Monitoring and Archiving
Section D of the
Acceptable Use of CU Boulder's IT Resources Policy
states:
"The University may access and disclose employee or student individual content when the University deems
a legitimate and appropriate business need and those instances are documented and approved by the appropriate authorities.
In those instances, if it is necessary to access individual content on IT resources without the consent of an individual
currently affiliated with the University, approval must be obtained from the appropriate authority or his or her designee.
In the case of faculty and staff working in a school or college, this is the Dean; for all other staff, the Divisional
Vice Chancellor; for undergraduate student users, the Dean of Students; and for graduate students, the Dean of the
Graduate School. Individual content may be accessed without the consent of the user to comply with legal requirements
(including, but not limited to, subpoena, court order, e-discovery request, and/or open records request) as determined
by University Counsel. Departmental supervisors may request access to individual content when an employee retires,
is terminated, unexpectedly passes away, or otherwise leaves the employment of the University.
If emergency access to individual content without the consent of the users is required to preserve public health and safety,
or preserve the integrity of IT resources and campus facilities, notice shall be provided to the campus IT security principal,
notifying them of the need to access files. The campus IT security principal can also assist in obtaining files. All instances
of access will be logged by the IT security principal.
Individual content may be accessed through automated information security systems (such as antivirus software,
intrusion detection systems, and/or data loss prevention systems) for the purposes of detecting and responding
to threats to campus information resources. Excluding client antivirus or antimalware software, the campus IT
security principal must authorize all automated information security systems that systematically access individual
content. Automated information security systems will log only individual content needed to respond to and identify incidents.
Other than backups for disaster recovery purposes CU Boulder does not systematically archive contents of email communications.
CU Boulder, at the direction of University Counsel, arranges ongoing archival of email accounts as required to meet legal requirements."
Enforcement
Any person who uses CU Boulder's computing and network resources in violation of Federal, State, or University law or policy is subject to loss of privileges,
disciplinary action, personal liability, and/or criminal prosecution.
The University may block access to or remove a network connection that is endangering computing and/or network resources,
or that is being used for inappropriate or illegal use.
The AVC for IT and Chief Information Officer shall, as determined by the circumstances of a potential policy violation,
work with the appropriate University offices such as University Counsel, the Office of Student Conduct (in cases involving students),
the CU Police Department, deans and directors, and others to enforce this policy.