Defines the scope of authorized and acceptable use of UCSF Institutional Information and IT resources.
The University of California (University) recognizes and encourages the use of Institutional Information and IT resources (Resources) in support of the University's mission of education, research, community service, and patient care and to conduct University business. This Authorized and Acceptable Use Policy formally defines the scope of authorized and acceptable use of UCSF Resources.
Individuals whose devices or applications are unable to meet UCSF’s Minimum Security Standards for technical reasons must apply for a security policy exception by completing and digitally signing the online form for which instructions are linked immediately below. Upon receiving the completed form with signatures from the individual's department leadership, IT Security will contact you for a consultation. After this consultation the University’s Information Security Officer will respond to your request.
Instruction for filling out Security Exception Request Form (UCSF MyAccess login required)
A term that broadly describes all data and information created, received and/or collected by UC. The UCSF Data Classification Standard (Addendum F) defines categories according to their unique protective requirements and provides guidance for identifying appropriate users or recipients. UCSF departments and units should determine in advance the extent to which information should be disclosed to specific users. Determinations should be made based on the nature of the content and the duties of department employees.
The individual, identified group, committee or board designated responsible for the information and the processes supporting the University function. Institutional Information Proprietors are responsible for ensuring compliance with federal or state statutory regulation or University policy regarding the release of information according to procedures established by the University, the campus, or the department as applicable to the situation. Examples of responsibilities of Institutional Information Proprietors include:
- Assumes overall responsibility for establishing the Protection Level classification, access to and release of a defined set of Institutional Information.
- Classifies Institutional Information under their area of responsibility in accordance with these policies.
- Establishes and documents rules for use of, access to, approval for use of and removal of access to the Institutional Information related to their area of responsibility.
- Notifies Units, users, Service Providers and Suppliers of the Institutional Information Protection Level.
- Approves Institutional Information transfers and access related to their areas of responsibility.
- Notifies Units, Service Providers and Suppliers of any changes in requirements set by the Institutional Information Proprietor.
A term that broadly describes IT infrastructure, software and/or hardware with computing and networking capability. These include but are not limited to portable computing devices and systems, mobile phones, printers, network devices, industrial control systems (SCADA, etc.), access control systems, digital video monitoring systems, data storage systems, data processing systems, backup systems, electronic media, logical media, biometric and access tokens, and other devices that connect to any UC network. This includes both UCSF-owned and personally owned devices while they store Institutional Information, are connected to UCSF systems, are connected to UCSF Networks, or are used for UCSF business.
Protection of data is required by federal or state law or regulation, or contractual obligation, and may be subject to data breach notification requirements. UCSF Minimum Security Standards apply.
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Research Health Information (RHI)
- Payment Card Industry (PCI) Data
- Confidential Security Information
- Licensed Proprietary IP and Product Development Information
Protection of data is required by the data owner or other confidentiality agreement and may be required by federal or state law or regulation or by policy. UCSF Minimum Security Standards apply.
- University Intellectual Property
- De-identified Health Information
- Employee Information
- Sensitive Faculty Activities
- Student Information
- Donor Information
- Current Litigation/Investigation Materials
- Physical Building Designs
- Financial Information
Any UCSF employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.
This Policy does not prohibit units within UCSF from having additional authorized and acceptable use policies and guidelines as necessitated by legal constraints or business requirements. Deviations from this Policy, however, cannot be less stringent than this Policy, must be properly documented and approved, and must be made available in a location accessible to affected Workforce Members.
A. Authorized Use
Usage of and access to UCSF Resources is limited to Workforce Members and is considered a privilege, not a right. UCSF reserves the right to revoke or curtail access privileges at any time and does not provide any guarantee for availability and reliability of Resources.
Access by Workforce Members shall be limited to the minimum necessary to further the University’s mission and to conduct University business. Controls shall be used to minimize risk of abuse and/or information security incidents.
For the purposes of this Policy, users of Resources meant for public use, including but not limited to Internet kiosks and publicly accessible web servers, are considered Workforce Members and fall within the scope of this policy.
B. Acceptable Use
Examples of acceptable and unacceptable uses are described below.
- Copyrights and Licenses—Workforce Members shall respect all copyrights and licensing agreements.
- Copying—Software shall not be copied except as permitted by copyright law or a license agreement.
- Number of simultaneous Workforce Members—The number and distribution of copies shall be handled so the number of simultaneous Workforce Members does not exceed the number of copies purchased, unless otherwise stipulated in the purchase contract.
- Plagiarism—Copied material shall be properly attributed. Plagiarism of electronic information is subject to the same sanctions as in any other medium.
- Integrity—Workforce Members shall not interfere with the normal operation of any Resources.
- Modification, damage, or removal—Workforce Members shall not intentionally modify, damage, or remove Resources owned by the University or Workforce Members without proper authorization from UCSF or the owner of the Resource.
- Encroaching on others’ access and use—Workforce Members shall not intentionally encroach on others’ access and use of Resources. This includes but is not limited to:
- the sending of chain-letters or excessive messages (size or volume)
- printing excessive copies
- running grossly inefficient programs when efficient alternatives are available
- unauthorized modification of Institutional Information; attempting to disable or prevent authorized access to Institutional Information
- Unauthorized or destructive programs—Workforce Members shall not intentionally develop or use programs such as, but not limited to: viruses, backdoors, and worms which:
- disrupt other Workforce Members
- access private or restricted portions of the system or identify security vulnerabilities
- decrypt secure data, or damage the software or hardware components of a Resource
Legitimate academic pursuits for research and instruction conducted under the supervision of academic personnel are authorized to the extent the pursuits do not compromise the University’s Resources.
- Disabling, modifying, testing, or circumventing security controls—Workforce Members shall not intentionally disable, modify, test, or circumvent any Resource security controls without authorization. This includes but is not limited to:
- disabling or circumventing authorization and authentication mechanisms
- intentionally disabling, modifying or removing security logs
- intentionally causing a security control to fail
- running any programs which intentionally create numerous security control false positives
- modifying networks to circumvent security monitoring or access controls
- intentionally causing or creating the perception of an information security incident
- using remote access or virtual private networking tools other than those provided by UCSF IT
- establishing persistent network connectivity to third-party networks
- Use of Campus Network—All devices that attach to the network must meet the requirements of UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources. Network devices (e.g., wireless access points) attached to the network must also meet the requirements of UCSF Policy 650-14 Network Gateway Policy, which requires device registration with UCSF IT
- Non-UCSF Devices—Non-UCSF devices, including personally owned computing devices, are expected to meet UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources when connected to the UCSF network. For example, a personally owned computer that accesses the UCSF network through a VPN connection is expected to meet those standards. Additionally, any non-UCSF device used to conduct UCSF business (including any storage or processing of UCSF information), must meet those requirements at all times, even when not connected to the UCSF network.
- Access—Workforce Members shall not seek or enable unauthorized access.
- Authorization—Workforce Members shall not access Institutional Information Resources without proper authorization, or intentionally enable others to do so.
- Authorization levels
- Workforce Member access levels shall not be greater than required to conduct University business, i.e., a Workforce Member who does not conduct system administration on a Resource should not be given system administrator privileges on said Resource.
- Workforce Members shall not attempt to obtain a higher authorization level without need and permission.
- Password and other protection
- A Workforce Member who has been authorized to use a password-protected account shall not disclose the password or otherwise make the account available to others.
- Sharing of accounts is prohibited. Other methods, such as shared file permissions or temporary passwords should be used in cases in which data needs to be shared.
- When using multi-factor authentication (e.g., Duo), users will approve only valid logins and will not set any level of authentication to default to approved.
- Use of Electronic Communication Records—Workforce Members may seek out, use, or disclose electronic communication records only for UCSF business in compliance with the UCSF Network Security Monitoring Policy (650-19) and the UC Electronic Communications Policy (ECP).
- Usage—Workforce Members shall comply with all applicable law and University policy.
- Hostile working environment—Workforce Members shall not use Resources in a manner which creates a hostile working environment (including sexual or other forms of harassment), or which violates obscenity laws.
- Unlawful activities—Workforce Members shall not use Resources for unlawful activities or activities which violate University policy, including fraudulent, libelous, slanderous, harassing, threatening, or other communications.
- Mass messaging—Workforce Members shall avoid spamming, and other inappropriate mass messaging. Subscribers to an electronic mailing list will be viewed as having solicited any material delivered by the list so long as the material is consistent with the list’s purpose.
- Information belonging to other Workforce Members—Workforce Members shall not intentionally seek or provide information on, obtain copies of, or modify data files, programs, or passwords belonging to other Workforce Members without the permission of those other Workforce Members.
- False identity—Workforce Members shall not use the identity of another Workforce Member without the explicit approval of said Workforce Member or mask the identity of an account or machine.
- Implying University Endorsement—Workforce Members shall not imply University endorsement of products or services of a non-University entity from a Resource without approval. Workforce Members shall not give the impression they are representing, giving opinions, or otherwise making statements on behalf of the University unless authorized to do so. To avoid such misrepresentation or misinterpretation, the Workforce Member may use a disclaimer such as “The opinions or statements expressed herein should not be taken as a position of or endorsement by the University of California.”
- Protection of Restricted/Sensitive Information—Workforce Members are responsible for maintaining the security of Institutional Information. Restricted/Sensitive Information not necessary for a Workforce Member to conduct University business shall be removed from the Resource or shall have authorizations set so it is inaccessible to said Workforce Member.
- Political or Religious Use—UCSF is a not-for-profit, tax-exempt organization and, as such, is subject to federal, state, and local laws regarding the use of University property.
In communications relating to religious or political activities or issues, the Workforce Member’s UCSF title may be used only for identification. If such identification might reasonably be construed as implying the support, endorsement, or opposition of UCSF respective to any religious or political activity or issue, a disclaimer shall be used, e.g. “The opinions or statements expressed herein should not be taken as a position of or endorsement by the University of California.”
- Incidental Personal Use—Authorized Workforce Members may use Resources for Incidental Personal Use purposes provided such use does not directly or indirectly interfere with the University’s operation of electronic communications resources; interfere with the Workforce Member’s employment or other obligations to UCSF; burden UCSF with noticeable incremental costs; or violate the law or UCSF policy.
- Workforce Members are responsible for ensuring any Incidental Personal Use falls within this scope and may be held liable for any damages to UCSF associated with Incidental Personal Use.
- Any Incidental Personal Use may become University records and subject to disclosure to the University and third parties.
- Examples of Incidental Personal Use include, but are not limited to:
- visiting non-work-related websites; sending personal emails
- using instant messaging services for personal communications
- accessing media for which the Workforce Member has access rights
- Commercial Use—Resources shall not be used for non-University commercial purposes, except as permitted under University policy or with the appropriate approval.
- Advertisements—Resources shall not be used to transmit commercial or personal advertisements, solicitations, or promotions, except as permitted under University policy and with the appropriate approval.
- Non-University Sites and Resources—External non-University sites and resources accessible through UCSF Resources may have their own policies governing their use. Workforce Members are responsible for understanding and following UCSF policies and/or the remote resources’ policies, whichever are more restrictive.
C. Administrative and Authorization Management
Resources shall use physical and logical authentication and authorization controls in accordance with University policy and appropriate to the risk level for said Resource.
Unauthenticated access and/or authorization shall only be granted if specifically necessitated by an operational requirement or in instances in which authentication and/or authorization are not technically feasible. Examples include but are not limited to:
- public Internet kiosks
- web servers meant for public access, access to information meant for public access. Additional security controls, such as monitoring and logging, shall be deployed in such instances to reduce the risk of abuse and/or information security incidents. Refer to UC Policy BFB-IS-3: Electronic Information Security for more information about appropriate controls.
Restricted/Sensitive Information must not reside on a Resource allowing unauthenticated access and/or authorization.
- Account Management
- Accounts may only be granted to Authorized Workforce Members and must be associated with an identifiable person. An example of an identifiable person is someone who is granted a UCSF ID number.
- Accounts granted to a Workforce Member who is not a UCSF faculty, staff, or student must designate a UCSF faculty or staff member as being responsible for the account. For further information refer to the guest account link in the References section below. Guest Access must be reviewed and approved by an appropriate UCSF authority, such as a Department chair or a Dean, to ensure the appropriateness of the request.
- Units responsible for granting access are responsible for ensuring timely removal of accounts and for ensuring proper access levels are maintained.
- Units are responsible for reviewing their accounts at least once a calendar year to ensure all Workforce Members are still authorized Workforce Members and have appropriate access levels, and to remove or modify access where appropriate.
- Workforce Member accounts must be deleted, disabled, have their access rights restricted or have their access rights removed from any IT Resource for which they no longer need access at the end of the Workforce Member’s employment within 24 hours, at the time of a full transition of job responsibilities or during an approved leave of absence. If a user transitioning to a new role requires access to resources from their previous role, they may retain them with the former manager’s approval, but upon full transition to their new role, access must be fully disabled within 24 hours.
- Application owners for non-Active Directory integrated systems are responsible for removing access of users who are leaving the university or are transitioning to another role that will not require them to have access to said system.
- Accounts which have not been accessed for 180 consecutive days must be reviewed. If not needed, they must be disabled or removed. CISOs may approve longer no-access periods for sabbaticals, leaves or other planned absences.
- Records of access approvals to Restricted/Sensitive Information should be retained consistent with the requirements of the University Records Disposition Program and Procedures (BFB RMP-2).
- An account which is not deleted upon loss of affiliation shall be transferred to another UCSF faculty or staff person designated as being responsible for the account.
- An individual who terminates his or her UCSF affiliation, but still requires access to UCSF Resources, shall have access privileges modified to restrict access to only those required.
All such Workforce Members shall be associated with a UCSF faculty or staff member who can ensure their continued access requirements and must have their access and affiliation with the UCSF faculty or staff member documented. Access by such individuals must be reviewed no less than annually to ensure continued access is still required. For further information, refer to the UCSF Guest Access form.
Example: When a researcher leaves UCSF, but there is an operational need to occasionally collaborate with UCSF colleagues, access may be granted, provided a UCSF faculty or staff person has been appointed as being responsible for this individual. Such access should be restricted to the minimum needed, reviewed on a periodic basis, and terminated when no longer required.
Implementation of this Policy is the responsibility of each Department and School within UCSF and all Workforce Members. All Workforce Members are responsible for understanding this Policy and ensuring their use falls within the scope of this Policy.
Deviations from this Policy must be documented and made available to affected Workforce Members. Temporary or minor deviations to this Policy may be handled as Exceptions to Policy and must be documented.
E. Violations and Sanctions
Minor or accidental violations of this Policy may be handled informally through email, education, or discussion.
More serious or repeated Policy violations may result in temporary or permanent loss of access privileges or modification of these privileges.
Violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion under applicable University policies and collective bargaining agreements. They may also be subject to any federal or state penalties for violations.
Individuals who become aware of a violation or potential violation of this Policy should inform their supervisor, department head, or Internal Audit.
In the event of a violation of this Policy involving possible unlawful action by an individual, the Locally Designated Official, the employee’s immediate supervisor, or other appropriate official should immediately be notified in accordance with the Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities (the “Whistleblower Policy”). Notification should be made before any action is taken, unless prompt emergency action is required to prevent bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policy, or significant liability to the University or to members of the University community.
Resources found in violation of this Policy may be removed from the UCSF network or prohibited from connecting to the UCSF network until the violation is mitigated. Notifications of disconnects will be communicated to the Institutional Information Proprietor as quickly as possible; however, Resources may be disconnected prior to notification.
UCSF may disconnect or limit access to a Resource, groups of Resources, the UCSF network, and the Internet without notice to protect Resources, both external and internal, under exigent circumstances.
Contact Responsible Office (above) with any questions.