic and, UTS 165, Information Resources and Use Policy, details the standards regarding the use and safeguarding of U. T. System Information Resources is incorporated by reference into this policy. These two documents, including this policy comprise the policy and procedures foundation for the U. T. System Administration computer security and privacy program.

Principles

The University of Texas System Administration is committed to protecting the privacy of individuals for whom personally identifiable information is held including protected health information and education records.  This Policy is aimed at educating users of Information Resources about the importance of proper use and responsibilities associated with such use, including the safeguarding of physical records containing personally identifiable information.  

Sec. 2 Protection of Assets 

The assets of the U. T. System Administration must be available and protected commensurate with their value and must be administered in conformance with federal and State law and the Board of Regents’ Rules and Regulations. Measures shall be taken to protect these assets against accidental or unauthorized access, disclosure, modification, or destruction, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information. As stated in Title 1 Texas Administrative Code 202.20 (1), it is the policy of the State of Texas that Information Resources residing in the various agencies of State government are strategic and vital assets belonging to the people of Texas. The formal acknowledgment of the Acceptable Use and Security Policy serves as a compliance and enforcement tool.

Sec. 3 Information Resources Acceptable and Secure Use

3.1 Individual Responsibility. All individuals granted access to technology resources of U. T. System Administration must acknowledge the rules of use of these resources annually. Each individual is responsible for exercising good judgment regarding the reasonableness and security of his/her behavior and use of Information Resources.

3.2 Incidental Personal Use. As a convenience to individuals, limited incidental personal use of Information Resources is permitted. Incidental use of Information Resources must not result in direct cost to the U. T. System Administration or expose U. T. System Administration to unnecessary risks.

Sec. 4 Disciplinary Actions

4.1 Monitoring Authority. Pursuant to Title 1 Texas Administrative Code Section 202 and to ensure compliance with this policy and State laws and regulations related to the use and security of Information Resources, U. T. System Administration has the authority and responsibility to monitor Information Resources. If there is a reasonable basis to believe that this policy or State laws or regulations regarding the use and security of Information Resources have been violated, the contents of user files may be accessed for purposes of investigation with the written approval of a U. T. System Administration executive officer.

4.2 Types of Disciplinary Action. Violation of this policy may result in disciplinary action for employees, including but not limited to, termination, in accordance with HOP 3.7.3 Discipline/Dismissal of Employees and other related policies or regent rules. For contractors and consultants this may include a termination of the work engagement. For interns and volunteers, this may include immediate dismissal. Any student who violates this policy will be referred to student judicial services at the student’s home campus. Additionally, individuals are subject to possible civil and criminal prosecution.

Sec. 5 Training and Other Procedures 

5.1 Training of Users.  Recurring training for employees and users with access to Information Resources shall take place every year.  The training must be aimed at informing users of the various information resources available at U.T. System Administration, including classification of system information based on confidential, controlled, or published status and appropriate methods of reporting violations of policy or misuse of information resources or data. Each new, temporary, contract, assigned, or engaged employee or user must complete initial training within 30 days after the date that such a person is hired by System Administration or otherwise engaged or assigned to perform such work. Separate and targeted training related to role-based responsibilities for departments which use, handle, and have access to confidential and sensitive information will be administered to departments on an annual and biennial basis and ad-hoc, as necessary, in conjunction with the Office of Information Security and the U.T. System Privacy Officer.  

For all other procedures and mechanisms outlined in this policy and UTS165, consult the Information Resources Standards of Operation Manual. Compliance with these procedures will be enforced as outlined in the Disciplinary Actions section of this policy.

 

Policy Details

Responsible Office(s)

Systemwide Compliance
Technology and Information Services

Date Approved

Dates Amended or Reviewed