Acceptable Use Policy

Purpose

California Institute of the Arts' (Institute) technology infrastructure exists to support the Institute and administrative activities needed to fulfill the Institute's mission. Access to these resources is a privilege that should be exercised responsibly, ethically and lawfully. The purpose of this Acceptable Use Policy is to clearly establish each member of the Institute's role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable California Institute of the Arts to implement a comprehensive system-wide Information Security Program.

Scope

This policy applies to all users of computing resources owned, managed, or otherwise provided by the Institute. Individuals covered by this policy include but are not limited to all workforce members and service providers with access to the Institute's computing resources and/or facilities. Computing resources include all California Institute of the Arts owned, licensed or managed hardware and software, email domains and related services and any use of the Institute's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

Privacy

Employees do not acquire a right of privacy for communications transmitted or stored on the Institute's resources. In response to a judicial order or any other action required by law or permitted by official California Institute of the Arts policy or as otherwise considered reasonablynecessary to protect or promote the legitimate interests of the Institute, the Chief Risk Officer or the General Counsel may authorize a California Institute of the Arts official or an authorized agent, to access, review, monitor and/or disclose computer files associated with an individual's account. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the Institute's rules, regulations or policy, or when access is considered necessary to conduct California Institute of the Arts business due to the unexpected absence of an employee or to respond to health or safety emergencies.

Policy

Activities related to California Institute of the Arts' mission take precedence over computing pursuits of a more personal or recreational nature. Any use that disrupts the Institute's mission is prohibited.

Following the same standards of common sense, courtesy and civility that govern the use of other shared facilities, acceptable use of information technology is subject to the right of individuals to be free from intimidation, harassment, and unwarranted annoyance. All users of California Institute of the Arts' computing resources must adhere to the requirements enumerated below.

Fraudulent and Illegal Use

California Institute of the Arts explicitly prohibits the use of any information system for fraudulent and/or illegal purposes. While using any of the Institute's information systems, a user must not engage in any activity that is illegal under local, state, federal, and/or international law.

As a part of this policy, users must not:

  • Violate the rights of any individual or company involving information protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by California Institute of the Arts.
  • Use in any way copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the Institute does not have a legal license.
  • Export software, technical information, encryption software, or technology in violation of international or regional export control laws.
  • Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services. Any user that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify his/her manager immediately.

If any user creates any liability on behalf of California Institute of the Arts due to inappropriate use of the Institute's resources, the user agrees to indemnify and hold the Institute harmless, should it be necessary for California Institute of the Arts to defend itself against the activities or actions of the use

Confidential Information

California Institute of the Arts has both an ethical and legal responsibility for protecting confidential information in accordance with its Data Classification Policy.  To that end, there are some general positions that the Institute has taken:

  • The writing or storage of restricted information on mobile devices (phones, tablets, USB drives) and removable media is discouraged. Mobile devices that access confidential information will be physically secured when not in use and located to minimize the risk of unauthorized access.
  • All workforce members and service providers will use approved workstations or devices to accessInstitute's data, systems, or networks.  Non-Institute owned workstations that store, process, transmit, or access confidential information are prohibited without appropriate access and other safeguards approved by IT. Accessing, storage, or processing confidential information on home computers is prohibited without appropriate access and other safeguards approved by IT.
  • All company portable workstations will be securely maintained when in the possession of workforce members. Such workstations will be handled as carry-on (hand) baggage on public transport.  They will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.
  • Photographic, video, audio, or other recording equipment will not be utilized in secure areas.
  • All confidential information stored on workstations and mobile devices must be encrypted.
  • All workforce members who use Institute-owned workstations will take all reasonable precautions to protect the confidentiality, integrity and availability of information contained on the workstation.
  • Organization employees and affiliates who transport electronic media or information systems containing restricted information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft and unauthorized use.
  • Organization workforce members will lock their screen whenever they leave their workstation unattended and will log off from or lock their workstation when their shift is complete.

Harassment

California Institute of the Arts is committed to providing a safe and productive environment, free from harassment, for all employees. For this reason, users must adhere to Institute-established codes of conduct and/or policies. If a user feels he/she is being harassed through the use of the Institute's information systems, the user must report it in accordance with established reporting protocols.

Incident Reporting

California Institute of the Arts is committed to responding to security incidents involving personnel, Institute-owned information or Institute-owned information assets. As part of this policy:

  • The loss, theft or inappropriate use of Institute access credentials (e.g. passwords, key cards or security tokens), assets (e.g. laptop, cell phones, desktop PC and/or peripheral equipment), or data will be reported to the Chief Information Officer.
  • If an Institute workforce member suspects that something may be an incident, it should be reported to the Chief Information Officer.
  • An Institute workforce member will not prevent another member from reporting a security incident.

Malicious Activity

California Institute of the Arts strictly prohibits the use of information systems for malicious activity against other users, the Institute's information systems themselves, or the information assets of other parties.

Denial of Service

Users must not:

  • Perpetrate, cause, or in any way enable disruption of California Institute of the Arts' information systems or network communications by denial-of-service methods;
  • Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system; or
  • Intentionally develop or use programs to infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system or network.

Confidentiality  

Users must not:

  • Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the useris not expressly authorized to access;
  • Facilitate use or access by non-authorized users, including sharing their password or other login credentials with anyone, including other users, family members, or friends;
  • Use the same password for California Institute of the Arts accounts as for other non-California Institute of the Arts access (for example, personal ISP account, social media, benefits, personal email, etc.);
  • Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another user's password;
  • Make copies of another user's files without that user's knowledge and consent;
  • Use non-Institute encryption keys on Institute equipment.  For enforcement of functions required by this policy, any such encryption keys employed by users must be provided to Information Technology if requested; or,
  • Base passwords on something that can be easily guessed or obtained using personal information (e.g. names, favorite sports teams, etc.).

Impersonation  

Users must not:

  • Circumvent the user authentication or security of any information system;
  • Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
  • Create and/or use a proxy server of any kind, other than those provided by California Institute of the Arts, or otherwise redirect network traffic outside of normal routing with authorization; or
  • Use any type of technology designed to mask, hide, or modify their identity or activities electronically

Network Discovery  

Users must not:

  • Use a port scanning tool targeting either California Institute of the Arts' network or any other external network, unless this activity is a part of the user's normal job functions, such as a member of the Information Technology, conducting a vulnerability scan, and faculty utilizing tools in a controlled environment.
  • Use a network monitoring tool or perform any kind of network monitoring that will intercept datanot intended for the user unless this activity is a part of the user's normal job functions

Hardware and Software

California Institute of the Arts strictly prohibits the use of any software that is not purchased, installed, configured, tracked, managed, or approved by Informational Technology. Users must not:

  • Install, attach, connect or remove or disconnect, hardware of any kind, including wireless access points, storage devices, and peripherals, to any Institute information system without the knowledge and permission of Information Technology;
  • Download, install, disable, remove or uninstall software of any kind, including patches of existing software, to any organizational information system without the knowledge and permission of Information Technology;
  • Take California Institute of the Arts equipment off-site without prior authorization from Information Technology.
  • Take a device owned by CalArts-owned to countries on a restricted list, as defined by CAIT or the General Counsel

Messaging

The Institute provides a robust communication/email platform for users to fulfill its mission.

Users must not:

  • Automatically forward electronic messages of any kind, by using client message handling rules or any other mechanism outside of their CalArts’ account. Examples include auto-forwarding email to a personal account rather than using the official CalArts one.
  • Send unsolicited electronic messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);
  • Use any email or identity (e.g. e-mail address, social handle, etc.), other than the employee's Institute email account for any Institute business; or
  • Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.

Remote Working

When working remote, user must:

  • Abide by the Institute's telecommuting protocol.
  • Safeguard and protect any Institute-owned or managed computing asset (e.g. laptops and cell phones) to prevent loss or theft.
  • Not utilize personally-owned computing devices for California Institute of the Arts work, including transferring California Institute of the Arts information to personally-owned devices, unless approved by Information Technology.
  • Take reasonable precautions to prevent unauthorized parties from utilizing computing assets or viewing California Institute of the Arts information processed, stored or transmitted on Institute-owned assets.
  • Not create or store restricted or private information on local machines unless a current backup copy is available elsewhere.
  • Not access or process restricted information over public, insecure networks. Networks should ideally be over individual “hotspot” cellular WiFi devices, encrypted networks secured with passwords, or with VPN encryption.
  • Only and always use approved methods for connecting to the Institute (e.g. VPN).

Other

In addition to the other parts of this policy, users must not:

  • Use the Institute's information systems for non-Institute related commercial use or personal gain; or
  • Use the Institute's information systems to play games or provide similar entertainment unless this content is required for the user to perform normal business functionality
Roles and responsibilities

California Institute of the Arts reserves the right to protect, repair, and maintain the Institute's computing equipment and network integrity. In accomplishing this goal, California Institute of the Arts IT personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and Internet activities. Any information obtained by IT personnel about a user through routine maintenance of the Institute's computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of California Institute of the Arts' computing resources.

Enforcement

California Institute of the Arts may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of Institute and computer resources. Individuals who violate any part of this policy will be subject to Institute disciplinary action.

Exceptions

Exceptions to the policy may be granted by the Chief Information Officer or the General Counsel, or by their designee.  All exceptions must be reviewed annually.

Have more questions? Submit a request

Comments

Article is closed for comments.