Applies to: Faculty, Staff, Students
Policy Holder: Administrative Information Technology
Responsible Office: Administrative Information Technology
Contact Information: Chief Information Officer
Effective Date: March 1, 2023
Last Review Date: March 1, 2023
Approved by: Vice President of Finance and Administration
1.0 Background and Purpose
The purpose of the Mitchell Hamline School of Law (MHSL) Acceptable Use Policy is to establish acceptable practices regarding the use of MHSL Information Resources in order to protect the confidentiality, integrity, and availability of information created, collected, and maintained.
1.1 Who Needs to Know?
The MHSL Acceptable Use Policy applies to any individual, entity, or process that interacts with any MHSL Information Resources.
2.0 Policy
Acceptable Use
- All students and employees are responsible for complying with MHSL policies when using MHSL information resources and/or on MHSL time.
- Students and/or employees must promptly report harmful events or policy violations involving MHSL assets or information to the Chief Information Officer or an IT staff member. Events include, but are not limited to, the following:
  - Technology incident: any potentially harmful event that may cause a failure, interruption, or loss in availability to MHSL Information Resources.
  - Data incident: any potential loss, theft, or compromise of MHSL information.
  - Unauthorized access incident: any potential unauthorized access to an MHSL Information Resource.
  - Facility security incident: any damage or potentially unauthorized access to an MHSL owned, leased, or managed facility.
  - Policy violation: any potential violation of this or other MHSL policies, standards, or procedures.
- Students and employees should not purposely engage in activities that may:
  - harass, threaten, impersonate, or abuse others;
  - degrade the performance of MHSL Information Resources;
  - deprive authorized MHSL personnel access to an MHSL Information Resource;
  - obtain additional resources beyond those allocated;
  - or circumvent MHSL technology security measures.
- Students and employees should not download, install, or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, students and employees should not run password cracking programs, packet sniffers, port scanners, or any other non-approved programs on any MHSL Information Resource.
- All intellectual property and proprietary information, including reports, blueprints, software codes, computer programs, data, writings, and technical information, developed on MHSL time and/or using MHSL Information Resources are the property of MHSL.
- Use of encryption should be managed in a manner that allows designated MHSL personnel to promptly access all data.
- MHSL Information Resources are provided to facilitate company business and should not be used for personal financial gain.
- Students and employees are expected to cooperate with incident investigations, including any federal or state investigations.
- Students and employees are expected to respect and comply with all legal protections provided by patents, copyrights, trademarks, and intellectual property rights for any software and/or materials viewed, used, or obtained using MHSL Information Resources.
- Students and employees should not intentionally access, create, store, or transmit material which MHSL may deem to be offensive, indecent, or obscene.
Access Management
- Access to information is based on a “need to know”.
- Students and employees are permitted to use only those network and host addresses issued to them by MHSL IT Services and should not attempt to access any data or programs contained on MHSL systems for which they do not have authorization or explicit consent.
- All remote access connections made to internal MHSL networks and/or environments must be made through approved, and MHSL-provided, virtual private networks (VPNs).
- Students and employees should not divulge any access information to anyone not specifically authorized to receive such information, including IT support personnel.
- Students and employees must not share their personal authentication information, including:
  - Account passwords,
  - Personal Identification Numbers (PINs),
  - Security Tokens (i.e. Smartcard),
  - Multi-factor authentication information,
  - Access cards and/or keys,
  - Digital certificates,
  - Similar information or devices used for identification and authentication purposes.
- Access cards and/or keys that are no longer required must be returned to MHSL security personnel.
- Lost or stolen access cards, security tokens, and/or keys must be reported to MHSL security personnel as soon as possible.
Authentication/Passwords
- All Students and employees are required to maintain the confidentiality of personal authentication information.
- All passwords, including initial and/or temporary passwords, must be constructed and implemented according to the following MHSL rules:
  - Must meet all requirements including minimum length, complexity, and reuse history.
  - Must not be easily tied back to the account owner by using things like username, social security number, nickname, relatives’ names, birth date, etc.
  - Must not be the same passwords used for non-business purposes.
- Unique passwords should be used for each system, whenever possible.
- User account passwords must not be divulged to anyone. MHSL support personnel and/or contractors should never ask for user account passwords.
- If the security of a password is in doubt, the password should be changed immediately.
- Students and employees should not circumvent password entry with application remembering, embedded scripts, or hard coded passwords in client software.
- Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with MHSL, if issued.
Clear Desk/Clear Screen
- Students and employees should log off from applications or network services when they are no longer needed.
- Students and employees should log off or lock their workstations and laptops when their workspace is unattended.
- Physical and/or electronic keys used to access confidential information should not be left on an unattended desk or in an unattended workspace if the workspace itself is not physically secured.
- Laptops should be either locked with a locking cable or locked away in a drawer or cabinet when the work area is unattended or at the end of the workday if the laptop is not encrypted.
- Passwords must not be posted on or under a computer or in any other physically accessible location.
- Copies of documents containing confidential information should be immediately removed from printers and fax machines.
Data Security
- Students and employees should use approved encrypted communication methods whenever sending confidential information over public computer networks (Internet).
- Only authorized cloud computing applications may be used for sharing, storing, and transferring confidential or internal information.
- Information must be appropriately shared, handled, transferred, saved, and destroyed, based on the information sensitivity.
- Confidential information must be transported either by an MHSL employee or a courier approved by IT Management.
- All electronic media containing confidential information must be securely disposed of. Please contact IT for guidance or assistance.
Email and Electronic Communication
- Auto-forwarding electronic messages outside MHSL internal systems is allowed only on an “as needed” basis.
- Electronic communications should not misrepresent the originator or MHSL.
- Students and employees are responsible for the accounts assigned to them and for the actions taken with their accounts.
- Accounts must not be shared without prior authorization from MHSL IT.
- MHSL Employees should not use personal email accounts to send or receive confidential information.
- Any personal use of MHSL provided email should not:
  - Involve solicitation.
  - Be associated with any political entity.
  - Have the potential to harm the reputation of MHSL.
  - Forward chain emails.
  - Contain or promote anti-social or unethical behavior.
  - Violate local, state, federal, or international laws or regulations.
  - Result in unauthorized disclosure of MHSL confidential information.
  - Or otherwise violate any other MHSL policies.
- Employees should only send confidential information using approved secure electronic messaging solutions.
- Students and employees should use caution when responding to, clicking on links within, or opening attachments included in electronic communications.
- Employees should use discretion in disclosing confidential or internal information in Out of Office or other automated responses, such as employment data or other sensitive data.
Hardware and Software
- All hardware must be formally approved by IT Management before being connected to MHSL networks.
- Software installed on MHSL equipment must be approved by IT Management and installed by MHSL IT personnel.
- All MHSL assets taken off-site should be physically secured at all times.
- Employees traveling to a High-Risk location, as defined by the FBI and the Office of Foreign Assets Control, must contact IT for approval to travel with the School’s IT assets.
- Employees should not allow family members or other non-employees to access and use MHSL Information Resources.
Internet
- The Internet must not be used to communicate MHSL confidential or internal information, unless the confidentiality and integrity of the information is ensured and the identity of the recipient(s) is established.
- MHSL networking or computing resources must be used to access the Internet only for business-related activities. Unapproved activities include, but are not limited to:
  - Recreational games,
  - Streaming media,
  - Personal social media,
  - Accessing or distributing pornographic or sexually oriented materials,
  - Attempting or making unauthorized entry to any network or computer accessible from the Internet,
  - Otherwise violating any other MHSL policies.
- Access to the Internet from outside the MHSL network using an MHSL owned device must adhere to all of the same policies that apply to use from within MHSL facilities.
Privacy
- Information created, sent, received, or stored on MHSL Information Resources is not private and may be accessed by MHSL IT employees at any time, under the direction of MHSL executive leadership and/or Human Resources, without knowledge of the user or resource owner.
- MHSL may log, review, and otherwise utilize any information stored on or passing through its Information Resources.
- Systems Administrators, MHSL IT, and other authorized MHSL personnel may have privileges that extend beyond those granted to standard personnel. Personnel with extended privileges should not access files and/or other information unless advised to do so in writing by the executive leadership and/or Human Resources.
Incidental Use
- As a convenience to MHSL employees, incidental use of Information Resources is permitted. The following restrictions apply:
  - Incidental personal use of electronic communications, Internet access, fax machines, printers, copiers, and so on, is restricted to MHSL approved personnel; it does not extend to family members or other acquaintances.
  - Incidental use should not result in direct costs to MHSL.
  - Incidental use should not interfere with the normal performance of an employee’s work duties.
  - No files or documents may be sent or received that may cause legal action against, or embarrassment to, MHSL or its customers.
  - Storage of personal email messages, voice messages, files and documents within MHSL Information Resources must be nominal.
- All information located on MHSL Information Resources is owned by MHSL, may be subject to open records requests, and may be accessed in accordance with this policy.