Policies For
Responsible Computing at
Walla Walla College

May 5, 1995
Walla Walla College
College Place, Washington 99324


Table of Contents


1. Introduction


Scope, Audience, and Authority

This document describes policies for use of college computer systems by faculty, staff, and students. The creation of these policies involved broad input from the computer users of Walla Walla College. The policies have been adopted by these campus groups: the Campus Computer Center, the Computer Users Committee, the Student Senate, the Faculty Senate, and the President's Cabinet.

Readers are also referred to several other documents concerning policies and procedures for campus computer resources -- including the Computer Center System Backup Policy, the Computer Center Basic Services Guide, the section in the Governance Handbook regarding the Computer Users Committee, the section on Software in the College Copyright Policy, the Computer Primer, the Academic Computing Handbook, and the Internet Primer.

Philosophy

Walla Walla College maintains computers, computer software, computerized data, computer networks, and connections to external networks, collectively referred to as computer facilities, for the purpose of fostering the instruction, research, and the administrative functions of the college.

Computing facilities are provided for use by WWC students, faculty, and staff in support of the activities of the college. All students, faculty and staff are responsible for seeing that these computing facilities are used in an effective, efficient, ethical, and lawful manner.

These policies establish rights, responsibilities, and restrictions regarding the access and use of college-owned computer facilities. These policies apply to centrally administered computer systems, departmental computer systems, and college-owned personal computers. They include all means of accessing these, as well as all computerized institutional data regardless of the office in which it resides or the format in which it is used.

All computer users have two basic rights -- a reasonable expectation of privacy and a fair share of the resources. Consequently, computer users have the responsibility to help ensure that others also experience those rights. The following policies are intended to ensure these rights.


2. General Policies


2.1 Ownership of Resources

Computer facilities and data owned by the college are to be used solely for college-related activities. All access to centralized computer systems shall be approved through the Computer Center. Access to departmental computer systems shall be approved by the department chairman or authorized representative.

Computerized Institutional Data

All computerized institutional data is considered to be an asset of the college and shall be protected from loss, corruption, misuse, and inappropriate disclosure. Certain computerized institutional data, by law or by college policy, is confidential and may not be released without permission. Users of college computer resources are responsible for the privacy and protection of data over which they have control.


2.2 Authorized Users

Computer facilities are provided to support the instructional, research, and administrative functions of the college. Students, staff members, and faculty members (including emeritus faculty and members of the Board of Trustees), are permitted, upon proper validation, to use the academic portion of these facilities without charge. The facilities available will be determined by the intended use of the facilities and the resources available at the time. Because of limited resources the college does not provide computer facilities for use by relatives or friends who do not otherwise qualify as users.

2.3 General Policies

Policy: Computer users may log in only to their own computer accounts

Rationale:
System managers are more able to make systems run smoothly when they know who is using the system. Users are less likely to interfere with each other if they each have their own account. Unauthorized users can then be identified more readily. On systems that charge for computer resources, one user may be paying for the computer usage of another. Some systems limit the number of simultaneous users of a single account. Private information is available to the legitimate owner of an account.
Exceptions:
Some systems have generic accounts (e.g., guest) that almost anyone is authorized to use.

Policy: Computer users must ensure that their work does not interfere with others

Rationale:
Students, faculty, and staff depend on reliable and efficient computer systems to do work and schoolwork. Disrupting computer systems causes lost productivity and frustration.
Exceptions:
Nearly everyone, from time to time, unknowingly does something on the computer that has an adverse effect on the network, the hard drive space, or some other shared resource. This is usually quite innocent and unintentional. Users are responsible for educating themselves regarding their computer work, so as to have a minimum of impact on other users. The Computer Center will help with that educational process by making users aware of resource-consuming activities when they are discovered.
Examples:
Exceeding assigned disk quotas
Attaching incompatible equipment to the campus network
Releasing a virus program
Sending harassing messages

Policy: Computer users may not examine, copy, modify, or delete files belonging to other users without their consent.

Rationale:
Computer users have a reasonable expectation of privacy for their data stored on campus computer systems. Most systems have security protections in place to make it difficult for users to look where they have no permission to look. This policy applies to System Managers as well as regular computer users.
Examples:
Attempting to discover other users' or system passwords.
Attempting to read or modify other users' files without their permission.
Attempting to circumvent data protection schemes or uncover security loopholes.
Attempting to read or modify another's E-mail.
Attempting to modify system software or configuration files.

Users who encounter or observe a gap in system security should report it to the Computer Center.

Exceptions:
It is generally considered acceptable for work supervisors to access the work-related files in the accounts of their employees when necessary. This is one reason why student employees are encouraged to keep their work files separate from their personal files. Of course, guidelines for these practices will vary between departments.

Policy: Computer users must not waste computer resources

Rationale:
Wasting computer resources that could be used by others hurts everyone. Good computer citizens will not use more than their fair share of the computer resources.

Examples of wasting resources: generating unnecessary printer output, using unwarranted or excessive amounts of disk storage, creating unnecessary processes on multi-user systems, propagating electronic chain letters, sending frivolous E-mail to large groups, or creating or posting inappropriate messages to news or list groups, posting messages to multitudinous news groups, creating unnecessary network traffic.

Policy: Computer users must not use WWC computer facilities to gain unauthorized access to remote networks or systems or violate the use policies of any remote system.

Rationale:
System managers on the Internet depend on each other's cooperation to enforce policies and keep general order. If a Walla Walla College computer user were to use our facilities to disrupt the operation of remote systems, the only recourse for the remote system manager might be to terminate all access from WWC computers. This could cause the disruption of many Internet facilities upon which our users depend. In addition, if government systems were involved, the user might be in violation of United States and/or Washington State Law (refer to the Washington State Criminal Code).

2.4 Use and Storage of Potentially Dangerous Programs

The introduction of worm or virus programs into the computer systems can be particularly disruptive. Because of this, the existence of such software as well as other software intended to break security is regulated.

Possession of computer software used to discover passwords or otherwise scan for security loopholes may be allowed for legitimate academic purposes, but must be registered with and approved by the Computer Center before storing it on a college- owned computer system or system connected to a campus network. To protect the integrity of the network, unregistered copies of such software discovered on campus systems will be promptly removed .


2.5 Privacy Issues

Security

The College makes every reasonable effort to ensure the integrity of its various systems. All computer systems available to users offer some form of data protection which can be modified by an authorized user as needed. However, due to a number of technical, legal, and economic reasons, no system will offer absolute security. Thus, users should never place highly sensitive or confidential information on any computer, especially a networked one, without understanding the risks involved. Steps can be taken by users to improve the security of their data through publicly available cryptographic technologies. Users are encouraged to use these techniques when appropriate.

Privacy and Confidentiality of User Data

Programs and files stored in users' private directories are considered private unless their owners have explicitly made them available. However, in the case of system problems or clear policy violations, system managers (as authorized below) may examine user files and system logs in order to gather sufficient information to diagnose and correct system problems and investigate policy violations.

The following policies are intended to create a balance between users' rights to privacy and the right to a smoothly-functioning computer system, free of disruption.

  • Personal user files -- whether stored on disk or backup tape -- are considered private and will not be scanned or read by computer center staff except as specifically authorized below. If System Managers discover private information as an incidental result of performing their duties, they are obligated to keep this information confidential. However, such information, if evidence of policy violations, may be used in disciplinary proceedings.
  • System Managers are authorized to examine user files or processes only as far as necessary to ensure reliable and secure system operation. If reliable system operation is in jeopardy, system operators are also authorized to kill or suspend user processes, move user files to alternate storage media or delete files that can be easily recovered (for instance, from off the Internet). The users affected will be promptly notified of the actions taken and the reasons why. System Managers will make every reasonable attempt to assist users in recovering work files that were destroyed in the process of attempting to keep the system running properly.
  • System Managers are authorized to examine user files to collect evidence of specific college policy violations, provided that probable cause exists for such a search. Any examination of this sort must be reported promptly to the Director of Computing.
Note that not all data created by users is considered personal. In particular, logs of user activity created automatically by system programs (such as login) are not considered personal or private.

Some systems run programs which periodically scan disk volumes looking for problem files such as viruses and large graphical images. The system program will report these potential problems to the System Manager. Private disk volumes not mounted on the network are never scanned.

Being Logged In is Considered Public Information

Most systems have publicly available software that can be used to list the user names of currently logged-in users, and on some systems the last command executed by each user. On some systems, this information is available even from off-campus computers. In short, being logged into a system is considered public information.

Disclaimer for Loss of Data

The College disclaims liability for the loss of data or interference with files resulting from its efforts to maintain the operation, privacy, and security of the computer facilities. For additional information regarding procedures in place to protect system and user data, refer to the Computer Center Backup Policy.


2.6 Copyright Policies

Many copyrighted programs are made available on campus systems under license agreements with the publishers. These license agreements generally do not allow campus computer users to make copies of these programs. Unless otherwise specified, users are not allowed to make personal copies of software stored on central systems. For additional information refer to the WWC Copyright Policy.


2.7 Non-Commercial Use Policy

College computer accounts are to be used for the college-related activities for which they are assigned. College computing resources are not to be used for commercial activities without written authorization from the college administration. In these cases, the college will require payment of appropriate fees.


2.8 Electronic Mail Policies

Electronic mail, once received, belongs to the recipient. A user's mailbox is treated in the same manner as any other file belonging to that user, and is subject to the same privacy protections as regular files.

The college will not attempt to regulate the content of electronic mail except for cases involving violations of other college policies. The college accepts no liability for the content of users' electronic mail. The college has policies against racism, sexism, and sexual harassment; if necessary, individuals may direct their concerns to the appropriate administrator.


3. Policies Specific to Computer Labs

Several clusters of public-access computers are available on campus and are commonly referred to as computer labs. While primarily intended for students to use for course work, faculty and staff are also welcome to use the facilities on an equal basis with students.

Faculty May Reserve the Computer Labs

Faculty wishing to reserve a computer lab for a class or seminar must contact the office of the Director of Academic Computing at least one week before the event. Such requests are generally granted on a first-come first-served basis. Generally the labs should not be reserved during evening hours nor all at the same time.

Unattended Workstations

Any workstation left unattended for more than fifteen minutes may be appropriated by another user.

Computer Games

Playing recreational games in a computer lab is prohibited. Any exceptions to this policy must be approved in writing by the Computer Users Committee.

Other Non-Academic Computer Use

Computer lab facilities are intended for educational and research purposes, and these have higher priority than other types of use (for example, composing personal electronic messages or reading electronic news). A user engaging in non-academic activities while other users are waiting to use a terminal, is expected to yield the terminal. As a matter of courtesy, give up the terminal voluntarily without having to be asked.

Experimenting with graphics (non-course work), reading news, and writing personal correspondence are considered to have educational value; however, they should not be performed during peak lab hours.

Manuals

Manuals for most common software are available in the labs. Do not remove these manuals or other computer supplies without authorization.


4. Penalties and Due Process

Available Penalties

Depending on the nature and severity of the policy violation, the College may take one or more of the following disciplinary actions:
  • Send a verbal, written, or electronic mail warning
  • Allow only restricted computer privileges
  • Temporarily suspend the computer account (typically 1 to 10 weeks)
  • Revoke all computer privileges
Warnings and temporary suspension of accounts may be issued by the appropriate System Manager. Restricting or revoking computer privileges for more than three days requires the approval of the Director of Computing. Termination of computer privileges permanently or indefinitely requires action by the college administration.

Supervisors have authority over their workers' accounts -- to activate or terminate as necessary. Supervisors on administrative systems also determine what specific data access rights their workers are granted. When someone ceases to be an employee of the College, the supervisor or department head should promptly notify the Computer Center so that the account can be disabled.

In cases where the integrity or functionality of the network or a multi-user system is in jeopardy, the system administrator is authorized to take immediate steps to prevent further damage -- up to and including disabling user accounts and disconnecting a user's workstation from the campus network. In the event that the user's account is being used by someone other than the true owner, this policy may prevent damage to the legitimate owner's data. The system administrator will promptly notify the account owner of the action taken.

When an account cannot be accessed, the user should immediately contact Computer Support for an explanation of the situation. Quite often, temporary revocation is the result of a minor or unintentional violation of the policies; it is customary to restore the account after the staff has discussed the situation with the user.

Procedures for Students

Students who are for any reason dissatisfied by the application of this policy have a right to appeal under the procedures specified in the Student Handbook. For severe infractions the matter will be remanded to the Vice President for Student Administration for disciplinary procedures under the Student Handbook.

If the Vice President for Student Administration initiates disciplinary action, the Computer Center may be able to provide computing access on a restricted basis during disciplinary proceedings. This restricted access will depend upon the severity of the infraction and the technical feasibility of providing such access. The level of access will be determined by the college administration.

If the Vice President for Student Administration chooses not to bring disciplinary action, or if the judicial proceedings are resolved in the defendant's favor, computer access will be restored immediately.

Procedures for Employees

Employees who are for any reason dissatisfied by the application of this policy have a right to appeal under the procedures specified in the Governance Handbook. For severe infractions, the matter will be remanded to the vice president of the department. The vice president in consultation with the Director of Computing will decide what temporary computer access is appropriate during the disciplinary proceedings.

Statutory Provisions

The Washington State Criminal Code defines Computer Trespass in the first degree as a class C felony, punishable by fines of up to $10,000 and imprisonment for up to 5 years. Title 18 of the United States Code as amended in 1994 also includes fines and imprisonment for "Computer Abuse." Copies of the relevant sections of the code are available in the Appendix.


5. Acknowledgments

Parts of this document were adapted and ideas taken from the computer policies of the following institutions:
Columbia University; California State University, Fresno; University of Hawaii, Manoa; Iowa State University; University of Kentucky; Louisiana Tech University; Princeton University; Rice University, University of Delaware.

6. Approvals:

Computer Users Committee:	Voted to Recommend to Senate:	November 29, 1994

Amendments approved February 2, 1995 Faculty Senate: First Reading: December 1, 1994 Second Reading and Voted to Recommend to Student Senate and Faculty: January 5, 1995 Amendments approved March 2, 1995 Student Senate: Approved with Amendments February 2, 1995 President's Cabinet: Faculty & Staff Meeting: First Reading April 3, 1995 Second Reading and Adoption May 1, 1995


Appendix


Revised Code of Washington
Computer Statutes

9A.52.110 Computer trespass in the first degree.

(1) A person is guilty of computer trespass in the first degree if the person, without authorization, intentionally gains access to a computer system or electronic data base of another; and
(a) The access is made with the intent to commit another crime; or (b) The violation involves a computer or data base maintained by a government agency.
(2) Computer trespass in the first degree is a class C felony. [1984 c 273 1.]

A class C felony is punishable by fines of up to $10,000 and imprisonment for up to 5 years.

9A.52.120 Computer trespass in the second degree.

(1) A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic data base of another under circumstances not constituting the offense in the first degree.
(2) Computer trespass in the second degree is a gross misdemeanor. [1984 c 273 2.]

A gross misdemeanor is punishable by fines of up to $5,000 and imprisonment for up to one year.


Oregon Criminal Code
Computer Statutes

164.377 Computer Crime.

(3) Any person who knowingly and without authorization alters, damages or destroys any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits [a Class C felony punishable by up to five years in prison and $100,000 in fines].

(4) Any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits [a Class A misdemeanor punishable by up to 1 year in jail and $5,000 in fines].


Summary of The Computer Fraud and Abuse Statute
Title 18 of the United States Criminal Code
18 USC Chapter 47 Sec 1030 Fraud and related activity in connection with computers.
As amended by the 1994 Omnibus Crime Bill

Whoever knowingly and without authorization causes loss or damage to a computer, network, information ,data, or program used in interstate commerce or communications (including loss of use of the system by the rightful users), of value aggregating $1,000 or more during any 1-year period shall be punished by fines and imprisonment of not more than five years (ten years for repeat offenders).

The complete text of the statute is available electronically in WordPerfect 5.1 format in the file HAL/SYS:APP\CLASS\POLICIES\COMPUTER\STATUTES\USCODE.WP.


Document Identification

	File name:	...\policies\cccpol7.wpd
	First Draft:	July 22, 1993
	Revised: 	May 12, 1994
	Revised: 	November, 1994
	Revised: 	March 30, 1995
	Printed:  	04/11/96 3:56 PM
	Converted to
	HTML:		April 23, 1996