8.2.1.1 Acceptable Use Policy

Policy Statement

It is the policy of OU that all Individual Users are responsible for exercising reasonable judgement regarding appropriate use of OU information and Information Systems in accordance with OU policies and standards and federal and state laws and regulations. Individual Users must understand they have no expectation of privacy in the use of State Information Systems and are limited to the uses as described herein.

Web Address For This Policy

https://universityok.navexone.com/content/dotNet/documents/?docid=50&public=true

Definitions

Information Technology and Security Definitions

General Use and Ownership

  1. The University provides faculty, staff, and students with access to educational Information Systems and platforms (e.g., course management systems, learning management systems, etc.) for academic, educational, and research use. These educational systems and platforms are extensions of the classroom and learning environment. Accordingly, their use is limited to academic, educational, and research purposes. Any other use is specifically prohibited, including, but not limited to, disseminating unsolicited, commercial messages; engaging in disruptive activity or behavior; or engaging in any other conduct or behavior violating a university policy. Student information (i.e., class lists, contact information, or other education records relating to students) contained on an educational Information System or platform may be used solely for participation in the course, lesson, or presentation; dissemination of such student information should adhere to university policy.
  2. Any OU proprietary information that is stored on electronic and computing devices, whether owned or leased by OU, an employee, or a third party, remains the sole property of OU.
  3. You must ensure through legal or technical means that university proprietary information is protected in accordance with this policy.
  4. You are required to promptly report all Information Security Incidents to IT Security by submitting a ‘Report a Security Incident Form’ at https://ou.edu/ouit/cybersecurityincident.
  5. You may access, use, or disclose university information only to the extent it is authorized and necessary to fulfill your assigned job duties.
  6. You are responsible for exercising reasonable judgment regarding personal use of Information Systems.
  7. For security and network maintenance purposes, authorized University Personnel may monitor equipment, systems, and network traffic.
  8. University Information Systems may audit Individual Users’ use of Information Systems as permitted by applicable law on a periodic basis to ensure compliance with this policy.

Security and Proprietary Information

  1. All Portable Computing and Storage Devices must comply with any current university or campus policy, as well as applicable laws and regulations, governing portable computing and storage device usage. See OU Information Security Policy Definitions.
  2. System-level and user-level passwords must comply with the OU IT Password Policy. Providing access to your passwords to another individual, either deliberately or through failure to secure its access, is prohibited.
  3. If you use a University Information Systems email address to post to a newsgroup, forum, or other group of third-party recipients, you should include a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of the campus, unless the posting is made in the course of business duties.
  4. You must use extreme caution when opening e-mail attachments received from unknown senders or which are otherwise not expected and suspicious, since such attachments may contain viruses and other malicious code.
  5. University System Security will monitor compliance with this policy using various methods, such as business tool reports, internal and external audits, and any feedback provided to University System Security.
  6. Prior to utilizing external public services for university business, University Personnel must complete an OU IT System Security Assessment.
  7. University Personnel must only use acceptable cloud technologies for university missions. A list of acceptable cloud technologies by university mission, and based on campus, can be found in the Cloud Storage Matrix.
  8. University Personnel must report the following to OU IT Security immediately:
    1. any event in which access to university data might have been gained by an unauthorized person
    2. any event in which a device containing University information has been (or might have been) lost, stolen, or infected with malicious software (viruses, Trojans, etc.)
    3. any event in which an OU account might have been compromised or the password shared with an unauthorized person (responding to phishing emails, someone shoulder surfing and writing down your password, etc.)
    4. any attempt to physically enter or break into a secure area where OU data are or might be stored
    5. any other event in which OU data have been or might have been lost or stolen
    6. any event in which OU information system policies, standards, or practices are violated
  9. University Personnel must securely dispose of hard copy materials in accordance with the associated OU Media Disposal Guideline.
  10. University Personnel must mark digital and non-digital media storing Category D1 – Confidential Research and Publications Information, with necessary Controlled Unclassified Information (CUI) markings and distribution limitations in accordance with the executed contract agreements. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact discs, and digital video disks. Non-digital media includes, for example, paper and microfilm. For additional information, see OU Category D1 Confidential Research and Publications Information Protection Standard.

Training

  1. University Personnel must complete required New Employee Orientation training within 30 days of beginning employment.
  2. University Personnel must acknowledge and follow the OU IT Acceptable Use Policy and OU IT Acceptable Use of Network Services Policy prior to being granted access to University Information Systems.
  3. University Personnel must acknowledge any additional Rules of Behavior agreements for Category A, Category B, or Category D1 Information Systems prior to being granted access to an Information System.
  4. University Personnel storing, transmitting, or processing Controlled Unclassified Information must complete mandatory OU CUI Program Training at least annually, and more often as necessary.
  5. University Personnel with a defined role in the OU IT Cybersecurity Incident Response Plan must undergo annual Cybersecurity Incident Response training.
  6. University Personnel with a defined role in the OU IT Disaster Recovery Plan must undergo annual Disaster Recovery training.
  7. University Personnel authorized for Remote Access must undergo one-time Acceptable Use of Remote Access Services training and acknowledge the OU IT Remote Access Rules of Behavior prior to being granted access to Remote Access services.
  8. University Personnel who fail a scheduled OU IT phishing simulation must complete required Social Engineering Red Flags training.
  9. University Personnel found to violate University Information Security Policy must complete required Information Security training.

Unacceptable Use

The activities listed below are generally prohibited. Under no circumstances is an Individual User permitted to engage in any activity that is illegal under applicable law while using University-owned resources or Information Systems. The list below is not exhaustive and provides some examples of unacceptable use.

  1. System and Network Activities: The following activities are strictly prohibited without exception:
    1. Violating the rights of any person or University under copyright, trade secret, patent, or other intellectual property laws, such as by installing or distributing “pirated” or other software products that are not appropriately licensed for use by the University.
    2. Accessing University information, Information Systems, or a user account for any purpose other than conducting University business or as otherwise expressly permitted by University Policy.
    3. Importing or exporting software, technical information, encryption software or technology in violation of applicable trade laws, including export control laws. The University’s Office of Legal Counsel or Office of Export Controls should be consulted if you have any questions or concerns.
    4. Introducing malicious programs (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) to the University’s network or server, or any other Information System.
    5. Revealing your account password to or allowing use of your account by third parties. For example, you may not share your account password with family or other household members when conducting work outside of the office.
    6. Using any Information System to actively download or transmit material that violates applicable sexual harassment or hostile workplace laws, or otherwise violates applicable laws or regulations.
    7. Making fraudulent or deceptive offers of products or services originating from any University account.
    8. Making statements on the University’s behalf about the University’s representations, warranties, conditions, or undertakings other than those pre-approved by the University, unless the University’s Office of Legal Counsel approval has been obtained.
    9. Causing or attempting to cause any security breaches, disruptions of network communications or Information Security Incidents. “Disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and using forged routing information for malicious purposes.
    10. Port scanning or security scanning unless prior approval from University System Security Governance, Risk, and Compliance has been obtained.
    11. Executing any form of network monitoring which will intercept data not intended for the Individual User’s host except in accordance with University Policy.
    12. Circumventing user authentication protocols or the security of any host, network, account or other University or third-party system.
    13. Introducing honeypots, honey nets, or similar technology on the University’s network except in accordance with University Policy.
    14. Interfering with or disabling a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
    15. Providing information about, or lists of, University’s employees to parties outside of the University, except as specifically permitted by university policy.

Email and Communication Activities

  1. The following activities are prohibited when using University of Oklahoma electronic messaging and communication services:
    1. Sending unsolicited email or other electronic messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material.
    2. Engaging in any form of harassment via email, telephone, or text messaging, whether through the content, frequency, or size of the messages.
    3. Including any misrepresentations or misleading information in email header information.
    4. Creating or forwarding chain letters or communications relating to Ponzi, pyramid or other fraudulent or misleading schemes of any type.
    5. Using unsolicited electronic messages originating from within the University’s networks of other Internet/Intranet/Extranet service providers to advertise any service hosted by University Information Systems or connected via the University’s network, unless specifically authorized in writing by the University Office of Legal Counsel.
    6. Posting the same or similar non-business-related messages to large numbers of Individual Users or other individuals.

Blogging and Social Media

  1. Limited and occasional use of the University’s Information Systems to engage in blogging and social media activities is acceptable, provided that it complies with the OU Marketing and Web Communications Social Media Policy, complies with applicable laws and regulations, and does not interfere with an Individual User’s regular work duties. Blogging and use of social media from the University’s Information Systems may be subject to monitoring.
  2. Access to TikTok on university-owned or operated devices by any employee or student is prohibited. This includes devices that are personally owned, but for which the owner receives a stipend from OU for business use of the device.
  3. The use of TikTok for official University business on select devices is allowed with an approved TikTok Usage exception request. The request will require vice president level approval. Examples include student and athlete engagement, public and fan engagement, academic course work, and threat and safety assessment. These devices cannot be used for any other University business.
  4. Access to TikTok is prohibited from all university wired or wireless networks. Access to TikTok is permitted on guest Wi-Fi networks available in student and public event spaces.
  5. The University may restrict or prohibit recording or posting of video content, including TikTok, in designated areas and facilities, especially those related to sensitive research.

Use of Artificial Intelligence ("AI")

  1. Students may not use generative AI in a manner contrary to University policy, including the Academic Misconduct Code or a class syllabus, or in a manner not explicitly permitted by the faculty member.
  2. Employees and students may not use confidential information such as records protected by HIPAA, FERPA, or other state and federal laws, proprietary content, and any other data categorized as prohibited, restricted, or confidential University data under the Information System and Data Classification Policy with AI tools.
  3. Students and employees must abide by the Intellectual Property (IP) Policy, the Information System Digital Copyright Policy, and the Academic Misconduct Code when utilizing IP-protected works to create new data sets for training AI models.

Details

Article ID: 3009
Created: Wed 8/2/23 4:13 PM
Modified: Wed 3/20/24 3:52 PM
