Alabama Cooperative Extension System
Information Technology Resources Policy
Updated May 31, 2006
I. Overview
The ACES/Ag Computer Technology Unit (CTU) is responsible for
facilitating, managing, and supporting the use of information technology (IT)
resources within the Alabama Cooperative Extension System (ACES), the Auburn
University College of Agriculture (COA), and the Alabama Agricultural
Experiment Station (AAES). Information Technology resources include personal
computers, servers, network connectivity (for on-campus and off-campus
offices), videoconferencing technology, handheld devices, and various other equipment
and services.
The ACES/Ag network is part of the AU network (AUnet) and includes all
ACES/COA/AAES buildings on the AU campus, certain resources in the Dawson
Building on the Alabama A&M University campus, Extension field offices, and
AAES outlying units. Various ACES/Ag resources are provided and managed in
partnership with the AU Office of Information Technology (OIT). As such, the
ACES/Ag network and its resources fall under the IT policies and procedures of
Auburn University (http://www.auburn.edu/oit/it_policies/).
For some issues, employees affiliated with Alabama A&M University or located on
the AAMU campus must abide by AAMU IT policies (http://www.aamu.edu/eits).
The remainder of this chapter addresses ACES/Ag IT resources from
an Extension perspective, although much of the information also applies to the
Alabama Agricultural Experiment Station and the AU College of Agriculture. AU
IT policies are referenced where appropriate. Given the rapidly evolving nature
of information technology, this document may become outdated on some topics.
The CTU website, http://www.aces.edu/ctu,
is the best source for current information.
II. User Accounts
A user account consisting of a username and a
password is required to access various ACES/Ag computing resources, including
personal computers, internal online resources, and e-mail. The account is also
used for accessing OIT-provided services. Each account is assigned to only one
user, and that person is responsible for all actions of the account. The
account remains active as long as the person is affiliated with Extension.
Under certain circumstances, accounts may be provided to non-employees.
A. Types of Accounts
1. Extension Personnel
Extension personnel are assigned an account for administrative,
instructional, research, and extension use. The account is
created automatically for each permanent employee during the hiring process.
2. Extension Retirees
Upon request, Extension retirees may retain their ACES/Ag user
account after retirement.
3. Courtesy or Guest Accounts
Accounts may be assigned to non-Extension personnel as determined
by need on an individual basis. Guest accounts for access to AU resources may
require a fee as determined by AU OIT. See the OIT web site for additional
information about guest accounts.
4. Student Assistant Accounts
Accounts may be assigned to AAMU and AU students working with
Extension on an individual basis. Information about requesting student accounts
is available on the CTU website.
B. Account Status
Accounts are created, provided for use, and deleted as dictated
by a user’s affiliation with ACES/COA/AAES. Any retiree, courtesy or student
assistant account which is without user activity for a period of six months may
be subject to deletion.
1. Creation
When an account is created, the following items are established:
· A unique username (also called
user ID) which is assigned based on an algorithm to ensure the username is
unique within the ACES/Ag and AU user community. The username may not be
subsequently changed except in the case of a legal name change.
· A temporary password which the
user should change prior to using the account.
· An e-mail address.
· A home directory for storing the user’s
online files.
2. Active
Accounts will remain active until one of the
following criteria is met:
a. For all accounts:
The account is found to have been used for
activities that violate any portion of this policy or Auburn University IT
policies.
The owner of the account has been found
violating any portion of this policy or Auburn University IT policies.
b. For employee or student accounts:
The person is no longer employed by Extension or Auburn University, or the
person is no longer enrolled as a student at Auburn University.
c. For System Retiree accounts:
The person chooses to relinquish the account.
d. For courtesy accounts:
The person no longer demonstrates a valid need
for the account.
3. Deleted
When an account is deleted, the username will
be considered unused and all files belonging to the user will be deleted.
Electronic mail sent to the user will be rejected.
4. Temporary Restrictions
If security issues are identified related to a
specific account, the account may be temporarily restricted while the issue is
being investigated. If appropriate, CTU will attempt to notify the user when
this occurs. Users having trouble logging in should contact the ACES/Ag IT Help
Desk.
C. Requesting Accounts
CTU automatically creates a user account for each new Extension
employee based on the ACES and AU Human Resources databases. The ACES/Ag Help
Desk will notify the new employee when the account is created. An account
username can only be changed in the event of a legal name change (marriage,
etc.). In that case, the user must first ensure that HR has processed a
Personnel Action Form (PAF) updating the individual’s name in the HR database.
After the PAF is processed, the user must submit to CTU a request to change the
username.
Requests for other types of accounts (retiree, courtesy, or
guest) must be made to CTU.
D. Password Selection
Passwords are synchronized across all AU and ACES/Ag user
accounts so that only a single password is required. Perhaps the most
vulnerable part of any computer system is the account password. Any computer
system, no matter how secure it is from network attacks, can be fully exploited
by intruders who can gain access via a poorly chosen password. It is important
to select a password that is not easily guessed and to not share the password
with ANYONE. In addition, for added security of AU and ACES/Ag accounts, users
are advised to use a different password for non-AU and non-ACES/Ag accounts
(e.g. home cable networks, Yahoo e-mail, etc.). AU and ACES/Ag passwords may be
set at http://www.auburn.edu/password.
In addition to the Password Rules on that web page, the following guidelines
should also be observed:
· DO NOT use any variation of your
login name (i.e., reversed, capitalized, doubled, etc.).
· DO NOT use any variation of your
first, middle, or last name.
· DO NOT use your spouse’s or
child’s name; this information is easier to obtain than you might think.
· DO NOT use other information easily
obtained about you; this includes license plate numbers, telephone numbers,
social security numbers, birthday dates, wedding dates, the make of your
automobile, the name of the street you live on, the room number or building in
which you work, etc.
· DO NOT use a word contained in
English or foreign language dictionaries, spelling lists or commonly digitized
texts such as the Bible or encyclopedia.
· DO use a password with mIXeD-CasE alphabetics.
· DO use a password that is easy for
you to remember so you don’t have to write it down.
· DO use a password that you can
type quickly without having to look at the keyboard.
Methods of selecting a password which adhere to these guidelines
include:
· Choosing a line or two from a song
or poem, and using the first letter of each word.
· Alternating between one consonant
and one or two vowels, up to seven or eight characters. This provides nonsense
words which are usually pronounceable yet easily remembered.
· Substituting a number for a letter
(i.e. use the number ‘8’ for the letter ‘a’ or use the number ‘1’ for the
letter ‘l’).
E. Changing Your Password
Users should change their password periodically, usually every
three months. Changing your password periodically will frustrate even the most
patient intruder.
It is your responsibility to change your password. To change your
password, visit the AU Password Page at http://www.auburn.edu/password.
F. Determining Account Misuse
Often users are the first persons to detect unauthorized use of
their account. If this occurs, please notify the ACES/Ag Help Desk immediately.
III. Access to Computing Resources
A. Secure Internet Access to ACES/Ag Resources
CTU recommends using secure, encrypted connections when logging
into any ACES/Ag resource with a username and password. Instructions for
obtaining and using secure connection software are available on the CTU web
site.
B. Dial-up Access
Dial-up Internet access is available via the AU-Dial service for
a small monthly fee. The fee must be charged to an AU Banner billing number.
Individuals interested in AU-Dial should contact the ACES/Ag Help Desk for
assistance.
C. Routing Devices
Users may not add routers, hubs, or wireless access points to the
network. Such devices may only be installed by the ACES/Ag CTU or AU OIT.
Exceptions may be made for off-campus offices, upon approval by the ACES/Ag
CTU. Please also refer to the AU Wireless Networking Policy at http://www.auburn.edu/oit.
D. Adding Devices to the Network
The addition of any network device must be coordinated with CTU.
These devices include PCs, laptops, Macs, network printers, as well as any
other device that uses the Internet Protocol. CTU will ensure that the device
is properly named, configured, and joined to the AU domain. All capable ACES/Ag
computer devices will participate in Auburn University’s system for
computing resource management. The ACES/Ag Computer Management and Security
Policy is available on the CTU web page.
IV. Rights and Responsibilities of Users
A. Physical Security
Physical security is the most important part of computing
security and is the responsibility of all users. Electronic security means
nothing if the whole machine is stolen. Users should be aware of which
computing resources are in their vicinity and keep an eye out for any
suspicious activity. Doors to offices and laboratories should be closed and
locked if there is no one present.
Theft or vandalism of computing resources should be reported to
the appropriate law enforcement agency as well as to the ACES/Ag Computer
Technology Unit.
B. Electronic Security
Electronic security is the responsibility of all users. Users
should report unusual or suspicious computer or network activity to the ACES/Ag
Computer Technology Unit.
C. Virus Protection
Virus protection will be run and regularly
updated on all ACES/Ag computers. The choice of which software to run is
determined by the individual’s university affiliation. Further information
about university policies and available software is available on the Auburn
University OIT web site and Alabama A&M University IT web site.
D. Electronic Data Disposal
As a matter of AU policy, all computer systems, electronic devices
and electronic media must be properly cleaned of sensitive data and software
before being transferred outside of Auburn University either as surplus
property or as trash. For computers that are processed for surplus via CTU, the
CTU staff will sanitize the hard drives and other electronic media accordingly.
For computers that are processed through AAMU, CTU will provide the
sanitization software to users upon request.
E. Licensed Software
A variety of copyrighted and licensed software is available for
use on ACES/Ag computers. Applications have varying licensing methods. Software
may be site-licensed, licensed to a particular machine or person, or may have a
“floating node” license that limits the number of concurrent users.
Copyrighted and licensed software and documentation may not
be duplicated unless the license explicitly states that you may do so. When in
doubt, DO NOT COPY.
Details regarding software available to ACES/Ag users can be
found under the Software link on the CTU web page (http://www.aces.edu/ctu) or on the
AU-Software page at http://www.auburn.edu/ausoftware. Note
that, due to licensing restrictions, some AU-licensed software is available
only to AU employees and is not available to Extension employees affiliated
with AAMU. Comparable software may be available from AAMU.
F. Storage Resources
The ACES/Ag servers have a large, but finite, amount of disk
space. If a user consumes large amounts of disk space, others will be affected
since all users share common disks on the network. All ACES/Ag accounts are
created with a disk quota that limits the amount of disk space a user can fill.
This space is called the user’s “home directory” and is provided for storing
files that need to be accessible online (e.g. via the user’s personal web page)
or shared for collaboration with other users. The home directory is available
to the user as Drive H: when the user logs into any ACES/Ag computer.
Within each home directory is a folder named “public_html”
which serves as the user’s personal web space. The “public_html”
folder is available to the user as Drive P: on ACES/Ag computers. Files placed
in drive P: are automatically available via the web at http://www.aces.edu/~username.
1. Disallowed Files
The following file types are not permitted to
be transported, stored, printed, or otherwise exist on any ACES/Ag computing
resource.
· unauthorized copyrighted material
· any unlicensed, copyrighted file
· commercial software or media files that have not been
legally purchased or licensed
2. Data Privacy
New accounts are created such that all files and directories
created by a user within his or her home directory (H: drive) will be
accessible only by the user. As previously mentioned, the personal web space
directory (public_html, or Drive P:)
is an exception to this rule. Users needing to alter permissions for special
situations should contact the ACES/Ag Help Desk for assistance.
3. Backing up Data on Individual Computers
Individuals are responsible for backing up their own computers
(e.g. desktop PCs, laptops, handheld devices) on a regular basis. Various
tools are available for this purpose. Current information and recommendations
are available on the ACES/Ag CTU web page.
The ACES/Ag servers are optimized for hosting shared and online
resources. The servers are not configured to act as efficient backup
repositories for individual computers. Therefore, home directories are not to
be used for backing up individual computers. This topic is further addressed in
the next section.
G. Recovery of Deleted Server Files
Files stored on ACES/Ag servers, including users’ home
directories, are backed up to offline devices (e.g. magnetic tapes) every
night. To request restoration of deleted files, contact the ACES/Ag Help Desk.
Files which are prohibited under this policy will not be restored.
H. Printing Resources
Many printers are available to network users. As with other
ACES/Ag IT resources, printers shall only be used for printing material which
is used for administrative, instructional, research, or Extension purposes. All
other use is prohibited.
I. Electronic Mail
E-mail is an approved medium for communicating with Extension
employees who have regular access to a computer as part of their job
assignment. The ACES/Ag network uses GroupWise e-mail service provided by AU OIT.
The AU OIT policy on e-mail can be found on the web at http://www.auburn.edu/oit.
1. GroupWise Access
A GroupWise account is automatically assigned to each Extension
employee. To accommodate organizational identities, each account has two
addresses (username@aces.edu and username@auburn.edu) which function exactly
alike and deliver mail to the same mailbox.
The GroupWise Client program provides the most feature-rich
access to GroupWise services. Therefore, it is recommended over other mail
programs such as Outlook, Eudora, or Netscape Mail.
2. E-mail Lists
Extension-wide electronic mail lists are maintained based upon
each employee’s title, office location, and responsibilities. Membership in
these lists is automatic and may not be altered by the user. Extension mail
lists should be used with discretion. Individuals are encouraged to target
e-mail to specific mail lists based upon the subject of the e-mail message. The
aces-happenings mail list is available for publicizing unofficial information
among Extension personnel. All other Extension mail lists are intended solely
for distributing information related to the Extension mission. The names and
descriptions of the Extension mail lists can be viewed on the CTU web page.
3. Proxy Access
As with other ACES/Ag computing resources, e-mail accounts must
not be shared between users. The GroupWise Proxy feature can be used to share
GroupWise resources when necessary.
J. World-Wide Web
CTU manages the server for World Wide Web resources for
ACES/COA/AAES. Policies for web usage are provided in the next chapter of this
manual. The Web Policies and Standards Guide is also
available on the CTU webpage.
K. Other ACES/Ag IT Resources
In addition to the resources previously mentioned, CTU may
provide and manage resources not specifically itemized in this document. All
ACES/Ag IT resources, whether or not mentioned herein, fall within the general
scope of this policy.
L. Non-ACES/Ag IT Resources
The ACES/Ag network is part of the Auburn University network (AUnet). Various
resources are provided to ACES/Ag users by AU OIT and other divisions of Auburn
University. When using non-ACES/Ag resources, users are bound by the policies
of the resource provider.
V. Abuse of Computing Resources
The ACES/Ag Computer Technology Unit does not routinely monitor
individuals for inappropriate use of computing resources. If a user reports
problems or concerns about computing resources, CTU does not treat the
situation as potential abuse and focuses instead on resolving the user’s
concerns.
However, when attention is otherwise drawn to a situation of
potential abuse, the situation is investigated thoroughly to determine the
cause and, if appropriate, assign responsibility. The user’s supervisor is
normally informed when an investigation begins.
In most cases, CTU can differentiate between intentional abuse by
the user and situations resulting from viruses or other security breaches. A
user is not held responsible unless there is irrefutable evidence that the user
deliberately abused his/her privileges. If the user is not held accountable,
his/her supervisor is advised to make the user aware of the situation in case
the user needs to take additional steps to secure the computer. If the user is
deemed to be responsible, then the Extension Director is informed so
appropriate steps can be taken depending on the situation.
While individual usage is not monitored, overall network and
resource performance is monitored by CTU and AU OIT, which may lead to the
detection of abuse. This section serves to provide specific examples of the types
of abuse not tolerated. This list is by no means complete and is subject to
change without notice as new methods of abusing resources surface. Penalties
for abuse of computing resources include, but are not limited to, temporary or
permanent restriction of computing resource privileges, administrative action,
or criminal prosecution.
A. Theft and Vandalism
Theft and vandalism of computing resources will be handled by the
appropriate law enforcement agency. ACES will pursue and support criminal
prosecution of individuals suspected of theft and/or vandalism.
B. Unauthorized Use of Computing Resources
Unauthorized use is defined as the use of computing resources
beyond the privileges granted to the user. Unauthorized use of computing
resources is considered an abuse of the computing system. If direct expenses
are incurred by Extension during unauthorized use (i.e., paper, printer
supplies, etc.), Extension and/or ACES/Ag CTU reserves the right to pursue full
reimbursement of those costs from the individual.
1. Unauthorized Access of Computing Resources
Attempting to gain access to or using ACES/Ag computing resources
without proper authorization is considered a violation of policy. In the course
of their duties, AU and ACES/Ag IT specialists and members of the ACES/Ag Help
Desk may have a need to have temporary access to users’ computers, accounts,
and/or passwords. If appropriate and if possible, CTU will provide advance
notice to the user of temporary restriction of the account.
2. Unauthorized Access of Electronic Information
Accessing electronic information without proper authorization is
prohibited, even if the files are readable and/or writable. When in doubt, do
not read, copy, or change information or files without having proper
authorization.
3. Cracking Passwords
Any attempt to crack or otherwise obtain passwords is prohibited.
Storing or transferring encrypted or unencrypted password information is
prohibited. Writing, transferring, compiling or running programs designed to
guess passwords or otherwise gain unauthorized access to user or network
accounts or passwords is prohibited. This includes
programs or techniques designed to trick users into divulging their password.
4. Sharing Individual Accounts
An individual account is assigned to a single user (the owner)
and must not be shared with others. The owner is ultimately responsible for all
actions traced to a given account. If any damage is done via a shared account,
the owner and everyone else who has access to the account may be held liable.
Upon request, CTU will provide tools or shared online workspace
for groups of users who need to collaborate.
5. Compromising Security
Altering the configuration settings of a computing resource in order
to compromise the intended access restrictions will be considered a security
breach. Such actions are prohibited on the ACES/Ag network. One example of such
a compromise would be the use of a “.rhosts” file in
a user’s home directory.
C. Pecuniary Use of Resources
Use of ACES/Ag computing resources for personal pecuniary
purposes is prohibited.
D. Licensing and Copyright Infringement
Most intellectual and artistic works are licensed and/or
copyrighted. Most licenses and copyright agreements specifically prohibit
copying or unauthorized use of the software, photos, graphics, music, videos,
etc. When in doubt, don’t copy. Please refer to AU copyright policy at http://www.auburn.edu/oit
for additional information.
E. Disrupting Service
Deliberate disruption or degradation of network service is
prohibited, except by authorized IT specialists in the course of their jobs.
There are numerous ways in which network service could be
disrupted. Two examples are as follows:
· Unplugging the network connection
for a server or shared public resource.
· Attempting to overload a server or
shared public resource (i.e. running a large number of computationally
intensive applications).
F. Electronic Mail and Communications
Extension’s GroupWise service is provided by AU OIT. Related
policies are on the AU OIT web site.
Users are encouraged to actively manage their e-mail on a regular
basis by reading, storing, archiving, and/or disposing of messages as
appropriate. Users must observe their individual storage quota in order to
avoid interruption of service. E-mail security is reasonably strong, but not
infallible. Therefore, e-mail should not be used to transfer secure or
confidential information.
1. Electronic Mail Privacy
Electronic mail should be considered private in the same sense that U.S. mail
is. Do not attempt to read, copy, or otherwise disturb another
user’s e-mail without permission or authorization. If mail or other GroupWise
services need to be shared, the GroupWise Proxy feature should be used. AU OIT
and ACES/Ag CTU, with the approval of appropriate administrators, reserve the
right to inspect an individual’s e-mail account should that user be suspected
of a crime or account abuse.
2. Electronic Communications Privacy Act
E-mail is covered under the Electronic Communications Privacy Act
of 1986. This act provides for prosecution of individuals found surreptitiously
capturing, reading, or altering another’s e-mail without permission or authorization.
3. Chain Letters, Urban Legends, Virus Warnings
Chain letters, urban legends, and virus warnings are an
unfortunate fact of life on the Internet. However well-intentioned, most
messages of this sort are nothing more than an annoyance to the recipient.
Users should not forward to other users any chain letters, urban legends, or
virus warnings. If you receive such a message that you believe warrants
attention, please forward it to the CTU Help Desk (helpdesk@aces.edu) for further
evaluation and appropriate action.
Solicitation for financial gain or fund raising outside of the
extension, research and teaching missions is prohibited.
4. Forging
Any attempt by ACES/Ag users to forge an e-mail message will be
considered an abuse of IT resources. If a user receives mail that could have
been forged, it is in the best interests of all parties involved to confirm the
e-mail with the supposed sender via personal contact. If it is determined that the
e-mail is a forgery, contact the CTU Help Desk, and save a complete copy of the
message for further investigation. Incidents involving forged mail may be
forwarded to the Academic Honesty Committee or Administration for disposition.
G. Worms, Viruses, and other Disruptive Files
Deliberately introducing or attempting to introduce worms,
viruses, or any other disruptive file to ACES/Ag IT resources is a violation of
this policy and may result in loss of computing privileges. Exceptions apply
for IT specialists when performing their assigned duties (e.g. security
testing).
H. File Transfers
Using file transfer applications to transfer files to or from
remote sites which violate the policies of the remote site is prohibited. In
particular, transferring files which contain material offensive to either site,
contain information to be used for pecuniary interests outside of the ACES or
AU missions, or contain inappropriate solicitations is prohibited.
VI. Responsibilities of the ACES/Ag Computer Technology Unit
The ACES/Ag CTU is charged with the following responsibilities
within the ACES/COA/AAES: facilitating the use of technology, assisting in
procurement of hardware and software, licensing of software, managing computing
resources, ensuring electronic security, configuring computing resources to
accepted University standards, facilitating safe and legal disposal methods,
training users in common applications and technologies, and monitoring
technology advances. The CTU also represents the interests of the ACES/COA/AAES
in IT issues with AU OIT, other AU colleges, and external organizations.
A. Privacy Considerations
CTU staff members are held to a higher standard than the average
user because they are responsible for maintaining IT resources, and thus, must
be entrusted with the security and privacy of a variety of electronic data. CTU
staff members are mandated to protect the confidentiality and integrity of this
information.
B. Liability
CTU makes every effort to safeguard data stored on ACES/Ag
computers. However, CTU staff members are not liable for any loss of data or
loss of service on the ACES/Ag network. The ultimate responsibility for
safeguarding data rests with the user through proper security and backup
procedures.
C. Investigation of Violations of IT Policies
CTU staff members are charged with investigating violations of IT
policies and suspected abuse of IT resources. During such investigations, the
IT specialists may have complete access to all data on ACES/Ag IT resources as
needed for the investigation.
CTU cooperates fully with remote site system administrators in
the investigation of remote site policy violations.
VII. Enforcement
A. Temporary Access Restriction
An individual’s access to IT resources may be temporarily
restricted for a variety of reasons, including:
· Maintenance or servicing of
network resources,
· Dissemination of information
before continued use of an account,
· Investigation of IT policy
violations or suspected abuse of resources.
Temporary access restrictions are intended to be short lived and
usually require the account’s owner to contact the CTU for reactivation. Note
that investigations of network policy violations may require any number of
potentially affected accounts to be temporarily restricted. The owner of the
account may not be the object of the investigation if, for example, it may be
suspected that the user’s password has been cracked by a third party.
B. Permanent Access Restriction
If it is determined that a user's policy violations are so serious
that continued use of IT resources would infringe upon the rights or security
of other users, the user's account will be permanently restricted. Permanent
access restrictions must be approved by the Director with concurrence of the
affected user’s unit leader and CTU management. All accounts assigned to a user
may be restricted and future network privileges denied. Severe abuse may also
result in additional disciplinary action or referral to the appropriate law
enforcement agency.
VIII. Concluding Remarks
ACES/Ag IT resources are intended to enhance the efforts of the
specialists, agents, faculty, and staff of the ACES, the College of Agriculture,
and the AAES. CTU staff members make every attempt to ensure the reliability of
all IT resources. Please offer your feedback and suggestions by contacting CTU
at helpdesk@aces.edu or 334-844-9660.