Policies and Recommendations
Policy on Responsible and Ethical Use of Computing Resources
Final version, approved by the CIT October 26, 1998
Revisions approved by the CIT November 4, 2002
This policy is intended to promote the responsible and
ethical use of the computing resources of Wake Forest University.
Copies of the policy shall be provided to all users of the Academic
Computing System, and every effort shall be made to ensure that all
users read the policy at least once.
The policy applies to all computer and computer
communication facilities owned, leased, operated, or contracted by the
University. This includes, but is not limited to, word-processing
equipment, microcomputers, minicomputers, mainframes, computer
networks, computer peripherals, and software, whether used for
administration, research, teaching, or other purposes. The policy
extends to any use of University facilities to access computers
The administrators of various on-campus and off-campus
computing facilities, and those responsible for access to those
facilities, may promulgate additional regulations to control their use,
if not inconsistent with this policy. System administrators are
responsible for publicizing any such additional regulations.
2 Basic Principles
The University's computing resources are for
instructional and research use by the students, faculty, and staff of
Wake Forest University. Ethical standards which apply to other
University activities (Honor Code, the Social Rules and
Responsibilities, and all local, state, and federal laws) apply equally
to use of campus computing facilities.
As in all aspects of University life, users of
computing facilities should act honorably and in a manner consistent
with ordinary ethical obligations. Cheating, stealing, making false or
deceiving statements, plagiarism, vandalism, and harassment are just as
wrong in the context of computing systems as they are in all other
Use of campus facilities is restricted to authorized
users. For the purposes of this document, an ``authorized user'' shall
be defined as an individual who has been assigned a login ID and
password by Information Systems staff (on any relevant system), or by
an authorized agent. Individual users are responsible for the proper
use of their accounts, including the protection of their login IDs and
passwords. Users are also responsible for reporting any activities
which they believe to be in violation of this policy, just as students
are responsible for reporting Honor Code violations.
Individuals should use only those computing facilities they have been authorized to use. They should use these facilities:
- in a manner consistent with the terms under which they were granted access to them;
- in a way that respects the rights and privacy of other users;
- so as not to interfere with or violate the normal, appropriate use of these facilities; and
- in a responsible manner.
Inappropriate activities which are already covered under
other University policies are to be handled in the same way, and by the
same authorities, as if a computer had not been involved, following
established guidelines. In such cases the Information Systems
Department will follow the advice of the appropriate authorities,
although it reserves the right to add additional, computer-oriented
punishments when the abuse involves the use of campus computing
resources. Violations that relate exclusively to this policy and other
computer usage policies (such as forging mail and interfering with the
use of campus computer resources) shall be handled by Information
3 System Monitoring
This statement serves as notice to all users of campus
computing systems that regular monitoring of system activities may
occur. (But see also section 4 below.)
Only the following persons are authorized to engage in
system monitoring; the Chief Information Officer or Assistant Chief
Information Officer, Director of Networking, Director of Systems,
Assistant Manager of Systems, and any Systems Administrator or Network
Administrator (on the systems or networks they administer).
Detailed records of all system monitoring that takes
place (routine or not) shall be kept, and may be inspected by the
Provost or an appointed representative of the Provost at any time.
The following may be monitored by the above-mentioned staff:
- Any system log files which contain information pertaining to processes executed on a given system.
- System directories, temporary storage areas, work areas, and all areas outside of users' personal files. (Personal files are defined as any files created by and/or owned by the user.)
- Unsuccessful attempts to log into an account or a network.
- Attempts to gain unauthorized access to departmental or personal machines within the campus community.
- Attempts to disguise the source of electronic mail.
- Personal computers associated with reported incidents of
harassment or other violations of acceptable use policies, or user
- Any activity which in the opinion of the above-mentioned staff appears to compromise the security or integrity of the operating system.
In addition mail messages with invalid recipient or
sender fields are commonly sent to the ``Postmaster'', who will examine
them to determine the cause of the problem. Complaints brought by users
may also result in examination of relevant files and emails, pursuant
to approval by the appropriate authority. (See section 4.) In the
latter case, the email recipient must give permission in writing before
such an investigation can proceed.
All users, including the members of
the Information Systems staff, should respect the privacy of other
authorized users. Thus they should respect the rights of other users to
security of files, confidentiality of data, and the ownership of their
Nonetheless, in order to enforce the policies set out here, the Information Systems staff listed in section 3
are permitted to monitor activity on local computing systems. In
general, the staff may routinely search a University-owned file system
for potential violations of these ploicies. When there is clear evidence of a violation deemed
serious by the appropriate authorities, they may view users'
files, monitor keystrokes, and otherwise observe users' activities. In
cases deemed especially serious by the appropriate authorities, Information Systems staff may read users' email, but only after obtaining permission from the appropriate authority.
If a member of the University community outside of
Information Systems reports activities in apparent violation of the
policies described here, IS will inform the appropriate authorities of
the complaint. Upon approval, an investigation of a user's
computing activites, emails, and files may be initiated by Information
Systems. In such a situation, a
record of the investigation shall be placed in a permanent file to be
kept in Information Systems, beyond the standard log of all systems
monitoring. This record shall state why the user was investigated, what
files were examined, and the results of the investigation. Information
Systems staff shall not reveal the contents of users' files, users'
activities, or the record of investigations except under in the
following cases (and then only with the approval of the Assistant Vice
President for Information Systems or the Provost):
- Evidence of Honor Code or Social Rules and Regulations
violations will be referred to the Dean of the appropriate college, or
to the Dean of Students.
- Evidence of improper activities by University employees
will be referred to the Director of Human Resources or the appropriate
- Evidence of violations of law will be referred to the appropriate law enforcement officials.
Should Information Systems receive an inquiry concerning
whether a user has had computer-related disciplinary action taken
against him or her, IS staff will provide only a confirmation of the
disciplinary action taken and the dates of the action. No information
regarding the reasons for the action will be provided to anyone except
the user and the authorities involved, and no names may be given. (For
example, if someone asks about the person that broke into their
account, they are only told the punishment and dates of the punishment
- not who broke into the account. IS staff are committed to abide by
existing privacy laws.)
5 Prohibited Activities
The following list is intended to aid in interpreting
the principles set out above; the list should not be construed as
comprehensive. Examples of actions in violation of the approved
- Providing copyrighted or licensed material to
others while maintaining copies for one's own use, unless there is a
specific provision in the license which allows this. This activity is
forbidden even if the material is provided without cost for an educational purpose.
- Using software or documentation known to have been
obtained in violation of the Copyright Law or a valid license
provision. Use of a copyrighted program obtained from another party,
for which no license exists that allows such a transfer, will be
presumed to be knowing and the burden of demonstrating that the use was
innocent will rest with the user.
- Using a copyrighted program on more than one machine at
the same time, unless this is permitted by a specific license
- Copying any copyrighted material or licensed program
contents, unless allowed under the fair-use doctrine or explicitly
permitted by the copyright owner. (For further information, see http://zsr.wfu.edu/research/guides/copyright/ )
- Interfering with others' legitimate use of computing facilities.
- Using the computer access privileges of others.
- Providing any unauthorized user with access to a personal
login ID, or in any way allowing others access to a machine under one's
own name. This includes providing access to campus computing resources
without the express written permission of Information Systems.
- Intentionally creating, modifying, reading or copying
files (including mail) to or from any areas to which the user has not
been granted access. This includes accessing, copying, or modifying the
files of others without their explicit permission.
- Disguising one's identity in any way, including the
sending of falsified messages, removal of data from system files, and
the masking of process names. This prohibition includes sending
electronic mail fraudulently.
- The establishment of any function which provides
unauthorized access, via the Internet connection or otherwise, without
the written permission of Information Systems. For example, users may
not install games which allow users to access academic computers
without a valid login ID.
- Sending harassing or libelous messages via any digital means.
- Sending chain letters via electronic mail.
- Using University facilities to gain unauthorized access to computer systems off-campus.
- Use of campus computer facilities for commercial purposes without prior written permission.
- Attempting to interfere with the normal operation of
computing systems in any way, or attempting to subvert the restrictions
associated with such facilities.
6 Disciplinary Actions
Substantial evidence of a violation of the principles
described in this policy statement may result in disciplinary action.
As stated above, in cases where a policy already exists, and the only
difference is that a computer was used to perform the activity, such
action will be taken through appropriate University channels such as
administrative procedures, the Honor and Ethics Council, the Graduate
Council, or other supervisory authority to which the individual is
subject. Violation of State or Federal statutes may result in civil or
criminal proceedings. Otherwise, however, those who engage in computer
violations are subject to Information Systems.
System administrators, with due regard for the right of
privacy of users and the confidentiality of their data, have the right
to suspend or modify computer access privileges, examine files,
passwords, accounting information, printouts, tapes, and any other
material that may aid in maintaining the integrity and efficient
operation of the system. Users whose activity is viewed as a threat to
the operation of a computing system, who abuse the rights of other
users, or who refuse to cease improper behavior may have disciplinary
action taken against them.
Violation of the the policies articulated here may
result one or more of the following, plus any additional actions deemed
appropriate by Information Systems:
- Suspension of one's ability to perform interactive logins on relevant machines on-campus.
- Suspension of one's ability to login to a campus network.
- Suspension of one's ability to send email.
- Suspension of one's ability to receive email.
- Increased monitoring of further computer activity (beyond normal systems monitoring).
Upon taking action, Information Systems
will notify the user in writing within 24 hours. The notice will
clearly state which policies allegedly were violated. The suspended
user must contact the Assistant Vice-President of Information Systems
or his designated representative (the ``policy enactor'') regarding the
suspension. After discussing the alleged violation, the policy enactor
may undo any or all of the disciplinary action, or continue action for
up to one year. If the user has not contacted the Representative within
seven days of the disciplinary action, the Representative will render a
decision and notify the user as specified below.
In the event that the user and the policy enactor are
unable to resolve the matter to the user's satisfaction, he or she may
appeal to the Director of Information Systems within seven days. The
Director of Information Systems may modify or sustain the decision.
When disciplinary action is taken, a written notice will be sent to the
user and the Office of the Provost explaining the length of the
punishment and the violations which occurred. Copies of this notice
will be sent to administrators of other campus computing systems on a
need-to-know basis. Information Systems also will forward this notice
to the authorities specified above if there is reason to believe a
violation of other University policies or law has occurred.
If a revoked privilege is needed by a student to
complete classwork, the student must obtain a note signed by the
professor in question explaining why the privilege is required, to be
sent to the policy enactor. Only the minimum privileges needed for the
student's class activities will be restored. Any further abuse by the
student in question will lead to the privilege being revoked anyway.
Information Systems reserves the right to monitor previous offenders
for further abuse.
Any disciplinary action taken by Information Systems
may be revoked and/or modified by the Provost of the University or
anyone the Provost designates to deal with such matters.
7 Changes to This Policy
Information Systems may, in consultation with the
Committee on Information Technology, change or amend this policy from
time to time. When changes are made, they will be announced through
whatever messaging system is currently in use. As with all matters of
law and ethics, ignorance of the rules does not excuse violations.
(split) tunneling allows two simultaneous, active connections to a
secure network (via VPN) and a non-secure network, without having to
disconnect the VPN connection. This security vulnerability allows a
direct connection from the non-secured Internet to the VPN secured