The purpose of this policy is to clarify the requirements, prohibitions, and procedures applicable to the use of CU Boulder's computing and network resources. CU Boulder's computing and network resources include:

• All computers, computer systems, peripherals, network devices, and networks that are owned by CU Boulder or that are attached to or access CU Boulder's network; and
• All institutional data, user data, programs, system software, and/or configuration files that are contained in, stored on, or are transmitted via CU Boulder's computers, networks, or information systems.

1. Passwords
   The University of Colorado Administrative Policy Statement on "Providing and Using Information Technology" states: "Only university faculty, staff, and students and other persons who have received permission under the appropriate university authority are authorized users of IT resources."

   CU Boulder grants permission to individuals to have access to portions of its computing and network resources by issuing a password. The password is the mechanism by which a system permits a specific, authorized individual to have access to that system and/or data. Each user who obtains a password is required to keep it secure.

2. Group Use of a Single Password
   

   In very limited circumstances, a group of users may need to use a single user account to access resources. Under no circumstances should a password to an account established for the sole use of an individual be given out or shared. The Office of Information Technology mandates additional controls for group accounts. Please refer to CU Boulder's Account Activation, Authentication and Termination Policy for password and group account requirements and procedures.

3. Faculty, Staff, and Student Web Pages
   

   CU Boulder allows students, faculty, and staff to create and maintain personal web pages on CU Boulder's servers. The policy applicable to such personal web pages is set forth in CU Boulder's Web Development Guidelines

1. This policy prohibits a password holder from:
   • Disclosing a password to another person, either intentionally or through carelessness;
   • Taking any action to discover, intercept, or decode others' passwords; and/or
   • Running or otherwise configuring software or hardware to intentionally allow access by unauthorized users.
2. This policy prohibits anyone, whether or not they have been issued a password from:
   • Taking any action to discover, intercept, or decode others' passwords; and/or
   • Running or otherwise configuring software or hardware to obtain unauthorized access to CU Boulder's computing and network resources.
3. Users must not disrupt or damage the academic, research, service, administrative, or related pursuits of another through the use of any CU Boulder computing and network resource.
4. Users must respect the integrity of all CU Boulder computing and network resources. Users are prohibited from using these resources to:
   • Develop or execute programs that could infiltrate any computing and network resource;
   • Tamper with security provisions;
   • Damage or alter any computing and network resource;
   • Gain or seek to gain unauthorized access to any computing and network resource; and/or
   • Engage in any spoofing activity (constructing electronic communication so that its origin cannot be determined, or so it appears to be from someone else).
5. Users are prohibited from unauthorized monitoring or eavesdropping on any CU Boulder computing and network resources.
6. Personal use of CU Boulder's computing and network resources for commercial purposes not directly related to the University's business or for obtaining personal gain, or use that creates a direct cost or constitutes a conflict of interest or conflict of commitment for the University is prohibited.
7. Other use of CU Boulder computing and network resources that violates University, State, or Federal law is prohibited. These prohibitions include but are not limited to:
8. 1. Use to harass, intimidate, or otherwise violate the rights or privileges of another person, organization, or legal entity;
   2. Use to support a political campaign in violation of the Fair Campaign Practices Act (section 1-45-117, Colorado Revised Statutes);
   3. Use to violate Colorado and/or Federal Copyright and Intellectual Property laws;
   4. Use to defame or invade the privacy of another person, organization, or legal entity;
   5. Use to access and/or download obscene material as defined by Colorado and/or Federal laws.

As used in this policy, Confidential Information includes information that is confidential pursuant to Colorado and/or Federal law. Types of Confidential Information include but are not limited to information that is protected from disclosure pursuant to the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Colorado Open Records Act, the attorney-client privilege, etc.

Because information transmitted by using University computing and network resources runs the risk of being unintentionally disclosed to the wrong addressee or to others with access to the resources, the user should consider whether or not using the computing and network resources is prudent. Notwithstanding this risk, staff, faculty, and others who are authorized to use University computing and network resources to transmit information on behalf of the University are permitted to transmit Confidential Information, when such transmission is appropriate. Before transmitting Confidential Information, faculty and staff should consult with their dean, director, or department head. Supervisors who have legal questions about transmitting Confidential Information by using University computing and network resources may consult with the Boulder campus' Office of the University Counsel.

1. Termination of Authorized Use
   

   When an authorized user changes status (e.g., terminates employment, graduates, retires, and/or changes positions or responsibilities within CU Boulder), the unit responsible for supervising that change in status must communicate the change to appropriate administrators and the Office of Information Technology to ensure that access and authorization privileges reflect that status change.

2. Monitoring and Archiving
   

   Section D of the Acceptable Use of CU Boulder's IT Resources Policy states:

   "The University may access and disclose employee or student individual content when the University deems a legitimate and appropriate business need and those instances are documented and approved by the appropriate authorities. In those instances, if it is necessary to access individual content on IT resources without the consent of an individual currently affiliated with the University, approval must be obtained from the appropriate authority or his or her designee. In the case of faculty and staff working in a school or college, this is the Dean; for all other staff, the Divisional Vice Chancellor; for undergraduate student users, the Dean of Students; and for graduate students, the Dean of the Graduate School. Individual content may be accessed without the consent of the user to comply with legal requirements (including, but not limited to, subpoena, court order, e-discovery request, and/or open records request) as determined by University Counsel. Departmental supervisors may request access to individual content when an employee retires, is terminated, unexpectedly passes away, or otherwise leaves the employment of the University.

   If emergency access to individual content without the consent of the users is required to preserve public health and safety, or preserve the integrity of IT resources and campus facilities, notice shall be provided to the campus IT security principal, notifying them of the need to access files. The campus IT security principal can also assist in obtaining files. All instances of access will be logged by the IT security principal.

   Individual content may be accessed through automated information security systems (such as antivirus software, intrusion detection systems, and/or data loss prevention systems) for the purposes of detecting and responding to threats to campus information resources. Excluding client antivirus or antimalware software, the campus IT security principal must authorize all automated information security systems that systematically access individual content. Automated information security systems will log only individual content needed to respond to and identify incidents.

   Other than backups for disaster recovery purposes CU Boulder does not systematically archive contents of email communications. CU Boulder, at the direction of University Counsel, arranges ongoing archival of email accounts as required to meet legal requirements."

3. Enforcement
   

   Any person who uses CU Boulder's computing and network resources in violation of Federal, State, or University law or policy is subject to loss of privileges, disciplinary action, personal liability, and/or criminal prosecution.

   The University may block access to or remove a network connection that is endangering computing and/or network resources, or that is being used for inappropriate or illegal use.

   The AVC for IT and Chief Information Officer shall, as determined by the circumstances of a potential policy violation, work with the appropriate University offices such as University Counsel, the Office of Student Conduct (in cases involving students), the CU Police Department, deans and directors, and others to enforce this policy.

1. The University of Colorado at Boulder.
   1. Account Activation, Authentication and Termination Policy
   2. Acceptable Use of CU Boulder's IT Resources
   3. Web Development Guidelines
   4. Office of the Associate Vice Chancellor for IT and Chief Information Officer Policy Page
2. University of Colorado System, Administrative Policy Statements
   1. Providing and Using Information Technology
   2. Political Participation of University Community
   3. Electronic Communications

1. Guidelines for Computer Users
2. Guidelines for System Administrators